Clears it up a lot. Thanks. In the bounced email, in the subject line, it tells me the IPs 203.197.117.195 220.71.28.199,
but not in the bounced messages. Just what I posted here.

----- Original Message -----
From: "Cybertime Hostmaster" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, September 12, 2003 3:22 PM
Subject: [IMGate] Re: my imgate IP in the HELO


> > I am assuming it's a spammer forging my stuff. However I want to insure
> that
>
> Just to recap:
>
> Yes, this is forged:
>
> > In: HELO 68.156.89.114
>
> Note, this is IN, not OUT.
>
> If you are on mx666.wirelesscommunitynetworks.com [68.156.89.114], and a
> HELO comes in saying it is from 68.156.89.114 to 68.156.89.114, it is very
> obvious what is happening, and only requires one thing to check, the
> logged IP of the client.
>
> In your logs, you should have the IP of what connected to you. Not the
> HELO, but the actual IP.
>
> Let me try and put it another way.
>
> Let's say your phone number is 555-1212.
>
> Someone calls and says, "Hi, this is Joe at 555-1212, and I am calling
> you, Mark at 555-1212, to sell you some garbage."
>
> You then look at your caller ID box and see the number they called from.
> Let's say it is 555-9999. Well, 555-9999 is not 555-1212!
>
> They are lying.
>
> Now on the segment you pasted into the email, you started with the second
> part of the connection. I am not sure if you are seeing the first part.
>
> The first part would be their IP hooking up to your IP to open a
> connection between you. That is when you see their real IP.
>
> (Or in my example, they dialed your phone number. It does not ring till
> they call you.)
>
> After that inbound connection happens, your server sends out the banner,
> which is "mx666.wirelesscommunitynetworks.com - ESMTP - Postfix - Attn:
> UCE trespassers will be pursued." in your case.
>
> (You pick up the phone and say, "This is Mark.")
>
> That is the missing piece that I think is eluding you.
>
> Your server does not just broadcast "mx666.wirelesscommunitynetworks.com -
> ESMTP..." all day long to every machine on the net. Instead it waits for
> a connection to be opened, an inbound request. Then it sends out the
> banner.
>
> (You do not call everyone in the world and ask them if they need to
> telephone you.)
>
> What you see after that in the section you posted is a forged HELO, how
> naughty of them. Then there is a little chatter back and forth. Finally,
> you punish them for using an IP in the HELO.
>
> Now, you are NOT punishing them for using YOUR IP. You do not care if it
> is your IP or any other IP. It is an IP in the HELO. It is bad. Bye bye.
>
> I hope that helps clear up the concept a little.
>
> --Eric
>
> ps. Fortunately I had more than 3 hours sleep last night, so I am thinking
> clearly today. The above should be accurate. Too many long days and
> short nights this last.... herm, I don't know how long. Weeks? Months?
>
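Eric's caller-ID rule (trust the IP the connection actually came from, never the HELO argument) as an added worked example. This is not code from the thread, from IMGate or from Postfix: it is a Python check over Postfix-style smtpd reject log lines. The MX hostname and IP are the ones quoted in the thread; the log-line regex, the sample lines, the sender/recipient addresses and the verdict names are constructed assumptions.

```python
import ipaddress
import re
from typing import Optional

# Identity of the receiving MX, as given in the thread. Nothing legitimate
# connects to us claiming to be us, so a HELO naming either is forged.
OUR_HOSTNAME = "mx666.wirelesscommunitynetworks.com"
OUR_IPS = {"68.156.89.114"}

# A Postfix smtpd reject line records both the real client IP (taken from
# the TCP connection, like caller ID) and the HELO argument (what the client
# *claims*). The layout below is an assumption for this example.
REJECT_RE = re.compile(
    r"RCPT from (?P<rdns>[^\s\[]+)\[(?P<ip>[^\]]+)\].*?helo=<(?P<helo>[^>]*)>"
)

# Constructed sample log, not taken from the list. The second line is the
# situation in the thread: a client at some other address says HELO with our IP.
SAMPLE_LOG = """\
Sep 12 15:01:02 mx666 postfix/smtpd[1234]: connect from unknown[203.0.113.45]
Sep 12 15:01:03 mx666 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.45]: 504 <68.156.89.114>: Helo command rejected: need fully-qualified hostname; from=<spam@example.net> to=<mark@example.org> proto=SMTP helo=<68.156.89.114>
Sep 12 15:02:10 mx666 postfix/smtpd[1240]: NOQUEUE: reject: RCPT from mail.example.com[198.51.100.7]: 554 <b@elsewhere.example>: Relay access denied; from=<a@example.com> to=<b@elsewhere.example> proto=ESMTP helo=<mail.example.com>
Sep 12 15:03:00 mx666 postfix/smtpd[1250]: NOQUEUE: reject: RCPT from unknown[192.0.2.9]: 554 <d@example.org>: Relay access denied; from=<c@example.net> to=<d@example.org> proto=ESMTP helo=<[192.0.2.9]>
"""


def parse_reject_line(line: str) -> Optional[dict]:
    """Pull (client_ip, helo) out of one reject line; None for other lines."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    return {"client_ip": m.group("ip"), "helo": m.group("helo")}


def is_bare_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def classify_helo(client_ip: str, helo: str) -> str:
    """Verdict for one session. The logged client IP is the only trusted input.

    Check order matters: a HELO that names *us* is forged no matter how it is
    spelled, so that test runs before the syntax checks.
    """
    h = helo.strip()
    if h.lower() == OUR_HOSTNAME or h.strip("[]") in OUR_IPS:
        return "forged-our-identity"
    if is_bare_ip(h):
        # RFC 5321 only allows an address *literal* in brackets; a naked IP
        # is the "IP in the HELO" the thread punishes.
        return "reject-bare-ip"
    if h.startswith("[") and h.endswith("]"):
        inner = h[1:-1]
        if not is_bare_ip(inner):
            return "reject-invalid-literal"
        # A literal is acceptable only if it agrees with the caller-ID (client IP).
        return "ok-literal" if inner == client_ip else "mismatched-literal"
    # A syntactically fine hostname can still lie; that needs DNS, not this check.
    return "ok-hostname"


def analyze_log(text: str) -> list:
    """Return (client_ip, helo, verdict) for every reject line in the log."""
    results = []
    for line in text.splitlines():
        parsed = parse_reject_line(line)
        if parsed:
            results.append((parsed["client_ip"], parsed["helo"],
                            classify_helo(parsed["client_ip"], parsed["helo"])))
    return results


if __name__ == "__main__":
    for client_ip, helo, verdict in analyze_log(SAMPLE_LOG):
        print(f"client={client_ip:<15} helo=<{helo}> -> {verdict}")
```

The "connect from" line is deliberately skipped: it carries the real IP but no HELO yet, which is the first half of the exchange Eric says the poster was not looking at. The rejection itself is configured in Postfix under smtpd_helo_restrictions (reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname); this script only reads back what the server already logged.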
