On Tuesday 25 May 2004 19:02, Ken.McAllister wrote:
> Received: from omr-m01.mx.aol.com (omr-m01.mx.aol.com [64.12.138.1]) by
> mx2.clear.net.nz (CLEAR Net Mail) with ESMTP id
> <[EMAIL PROTECTED]> for [EMAIL PROTECTED]; Tue,
> 25 May 2004 18:27:57 +1200 (NZST)
> Received: from rly-xh03.mx.aol.com (rly-xh03.mail.aol.com
> [172.20.115.232]) by omr-m01.mx.aol.com (v98.19) with ESMTP id
> RELAYIN8-940b2e75f3bb; Tue, 25 May 2004 02:27:43 -0400
> Received: from localhost (localhost) by rly-xh03.mx.aol.com
> (8.8.8/8.8.8/AOL-5.0.0) with internal id CAH09361; Tue, 25 May 2004
> 02:27:43 -0400 (EDT)

Ignore the rest for now.

Clear (mx2.clear.net.nz) got it from AOL (omr-m01.mx.aol.com) who got it from AOL (rly-xh03.mail.aol.com) who relayed it for localhost at Tue, 25 May 2004 02:27:43 -0400 (EDT)

[EMAIL PROTECTED]:~$ dig rly-xh03.mail.aol.com
-snip-
;; QUESTION SECTION:
;rly-xh03.mail.aol.com. IN A

;; ANSWER SECTION:
rly-xh03.mail.aol.com. 3600 IN A 172.20.115.232

;; AUTHORITY SECTION:
mail.aol.com. 3600 IN NS dns-02.ns.aol.com.
mail.aol.com. 3600 IN NS dns-01.ns.aol.com.
-snip

So the server that relayed the message is a legit part of AOL. The whois database doesn't list an abuse entry for aol.com although there usually is one. In this case I'd forward the original message complete with a copy of the full headers to [EMAIL PROTECTED] Since it really did originate from within their system they might be able to identify the machine/user by time and ID.

Realistically though they are probably not going to do anything. A more binding option might be to simply block all email from the aol.com domain. Many people do if they've no friends or family on that domain.

BTW check out

$ whois aol.com

It looks like someone has cracked their whois records.

Rob
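
The hop-by-hop reading above can be automated. The following is an added example, not part of the original post: it parses a Received chain oldest hop first and marks hops whose recorded peer address is in a private range or whose HELO name differs from the name in parentheses. The sample is constructed from the quoted headers, with the redacted id and recipient replaced by placeholders; parse_hops and the field names are assumptions of this example.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the quoted headers; the redacted id and
# recipient are replaced with placeholders.
RAW = """\
Received: from omr-m01.mx.aol.com (omr-m01.mx.aol.com [64.12.138.1]) by
 mx2.clear.net.nz (CLEAR Net Mail) with ESMTP id
 <ID-PLACEHOLDER> for <user@example.invalid>; Tue,
 25 May 2004 18:27:57 +1200 (NZST)
Received: from rly-xh03.mx.aol.com (rly-xh03.mail.aol.com
 [172.20.115.232]) by omr-m01.mx.aol.com (v98.19) with ESMTP id
 RELAYIN8-940b2e75f3bb; Tue, 25 May 2004 02:27:43 -0400
Received: from localhost (localhost) by rly-xh03.mx.aol.com
 (8.8.8/8.8.8/AOL-5.0.0) with internal id CAH09361; Tue, 25 May 2004
 02:27:43 -0400 (EDT)
"""

HOP = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)")
IP = re.compile(r"\[([0-9A-Fa-f.:]+)\]")

def parse_hops(raw):
    """Return the Received chain oldest hop first, one dict per hop."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())        # unfold continuation lines
        m = HOP.search(flat)
        if not m:
            continue
        helo, peer, by = m.groups()           # claimed name, looked-up peer, receiver
        ip = IP.search(peer)
        addr = ipaddress.ip_address(ip.group(1)) if ip else None
        rdns = IP.sub("", peer).strip()       # name recorded by the receiving server
        hops.append({
            "helo": helo, "rdns": rdns, "by": by,
            "ip": str(addr) if addr else None,
            "when": parsedate_to_datetime(flat.rsplit(";", 1)[1].strip()),
            "private_ip": bool(addr and addr.is_private),
            "name_mismatch": bool(ip and helo != rdns),
        })
    return hops[::-1]   # each relay prepends its header, so reverse the list

if __name__ == "__main__":
    for h in parse_hops(RAW):
        print(h["when"].isoformat(), h["helo"], "->", h["by"], h["ip"],
              "private" if h["private_ip"] else "",
              "helo!=rdns" if h["name_mismatch"] else "")
```

Only the topmost Received header is written by your own provider; everything below it is as trustworthy as the server that added it.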
