>here are the headers of the spam - they flagged me on one of the "Received: from"
>lines that had the IP address 63.173.78.187 - a block that Sprint assigned me, but
>I haven't put to use yet. (they looked up the IP at arin.net)

> >Return-Path: <[EMAIL PROTECTED]>
> >Delivered-To: l

These two are irrelevant, they were added by the receiving mail server or 
mail client.

> >Received: (qmail 16885 invoked from network); 28 Dec 2001 21:43:09 -0000

This is the only header you can trust 100% (assuming, of course, that the 
headers were the real headers, and that the person that sent the headers 
didn't just make them up).  It's pretty safe to assume that this is just a 
dummy header, and that the next one is trustable, too.  But, that can't be 
guaranteed; only the recipient or his/her postmaster could know for sure.

> >Received: from adsl-nrp10-sao-c8b0fab9.brdterra.com.br (HELO lycos.com)
> > ([EMAIL PROTECTED]) by  with SMTP; 28 Dec 2001 21:43:09 -0000

This header, which we are assuming is a trustable one, doesn't say WHO it 
is ("by [blank]").  So we can't even say whose mail server this is, and 
where it really fits in the scheme of things.  We'll have to assume that 
this is their "real" mail server, and that their mail server is just messed up.

Even assuming that this header is trustable, it still doesn't include an IP 
address (which would appear as "[xxx.xxx.xxx.xxx]", with the brackets, or 
possibly malformed as "(xxx.xxx.xxx.xxx)").  The "([EMAIL PROTECTED])" 
doesn't mean anything, and is just a comment added by the mail 
server.  However, that IP has a reverse DNS entry of 
"adsl-nrp10-sao-C8B0FAB9.brdterra.com.br" (which matches the host name 
listed in the header), so that's likely the mail server the spammer is using.

However, given the horrible mail server that received it, we can only make 
educated guesses.

> >Received: from unknown (HELO rly-xb01.mx.aol.com) (62.133.159.140)
> >       by smtp-server1.cfl.rr.com with NNFMP; Sat, 29 Dec 2001 00:28:22 
> -0000

Assuming that adsl-nrp10-sao-C8B0FAB9.brdterra.com.br is the spammer's 
server, this one is highly suspect.  It appears to be a rr.com mail server, 
but again it has screwy information that makes it very likely this header 
was forged.  And again, while it looks like there is an IP in there, we 
can't assume that is a real IP.

> >Received: from [99.85.114.89] by f64.law4.hotmail.com with asmtp; 29 Dec
> > 2001 04:24:11 -0400 Received: from unknown (179.108.71.159)
> >       by pet.vosn.net with QMQP; Fri, 28 Dec 2001 14:20:00 +1000
> >Received: from mailout2-eri1.midsouth.rr.com ([63.173.78.187])
> >       by f64.law4.hotmail.com with asmtp; Fri, 28 Dec 2001 20:15:49 +0400
> >Received: from [43.132.91.89] by asy100.as122.sol.superonline.com with
> > esmtp; Sat, 29 Dec 2001 05:11:39 -0500 Reply-To: <[EMAIL PROTECTED]>

Again, these are almost certainly forged headers.  Given how unreliable and 
untrustworthy the previous headers were, we have to assume that the spammer 
added these.  Since this is where your IP comes into play, it's safe to 
assume these are simply forged headers.

                                                    -Scott
---
Declude: Anti-virus, Anti-spam and Anti-hijacking solutions for 
IMail.  http://www.declude.com
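As an added illustration of the reading rules applied in the message above (this is not code from the post or its author): a small Python parser that walks the Received: chain newest-first, believes only the hops the recipient's own servers stamped, and flags the tells discussed above (a blank "by" host, no recorded IP, an IP in parentheses rather than brackets, a HELO name unrelated to the connecting host). The `trusted_hops` count, the sample header block and the domain-suffix heuristic are assumptions made for the example.

```python
import re
from typing import Any, Dict, List

# Constructed sample modelled on the post's chain: a local qmail header, a hop with a
# blank "by" host, then hops only the sender could have written (documentation values).
SAMPLE_HEADERS = """\
Received: (qmail 16885 invoked from network); 28 Dec 2001 21:43:09 -0000
Received: from adsl-host.isp.example (HELO mail.example.com)
  (sender@example.net) by  with SMTP; 28 Dec 2001 21:43:09 -0000
Received: from unknown (HELO relay.example.org) (192.0.2.10)
  by smtp.example.org with NNFMP; Sat, 29 Dec 2001 00:28:22 -0000
Received: from mailout.example.com ([198.51.100.7])
  by mx.example.com with asmtp; Fri, 28 Dec 2001 20:15:49 +0400
"""
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

def unfold(raw: str) -> List[str]:
    """Join continuation lines (leading whitespace) onto the header they belong to."""
    out: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out

def parse_received(value: str) -> Dict[str, Any]:
    """Extract from-name, HELO, recorded IP and by-host from one Received: value."""
    m_from = re.match(r"from\s+(\S+)", value)            # absent on a local injection
    m_helo = re.search(r"\(HELO\s+([^)\s]+)\)", value)
    m_by = re.search(r"\bby\s+(?!with\b)(\S+)", value)   # "by  with SMTP" = blank host
    m_ip = (re.search(r"\[(" + IPV4 + r")\]", value)     # well-formed [a.b.c.d]
            or re.search(r"\((" + IPV4 + r")\)", value)) # malformed (a.b.c.d)
    return {"from": m_from and m_from.group(1), "helo": m_helo and m_helo.group(1),
            "by": m_by and m_by.group(1), "ip": m_ip and m_ip.group(1),
            "ip_form": m_ip and ("bracketed" if m_ip.group(0)[0] == "[" else "parenthesised")}

def analyze(raw: str, trusted_hops: int = 2) -> List[Dict[str, Any]]:
    """Newest-first walk: only the first `trusted_hops` (stamped by the recipient's own
    servers, an assumed count) are believed; everything beneath them may be forged."""
    hops = []
    for i, line in enumerate(h for h in unfold(raw) if h.lower().startswith("received:")):
        hop = parse_received(line.split(":", 1)[1].strip())
        hop["status"] = "trusted" if i < trusted_hops else "unverifiable"
        checks = [(hop["from"] and not hop["by"], "blank 'by' host"),
                  (hop["from"] and not hop["ip"], "no IP recorded"),
                  (hop["ip_form"] == "parenthesised", "IP in parentheses, not brackets"),
                  (hop["helo"] and hop["from"] and not hop["from"].endswith(hop["helo"].split(".", 1)[-1]),
                   "HELO name not under the connecting host's domain")]
        hop["anomalies"] = [msg for cond, msg in checks if cond]
        hops.append(hop)
    return hops
```

The host recorded in the last trusted hop is the one worth looking up; the hops marked unverifiable are the ones the post says to treat as forged.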


An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/