Hi Mac:

I've run Sam Spade on the header of a duplicate email. And am adding my comments in Red.

It looks like G2 Solutions Inc. has a couple of servers called:
DNS0.STAR.CO.UK 195.216.16.129
DNS1.STAR.CO.UK 195.216.16.65
For more on G2 Solutions see below.

Most likely one of the Sundial list subscribers is using them as an ISP. G2 solutions is improperly reflecting the email back to the list causing the duplicate postings.

Have Fun,
Brooke Clarke

04/14/05 13:47:11 Input

The Received: headers are the important ones to read
My comments are just hints, and should be considered only (My here means the Sam Spade Program) an opinion. I may have guessed wrong, or things may have changed since I was written

>From - Thu Apr 14 09:45:19 2005

Hmmm from isn't a header I recognise

X-UIDL: f3-!!U'~"!2#1"!_^5"!
X-Mozilla-Status: 0011
X-Mozilla-Status2: 00000000
Return-Path: <[EMAIL PROTECTED]>
Received: from mailfilter.pacific.net (mailfilter.pacific.net [63.162.241.9])
    by mail.pacific.net (8.12.0/8.12.1) with ESMTP id j3EGN6EN027432
    for <[EMAIL PROTECTED]>; Thu, 14 Apr 2005 09:23:07 -0700 (PDT)

This received header was added by your mailserver
mail.pacific.net received this from mailfilter.pacific.net (IP addresses match)

Received: from psmtp.com (exprod5mx86.postini.com [64.18.0.74])
    by mailfilter.pacific.net (8.12.9/8.12.9) with SMTP id j3EGNQTf001020
    for <[EMAIL PROTECTED]>; Thu, 14 Apr 2005 09:23:26 -0700

mailfilter.pacific.net received this from someone claiming to be psmtp.com
This doesn't match the IP address in the headers, so this may be a relay point. If so all headers below are probably forged.
It really came from exprod5mx86.postini.com

Received: from source ([134.95.100.208]) (using TLSv1)
    by exprod5mx86.postini.com ([64.18.4.10]) with SMTP;
    Thu, 14 Apr 2005 12:23:16 EDT

exprod5mx86.postini.com received this from someone claiming to be source
This doesn't match the IP address in the headers, so this may be a relay point. If so all headers below are probably forged.
It really came from mail1.rrz.uni-koeln.de

All of the above relates to getting the email from the Sundials list to me.

Received: from mail1.rrz.Uni-Koeln.DE (localhost [127.0.0.1])
    by mail1.rrz.Uni-Koeln.DE (8.13.1/8.13.1) with ESMTP id j3EGIV2G000295
    (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NOT)
    for <[EMAIL PROTECTED]>; Thu, 14 Apr 2005 18:18:32 +0200 (MEST)

mail1.rrz.Uni-Koeln.DE received this from someone claiming to be mail1.rrz.Uni-Koeln.DE but really from 127.0.0.1(localhost)
All headers below may be forged

Received: (from [EMAIL PROTECTED])
    by mail1.rrz.Uni-Koeln.DE (8.13.1/8.13.1/Submit) id j3EGIVhU000292
    for sundial-out; Thu, 14 Apr 2005 18:18:31 +0200 (MEST)

Comment before any parameter. Perfectly legal, but unusual
mail1.rrz.Uni-Koeln.DE received this, but doesn't tell us where from.
(Without a from parameter it's hard to verify later received headers. Treat with caution)

Received: from server01.Smith-Gardner.local ([217.154.181.6])
    by mail1.rrz.Uni-Koeln.DE (8.13.1/8.13.1) with ESMTP id j3EGIQTO000250
    for <[email protected]>; Thu, 14 Apr 2005 18:18:30 +0200 (MEST)

mail1.rrz.Uni-Koeln.DE received this from someone claiming to be server01.Smith-Gardner.local
This host doesn't exist, so all headers below this one are probably forged

Received: from server01.Smith-Gardner.local ([10.2.0.240])
    by server01.Smith-Gardner.local with Microsoft SMTPSVC(5.0.2195.6713);
    Thu, 14 Apr 2005 17:16:20 +0100

server01.Smith-Gardner.local received this from someone claiming to be server01.Smith-Gardner.local
This host doesn't exist, so all headers below this one are probably forged

Received: by server01.Smith-Gardner.local (Microsoft Connector for POP3 Mailboxes 5.00.2195)
    with SMTP (Global POP3 Download) id [EMAIL PROTECTED];
    Thu, 14 Apr 2005 17:16:15 +0100

server01.Smith-Gardner.local received this, but doesn't tell us where from.
(Without a from parameter it's hard to verify later received headers. Treat with caution)

Delivered-To: [EMAIL PROTECTED]
Received: (qmail 21400 invoked from network); 14 Apr 2005 16:08:37 -0000

Just a qmail status line

Received: from unknown (HELO smtp-in-2.star.net.uk) (10.200.12.2)
    by welly-5.star.net.uk with SMTP; 14 Apr 2005 16:08:37 -0000

welly-5.star.net.uk received this from someone claiming to be unknown
(welly-5.star.net.uk doesn't record the senders IP address in any way I recognise, so it's impossible to be sure. All received headers after this one should be treated with suspicion)

Received: (qmail 15268 invoked from network); 14 Apr 2005 16:08:37 -0000

Just a qmail status line

Received: from mail35.messagelabs.com (62.231.131.195)
    by smtp-in-2.star.net.uk with SMTP; 14 Apr 2005 16:08:37 -0000

smtp-in-2.star.net.uk received this from mail35.messagelabs.com (IP addresses match)

X-VirusChecked: Checked
X-Env-Sender: [EMAIL PROTECTED]
X-Msg-Ref: server-12.tower-35.messagelabs.com!1113494916!0!1
X-StarScan-Version: 5.4.11; banners=-,-,euromacs.com
X-Originating-IP: [134.95.100.208]
Received: (qmail 30713 invoked from network); 14 Apr 2005 16:08:37 -0000

Just a qmail status line

Received: from mail1.rrz.uni-koeln.de (134.95.100.208)
    by server-12.tower-35.messagelabs.com with SMTP; 14 Apr 2005 16:08:37 -0000

server-12.tower-35.messagelabs.com received this from mail1.rrz.uni-koeln.de (IP addresses match)

Received: from mail1.rrz.Uni-Koeln.DE (localhost [127.0.0.1])
    by mail1.rrz.Uni-Koeln.DE (8.13.1/8.13.1) with ESMTP id j3EG5oVe023080
    (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NOT)
    for <[EMAIL PROTECTED]>; Thu, 14 Apr 2005 18:05:50 +0200 (MEST)

mail1.rrz.Uni-Koeln.DE received this from someone claiming to be mail1.rrz.Uni-Koeln.DE but really from 127.0.0.1(localhost)
All headers below may be forged

Received: (from [EMAIL PROTECTED])
    by mail1.rrz.Uni-Koeln.DE (8.13.1/8.13.1/Submit) id j3EG5oiT023079
    for sundial-out; Thu, 14 Apr 2005 18:05:50 +0200 (MEST)

Comment before any parameter. Perfectly legal, but unusual
mail1.rrz.Uni-Koeln.DE received this, but doesn't tell us where from.
(Without a from parameter it's hard to verify later received headers. Treat with caution)

Received: from mail.gravitymedia.com (user-6.utah2.fiber.net [209.90.77.6])
    by mail1.rrz.Uni-Koeln.DE (8.13.1/8.13.1) with ESMTP id j3EG5gQJ023021
    (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NOT)
    for <[email protected]>; Thu, 14 Apr 2005 18:05:47 +0200 (MEST)

mail1.rrz.Uni-Koeln.DE received this from mail.gravitymedia.com (IP addresses match)

Received: from PDK (ns2.digis.net [208.186.134.102]) (authenticated bits=0)
    by mail.gravitymedia.com (8.12.8/8.12.8) with ESMTP id j3EFLmG4017838;
    Thu, 14 Apr 2005 09:21:48 -0600

mail.gravitymedia.com received this from someone claiming to be PDK
This doesn't match the IP address in the headers, so this may be a relay point. If so all headers below are probably forged.
It really came from ns2.digis.net

Message-ID: <[EMAIL PROTECTED]>
From: "Sundial Alarms" <[EMAIL PROTECTED]>
To: "Mac Oglesby" <[EMAIL PROTECTED]>, "Sundial Mail List" <[email protected]>
References: <[EMAIL PROTECTED]>
Subject: Re: Duplicate messages
Date: Thu, 14 Apr 2005 09:23:01 -0600
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=response
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Virus-Scanned: by amavisd-new
X-Spam-Status: 0
X-Spam-Status: 0
X-Spam-Report: FORGED_RCVD_HELO
X-Spam-Report: FORGED_RCVD_HELO
X-Scanned-By: MIMEDefang 2.48 on 127.0.0.1
X-Scanned-By: MIMEDefang 2.48 on 134.95.19.103
X-Scanned-By: MIMEDefang 2.48 on 127.0.0.1
X-Scanned-By: MIMEDefang 2.48 on 134.95.19.103
X-OriginalArrivalTime: 14 Apr 2005 16:16:20.0515 (UTC) FILETIME=[4B63F730:01C5410D]
Sender: [EMAIL PROTECTED]
Precedence: bulk
Reply-To: "Sundial Alarms" <[EMAIL PROTECTED]>
X-pstn-levels: (S:99.90000/99.90000 R:95.9108 P:95.9108 M:97.0232 C:98.7678 )
X-pstn-settings: 5 (2.0000:2.0000) s gt3 gt2 gt1 r p m c
X-pstn-addresses: from <[EMAIL PROTECTED]> [2169/95]
X-MailScanner-Information: Please contact the ISP for more information
X-MailScanner: Found to be clean
X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (score=4.524,
    required 5.5, RCVD_IN_SORBS 1.10, RCVD_IN_SORBS_WEB 2.80,
    SARE_RECV_MANYMX 0.62)
X-MailScanner-From: [EMAIL PROTECTED]
X-UIDL: f3-!!U'~"!2#1"!_^5"!
Status: U

A Whois on [EMAIL PROTECTED] returns the following:

04/14/05 13:59:01 whois euromacs.com

.com is a domain of USA & International Commercial
Searches for .com can be run at http://www.crsnic.net/

whois -h whois.crsnic.net euromacs.com ...
Redirecting to NETWORK SOLUTIONS, LLC.

whois -h whois.networksolutions.com euromacs.com ...

NOTICE AND TERMS OF USE: You are not authorized to access or query our WHOIS database through the use of high-volume, automated, electronic processes. The Data in Network Solutions' WHOIS database is provided by Network Solutions for information purposes only, and to assist persons in obtaining information about or related to a domain name registration record. Network Solutions does not guarantee its accuracy. By submitting a WHOIS query, you agree to abide by the following terms of use: You agree that you may use this Data only for lawful purposes and that under no circumstances will you use this Data to: (1) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via e-mail, telephone, or facsimile; or (2) enable high volume, automated, electronic processes that apply to Network Solutions (or its computer systems). The compilation, repackaging, dissemination or other use of this Data is expressly prohibited without the prior written consent of Network Solutions. You agree not to use high-volume, automated, electronic processes to access or query the WHOIS database. Network Solutions reserves the right to terminate your access to the WHOIS database in its sole discretion, including without limitation, for excessive querying of the WHOIS database or for failure to otherwise abide by this policy. Network Solutions reserves the right to modify these terms at any time.

Registrant:
G2 Solutions Ltd
    Ground Floor St Johns House
    Spitfire Close
    Ermine Business Centre, Huntingdon pe29 6xy
    UK

    Domain Name: EUROMACS.COM

    Administrative Contact, Technical Contact:
        G2 Solutions Ltd [EMAIL PROTECTED]
        Ground Floor St Johns House
        Spitfire Close
        Ermine Business Centre, Huntingdon pe29 6xy
        UK
        01480 451190

    Record expires on 28-Apr-2005.
    Record created on 28-Apr-2000.
    Database last updated on 14-Apr-2005 16:59:03 EDT.

    Domain servers in listed order:

    DNS0.STAR.CO.UK 195.216.16.129
    DNS1.STAR.CO.UK 195.216.16.65
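
The reflection discussed in this message can also be found mechanically: read the Received: chain oldest hop first and look for a host that accepts the message again after it has already passed it on. The following is an added example, not part of the original post and not Sam Spade's own logic; the hop strings are trimmed from the headers above, and the names `parse_hop` and `find_reinjections` are hypothetical.

```python
import ipaddress
import re

# Received headers excerpted from the message above, newest first; ids, dates
# and recipients are trimmed, so the excerpt itself is constructed.
RECEIVED = [
    "from psmtp.com (exprod5mx86.postini.com [64.18.0.74]) by mailfilter.pacific.net with SMTP",
    "from mail1.rrz.Uni-Koeln.DE (localhost [127.0.0.1]) by mail1.rrz.Uni-Koeln.DE with ESMTP",
    "from server01.Smith-Gardner.local ([217.154.181.6]) by mail1.rrz.Uni-Koeln.DE with ESMTP",
    "from server01.Smith-Gardner.local ([10.2.0.240]) by server01.Smith-Gardner.local with Microsoft SMTPSVC",
    "from unknown (HELO smtp-in-2.star.net.uk) (10.200.12.2) by welly-5.star.net.uk with SMTP",
    "from mail35.messagelabs.com (62.231.131.195) by smtp-in-2.star.net.uk with SMTP",
    "from mail1.rrz.uni-koeln.de (134.95.100.208) by server-12.tower-35.messagelabs.com with SMTP",
    "from mail1.rrz.Uni-Koeln.DE (localhost [127.0.0.1]) by mail1.rrz.Uni-Koeln.DE with ESMTP",
    "from mail.gravitymedia.com (user-6.utah2.fiber.net [209.90.77.6]) by mail1.rrz.Uni-Koeln.DE with ESMTP",
]

# claimed name, optional logged reverse-DNS name, source IP, receiving host
HOP = re.compile(
    r"from\s+(?P<helo>\S+).*?\(\s*(?:(?P<rdns>[\w.-]+)\s+)?"
    r"\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\).*?\sby\s+(?P<by>\S+)", re.I)

def parse_hop(received):
    """Split one Received: value into claimed name, logged rDNS, source IP and receiving host."""
    m = HOP.search(received)
    if not m:
        return None  # e.g. qmail status lines, which name no peer
    hop = m.groupdict()
    addr = ipaddress.ip_address(hop["ip"])
    hop["scope"] = "loopback" if addr.is_loopback else "private" if addr.is_private else "public"
    hop["by"] = hop["by"].lower()  # host names compare case-insensitively
    return hop

def find_reinjections(received_newest_first):
    """Return (host, hop) for each hop that hands the message back to a host it already left."""
    left, current, findings = set(), None, []
    for hop in filter(None, map(parse_hop, reversed(received_newest_first))):
        if hop["by"] != current:
            if current is not None:
                left.add(current)  # the previous receiver has passed the message on
            if hop["by"] in left:
                findings.append((hop["by"], hop))
            current = hop["by"]
    return findings

if __name__ == "__main__":
    for host, hop in find_reinjections(RECEIVED):
        print(f"{host} got the message a second time from {hop['helo']} [{hop['ip']}] ({hop['scope']})")
```

Hops whose scope is private or loopback were logged inside someone's own network and cannot be checked from outside, which is why the public address on the hop that returns the message to the list server is the one worth reporting.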
