Re: [Declude.JunkMail] Help: Delivery failures

[Darin Cox]

Everything but the topmost received from header can be forged, so I think that's what your looking at here.  So look at that top line, and compare with the Declude REVDNS variable to see where it's really coming from.   Note also that the X-Mailer header could be forged too, so it may or may not have actually been sent from that mail client. Darin.     ----- Original Message ----- From: Serge To: declude.junkmail@declude.com Sent: Friday, September 22, 2006 1:43 AM Subject: Re: [Declude.JunkMail] Help: Delivery failures For those of you who can read headers better than me, here is a more interesting one this time, we have some ips, "Received: from 217.170.144.6 (HELO mail.cefib.com)" can be valid, but 1- there is no traces in my logs of sending this message 2- second part of the header says cwmagic.com received from  217.170.144.6, but first part says 196.205.224.128, either i am missing something, or there is contradiction is "the bat" faking the header ? please help   Received: from host-196-205-224-128.static.link.com.eg ([196.205.224.128]) by SERVER.Compuwizards.local with Microsoft SMTPSVC(5.0.2195.6713);   Thu, 21 Sep 2006 10:52:36 -0700 Return-Path: <[EMAIL PROTECTED]> Received: from 217.170.144.6 (HELO mail.cefib.com)      by cwmagic.com with esmtp (DA5X015JX7 X0Z5)      id 5K23MB-BX0IOM-7E      for [EMAIL PROTECTED]; Tue, 21 Mar 2006 18:33:33 -0120 Date: Tue, 21 Mar 2006 18:33:33 -0120 From: "Mario Hamlin" <[EMAIL PROTECTED].com> X-Mailer: The Bat! (v3.51) Home X-Priority: 3 (Normal) Message-ID: <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: THURSDAY.rq MIME-Version: 1.0 Content-Type: multipart/mixed;   boundary="----------6E54096EC8425409" X-Spam: Not detected X-OriginalArrivalTime: 21 Sep 2006 17:52:37.0671 (UTC) FILETIME=[B9B6C370:01C6DDA6]     ----- Original Message ----- From: Serge To: declude.junkmail@declude.com Sent: Friday, September 22, 2006 2:13 AM Subject: [Declude.JunkMail] Help: Delivery failures I am beiing bombarded by delivery failures The heading of the returned messages are of the form below Can't find any ip in the headings somename and [EMAIL PROTECTED] are not valid user or adresses on my server in my logs, can't find any "MAIL FROM:<[EMAIL PROTECTED]>   apparently, some spamer is using [EMAIL PROTECTED] in his from address.   What is going on ? and how can invetigate this any further ?   TIA     Message-ID: <[EMAIL PROTECTED]> From: somename <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: The president's so-called 2 Date: Thu, 21 Sep 2006 21:00:07 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2657.72) X-MS-Embedded-Report: X-Mailer: The Bat! (v3.71.04) Professional Content-Type: multipart/mixed;  boundary="----_=_NextPart_002_01C6DDD7.7CB7171E"   --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.