No Received: line past the top one (or the last one, counting down, outside of your domain or one you absolutely trust) can be trusted at all. They can be completely and utterly forged, and usually are.
They get stacked from the bottom up, so in a legitimate email the first one is the bottom, the next one above that, and so on. The very last one, the top-most one, should be the one that got it to you. Those received lines you gave look all garbled anyways; you should be able to see a clear line of succession through them. The host listed as "by" in the bottom-most one should be the same as the host listed as "from" in the one above it. I would generally consider the three Received: lines you singled out to be equally bogus. As we'll see, they are.

Look at your original undisturbed headers again:

[line 1]> Return-path: <[EMAIL PROTECTED]>

Means nothing at all.

[line 2]> Received: from pd4mr1so.prod.shaw.ca (pd4mr1so-qfe2.prod.shaw.ca [10.0.162.212])
>  by l-daemon (iPlanet Messaging Server 5.1 HotFix 0.6 (built Apr 26 2002))
>  with ESMTP id <0GVV00C3FYBBS1@l-daemon> for dmehus@ims-ms-daemon
>  (ORCPT [EMAIL PROTECTED]); Fri, 10 May 2002 02:02:07 -0600 (MDT)

You're [EMAIL PROTECTED]. This is where your mail server packaged it up for you, and can be totally trusted. Looks like your mailserver is set up funky, though. Like no rDNS, for starters. But still, that's an RFC compliance issue, not a spam issue.

[line 3]> Received: from pd4mi3so.prod.shaw.ca (pd4mi3so-qfe3.prod.shaw.ca [10.0.121.196])
>  by l-daemon (iPlanet Messaging Server 5.1 (built May 7 2001))
>  with ESMTP id <0GVV0009LYBDPY@l-daemon> for [EMAIL PROTECTED]
>  (ORCPT [EMAIL PROTECTED]); Fri, 10 May 2002 02:02:01 -0600 (MDT)

This is also shaw.ca. We trust shaw.ca, since it's you. Why this was handed off twice I don't know, but no one's lying to us yet.

[line 4]> Received: from 211.22.252.2 ([211.34.23.194])
>  by l-daemon (iPlanet Messaging Server 5.1 (built May 7 2001))
>  with SMTP id <0GVV00EHQYAM7T@l-daemon> for [EMAIL PROTECTED]; Fri, 10 May 2002 02:02:01 -0600 (MDT)

Here's your spammer.
l-daemon is you guys, iPlanet is the name of your messaging server, and should really be reporting according to the standards instead of in this weird shorthand, but it's you. The spam arrived as an SMTP connection from 211.34.23.194, no rDNS, and calling itself 211.22.252.2 in the helo string (a big no-no right off; it's one thing to configure this wrong, but this is flat-out lying). 211.34.23.194 is Korea. Good luck.

I take it back; it probably wasn't deliberately set up as a lie; it was just set up by an incompetent non-English-speaking Korean administrator using an illegally-pirated copy of Exchange Server set up as an open relay. Their machine sent you the spam; of that there is no possibility of doubt. Also known for certain is that no one in Korea gives a damn or is capable of doing anything about it if they did. All you can do is block their IPs from your mailserver. You can send an abuse report to somebody at KRNIC if you want, but no one will ever read it.

It is impossible to tell a damn thing from this point down. All could be and probably is a lie. The Korean blokes didn't send you the spam; their machine did, because it allows mail connections from anywhere to anywhere. The real spammer hides his identity by forging all that follows. Let's check the next line.

[line 5]> Received: from 82.49.149.76 ([82.49.149.76]) by hd.regsoft.net with asmtp; May, 10 2002 3:41:20 -0300

If this was legit, it would say "211.34.23.194" instead of "hd.regsoft.net". There is in fact a regsoft.net -- a Rackspace outfit, probably spammers, could even be the ones who sent this one -- but you can't prove it like you can the above. 82.49.149.76 you KNOW is bogus -- it's an illegal address, reserved by ICANN. Nobody has that IP address, and could not. I'm going to stop, because there's no point in even looking any further; it's just there to confuse you.
You'll never get any satisfaction from the Koreans, so you have to go the other way, and hit the web page that the spam is advertising. They're the ones who sent the spam, really, regardless of whose mail server they sent it through. I've included the raw HTML of your spam below so you can see what it is.

In there, we see http://%77%77w.%6e%65%74m%61i%6cs%2e%63%6f%6d/%6De%6D%62%65r%73%2F%77e%62c%61%6Dz/%6F%75%72%63am.%68t%6D%6C first. That's Unicode, oh lovely. That instantly tells you you're not dealing with clueless marketdroids, you're dealing with hardcore scumbag spam experts, skilled in munging. What that REALLY is, in English or at least ascii, is http://211.34.23.194. OK, that's our Korean open relay. Hmm, maybe not an open relay; maybe an honest-to-goodness porn spammer hosting on a Korean website? That's very weird. Huh.

Let's go look, using a secure (raw html) browser: well, you get "Test Page for Red Hat Linux's Apache Installation". What that means is if there used to be a porn spammer there, he's gone now. Hacker? Who knows. Linux (not Exchange, I guessed wrong before) has been reinstalled and there's no content there at all. What I guess is it was some bozo who left his site open, and someone dumped a bunch of porn there, and he's been caught, so it's wiped off.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Doug Mehus
Sent: Friday, May 10, 2002 11:54 AM
To: [EMAIL PROTECTED]
Subject: [spamcon-general] SPAM REPORTING HELP> Where have you been???

Okay, folks ... I need a bit of help reporting this nasty spammer. You'll notice there are multiple "Received:" lines, and I'm unsure which one to report it to so any information you might have would really help.
I've figured out that one of these three "Received:" lines is the source, but not sure which one:

<Begin>
Received: from 82.49.149.76 ([82.49.149.76]) by hd.regsoft.net with asmtp; May, 10 2002 3:41:20 -0300
Received: from 157.139.128.128 ([157.139.128.128]) by mta6.snfc21.pbi.net with asmtp; May, 10 2002 2:50:08 -0700
Received: from 131.159.235.104 ([131.159.235.104]) by rly-yk05.mx.aol.com with local; May, 10 2002 1:47:17 +1200
</End>

I've also attached a copy of the original spam message in question, with full message headers. :)

Regards,
Doug Mehus
[EMAIL PROTECTED]

Help stop spam -- Join SpamCon Foundation, http://www.spamcon.org

----------begin forwarded spam---------
Return-path: <[EMAIL PROTECTED]>
Received: from pd4mr1so.prod.shaw.ca (pd4mr1so-qfe2.prod.shaw.ca [10.0.162.212])
 by l-daemon (iPlanet Messaging Server 5.1 HotFix 0.6 (built Apr 26 2002))
 with ESMTP id <0GVV00C3FYBBS1@l-daemon> for dmehus@ims-ms-daemon
 (ORCPT [EMAIL PROTECTED]); Fri, 10 May 2002 02:02:07 -0600 (MDT)
Received: from pd4mi3so.prod.shaw.ca (pd4mi3so-qfe3.prod.shaw.ca [10.0.121.196])
 by l-daemon (iPlanet Messaging Server 5.1 (built May 7 2001))
 with ESMTP id <0GVV0009LYBDPY@l-daemon> for [EMAIL PROTECTED]
 (ORCPT [EMAIL PROTECTED]); Fri, 10 May 2002 02:02:01 -0600 (MDT)
Received: from 211.22.252.2 ([211.34.23.194])
 by l-daemon (iPlanet Messaging Server 5.1 (built May 7 2001))
 with SMTP id <0GVV00EHQYAM7T@l-daemon> for [EMAIL PROTECTED]; Fri, 10 May 2002 02:02:01 -0600 (MDT)
Received: from 82.49.149.76 ([82.49.149.76]) by hd.regsoft.net with asmtp; May, 10 2002 3:41:20 -0300
Received: from 157.139.128.128 ([157.139.128.128]) by mta6.snfc21.pbi.net with asmtp; May, 10 2002 2:50:08 -0700
Received: from 131.159.235.104 ([131.159.235.104]) by rly-yk05.mx.aol.com with local; May, 10 2002 1:47:17 +1200
Date: Fri, 10 May 2002 04:01:57 -0400
From: Jennifer <[EMAIL PROTECTED]>
Subject: Where have you been???
Sender: Jennifer <[EMAIL PROTECTED]>
To: Undislcosed Recipient
Cc:
Message-id: <0GVV00EI1YBA7T@l-daemon>
MIME-version: 1.0
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
Content-type: text/html; charset=iso-8859-1

THE BEST LIVE WEB CAMS AVAILABLE
CLICK HERE TO GET ACCESS
Tanya, Joyce, Melissa, Laura, Claudia and more are all waiting for you.
STOP WAITING!!!!
CLICK HERE
This following pages contain adult material. Do not enter if you are not at least 18 years of age!!!
unsubscribe
-----------end forwarded spam----------

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>THE BEST LIVE WEB CAMS AVAILABLE</TITLE>
<META content=en-us http-equiv=Content-Language>
<META content="MSHTML 5.00.3314.2100" name=GENERATOR>
<META content=FrontPage.Editor.Document name=ProgId>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>Okay, folks ... I need a bit of help reporting this nasty spammer. You'll notice there are multiple "Received:" lines, and I'm unsure which one to report it to so any information you might have would really help. I've figured out that one of these three "Received:" lines is the source, but not sure which one:</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2><Begin></FONT></DIV>
<DIV><FONT face=Arial size=2>Received: from 82.49.149.76 ([82.49.149.76]) by hd.regsoft.net with asmtp; May,<BR>
 10 2002 3:41:20 -0300<BR>
Received: from 157.139.128.128 ([157.139.128.128]) by mta6.snfc21.pbi.net with<BR>
 asmtp; May, 10 2002 2:50:08 -0700<BR>
Received: from 131.159.235.104 ([131.159.235.104]) by rly-yk05.mx.aol.com with<BR>
 local; May, 10 2002 1:47:17 +1200</FONT></DIV>
<DIV><FONT face=Arial size=2></End></FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>I've also attached a copy of the original spam message in question, with full message headers. :)</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>Regards,<BR>Doug Mehus<BR></FONT><A href="mailto:[EMAIL PROTECTED]"><FONT face=Arial size=2>[EMAIL PROTECTED]</FONT></A></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>Help stop spam -- Join SpamCon Foundation, </FONT><A href="http://www.spamcon.org"><FONT face=Arial size=2>http://www.spamcon.org</FONT></A></DIV>
<DIV style="FONT: 10pt arial">
<DIV> </DIV>
<DIV>----------begin forwarded spam---------</DIV>
<DIV>Return-path: <<A href="mailto:[EMAIL PROTECTED]">[EMAIL PROTECTED]</A>><BR>
Received: from pd4mr1so.prod.shaw.ca<BR>
 (pd4mr1so-qfe2.prod.shaw.ca [10.0.162.212]) by l-daemon<BR>
 (iPlanet Messaging Server 5.1 HotFix 0.6 (built Apr 26 2002))<BR>
 with ESMTP id <0GVV00C3FYBBS1@l-daemon> for dmehus@ims-ms-daemon<BR>
 (ORCPT <A href="mailto:[EMAIL PROTECTED]">[EMAIL PROTECTED]</A>); Fri, 10 May 2002 02:02:07 -0600 (MDT)<BR>
Received: from pd4mi3so.prod.shaw.ca<BR>
 (pd4mi3so-qfe3.prod.shaw.ca [10.0.121.196]) by l-daemon<BR>
 (iPlanet Messaging Server 5.1 (built May 7 2001))<BR>
 with ESMTP id <0GVV0009LYBDPY@l-daemon> for <A href="mailto:[EMAIL PROTECTED]">[EMAIL PROTECTED]</A><BR>
 (ORCPT <A href="mailto:[EMAIL PROTECTED]">[EMAIL PROTECTED]</A>); Fri, 10 May 2002 02:02:01 -0600 (MDT)<BR>
Received: from 211.22.252.2 ([211.34.23.194])<BR>
 by l-daemon (iPlanet Messaging Server 5.1 (built May 7 2001))<BR>
 with SMTP id <0GVV00EHQYAM7T@l-daemon> for <A href="mailto:[EMAIL PROTECTED]">[EMAIL PROTECTED]</A>; Fri,<BR>
 10 May 2002 02:02:01 -0600 (MDT)<BR>
Received: from 82.49.149.76 ([82.49.149.76]) by hd.regsoft.net with asmtp; May,<BR>
 10 2002 3:41:20 -0300<BR>
Received: from 157.139.128.128 ([157.139.128.128]) by mta6.snfc21.pbi.net with<BR>
 asmtp; May, 10 2002 2:50:08 -0700<BR>
Received: from 131.159.235.104 ([131.159.235.104]) by rly-yk05.mx.aol.com with<BR>
 local; May, 10 2002 1:47:17 +1200<BR>
Date: Fri, 10 May 2002 04:01:57 -0400<BR>
From: Jennifer <<A href="mailto:[EMAIL PROTECTED]">[EMAIL PROTECTED]</A>><BR>
Subject: Where have you been???<BR>
Sender: Jennifer <<A href="mailto:[EMAIL PROTECTED]">[EMAIL PROTECTED]</A>><BR>
To: Undislcosed Recipient<BR>
Cc:<BR>
Message-id: <0GVV00EI1YBA7T@l-daemon><BR>
MIME-version: 1.0<BR>
X-Mailer: Microsoft Outlook Express 5.00.2919.6700<BR>
Content-type: text/html; charset=iso-8859-1</DIV></DIV>
<DIV><BR></DIV>
<P align=center><FONT color=#0000ff size=6><B>THE BEST LIVE WEB CAMS AVAILABLE</B></FONT></P>
<P align=center><FONT color=#ff0000 size=5><B><A href="http://%77%77w.%6e%65%74m%61i%6cs%2e%63%6f%6d/%6De%6D%62%65r%73%2F%77e%62c%61%6Dz/%6F%75%72%63am.%68t%6D%6C">CLICK HERE TO GET ACCESS</A></B></FONT></P>
<P align=center><FONT color=#ff0000 size=5>Tanya, Joyce, Melissa, Laura, Claudia and more are all waiting for you.</FONT></P>
<P align=center><FONT face="Arial Black" size=5>STOP WAITING!!!!</FONT></P>
<P align=center><SPAN style="BACKGROUND-COLOR: #ffff00"><A href="http://%77%77w.%6e%65%74m%61i%6cs%2e%63%6f%6d/%6De%6D%62%65r%73%2F%77e%62c%61%6Dz/%6F%75%72%63am.%68t%6D%6C"><FONT color=#ff0000 size=7>CLICK HERE</FONT></A></SPAN></P>
<P align=center> </P>
<P align=center> </P>
<P align=center> </P>
<P align=center> </P>
<P align=center> </P>
<P align=center>This following pages contain adult material. Do not enter if you are not at least 18 years of age!!!</P>
<DIV><FONT color=#000000>unsubscribe</FONT></DIV>
<DIV><FONT face=Arial size=2>-----------end forwarded spam----------</FONT></A></B></FONT></DIV></BODY></HTML>

_______________________________________________
spamcon-general mailing list
[EMAIL PROTECTED]
http://mail.spamcon.org/mailman/listinfo/spamcon-general#subscribers
Subscribe, unsubscribe, etc: Use the URL above or send "help" in body of message to [EMAIL PROTECTED]
Contact administrator: [EMAIL PROTECTED]
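Walking the Received: chain the way the reply above describes, as an added example that is not part of the original thread: it parses the headers quoted in the thread (abridged and constructed here as sample input), treats l-daemon and *.shaw.ca as the trusted hosts (an assumption taken from the reply, to be replaced with your own MTA names), and reports the first untrusted peer that a trusted host stamped, whether that peer's HELO name matches its connecting address, and how many lines below it were supplied by the peer and so cannot be relied on.

```python
import email
import re

# Assumptions from the thread: the recipient's MTA stamps itself "l-daemon"
# and the recipient's own domain is shaw.ca. Adjust both for your own site.
TRUSTED_HOSTS, TRUSTED_SUFFIXES = {"l-daemon"}, (".shaw.ca",)

# Constructed sample, abridged from the headers quoted in the thread.
RAW_HEADERS = """\
Received: from pd4mr1so.prod.shaw.ca (pd4mr1so-qfe2.prod.shaw.ca [10.0.162.212])
 by l-daemon (iPlanet Messaging Server 5.1) with ESMTP id <0GVV00C3FYBBS1@l-daemon>
Received: from pd4mi3so.prod.shaw.ca (pd4mi3so-qfe3.prod.shaw.ca [10.0.121.196])
 by l-daemon (iPlanet Messaging Server 5.1) with ESMTP id <0GVV0009LYBDPY@l-daemon>
Received: from 211.22.252.2 ([211.34.23.194])
 by l-daemon (iPlanet Messaging Server 5.1) with SMTP id <0GVV00EHQYAM7T@l-daemon>
Received: from 82.49.149.76 ([82.49.149.76]) by hd.regsoft.net with asmtp
Received: from 157.139.128.128 ([157.139.128.128]) by mta6.snfc21.pbi.net with asmtp
Received: from 131.159.235.104 ([131.159.235.104]) by rly-yk05.mx.aol.com with local
"""

# "from HELO (rdns [ip]) ... by HOST"; the "rdns" part is absent when the peer has no rDNS
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?"
                    r"\[(?P<ip>[^\]]+)\]\))?.*?\bby\s+(?P<by>\S+)", re.S)

def parse_received(raw):
    """Received hops in header order: top (most recent, stamped by you) first.
    The email parser hands back each folded header as one value; the line
    breaks it keeps inside the value are absorbed by \\s and re.S."""
    headers = email.message_from_string(raw).get_all("Received", [])
    return [m.groupdict() for m in map(HOP_RE.search, headers) if m]

def is_trusted(host):
    return host in TRUSTED_HOSTS or host.endswith(TRUSTED_SUFFIXES)

def find_origin(hops):
    """Walk down from the top. The first hop a trusted host stamped for an
    untrusted peer is the injection point; every hop below it was supplied by
    that peer, may be forged, and is evidence of nothing."""
    for i, hop in enumerate(hops):
        if not is_trusted(hop["by"]):
            return None                       # chain never passed through us
        peer = hop["rdns"] or hop["ip"] or hop["helo"]  # what the receiver saw
        if not is_trusted(peer):
            return {"ip": hop["ip"], "helo": hop["helo"],
                    "helo_lies": hop["helo"] not in (hop["ip"], hop["rdns"]),
                    "forged_below": len(hops) - i - 1}
    return None

if __name__ == "__main__":
    print(find_origin(parse_received(RAW_HEADERS)))
```

On the sample it stops at the third line, the one the reply calls "your spammer", and notes that the three lines below it are exactly the ones the question singled out.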
