Michael Moyse wrote on Fri, 08 Jul 2005 17:55:32 +0100:

> To me it looks like a duck and sounds like a duck  I'm probably wrong 
> and missing something here because I'm no expert so I'm happy to be 
> enlightened.

Ok, I enlighten you ;-) I hope I'm not wrong. Now that I look again at the 
headers it turns out I was wrong as well, see below.

From the headers:

Received: (qmail 10812 invoked by uid 567); 5 Jul 2005 12:03:20 -0000 
Received: from 65.33.195.76 by host1 (envelope-from 
<[EMAIL PROTECTED]>, uid 502) with 
qmail-scanner-1.25 
(clamdscan: 0.86.1/967. spamassassin: 3.0.4.   
Clear:RC:0(65.33.195.76):SA:0(0.0/1.5):. 
Processed in 0.44071 secs); 05 Jul 2005 12:03:20 -0000 
Received: from unknown (HELO ss) (65.33.195.76) 
 by 0 with SMTP; 5 Jul 2005 12:03:19 -0000 

>> 65.33.195.76 = 76.195.33.65.cfl.res.rr.com !

Received: from vitalmex.com.mx (mail1.vitalmex.com.mx [148.223.241.181]) 
by 76.195.33.65.cfl.res.rr.com (Pastfix) with ESMTP id 0456EDBA28 
for <[EMAIL PROTECTED]>; Tue, 05 Jul 2005 05:21:23 -0700 

The mail went:
vitalmex -> Roadrunner (Po/astfix) -> boom-edv.de (qmail)
The last Received line looks forged (Pastfix), there's also no SMTP 
running at 76.195.33.65.cfl.res.rr.com (=no open/abusable relay). This 
suggests that the mail was sent out directly from that roadrunner account 
and the last Received plus all vitalmex stuff is completely forged. Also, 
a spammer who abused a Roadrunner account would obviously not send 
openly from his own MX and give you a return-path which leads back to 
him.

So, what you actually have to block is .rr.com and not .vitalmex.com.mx or 
.mx. This mail would have never reached us, because we already block all 
of .rr.com :-)


Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org
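Kai's reasoning above is a trust-boundary walk over the Received chain, and it can be mechanised. The following is an added example, not code from the thread: it parses the quoted Received lines (top, most recent hop first; the local "qmail invoked by uid" line is left out because it records no connection), stops at the first hop not stamped by a host we operate, reports the IP our last trusted host accepted the connection from, and treats every line below as unverifiable. The set of trusted receiving hosts is an assumption taken from the quoted headers.

```python
import re

# Received lines from the quoted mail, newest hop first. The redacted address
# is kept as it appears in the post.
RECEIVED = [
    "from 65.33.195.76 by host1 (envelope-from <[EMAIL PROTECTED]>, uid 502) with qmail-scanner-1.25",
    "from unknown (HELO ss) (65.33.195.76) by 0 with SMTP; 5 Jul 2005 12:03:19 -0000",
    "from vitalmex.com.mx (mail1.vitalmex.com.mx [148.223.241.181]) by 76.195.33.65.cfl.res.rr.com (Pastfix) with ESMTP id 0456EDBA28",
]

# Assumption: these are the receiving-side (boom-edv.de) qmail hosts we control.
TRUSTED_BY = {"host1", "0"}

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HELO = re.compile(r"\(HELO\s+(\S+)\)")

def parse_received(line):
    # Connecting IP is the first IPv4 literal before " by "; receiving host is
    # the first token after it. "from unknown" means the IP had no reverse DNS.
    from_part, _, rest = line.partition(" by ")
    ip = IPV4.search(from_part)
    helo = HELO.search(from_part)
    return {
        "ip": ip.group(1) if ip else None,
        "by": rest.split()[0] if rest else None,
        "helo": helo.group(1) if helo else None,
        "no_rdns": from_part.startswith("from unknown"),
    }

def trust_boundary(received, trusted_by):
    # Only lines stamped by hosts we run are reliable. The originating IP is the
    # one our last trusted host saw; everything below that hop is unverifiable.
    origin = None
    for idx, line in enumerate(received):
        hop = parse_received(line)
        if hop["by"] in trusted_by:
            origin = hop["ip"]
            continue
        return origin, received[idx:]
    return origin, []

def claims_origin_as_relay(line, origin_ip):
    # Heuristic from the thread: the forged hop names the real origin as its
    # "relay", here via the reverse-DNS style name 76.195.33.65.cfl.res.rr.com.
    by = parse_received(line)["by"] or ""
    reversed_ip = ".".join(reversed(origin_ip.split(".")))
    return origin_ip in by or reversed_ip in by

if __name__ == "__main__":
    origin, unverifiable = trust_boundary(RECEIVED, TRUSTED_BY)
    print(origin, len(unverifiable), claims_origin_as_relay(unverifiable[0], origin))
```

Run on the quoted headers it yields 65.33.195.76 as the origin, one unverifiable hop (the vitalmex line), and confirms that hop names the origin itself as the relay, which is exactly why blocking .vitalmex.com.mx would miss the sender.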


