I got this message 3 times! 1 without and 2 with the virus scan message at the end.
These 2 had some extra lines at the top of the heading; I marked them blue.
Thibaud Chabot
Delivered-To: [EMAIL PROTECTED]
X-VirusChecked: Checked
X-Env-Sender: [EMAIL PROTECTED]
X-Msg-Ref: server-7.tower-22.messagelabs.com!1113512783!24262441!1
X-StarScan-Version: 5.4.11; banners=-,-,euromacs.com
X-Originating-IP: [148.78.247.50]
Date: Thu, 14 Apr 2005 14:05:55 -0700
From: Brooke Clarke <[EMAIL PROTECTED]>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax;nscd1)
X-Accept-Language: en-us, en
To: Sundial Mail List <sundial@rrz.uni-koeln.de>
Cc: Mac Oglesby <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Subject: Re: Duplicate messages
X-Virus-Scanned: by amavisd-new
X-Virus-Status: Clean
X-OriginalArrivalTime: 15 Apr 2005 07:16:36.0468 (UTC) FILETIME=[0F684B40:01C5418B]
X-Scanned-By: MIMEDefang 2.48 on 127.0.0.1
X-Scanned-By: MIMEDefang 2.48 on 134.95.19.103
Sender: [EMAIL PROTECTED]
Reply-To: Brooke Clarke <[EMAIL PROTECTED]>
X-Virus-Scanned: amavisd-new isd-holland.nl
Hi Mac:
I've run Sam Spade on the header of a duplicate email, and am adding my comments in red.
It looks like G2 Solutions Inc. has a couple of servers called:
DNS0.STAR.CO.UK 195.216.16.129
DNS1.STAR.CO.UK 195.216.16.65
For more on G2 Solutions see below. Most likely one of the Sundial list subscribers is using them as an ISP. G2 Solutions is improperly reflecting the email back to the list, causing the duplicate postings.
Have Fun,
Brooke Clarke
04/14/05 13:47:11 Input
The Received: headers are the important ones to read
My comments are just hints, and should be considered only
an opinion. I may have guessed wrong, or things may have
changed since I was written
(My here means the Sam Spade Program)
>From - Thu Apr 14 09:45:19 2005
Hmmm from isn't a header I recognise
X-UIDL: f3-!!U'~"!2#1"!_^5"!
X-Mozilla-Status: 0011
X-Mozilla-Status2: 00000000
Return-Path: <[EMAIL PROTECTED]>
Received: from mailfilter.pacific.net
(mailfilter.pacific.net [63.162.241.9]) by mail.pacific.net
(8.12.0/8.12.1) with ESMTP id j3EGN6EN027432 for
<[EMAIL PROTECTED]>; Thu, 14 Apr 2005 09:23:07 -0700
(PDT)
This received header was added by your mailserver
mail.pacific.net received this from mailfilter.pacific.net
(IP addresses match)
Received: from psmtp.com (exprod5mx86.postini.com
[64.18.0.74]) by mailfilter.pacific.net (8.12.9/8.12.9)
with SMTP id j3EGNQTf001020 for <[EMAIL PROTECTED]>; Thu,
14 Apr 2005 09:23:26 -0700
mailfilter.pacific.net received this from someone claiming
to be psmtp.com
This doesn't match the IP address in the headers, so this
may be a relay point. If so all headers below are probably
forged.
It really came from exprod5mx86.postini.com
Received: from source ([134.95.100.208]) (using TLSv1) by
exprod5mx86.postini.com ([64.18.4.10]) with SMTP; Thu, 14
Apr 2005 12:23:16 EDT
exprod5mx86.postini.com received this from someone claiming
to be source
This doesn't match the IP address in the headers, so this
may be a relay point. If so all headers below are probably
forged.
It really came from mail1.rrz.uni-koeln.de
All of the above relates to getting the email from the Sundials list to me.
Received: from mail1.rrz.Uni-Koeln.DE (localhost
[127.0.0.1]) by mail1.rrz.Uni-Koeln.DE (8.13.1/8.13.1) with
ESMTP id j3EGIV2G000295 (version=TLSv1/SSLv3
cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NOT) for
<[EMAIL PROTECTED]>; Thu, 14 Apr 2005
18:18:32 +0200 (MEST)
mail1.rrz.Uni-Koeln.DE received this from someone claiming
to be mail1.rrz.Uni-Koeln.DE
but really from 127.0.0.1(localhost)
All headers below may be forged
Received: (from [EMAIL PROTECTED]) by mail1.rrz.Uni-Koeln.DE
(8.13.1/8.13.1/Submit) id j3EGIVhU000292 for sundial-out;
Thu, 14 Apr 2005 18:18:31 +0200 (MEST)
Comment before any parameter. Perfectly legal, but unusual
mail1.rrz.Uni-Koeln.DE received this, but doesn't tell us
where from.
(Without a from parameter it's hard to verify later
received headers. Treat with caution)
Received: from server01.Smith-Gardner.local
([217.154.181.6]) by mail1.rrz.Uni-Koeln.DE (8.13.1/8.13.1)
with ESMTP id j3EGIQTO000250 for
<sundial@rrz.uni-koeln.de>; Thu, 14 Apr 2005 18:18:30 +0200
(MEST)
mail1.rrz.Uni-Koeln.DE received this from someone claiming
to be server01.Smith-Gardner.local
This host doesn't exist, so all headers below this one
are probably forged
Received: from server01.Smith-Gardner.local ([10.2.0.240])
by server01.Smith-Gardner.local with Microsoft
SMTPSVC(5.0.2195.6713); Thu, 14 Apr 2005 17:16:20 +0100
server01.Smith-Gardner.local received this from someone claiming
to be server01.Smith-Gardner.local
This host doesn't exist, so all headers below this one
are probably forged
Received: by server01.Smith-Gardner.local (Microsoft
Connector for POP3 Mailboxes 5.00.2195) with SMTP (Global
POP3 Download) id
[EMAIL PROTECTED]; Thu, 14
Apr 2005 17:16:15 +0100
server01.Smith-Gardner.local received this, but doesn't tell us
where from.
(Without a from parameter it's hard to verify later
received headers. Treat with caution)
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 21400 invoked from network); 14 Apr 2005
16:08:37 -0000
Just a qmail status line
Received: from unknown (HELO smtp-in-2.star.net.uk)
(10.200.12.2) by welly-5.star.net.uk with SMTP; 14 Apr
2005 16:08:37 -0000
welly-5.star.net.uk received this from someone claiming
to be unknown
(welly-5.star.net.uk doesn't record the senders IP
address in any way I recognise, so it's impossible to be
sure. All received headers after this one should be
treated with suspicion)
Received: (qmail 15268 invoked from network); 14 Apr 2005
16:08:37 -0000
Just a qmail status line
Received: from mail35.messagelabs.com (62.231.131.195) by
smtp-in-2.star.net.uk with SMTP; 14 Apr 2005 16:08:37 -0000
smtp-in-2.star.net.uk received this from mail35.messagelabs.com
(IP addresses match)
X-VirusChecked: Checked
X-Env-Sender: [EMAIL PROTECTED]
X-Msg-Ref: server-12.tower-35.messagelabs.com!1113494916!0!1
X-StarScan-Version: 5.4.11; banners=-,-,euromacs.com
X-Originating-IP: [134.95.100.208]
Received: (qmail 30713 invoked from network); 14 Apr 2005
16:08:37 -0000
Just a qmail status line
Received: from mail1.rrz.uni-koeln.de (134.95.100.208) by
server-12.tower-35.messagelabs.com with SMTP; 14 Apr 2005
16:08:37 -0000
server-12.tower-35.messagelabs.com received this from mail1.rrz.uni-koeln.de
(IP addresses match)
Received: from mail1.rrz.Uni-Koeln.DE (localhost
[127.0.0.1]) by mail1.rrz.Uni-Koeln.DE (8.13.1/8.13.1) with
ESMTP id j3EG5oVe023080 (version=TLSv1/SSLv3
cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NOT) for
<[EMAIL PROTECTED]>; Thu, 14 Apr 2005
18:05:50 +0200 (MEST)
mail1.rrz.Uni-Koeln.DE received this from someone claiming
to be mail1.rrz.Uni-Koeln.DE
but really from 127.0.0.1(localhost)
All headers below may be forged
Received: (from [EMAIL PROTECTED]) by mail1.rrz.Uni-Koeln.DE
(8.13.1/8.13.1/Submit) id j3EG5oiT023079 for sundial-out;
Thu, 14 Apr 2005 18:05:50 +0200 (MEST)
Comment before any parameter. Perfectly legal, but unusual
mail1.rrz.Uni-Koeln.DE received this, but doesn't tell us
where from.
(Without a from parameter it's hard to verify later
received headers. Treat with caution)
Received: from mail.gravitymedia.com
(user-6.utah2.fiber.net [209.90.77.6]) by
mail1.rrz.Uni-Koeln.DE (8.13.1/8.13.1) with ESMTP id
j3EG5gQJ023021 (version=TLSv1/SSLv3
cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NOT) for
<sundial@rrz.uni-koeln.de>; Thu, 14 Apr 2005 18:05:47 +0200
(MEST)
mail1.rrz.Uni-Koeln.DE received this from mail.gravitymedia.com
(IP addresses match)
Received: from PDK (ns2.digis.net
[208.186.134.102]) (authenticated bits=0) by
mail.gravitymedia.com (8.12.8/8.12.8) with ESMTP id
j3EFLmG4017838; Thu, 14 Apr 2005 09:21:48 -0600
mail.gravitymedia.com received this from someone claiming
to be PDK
This doesn't match the IP address in the headers, so this
may be a relay point. If so all headers below are probably
forged.
It really came from ns2.digis.net
Message-ID: <[EMAIL PROTECTED]>
From: "Sundial Alarms" <[EMAIL PROTECTED]>
To: "Mac Oglesby" <[EMAIL PROTECTED]> , "Sundial Mail
List" <sundial@rrz.uni-koeln.de>
References: <[EMAIL PROTECTED]>
Subject: Re: Duplicate messages
Date: Thu, 14 Apr 2005 09:23:01 -0600
MIME-Version: 1.0
Content-Type:
text/plain; format=flowed; charset="iso-8859-1"; reply-type=response
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Virus-Scanned: by amavisd-new
X-Spam-Status: 0
X-Spam-Status: 0
X-Spam-Report: FORGED_RCVD_HELO
X-Spam-Report: FORGED_RCVD_HELO
X-Scanned-By: MIMEDefang 2.48 on 127.0.0.1
X-Scanned-By: MIMEDefang 2.48 on 134.95.19.103
X-Scanned-By: MIMEDefang 2.48 on 127.0.0.1
X-Scanned-By: MIMEDefang 2.48 on 134.95.19.103
X-OriginalArrivalTime: 14 Apr 2005 16:16:20.0515 (UTC)
FILETIME=[4B63F730:01C5410D]
Sender: [EMAIL PROTECTED]
Precedence: bulk
Reply-To: "Sundial Alarms" <[EMAIL PROTECTED]>
X-pstn-levels: (S:99.90000/99.90000 R:95.9108 P:95.9108
M:97.0232 C:98.7678 )
X-pstn-settings: 5 (2.0000:2.0000) s gt3 gt2 gt1 r p m c
X-pstn-addresses: from <[EMAIL PROTECTED]> [2169/95]
X-MailScanner-Information: Please contact the ISP for more
information
X-MailScanner: Found to be clean
X-MailScanner-SpamCheck: not spam (whitelisted),
SpamAssassin (score=4.524, required 5.5, RCVD_IN_SORBS
1.10, RCVD_IN_SORBS_WEB 2.80, SARE_RECV_MANYMX 0.62)
X-MailScanner-From: [EMAIL PROTECTED]
X-UIDL: f3-!!U'~"!2#1"!_^5"!
Status: U
A Whois on [EMAIL PROTECTED] returns the following:
04/14/05 13:59:01 whois euromacs.com
.com is a domain of USA & International Commercial
Searches for .com can be run at http://www.crsnic.net/
whois -h whois.crsnic.net euromacs.com ...
Redirecting to NETWORK SOLUTIONS, LLC.
whois -h whois.networksolutions.com euromacs.com ...
NOTICE AND TERMS OF USE: You are not authorized to access or query our WHOIS
database through the use of high-volume, automated, electronic processes. The
Data in Network Solutions' WHOIS database is provided by Network Solutions for information
purposes only, and to assist persons in obtaining information about or related
to a domain name registration record. Network Solutions does not guarantee its accuracy.
By submitting a WHOIS query, you agree to abide by the following terms of use:
You agree that you may use this Data only for lawful purposes and that under no
circumstances will you use this Data to: (1) allow, enable, or otherwise support
the transmission of mass unsolicited, commercial advertising or solicitations
via e-mail, telephone, or facsimile; or (2) enable high volume, automated,
electronic processes that apply to Network Solutions (or its computer systems). The
compilation, repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of Network Solutions. You agree not to use
high-volume, automated, electronic processes to access or query the WHOIS
database. Network Solutions reserves the right to terminate your access to the WHOIS
database in its sole discretion, including without limitation, for excessive
querying of the WHOIS database or for failure to otherwise abide by this policy.
Network Solutions reserves the right to modify these terms at any time.
Registrant:
G2 Solutions Ltd
Ground Floor
St Johns House
Spitfire Close
Ermine Business Centre, Huntingdon pe29 6xy
UK
Domain Name: EUROMACS.COM
Administrative Contact, Technical Contact:
G2 Solutions Ltd [EMAIL PROTECTED]
Ground Floor
St Johns House
Spitfire Close
Ermine Business Centre, Huntingdon pe29 6xy
UK
01480 451190
Record expires on 28-Apr-2005.
Record created on 28-Apr-2000.
Database last updated on 14-Apr-2005 16:59:03 EDT.
Domain servers in listed order:
DNS0.STAR.CO.UK 195.216.16.129
DNS1.STAR.CO.UK 195.216.16.65
________________________________________________________________________
This e-mail has been scanned for all viruses by Star. The
service is powered by MessageLabs. For more information on a proactive
anti-virus service working around the clock, around the globe, visit:
http://www.star.net.uk
________________________________________________________________________
Th. Taudin Chabot, home email: [EMAIL PROTECTED]
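The header walk above is the kind of check a list admin can script rather than read by hand. The following Python is an added example, not part of the post and not Sam Spade's code: it parses a chain of Received: headers, reproduces the "claimed name versus recorded reverse name" comparison for each hop, and then looks for the loop the post diagnoses, i.e. the same list server expanding the same message twice, reporting which host re-submitted it in between. The sample headers are a subset of those quoted in the post, unfolded onto one line each; the addresses the archive masked as [EMAIL PROTECTED] are replaced by example.invalid placeholders (an assumption), and no DNS lookups are made, so a host that "doesn't exist" is reported only as unconfirmable.

```python
"""Walk a chain of Received: headers, flag hops whose announced (HELO) name
disagrees with the name the receiver resolved for the peer IP, and detect a
mailing-list loop: one list server expanding the same message twice."""
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample: a subset of the Received: headers quoted in the post,
# each unfolded onto one line (header order: newest hop first). Addresses
# masked in the archive are replaced by example.invalid placeholders.
SAMPLE_HEADERS = """\
Received: from mailfilter.pacific.net (mailfilter.pacific.net [63.162.241.9]) by mail.pacific.net (8.12.0/8.12.1) with ESMTP id j3EGN6EN027432 for <member@example.invalid>; Thu, 14 Apr 2005 09:23:07 -0700 (PDT)
Received: from psmtp.com (exprod5mx86.postini.com [64.18.0.74]) by mailfilter.pacific.net (8.12.9/8.12.9) with SMTP id j3EGNQTf001020 for <member@example.invalid>; Thu, 14 Apr 2005 09:23:26 -0700
Received: from mail1.rrz.Uni-Koeln.DE (localhost [127.0.0.1]) by mail1.rrz.Uni-Koeln.DE (8.13.1/8.13.1) with ESMTP id j3EGIV2G000295 for <member@example.invalid>; Thu, 14 Apr 2005 18:18:32 +0200 (MEST)
Received: (from owner@example.invalid) by mail1.rrz.Uni-Koeln.DE (8.13.1/8.13.1/Submit) id j3EGIVhU000292 for sundial-out; Thu, 14 Apr 2005 18:18:31 +0200 (MEST)
Received: from server01.Smith-Gardner.local ([217.154.181.6]) by mail1.rrz.Uni-Koeln.DE (8.13.1/8.13.1) with ESMTP id j3EGIQTO000250 for <sundial@rrz.uni-koeln.de>; Thu, 14 Apr 2005 18:18:30 +0200 (MEST)
Received: from mail1.rrz.uni-koeln.de (134.95.100.208) by server-12.tower-35.messagelabs.com with SMTP; 14 Apr 2005 16:08:37 -0000
Received: from mail1.rrz.Uni-Koeln.DE (localhost [127.0.0.1]) by mail1.rrz.Uni-Koeln.DE (8.13.1/8.13.1) with ESMTP id j3EG5oVe023080 for <member@example.invalid>; Thu, 14 Apr 2005 18:05:50 +0200 (MEST)
Received: (from owner@example.invalid) by mail1.rrz.Uni-Koeln.DE (8.13.1/8.13.1/Submit) id j3EG5oiT023079 for sundial-out; Thu, 14 Apr 2005 18:05:50 +0200 (MEST)
Received: from mail.gravitymedia.com (user-6.utah2.fiber.net [209.90.77.6]) by mail1.rrz.Uni-Koeln.DE (8.13.1/8.13.1) with ESMTP id j3EG5gQJ023021 for <sundial@rrz.uni-koeln.de>; Thu, 14 Apr 2005 18:05:47 +0200 (MEST)
"""

# "from HELO (rdns [ip])" is optional (sendmail's local Submit hops write
# "(from user@host)" instead); "by HOST" is always present.
RECEIVED_RE = re.compile(
    r"^Received:\s*"
    r"(?:from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?\s*)?"
    r"(?:\(from\s+[^)]*\)\s*)?"
    r"by\s+(?P<by>\S+)(?P<rest>.*)$"
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


class Hop(NamedTuple):
    helo: Optional[str]       # name the connecting host announced
    rdns: Optional[str]       # name the receiver resolved for the peer IP
    ip: Optional[str]         # peer IP as recorded by the receiver
    by: str                   # receiving host
    recipient: Optional[str]  # value of the "for" clause, if any


def parse_received(headers: str) -> List[Hop]:
    """Return one Hop per Received: line, in header order (newest first)."""
    hops = []
    for line in headers.splitlines():
        m = RECEIVED_RE.match(line.strip())
        if not m:
            continue
        paren = m.group("paren") or ""
        ip_m = IP_RE.search(paren)
        rdns = None
        # "name [ip]" carries a reverse name; "[ip]" or a bare ip does not.
        if paren and not paren.startswith("[") and not IP_RE.fullmatch(paren):
            rdns = paren.split()[0]
        for_m = re.search(r"\bfor\s+<?([^>;\s]+)>?", m.group("rest"))
        hops.append(Hop(m.group("helo"), rdns, ip_m.group(1) if ip_m else None,
                        m.group("by"), for_m.group(1) if for_m else None))
    return hops


def helo_verdict(hop: Hop) -> str:
    """The per-hop comparison Sam Spade prints, done offline from the header."""
    if hop.helo is None:
        return "no from clause: origin not recorded, treat later hops with caution"
    if hop.rdns is None:
        return "no reverse name recorded; cannot confirm the claimed name"
    if hop.helo.lower() == hop.rdns.lower():
        return "claimed name matches reverse DNS"
    return f"claims {hop.helo}, reverse DNS says {hop.rdns}"


def find_list_loop(hops: List[Hop], list_server: str,
                   list_address: str, list_alias: str) -> Dict:
    """Count list expansions (hops where list_server delivered to the
    outbound alias). Two or more means the list saw the message twice; the
    hop that re-submitted it to the list address in between is reported."""
    chrono = list(reversed(hops))            # oldest hop first
    server = list_server.lower()
    expansions = [i for i, h in enumerate(chrono)
                  if h.by.lower() == server and h.recipient == list_alias]
    result = {"expansions": len(expansions), "reinjected_by": None}
    if len(expansions) >= 2:
        first, second = expansions[0], expansions[1]
        for h in reversed(chrono[first + 1:second]):
            if (h.by.lower() == server and h.recipient
                    and h.recipient.lower() == list_address.lower()):
                result["reinjected_by"] = (h.helo, h.ip)
                break
    return result


if __name__ == "__main__":
    hops = parse_received(SAMPLE_HEADERS)
    for h in reversed(hops):
        print(f"{h.helo or '(local)'} -> {h.by}: {helo_verdict(h)}")
    print(find_list_loop(hops, "mail1.rrz.Uni-Koeln.DE",
                         "sundial@rrz.uni-koeln.de", "sundial-out"))
```

Reading the chain oldest-first, the list server hands the message to the MessageLabs/Star relay, a host announcing itself as server01.Smith-Gardner.local then delivers it back to the list address, and the list expands it a second time; that re-submission hop is what the loop check returns, matching the post's conclusion about which subscriber's mail setup reflects list traffic.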