Hi,
At my site I use Ninja for spam filtering. It can't be a station that
is infected because the public IP is dedicated to the mail server
using a static NAT. The workstations are actually using another IP to
hit the internet.

As for the headers, the only data I had from MessageLabs was the 3
samples I pasted in the original post. I searched the message-id and
some keywords on my Exchange servers but can't find anything, so they
are not sent through our server.

Thanks.



On Jan 17, 2008 11:09 AM, Don Andrews <[EMAIL PROTECTED]> wrote:
> Do you reject spam?  Or is it possible that one or more machines at your
> site are infected?  Do the headers indicate that the spam is definitely
> being sent from your server to HQ?
>
>
> -----Original Message-----
> From: M Bruyere [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 17, 2008 7:40 AM
> To: MS-Exchange Admin Issues
> Subject: [JUNK] problem with messagelabs
>
> Hi guys,
> I have a problem sending messages to a site (our HQ) that
> is protected by MessageLabs. In fact the problem is that they are
> throttling our connections because they say that we're sending spam.
> They provided the following samples to prove their point. After
> looking at all the configs and all, I can't see how we could be
> sending those. I suspect that the information is spoofed "a la joe
> job" and that's what affects us. Can anyone give me any input on how
> to deal with this? I can't find anything wrong on our system
> and they keep throttling over and over, limiting the contacts from our
> site to the HQ, which is at the very least annoying.
>
> If you have any ideas that could help me to stop this from happening,
> it would be very appreciated.
>
> Please note that the domain name has been changed. You can contact me
> off list if you need/want more specific details.
>
> //Spam sample 1
>
> Received: from desktop3 ([190.40.182.39]) by mail.MY_DOMAIN.com with
> Microsoft SMTPSVC(6.0.3790.0);
>   Mon, 7 Jan 2008 19:42:52 -0500
> Received: from 60.52.18.165 (HELO localhost.localdomain) (63.51.17.146)
>   by 64.53.15.110 with SMTP; Mon, 7 Jan 2008 19:42:35 +0500
> Date: Mon, 7 Jan 2008 19:42:35 +0500
> Message-Id: <[EMAIL PROTECTED]>
> X-Mailer: MIME::Lite 3.01 (F2.72; A1.62; B3.01; Q3.01)
> X-Header-CompanyDBUserName: hpccm
> X-Header-MasterId: 072480
> X-Header-Versions: [EMAIL PROTECTED]
> X-FID: 51E85DBC-2586-39AF-B9E4-67CDEA83DCB2
> Content-Type: text/plain;
>  charset="us-ascii"
> Content-Transfer-Encoding: 7bit
> To: <[EMAIL PROTECTED]>
> From: "Marvin Casey" <[EMAIL PROTECTED]>
> Subject: Re: Your Mortgage Refiinance
> Return-Path: [EMAIL PROTECTED]
> X-OriginalArrivalTime: 08 Jan 2008 00:42:52.0344 (UTC)
> FILETIME=[66978B80:01C8518F]
>
> Morttggage - lower your rrate!
>
> http://0rz.tw/563qc
>
>
> //Spam sample 2
>
> Received: from sufi-isis.org ([85.104.221.208]) by mail.MY_DOMAIN.com
> with Microsoft SMTPSVC(6.0.3790.0);
>   Sun, 6 Jan 2008 08:34:53 -0500
> Return-Path: <[EMAIL PROTECTED]>
> Received: from 206.191.20.150 (HELO magmail.travelgolf.com)
>      by MY_DOMAIN.com with esmtp (VZSFHPFSL NTVJQ)
>      id NzHz8i-bE58PW-p5
>      for [EMAIL PROTECTED]; Sun, 06 Jan 2008 15:34:55 +0200
> Message-ID: <[EMAIL PROTECTED]>
> From: "Rosalind J. Cody" <[EMAIL PROTECTED]>
> To: "Concetta V. Baez" <[EMAIL PROTECTED]>
> Subject: Get the biggest s'e)x organ in the neighborhood!
> Date: Sun, 06 Jan 2008 15:34:55 +0200
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
>         boundary="----=_NextPart_5463_15C1_01C85079.AFCF6A50"
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2900.2527
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2527
> X-OriginalArrivalTime: 06 Jan 2008 13:34:55.0133 (UTC)
> FILETIME=[EC4CB4D0:01C85068]
>
> This is a multi-part message in MIME format.
>
> ------=_NextPart_5463_15C1_01C85079.AFCF6A50
> Content-Type: text/plain;
>         charset="us-ascii"
> Content-Transfer-Encoding: quoted-printable
>
> potential for monopoly=2E To counter the arguments thatrecalled the
> incid=
> ent=2E "It looks like one of
>
>
> Maximize the volume of your dic'k by New Year!
>
> Great New Year prices for our super-p!ll will be a pleasant surprise for
> =
> you!
> Don't miss it out! Our offer is definitely worth your keen interest!
>
> Check our amazing prices now!
> http://Effesitables=2Ecom/
>
> contact some crisis management people," said Davidlisteners in each
> local=
>  radio market in America=2E"around 100 passengers when it attempted to
> be=
> rth at aof last year=2E In the West Coast, its 25 percent and
> National Football League=2E I'd like to thank all myhas visited the
> White=
>  House in 24 years=2Eshowed even a rate of 100% spam=2E
> ------=_NextPart_5463_15C1_01C85079.AFCF6A50
> Content-Type: text/html;
>         charset="us-ascii"
> Content-Transfer-Encoding: quoted-printable
>
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4=2E0 Transitional//EN">
> <HTML><HEAD>
> <META http-equiv=3DContent-Type content=3D"text/html;
> charset=3Dus-ascii"=
> >
> <META content=3D"MSHTML 6=2E00=2E2900=2E2527" name=3DGENERATOR>
> <STYLE type=3D"text/css">
> =2Estyle2 {font-size: 10px; color: #8d8d8d;}
> =2Em {font-family: tahoma; font-size: 12; color: #5C9CBC; font-weight:
> bo=
> ld;}
> =2Ez {font-family: tahoma; font-size: 14; color: #cc0000; font-weight:
> bo=
> ld;}
> =2Ei {font-family: tahoma; font-size: 12; color: #626262; font-weight:
> bo=
> ld;}
> =2Ex {font-family: tahoma; font-size: 12;font-weight:
> bold;color:#cc0000}=
>
> body {background-color: #FFFFFF; color: #2B3235;
> </STYLE>
> </HEAD>
> <BODY><span class=3D"style2">=20
> <br>potential for monopoly=2E To counter the arguments thatrecalled the
> i=
> ncident=2E "It looks like one of</span>=20
> <br><br>
> <table>
> <tr>
>         <td  valign=3D"top"><div
> style=3D"height:89px;width:223px;backgro=
> und:url(http://www=2Edoctorsmedicalgroup=2Ecom/skins/Skin_6/images/img-d
> m=
> gsbtryitfree=2Egif)"></div></td>
>         <td width=3D"15"></td>
>         <td valign=3D"top">
> <span class=3D"z">Maximize the volume of your dic'k by New
> Year!</span><b=
> r><br>
> Great New Year prices for our super-p!ll will be a pleasant surprise for
> =
> you!<br>
> <b>Don't miss it out! Our offer is definitely worth your keen
> interest!</=
> b>
> <br><a href=3D"http://Effesitables=2Ecom/";><b>Check our amazing prices
> no=
> w!</b></a><br><br>
>
>                 </td>
> </tr>
> </table><br>
>
> <br><span class=3D"style2">contact some crisis management people," said
> D=
> avidlisteners in each local radio market in America=2E"around 100
> passeng=
> ers when it attempted to berth at aof last year=2E In the West Coast,
> its=
>  25 percent and<br>National Football League=2E I'd like to thank all
> myha=
> s visited the White House in 24 years=2Eshowed even a rate of 100%
> spam=2E=
> </span><BR>
> ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
> <BR>
> ~             http://www.sunbeltsoftware.com/Ninja                ~
> <BR>
> </BODY></HTML>
>
> ------=_NextPart_5463_15C1_01C85079.AFCF6A50--
>
>
> //Spam Sample 3
>
> Received: from loboxvnh8zkwfs ([88.207.56.176]) by mail.MY_DOMAIN.com
> with Microsoft SMTPSVC(6.0.3790.0);
>   Sun, 6 Jan 2008 08:35:17 -0500
> From: "Mcbride, Norman" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Date: Sun, 6 Jan 2008 14:35:00 -0100
> Subject: Hot off the press.
> MIME-Version: 1.0
> Content-Type: text/plain
> Content-Transfer-Encoding: 7bit
> Return-Path: [EMAIL PROTECTED]
> Message-ID: <[EMAIL PROTECTED]>
> X-OriginalArrivalTime: 06 Jan 2008 13:35:17.0617 (UTC)
> FILETIME=[F9B37E10:01C85068]
>
> Looking for a company with some good news?  Here's one!
>
> GCME has more News that came.
> Looks like G C M E is not willing to miss a beat!
>
> SYMBOL: GCME
> CURRENT PRICE: $0.11
> Short-Term : $.60-$1.00
>
> Last Time We Issued A Alert We SAw 200-300% Gains in 1 Day.
> Please let me know if you ahve any questions regarding this.
>
>
>
> Thanks!
>
>
>
>
>
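
Added example, not part of the original thread: each server prepends its own Received line, so the line stamped by mail.MY_DOMAIN.com records the host that actually connected to it, while every Received line below it was supplied by that client and cannot be verified. The sketch below splits the Received chain of spam sample 2 at that point; the function names and the `own_hosts` parameter are assumptions made for this illustration.

```python
import re
from email import message_from_string

# Constructed input: the Received/Return-Path lines of spam sample 2 as quoted
# in the thread, with wrapped lines re-folded so they parse as continuations.
SAMPLE_2 = """\
Received: from sufi-isis.org ([85.104.221.208]) by mail.MY_DOMAIN.com
 with Microsoft SMTPSVC(6.0.3790.0);
  Sun, 6 Jan 2008 08:34:53 -0500
Return-Path: <[EMAIL PROTECTED]>
Received: from 206.191.20.150 (HELO magmail.travelgolf.com)
     by MY_DOMAIN.com with esmtp (VZSFHPFSL NTVJQ)
     id NzHz8i-bE58PW-p5
     for [EMAIL PROTECTED]; Sun, 06 Jan 2008 15:34:55 +0200
"""

HOP = re.compile(r"from\s+(?P<claimed>\S+).*?\bby\s+(?P<by>\S+)")
PEER_IP = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def parse_hops(raw):
    """Return the Received hops, newest first, as dicts."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())            # undo header folding
        m = HOP.search(flat)
        if not m:
            continue
        # Only look for the peer address in the part before "by ...".
        ip = PEER_IP.search(flat[:m.start("by")])
        hops.append({"claimed": m["claimed"], "by": m["by"],
                     "peer_ip": ip.group(1) if ip else None})
    return hops

def split_trust(raw, own_hosts):
    """Newest hop stamped by one of own_hosts, plus the unverifiable hops below it."""
    hops = parse_hops(raw)
    for i, hop in enumerate(hops):
        if hop["by"].lower() in own_hosts:
            return hop, hops[i + 1:]
    return None, hops

if __name__ == "__main__":
    trusted, below = split_trust(SAMPLE_2, {"mail.my_domain.com"})
    print("accepted by own server from:", trusted["claimed"], trusted["peer_ip"])
    for hop in below:
        print("client-supplied, unverified:", hop)
```

The peer address from the trusted hop is the value to look up in the server's own SMTP logs for the timestamp on that line.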
