On Mon, Feb 13, 2012 at 5:45 PM, Eric Shubert <[email protected]> wrote:
> On 02/13/2012 04:19 PM, Robert Van Dresar wrote:
>
>> Here's the "evidence" from one of the block lists:
>>
>> Return-Path: <[email protected]>
>> X-Original-To: [email protected]
>> Received: frommail.airplexus.com (mail.airplexus.com [65.245.57.15])
>>     bymail.ixlab.de (Spamtrap) with ESMTP
>>     for [email protected]; Mon, 13 Feb 2012 21:38:50 +0100 (CET)
>> Received: (qmail 9460 invoked by uid 89); 13 Feb 2012 18:16:22 -0000
>> Received: by simscan 1.4.0 ppid: 8048, pid: 9438, t: 0.7778s
>>     scanners: attach: 1.4.0 clamav: 0.97.3
>>     /m:54/d:14401
>> Received: from184-82-61-166.static.hostnoc.net (HELO User) ("email address removed"@[email protected])
>>     bymail.airplexus.com with ESMTPA; 13 Feb 2012 18:16:22 -0000
>> Reply-To:<emma.thompson67@ymail.com>
>> From: "Rose Brown"<[email protected]>
>> Subject: Offers : Marks& Spencer
>> Date: Mon, 13 Feb 2012 19:16:18 -0800
>> MIME-Version: 1.0
>> Content-Type: text/plain;
>>     charset="Windows-1251"
>> Content-Transfer-Encoding: 7bit
>> X-Priority: 3
>> X-MSMail-Priority: Normal
>> X-Mailer: Microsoft Outlook Express 6.00.2600.0000
>> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
>> X-NiX-Spam-Hash2: d36eed170eb389bf1a5ab832cf972a4b
>> X-NiX-Spam-Source-IP:65.245.57.15
>> X-NiX-Spam-MX:mail.ixlab.de
>> X-NiX-Spam-Listed: yes
>>
>> I've left our mail server stuff intact, but removed her email address
>
> Looks to me as though the address in the Received: from184 line contains
> the ip address of the culprit. If that's a random/widespread address, then
> it would appear to be a distributed source all right.
>
> It would be nice to find the IP of the host which originated the message,
> either from the headers of the original message (which you may or may not
> be able to see in the bounce - I'm not sure), or you might use qmlog to
> search through your smtp and submission logs to see if you can find the IP
> address of the original sender. qmlog's -lc (logs containing) flag is
> useful for that. Once you know this address, you should feel comfortable
> whether the messages are coming from legitimate clients or not.
>
> --
> -Eric 'shubes'

Those addresses are not in my address space. I'll check the logs to see what I find?????
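
The header check discussed in this thread, as an added example that is not part of the original messages: a Python script that finds the Received hop written by your own server and reports the client IP, whether SMTP AUTH was used, and whether that IP is inside your address space. The sample headers, hostnames, networks and the `submission_hop` helper are constructed for illustration and are not values from the thread.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample modelled on the quoted headers; every host, address and
# IP below is a documentation placeholder, not a value from the thread.
SAMPLE = """\
Received: from mail.example.org (mail.example.org [198.51.100.15])
\tby trap.example.net (Spamtrap) with ESMTP
\tfor <trap@example.net>; Mon, 13 Feb 2012 21:38:50 +0100 (CET)
Received: (qmail 9460 invoked by uid 89); 13 Feb 2012 18:16:22 -0000
Received: by simscan 1.4.0 ppid: 8048, pid: 9438, t: 0.7778s
\tscanners: attach: 1.4.0 clamav: 0.97.3
Received: from client.example.com (HELO User) (alice@example.org@203.0.113.66)
\tby mail.example.org with ESMTPA; 13 Feb 2012 18:16:22 -0000
From: "Sender" <sender@example.com>
Subject: constructed sample

body
"""

# qmail-style hop: from <rdns> (HELO <helo>) ([<user>@]<ip>) by <host> with <proto>;
HOP = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(HELO\s+(?P<helo>[^)]*)\)\s+"
    r"\((?:(?P<user>.*)@)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+"
    r"by\s+(?P<by>\S+)\s+with\s+(?P<proto>\S+?);")


def submission_hop(raw, our_host, our_networks):
    """Find the Received hop where our_host accepted the message.

    Returns a dict with the client's rDNS name, HELO, auth user, IP and
    protocol, plus two flags, or None if our_host never appears as receiver.
    """
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if not m or m.group("by").lower() != our_host.lower():
            continue
        hop = m.groupdict()
        ip = ipaddress.ip_address(hop["ip"])
        # ESMTPA / ESMTPSA: the client used SMTP AUTH (RFC 3848 keywords)
        hop["authenticated"] = hop["proto"].upper() in ("ESMTPA", "ESMTPSA")
        hop["in_our_space"] = any(ip in ipaddress.ip_network(n) for n in our_networks)
        return hop
    return None


if __name__ == "__main__":
    print(submission_hop(SAMPLE, "mail.example.org", ["198.51.100.0/24"]))
```

Only the Received line added by your own server is trustworthy here; the client IP and auth user it yields are the values to search for in the smtp and submission logs.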
