Looking for help in the best place... Normally, when I look at the header for an email, the first line is the Received: from line. Granted that spammers can forge most of that line, you can still see the last place that forwarded the message to your server. I just looked at a couple of messages and found that line missing. I was wondering how this happened and what it means.
We had a client complain about excessive spam, and they forwarded some samples to us. These are the messages I found missing the Received: from line. Assuming they're receiving the mail from our server, shouldn't that line be there? Or could they have a program on their desktop PCs that is cutting it out?

Here is a typical header for spam arriving in my mailbox (which, alas, failed to score any points with Declude):

Received: from seebest.com.tw [82.103.142.175] by bcw6.bcwebhost.net with ESMTP (SMTPD32-7.15) id AD2AB67011E; Wed, 23 Mar 2005 14:26:50 -0800
From: "Kim" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: This watch is Hot
MIME-Version: 1.0
Precedence: bulk
Errors-To: [EMAIL PROTECTED]
Content-type: text/html
Message-Id: <[EMAIL PROTECTED]>
Date: Wed, 23 Mar 2005 21:48:52 +0000 (GMT)
X-Declude-Sender: [EMAIL PROTECTED] [82.103.142.175]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: None [-5]
X-Note: This E-mail was sent from (timeout) ([82.103.142.175]).
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 408426782

Here is one of the sample headers our client sent to us:

From: "Monotony R. Sleeper" <[EMAIL PROTECTED]>
To: "Office" <[EMAIL PROTECTED]>
Subject: Fw: Seecrt e-book on how to have sex with any woman instanlty
Date: Thu, 24 Mar 2005 07:13:06 -0800
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_000C_01C53049.9DC35FE0"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1437
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Declude-Sender: [EMAIL PROTECTED] [83.46.16.131]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: None [0]
X-RCPT-TO: <[EMAIL PROTECTED]>
X-UIDL: 366430157
X-RAV-AntiVirus: This message has been scanned for viruses on 131.Red-83-46-16.pooles.rima-tde.net
Importance: Normal

This second header is missing the Received: from line, and has this extra "X-RAV-AntiVirus" line, which I don't recognize. Any ideas? I would almost think the mail is passing through someone else's mail server, but there is our tag line about being scanned by Declude JunkMail.

Thanks,
Ben
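A header check for the two samples quoted above, added here as an example and not part of the original post: it lists the Received hops in a message and flags a copy that carries the server's X-Declude-Sender stamp but no Received trace. The function name `audit` and the finding labels are assumptions made for this example; the header text is trimmed from the post.

```python
import re
from email import message_from_string

# Trimmed copies of the two headers quoted in the post (addresses are redacted there).
DELIVERED = """\
Received: from seebest.com.tw [82.103.142.175] by bcw6.bcwebhost.net
  with ESMTP (SMTPD32-7.15) id AD2AB67011E; Wed, 23 Mar 2005 14:26:50 -0800
From: "Kim" <[EMAIL PROTECTED]>
X-Declude-Sender: [EMAIL PROTECTED] [82.103.142.175]
X-Spam-Tests-Failed: None [-5]

"""
CLIENT_SAMPLE = """\
From: "Monotony R. Sleeper" <[EMAIL PROTECTED]>
X-Mailer: Microsoft Outlook Express 6.00.2800.1437
X-Declude-Sender: [EMAIL PROTECTED] [83.46.16.131]
X-Spam-Tests-Failed: None [0]

"""

IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOP = re.compile(r"from\s+\S+\s+\[([\d.]+)\]\s+by\s+(\S+)")

def audit(raw):
    """Return Received hops, the scanner-recorded IP, and findings (labels are hypothetical)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):   # newest hop is listed first
        m = HOP.search(value)
        hops.append(m.groups() if m else (None, None))
    scanner = IP.search(msg.get("X-Declude-Sender", ""))
    scanner_ip = scanner.group(1) if scanner else None
    findings = []
    if not hops:
        findings.append("no-received-trace")
        if scanner_ip:
            # The scanner stamp shows the message was seen by the scanning server,
            # so the trace is absent from this copy rather than never recorded.
            findings.append("scanned-but-untraced")
    elif scanner_ip and hops[0][0] != scanner_ip:
        findings.append("scanner-ip-mismatch")
    return {"hops": hops, "scanner_ip": scanner_ip, "findings": findings}

if __name__ == "__main__":
    for name, raw in (("delivered", DELIVERED), ("client sample", CLIENT_SAMPLE)):
        print(name, audit(raw))
```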
