On 02/13/2012 04:19 PM, Robert Van Dresar wrote:
Here's the "evidence" from one of the block lists:
Return-Path: <[email protected]>
X-Original-To: [email protected]
Received: from mail.airplexus.com (mail.airplexus.com [65.245.57.15])
    by mail.ixlab.de (Spamtrap) with ESMTP
    for [email protected]; Mon, 13 Feb 2012 21:38:50 +0100 (CET)
Received: (qmail 9460 invoked by uid 89); 13 Feb 2012 18:16:22 -0000
Received: by simscan 1.4.0 ppid: 8048, pid: 9438, t: 0.7778s
    scanners: attach: 1.4.0 clamav: 0.97.3
    /m:54/d:14401
Received: from 184-82-61-166.static.hostnoc.net
    (HELO User) ("email address removed"@[email protected])
    by mail.airplexus.com with ESMTPA; 13 Feb 2012 18:16:22 -0000
Reply-To:<[email protected]>
From: "Rose Brown"<[email protected]>
Subject: Offers : Marks& Spencer
Date: Mon, 13 Feb 2012 19:16:18 -0800
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-NiX-Spam-Hash2: d36eed170eb389bf1a5ab832cf972a4b
X-NiX-Spam-Source-IP:65.245.57.15
X-NiX-Spam-MX:mail.ixlab.de
X-NiX-Spam-Listed: yes
I've left our mail server stuff intact, but removed her email address.

Looks to me as though the address in the Received: from 184 line contains
the IP address of the culprit. If that's a random/widespread address,
then it would appear to be a distributed source all right.
It would be nice to find the IP of the host which originated the message,
either from the headers of the original message (which you may or may
not be able to see in the bounce - I'm not sure), or you might use qmlog
to search through your smtp and submission logs to see if you can find
the IP address of the original sender. qmlog's -lc (logs containing)
flag is useful for that. Once you know this address, you should feel
comfortable whether the messages are coming from legitimate clients or not.
--
-Eric 'shubes'
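
The header trace suggested in the reply above, as an added example that is not part of the original thread: it walks the Received: lines to find the hop where your own server accepted the message, and reports the client's address and whether that client authenticated. The function names, the `our_mta` parameter and the placeholder mailboxes are assumptions; the hostnames come from the quoted headers.

```python
import re
from email.parser import HeaderParser

# Sample adapted from the Received: lines quoted above; mailboxes are placeholders.
SAMPLE = """\
Received: from mail.airplexus.com (mail.airplexus.com [65.245.57.15])
    by mail.ixlab.de (Spamtrap) with ESMTP
    for <trap@example.invalid>; Mon, 13 Feb 2012 21:38:50 +0100 (CET)
Received: (qmail 9460 invoked by uid 89); 13 Feb 2012 18:16:22 -0000
Received: from 184-82-61-166.static.hostnoc.net
    (HELO User) (user@example.invalid)
    by mail.airplexus.com with ESMTPA; 13 Feb 2012 18:16:22 -0000
Subject: Offers

"""

HOP = re.compile(r"from\s+(?P<peer>\S+).*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<proto>\w+)", re.S)
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
DASHED_IP = re.compile(r"(?<!\d)(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})(?!\d)")

def parse_hops(raw_headers):
    """Return relay hops newest-first; lines without from/by (qmail internal) are skipped."""
    hops = []
    for value in HeaderParser().parsestr(raw_headers).get_all("Received", []):
        m = HOP.search(value)
        if not m:
            continue
        ip = BRACKET_IP.search(value)
        dashed = DASHED_IP.search(m["peer"])
        hops.append({
            "peer": m["peer"],
            "by": m["by"],
            "proto": m["proto"].upper(),
            # A bracketed IP was recorded by the receiving MTA; a dashed rDNS name is only a hint.
            "ip": ip.group(1) if ip else (".".join(dashed.groups()) if dashed else None),
            "ip_source": "bracket" if ip else ("rdns-name" if dashed else None),
        })
    return hops

def first_submission(hops, our_mta):
    """Oldest hop accepted by our own server: the client that handed us the message."""
    for hop in reversed(hops):
        if hop["by"].lower() == our_mta.lower():
            # ESMTPA/ESMTPSA (RFC 3848) mean the client logged in with an account.
            hop["authenticated"] = hop["proto"] in ("ESMTPA", "ESMTPSA")
            return hop
    return None
```

An address recovered only from a dashed reverse-DNS name should be confirmed against the smtp and submission logs before acting on it.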