I figured out how they were able to authenticate. But I still don't know who they are. Somehow they must have picked the password for one of the users on the physical host (i.e. our administrators)
This is because the message headers show the physical host name: Received: from 66.46.145.35 [212.13.72.2] by imail9 (SMTPD32-7.12) id A712151400C8; Tue, 08 Oct 2002 15:50:42 -0400 If it were a customer the headers would show the customer domain name instead of imail9 -----Original Message----- From: Mark [Support] [mailto:[EMAIL PROTECTED]] Sent: Wednesday, October 09, 2002 2:44 PM To: Andrey Fyodorov Subject: Re: [IMail Forum] Need HELP with rules Here might be some help. If the GOOD customer always send's from the same IP address, then use the logs and track the e-mail that is "sent from him", NOT at that IP address. Then track that IP back. If it is one of your customers, then you will be able to match the IP with a login time for a user account. Then suspend that user for spamming. If it's not an IP of a customer then change the GOOD users password and check to make sure IMail is secure. Or block that IP that they are sending from. -- Cheers Mark mailto:[EMAIL PROTECTED] Orillia ProNet Inc. 705-329-3949 Wednesday, October 9, 2002, 12:55:11 PM, you wrote: AF> I can only see one way to stop this impersonation - AF> to create a rule that will check the From and the IP address in the header. AF> The good customer always sends mail from the same static IP address. --- [This E-mail scanned for viruses by Orillia ProNet with Declude AntiVirus] To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/ Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/ To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/ Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
