Hi,

The mail supposedly took the following route:

- cousinssubs.com (mail.cousinssubs.com [216.43.194.27])
- YahooBB218116092015.bbtec.net (Postfix)([218.116.92.15])
- mx4.uniserve.ca ([216.113.192.45])

We can assume that the first Received header is "legit":

Received: from mx4.uniserve.ca ([216.113.192.45]) by mail-host.uniserve.ca
with esmtp (Exim 4.22) id 1CUJoZ-000Jyw-QH for [EMAIL PROTECTED]; Tue,
16 Nov 2004 23:01:15 -0800

However that only shows that the mail was received from
"YahooBB218116092015.bbtec.net" [218.116.92.15].

The question is whether either party manages "YahooBB218116092015.bbtec.net"
[218.116.92.15].

If NOT, then it is possible that this server was a hijacked, proxy or
otherwise abused server which then inserted a FAKE third "Received" header
(in this case: mx4.uniserve.ca [216.113.192.45]).

If "YahooBB218116092015.bbtec.net" [218.116.92.15] can be trusted to insert
only valid headers, THEN it would indeed implicate "mx4.uniserve.ca
([216.113.192.45])" as the apparent originator of the email.

Best Regards
Andy Schmidt

H&M Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-3414 x20 (Business)
Fax:    +1 201 934-9206

http://www.HM-Software.com/
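The trust walk described in the reply above (read the Received headers from the top, believe a header only while it was stamped by a host one of the parties controls, and treat every header below the first outside hop as something that hop could have forged), written out as an added Python example that is not part of the original thread. It embeds the three Received headers from the quoted complaint as its sample input, with the addresses redacted exactly as they appear on the list archive; the trusted-host sets passed to it are assumptions standing in for "which hosts does each party actually manage".

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Received headers copied from the quoted complaint (addresses redacted as on
# the page), newest first, in the order they appear in the message.
RECEIVED_HEADERS = [
    "from mx4.uniserve.ca ([216.113.192.45]) by mail-host.uniserve.ca "
    "with esmtp (Exim 4.22) id 1CUJoZ-000Jyw-QH for [EMAIL PROTECTED]; "
    "Tue, 16 Nov 2004 23:01:15 -0800",
    "from yahoobb218116092015.bbtec.net ([218.116.92.15]) by mx4.uniserve.ca "
    "with smtp (Exim 4.22) id 1CUJoY-000HAt-0B for [EMAIL PROTECTED]; "
    "Tue, 16 Nov 2004 23:01:14 -0800",
    "from cousinssubs.com (mail.cousinssubs.com [216.43.194.27]) by "
    "YahooBB218116092015.bbtec.net (Postfix) with ESMTP id 59B128F2E5 for "
    "<[EMAIL PROTECTED]>; Wed, 17 Nov 2004 06:42:47 +0000",
]

# "from <name> (<comment>) by <name>" is the part of a Received header the
# walk needs; the comment usually carries the connecting IP in brackets.
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)\s*(?:\((?P<comment>[^)]*)\))?\s*by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


@dataclass
class Hop:
    from_host: str           # name the sender claimed or its reverse DNS
    from_ip: Optional[str]   # connecting IP as recorded by the receiving MTA
    by_host: str             # the MTA that wrote this header


@dataclass
class Trace:
    entry: Optional[Hop]     # first hop that came from outside the trusted set
    unverifiable: List[Hop] = field(default_factory=list)  # stamped below it


def parse_received(header: str) -> Hop:
    """Extract the from/by pair and the bracketed IP from one Received header."""
    m = HOP_RE.search(header)
    if not m:
        raise ValueError(f"unparseable Received header: {header!r}")
    ip = IP_RE.search(m.group("comment") or "")
    return Hop(m.group("from").lower(), ip.group(1) if ip else None,
               m.group("by").lower())


def chain_is_consistent(hops: List[Hop]) -> bool:
    """Each header's 'from' host should be the 'by' host of the header below
    it: the MTA that handed the mail upward is the one that stamped the next
    header down. A break here is the usual sign of a spliced-in header."""
    return all(a.from_host == b.by_host for a, b in zip(hops, hops[1:]))


def trace_origin(headers: List[str], trusted: Set[str]) -> Trace:
    """Walk Received headers newest-first. A header is believable only if the
    'by' host that wrote it is trusted; its 'from' is then a verified fact.
    The walk stops at the first 'from' outside the trusted set: that host is
    the last provable origin, and every header below it is hearsay that the
    same host could have inserted."""
    hops = [parse_received(h) for h in headers]
    trusted = {t.lower() for t in trusted}
    for idx, hop in enumerate(hops):
        if hop.by_host not in trusted:
            # Stamped by a host we do not control: nothing from here down is proven.
            return Trace(entry=None, unverifiable=hops[idx:])
        if hop.from_host not in trusted and hop.from_ip not in trusted:
            return Trace(entry=hop, unverifiable=hops[idx + 1:])
    return Trace(entry=None)  # every hop was internal to the trusted set


if __name__ == "__main__":
    # Assumed: the complainant controls only the two uniserve.ca hosts.
    ours = {"mail-host.uniserve.ca", "mx4.uniserve.ca", "216.113.192.45"}
    result = trace_origin(RECEIVED_HEADERS, ours)
    print("chain consistent:", chain_is_consistent(
        [parse_received(h) for h in RECEIVED_HEADERS]))
    print("first outside hop:", result.entry)
    print("unverifiable below it:", result.unverifiable)
```

The trusted set has to hold both the names the MTAs write into the `by` clause and the IPs they connect from, because the same machine appears by name on one side and by address on the other. With only the uniserve.ca hosts trusted, the walk stops at 218.116.92.15 and reports the cousinssubs.com header as unverifiable; add the bbtec.net host to the trusted set and the walk continues one hop further, which is exactly the "does either party manage that host" question the reply turns on.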


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Andy Ognenoff
Sent: Wednesday, November 17, 2004 03:40 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Help investigating abuse complaint


Hello all,

I just received a complaint at our abuse@ address asking us to stop
spamming.  The guy sent me the message in question as an attachment and
after reviewing the headers and digging into the logs I need some help
deciphering what is going on here.

Here are the headers for the spam in question:

Received: from mx4.uniserve.ca ([216.113.192.45]) by mail-host.uniserve.ca
with esmtp (Exim 4.22) id 1CUJoZ-000Jyw-QH for [EMAIL PROTECTED]; Tue,
16 Nov 2004 23:01:15 -0800
Received: from yahoobb218116092015.bbtec.net ([218.116.92.15]) by
mx4.uniserve.ca with smtp (Exim 4.22) id 1CUJoY-000HAt-0B for
[EMAIL PROTECTED]; Tue, 16 Nov 2004 23:01:14 -0800
Received: from cousinssubs.com (mail.cousinssubs.com [216.43.194.27]) by
YahooBB218116092015.bbtec.net (Postfix) with ESMTP id 59B128F2E5 for
<[EMAIL PROTECTED]>; Wed, 17 Nov 2004 06:42:47 +0000
Message-ID: <[EMAIL PROTECTED]>
From: "Reach B. Cubbyhole" <[EMAIL PROTECTED]>
To: Frankadsl <[EMAIL PROTECTED]>
Subject:  RE: Hot Wemon nice pussy
Date: Wed, 17 Nov 2004 06:42:47 +0000

----

The uniserve.ca references are the servers of the guy who complained.  The
mail.cousinssubs.com (216.43.194.27) is my mail server.  The other ones
referring to bbtec.net is where I am having trouble figuring out what
happened here.  Please correct me if my understanding is incorrect but it
looks like the message originated on my server, was relayed to the bbtec.net
server and then relayed to the uniserve.ca servers.

With that as my understanding of the chain, the log files don't make sense
to me.  In fact, I can't find any reference to 218.116.92.15 in my logs at
all for the last 3 days.  The references I can find for bbtec.net are SMTPD
entries of spam that was delivered to some of my local users but nothing to
indicate relaying that I can tell.

I have Relay Mail for Address set with my local IPs listed as well as
several external server IPs.  

Can anyone help me figure this out?  Does it look like something I can
control?  I would post log snippets but like I said I can't find anything to
indicate we sent this.

Andy Ognenoff
Online Systems Administrator
Direct: (262)250-2860
[EMAIL PROTECTED]
-----------------------------
Cousins Submarines, Inc.
http://www.cousinssubs.com



---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe
Declude.JunkMail".  The archives can be found at
http://www.mail-archive.com.
