> >>Received: from arodal-wa.com (HELO gtmo.net) (206.159.55.2) <<<This is
>our server!!!
>
> >Hmmm... that's not an IMail server! Either that, or the person submitting
>the spam made major alterations to the headers.<<
>
>When it came out of our server it was through the IMail server. But I
>think the header modification did occur.
That's not just a minor point to overlook. Altering or removing a
Received: header is kind of like forging a check. It just ain't right.
If the alteration took place on your end, you *must* identify what is
causing that to happen. If the alteration took place on the other end, you
can't take their spam complaint seriously (in that case, I would suggest
responding and asking for the complete unaltered headers).
> >So this Received: header comes from an untrusted source, and is 100%
>unreliable. We can't assume that 206.159.55.2 is really the IP address
>that sent the E-mail.<<
>
>It didn't originate there, but it DID get through us but NOT from a local
>account.
There are two separate issues. From the log files you posted, it's clear
that someone was relaying through your server. That's the primary
issue. The other is why someone sent you an E-mail that was missing
headers, and whether or not that E-mail really came through your
server. Depending on where the header disappeared, that may or may not be
something to be worried about.
> >Note that there are no more Received: headers. This spam didn't come from
>an IMail server, or is missing headers.<<
>That is all I ever saw.
>
> >Let me guess, you run two mail servers on the same machine?
>
>NO. ONLY Imail.
>
> >>12:30 08:25 SMTPD(0B5200D6) [206.159.55.2] connect 206.159.55.2 port 1388
> >
> >... and note that the same thing is happening here, but with a local IP
>rather than the loopback IP. I'm a bit worried that two different IPs
>would be used, but that isn't your primary concern now.<<
>
>But, is it possible they altered their IP address and came in looking like
>a local account?
It is technically possible, but extremely rare, and difficult to pull
off. Not even the professional spammers-for-hire seem to do this.
More likely is that they hacked into IIS and have a spamware program
running on the server that is doing this. I would check your IIS logs at
around that time, and look for cgi-bin type programs running.
Still, it doesn't explain why IMail would accept the E-mail in the first
place, given the SMTP security settings you have in place (it shouldn't
accept mail both from and to non-local addresses).
-Scott
---
Declude: Anti-virus, Anti-spam and Anti-hijacking solutions for
IMail. http://www.declude.com
An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
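The two checks Scott describes above, as an added example that is not part of the thread and not IMail or Declude code: walk a Received: chain from the newest hop down, trusting only headers stamped by a server we operate, and scan SMTPD log lines for sessions that connect from the server's own IP or that carry mail from a non-local sender to a non-local recipient. The hostname mail.gtmo.net, the local domain gtmo.net, the SMTPD log line layout for MAIL FROM/RCPT TO and all log lines after the first (which is the one quoted in the thread) are constructed for the example.

```python
"""Added example: Received: chain walk and SMTPD relay scan (not thread code)."""
import re
from dataclasses import dataclass
from typing import Optional

# Assumed for the example: the host we operate, its IP (the one in the thread)
# and the domain whose mail it is allowed to accept.
OUR_HOSTS = {"mail.gtmo.net"}
OUR_IPS = {"206.159.55.2"}
LOCAL_DOMAINS = {"gtmo.net"}

RECEIVED_RE = re.compile(
    r"from\s+(?P<name>\S+)"                        # name the client gave / rDNS
    r"(?:\s+\(HELO\s+(?P<helo>[^)]+)\))?"          # optional HELO clause
    r"\s*\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)"      # connecting IPv4 address
    r"(?:\s+by\s+(?P<by>[\w.-]+))?",               # server that stamped the header
    re.IGNORECASE,
)


@dataclass
class Hop:
    raw: str
    name: Optional[str]
    helo: Optional[str]
    ip: Optional[str]
    by: Optional[str]


def parse_received(value: str) -> Hop:
    """Parse one Received: header value; fields that are absent stay None."""
    value = value.strip()
    if value.lower().startswith("received:"):
        value = value.split(":", 1)[1].strip()
    m = RECEIVED_RE.search(value)
    if not m:
        return Hop(value, None, None, None, None)
    return Hop(value, m.group("name"), m.group("helo"), m.group("ip"), m.group("by"))


def hop_warnings(hop: Hop) -> list:
    """Things a header reader should notice before believing a hop."""
    warnings = []
    if hop.by is None:
        warnings.append("no 'by' clause: cannot tell which server stamped it")
    if hop.helo and hop.name and hop.helo.lower() != hop.name.lower():
        warnings.append(f"HELO {hop.helo} does not match connecting name {hop.name}")
    return warnings


def first_external_ip(received_values, trusted_hosts=OUR_HOSTS) -> Optional[str]:
    """Walk the chain newest-first. Return the IP of the client that handed the
    message to our last trusted server, or None when the topmost header was not
    stamped by us (then the whole chain is unreliable, as in the thread)."""
    trusted = {h.lower() for h in trusted_hosts}
    last_trusted = None
    for hop in map(parse_received, received_values):
        if hop.by is None or hop.by.lower() not in trusted:
            break  # everything from here down was supplied by an untrusted party
        last_trusted = hop
    return last_trusted.ip if last_trusted else None


# Constructed SMTPD log: first line is the one quoted in the thread, the rest
# (and the MAIL FROM / RCPT TO layout) are made up for the example.
SAMPLE_LOG = """\
12:30 08:25 SMTPD(0B5200D6) [206.159.55.2] connect 206.159.55.2 port 1388
12:30 08:25 SMTPD(0B5200D6) [206.159.55.2] MAIL FROM:<bulk@example.org>
12:30 08:25 SMTPD(0B5200D6) [206.159.55.2] RCPT TO:<victim@example.com>
12:31 08:25 SMTPD(0B5200D7) [206.159.55.2] connect 203.0.113.9 port 2211
12:31 08:25 SMTPD(0B5200D7) [206.159.55.2] MAIL FROM:<friend@example.org>
12:31 08:25 SMTPD(0B5200D7) [206.159.55.2] RCPT TO:<user@gtmo.net>
12:32 08:25 SMTPD(0B5200D8) [206.159.55.2] connect 198.51.100.7 port 3001
12:32 08:25 SMTPD(0B5200D8) [206.159.55.2] MAIL FROM:<>
12:32 08:25 SMTPD(0B5200D8) [206.159.55.2] RCPT TO:<someone@example.com>
"""

LOG_RE = re.compile(r"^\S+\s+\S+\s+SMTPD\((?P<sid>[0-9A-F]+)\)\s+\[[0-9.]+\]\s+(?P<rest>.*)$")
ADDR_RE = re.compile(r"<([^>]*)>")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def scan_smtp_log(text: str, local_domains=LOCAL_DOMAINS, our_ips=OUR_IPS) -> dict:
    """Group lines by session id and flag: 'local-origin' when the client IP is
    the server itself (a process on the box, not a remote host), and 'relay:...'
    when a non-local sender addresses non-local recipients."""
    sessions = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        s = sessions.setdefault(m["sid"], {"client": None, "from": None, "rcpt": []})
        rest = m["rest"]
        if rest.startswith("connect "):
            s["client"] = rest.split()[1]
        elif rest.upper().startswith("MAIL FROM:"):
            a = ADDR_RE.search(rest)
            s["from"] = a.group(1) if a else ""
        elif rest.upper().startswith("RCPT TO:"):
            a = ADDR_RE.search(rest)
            if a:
                s["rcpt"].append(a.group(1))
    findings = {}
    for sid, s in sessions.items():
        flags = []
        if s["client"] in our_ips:
            flags.append("local-origin")
        if s["from"] is not None and _domain(s["from"]) not in local_domains:
            external = [r for r in s["rcpt"] if _domain(r) not in local_domains]
            if external:
                flags.append("relay:" + ",".join(external))
        if flags:
            findings[sid] = flags
    return findings
```

Run against the thread's header, first_external_ip returns None and hop_warnings reports both the missing "by" clause and the HELO/name mismatch, which is the "100% unreliable" verdict in code; run against the sample log, session 0B5200D6 is flagged both local-origin and relay, which matches the two separate problems Scott points at.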