Hi rajiv,

Couple of thoughts.

> I have attached the header, the guy has set up a mail server on a
> linux machine, I guess it's fedora.

How do you guess it is fedora? I couldn't figure it out from the headers though.

> His IP Address is - 210.210.74.150 (which is sify broadband or leased line)
>
> I can't make out which one is his IP address provided by SIFY, it can be
> either 10.54.51.16 or 10.11.117.43 or something else.

Both of them are non-routable IP addresses of internal networks. They also belong to different subnetworks. So, the mail must have been routed through two boxes before it has hit the external routable sify box (210.210.74.150). So, from sify you should be able to get which box it is assigned to and the gory details.

> X-Gmail-Received: 1fd05570cbe204e3a6822bf17a432ff370ea2dca
> Delivered-To: [EMAIL PROTECTED]
> Received: by 10.54.51.16 with SMTP id y16cs5805wry;
>         Sun, 16 Jan 2005 01:52:49 -0800 (PST)
> Received: by 10.11.117.43 with SMTP id p43mr390223cwc;
>         Sun, 16 Jan 2005 01:52:49 -0800 (PST)
> Return-Path: <[EMAIL PROTECTED]>
> Received: from station3.example.com (210-210-74-150.lan.sify.net
> [210.210.74.150])
>         by mx.gmail.com with ESMTP id p77si1036593cwc.2005.01.16.01.52.44;
>         Sun, 16 Jan 2005 01:52:49 -0800 (PST)
> Received-SPF: neutral (gmail.com: 210.210.74.150 is neither permitted
> nor denied by domain of [EMAIL PROTECTED])
> Received: from station3.example.com (localhost.localdomain [127.0.0.1])
>         by station3.example.com (8.12.10/8.12.10) with ESMTP id j0GBMVn9024974
>         for <[EMAIL PROTECTED]>; Sun, 16 Jan 2005 16:52:31 +0530
> Received: (from [EMAIL PROTECTED])

The originating box is sending it as root user. Why should somebody who owns a box use the root user to send anonymous mass mails? I doubt this originating machine might have been compromised. In that case it would be hard to track down the actual culprit. However, at least the compromised machine could be stopped from spreading the annoyance.
<snipped>

-siddhartha
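An added example, not part of the original thread: a small Python trace of the `Received` chain quoted above. Each mail server prepends its own `Received` line, so the script reads them bottom-up to get chronological order and classifies every address as loopback, private or public. The function names `kind`, `trace` and `external_handoff` are made up for this sketch, and the redacted `for <...>` clause is trimmed from the sample.

```python
import ipaddress
import re
from email import message_from_string

# Received headers from the quoted message (redacted "for" clause dropped).
RAW = """\
Received: by 10.54.51.16 with SMTP id y16cs5805wry;
 Sun, 16 Jan 2005 01:52:49 -0800 (PST)
Received: by 10.11.117.43 with SMTP id p43mr390223cwc;
 Sun, 16 Jan 2005 01:52:49 -0800 (PST)
Received: from station3.example.com (210-210-74-150.lan.sify.net
 [210.210.74.150])
 by mx.gmail.com with ESMTP id p77si1036593cwc.2005.01.16.01.52.44;
 Sun, 16 Jan 2005 01:52:49 -0800 (PST)
Received: from station3.example.com (localhost.localdomain [127.0.0.1])
 by station3.example.com (8.12.10/8.12.10) with ESMTP id j0GBMVn9024974;
 Sun, 16 Jan 2005 16:52:31 +0530

"""

def kind(token):
    """Classify a token as loopback/private/public, or hostname if not an IP."""
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:
        return "hostname"
    if addr.is_loopback:  # checked first: loopback also counts as private
        return "loopback"
    return "private" if addr.is_private else "public"

def trace(raw):
    """Return hops oldest-first (the top-most Received line is the newest)."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        line = " ".join(value.split()).rsplit(";", 1)[0]  # unfold, drop date
        by = re.search(r"\bby (\S+)", line)
        # The bracketed address is the peer IP the receiving server recorded.
        peer = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", line)
        hops.append({
            "by": by.group(1) if by else None,
            "by_kind": kind(by.group(1)) if by else None,
            "peer": peer.group(1) if peer else None,
            "peer_kind": kind(peer.group(1)) if peer else None,
        })
    return hops

def external_handoff(hops):
    """Oldest hop whose connecting peer is a public address, or None."""
    return next((h for h in hops if h["peer_kind"] == "public"), None)

if __name__ == "__main__":
    for n, hop in enumerate(trace(RAW), 1):
        print(n, hop)
    print("external handoff:", external_handoff(trace(RAW)))
```

The hop returned by `external_handoff` carries the peer address recorded by the receiving server itself; `Received` lines older than that hop were written on the sending side.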
