That part is faked. Return-path can be faked. Reply-to can be faked.
Virtually any part of the headers can be faked up to where servers
you control enter the picture.

{^_^}
----- Original Message -----
From: "Thomas Lindell" <[EMAIL PROTECTED]>

I guess I am confused.  It appears to me that it was sent by
[EMAIL PROTECTED] to [EMAIL PROTECTED]

Of course, like Stuart pointed out, I could be just misreading it.



-----Original Message-----
From: Bowie Bailey [mailto:[EMAIL PROTECTED]
In this case, there was no opportunity to fake headers.  Your server
received the connection directly from the source.

The IP address is 82.234.174.1.  This is the one thing that is almost
impossible to fake.

This address resolves to "pro75-3-82-234-174-1.fbx.proxad.net".  This
can't be faked without hacking the DNS servers.

The sending server identified itself as "burkeauto.com".  This can be
(and frequently is) faked, but it doesn't really matter.

So what you have here is a simple case of a remote server sending you
spam.

If there were more received lines below the one indicating receipt by
your server, you have to assume that the information could be fake.
This is why the trusted_networks setting in SpamAssassin is so
important.  It lets SA determine which headers can be trusted.

Bowie

Thomas Lindell wrote:
Does that mean they just faked the headers?


I am new to mail administration, only been doing it a couple of months
now, and I appreciate all the help.

Thanks

Tom

From: Stuart Johnston [mailto:[EMAIL PROTECTED]
> I think you may be misreading the headers. This mail came from
> pro75-3-82-234-174-1.fbx.proxad.net
> [82.234.174.1] (a French ISP).
>
> Thomas Lindell wrote:
> > Gah, just when I thought I had spam problems resolved, now it appears
> > someone's able to send spam directly from the server
> >
> > Return-Path: <[EMAIL PROTECTED]>
> > X-Original-To: [EMAIL PROTECTED]
> > Delivered-To: [EMAIL PROTECTED]
> > Received: from localhost (localhost.airbornedatalink.com [127.0.0.1])
> >             by adlsrv4.airbornedatalink.com (Postfix) with ESMTP id 19D3A34004
> >             for <[EMAIL PROTECTED]>; Wed, 26 Jul 2006 10:41:52 -0500 (CDT)
> > X-Virus-Scanned: amavisd-new at adlmail.com
> > Received: from adlsrv4.airbornedatalink.com ([127.0.0.1])
> >             by localhost (adlsrv4.airbornedatalink.com [127.0.0.1]) (amavisd-new, port 10024)
> >             with ESMTP id 63sUVcMA5Y1h for <[EMAIL PROTECTED]>;
> >             Wed, 26 Jul 2006 10:41:47 -0500 (CDT)
> > Received: from burkeauto.com (pro75-3-82-234-174-1.fbx.proxad.net [82.234.174.1])
> >             by adlsrv4.airbornedatalink.com (Postfix) with SMTP id 402AB34001
> >             for <[EMAIL PROTECTED]>; Wed, 26 Jul 2006 10:41:47 -0500 (CDT)
> > Message-ID: <[EMAIL PROTECTED]>
> > Reply-To: "Wojciech Doucette" <[EMAIL PROTECTED]>
> > From: "Wojciech Doucette" <[EMAIL PROTECTED]>
> > To: [EMAIL PROTECTED]
> > Subject: Re: keiyqVjlAGRA
> > Date: Wed, 26 Jul 2006 08:37:50 -0700
> > MIME-Version: 1.0
> > Content-Type: multipart/alternative;
> >             boundary="----=_NextPart_000_0001_01C6B08E.C7334B30"
> > X-Priority: 3
> > X-MSMail-Priority: Normal
> > X-Mailer: Microsoft Outlook Express 6.00.2800.1106
> > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
> > X-Antivirus: AVG for E-mail 7.1.394 [268.10.4/399
> >
> > Based on this header I believe it's some sort of bounce attack or
> > local attack
> >
> > Anyone have any thoughts? I'm at my wits' end
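
The trust rule described in the thread (a Received line is reliable only if a server you control wrote it), as an added Python example that is not part of the original messages or of SpamAssassin. The `TRUSTED` list, the function names, and the forged bottom header with `mail.example.org` / `203.0.113.9` are assumptions constructed for illustration.

```python
import email
import ipaddress
import re

# Assumption: only loopback (the amavisd-new hop) counts as one of "our"
# relays, in the spirit of SpamAssassin's trusted_networks setting.
TRUSTED = [ipaddress.ip_network("127.0.0.0/8")]

# Constructed sample: the thread's three Received lines (ids and recipients
# dropped) plus one forged line of the kind a sender can prepend.
RAW = (
    "Received: from localhost (localhost.airbornedatalink.com [127.0.0.1])\n"
    "\tby adlsrv4.airbornedatalink.com (Postfix) with ESMTP\n"
    "Received: from adlsrv4.airbornedatalink.com ([127.0.0.1])\n"
    "\tby localhost (adlsrv4.airbornedatalink.com [127.0.0.1]) with ESMTP\n"
    "Received: from burkeauto.com (pro75-3-82-234-174-1.fbx.proxad.net [82.234.174.1])\n"
    "\tby adlsrv4.airbornedatalink.com (Postfix) with SMTP\n"
    "Received: from mail.example.org ([203.0.113.9])\n"
    "\tby burkeauto.com with SMTP\n"
    "Subject: constructed sample\n\nbody\n"
)

# "from HELO (rDNS [IP])": HELO is the client's own claim; the rDNS name
# and IP in parentheses are what the receiving server recorded.
PEER = re.compile(r"from\s+(\S+)\s+\(([^\[\]()]*)\[([0-9A-Fa-f:.]+)\]\)")


def classify(raw):
    """Return a list of (helo, rdns, ip, verdict), newest header first."""
    hops, writer_trusted = [], True  # our own server wrote the top header
    for value in email.message_from_string(raw).get_all("Received", []):
        m = PEER.match(value)
        helo, rdns, ip = (m[1], m[2].strip(), m[3]) if m else (None, None, None)
        if not writer_trusted or ip is None:
            verdict, writer_trusted = "unverified", False  # fail closed
        elif any(ipaddress.ip_address(ip) in net for net in TRUSTED):
            verdict = "trusted-relay"  # the next header down is still ours
        else:
            verdict, writer_trusted = "source", False  # first outside peer
        hops.append((helo, rdns, ip, verdict))
    return hops


def source_hop(raw):
    """The hop where the message entered servers we control, or None."""
    return next((h for h in classify(raw) if h[3] == "source"), None)


if __name__ == "__main__":
    print(*classify(RAW), sep="\n")
```

On the sample, the two loopback hops are classed as trusted relays, 82.234.174.1 is the source, and the header below it is marked unverified because the host that wrote it is not one of ours.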
