At 08:48 AM 12/31/01 -0500, R. Scott Perry wrote:

>>Received: from arodal-wa.com (HELO gtmo.net) (206.159.55.2) <<<This is our server!!!

>Hmmm... that's not an IMail server! Either that, or the person submitting the spam made major alterations to the headers.<<

When it came out of our server it was through the imail server. But I think the header modification did occur.

>>That's a very poor header anyways, as it doesn't clearly identify who or what connected to where. At the *very* least, a Received: header should have the IP address that connected to it (it should be in the form "[192.168.100.1]", with the brackets around it).<<

Exactly. This is why we are puzzled as to exactly what they did.

>So this Received: header comes from an untrusted source, and is 100% unreliable. We can't assume that 206.159.55.2 is really the IP address that sent the E-mail.<<

It didn't originate there, but it DID get through us but NOT from a local account.

>Note that there are no more Received: headers. This spam didn't come from an IMail server, or is missing headers.<<

That is all I ever saw.

>Let me guess, you run two mail servers on the same machine?

NO. ONLY Imail.

>>12:30 08:25 SMTPD(0B5200D6) [206.159.55.2] connect 206.159.55.2 port 1388
>
>... and note that the same thing is happening here, but with a local IP rather than the loopback IP. I'm a bit worried that two different IPs would be used, but that isn't your primary concern now.<<

But, is it possible they altered their IP address and came in looking like a local account?
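
An added example, not part of the original message and not IMail code: a Python check that classifies each Received: header by whether it carries the bracketed connecting address described in this thread, then looks for that address in the server's own SMTPD connect records, which are the evidence that does not depend on the sender. The function names are hypothetical, the second header and second log line are constructed samples, and reading the address after "connect" as the connecting client is an assumption based on the single log line quoted above.

```python
import re

# Bracketed address literal, the form the thread says a Received: header
# should carry for the connecting host, e.g. "[192.168.100.1]".
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Any dotted quad, bracketed or not.
ANY_IP = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# Connect line in the shape quoted in the thread. Assumption: the address
# after "connect" is the connecting client (it is paired with a client port).
SMTPD_CONNECT = re.compile(
    r"SMTPD\((?P<session>[0-9A-Fa-f]+)\)\s+\[(?P<bracket_ip>[\d.]+)\]\s+"
    r"connect\s+(?P<peer>[\d.]+)\s+port\s+(?P<port>\d+)")

def classify_received(header):
    """Return (status, ip) for one Received: header value."""
    m = BRACKETED_IP.search(header)
    if m:
        return ("bracketed", m.group(1))
    m = ANY_IP.search(header)
    if m:
        # An address is present but not in the bracketed form: unverified claim.
        return ("unbracketed", m.group(1))
    return ("no-ip", None)

def connections_from(log_lines, ip):
    """Session ids of SMTPD connect lines whose peer address equals ip."""
    return [m.group("session") for line in log_lines
            if (m := SMTPD_CONNECT.search(line)) and m.group("peer") == ip]

def triage(received_headers, log_lines):
    """Pair each header's claimed IP with the server's own connect records."""
    report = []
    for header in received_headers:
        status, ip = classify_received(header)
        sessions = connections_from(log_lines, ip) if ip else []
        report.append({"status": status, "ip": ip, "log_sessions": sessions})
    return report

# First entry of each list is quoted in the thread; the second is constructed.
HEADERS = ["from arodal-wa.com (HELO gtmo.net) (206.159.55.2)",
           "from mail.example.net [192.0.2.10] by mx.example.org"]
LOG = ["12:30 08:25 SMTPD(0B5200D6) [206.159.55.2] connect 206.159.55.2 port 1388",
       "12:30 08:26 SMTPD(0B5300D7) [206.159.55.2] connect 192.0.2.10 port 2041"]

if __name__ == "__main__":
    for entry in triage(HEADERS, LOG):
        print(entry)
```

A header reported as "unbracketed" or "no-ip" is only a claim; the session ids returned from the log are where to continue reading the server's own record of that connection.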
