Everything but the topmost Received header can be forged, so I think that's what you're looking at here.  So look at that top line, and compare with the Declude REVDNS variable to see where it's really coming from.
 
Note also that the X-Mailer header could be forged too, so it may or may not have actually been sent from that mail client.

Darin.
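The rule Darin gives (only the topmost Received header, the one your own server wrote, can be trusted; every hop below it is text the sender could have typed) can be turned into a mechanical check. The following is an added example, not code from the list, from Declude or from anyone on this thread: it parses the Received chain of the headers quoted below with Python's standard email module, reports the connecting IP our own server recorded, and flags where the lower hops contradict it. The server name SERVER.Compuwizards.local and the other host names come from the quoted headers; the addresses and the two offline sample messages are constructed placeholders, and nothing here does a DNS lookup, so the REVDNS comparison is left to the reader.

```python
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the header block quoted in the thread, with the
# redacted addresses replaced by placeholders. Topmost Received comes first.
SAMPLE = """\
Received: from host-196-205-224-128.static.link.com.eg ([196.205.224.128]) by SERVER.Compuwizards.local with Microsoft SMTPSVC(5.0.2195.6713);
  Thu, 21 Sep 2006 10:52:36 -0700
Return-Path: <sender@example.invalid>
Received: from 217.170.144.6 (HELO mail.cefib.com)
     by cwmagic.com with esmtp (DA5X015JX7 X0Z5)
     id 5K23MB-BX0IOM-7E
     for recipient@example.invalid; Tue, 21 Mar 2006 18:33:33 -0120
Date: Tue, 21 Mar 2006 18:33:33 -0120
From: "Mario Hamlin" <sender@example.invalid>
X-Mailer: The Bat! (v3.51) Home
To: recipient@example.invalid
Subject: THURSDAY.rq

(body omitted)
"""

# Constructed sample: the headers quoted from the bounce in the first post,
# which carry no Received lines at all.
BOUNCE_SAMPLE = """\
Message-ID: <placeholder@example.invalid>
From: somename <somename@example.invalid>
To: recipient@example.invalid
Subject: The president's so-called 2
Date: Thu, 21 Sep 2006 21:00:07 -0400
X-Mailer: Internet Mail Service (5.5.2657.72)
X-Mailer: The Bat! (v3.71.04) Professional

(body omitted)
"""

FROM_RE = re.compile(r'\bfrom\s+(\S+)', re.I)
HELO_RE = re.compile(r'\(HELO\s+(\S+?)\)', re.I)
BY_RE = re.compile(r'\bby\s+(\S+)', re.I)
IP_RE = re.compile(r'\[(\d{1,3}(?:\.\d{1,3}){3})\]')
IP_LITERAL = re.compile(r'\d{1,3}(?:\.\d{1,3}){3}')


def parse_received(value):
    """Split one Received header into from/helo/ip/by/date fields."""
    text = " ".join(value.split())                       # unfold continuation lines
    clause, date_part = text.rsplit(";", 1) if ";" in text else (text, "")
    hop = {"from": None, "helo": None, "ip": None, "by": None, "date": None}
    for key, rx in (("from", FROM_RE), ("helo", HELO_RE), ("by", BY_RE)):
        m = rx.search(clause)
        if m:
            hop[key] = m.group(1).lower()
    m = IP_RE.search(clause)
    if m:
        hop["ip"] = m.group(1)                           # address the receiving MTA actually saw
    elif hop["from"] and IP_LITERAL.fullmatch(hop["from"]):
        hop["ip"] = hop["from"]                          # unbracketed: only a claimed address
    try:
        hop["date"] = parsedate_to_datetime(date_part.strip()) if date_part.strip() else None
    except (TypeError, ValueError):
        hop["date"] = None
    return hop


def analyze(raw_message, own_hosts):
    """Return (hops, findings); hops[0] is the header our own MTA added."""
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    findings = []
    if not hops:
        findings.append(("NO_RECEIVED", "no Received headers; nothing records where this copy entered"))
        return hops, findings
    top = hops[0]
    if top["by"] in {h.lower() for h in own_hosts}:
        findings.append(("TRUSTED_ORIGIN", f"{top['by']} accepted the connection from {top['ip']} ({top['from']})"))
    else:
        findings.append(("TOP_NOT_OURS", f"topmost hop written by {top['by']}, not one of our servers"))
    # Real UTC offsets end in :00, :30 or :45; anything else was typed by hand.
    for i, hop in enumerate(hops, 1):
        off = hop["date"].utcoffset() if hop["date"] else None
        if off is not None and (abs(off.total_seconds()) % 3600) / 60 not in (0, 30, 45):
            findings.append(("ODD_ZONE", f"hop {i} time zone offset {off} matches no real zone"))
    # Each lower hop's "by" host should be the host the hop above received from,
    # and timestamps should run forward by minutes or hours, not months.
    for i in range(len(hops) - 1):
        upper, lower = hops[i], hops[i + 1]
        if lower["by"] and lower["by"] != upper["from"]:
            findings.append(("CHAIN_BREAK", f"hop {i + 2} says 'by {lower['by']}' but hop {i + 1} received from {upper['from']}"))
        if upper["date"] and lower["date"]:
            gap = upper["date"] - lower["date"]
            if gap < -timedelta(hours=1) or gap > timedelta(days=2):
                findings.append(("TIME_GAP", f"hops {i + 1}/{i + 2} timestamps differ by {gap}"))
    return hops, findings


if __name__ == "__main__":
    for name, raw in (("forged chain", SAMPLE), ("bounce", BOUNCE_SAMPLE)):
        hops, findings = analyze(raw, ["SERVER.Compuwizards.local"])
        print(f"== {name}: {len(hops)} hop(s)")
        for code, detail in findings:
            print(f"  {code}: {detail}")
```

On the quoted headers this reports the trusted origin as 196.205.224.128 (the only thing the local server wrote itself), then a CHAIN_BREAK because the lower hop claims "by cwmagic.com" while the hop above received from a link.com.eg host, a TIME_GAP of about six months between the two timestamps, and an ODD_ZONE for the -0120 offset. The bounce sample yields NO_RECEIVED: the quoted part of a bounce is whatever the spammer wrote, so the sending IP has to be read from the bounce's own topmost Received header, not from the quoted original.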
 
 
----- Original Message -----
From: Serge
Sent: Friday, September 22, 2006 1:43 AM
Subject: Re: [Declude.JunkMail] Help: Delivery failures

For those of you who can read headers better than me, here is a more interesting one
this time, we have some ips, "Received: from 217.170.144.6 (HELO mail.cefib.com)" can be valid, but
1- there are no traces in my logs of sending this message
2- second part of the header says cwmagic.com received from 217.170.144.6, but first part says 196.205.224.128,
either i am missing something, or there is a contradiction
is "the bat" faking the header?
please help
 
Received: from host-196-205-224-128.static.link.com.eg ([196.205.224.128]) by SERVER.Compuwizards.local with Microsoft SMTPSVC(5.0.2195.6713);
  Thu, 21 Sep 2006 10:52:36 -0700
Return-Path: <[EMAIL PROTECTED]>
Received: from 217.170.144.6 (HELO mail.cefib.com)
     by cwmagic.com with esmtp (DA5X015JX7 X0Z5)
     id 5K23MB-BX0IOM-7E
     for [EMAIL PROTECTED]; Tue, 21 Mar 2006 18:33:33 -0120
Date: Tue, 21 Mar 2006 18:33:33 -0120
From: "Mario Hamlin" <[EMAIL PROTECTED].com>
X-Mailer: The Bat! (v3.51) Home
X-Priority: 3 (Normal)
Message-ID: <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: THURSDAY.rq
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="----------6E54096EC8425409"
X-Spam: Not detected
X-OriginalArrivalTime: 21 Sep 2006 17:52:37.0671 (UTC) FILETIME=[B9B6C370:01C6DDA6]
 
 
----- Original Message -----
From: Serge
Sent: Friday, September 22, 2006 2:13 AM
Subject: [Declude.JunkMail] Help: Delivery failures

I am being bombarded by delivery failures
The headings of the returned messages are of the form below
Can't find any IP in the headings
somename and [EMAIL PROTECTED] are not valid users or addresses on my server
in my logs, can't find any "MAIL FROM:<[EMAIL PROTECTED]>"
 
apparently, some spammer is using [EMAIL PROTECTED] in his from address.
 
What is going on? And how can I investigate this any further?
 
TIA
 
 
Message-ID: <[EMAIL PROTECTED]>
From: somename <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: The president's so-called 2
Date: Thu, 21 Sep 2006 21:00:07 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2657.72)
X-MS-Embedded-Report:
X-Mailer: The Bat! (v3.71.04) Professional
Content-Type: multipart/mixed;
 boundary="----_=_NextPart_002_01C6DDD7.7CB7171E"
 

---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
