Keep in mind that "Received" lines are written in reverse order, so the top 
line is always the newest.  Also, "Received" lines are trivial to fake and 
spammers often do insert fake lines to throw off scanners.

But assuming all the lines you sent are genuine, it looks like user 3048 
invoked a qmail command somehow (e.g. command line, webmail, spambot) and 
created a message (line 6), which then connected to a qmail daemon over a 
network socket and delivered it (line 5).  Line 4 shows it arriving at 
mx2.serversur.net from 204.58.254.207.  That IP is not smtp.wpac.com, even 
though its reverse DNS claims it is.  Also, connecting to 204.58.254.207 on 
port 465 shows a Sendmail greeting banner, not qmail, so it's unlikely lines 5 
and 6 were generated by that server.  Line 3 shows the message arriving at 
smtp.wpac.com from 188.33.156.68.  The rest of this line seems to match the 
Sendmail version in the greeting banner on 204.58.254.207.  Line 2 shows the 
message arriving on rng031.serversur.net from 192.168.0.103 -- I'm guessing 
this is where your edge server delivered to your internal server.  Line 1 shows 
qmail on the internal server accepting the message.

Personally, I think lines 3-6 are bogus.  The timestamps don't make sense (the 
message seems to travel forwards and backwards in time), the order of 
deliveries doesn't make sense and the DNS records don't match up.  If line 4 is 
correct and the message really passed through mx2.serversur.net twice, the logs 
on that server should show it.  I'd trust your logs, not the message headers.

-- Sam Clippinger




On Aug 22, 2017, at 2:00 PM, Pablo Murillo <p...@rednetgroup.com> wrote:

> Hi
> 
> I'm a little confused
> We have 4 MXs, the names are mx1.serversur.net to mx4, every one has the same 
> spamdyke.conf and delivers the valid emails using the internal network to the 
> corresponding server
> So ... I have these headers of an email that is SPAM, and now, I'm lost
> 
> For what I see in the 1st Received, the email is generated for the UID of the 
> user assigned to the domain (this is right, the UID belong to the user we 
> assigned to the domain)
> The 3rd Received is for 204.58.254.207 receiving an email from my MX2 server?
> Is this right? Or am I misreading the headers?
> 
> -------------------------------------------------------------
> Received: (qmail 5105 invoked from network); 22 Aug 2017 13:18:28 -0000
> Received: from unknown (HELO mx2.serversur.net) (192.168.0.103)
> by rng031.serversur.net with SMTP; 22 Aug 2017 13:22:18 -0000
> Received: from 10.0.0.40 (user-188-33-156-68.play-internet.pl [188.33.156.68])
> (authenticated bits=0)
> by smtp.wpac.com (8.14.4/8.14.4) with ESMTP id v7MDVVfi011904
> (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
> for <siste...@xxxxxxxx.com.ar>; Tue, 22 Aug 2017 06:32:22 -0700
> Received: from unknown (HELO smtp.wpac.com) (204.58.254.207)
> by mx2.serversur.net with SMTP; 22 Aug 2017 13:18:28 -0000
> Received: (qmail 60824 invoked from network); 22 Aug 2017 13:22:18 -0000
> Received: (qmail 60837 invoked by uid 3048); 22 Aug 2017 13:22:18 -0000
> From: <danielplace...@xxxxxxxx.com.ar>
> To: <siste...@xxxxxxxx.com.ar>
> Date: Tue, 22 Aug 2017 11:32:24 -0300
> Message-ID: 198706278.2017822133...@xxxxxxxx.com.ar
> ------------------------------------------------------------- 

_______________________________________________
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
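The checks Sam walks through above (newest hop on top, timestamps that should not run backwards as you read down, and each hop's "from" lining up with the next older hop's "by") can be scripted. The following is an added example, not code from the list, from spamdyke or from Sam; it parses the six Received lines quoted in Pablo's message (copied here as constructed input, unfolded to one string per header) and reports the inconsistencies. The "chain break" and "unverified HELO" heuristics are my own; the reverse-DNS comparison Sam did by hand needs network access and is deliberately left out.

```python
"""Sanity-check a Received: trace: newest hop first, time must not run
backwards going down the list, and hop N's claimed sender should match hop
N+1's receiving host.  Added example; not part of spamdyke or the thread."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional

# Constructed input: the Received lines from the message quoted on the list,
# one string per header, in header order (newest first, like the original).
RECEIVED_TRACE = [
    "(qmail 5105 invoked from network); 22 Aug 2017 13:18:28 -0000",
    "from unknown (HELO mx2.serversur.net) (192.168.0.103) "
    "by rng031.serversur.net with SMTP; 22 Aug 2017 13:22:18 -0000",
    "from 10.0.0.40 (user-188-33-156-68.play-internet.pl [188.33.156.68]) "
    "(authenticated bits=0) by smtp.wpac.com (8.14.4/8.14.4) with ESMTP id "
    "v7MDVVfi011904 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 "
    "bits=256 verify=NO) for <siste...@xxxxxxxx.com.ar>; "
    "Tue, 22 Aug 2017 06:32:22 -0700",
    "from unknown (HELO smtp.wpac.com) (204.58.254.207) "
    "by mx2.serversur.net with SMTP; 22 Aug 2017 13:18:28 -0000",
    "(qmail 60824 invoked from network); 22 Aug 2017 13:22:18 -0000",
    "(qmail 60837 invoked by uid 3048); 22 Aug 2017 13:22:18 -0000",
]


@dataclass
class Hop:
    raw: str
    when: datetime                  # always converted to UTC
    claimed: Optional[str] = None   # name the sender gave (HELO, or the "from" token)
    ip: Optional[str] = None        # address the receiver actually saw
    by: Optional[str] = None        # receiving host
    qmail: Optional[str] = None     # "network" or "uid NNNN" for qmail's own stamps


def parse_received(line: str) -> Hop:
    """Split one unfolded Received header into the fields the checks need."""
    body, _, date = line.rpartition(";")
    when = parsedate_to_datetime(date.strip())
    if when.tzinfo is None:         # "-0000" parses as naive; it denotes UTC
        when = when.replace(tzinfo=timezone.utc)
    hop = Hop(raw=line, when=when.astimezone(timezone.utc))
    body = body.strip()
    m = re.match(r"\(qmail \d+ invoked (from network|by uid \d+)\)", body)
    if m:                           # qmail-inject / qmail-smtpd stamp, no from/by
        hop.qmail = m.group(1).replace("from ", "").replace("by ", "")
        return hop
    m = re.match(r"from\s+(\S+)", body)
    if m:
        hop.claimed = m.group(1)
    m = re.search(r"\(HELO\s+([^)\s]+)\)", body)
    if m:                           # qmail style: "from <rdns> (HELO name) (ip)"
        hop.claimed = m.group(1)
    m = re.search(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]", body)
    if m:
        hop.ip = m.group(1)
    m = re.search(r"\bby\s+(\S+)", body)
    if m:
        hop.by = m.group(1)
    return hop


def find_anomalies(trace: List[str], skew_seconds: int = 30) -> List[str]:
    """Return human-readable findings; hop numbers are 1-based, top line = 1."""
    hops = [parse_received(line) for line in trace]
    findings = []
    for i in range(len(hops) - 1):
        newer, older = hops[i], hops[i + 1]
        # Header order is newest-first, so time must not increase going down
        # (allow a little clock skew between servers).
        if (older.when - newer.when).total_seconds() > skew_seconds:
            findings.append(
                f"time reversal: hop {i + 1} ({newer.when:%H:%M:%S}Z) is stamped "
                f"earlier than the older hop {i + 2} ({older.when:%H:%M:%S}Z)")
        # The host hop N says it came from should be the host that wrote hop N+1.
        if newer.claimed and older.by and newer.claimed.lower() != older.by.lower():
            findings.append(
                f"chain break: hop {i + 1} says it came from {newer.claimed} "
                f"but hop {i + 2} was received by {older.by}")
    for n, hop in enumerate(hops, 1):
        # "from unknown (HELO x)" means qmail could not resolve the peer; the
        # HELO name is the sender's unverified claim.
        if hop.raw.startswith("from unknown") and hop.claimed:
            findings.append(
                f"unverified HELO: hop {n} claims {hop.claimed}, "
                f"receiver could not resolve {hop.ip}")
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(RECEIVED_TRACE):
        print(finding)
```

On the quoted trace this reports three time reversals (hops 1/2, 2/3 and 4/5), two chain breaks (hop 2 claims mx2.serversur.net but hop 3 was received by smtp.wpac.com; hop 3 claims 10.0.0.40 but hop 4 was received by mx2.serversur.net) and two unverified HELO names, which is the same picture Sam reaches by hand. A clean trace from a single delivery path produces no findings, so the script is usable as a first-pass filter before pulling the real server logs.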
