In this case, there was no opportunity to fake headers. Your server received the connection directly from the source.
The IP address is 82.234.174.1. This is the one thing that is almost impossible to fake. This address resolves to "pro75-3-82-234-174-1.fbx.proxad.net". This can't be faked without hacking the DNS servers. The sending server identified itself as "burkeauto.com". This can be (and frequently is) faked, but it doesn't really matter.

So what you have here is a simple case of a remote server sending you spam.

If there were more received lines below the one indicating receipt by your server, you have to assume that the information could be fake. This is why the trusted_networks setting in SpamAssassin is so important. It lets SA determine which headers can be trusted.

Bowie

Thomas Lindell wrote:
> Does that mean they just faked the headers?
>
> I am new to mail administration only been doing it a couple of months
> now and I appreciate all the help.
>
> Thanks
>
> Tom
>
> From: Stuart Johnston [mailto:[EMAIL PROTECTED]
>
> > I think you may be misreading the headers. This mail came from
> > pro75-3-82-234-174-1.fbx.proxad.net
> > [82.234.174.1] (a French ISP).
> >
> > Thomas Lindell wrote:
> > > Gah just when I thought I had spam problems resolved now it appears
> > > someone's able to send spam directly from the server
> > >
> > > Return-Path: <[EMAIL PROTECTED]>
> > > X-Original-To: [EMAIL PROTECTED]
> > > Delivered-To: [EMAIL PROTECTED]
> > > Received: from localhost (localhost.airbornedatalink.com [127.0.0.1])
> > >     by adlsrv4.airbornedatalink.com (Postfix) with ESMTP id 19D3A34004
> > >     for <[EMAIL PROTECTED]>; Wed, 26 Jul 2006 10:41:52 -0500 (CDT)
> > > X-Virus-Scanned: amavisd-new at adlmail.com
> > > Received: from adlsrv4.airbornedatalink.com ([127.0.0.1])
> > >     by localhost (adlsrv4.airbornedatalink.com [127.0.0.1]) (amavisd-new, port 10024)
> > >     with ESMTP id 63sUVcMA5Y1h for <[EMAIL PROTECTED]>;
> > >     Wed, 26 Jul 2006 10:41:47 -0500 (CDT)
> > > Received: from burkeauto.com (pro75-3-82-234-174-1.fbx.proxad.net [82.234.174.1])
> > >     by adlsrv4.airbornedatalink.com (Postfix) with SMTP id 402AB34001
> > >     for <[EMAIL PROTECTED]>; Wed, 26 Jul 2006 10:41:47 -0500 (CDT)
> > > Message-ID: <[EMAIL PROTECTED]>
> > > Reply-To: "Wojciech Doucette" <[EMAIL PROTECTED]>
> > > From: "Wojciech Doucette" <[EMAIL PROTECTED]>
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: keiyqVjlAGRA
> > > Date: Wed, 26 Jul 2006 08:37:50 -0700
> > > MIME-Version: 1.0
> > > Content-Type: multipart/alternative;
> > >     boundary="----=_NextPart_000_0001_01C6B08E.C7334B30"
> > > X-Priority: 3
> > > X-MSMail-Priority: Normal
> > > X-Mailer: Microsoft Outlook Express 6.00.2800.1106
> > > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
> > > X-Antivirus: AVG for E-mail 7.1.394 [268.10.4/399
> > >
> > > Based on this header I believe it's some sort of bounce attack or
> > > local attack
> > >
> > > Anyone have any thoughts I'm at my wits' end
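
Added example (not part of the original thread, and not SpamAssassin's own code): a simplified model of the trust boundary discussed above, walking the Received lines newest-first and stopping at the first connecting IP outside the trusted networks. The loopback-only trusted list and the bottom `mail.example.org` Received line are constructed assumptions; the other headers are abridged from the thread.

```python
import ipaddress
import re
from email import message_from_string

# Assumption: only loopback is trusted. A real trusted_networks list would also
# hold the mail server's own addresses, which the thread does not give.
TRUSTED = [ipaddress.ip_network("127.0.0.0/8")]

# "from HELO (rDNS [IP])" as written by Postfix; the rDNS name may be absent.
FROM_RE = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([0-9A-Fa-f.:]+)\]\)")

# Headers abridged from the thread, plus one CONSTRUCTED forged line at the bottom.
SAMPLE = """\
Received: from localhost (localhost.airbornedatalink.com [127.0.0.1])
\tby adlsrv4.airbornedatalink.com (Postfix) with ESMTP id 19D3A34004
Received: from adlsrv4.airbornedatalink.com ([127.0.0.1])
\tby localhost (adlsrv4.airbornedatalink.com [127.0.0.1]) (amavisd-new, port 10024)
Received: from burkeauto.com (pro75-3-82-234-174-1.fbx.proxad.net [82.234.174.1])
\tby adlsrv4.airbornedatalink.com (Postfix) with SMTP id 402AB34001
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby burkeauto.com with ESMTP id CONSTRUCTED
Subject: Re: keiyqVjlAGRA

body
"""

def first_external_hop(raw_message, trusted=TRUSTED):
    """Walk Received headers newest-first; stop at the first untrusted client."""
    hops = message_from_string(raw_message).get_all("Received", [])
    for index, header in enumerate(hops):
        match = FROM_RE.search(header)
        # An unparseable hop is treated as the boundary (fail closed).
        helo, rdns, ip = match.groups() if match else (None, None, None)
        if ip and any(ipaddress.ip_address(ip) in net for net in trusted):
            continue  # written by our own relay chain, keep walking down
        return {
            "ip": ip, "rdns": rdns, "helo": helo,
            "helo_matches_rdns": bool(helo) and helo.lower() == (rdns or "").lower(),
            # Every Received line below this hop was supplied by the sender.
            "unverified_below": len(hops) - index - 1,
        }
    return None  # every hop was inside the trusted networks

if __name__ == "__main__":
    print(first_external_hop(SAMPLE))
```

On the sample, the boundary is the 82.234.174.1 hop: the HELO name does not match the rDNS name, and the one Received line beneath it counts as unverified.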