Kai Schaetzl wrote:

Michael Moyse wrote on Fri, 08 Jul 2005 17:55:32 +0100:

To me it looks like a duck and sounds like a duck. I'm probably wrong and missing something here because I'm no expert, so I'm happy to be enlightened.

OK, I'll enlighten you ;-) I hope I'm not wrong. Now that I look again at the headers, it turns out I was wrong as well; see below.

From the headers:

Received: (qmail 10812 invoked by uid 567); 5 Jul 2005 12:03:20 -0000
Received: from 65.33.195.76 by host1 (envelope-from <[EMAIL PROTECTED]>, uid 502) with qmail-scanner-1.25 (clamdscan: 0.86.1/967. spamassassin: 3.0.4. Clear:RC:0(65.33.195.76):SA:0(0.0/1.5):. Processed in 0.44071 secs); 05 Jul 2005 12:03:20 -0000
Received: from unknown (HELO ss) (65.33.195.76) by 0 with SMTP; 5 Jul 2005 12:03:19 -0000
65.33.195.76 = 76.195.33.65.cfl.res.rr.com !

Received: from vitalmex.com.mx (mail1.vitalmex.com.mx [148.223.241.181]) by 76.195.33.65.cfl.res.rr.com (Pastfix) with ESMTP id 0456EDBA28 for <[EMAIL PROTECTED]>; Tue, 05 Jul 2005 05:21:23 -0700
The mail went:
vitalmex -> Roadrunner (Po/astfix) -> boom-edv.de (qmail)
The last Received line looks forged (Pastfix); there's also no SMTP running at 76.195.33.65.cfl.res.rr.com (= no open/abusable relay). This suggests that the mail was sent out directly from that Roadrunner account and that the last Received plus all the vitalmex stuff is completely forged. Also, a spammer who abused a Roadrunner account would obviously not send openly from his own MX and give you a return-path which leads back to him.

So, what you actually have to block is .rr.com and not .vitalmex.com.mx or .mx. This mail would have never reached us, because we already block all of .rr.com :-)


Kai

Cool! Thanks for the explanation
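Kai's reasoning above, walking the Received chain from the receiving site's own MTA downwards and treating everything below that boundary as an unverified claim by the sender, as an added Python example (not code from the list thread). It reproduces the quoted headers as a constructed message; the redacted recipient address is replaced with a placeholder, the set of trusted "by" host names (host1 and the qmail smtpd that writes "by 0") is an assumption read off the quoted headers, and the reverse-DNS name is supplied as a dictionary so the script runs offline.

```python
import re
from email import message_from_string

# Constructed message reproducing the Received chain quoted in the thread.
# The recipient address was redacted on the list; a placeholder is used here.
RAW_MESSAGE = """\
Received: (qmail 10812 invoked by uid 567); 5 Jul 2005 12:03:20 -0000
Received: from 65.33.195.76 by host1 (envelope-from <recipient@example.invalid>, uid 502) with qmail-scanner-1.25 (clamdscan: 0.86.1/967. spamassassin: 3.0.4. Clear:RC:0(65.33.195.76):SA:0(0.0/1.5):. Processed in 0.44071 secs); 05 Jul 2005 12:03:20 -0000
Received: from unknown (HELO ss) (65.33.195.76) by 0 with SMTP; 5 Jul 2005 12:03:19 -0000
Received: from vitalmex.com.mx (mail1.vitalmex.com.mx [148.223.241.181]) by 76.195.33.65.cfl.res.rr.com (Pastfix) with ESMTP id 0456EDBA28 for <recipient@example.invalid>; Tue, 05 Jul 2005 05:21:23 -0700
From: someone@vitalmex.com.mx
Subject: constructed sample

(body)
"""

# Names our own MTAs write into the "by" clause. Assumption: taken from the
# quoted headers (host1 = qmail-scanner, "0" = how this qmail smtpd names itself).
TRUSTED_MTAS = {"host1", "0"}

# Reverse DNS as the thread reports it, supplied here so no lookups are needed.
RDNS = {"65.33.195.76": "76.195.33.65.cfl.res.rr.com"}

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_RE = re.compile(r"^from\s+(\S+)", re.I)
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.\-]+)")
# Generic labels that ISPs commonly put in rDNS of dynamic/residential ranges.
RESIDENTIAL_RE = re.compile(r"(^|[.\-])(res|dsl|dhcp|dyn|dynamic|pool|cable|ppp)([.\-]|$)", re.I)


def parse_received(value):
    """Split one Received: value into the fields needed to trace a hop."""
    value = " ".join(value.split())  # collapse header folding
    from_m = FROM_RE.match(value)    # a hop with no "from" is a local handoff
    by_m = BY_RE.search(value)
    ip_m = IP_RE.search(value)       # first IP literal = the connecting client
    return {
        "from_host": from_m.group(1) if from_m else None,
        "from_ip": ip_m.group(1) if (from_m and ip_m) else None,
        "by": by_m.group(1) if by_m else None,
        "raw": value,
    }


def trace(raw_message, trusted_mtas=TRUSTED_MTAS):
    """Walk the chain newest-first; stop trusting at the first foreign MTA."""
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    trusted, untrusted = [], []
    for hop in hops:
        local = hop["from_host"] is None
        if untrusted or not (local or hop["by"] in trusted_mtas):
            untrusted.append(hop)   # written by someone else: a claim, not a fact
        else:
            trusted.append(hop)
    # The lowest trusted hop names the IP that really connected to us.
    connecting_ip = next((h["from_ip"] for h in reversed(trusted) if h["from_ip"]), None)
    return {"connecting_ip": connecting_ip, "trusted": trusted, "untrusted": untrusted}


def looks_residential(hostname, ip=None):
    """Heuristic: generic rDNS labels, or the IP's own octets embedded in the name."""
    if RESIDENTIAL_RE.search(hostname):
        return True
    if ip:
        labels = hostname.split(".")
        if all(octet in labels for octet in ip.split(".")):
            return True
    return False


def analyze(raw_message, rdns=RDNS):
    """Summarise what the headers prove versus what they merely assert."""
    t = trace(raw_message)
    ip = t["connecting_ip"]
    name = rdns.get(ip, "")
    findings = []
    if ip and looks_residential(name, ip):
        findings.append(f"connecting host {ip} ({name}) looks like a residential/dynamic address")
    for hop in t["untrusted"]:
        findings.append(f"unverifiable hop below trust boundary: from {hop['from_host']} by {hop['by']}")
    return {"connecting_ip": ip, "rdns": name, "findings": findings}


if __name__ == "__main__":
    report = analyze(RAW_MESSAGE)
    print("connecting IP:", report["connecting_ip"], report["rdns"])
    for line in report["findings"]:
        print(" -", line)
```

The script reports 65.33.195.76 as the only host that demonstrably talked to the receiving qmail, flags its rDNS as a residential-style name, and lists the vitalmex hop as unverifiable, which is exactly why a block on the vitalmex domain would miss the real source.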
