On 6/14/02 6:23 AM, Pam Lefkowitz deftly typed out:

> Return-Path: <[EMAIL PROTECTED]>
> Received: from $domain ([63.87.117.9])
>     by thrush (EarthLink SMTP Server) with SMTP id 17iKsbCO3NZFoB0
>     for <[EMAIL PROTECTED]>; Thu, 13 Jun 2002 23:20:57 -0700 (PDT)
> From: [EMAIL PROTECTED]
> X-Encoding: MIME
> Received: from corecomputing.com by 22499U.corecomputing.com with SMTP for
>     [EMAIL PROTECTED]; Fri, 14 Jun 2002 02:25:52 -0500
This is how I read the above headers (bottom up). A message is received from a machine calling itself "corecomputing.com" (it's not) by a host calling itself "22499U.corecomputing.com" (it's not), and the receiving host stamps the first Received header on the message. The host that calls itself 22499U.corecomputing.com passes the message on to your mail server, an Earthlink server (I'm assuming they are hosting your domain). Earthlink's mail server then stamps the second Received header, indicating the IP of the host it received the message from (63.87.117.9), which is the machine that actually sent the spam.

Most likely corecomputing.com and 22499U.corecomputing.com are the same host, which is running some software to spoof the hostname in the first Received header by using a hostname that is equal to the domain part of your email address ([EMAIL PROTECTED] produces a host corecomputing.com). My theory is further reinforced by the fact that the software seems misconfigured and that the host in question identified itself as "$domain" (a variable name, not a hostname).

You can further track the bugger down by typing:

    whois -h whois.arin.net 63.87.117.9

at the command line (since you're using OS X). This will query the ARIN database for the organization that the IP address is assigned to. If the result indicates that the IP space in question has been reassigned, or if it is outside of ARIN's control (managed by APNIC, RIPE, etc.), you may have to replace whois.arin.net with the appropriately listed whois or rwhois server. If it is an rwhois server, there's a web interface to rwhois at <http://www.rwhois.net/rwhois/prwhois.html>. Eventually you can drill down to the ISP that is responsible for that IP address, and either the whois/rwhois answer or the ISP's website will indicate an email address to report network abuse to.

I manage a couple of mail servers and this little exercise has become my favorite idle time activity.
If I track the IP space to a company selling marketing services I just block their whole IP space at the mail server.

-Remo Del Bello

--
Do not meddle in the affairs of sysadmins, for they are subtle and quick to anger.
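The bottom-up reading described above, as an added Python example that is not part of the original post: it parses a constructed copy of the quoted headers (redacted addresses replaced with a made-up recipient), walks the Received: chain oldest-first, and reports the IP that the recipient's own server (assumed here to be the host named thrush) saw on the connection, which is the only value in the chain the sender did not write. Names that are unexpanded template variables or that match the recipient's own domain are flagged, since those are the two tells the post points out.

```python
import re
from email import message_from_string

# Constructed sample modelled on the headers quoted in the thread; the
# redacted addresses are replaced with a made-up recipient address.
SAMPLE = """Return-Path: <recipient@corecomputing.com>
Received: from $domain ([63.87.117.9])
\tby thrush (EarthLink SMTP Server) with SMTP id 17iKsbCO3NZFoB0
\tfor <recipient@corecomputing.com>; Thu, 13 Jun 2002 23:20:57 -0700 (PDT)
From: sender@example.invalid
Received: from corecomputing.com by 22499U.corecomputing.com with SMTP for
\trecipient@corecomputing.com; Fri, 14 Jun 2002 02:25:52 -0500

(body)
"""

# "from <name the sender announced> (<what the receiver saw>) by <receiver>"
HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def received_hops(raw):
    """(announced_name, observed_ip, receiving_host) per hop, oldest first."""
    hops = []
    # Received: lines are prepended at each hop, so the bottom one is earliest.
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP_RE.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            announced, observed, receiver = m.groups()
            ip = IP_RE.search(observed or "")
            hops.append((announced, ip.group(1) if ip else None, receiver))
    return hops


def analyze(raw, trusted_host, recipient_domain):
    """Trust only the hop our own server stamped; flag suspect names below it."""
    dom = recipient_domain.lower()
    report = {"origin_ip": None, "forged_names": []}

    def suspect(name):  # unexpanded "$variable", or the recipient's own domain
        n = name.lower()
        return n.startswith("$") or n == dom or n.endswith("." + dom)

    for announced, ip, receiver in received_hops(raw):
        if suspect(announced):
            report["forged_names"].append(announced)
        if receiver.lower() == trusted_host.lower():
            report["origin_ip"] = ip  # the peer address our server really saw
            break  # earlier hops were written by the sender, so they prove nothing
        if suspect(receiver):
            report["forged_names"].append(receiver)
    return report
```

The `origin_ip` value is the one to feed to the whois lookup above; the flagged names are only what the sender chose to announce.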
