No...it's not an open relay...double-checked the Exchange Server settings
and the RBL (Realtime Blackhole List).

And yes, that REALLY is just one mail header.  It takes 2-1/2 pages to print
it out in its entirety.

In the process of triple-checking my relay settings again by reading the
article below.

Jim Blunt

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 30, 2001 10:30 AM
To: Exchange Discussions
Subject: RE: Internet Mail Header Investigation


Is your server an open relay?

<http://www.exchangeadmin.com/Articles/Index.cfm?ArticleID=7696>

also available here:
<http://downloads.members.tripod.com/ladysun1969/misc/relay.tif>


ps.  are you sure that's all from one message?  It looks like 3 different
message headers....

-Michèle
Immigration site:  <http://LadySun1969.tripod.com>
The Miata:  <http://members.cardomain.com/bpituley>
Tiggercam:  <http://www.tiggercam.co.uk>
---------------------------------------------------------
Every old idea will be proposed again with a different name and a different
presentation, regardless of whether it works. - RFC1925 
---------------------------------------------------------


-----Original Message-----
From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 30, 2001 1:17 PM
To: Exchange Discussions
Subject: RE: Internet Mail Header Investigation


There you have it...that's the header file.  You actually want to start
reading the header file from the bottom of this post up...

TIA for the help.

JB

-----Original Message-----
From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 30, 2001 10:14 AM
To: Exchange Discussions
Subject: RE: Internet Mail Header Investigation


Part 3...

Message-ID: <[EMAIL PROTECTED]>
From: fellow_american@pride_of_america
To: 
Subject: FREE American Flag Pin - No purchase necessary          15615
Date: Tue, 27 Nov 2001 23:33:37 -0800
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
X-MS-Embedded-Report: 
Content-Type: text/plain;
        charset="iso-8859-1"

------_=_NextPart_000_01C1780F.8D84D950--

--==IFJRGLKFGIR46408UHRUHIHD--

-----Original Message-----
From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 30, 2001 10:12 AM
To: Exchange Discussions
Subject: FW: Internet Mail Header Investigation


Part 2...

Received: from IMS.ourcompany.gov ([xxx.xxx.xxx.xxx])
          by nis.lapha.com (Lotus Domino Release 5.0.6a)
          with ESMTP id 2001112822195643:24 ;
          Wed, 28 Nov 2001 22:19:56 +0900 
Received: by IMS.ourcompany.gov with Internet Mail Service (5.5.2653.19)
        id <XVZ0JKH3>; Wed, 28 Nov 2001 05:21:14 -0800
Message-ID: <[EMAIL PROTECTED]>
From: System Administrator <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Undeliverable: FREE American Flag Pin - No purchase necessary    
              15615
Date: Wed, 28 Nov 2001 05:21:13 -0800
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
X-MS-Embedded-Report: 
X-MIMETrack: Itemize by SMTP Server on nis/Lapha(Release 5.0.6a |January 17,
2001) at
 2001-11-28 10:19:58 PM,
        Serialize by Router on nis/Lapha(Release 5.0.6a |January 17, 2001)
at 2001-11-29
 11:02:11 AM,
        Serialize complete at 2001-11-29 11:02:11 AM

This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.

-----Original Message-----
From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 30, 2001 10:05 AM
To: Exchange Discussions
Subject: RE: Internet Mail Header Investigation


Ok...let's try sending this in pieces...

Received: from mr.ourcompany.com ([xxx.xxx.xxx.xxx]) by IMS.ourcompany.gov
with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
        id XVZ0J31D; Wed, 28 Nov 2001 18:03:42 -0800
Received: (qmail 4027 invoked by uid 104); 29 Nov 2001 00:34:16 -0000
Received: from  by mr-new.ourcompany.com with qmail-scanner-0.94 (. Clean.
Processed in 9.100323 secs); 28/11/2001 16:34:07
Received: from unknown (HELO nis.lapha.com) (211.52.19.18)
  by mr.ourcompany.com with SMTP; 29 Nov 2001 00:34:06 -0000
Received: from IMS.ourcompany.gov ([xxx.xxx.xxx.xxx])
          by nis.lapha.com (Lotus Domino Release 5.0.6a)
          with ESMTP id 2001112822195643:24 ;
          Wed, 28 Nov 2001 22:19:56 +0900 
Received: by IMS.ourcompany.gov with Internet Mail Service (5.5.2653.19)
        id <XVZ0JKH3>; Wed, 28 Nov 2001 05:21:14 -0800
Message-ID: <[EMAIL PROTECTED]>
From: [EMAIL PROTECTED]
To: System Administrator <[EMAIL PROTECTED]>
Subject:
=?euc-kr?B?uei03iC9x8bQOiBVc2VyIGZlbGxvd19hbWVyaWNhbiVwcmlkZV9vZg==?=
 =?us-ascii?Q?=5Famerica?= ([EMAIL PROTECTED]) not
 listed in public Name & Address Book
Date: Wed, 28 Nov 2001 05:21:13 -0800
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
X-MS-Embedded-Report: 
X-MIMETrack: Itemize by SMTP Server on nis/Lapha(Release 5.0.6a |January 17,
2001) at
 2001-11-28 10:19:58 PM,
        Serialize by Router on nis/Lapha(Release 5.0.6a |January 17, 2001)
at 2001-11-29
 11:02:11 AM,
        Serialize complete at 2001-11-29 11:02:11 AM
Content-Type: multipart/report; report-type=delivery-status;
boundary="==IFJRGLKFGIR46408UHRUHIHD"

-----Original Message-----
From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 30, 2001 8:56 AM
To: Exchange Discussions
Subject: Internet Mail Header Investigation


Folks,

I have a slight SPAM problem I would like some help with if possible, so put
on your thinking caps.  I have read several RFCs and Technet articles about
how things are supposed to work, but none of them seem to cover interpreting
the sequence of events.  Also, several things just don't make sense to me.
I've only been an MS Exchange Admin for about 1-1/2 years, so I still have a
lot to learn.  This message is a little long, but you folks are always
clamoring for details, so I thought I would be as detailed as I could.

The header for the e-mail in question is going to come in the next post
(having problems posting).  Three copies of this e-mail were sent directly
to my postmaster mailbox from an account in Japan (+0900 GMT puts it in this
timezone).  This didn't concern me that much, because RFC822 states that all
mail orgs are supposed to have a postmaster account that people can send
complaints to, so it would be easy to guess.  If one person in our mail org
got themselves on a list they shouldn't, then they just had to add the
postmaster account to the front of the domain name.  However, when I started
taking a closer look, that's when I began to get worried.

Let me explain our configuration here:
1.  The ISP has an MX record that says our mail server is located at
ourcompany.com or IMS.ourcompany.com
2.  Our MX record states that ourcompany.com is equal to internal addresses
of ourcompany.gov or IMS.ourcompany.gov.
3.  Internet mail comes in through a boundary router, through the firewall
to the Mail Relayer (named mr.ourcompany.com in the header below).
4.  MR is a Linux 7.0 workstation, running Qmail 1.03 and QmailScanner 0.94.
5.  MR checks to make sure that mail is being sent to a legitimate domain
extension.  If legit, sends it on to the IMS.  If not, drops it in a
holdmail queue.  It also blocks mail based on attachment or subject type.
6.  Once to the IMS, delivered to client.  Client mail goes from client to
IMS, IMS to Proxy Server and out through the boundary router.
7.  Mail servers are Win2k, SP2 servers running Ex5.5, SP4+3 (MTA, IS and
Q282533).

Here are my concerns:
1.  In the 5th and 6th "Received:" lines down, it looks like the IMS was the
first machine to process this mail.  The original IP address next to the
name was actually the external interface to the Proxy Server.  This would
suggest to me, that it actually took the reverse route in through the
Proxy/IMS, instead of through the Firewall/MR.  How is this possible?
2.  In the first "From:" field of the header, it shows as coming from
[EMAIL PROTECTED]  However, in the second "From:" field of the header,
it shows as coming from [EMAIL PROTECTED]  Is this guy spamming
thousands of people and making it look like it came from me?
3.  In the original header, the IMS.ourcompany.com contained the actual
internal server name of our IMS. How does someone in Japan find out the
internal name of one of our servers, without a security leak on our end?

I appreciate any help you folks can give me...please don't flame me too bad.
I have to be recognizable to my wife and kids when I get home, or they won't
let me in the door to eat dinner...and I'm starved! ;O)

Thanks in advance,

James H (Jim) Blunt
Network / Exchange Admin
Network & Infrastructure Group
Bechtel Hanford, Inc.

_________________________________________________________________
List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
Archives:               http://www.swynk.com/sitesearch/search.asp
To unsubscribe:         mailto:[EMAIL PROTECTED]
Exchange List admin:    [EMAIL PROTECTED]
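As an added example, not part of this thread, the Received: chain Jim pasted in his first piece is parsed bottom-up the way the replies suggest: each hop's from/HELO/by hosts and timestamp are pulled out, the hops are ordered oldest-first, and a few postmaster-style checks run over them (a peer with no reverse DNS, clock skew between hops, and a message that left the organisation and came straight back, which is what a bounce of one's own outbound mail looks like and fits the "Undeliverable:" subject and the multipart/report; report-type=delivery-status content type in the same header). The own-domain list and the refolding of the header continuation lines are assumptions; the IPs were already masked in the original post.

```python
import calendar
import re
from email.utils import parsedate_tz

# Constructed sample: the Received: chain quoted in this thread, refolded (continuations indented).
SAMPLE_HEADERS = """\
Received: from mr.ourcompany.com ([xxx.xxx.xxx.xxx]) by IMS.ourcompany.gov with SMTP
        (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id XVZ0J31D; Wed, 28 Nov 2001 18:03:42 -0800
Received: (qmail 4027 invoked by uid 104); 29 Nov 2001 00:34:16 -0000
Received: from unknown (HELO nis.lapha.com) (211.52.19.18)
  by mr.ourcompany.com with SMTP; 29 Nov 2001 00:34:06 -0000
Received: from IMS.ourcompany.gov ([xxx.xxx.xxx.xxx])
          by nis.lapha.com (Lotus Domino Release 5.0.6a)
          with ESMTP id 2001112822195643:24 ;
          Wed, 28 Nov 2001 22:19:56 +0900
Received: by IMS.ourcompany.gov with Internet Mail Service (5.5.2653.19)
        id <XVZ0JKH3>; Wed, 28 Nov 2001 05:21:14 -0800
"""
FQDN = r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"

def unfold(raw):  # join RFC 822 folded header lines (a continuation line starts with whitespace)
    return [l.rstrip() for l in re.sub(r"\n[ \t]+", " ", raw).splitlines()]

def parse_hop(value):
    """Extract from/HELO/by hosts and a UTC epoch from one Received: value."""
    m_from = re.search(r"\bfrom\s+(\S+)(?:\s+\(HELO\s+(" + FQDN + r")\))?", value)
    m_by = re.search(r"\bby\s+(" + FQDN + ")", value)  # 'by uid 104' has no dot: local hop
    tup = parsedate_tz(value.rsplit(";", 1)[-1].strip())
    when = calendar.timegm(tup[:9]) - (tup[9] or 0) if tup else None  # '-0000' gives offset None
    return {"from": m_from.group(1) if m_from else None, "helo": m_from.group(2) if m_from else None,
            "by": m_by.group(1) if m_by else None, "utc": when}

def trace(raw, own_domains):
    """Return hops oldest-first (the bottom Received: line is the first hop) plus triage findings."""
    values = [l[len("Received:"):] for l in unfold(raw) if l.startswith("Received:")]
    hops = [parse_hop(v) for v in reversed(values)]
    ours = lambda host: bool(host) and host.lower().endswith(tuple(own_domains))
    findings, left_org = [], False
    for i, h in enumerate(hops, 1):
        prev = hops[i - 2] if i > 1 else None
        if h["helo"]:
            findings.append(f"hop {i}: no reverse DNS, peer announced HELO {h['helo']}")
        if prev and h["utc"] and prev["utc"] and h["utc"] < prev["utc"]:
            findings.append(f"hop {i}: stamped {prev['utc'] - h['utc']}s before hop {i - 1} (clock skew)")
        if ours(h["from"]) and h["by"] and not ours(h["by"]):
            left_org = True
            findings.append(f"hop {i}: left our org, {h['from']} -> {h['by']}")
        elif left_org and ours(h["by"]) and not ours(h["from"]):
            findings.append(f"hop {i}: came back in, {h['from']} -> {h['by']}: a round trip, i.e. a bounce of our own mail")
    return hops, findings
```

Run against the sample it reports the Exchange-to-Domino hop as the point where the mail left, the Domino-to-qmail hop (no reverse DNS, HELO nis.lapha.com) as the point where it came back, and a 78 second skew between the two servers' clocks.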
