Keep in mind that "Received" lines are written in reverse order, so the top 
line is always the newest.  Also, "Received" lines are trivial to fake and 
spammers often do insert fake lines to throw off scanners.

But assuming all the lines you sent are genuine, it looks like user 3048 
invoked a qmail command somehow (e.g. command line, webmail, spambot) and 
created a message (line 6), which then connected to a qmail daemon over a 
network socket and delivered it (line 5).  Line 4 shows it arriving at from  That IP is not, even 
though its reverse DNS claims it is.  Also, connecting to on 
port 465 shows a Sendmail greeting banner, not qmail, so it's unlikely lines 5 
and 6 were generated by that server.  Line 3 shows the message arriving at from  The rest of this line seems to match the 
Sendmail version in the greeting banner on  Line 2 shows the 
message arriving on from -- I'm guessing 
this is where your edge server delivered to your internal server.  Line 1 shows 
qmail on the internal server accepting the message.

Personally, I think lines 3-6 are bogus.  The timestamps don't make sense (the 
message seems to travel forwards and backwards in time), the order of 
deliveries doesn't make sense and the DNS records don't match up.  If line 4 is 
correct and the message really passed through twice, the logs 
on that server should show it.  I'd trust your logs, not the message headers.

-- Sam Clippinger

On Aug 22, 2017, at 2:00 PM, Pablo Murillo <> wrote:

> Hi
> I'm a little confused
> We have 4 MXs, the names are to mx4, every one has the same 
> spamdyke.conf and delivers the valid emails using the internal network to the 
> corresponding server
> So ... I have these headers of an email that is SPAM, and now, I'm lost
> For what I see in the 1st Received, the email is generated by the UID of the 
> user assigned to the domain (this is right, the UID belongs to the user we 
> assigned to the domain)
> The 3rd Received is for receiving an email from my MX2 server?
> Is this right? Or am I misreading the headers?
> -------------------------------------------------------------
> Received: (qmail 5105 invoked from network); 22 Aug 2017 13:18:28 -0000
> Received: from unknown (HELO (
> by with SMTP; 22 Aug 2017 13:22:18 -0000
> Received: from ( [])
> (authenticated bits=0)
> by (8.14.4/8.14.4) with ESMTP id v7MDVVfi011904
> (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
> for <>; Tue, 22 Aug 2017 06:32:22 -0700
> Received: from unknown (HELO (
> by with SMTP; 22 Aug 2017 13:18:28 -0000
> Received: (qmail 60824 invoked from network); 22 Aug 2017 13:22:18 -0000
> Received: (qmail 60837 invoked by uid 3048); 22 Aug 2017 13:22:18 -0000
> From: <>
> To: <>
> Date: Tue, 22 Aug 2017 11:32:24 -0300
> Message-ID:
> ------------------------------------------------------------- 
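The reading rules applied in the reply above (Received lines run newest first, a hop's timestamp should not be earlier than the hop below it, and the host a hop claims to have received from should be the host the previous hop says it delivered through) can be mechanised. The following is an added example, not code from this thread or from spamdyke. The header values it parses are constructed to mirror the layout of the quoted message, with example.* placeholder hostnames, RFC 5737 documentation addresses and a placeholder queue id; the function names and the dictionary fields are the example's own. Forward-DNS verification (checking that an IP really belongs to the name its reverse DNS claims) needs a live lookup and is deliberately left out so the script runs offline.

```python
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

# Constructed sample trace, newest hop first (the order the headers appear in
# the message). Same layout as the headers quoted in the thread, but hostnames
# are example.* placeholders and the IPs are RFC 5737 documentation addresses.
SAMPLE_RECEIVED = [
    "(qmail 5105 invoked from network); 22 Aug 2017 13:18:28 -0000",
    "from unknown (HELO mx2.example.net) (198.51.100.7) "
    "by mail.example.net with SMTP; 22 Aug 2017 13:22:18 -0000",
    "from mx2.example.net (host.example.org [203.0.113.5]) (authenticated bits=0) "
    "by relay.example.org (8.14.4/8.14.4) with ESMTP id PLACEHOLDERID "
    "for <user@example.net>; Tue, 22 Aug 2017 06:32:22 -0700",
    "from unknown (HELO relay.example.org) (203.0.113.5) "
    "by mx2.example.net with SMTP; 22 Aug 2017 13:18:28 -0000",
    "(qmail 60824 invoked from network); 22 Aug 2017 13:22:18 -0000",
    "(qmail 60837 invoked by uid 3048); 22 Aug 2017 13:22:18 -0000",
]

# qmail's own stamps: "(qmail PID invoked from network)" / "(... invoked by uid N)"
QMAIL_RE = re.compile(r"^\(qmail \d+ invoked (?:from network|by uid (?P<uid>\d+))\)")
# qmail-smtpd/spamdyke style: "from <rdns-or-unknown> (HELO <name>) (<ip>)"
QMAIL_SMTP_RE = re.compile(r"^from (?P<rdns>\S+) \(HELO (?P<helo>[^)]+)\) \((?P<ip>[^)]+)\)")
# Sendmail style: "from <helo> (<rdns> [<ip>])"
SENDMAIL_RE = re.compile(r"^from (?P<helo>\S+) \((?P<rdns>\S+) \[(?P<ip>[^\]]+)\]\)")
BY_RE = re.compile(r"\bby (?P<by>\S+)")


def parse_hop(raw):
    """Split one Received value into the fields the checks below need."""
    hop = {"kind": "other", "helo": None, "rdns": None, "ip": None,
           "by": None, "uid": None, "time": None}
    if ";" in raw:
        body, _, date_part = raw.rpartition(";")   # date is after the last ';'
    else:
        body, date_part = raw, ""
    if date_part.strip():
        try:
            dt = parsedate_to_datetime(date_part.strip())
            if dt.tzinfo is None:        # "-0000" parses as naive; treat it as UTC
                dt = dt.replace(tzinfo=timezone.utc)
            hop["time"] = dt
        except (ValueError, TypeError):  # unparseable date stays None
            pass
    m = QMAIL_RE.match(body)
    if m:
        hop["kind"] = "qmail-local" if m.group("uid") else "qmail-network"
        hop["uid"] = m.group("uid")
        return hop
    m = QMAIL_SMTP_RE.match(body) or SENDMAIL_RE.match(body)
    if m:
        hop["kind"] = "smtp"
        hop.update(m.groupdict())          # helo, rdns, ip
        by = BY_RE.search(body)
        hop["by"] = by.group("by") if by else None
    return hop


def parse_received(headers):
    """Headers are given newest first; index 1 is the top line of the message."""
    hops = []
    for i, raw in enumerate(headers, start=1):
        hop = parse_hop(raw)
        hop["index"] = i
        hops.append(hop)
    return hops


def find_time_anomalies(hops):
    """Indices of hops stamped earlier than the (older) hop directly below them."""
    bad = []
    for newer, older in zip(hops, hops[1:]):
        if newer["time"] and older["time"] and newer["time"] < older["time"]:
            bad.append(newer["index"])
    return bad


def find_chain_breaks(hops):
    """Indices of SMTP hops whose claimed sender is not the host that the
    older hop below says it delivered through ("by ...")."""
    bad = []
    for newer, older in zip(hops, hops[1:]):
        if newer["kind"] != "smtp" or not older["by"]:
            continue
        if older["by"] not in (newer["helo"], newer["rdns"]):
            bad.append(newer["index"])
    return bad


def report(headers):
    """Summary a mail admin would compare against the server's own logs."""
    hops = parse_received(headers)
    return {
        "origin_uid": next((h["uid"] for h in hops if h["uid"]), None),
        "time_anomalies": find_time_anomalies(hops),
        "chain_breaks": find_chain_breaks(hops),
    }


if __name__ == "__main__":
    print(report(SAMPLE_RECEIVED))
```

On the constructed sample the report flags hops 1, 2 and 4 as travelling backwards in time and hop 2 as naming a sender that the hop below never delivered through, which is the same pattern the reply describes for lines 2 through 6. A flag is a reason to pull the receiving server's own logs for the queue id and timestamp, not proof by itself, since clock skew between hosts also produces small backward steps.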

spamdyke-users mailing list
