>Must admit I'm not very versed in ascertaining the true sender from header
>information, so thought I would post this to the group with the questions:
>Who is the real sender?

It's impossible to know for sure, without cooperation from the administrators of the remote mailserver.

> And how do I block them?

That's easier; you can block them on their IP (using the Control Access file) or the return address (using the Kill List), both found in the SMTP Security settings.

>Received: from excite.com [127.0.0.1] by tonerworld.com
>  (SMTPD32-7.07) id A7E52110104; Fri, 07 Jun 2002 11:13:57 -0700

Umm... That's bad. Very, very bad! The first Received: header is the only one you can certainly trust, and all you can trust is the IP. In this case, IMail received the E-mail from your local server. That's sometimes OK, but in this case, it was from a process claiming to be excite.com! It sounds like you have a spammer that has compromised your server, and has software of his own running on it.

>Received: from unknown (HELO rly-xw05.oxyeli.com) (169.37.77.114)
>  by n7.groups.huyahoo.com with NNFMP; 07 Jun 0102 22:15:29 -0000
>Received: from unknown (HELO smtp-server.tampabayr.com) (84.201.229.144)
>  by m10.grp.snv.yahui.com with asmtp; Fri, 07 Jun 0102 22:14:58 -0400

Whatever software they have added these headers, but they are completely untrustworthy. I repeat: YOUR SERVER IS PROBABLY COMPROMISED. If you had another mailserver running on the server, it should have "better" headers than those -- it should identify itself, and at least have the IP address in the headers (IPs in parentheses are considered comments, not IPs).

>Reply-To: <[EMAIL PROTECTED]>
>Message-ID: <011a67d80a3a$3174b0c8$3da83ab1@pxlswf>
>From: <[EMAIL PROTECTED]>

The From: header is almost always forged in spam, and likely isn't valid. To find the return address (also commonly forged in spam, but one that you can block on if necessary), you can look in the IMail SMTP log file for the "MAIL FROM:" line.

-Scott
---
Declude: Anti-virus, Anti-spam and Anti-hijacking solutions for IMail.
http://www.declude.com

An Archive of this list is available at: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
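
The header triage described in the reply above, as an added Python example that is not part of the original post or of IMail/Declude: it trusts only the peer IP in the topmost Received: header, discards parenthesised comments, and flags a loopback peer that announces a foreign name. The function `triage`, its `local_names` parameter and the assumption that the receiving server writes `from <name> [<ip>]` (the layout in the quoted header) are illustrative.

```python
import email
import ipaddress
import re

# Constructed sample: the three Received: headers quoted in the post above.
RAW = (
    "Received: from excite.com [127.0.0.1] by tonerworld.com\n"
    "  (SMTPD32-7.07) id A7E52110104; Fri, 07 Jun 2002 11:13:57 -0700\n"
    "Received: from unknown (HELO rly-xw05.oxyeli.com) (169.37.77.114)\n"
    "  by n7.groups.huyahoo.com with NNFMP; 07 Jun 0102 22:15:29 -0000\n"
    "Received: from unknown (HELO smtp-server.tampabayr.com) (84.201.229.144)\n"
    "  by m10.grp.snv.yahui.com with asmtp; Fri, 07 Jun 0102 22:14:58 -0400\n"
    "\n"
    "body\n"
)

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def strip_comments(value):
    """Drop (parenthesised) header comments, nested ones included, and unfold."""
    prev = None
    while prev != value:
        prev, value = value, re.sub(r"\([^()]*\)", " ", value)
    return " ".join(value.split())

def triage(raw, local_names=("tonerworld.com", "localhost")):
    """Assess a message using only the topmost Received: header's peer IP."""
    hops = email.message_from_string(raw).get_all("Received") or []
    if not hops:
        return {"verdict": "no Received headers"}
    # Assumed layout written by our own server: from <claimed name> [<peer ip>]
    m = re.search(r"\bfrom\s+(\S+)\s+\[([^\]\s]+)\]", strip_comments(hops[0]))
    if not m:
        return {"verdict": "top header not in expected layout"}
    claimed = m.group(1).lower()
    try:
        peer = ipaddress.ip_address(m.group(2))
    except ValueError:
        return {"verdict": "unparseable peer address"}
    spoofed_local = peer.is_loopback and claimed not in local_names
    return {
        "peer_ip": str(peer),
        "claimed_name": claimed,
        "lower_headers": len(hops) - 1,  # informational only, never trusted
        # Addresses left in lower headers once comments are removed.
        "lower_bare_ips": sum(len(IPV4.findall(strip_comments(h))) for h in hops[1:]),
        "verdict": "local process claiming a foreign name" if spoofed_local else "review peer IP",
    }

if __name__ == "__main__":
    print(triage(RAW))
```

On the quoted headers the lower two hops contribute no address at all once comments are stripped, which is why only the topmost header's `[127.0.0.1]` is usable evidence.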
