Here's another example: 03:12 15:59 SMTPD(2842009C) [10.9.8.51] connect 169.207.38.237 port 4345 03:12 15:59 SMTPD(2842009C) [169.207.38.237] HELO 208.253.112.160 03:12 15:59 SMTPD(2842009C) [169.207.38.237] MAIL FROM: <[EMAIL PROTECTED]> 03:12 15:59 SMTPD(2842009C) [169.207.38.237] RCPT TO: <[EMAIL PROTECTED]> 03:12 15:59 SMTPD(2842009C) [169.207.38.237] RCPT TO: <[EMAIL PROTECTED]> 03:12 15:59 SMTPD(2842009C) [169.207.38.237] ERR richmond.com invalid user <[EMAIL PROTECTED] 03:12 15:59 SMTPD(2842009C) [169.207.38.237] RCPT TO: <[EMAIL PROTECTED]> 03:12 15:59 SMTPD(2842009C) [169.207.38.237] ERR richmond.com invalid user <[EMAIL PROTECTED]
He's using multiple RCPT TO addresses. b ---------- Original Message ---------------------------------- From: "R. Scott Perry" <[EMAIL PROTECTED]> Reply-To: [EMAIL PROTECTED] Date: Wed, 12 Mar 2003 19:11:04 -0500 > >>Here's an example of the email he's trying to relay through: > >The key information isn't in the headers in this case -- it's in the IMail >SMTP log file. Most importantly are the "RCPT TO:" lines, which will show >who the E-mail was actually addressed to, and whether or not some hack was >used to relay the E-mail. If you post the IMail SMTP log file entries, I >should be able to let you know what is going on. > -Scott > >--- >[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] > >--- >This E-mail came from the Declude.JunkMail mailing list. To >unsubscribe, just send an E-mail to [EMAIL PROTECTED], and >type "unsubscribe Declude.JunkMail". The archives can be found >at http://www.mail-archive.com. >--- >[This E-mail was scanned for Viruses and Spam by Richmond.com] > > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
