Need some help from you spam fighters out there.
I am getting hit with a bunch of spam from an IP block that includes
addresses 204.127.131.24 thru 204.127.131.52 (these are the ones I am
seeing) . When I check these blocks are swiped to ATT.net. If I block the
entire class C it appears that we block ATT.Net's mail servers. When I look
more closely at the headers - I see that worldnet.att.net appears to be
relaying for spammers. This particular piece of mail appears to go from IP
202.182.5.80 to IP 64.230.77.251 to IP 209.226.175.35 to IP 204.127.131.27
which is really confusing to me. I was hoping that someone here could help
figure it out. My primary question - is this IP block part of some spamhaus
deal with ATT.net where they will relay spam for a price. The header below
is just a sample - I am catching 20 to 30 a day from those IPs with
different offers, etc. From my review of the logs, it appears that AT&T's
mail servers are relaying - does anyone have an explanation for this?
Thanks for the help!!!
Chuck Schick
Warp 8, Inc.
303-421-5140
www.warp8.com
<-----------------------------------Header
Sample----------------------------------------------------------------------
-------->
Received: from mtiwgwc24.worldnet.att.net [204.127.131.27] by
mail.integrated-systems.cc with ESMTP
(SMTPD32-6.06) id AE5169060278; Tue, 09 Apr 2002 11:01:08 -0600
Received: from tomts14-srv.bellnexxia.net ([209.226.175.35])
by mtiwgwc24.worldnet.att.net
(InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP
id
<[EMAIL PROTECTED]
net>;
Mon, 8 Apr 2002 21:26:21 +0000
Received: from sympatico.ca ([64.230.77.251]) by tomts14-srv.bellnexxia.net
(InterMail vM.4.01.03.23 201-229-121-123-20010418) with ESMTP
id
<[EMAIL PROTECTED]>;
Mon, 8 Apr 2002 17:26:20 -0400
Received: from mx07.hotmail.com ([202.182.5.80]) by sympatico.ca with
Microsoft SMTPSVC(5.0.2195.3779);
Mon, 8 Apr 2002 17:31:06 -0400
Message-ID: <00005e2178fd$0000400a$[EMAIL PROTECTED]>
To: <Undisclosed Recipients>
From: [EMAIL PROTECTED]
Subject: Guaranteed human growth hormone (hgh) ,#1 in the Market!7974
Date: Tue, 09 Apr 2002 04:27:38 -0500
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1252"
Content-Transfer-Encoding: 7bit
Reply-To: [EMAIL PROTECTED]
1: X-Mailer: Microsoft Outlook Express 5.50.4522.1200
2: X-Mailer: The Bat! (v1.52f) Business
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 08 Apr 2002 21:31:11.0957 (UTC)
FILETIME=[B458C050:01C1DF44]
X-RBL-Warning: This entry was last confirmed open on 3/25/2002
X-RBL-Warning: Your mailserver is an open relay -- see
<http://ordb.org/lookup/?host=64.230.77.251>
X-RBL-Warning: Blocked - see http://spamcop.net/bl.shtml?64.230.77.251
X-RBL-Warning: Not supporting null originator (DSN)
X-RBL-Warning: Not supporting abuse@domain
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for
spam.
<------------------------------------End
Header---------------------------------------------------------------->
Please visit http://www.ipswitch.com/support/mailing-lists.html
to be removed from this list.
An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Please visit the Knowledge Base for answers to frequently asked
questions: http://www.ipswitch.com/support/IMail/
