>I've a question about the Mail-Header below:
>Following the mailservers that passed this mail, I can see that the
>first one was a hotmail mailserver.
Maybe.
Since a spammer could send E-mail directly to your mailserver, he could
have forged all the Received: headers. So, the only Received: header that
is guaranteed to be accurate is the first one (the one that your mailserver
adds):
>Received: from relay.seq.it [194.242.192.7] by mail.zcom.it with ESMTP
> (SMTPD32-6.06) id A4524E900C2; Fri, 14 Jun 2002 03:18:10 +0200
In this case, all you know for sure is that you received the E-mail from
194.242.192.7 (which may or may not be relay.seq.it -- that's just what the
remote mailserver claims to be). The next Received header:
> Received: from smtp.seq.it (lyskamm.dnet.it [194.242.196.14])
> by mbox.seq.it (8.11.0/8.11.0) with ESMTP id g5E1OC104889;
> Fri, 14 Jun 2002 03:24:12 +0200 (MET DST)
may or may not be legitimate. In this case, it looks legitimate, in which
case we would check the next header:
>Received: from exchsrvr55.nardeen.com.sa ([212.93.162.195])
> by smtp.seq.it (8.11.0/8.11.0) with ESMTP id g5E1Yhr15353;
> Fri, 14 Jun 2002 03:34:44 +0200 (MET DST)
and this one looks legitimate too (but may not be). This shows that
smtp.seq.it supposedly received the E-mail from 212.93.162.195, which is a
Saudi Arabian mailserver.
>The second server (exchsrvr55.nardeen.com.sa) is very strange, because
>it has absolutely nothing to do with the recipient's mailserver. (But
>it's obviously an OR.)
>
>So, why does a hotmail server send a mail to an OR that has nothing to do
>here?
Because the last Received: header:
>Received: from mx14.hotmail.com (209.248.175.2.nw.nuvox.net
> [209.248.175.2]) by exchsrvr55.nardeen.com.sa with SMTP
> (Microsoft Exchange Internet Mail Service Version 5.5.
> 2653.13) id MZCDTKRV; Wed, 12 Jun 2002 19:39:04 -0700
is correct, but the spammer sent his mail from a machine claiming to be a
hotmail.com mailserver. But if you check the IP address (the only
information in a Received: header that is likely to be trustworthy, but
isn't always correct after the first Received: header), it is
209.248.175.2. A reverse DNS lookup of that IP shows
209.248.175.2.nw.nuvox.net. So it didn't really come from Hotmail.
>Question: Will this action have any consequence for the tests in
>JunkMail?
That depends. If the mailserver you received the E-mail from is listed in
an open relay database (which it should), it could get caught with the
default Declude JunkMail settings. If the only IP that is listed in any
spam databases is the 209.248.175.2 IP, then Declude JunkMail would only
catch it with a HOPHIGH 3 setting (which would scan 3 hops after the
original hop). That uses a lot of extra resources though (as it typically
requires 2-3 times as many DNS lookups).
-Scott
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". You can E-mail
[EMAIL PROTECTED] for assistance. You can visit our web
site at http://www.declude.com .
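The header walk Scott describes above (trust only the IP your own server logged, then check each older hop's claimed name against the reverse DNS the receiving host recorded, and count hops for a HOPHIGH-style scan), written out as an added Python example. This is not code from the thread or from Declude; the sample message is reconstructed from the four Received: headers quoted above, `hophigh_ips` encodes my reading of Scott's description of HOPHIGH (hop 0 plus N hops beyond it, an assumption to check against your own configuration), and `domain()` is a deliberately crude last-two-labels heuristic. Note that a HELO/rDNS mismatch is a pointer, not proof: the check flags both the `lyskamm.dnet.it` hop, which the thread judges benign, and the `hotmail.com` claim from a nuvox.net address, which it does not; telling them apart is the analyst's job.

```python
import email
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the four Received: headers quoted in the thread, in
# message order (top header = the one your own server, mail.zcom.it, added).
RAW_MESSAGE = """\
Received: from relay.seq.it [194.242.192.7] by mail.zcom.it with ESMTP
  (SMTPD32-6.06) id A4524E900C2; Fri, 14 Jun 2002 03:18:10 +0200
Received: from smtp.seq.it (lyskamm.dnet.it [194.242.196.14])
  by mbox.seq.it (8.11.0/8.11.0) with ESMTP id g5E1OC104889;
  Fri, 14 Jun 2002 03:24:12 +0200 (MET DST)
Received: from exchsrvr55.nardeen.com.sa ([212.93.162.195])
  by smtp.seq.it (8.11.0/8.11.0) with ESMTP id g5E1Yhr15353;
  Fri, 14 Jun 2002 03:34:44 +0200 (MET DST)
Received: from mx14.hotmail.com (209.248.175.2.nw.nuvox.net
  [209.248.175.2]) by exchsrvr55.nardeen.com.sa with SMTP
  (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
  id MZCDTKRV; Wed, 12 Jun 2002 19:39:04 -0700
Subject: sample

body
"""

# "from <helo> (<rdns> [<ip>]) by <host>" with the parenthesised part, the
# rdns name and the bracketed IP each optional, as in the headers above.
HOP_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s*"
    r"(?:\(\s*(?P<rdns>[^\s\[\]()]+)?\s*(?:\[(?P<ip1>[\d.]+)\])?\s*\))?\s*"
    r"(?:\[(?P<ip2>[\d.]+)\])?"
    r".*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE,
)


@dataclass
class Hop:
    helo: str             # name the sender claimed in HELO/EHLO: untrusted
    rdns: Optional[str]   # reverse DNS the receiver logged for the peer, if any
    ip: Optional[str]     # peer IP the receiver saw: the only reliable field
    by: str               # the receiving host that wrote this header


def parse_hops(raw_message: str) -> List[Hop]:
    """Return Received: hops in message order; hop 0 is the newest (yours)."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.match(text)
        if m:
            hops.append(Hop(m["helo"], m["rdns"], m["ip1"] or m["ip2"], m["by"]))
    return hops


def trusted_ip(hops: List[Hop]) -> Optional[str]:
    """The only IP a spammer could not forge: the one your own server logged."""
    return hops[0].ip if hops else None


def domain(name: str) -> str:
    """Crude heuristic (assumption): last two labels stand in for the org domain."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def suspicious_hops(hops: List[Hop]) -> List[Tuple[int, str]]:
    """Hops whose claimed name is not backed by the reverse DNS of their IP."""
    findings = []
    for i, hop in enumerate(hops):
        if hop.rdns is not None and domain(hop.rdns) != domain(hop.helo):
            findings.append((i, f"claims {hop.helo} but rDNS of {hop.ip} is {hop.rdns}"))
    return findings


def chain_breaks(hops: List[Hop]) -> List[int]:
    """Indexes i where hop i's 'from' host does not match hop i+1's 'by' host."""
    return [i for i in range(len(hops) - 1)
            if domain(hops[i].helo) != domain(hops[i + 1].by)]


def hophigh_ips(hops: List[Hop], hophigh: int) -> List[str]:
    """IPs a HOPHIGH-style scan would look up: hop 0 plus `hophigh` older hops.
    Assumption based on the thread's description, not Declude's own code."""
    return [h.ip for h in hops[: hophigh + 1] if h.ip]


if __name__ == "__main__":
    hops = parse_hops(RAW_MESSAGE)
    print("trusted IP:", trusted_ip(hops))
    for i, why in suspicious_hops(hops):
        print(f"hop {i}: {why}")
    print("chain breaks:", chain_breaks(hops))
    print("IPs checked at HOPHIGH 3:", hophigh_ips(hops, 3))
```

Run it as-is to see that HOPHIGH 0 would only ever look up 194.242.192.7, while HOPHIGH 3 is what reaches 209.248.175.2, at the cost of four lookups per list instead of one.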