> I am getting hit with a bunch of spam from an IP block that includes
> addresses 204.127.131.24 thru 204.127.131.52 (these are the ones I am
> seeing). When I check these blocks are swiped to ATT.net. If I block the
> entire class C it appears that we block ATT.Net's mail servers. When I look
> more closely at the headers - I see that worldnet.att.net appears to be
> relaying for spammers. This particular piece of mail appears to go from IP
> 202.182.5.80 to IP 64.230.77.251 to IP 209.226.175.35 to IP 204.127.131.27
> which is really confusing to me.

You can ignore the 202.182.5.80 to IP 64.230.77.251 to IP 209.226.175.35
part. The only information from the headers you can normally trust
completely is the IP address of the mail server that connected to yours
(204.127.131.27 in this case). The other IPs may be real, or they may be
fake. Examining the headers may give you a good idea of whether or not the
others are real, but you can't say with 100% certainty.

> My primary question - is this IP block part of some spamhaus
> deal with ATT.net where they will relay spam for a price.

Possibly, but unlikely. Those IPs only seem to be listed by XBL, which
lists lots more IPs than anyone else. If it was a "pink contract" (AT&T
knowingly allowing spam), a few of the other spam databases might have
picked up those IPs.

> The header below is just a sample - I am catching 20 to 30 a day from
> those IPs with different offers, etc. From my review of the logs, it
> appears that AT&T's mail servers are relaying - does anyone have an
> explanation for this?

Let's take a look:

> Received: from mtiwgwc24.worldnet.att.net [204.127.131.27] by
> mail.integrated-systems.cc with ESMTP
>  (SMTPD32-6.06) id AE5169060278; Tue, 09 Apr 2002 11:01:08 -0600

The only piece of information in the first header (regarding the remote
server) that is trustworthy is the IP: 204.127.131.27. Doing a reverse DNS
lookup and IPWHOIS lookup at http://www.DNSstuff.com shows that it is an
AT&T IP address.

> Received: from tomts14-srv.bellnexxia.net ([209.226.175.35])
>  by mtiwgwc24.worldnet.att.net
>  (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP
>  id <[EMAIL PROTECTED]
> net>;
>  Mon, 8 Apr 2002 21:26:21 +0000

Assuming that AT&T's mail server recorded the IP correctly (which is a good
assumption), they got the mail from 209.226.175.35. That's listed as
belonging to Bell Canada, which may be why AT&T allows the E-mail. However,
a spam database lookup of that IP shows that it is in several spam
databases. One suggests that it is part of a "multihop relay" (i.e. it
accepts mail from another mail server, which is an open relay).

> Received: from sympatico.ca ([64.230.77.251]) by tomts14-srv.bellnexxia.net
>  (InterMail vM.4.01.03.23 201-229-121-123-20010418) with ESMTP
>  id <[EMAIL PROTECTED]>;
>  Mon, 8 Apr 2002 17:26:20 -0400

And here's the key. 64.230.77.251 (which can't be trusted as definitely
being a source of the E-mail, but it likely is) has lots of hits on spam
databases, including SPAMCOP. The IP is owned by Bell Nexxia, and appears
to be a PPP connection given the true reverse DNS of it.

> Received: from mx07.hotmail.com ([202.182.5.80]) by sympatico.ca with
> Microsoft SMTPSVC(5.0.2195.3779);
>  Mon, 8 Apr 2002 17:31:06 -0400

This is probably a forged header. 202.182.5.80 is an IP from Thailand, and
certainly isn't mx07.hotmail.com. However, the date/time in the header
closely matches the others, and 202.182.5.80 is listed in SPAMCOP, so it
may be the actual source. But this far down in the headers is just a
guessing game.

Another possibility when receiving spam from a (somewhat) legitimate source
like AT&T is that someone there has an account that forwarded the mail.
But, this looks like a case of AT&T accepting mail from Bell Canada who
accepts mail from Bell Nexxia, who runs an insecure mail server.

-Scott

---
Declude: Anti-virus, Anti-spam and Anti-hijacking solutions for IMail.
http://www.declude.com
---

[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

Please visit http://www.ipswitch.com/support/mailing-lists.html to be removed from this list.
An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Please visit the Knowledge Base for answers to frequently asked questions:
http://www.ipswitch.com/support/IMail/
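The hop-by-hop reading Scott does above can be mechanised. The script below is an added example, not code from anyone on this list: it unfolds the four Received: headers quoted in the post (embedded as constructed sample input, with the archive's "[EMAIL PROTECTED]" redaction left in place of the message-ids), walks them top to bottom, and separates the one fact you can rely on (the bracketed IP in the header your own server wrote) from everything the remote servers claim. It also runs two offline consistency checks: that each header's "from" host is the same server that wrote the next header down, and that timestamps get older as you read down. The DNS, whois and blocklist lookups Scott mentions are deliberately not part of it; they need network access and tools like the DNSstuff site he names.

```python
"""Parse a Received: chain and mark which hop can actually be trusted.

Added example; the sample headers are the ones quoted in the post above,
the parsing and checks are this example's own.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from email.utils import parsedate_to_datetime
from typing import List, Optional, Tuple

# Constructed sample input: the four headers quoted in the post, folded the
# way they appear in the message (continuation lines start with a space).
SAMPLE_HEADERS = """\
Received: from mtiwgwc24.worldnet.att.net [204.127.131.27] by
 mail.integrated-systems.cc with ESMTP
 (SMTPD32-6.06) id AE5169060278; Tue, 09 Apr 2002 11:01:08 -0600
Received: from tomts14-srv.bellnexxia.net ([209.226.175.35])
 by mtiwgwc24.worldnet.att.net
 (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP
 id <[EMAIL PROTECTED]>;
 Mon, 8 Apr 2002 21:26:21 +0000
Received: from sympatico.ca ([64.230.77.251]) by tomts14-srv.bellnexxia.net
 (InterMail vM.4.01.03.23 201-229-121-123-20010418) with ESMTP
 id <[EMAIL PROTECTED]>;
 Mon, 8 Apr 2002 17:26:20 -0400
Received: from mx07.hotmail.com ([202.182.5.80]) by sympatico.ca with
 Microsoft SMTPSVC(5.0.2195.3779);
 Mon, 8 Apr 2002 17:31:06 -0400
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


@dataclass
class Hop:
    from_host: str            # name the sending side announced; unverified
    ip: Optional[str]         # address the receiving server saw in brackets
    by_host: str              # server that wrote this header
    when: Optional[datetime]  # timestamp that server recorded


def unfold(raw: str) -> List[str]:
    """Join RFC 822 continuation lines (leading whitespace) onto their header."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_received(raw: str) -> List[Hop]:
    """Return the Received: hops in header order (top = newest, closest to you)."""
    hops: List[Hop] = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        body = line[len("received:"):].strip()
        m_from = re.search(r"\bfrom\s+(\S+)", body)
        m_by = re.search(r"\bby\s+(\S+)", body)
        m_ip = re.search(r"\[" + IPV4 + r"\]", body)
        # The timestamp is whatever follows the final ';'.
        date_str = body.rsplit(";", 1)[1].strip() if ";" in body else ""
        hops.append(Hop(
            from_host=m_from.group(1) if m_from else "",
            ip=m_ip.group(1) if m_ip else None,
            by_host=m_by.group(1) if m_by else "",
            when=parsedate_to_datetime(date_str) if date_str else None,
        ))
    return hops


def analyze(hops: List[Hop]) -> dict:
    """hops[0] was written by your own server, so its bracketed IP is the one
    fact you know; every lower hop was written elsewhere and may be forged."""
    report = {
        "connecting_ip": hops[0].ip if hops else None,
        "claimed_path": [h.ip for h in hops[1:]],
        "chain_breaks": [],      # hop index whose 'by' != previous hop's 'from'
        "clock_anomalies": [],   # (hop index, seconds it is *later* than the hop above)
    }
    for i in range(len(hops) - 1):
        outer, inner = hops[i], hops[i + 1]
        if outer.from_host.lower() != inner.by_host.lower():
            report["chain_breaks"].append(i + 1)
        if outer.when and inner.when and inner.when > outer.when:
            skew = int((inner.when - outer.when).total_seconds())
            report["clock_anomalies"].append((i + 1, skew))
    return report


if __name__ == "__main__":
    parsed = parse_received(SAMPLE_HEADERS)
    for n, h in enumerate(parsed):
        tag = "TRUSTED (your server saw this IP)" if n == 0 else "claimed"
        print(f"hop {n}: {h.ip} announced as {h.from_host!r}, written by {h.by_host} [{tag}]")
    print(analyze(parsed))
```

On the sample the chain links cleanly (every "from" matches the "by" of the header below it), which is consistent with Scott's reading that AT&T really did accept the message from the bellnexxia.net host, which accepted it from 64.230.77.251. The one oddity the script surfaces is that the bottom header's timestamp is 286 seconds later than the header written above it; a few minutes of skew between servers is normal and proves nothing on its own, and whether mx07.hotmail.com really sits at 202.182.5.80 is a DNS/whois question the script leaves to the lookups described in the post.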
