That sounds about right.  I assume that 'vsmtp15.tin.it' is your ISP.  If so, 
the only information they can trust is that they
received a connection from cpe-68-203-199-222.satx.res.rr.com (68.203.199.222). 
 They cannot prove (without access to that machine,
or some logs from a trusted application or user) what generated the traffic 
from it.  It's possible that a virus generated the
message, but it technically could be anything.

Sounds like your ISP needs an IQ upgrade.  If you feel like it, you may even 
want to point out that if this information was legit,
then *68.203.199.222* is the one that's actually relaying the email (which it 
probably isn't, because I'm sure the headers are
forged), not you.

Have a good one,
Christian 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chase Seibert
Sent: Thursday, April 21, 2005 11:11 AM
To: [email protected]
Subject: [IMail Forum] ISP accusing me of relaying




Hey,
 
I have gotten a couple false reports of spam originating from my system over 
the last few months. These reports are coming from my
ISP. I contend that what they have sent me is not proof, because email headers 
can be forged. I also present a logical argument for
why this mail could not have originated from our system, as well as speculation 
as to what might have happened. Does this make sense
to anyone else? My ISP is acting like they don't believe me, and saying they 
will cite this as evidence if they ever want to
terminate my access.
 

Here is the header they sent me:
Received: from vsmtp15.tin.it (192.168.70.119) by ims5b.cp.tin.it (7.0.027)
        id 4200083A00DEF78F for [EMAIL PROTECTED]; Thu, 21 Apr 2005 10:18:41 
+0200
Received: from cpe-68-203-199-222.satx.res.rr.com (68.203.199.222) by 
vsmtp15.tin.it (7.0.027)
        id 4227B8750499C924 for [EMAIL PROTECTED]; Thu, 21 Apr 2005 10:18:41 
+0200
Received: from grouppowellone.com (mail1.bullhorn.com [209.202.131.100])
 by cpe-68-203-199-222.satx.res.rr.com with esmtp
 id 9B89474B31 for <[EMAIL PROTECTED]>; Thu, 21 Apr 2005 01:18:56 -0700
 
Here is my argument. We don't send mail from 209.202.131.100. That's our 
incoming mail server. We have a separate cluster for
outgoing mail, that communicates on a separate IP to the external world 
(209.202.131.98). In fact, our firewall does not ALLOW
outgoing port 25 traffic from any IP except 209.202.131.98. 
 
Here is what I think happened:
1. Some RoadRunner (rr.com) home PC has been trojaned by a virus.
2. Virus either looks in the local Outlook address book or does a search online 
and finds a random contact/DNS record with the
domain grouppowellone.com. We happen to host this domain.
3. Virus does an MX lookup on the domain it wishes to forge mail from, and gets 
mail1.bullhorn.com, 209.202.131.100 as the primary
MX record.
4. Virus sends a spam message through the local RoadRunner open SMTP relay 
server, but forges both the sender (which is a common
tactic) AND the first hop of the header (which I am seeing more and more). This 
has the effect of making it look like the message
came from a legit email server.
 
The hole in their plan, with respect to us, is that email does not originate 
from that IP address in our system. We route all
outgoing mail through another IP. 
 
Just to be sure, I tested our servers. They are not an open relay:
>telnet mail1.bullhorn.com 25
220 INBOUND4.BULLHORN.COM (IMail 8.05 139897-7) NT-ESMTP Server X1e
>ehlo
250-INBOUND4.BULLHORN.COM says hello
250-SIZE 0
250-8BITMIME
250-DSN
250-ETRN
250-AUTH LOGIN CRAM-MD5
250-AUTH=LOGIN
250 EXPN
>mail from: [email protected]
250 ok
>rcpt to: [EMAIL PROTECTED]
550 not local host virgilio.it, not a gateway
 
Am I in the right here? This is fairly low volume, we get about 1 report a 
month. Also, we are on no blacklists except SPEWS, which
we have been on for more than a year due to some casino website sharing our IP 
block.



     -Chase

Chase Seibert |  Network and Systems Engineer |  Bullhorn Inc.  |  617.464.2440 
x119  |  www.bullhorn.com


To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
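The point both messages turn on is that a Received: chain is only trustworthy down to the last server the investigating party actually operates; every line below that was written by a machine nobody vouches for, and the accuser has to compare the claim in that line against what the accused party can demonstrate. The script below is an added example for this thread, not code from either poster. It parses the three Received: lines exactly as quoted above (the [EMAIL PROTECTED] placeholders are left as the archive shows them), assumes tin.it is the investigator and so treats ims5b.cp.tin.it and vsmtp15.tin.it as the trusted hosts, and takes 209.202.131.98 as the only permitted outbound SMTP address from the firewall claim in the post. It also applies a check the thread does not mention: the innermost line claims a receipt time 15 seconds later than the hop that received from it, which is at best clock drift and at worst another sign the line was invented.

```python
"""Walk a Received: chain the way an abuse desk should.

Added example for this mailing-list thread, not code from the original posts.
Trusted hosts and the permitted outbound IP are assumptions taken from the
posters' own statements; the Received: lines are transcribed from the post.
"""
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

# Transcribed from the post, newest hop first (as they appear in the message).
RECEIVED_HEADERS = [
    "from vsmtp15.tin.it (192.168.70.119) by ims5b.cp.tin.it (7.0.027) "
    "id 4200083A00DEF78F for [EMAIL PROTECTED]; Thu, 21 Apr 2005 10:18:41 +0200",
    "from cpe-68-203-199-222.satx.res.rr.com (68.203.199.222) by vsmtp15.tin.it (7.0.027) "
    "id 4227B8750499C924 for [EMAIL PROTECTED]; Thu, 21 Apr 2005 10:18:41 +0200",
    "from grouppowellone.com (mail1.bullhorn.com [209.202.131.100]) "
    "by cpe-68-203-199-222.satx.res.rr.com with esmtp "
    "id 9B89474B31 for <[EMAIL PROTECTED]>; Thu, 21 Apr 2005 01:18:56 -0700",
]

# Assumption: the ISP (tin.it) is investigating and operates these two hosts.
TRUSTED_BY_HOSTS = {"ims5b.cp.tin.it", "vsmtp15.tin.it"}
# Assumption from the post: the firewall only permits outbound port 25 from here.
BULLHORN_OUTBOUND_IPS = {"209.202.131.98"}

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_received(header):
    """Extract HELO name, observed IP, receiving host and UTC timestamp."""
    m_from = re.search(r"\bfrom\s+(\S+)\s*(?:\(([^)]*)\))?", header)
    m_by = re.search(r"\bby\s+(\S+)", header)
    helo, paren = m_from.group(1), m_from.group(2) or ""
    # The IP in parentheses is what the *receiving* server saw on the socket;
    # the HELO name is whatever the sender chose to announce.
    ip_match = IPV4.search(paren) or IPV4.search(helo)
    stamp = header.rsplit(";", 1)[1].strip()
    when = parsedate_to_datetime(stamp).astimezone(timezone.utc)
    return {"helo": helo, "ip": ip_match.group(1) if ip_match else None,
            "by": m_by.group(1), "time": when}


def provable_origin(headers, trusted_by):
    """Walk newest-to-oldest. A hop's 'from' is verified only when the server
    that wrote the line ('by') is one we trust. Returns (last verified IP,
    index of the first line written by an untrusted host, or None)."""
    verified = None
    for i, raw in enumerate(headers):
        hop = parse_received(raw)
        if hop["by"] not in trusted_by:
            return verified, i
        verified = hop["ip"]
    return verified, None


def timestamp_anomalies(headers, tolerance_seconds=0):
    """An inner (older) hop should not claim a time later than the hop that
    received from it. Returns [(inner_index, seconds_ahead), ...]."""
    hops = [parse_received(h) for h in headers]
    found = []
    for i in range(1, len(hops)):
        ahead = (hops[i]["time"] - hops[i - 1]["time"]).total_seconds()
        if ahead > tolerance_seconds:
            found.append((i, ahead))
    return found


def claimed_relay_is_plausible(headers, hop_index, allowed_outbound_ips):
    """Compare the IP named in an unverifiable hop against the addresses the
    accused party actually lets send outbound SMTP."""
    return parse_received(headers[hop_index])["ip"] in allowed_outbound_ips


def assess(headers, trusted_by, allowed_outbound_ips):
    """Summarise what the investigator can and cannot prove from the chain."""
    origin, boundary = provable_origin(headers, trusted_by)
    report = {"provable_origin": origin, "untrusted_from_index": boundary,
              "timestamp_anomalies": timestamp_anomalies(headers)}
    if boundary is not None:
        report["claimed_relay_plausible"] = claimed_relay_is_plausible(
            headers, boundary, allowed_outbound_ips)
    return report


if __name__ == "__main__":
    for key, value in assess(RECEIVED_HEADERS, TRUSTED_BY_HOSTS,
                             BULLHORN_OUTBOUND_IPS).items():
        print(f"{key}: {value}")
```

Run as-is, the trust walk stops at the third line: the last thing tin.it can prove is a connection from 68.203.199.222, the claim about mail1.bullhorn.com is unverifiable, the IP it names is not one the accused party permits outbound SMTP from, and the third line's timestamp runs ahead of the hop above it. Swap in your own trusted-host set to run the same walk from a different vantage point; a 15-second skew is worth noting but on its own proves nothing, which is why the firewall policy and the relay test carry the argument.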
