Thanks Sam
I thought the same, surely lines 3 to 6 are just to "mislead"

Thanks again

----- Original Message ----- From: "Sam Clippinger via spamdyke-users" <spamdyke-users@spamdyke.org>
To: "spamdyke users" <spamdyke-users@spamdyke.org>
Sent: Wednesday, August 23, 2017 10:35 AM
Subject: Re: [spamdyke-users] Question about headers


Keep in mind that "Received" lines are written in reverse order, so the top line is always the newest. Also, "Received" lines are trivial to fake and spammers often do insert fake lines to throw off scanners.

But assuming all the lines you sent are genuine, it looks like user 3048 invoked a qmail command somehow (e.g. command line, webmail, spambot) and created a message (line 6), which then connected to a qmail daemon over a network socket and delivered it (line 5). Line 4 shows it arriving at mx2.serversur.net from 204.58.254.207. That IP is not smtp.wpac.com, even though its reverse DNS claims it is. Also, connecting to 204.58.254.207 on port 465 shows a Sendmail greeting banner, not qmail, so it's unlikely lines 5 and 6 were generated by that server. Line 3 shows the message arriving at smtp.wpac.com from 188.33.156.68. The rest of this line seems to match the Sendmail version in the greeting banner on 204.58.254.207. Line 2 shows the message arriving on rng031.serversur.net from 192.168.0.103 -- I'm guessing this is where your edge server delivered to your internal server. Line 1 shows qmail on the internal server accepting the message.

Personally, I think lines 3-6 are bogus. The timestamps don't make sense (the message seems to travel forwards and backwards in time), the order of deliveries doesn't make sense and the DNS records don't match up. If line 4 is correct and the message really passed through mx2.serversur.net twice, the logs on that server should show it. I'd trust your logs, not the message headers.

-- Sam Clippinger




On Aug 22, 2017, at 2:00 PM, Pablo Murillo <p...@rednetgroup.com> wrote:

Hi

I'm a little confused.
We have 4 MXs, the names are mx1.serversur.net to mx4; every one has the same spamdyke.conf and delivers the valid emails over the internal network to the corresponding server.
So ... I have these headers of an email that is SPAM, and now I'm lost.

From what I see in the 1st Received, the email is generated by the UID of the user assigned to the domain (this is right, the UID belongs to the user we assigned to the domain). The 3rd Received is for 204.58.254.207 receiving an email from my MX2 server?
Is this right? Or am I misreading the headers?

-------------------------------------------------------------
Received: (qmail 5105 invoked from network); 22 Aug 2017 13:18:28 -0000
Received: from unknown (HELO mx2.serversur.net) (192.168.0.103)
  by rng031.serversur.net with SMTP; 22 Aug 2017 13:22:18 -0000
Received: from 10.0.0.40 (user-188-33-156-68.play-internet.pl [188.33.156.68])
  (authenticated bits=0)
  by smtp.wpac.com (8.14.4/8.14.4) with ESMTP id v7MDVVfi011904
  (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
  for <siste...@xxxxxxxx.com.ar>; Tue, 22 Aug 2017 06:32:22 -0700
Received: from unknown (HELO smtp.wpac.com) (204.58.254.207)
  by mx2.serversur.net with SMTP; 22 Aug 2017 13:18:28 -0000
Received: (qmail 60824 invoked from network); 22 Aug 2017 13:22:18 -0000
Received: (qmail 60837 invoked by uid 3048); 22 Aug 2017 13:22:18 -0000
From: <danielplace...@xxxxxxxx.com.ar>
To: <siste...@xxxxxxxx.com.ar>
Date: Tue, 22 Aug 2017 11:32:24 -0300
Message-ID: 198706278.2017822133...@xxxxxxxx.com.ar
-------------------------------------------------------------

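Sam's reading of the chain above can be mechanised. The script below is an added example for this thread; it is not part of the list discussion or of spamdyke. It takes the six Received stamps from Pablo's message (re-folded as they would appear on the wire, with placeholder sender and recipient addresses, so the sample is constructed), parses each hop, and flags two of the things Sam points out by hand: a stamp that is later than the stamp above it (the message "travelling into the future" as you walk down the list) and a hop whose "by" host is not the host the next-newer stamp says it received from. The reverse-DNS lookup and the port 465 banner check need network access and are deliberately left out.

```python
"""Audit a message's Received: chain for hops that are out of order in time or
that do not hand off to one another.  Added example, not spamdyke code."""
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the six Received: stamps quoted in the thread, with RFC 5322
# folding restored so a real parser accepts them.  Addresses are placeholders.
# As on the wire, the top stamp is the newest.
SAMPLE = """\
Received: (qmail 5105 invoked from network); 22 Aug 2017 13:18:28 -0000
Received: from unknown (HELO mx2.serversur.net) (192.168.0.103)
  by rng031.serversur.net with SMTP; 22 Aug 2017 13:22:18 -0000
Received: from 10.0.0.40 (user-188-33-156-68.play-internet.pl [188.33.156.68])
  (authenticated bits=0)
  by smtp.wpac.com (8.14.4/8.14.4) with ESMTP id v7MDVVfi011904
  (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
  for <recipient@example.invalid>; Tue, 22 Aug 2017 06:32:22 -0700
Received: from unknown (HELO smtp.wpac.com) (204.58.254.207)
  by mx2.serversur.net with SMTP; 22 Aug 2017 13:18:28 -0000
Received: (qmail 60824 invoked from network); 22 Aug 2017 13:22:18 -0000
Received: (qmail 60837 invoked by uid 3048); 22 Aug 2017 13:22:18 -0000
From: <sender@example.invalid>
To: <recipient@example.invalid>
Subject: constructed sample

(body)
"""

QMAIL_RE = re.compile(r'^\(qmail \d+ invoked (?P<how>[^)]+)\)')  # local qmail stamp
FROM_RE = re.compile(r'^from (\S+)')
HELO_RE = re.compile(r'\(HELO ([^)\s]+)\)')
BY_RE = re.compile(r'\bby (\S+)')
IP_RE = re.compile(r'(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])')


def to_utc(datestr):
    """Parse an RFC 5322 date to an aware UTC datetime, or None if unparseable."""
    try:
        dt = parsedate_to_datetime(datestr.strip())
    except (TypeError, ValueError):
        return None
    if dt.tzinfo is None:
        # qmail writes "-0000", which RFC 5322 defines as "zone unknown";
        # Python hands back a naive datetime for it, so pin it to UTC.
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def parse_received(value):
    """Turn one (possibly folded) Received: value into a hop dict."""
    value = ' '.join(value.split())            # undo header folding
    head, sep, tail = value.rpartition(';')    # the timestamp follows the last ';'
    if not sep:
        head, tail = value, ''
    hop = {'when': to_utc(tail), 'local': None, 'from': None, 'helo': None,
           'by': None, 'ips': IP_RE.findall(head)}
    m = QMAIL_RE.match(head)
    if m:                                      # "(qmail N invoked from network)" etc.
        hop['local'] = m.group('how')
        return hop
    for key, rx in (('from', FROM_RE), ('helo', HELO_RE), ('by', BY_RE)):
        m = rx.search(head)
        if m:
            hop[key] = m.group(1)
    return hop


def parse_message(raw):
    """All Received: stamps of a message, newest first, as hop dicts."""
    msg = message_from_string(raw)
    return [parse_received(v) for v in msg.get_all('Received', [])]


def audit(hops):
    """Return (hop_number, problem) findings; hop 1 is the newest stamp."""
    findings = []
    for i in range(1, len(hops)):
        newer, older = hops[i - 1], hops[i]
        # Walking down the list walks back in time, so a stamp later than the
        # one above it is a hop that claims to have happened in the future.
        if newer['when'] and older['when'] and older['when'] > newer['when']:
            skew = (older['when'] - newer['when']).total_seconds()
            findings.append((i + 1, f"stamped {skew:.0f}s later than hop {i} above it"))
        # The host that wrote the older stamp ("by") should be the host the
        # newer stamp says it received from, by name or by HELO.
        claimed = {h.lower() for h in (newer['from'], newer['helo']) if h}
        if older['by'] and claimed and older['by'].lower() not in claimed:
            findings.append((i + 1, f"written by {older['by']}, but hop {i} says it "
                                    f"came from {' / '.join(sorted(claimed))}"))
    return findings


if __name__ == '__main__':
    hops = parse_message(SAMPLE)
    for n, hop in enumerate(hops, 1):
        when = hop['when'].strftime('%H:%M:%S UTC') if hop['when'] else '?'
        via = hop['local'] or f"from {hop['helo'] or hop['from']} {hop['ips']} by {hop['by']}"
        print(f"hop {n}: {when}  {via}")
    for n, problem in audit(hops):
        print(f"  !! hop {n}: {problem}")
```

On this sample the script reports hops 2, 3 and 5 as stamped later than the hop above them, and hops 3 and 4 as not handed off by the host the previous stamp names, which is the time-travel and ordering problem Sam describes. The check is only as good as the stamps it reads: everything below the first Received line your own server wrote was supplied by the sender, so, as Sam says, the server logs are the record to trust, and this kind of audit is a way to decide which stamps to go and look up there.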
_______________________________________________
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
