On 30 Mar 2016, at 9:48, Matus UHLAR - fantomas wrote:
On 30.03.16 06:18, redtailjason wrote:
[....]
The headers you have posted show mail that only goes through
internal IPs and localhost, that mail doesn't seem to come from
outside.
On 31.03.16 09:23, Bill Cole wrote:
I believe that this is not correct.
I have looked at all headers in the original mail, they were localhost or
from private range 192.168.0.0/16
it also looks that it comes from EPSON scanner, and has .tiff
attachment
that is quite common for scanned documents.
It is meant to seem that way. This is a very common flavor of spam
these days, although no well-run system accepts it.
Unfortunately...
[...]
Received: from [1.22.69.90] (Unknown_Domain [192.168.1.175])
by MAILSECURITY010.redtailtechnology.com (Symantec Messaging
Gateway) with
SMTP id 69.3E.24467.E9DBBF65; Wed, 30 Mar 2016 04:50:54 -0700 (PDT)
1.22.69.90 is a known recently active spambot:
http://www.abuseat.org/lookup.cgi?ip=1.22.69.90 and it seems like
that spambot is using a proper IP literal of its own IP as its HELO
argument, but is actually appearing to be 192.168.1.175. This is
possible in some environments that use firewalls which NAT inbound
connections so that they seem to come from the firewall itself.
Well, if this is the case, I'm done with it. Are you going to help anyone
with that dumb network configuration, that makes it very hard to fight
spam?
On the other hand, this is a proprietary device which may be building
its Received header perversely... In any case, something is either
claiming to be or seeming to be a spambot in Mumbai when talking to
an inbound MTA in California, which seems unlikely to be in any way a
normal internal mail transmission.
This is a problem at the "Symantec Messaging Gateway" device and
possibly with how it sees connections from the net at large.
Fortunately, Symantec has people paid to support their systems (at
least for paying customers) and one need not post the same thing 3
times in 5 minutes to a public mailing list to get them to respond.
So the OP needs to talk to his vendor. It is letting mail in from a
source that NO ONE should be accepting mail from. The family of bot
CBL thinks that 1.22.69.90 is running says HELO in sub-second times
after connecting whether it sees a banner or not. If Symantec's crap
doesn't refuse that sort of client it is living up to their
reputation for selling the widest collection of popular but broken
garbage of any tech vendor.
I agree. But I would first check if that's really the NAT nonsense (hide
real IP, so we can't find it in blacklists...)
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
"To Boot or not to Boot, that's the question." [WD1270 Caviar]
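An added example, not from any poster in this thread nor from the Symantec product, showing how a defender can check for the pattern Bill points out above: the gateway records a private (RFC1918) connecting address while the client's HELO argument is an address literal carrying a public IP, which is what an inbound NAT that hides the real source looks like in a Received header. The sample header is constructed to match the one quoted in the thread.

```python
import ipaddress
import re

# Constructed sample, modelled on the Received header quoted in the thread.
SAMPLE_RECEIVED = (
    "from [1.22.69.90] (Unknown_Domain [192.168.1.175])\n"
    "\tby MAILSECURITY010.redtailtechnology.com (Symantec Messaging Gateway) with\n"
    "\tSMTP id 69.3E.24467.E9DBBF65; Wed, 30 Mar 2016 04:50:54 -0700 (PDT)"
)

# "from <helo> (<rdns> [<ip>])" as most MTAs write it; the rdns token is optional.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>\S+)\s+)?\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
)

def parse_received(header):
    """Return (helo, reverse_dns, connecting_ip) from one Received: header.
    'helo' is what the client said in HELO/EHLO; 'connecting_ip' is the
    address the MTA actually saw the TCP connection arrive from."""
    text = " ".join(header.split())  # unfold continuation lines
    m = RECEIVED_RE.search(text)
    if not m:
        return None
    return m.group("helo"), m.group("rdns"), m.group("ip")

def helo_literal_ip(helo):
    """If the HELO argument is an address literal such as [1.2.3.4], return it."""
    if helo.startswith("[") and helo.endswith("]"):
        try:
            return ipaddress.ip_address(helo[1:-1])
        except ValueError:
            return None
    return None

def nat_masked_external(header):
    """Flag a private connecting address paired with a public HELO literal,
    i.e. an outside client that reached the MTA through an inbound NAT.
    Returns the public IP claimed in HELO, or None when the pattern is absent."""
    parsed = parse_received(header)
    if parsed is None:
        return None
    helo, _rdns, ip = parsed
    seen = ipaddress.ip_address(ip)
    claimed = helo_literal_ip(helo)
    if claimed is not None and seen.is_private and claimed.is_global:
        return str(claimed)
    return None
```

The returned address is the one worth checking against a DNSBL such as the CBL lookup linked in the thread, since the logged 192.168.x address will never be listed.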