>I am getting a lot of spam from a particular class C (204.127.131.0-254)
>and when I process it through spam cop it never shows those IPs as the
>offenders.

I'm not sure why it doesn't show those IPs as the offenders:

>Received: from mtiwgwc26.worldnet.att.net [204.127.131.29] by
>mail.integrated.cc with ESMTP
> (SMTPD32-6.06) id A705117201EC; Mon, 25 Mar 2002 20:12:05 -0700

The first Received: header is normally the only one you can trust. In this case, 204.127.131.29 connected to IMail. Unless you have reason to trust that server (i.e., it's your backup mail server, or someone has an account there that forwards mail to you), it's the culprit.

However, http://www.dnsstuff.com/tools/whois.ch?ip=204.127.131.29 shows that AT&T has the 204.127.0.0/16 Class B range, which makes it more interesting (the reverse DNS entry mtiwgwc26.worldnet.att.net isn't clear as to whether it's a dialup account, an AT&T mailserver, or a static IP that a company may be using as a mailserver). Since it doesn't seem to be responding on port 25, I'm guessing it's a dialup account.

If it is a dialup account, then any further headers can safely be ignored, as they are almost certainly forged.

>Received: from hanvitservice.co.kr ([203.251.168.41])
> by mtiwgwc26.worldnet.att.net
> (InterMail vM.4.01.03.27 201-229-121-127-20010626) with SMTP
> id
><[EMAIL PROTECTED]>
> for <[EMAIL PROTECTED]>; Tue, 26 Mar 2002 03:11:58 +0000

But, this header (which can't be trusted) makes it appear as though the E-mail was being sent to [EMAIL PROTECTED], which was then forwarded to your mail server. Given that the worldnet.att.net MX records all point to IPs at 204.127.134.x, it may be that 204.127.131.x IPs are also AT&T mailservers of some sort. So my guess is that the [EMAIL PROTECTED] account is forwarding the mail to you.

-Scott

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". You can E-mail [EMAIL PROTECTED] for assistance.
You can visit our web site at http://www.declude.com .
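
The trust rule described in the message above, as an added Python example that is not part of the original post: walk the Received: headers newest-first and stop at the first connecting IP that is not a relay you trust. The names `peer_ip`, `find_offender` and `trusted_relays` are assumptions made for illustration, and the sample message is constructed from the two quoted headers with the redacted addresses left out.

```python
import email
import ipaddress
import re

# Constructed sample: the two Received: headers quoted above, newest first.
SAMPLE = (
    "Received: from mtiwgwc26.worldnet.att.net [204.127.131.29] by\n"
    " mail.integrated.cc with ESMTP\n"
    " (SMTPD32-6.06) id A705117201EC; Mon, 25 Mar 2002 20:12:05 -0700\n"
    "Received: from hanvitservice.co.kr ([203.251.168.41])\n"
    " by mtiwgwc26.worldnet.att.net\n"
    " (InterMail vM.4.01.03.27 201-229-121-127-20010626) with SMTP;\n"
    " Tue, 26 Mar 2002 03:11:58 +0000\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def peer_ip(received):
    """Return the bracketed IPv4 literal in one Received: value, or None."""
    m = IP_IN_BRACKETS.search(received)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:  # e.g. an octet above 255 in a forged header
        return None

def find_offender(raw_message, trusted_relays=()):
    """Return (offender_ip, unverified_ips) for a raw message.

    The topmost header was written by our own server, so its peer IP is
    reliable. A lower header is believed only if the host that wrote it
    (the peer of the header above) is inside trusted_relays.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_relays]
    msg = email.message_from_string(raw_message)
    hops = [peer_ip(h) for h in msg.get_all("Received", [])]
    for i, ip in enumerate(hops):
        if ip is None or not any(ip in n for n in nets):
            # Everything below this hop was written by an untrusted host.
            return ip, [h for h in hops[i + 1:] if h is not None]
    return None, []  # every hop was a trusted relay
```

With no trusted relays the result is 204.127.131.29, the "culprit" case; listing 204.127.131.0/24 as a trusted forwarder moves the result down to 203.251.168.41, the forwarding case.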
