On 01/06/03 at 10:19, Chris Wagner opined:
> So, that said,
>
> does this mean that in this message header that the message came from
> our mail server, since the time stamp appears to be earlier than the
> entry for the mkc-65-30-67-139.kc.rr.com server?
In addition to what Neil has said, also keep in mind that the 'Received'
header that was written last (i.e., the _top_ one) is the only one that was
written by your server and, consequently, is generally the only one that
you can trust to be true. The fact that the first (bottom) 'Received'
header has a time stamp that appears to be later than that written by your
server (which handled the message last) could indicate that either the
clock on the machine that wrote that line is set incorrectly (a possibly
innocent configuration error) or that particular header line is forged (a
less innocent possibility).
> ====================================================================
> Return-Path: [EMAIL PROTECTED]
> Received: from 10.1.1.33 ([10.1.1.33] verified)
> by atchisonkansas.net (Stalker SMTP Server 1.8b9d14)
> with SMTP id S.0000198408; Sat, 04 Jan 2003 11:42:55 -0600
> Received: from [207.241.128.21] (HELO smtp01.journey.com)
> by atchisonkansas.net (Stalker SMTP Server 1.8b9d14)
> with ESMTP id S.0000198407 for <[EMAIL PROTECTED]>;
> Sat, 04 Jan 2003 11:40:38 -0600
> Received: from Cpuarwpsq (mkc-65-30-67-139.kc.rr.com
> [65.30.67.139])
> by smtp01.journey.com (Postfix) with SMTP id 313F97343B
> for <[EMAIL PROTECTED]>; Sat, 4 Jan 2003 13:05:32
> -0500 (EST)
> ====================================================================
>
> Thing is, I don't get how the virus could have replicated itself on our
> network, unless it came from one of our own PCs and I haven't seen any
> indication of this otherwise.
>
> The machine that it came in on was my Mac.
In regard to the Return-Path, it comes from the argument to the MAIL FROM
command that was given by the relaying server in its SMTP conversation with
your server. It only shows who the sending server wants your server to
_think_ sent the message. It doesn't necessarily reflect the actual sender
(nor does the 'From' header line, for that matter). Spammers commonly use
forged Return-Paths. In particular, they lately seem to like to use the
recipient's address, or at least the recipient's domain, as an attempt to
get past some servers' Return-Path checking routines.
--
Christopher Bort | [EMAIL PROTECTED]
Webmaster, Global Homes | [EMAIL PROTECTED]
<http://www.globalhomes.com/>
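One way to make the timestamp check described above mechanical, as an added example that is not part of the thread: a small Python script that unfolds the Received headers, parses the date after each header's last ';', and flags any lower hop whose stamp is later than the hop written above it. The sample headers are transcribed from the quoted message, with the redacted addresses replaced by example.invalid placeholders and continuation lines re-indented as they would be in a raw message.

```python
from datetime import datetime
from email.utils import parsedate_to_datetime

# Constructed sample: the Received chain quoted in the thread, re-folded the
# way a raw message carries it; the redacted addresses are placeholders.
SAMPLE_HEADERS = """\
Return-Path: <sender@example.invalid>
Received: from 10.1.1.33 ([10.1.1.33] verified)
  by atchisonkansas.net (Stalker SMTP Server 1.8b9d14)
  with SMTP id S.0000198408; Sat, 04 Jan 2003 11:42:55 -0600
Received: from [207.241.128.21] (HELO smtp01.journey.com)
  by atchisonkansas.net (Stalker SMTP Server 1.8b9d14)
  with ESMTP id S.0000198407 for <user@example.invalid>;
  Sat, 04 Jan 2003 11:40:38 -0600
Received: from Cpuarwpsq (mkc-65-30-67-139.kc.rr.com
  [65.30.67.139])
  by smtp01.journey.com (Postfix) with SMTP id 313F97343B
  for <user@example.invalid>; Sat, 4 Jan 2003 13:05:32
  -0500 (EST)
"""


def unfold_headers(raw: str) -> list[tuple[str, str]]:
    """Join folded continuation lines; return (name, value) pairs in order."""
    fields: list[tuple[str, str]] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:          # continuation line
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip(), value.strip()))
    return fields


def received_timestamps(raw: str) -> list[datetime]:
    """Timestamps of the Received headers, top (written last) to bottom."""
    stamps = []
    for name, value in unfold_headers(raw):
        if name.lower() == "received" and ";" in value:
            # RFC 2822 puts the date-time after the last ';' of the header.
            stamps.append(parsedate_to_datetime(value.rsplit(";", 1)[1].strip()))
    return stamps


def find_backward_hops(raw: str, tolerance_seconds: int = 0) -> list[tuple[int, int]]:
    """Return (hop_index, seconds) for each hop stamped later than the hop above it.
    Hop 0 is the top header, the only one written by the receiving server and so
    the only one it can vouch for; every lower hop should be no later than it."""
    stamps = received_timestamps(raw)
    return [(i, int((stamps[i] - stamps[i - 1]).total_seconds()))
            for i in range(1, len(stamps))
            if (stamps[i] - stamps[i - 1]).total_seconds() > tolerance_seconds]


if __name__ == "__main__":
    for hop, skew in find_backward_hops(SAMPLE_HEADERS):
        print(f"hop {hop} is {skew}s later than the hop above it: bad clock or forged header")
```

On the quoted chain this reports hop 2 (the kc.rr.com line) as 1494 seconds later than the smtp01.journey.com hop above it; a non-zero tolerance lets you ignore ordinary clock drift.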