OK, all you mail gurus; here's today's challenge.
 
Here's an email header that has me puzzled. It is a piece of spam "returned" to a customer of ours ([EMAIL PROTECTED]), as their email address is fraudulently being used as the reply-to address.
 
Here is the original email header, as the entire email was returned by the destination mail server (I have also pasted their header below the spam header). The private IP addresses are what puzzle me. I don't think I've ever seen this before. Even SpamCop choked on this header:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Received: from hendrix.westell.com ([10.16.16.58])
          by hendrix.westell.com (Lotus Domino Release 5.0.12)
          with SMTP id 2003121521424461:252437 ;
          Mon, 15 Dec 2003 21:42:44 -0600
Received: from westell-fc-cp.westell.com (10.16.16.11 [10.16.16.11]) by hendrix.westell.com with SMTP (Lyris MailShield WIN32 version 3.1); Mon, 15 Dec 2003 21:42:44 -0600
Return-Path: <XXXXX@desoto.net>
To: Rgutt <[EMAIL PROTECTED]>
From: XXXXX@desoto.net
Reply-To: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]
X-Mailer: OutLook Express 3.14159
Subject: Re: Rgutt, i don't think so                                                             kQdre
MIME-Version: 1.0
X-MIMETrack: Itemize by SMTP Server on Hendrix/Westell/EIT(Release 5.0.12  |February 13, 2003) at
 12/15/2003 09:42:44 PM,
 Serialize by Router on Hendrix/Westell/EIT(Release 5.0.12  |February 13, 2003) at
 12/15/2003 09:42:47 PM
Date: Mon, 15 Dec 2003 21:42:44 -0600
Message-ID: <[EMAIL PROTECTED]>
Content-type: text/html
Content-Transfer-Encoding: base64
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Here is the bounce header, if it helps:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Received: from cambridge1-smrly1.gtei.net (unverified [199.94.215.245]) by vmail.nationwideinc.com
 (Vircom SMTPRS 3.0.273) with ESMTP id <[EMAIL PROTECTED]> for <XXXXX@desoto.net>;
 Mon, 15 Dec 2003 22:44:02 -0500
Received: from westell-fc-cp.westell.com (mail1.westell.com [4.23.144.6])
 by cambridge1-smrly1.gtei.net (Postfix) with SMTP id 60848C854
 for <XXXXX@desoto.net>; Tue, 16 Dec 2003 03:41:52 +0000 (GMT)
To: [EMAIL PROTECTED]
From: XXXXX@desoto.net
Reply-To: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
X-Mailer: OutLook Express 3.14159
Subject: DELIVERY FAILURE: User rgutt ([EMAIL PROTECTED]) not listed in public Name
 & Address Book
MIME-Version: 1.0
X-MIMETrack: Itemize by SMTP Server on Hendrix/Westell/EIT(Release 5.0.12  |February 13, 2003) at
 12/15/2003 09:42:44 PM,
 Serialize by Router on Hendrix/Westell/EIT(Release 5.0.12  |February 13, 2003) at
 12/15/2003 09:42:47 PM,
 Serialize complete at 12/15/2003 09:42:47 PM
Date: Mon, 15 Dec 2003 21:42:44 -0600
Message-ID: <[EMAIL PROTECTED]>
Content-Type: multipart/report; report-type=delivery-status; boundary="==IFJRGLKFGIR49659UHRUHIHD"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Has anyone seen anything like this before?
 
Eddie Stauble
Nationwide Computer Systems

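An added example, not part of the original post: a Python sketch that reads the Received lines of both quoted headers oldest-first and marks which hops recorded an RFC 1918 private peer address. The function names and regexes are this example's own assumptions; the header text is copied from the post.

```python
import ipaddress
import re
from email import message_from_string

# Received lines copied from the two headers quoted in the post.
SPAM_HEADER = """\
Received: from hendrix.westell.com ([10.16.16.58])
          by hendrix.westell.com (Lotus Domino Release 5.0.12)
          with SMTP id 2003121521424461:252437 ;
          Mon, 15 Dec 2003 21:42:44 -0600
Received: from westell-fc-cp.westell.com (10.16.16.11 [10.16.16.11]) by hendrix.westell.com with SMTP (Lyris MailShield WIN32 version 3.1); Mon, 15 Dec 2003 21:42:44 -0600
"""
BOUNCE_HEADER = """\
Received: from cambridge1-smrly1.gtei.net (unverified [199.94.215.245]) by vmail.nationwideinc.com
 (Vircom SMTPRS 3.0.273) with ESMTP id <[EMAIL PROTECTED]> for <XXXXX@desoto.net>;
 Mon, 15 Dec 2003 22:44:02 -0500
Received: from westell-fc-cp.westell.com (mail1.westell.com [4.23.144.6])
 by cambridge1-smrly1.gtei.net (Postfix) with SMTP id 60848C854
 for <XXXXX@desoto.net>; Tue, 16 Dec 2003 03:41:52 +0000 (GMT)
"""

HOP = re.compile(r"from\s+(\S+)\s+\((.*?)\)\s*by\s+(\S+)")
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def trace(raw_header):
    """Return hops oldest-first as (helo_name, peer_ip, receiving_host, is_private)."""
    hops = []
    for value in message_from_string(raw_header).get_all("Received", []):
        match = HOP.search(re.sub(r"\s+", " ", value))  # unfold continuation lines
        if not match:
            continue
        helo, peer_info, receiver = match.groups()
        ip = BRACKETED_IP.search(peer_info)
        addr = ip.group(1) if ip else None
        private = bool(addr) and ipaddress.ip_address(addr).is_private
        hops.append((helo, addr, receiver, private))
    return hops[::-1]  # each relay prepends its line, so reverse for time order


def has_routable_source(hops):
    """True if at least one hop records a public peer address."""
    return any(addr and not private for _, addr, _, private in hops)


if __name__ == "__main__":
    for name, raw in (("spam", SPAM_HEADER), ("bounce", BOUNCE_HEADER)):
        print(name, trace(raw), "routable source:", has_routable_source(trace(raw)))
```

Both peers recorded in the spam header fall in 10.0.0.0/8, so that header contains no routable source address. The bounce header shows the same HELO name, westell-fc-cp.westell.com, arriving from the public address 4.23.144.6.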