> Return-Path: <[EMAIL PROTECTED]>
> Delivered-To: [email protected]
> Received: from lists.gnac.net (lists.gnac.net [209.182.195.144])
>     by ns2.worldgatein.com (Postfix) with ESMTP id B9E02BDF2
>     for <[EMAIL PROTECTED]>; Fri, 18 Jan 2002 23:49:13 +0530 (IST)
> Received: from lists.gnac.net (localhost [127.0.0.1])
>     by lists.gnac.net (Postfix) with ESMTP
>     id E7CAE10A53; Fri, 18 Jan 2002 10:24:28 -0800 (PST)
> Delivered-To: [EMAIL PROTECTED]
> Received: from ebony.nbnet.nb.ca (smtp2.nbnet.nb.ca [198.164.30.5])
>     by lists.gnac.net (Postfix) with ESMTP id CB178109D7
>     for <[EMAIL PROTECTED]>; Fri, 18 Jan 2002 10:23:54 -0800 (PST)
> Received: from matt ([142.166.162.82]) by ebony.nbnet.nb.ca
>     (Post.Office MTA v3.5.3 release 223 ID# 0-0U10L2S100V35)
>     with SMTP id ca for <[EMAIL PROTECTED]>;
>     Fri, 18 Jan 2002 14:23:36 -0400
> Reply-To: <[EMAIL PROTECTED]>
> From: "Matt Gorham" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: spam headers
> Message-ID: <[EMAIL PROTECTED]>
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
>     boundary="----=_NextPart_000_0020_01C1A02B.07591100"
> X-Priority: 3 (Normal)
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
> Importance: Normal
> X-MimeOLE: Produced By Microsoft MimeOLE V5.00.3018.1300
> Sender: [EMAIL PROTECTED]
> Errors-To: [EMAIL PROTECTED]
> X-BeenThere: [EMAIL PROTECTED]
> X-Mailman-Version: 2.0.5
> Precedence: bulk
> List-Help: <mailto:[EMAIL PROTECTED]?subject=help>
> List-Post: <mailto:[EMAIL PROTECTED]>
> List-Subscribe: <http://lists.gnac.net/mailman/listinfo/firewalls>,
>     <mailto:[EMAIL PROTECTED]?subject=subscribe>
> List-Id: Firewalls <firewalls.lists.gnac.net>
> List-Unsubscribe: <http://lists.gnac.net/mailman/listinfo/firewalls>,
>     <mailto:[EMAIL PROTECTED]?subject=unsubscribe>
> List-Archive: <http://lists.gnac.net/pipermail/firewalls/>
> Date: Fri, 18 Jan 2002 14:18:41 -0400
> Content-Length: 3167
> Lines: 115
>
> How do you track a spam message to see where it came from. How do you stop
> spam if you do not have your own exchange server.
>

Look at the headers of the mail you sent. These headers are present in every mail. You don't need an exchange server for this, any good MUA will let you see the headers.

Analysis:

I have deleted internal headers that trace the path this mail takes in my internal LAN.

Return-Path is set to <[EMAIL PROTECTED]>. This is where bounces should go to.

Delivered-To: This is a header added by Postfix.

The next headers are important, and have to be read in reverse order. Basically, top to bottom, you trace from your MTA to the originating MTA.

lists.gnac.net delivered to ns2.worldgatein.com (lists IPs of lists.gnac.net, who it was sent to, what time it was received and a queue ID which is given in the logs).

This was injected into the lists.gnac.net mail queue from the same machine (localhost) by the MLM.

The mail was delivered to the MLM, originating from a machine claiming to be ebony.nbnet.nb.ca, while the reverse DNS lookup says that it is smtp2.nbnet.nb.ca.

ebony.nbnet.nb.ca received this mail from a machine named matt with the IP address 142.166.162.82 running postoffice, which in turn got the mail from an Outlook client.

These are the important headers, though you might want to filter on some more headers (X-bulk-mailer, or something else to catch spamware).

Now you know how to trace back these spammers. Figuring out how to send complaints is left as an exercise for the reader (hint: postmaster and abuse addresses exist for a reason).

Devdas Bhagat
[EMAIL PROTECTED]
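
The top-to-bottom walk described in the analysis above, as an added example that is not part of the original post: it parses the four Received headers from the quoted message, lists each hop from the recipient's MTA back to the originating client, and marks the hop where the claimed name differs from the reverse DNS name. The regex covers only the Postfix and Post.Office layouts seen here; `parse_hops` and `chain_is_continuous` are names chosen for this example.

```python
import re
from email import message_from_string

# Received headers copied from the message quoted above (addresses were
# already redacted in the archive); the tab folding is assumed.
RAW = """\
Received: from lists.gnac.net (lists.gnac.net [209.182.195.144])
\tby ns2.worldgatein.com (Postfix) with ESMTP id B9E02BDF2
\tfor <[EMAIL PROTECTED]>; Fri, 18 Jan 2002 23:49:13 +0530 (IST)
Received: from lists.gnac.net (localhost [127.0.0.1])
\tby lists.gnac.net (Postfix) with ESMTP
\tid E7CAE10A53; Fri, 18 Jan 2002 10:24:28 -0800 (PST)
Received: from ebony.nbnet.nb.ca (smtp2.nbnet.nb.ca [198.164.30.5])
\tby lists.gnac.net (Postfix) with ESMTP id CB178109D7
\tfor <[EMAIL PROTECTED]>; Fri, 18 Jan 2002 10:23:54 -0800 (PST)
Received: from matt ([142.166.162.82]) by ebony.nbnet.nb.ca
\t(Post.Office MTA v3.5.3 release 223 ID# 0-0U10L2S100V35)
\twith SMTP id ca for <[EMAIL PROTECTED]>;
\tFri, 18 Jan 2002 14:23:36 -0400
"""

HOP = re.compile(r"from (\S+) \((?:(\S+) )?\[([\d.]+)\]\)\s+by (\S+)")

def parse_hops(raw):
    """Return hops top to bottom: nearest (your MTA) first, origin last."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if not m:
            continue  # layout not covered by this example
        helo, rdns, ip, by = m.groups()
        note = "ok"
        if ip.startswith("127."):
            note = "local injection"
        elif rdns is None:
            note = "no reverse DNS name recorded"
        elif rdns.lower() != helo.lower():
            note = "claimed name differs from reverse DNS"
        hops.append({"helo": helo, "rdns": rdns, "ip": ip, "by": by, "note": note})
    return hops

def chain_is_continuous(hops):
    """Each hop's receiver should be the sender named by the hop above it."""
    return all(lower["by"] in (upper["helo"], upper["rdns"])
               for upper, lower in zip(hops, hops[1:]))

if __name__ == "__main__":
    for hop in parse_hops(RAW):
        print(f'{hop["ip"]:>16}  {hop["helo"]} -> {hop["by"]}  [{hop["note"]}]')
```

Received lines below the first relay you control are written by machines you do not control and can be forged, so a name mismatch or a break in continuity is a lead to check, not proof.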
