Ok... this is starting to hack me off. It's not my e-mail client or the web page. The list bot will not let me paste the mail header in this e-mail... I have tried 4x now and keep getting rejection notices from internet.com.

Being a male computer geek, you'd think I'd be used to rejection by now... darn list bot must be female. ;0P Any help would be appreciated.

JB

-----Original Message-----
From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 30, 2001 8:56 AM
To: Exchange Discussions
Subject: Internet Mail Header Investigation

Folks,

I have a slight SPAM problem I would like some help with if possible, so put on your thinking caps. I have read several RFCs and Technet articles about how things are supposed to work, but none of them seem to cover interpreting the sequence of events. Also, several things just don't make sense to me. I've only been an MS Exchange Admin for about 1-1/2 years, so I still have a lot to learn. This message is a little long, but you folks are always clamoring for details, so I thought I would be as detailed as I could. The header for the e-mail in question is going to come in the next post (having problems posting).

Three copies of this e-mail were sent directly to my postmaster mailbox from an account in Japan (+0900 GMT puts it in this timezone). This didn't concern me that much, because RFC822 states that all mail orgs are supposed to have a postmaster account that people can send complaints to, so it would be easy to guess. If one person in our mail org got themselves on a list they shouldn't, then they just had to add the postmaster account to the front of the domain name. However, when I started taking a closer look, that's when I began to get worried.

Let me explain our configuration here:

1. The ISP has an MX record that says our mail server is located at ourcompany.com or IMS.ourcompany.com.
2. Our MX record states that ourcompany.com is equal to internal addresses of ourcompany.gov or IMS.ourcompany.gov.
3. Internet mail comes in through a boundary router, through the firewall to the Mail Relayer (named mr.ourcompany.com in the header below).
4. MR is a Linux 7.0 workstation, running Qmail 1.03 and QmailScanner 0.94.
5. MR checks to make sure that mail is being sent to a legitimate domain extension. If legit, sends it on to the IMS. If not, drops it in a holdmail queue. It also blocks mail based on attachment or subject type.
6. Once to the IMS, delivered to client. Client mail goes from client to IMS, IMS to Proxy Server and out through the boundary router.
7. Mail servers are Win2k, SP2 servers running Ex5.5, SP4+3 (MTA, IS and Q282533).

Here are my concerns:

1. In the 5th and 6th "Received:" lines down, it looks like the IMS was the first machine to process this mail. The original IP address next to the name was actually the external interface to the Proxy Server. This would suggest to me that it actually took the reverse route in through the Proxy/IMS, instead of through the Firewall/MR. How is this possible?
2. In the first "From:" field of the header, it shows as coming from [EMAIL PROTECTED]. However, in the second "From:" field of the header, it shows as coming from [EMAIL PROTECTED]. Is this guy spamming thousands of people and making it look like it came from me?
3. In the original header, the IMS.ourcompany.com contained the actual internal server name of our IMS. How does someone in Japan find out the internal name of one of our servers, without a security leak on our end?

I appreciate any help you folks can give me... please don't flame me too bad. I have to be recognizable to my wife and kids when I get home, or they won't let me in the door to eat dinner... and I'm starved! ;O)

Thanks in advance,

James H (Jim) Blunt
Network / Exchange Admin
Network & Infrastructure Group
Bechtel Hanford, Inc.
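The kind of check the post is asking for, as an added example that is not part of the original message or of any product it mentions: a small Python script that reads "Received:" lines in delivery order (the header lists the newest hop first, so they are walked bottom-up), verifies that the hop into the IMS came from the relay (concern 1), compares the envelope sender in Return-Path with the header From: (concern 2), and reports the time between hops so a +0900 origin and a -0800 delivery can be compared on one clock. The two headers embedded below are constructed for this example and modelled on the concerns described above; the host names mr.ourcompany.com and IMS.ourcompany.com are taken from the post, every other host, address and IP is made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed header modelled on the post's concern: the hop into the IMS comes from
# an internal proxy address instead of the relay, and the header From: is the
# postmaster address even though the envelope sender is elsewhere. All hosts,
# addresses and IPs except mr./IMS.ourcompany.com are invented for this example.
SUSPECT_HEADER = """\
Received: from proxy.ourcompany.com (proxy.ourcompany.com [192.0.2.20])
\tby IMS.ourcompany.com with SMTP id ABC123; Fri, 30 Nov 2001 08:10:05 -0800
Received: from relay.example.net ([203.0.113.23])
\tby proxy.ourcompany.com with SMTP; Fri, 30 Nov 2001 08:10:02 -0800
Received: from unknown (HELO localhost) (203.0.113.77)
\tby relay.example.net with SMTP; Sat, 1 Dec 2001 01:09:55 +0900
Return-Path: <bulk@example.net>
From: postmaster@ourcompany.com
To: postmaster@ourcompany.com
Subject: constructed sample

body
"""

# Constructed header for the expected path described in the post: Internet -> MR -> IMS.
EXPECTED_HEADER = """\
Received: from mr.ourcompany.com (mr.ourcompany.com [10.0.0.5])
\tby IMS.ourcompany.com with SMTP; Fri, 30 Nov 2001 09:00:03 -0800
Received: from relay.example.net ([203.0.113.23])
\tby mr.ourcompany.com (qmail) with SMTP; Fri, 30 Nov 2001 09:00:01 -0800
Return-Path: <friend@example.net>
From: friend@example.net
To: someone@ourcompany.com

body
"""

RECEIVED_RE = re.compile(r"from\s+(?P<from>.*?)\s+by\s+(?P<by>\S+)", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_received(raw_message):
    """Return the Received: hops oldest-first as dicts (from_host, from_ip, by_host, date)."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        value = re.sub(r"\s+", " ", value)  # unfold continuation lines
        match = RECEIVED_RE.search(value)
        if not match:
            continue  # malformed or non-standard line; keep going with the rest
        from_clause = match.group("from")
        ip = IPV4_RE.search(from_clause)
        date_str = value.rsplit(";", 1)[1].strip() if ";" in value else None
        hops.append({
            "from_host": from_clause.split()[0].lower(),
            "from_ip": ip.group(1) if ip else None,
            "by_host": match.group("by").lower(),
            "date": parsedate_to_datetime(date_str) if date_str else None,
        })
    hops.reverse()  # header order is newest-first; we want delivery order
    return hops


def check_ingress_path(hops, relay="mr.ourcompany.com", ims="ims.ourcompany.com"):
    """Concern 1: the hop received *by* the IMS must come *from* the relay.

    Returns (ok, reason). Host names are compared case-insensitively."""
    for hop in hops:
        if hop["by_host"] == ims:
            if hop["from_host"] == relay:
                return True, "IMS received the message from the relay, as expected"
            return False, (f"IMS received the message from {hop['from_host']} "
                           f"({hop['from_ip']}), not from {relay}")
    return False, f"no Received: line shows {ims} handling the message"


def sender_mismatch(raw_message):
    """Concern 2: compare the envelope sender (Return-Path) with the header From:.

    Returns (mismatch, envelope_address, header_from_address)."""
    msg = message_from_string(raw_message)
    envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    return envelope != header_from, envelope, header_from


def hop_delays(hops):
    """Seconds between consecutive hops; timezone-aware dates make +0900 and -0800
    comparable. A negative value means clock skew or an inconsistent hop."""
    return [int((b["date"] - a["date"]).total_seconds())
            for a, b in zip(hops, hops[1:]) if a["date"] and b["date"]]


if __name__ == "__main__":
    for label, header in (("suspect", SUSPECT_HEADER), ("expected", EXPECTED_HEADER)):
        hops = parse_received(header)
        print(label, "path:", " -> ".join(h["by_host"] for h in hops))
        print("  ingress:", check_ingress_path(hops))
        print("  sender mismatch:", sender_mismatch(header))
        print("  hop delays (s):", hop_delays(hops))
```

The relay and IMS names are parameters of check_ingress_path, so the same check runs against any pair of hosts; because any host can prepend a forged "Received:" line, only the lines written by your own relay and IMS are trustworthy, and the check deliberately keys on the hop the IMS itself recorded.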
_________________________________________________________________
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]