At 11:49 PM -0600 8/30/2003, LuKreme (List User Kreme) wrote:
On Aug 30, 2003, at 11:19 PM, Warren Michelsen wrote:
Received: from smtp01.infoave.net ([165.166.0.26] verified)
by mail.MDCCLXXVI.com (Stalker SMTP Server 1.8b9d14)
with ESMTP id S.0003132321 for <[EMAIL PROTECTED]>; Sat, 23 Aug 2003 08:45:36 -0700
Received: from TRAVELER ([209.164.228.118])
by SMTP00.InfoAve.Net (PMDF V6.1-1IA5 #30771)
with ESMTP id <[EMAIL PROTECTED]> for [EMAIL PROTECTED]; Sat,
If so, then given:
Received: from [209.194.92.34] (HELO ARLSAUCER)
by mail.MDCCLXXVI.com (Stalker SMTP Server 1.8b9d14)
with ESMTP id S.0003181674 for <[EMAIL PROTECTED]>; Sat, 30 Aug 2003 07:40:54 -0700
None of this has anything to do with Message-IDs.
So, in the first instance, "S.0003132321" and "<[EMAIL PROTECTED]>" are not the message IDs (for the respective servers), nor "S.0003181674" in the second?
Message ID means something specific in email, and it means the contents of the Message-ID: header. Those strings are local to the mailserver and do not have any meaning other than providing some logging detail to that mailserver's admin. You would refer to them as SMTP IDs (or ESMTP IDs in this case).
is it safe to assume that 209.194.92.34 is the originating host and not a relay?
The only received header you can trust 100% is the one SIMS adds (the last one). How much you trust above that depends.
209.194.92.34 has been belching out sobig virus laden email and I've been the recipient. There's no PTR record for this host, which tends to make me think it's a workstation, not a mail server.
blacklist it. Whether it is the originator of the virus or a relay doesn't really matter at this point, does it?
Matter? Not much. But I am curious. I thought I'd use the occasion to better understand mail headers.
SIMS received the message from smtp01.infoave.net ([165.166.0.26] verified), which is a properly configured mailserver that resolves correctly (thus "verified").
InfoAve.net received the message from TRAVELER ([209.164.228.118]) and you don't have any way of verifying if any of that information is correct.
Your only recourse is to blacklist 165.166.0.26. If you want to complain to someone, see if infoave.net has an abuse address. Failing that contact the email addresses for the whois record:
Administrative Contact:
Domain, Administrator [EMAIL PROTECTED]
Info Avenue Internet Services d/b/a Spirit Telecom
3545 Centre Circle Drive
P.O. Box 698
Fort Mill, SC 29716 US
+1.803.802.4600 Ext:6555 (FAX) +1.803.802.4700
Technical Contact:
Administrator, Site [EMAIL PROTECTED]
Or call them and complain.
BTW, the IP address of "TRAVELER" is owned by a Georgia ISP:
OrgName: Plant Telephone Company
OrgID: PLTE
Address: PO Box 187
City: Tifton
StateProv: GA
PostalCode: 31793
Country: US
NetRange: 209.164.224.0 - 209.164.239.255
[ ... ]
TechHandle: RL2354-ARIN
TechName: Lumpkin, Ralph
TechPhone: +1-912-382-4227
TechEmail: [EMAIL PROTECTED]
so maybe an email to [EMAIL PROTECTED] including a FULL copy of the virus-laden email would be in order?
--
I said pretend you've got no money, she just laughed and said, 'Eh, you're so funny.' I said, 'Yeah? Well I can't see anyone else smiling in here.'
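The header-reading rule from the exchange above (trust only the Received: line your own server stamped, treat the ESMTP ids as local log handles rather than Message-IDs, and act on the IP your server actually saw connect), worked through as an added example that is not part of the original post. The sample headers are constructed from the ones quoted in the thread; the recipient address, the Message-ID and the InfoAve ESMTP id are placeholders.

```python
import re
from email.parser import HeaderParser

# Constructed sample modelled on the headers quoted in the thread.  The
# recipient address, Message-ID and the InfoAve ESMTP id are placeholders.
SAMPLE = (
    "Received: from smtp01.infoave.net ([165.166.0.26] verified)\n"
    "\tby mail.MDCCLXXVI.com (Stalker SMTP Server 1.8b9d14)\n"
    "\twith ESMTP id S.0003132321 for <user@example.invalid>;"
    " Sat, 23 Aug 2003 08:45:36 -0700\n"
    "Received: from TRAVELER ([209.164.228.118])\n"
    "\tby SMTP00.InfoAve.Net (PMDF V6.1-1IA5 #30771)\n"
    "\twith ESMTP id <placeholder@SMTP00.InfoAve.Net> for user@example.invalid;"
    " Sat, 23 Aug 2003 11:45:30 -0400\n"
    "Message-ID: <placeholder@example.invalid>\n"
    "Subject: constructed sample\n\n"
)

# The two 'from' layouts seen in the thread:
#   "from name ([ip] verified)"  and  "from [ip] (HELO name)"
FROM_RE = re.compile(
    r"from\s+(?:(?P<helo_a>\S+)\s+\(\[(?P<ip_a>[\d.]+)\](?P<verified>\s+verified)?\)"
    r"|\[(?P<ip_b>[\d.]+)\]\s+\(HELO\s+(?P<helo_b>[^)]+)\))", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
ID_RE = re.compile(r"\bid\s+(\S+?)(?=\s+for\b|;|$)", re.I)

def parse_received(value):
    """Split one Received: value into the fields the thread discusses."""
    v = " ".join(value.split())                     # unfold continuation lines
    m = FROM_RE.search(v)
    if not m:
        return None
    by, sid = BY_RE.search(v), ID_RE.search(v)
    return {"helo": m.group("helo_a") or m.group("helo_b"),
            "ip": m.group("ip_a") or m.group("ip_b"),
            "verified": bool(m.group("verified")),   # SIMS checked reverse DNS
            "by": by.group(1).lower() if by else None,
            "smtp_id": sid.group(1) if sid else None}  # an SMTP id, not a Message-ID

def trace(raw, trusted_servers):
    """Walk Received: hops newest-first and stop at the first hop not stamped
    by a server you control.  Returns the IP your own server saw connect (the
    one you can act on) and the earliest claimed origin, which you cannot verify."""
    msg = HeaderParser().parsestr(raw)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    trusted = {s.lower() for s in trusted_servers}
    actionable = None
    for hop in hops:
        if hop["by"] not in trusted:
            break                                    # everything below is hearsay
        actionable = hop["ip"]
    return {"actionable_ip": actionable,
            "claimed_origin": hops[-1]["ip"] if hops else None,
            "message_id": msg.get("Message-ID"),
            "smtp_ids": [h["smtp_id"] for h in hops]}
```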
