Kami,
I'll give it a shot.
I am assuming the headers haven't been changed and that they are in
the actual order received. Of course that's not necessarily true
depending upon the software used along the way.
In this case it is almost certainly untrue.
Headers normally are in the most recent received order descending.
For instance the topmost header line on your message I received from
the list to my server is:
Received: from declude.com [66.189.58.123] by smartbusiness.net
with ESMTP
My server is smartbusiness.net.
Now we'll have a go at reading the headers you submitted (I'm starting
at the bottom):
KR> Received: from [135.12.72.250] by ssymail.ssy.co.kr with SMTP;
KR> Nov, 03 2002 11:27:47 AM -0300
This header reports the message originated from 135.12.72.250 -
(which is allocated to Lucent Technologies per ARIN) and received
by a server identifying itself as ssymail.ssy.co.kr. Note that
the time received is 11/3/2002 11:27, 3 hours west of Greenwich.
SMTP was the protocol used in the dialogue between the 2 servers.
KR> Received: from [198.250.227.71] by m10.grp.snv.yahoo.com with
KR> QMQP; Nov, 03 2002 11:59:28 AM +0400
Now the next server says it is m10.grp.snv.yahoo.com and it says
it received the message from 198.250.227.71 which is owned by the
Army Office for Defense Medical. So ssymail.ssy.co.kr is likely
forged and 198.250.227.71 could be forged as well. And supposedly
this server is 4 hours west of Greenwich. Also interesting is the
fact that it says it used QMQP (Quick Mail Queueing Protocol) to
receive the message.
KR> Received: from sparc.isl.net ([45.55.85.241]) by
KR> anther.webhostingtalk.com with NNFMP; Nov, 03 2002 1:21:28 PM
KR> -0100
Now anther.webhostingtalk.com says it talked NNFMP to sparc.isl.net
which is supposedly at 45.55.85.241 (assigned to Interop Show
Network) and 1 hour west of Greenwich.
KR> Received: from unknown (6.61.10.17) by rly-xr02.mx.aol.com with
KR> NNFMP; Nov, 03 2002 2:08:31 PM -0000
Finally your server (or maybe I should say the destination server
since you don't seem to know that you are using AOL) says it
received the message via NNFMP from 6.61.10.17 (assigned to
NS01.ARMY.MIL) and that it is right in the middle of Greenwich.
KR> The reason for the question is the domain "webhostingtalk.com" is
KR> appearing in a lot of SPAMs lately. The company appears to be a
KR> legitimate company. Does anyone know about these folks..?
Well webhostingtalk.com has one MX record that points to
207.218.223.171 which appears nowhere in these headers.
But honestly to me these headers appear to be either totally
forged or copied from several other messages and cobbled together.
I don't think there is any information in these headers that is
reliable. Either information is missing or this is just garbage.
KR> & how can AOL allow spam to be sent out like this? Isn't the first
KR> record from AOL?
Unless you've changed the headers yourself, or unless you're
reporting something that's not the headers, or unless a program
has changed the headers, that should be your server.
Since it isn't then either these aren't the headers or they've
been seriously forged.
Best thing to do is study the headers on known good messages. It is
not complicated to read them but does take some practice.
I see you're using Outlook. I'm afraid this doesn't really make your
work any easier.
Happy hunting.
Terry Fritts
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
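The bottom-up walk Terry does by hand above, as an added example that is not part of the original post: it parses the four quoted Received lines (unfolded here as constructed sample input), normalises every timestamp to UTC, and flags hops that are stamped earlier than the hop before them, transports a normal MTA would not write, and a top hop not stamped by the expected receiving server. The KNOWN_WITH list and the server name passed in are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the four Received lines quoted in the post, unfolded
# onto single lines, top (last hop) to bottom (first hop) as in a real message.
SAMPLE_HEADERS = [
    "Received: from unknown (6.61.10.17) by rly-xr02.mx.aol.com with NNFMP; Nov, 03 2002 2:08:31 PM -0000",
    "Received: from sparc.isl.net ([45.55.85.241]) by anther.webhostingtalk.com with NNFMP; Nov, 03 2002 1:21:28 PM -0100",
    "Received: from [198.250.227.71] by m10.grp.snv.yahoo.com with QMQP; Nov, 03 2002 11:59:28 AM +0400",
    "Received: from [135.12.72.250] by ssymail.ssy.co.kr with SMTP; Nov, 03 2002 11:27:47 AM -0300",
]

# Assumed list of transports a typical MTA writes; anything else gets a second look.
KNOWN_WITH = {"SMTP", "ESMTP", "ESMTPS", "ESMTPA", "ESMTPSA", "LMTP", "HTTP", "LOCAL"}

HOP_RE = re.compile(r"Received:\s+from\s+(?P<from>.+?)\s+by\s+(?P<by>\S+)\s+with\s+(?P<with>\S+);\s*(?P<date>.+)$")
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def parse_received(line):
    """Split one Received header into from-IP, by-host, transport and UTC time."""
    m = HOP_RE.match(line)
    if not m:
        raise ValueError("unparseable Received header: " + line)
    ip = IP_RE.search(m.group("from"))
    # The quoted headers use the odd "Nov, 03 2002 11:27:47 AM -0300" layout.
    when = datetime.strptime(m.group("date").strip(), "%b, %d %Y %I:%M:%S %p %z")
    return {"from_ip": ip.group(0) if ip else None, "by": m.group("by"),
            "with": m.group("with").upper(), "utc": when.astimezone(timezone.utc)}

def check_chain(headers, my_server):
    """Walk the hops bottom-up (origin first) and return (hops, findings)."""
    hops = [parse_received(h) for h in reversed(headers)]
    findings = []
    # The topmost Received line (last hop) should be stamped by your own server.
    if not hops[-1]["by"].endswith(my_server):
        findings.append("top hop stamped by %s, not %s" % (hops[-1]["by"], my_server))
    for i, hop in enumerate(hops):
        if hop["with"] not in KNOWN_WITH:
            findings.append("hop %d: unusual transport %s" % (i + 1, hop["with"]))
        # Each server should stamp the message no earlier than the one before it.
        if i and hop["utc"] < hops[i - 1]["utc"]:
            findings.append("hop %d: %s UTC is earlier than hop %d at %s UTC" % (
                i + 1, hop["utc"].strftime("%H:%M:%S"), i, hops[i - 1]["utc"].strftime("%H:%M:%S")))
    return hops, findings

if __name__ == "__main__":
    hops, findings = check_chain(SAMPLE_HEADERS, "aol.com")
    for i, h in enumerate(hops, 1):
        print(i, h["from_ip"], "->", h["by"], h["with"], h["utc"].strftime("%H:%M:%S UTC"))
    for f in findings:
        print("!", f)
```

On these headers two of the four hops are stamped before the hop that supposedly fed them, which is the same conclusion the post reaches about the chain being cobbled together.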