> Below are the header lines of a piece of spam.  I am certain that my mail
> server (65.38.154.56) delivered the e-mail to mail.tahoemountainclub.com (an
> Exchange server).

> Is the mail.com server (63.243.127.170) sending spam to [EMAIL PROTECTED]?

Most likely, since that is the address in the "To:" header.


To find out for certain, you can check the IMail SMTP log file, and look for the "RCPT TO:" lines.

> I noticed mail.com is a free web based e-mail service with free mail
> forwarding.  Can I trust these lines in the header indicating that mail.com
> is sending to ewpartners.com?

Trust which lines? The only lines that you normally can trust are the Received: headers that IMail adds, unless the E-mail came from another source that you trust (for example, if the IMail Received: header shows that it came from an IP that belongs to Hotmail, you can then probably trust the X-Originating-IP:(?) header that Hotmail adds).


> Can I determine with certainty who sent this to ewpartners.com?

Yes:


Received: from ewpartners.com ([65.38.154.56]) by mail.tahoemountainclub.com with Microsoft SMTPSVC(5.0.2195.5329);
Fri, 20 Jun 2003 20:23:56 -0700
Received: from SMTP32-FWD by ewpartners.com
(SMTP32) id A0000062C; Fri, 20 Jun 2003 21:13:48 -0600
Received: from mail.com [63.243.127.170] by ewpartners.com
(SMTPD32-7.07) id AD65A000DC; Fri, 20 Jun 2003 21:13:41 -0600
...

The top Received: header is the one that Microsoft added before delivering the E-mail. That just shows the IP of the IMail server.

The bottom two are the ones added by IMail (the "SMTP32-FWD" means that IMail forwarded the E-mail, accounting for the two headers; you can skip over that header to the next one).

So you have "Received: from mail.com [63.243.127.170] ...", which means that the E-mail came from 63.243.127.170 (a mailserver *claiming* to be mail.com). http://www.dnsstuff.com/tools/ptr.ch?ip=63.243.127.170 shows that the IP has a reverse DNS entry of uslec-63-243-127-170.cust.uslec.net, which sounds like a dialup/DSL/cable/etc. connection.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.
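As an added example (not code from the post or from Declude), here is a small Python script that applies the rule Scott describes to the headers quoted above: it unfolds the Received: lines, skips the one stamped downstream by the Exchange server, walks the run of lines written by the server you control (assumed here to be ewpartners.com, SMTP32-FWD hop included), and reports the IP that actually connected to it, treating the "from" host name as merely claimed.

```python
import re

# Header block quoted in the post; the first Received: line is folded as in the original.
HEADERS = """\
Received: from ewpartners.com ([65.38.154.56]) by mail.tahoemountainclub.com with Microsoft SMTPSVC(5.0.2195.5329);
    Fri, 20 Jun 2003 20:23:56 -0700
Received: from SMTP32-FWD by ewpartners.com (SMTP32) id A0000062C; Fri, 20 Jun 2003 21:13:48 -0600
Received: from mail.com [63.243.127.170] by ewpartners.com (SMTPD32-7.07) id AD65A000DC; Fri, 20 Jun 2003 21:13:41 -0600
"""

TRUSTED_HOSTS = {"ewpartners.com"}  # assumption: the hosts whose Received: lines we wrote ourselves

RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(\S+)"                    # name the connecting host claimed (HELO)
    r"(?:\s+\(?\[(\d{1,3}(?:\.\d{1,3}){3})\]\)?)?"  # IP actually observed, if recorded
    r"\s+by\s+(\S+)",                               # host that stamped the line
    re.I,
)

def parse_received(raw):
    """Unfold continuation lines; return Received: hops newest (top) first."""
    unfolded = []
    for line in raw.splitlines():
        if line[:1].isspace() and unfolded:
            unfolded[-1] += " " + line.strip()
        else:
            unfolded.append(line.rstrip())
    hops = []
    for line in unfolded:
        m = RECEIVED_RE.match(line)
        if m:
            hops.append({"from": m.group(1), "ip": m.group(2), "by": m.group(3)})
    return hops

def originating_hop(raw, trusted_hosts=TRUSTED_HOSTS):
    """Skip lines stamped downstream of us, walk the run of lines our own server
    added (the SMTP32-FWD hop included) and keep the oldest: its IP is the
    connection our server actually saw. Lines below that run are sender-supplied."""
    hops = parse_received(raw)
    i = 0
    while i < len(hops) and hops[i]["by"] not in trusted_hosts:
        i += 1  # added by the next server after ours; not our evidence
    entry = None
    while i < len(hops) and hops[i]["by"] in trusted_hosts:
        entry = hops[i]
        i += 1
    return entry
```

The returned hop is the one to cross-check against the IMail SMTP log, as the post suggests, since a forged line below the real edge hop that also claims "by" your host cannot be told apart from the header text alone.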


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.