Spammers routinely spoof the source *email address* of messages. I'm
having trouble with that at the moment myself -- some spammer out there has
decided that I should get all his "bounce" messages. That's NOT what you're
seeing.
Spammers often exploit intermediate email servers if they are "open
relays", which will forward third-party email. What you've been told is
that your email server cannot be used this way by spammers.
Spammers have been known to insert a fake Received: header into messages,
to make it look like their sending machine was just a relay forwarding a
message from somewhere else. They're rarely very convincing.
I've never heard of a spammer managing to forge a convincing Received:
header line AND a corresponding message ID. I think it's extremely likely
that this spam message really did get sent by that machine in your office.
An awful lot of current spam is sent by infected/compromised machines. So
you need to check that machine thoroughly for viruses/spyware/etc. It might
not hurt to check the whole office....
David Gillett
On 9 May 2006 at 16:12, rizal sharif wrote:
> Dear All,
>
> I got a reminder from our ISP that they received a complaint of spam email
> coming from our IP Address (219.93.x.x).
>
> From the log report I can see our IP Address was in the header "Received:
> from friend (unknown [219.93.x.x])"
>
> Since our e-mail server setting is "close relay", could it be that one of the
> PCs was infected by worms/etc. which generates the SPAM? In the header
> "Message-ID: <000001c65e0d$a310a280$0100007f@IP3104_XP1>", IP3104_XP1 is one
> of the PCs in my office.
>
> Or could it be that our IP Address was spoofed in the mail header?
>
> Thank you for your help.
>
> Rizal Sharif
>
>
> Login Status Netmask IP Address
> username 1 255.255.255.252 219.93.x.x
>
> [Spam-RBL] Spam from 219.93.x.x
>
> *******************************************
>
> [French translation below]
>
> Hello,
>
> We have received a complaint for a SPAM which has been sent through your
> SMTP server or transiting through your network.
> The IP address is 219.93.x.x.
>
> 219.93.x.x: 1 complaint(s), IP address is not blacklisted
>
> You will find below the related spam with its headers enclosed.
>
> After resolving the issue, you will be able to cancel this complaint by
> visiting : http://www.spam-rbl.com/unblacklist.cgi?id=3FQVK54JVAKD9IRV15RA
>
> If you prefer use e-mail to cancel this complaint:
> After resolving the issue, you can send your message to
> [log in to unmask]
> If you can not resolve the issue but want to inform us that you will
> investigate, you can send a message to
> [log in to unmask]
>
> Finally, if this complaint was sent to you by error (forged headers for
> example), you can inform our team by sending your message to
> [log in to unmask]
> (and the complaint will be canceled)
>
>
> Sincerely,
> The Spam-RBL team.
>
> =====================================================================
>
> Hello,
>
> We have received a complaint for spam originating from your network or
> transiting through it. The IP address in question is 219.93.x.x.
>
> Statistics for 219.93.x.x: 1 complaint(s), IP not blacklisted
>
> Below you will find the mail in question, together with its headers.
>
> To cancel the complaint: after resolving the problem, you must connect to
> http://www.spam-rbl.com/unblacklist.cgi?id=3FQVK54JVAKD9IRV15RA
>
> If you prefer to use e-mail to cancel the complaint:
> After resolving the problem, send your message to
> [log in to unmask]
> If you cannot resolve the problem but wish to inform us that you are
> handling it, send your message to
> [log in to unmask]
>
> Finally, if this complaint was sent to you by mistake (forged headers,
> for example), you can inform our team by sending your message to
> [log in to unmask]
> (and the complaint will be cancelled)
>
>
> Regards,
> The Spam-RBL team.
>
> ===8<======================Start of spam============================
>
> This is a multi-part message in MIME format.
> --DeathToSpamDeathToSpamDeathToSpam
> Content-Type: text/plain; charset=us-ascii
> Content-Transfer-Encoding: 7bit
>
>
> --DeathToSpamDeathToSpamDeathToSpam
> Content-Type: message/rfc822
> Content-Disposition: attachment
>
> Return-Path: <>
> Delivered-To: spam-quarantine
> X-Envelope-From: <[log in to unmask]>
> X-Envelope-To: <[log in to unmask]>
> X-Quarantine-ID: <wpL5QHLlZ4-d>
> X-Spam-Flag: YES
> X-Spam-Score: 30.818
> X-Spam-Level: ******************************
> X-Spam-Status: Yes, score=30.818 tag=2 tag2=6.31 kill=6.31
> tests=[BAYES_99=3.5, DATE_IN_FUTURE_06_12=1.668,
> EXTRA_MPART_TYPE=1.091, HTML_90_100=0.113, HTML_IMAGE_ONLY_08=3.126,
> HTML_MESSAGE=0.001, HTML_SHORT_LINK_IMG_1=0.948,
> MIME_HTML_MOSTLY=1.102, RCVD_IN_XBL=3.897, URIBL_JP_SURBL=4.087,
> URIBL_OB_SURBL=3.008, URIBL_SBL=1.639, URIBL_SC_SURBL=4.498,
> URIBL_WS_SURBL=2.14]
> Received: from home.ellmout.net ([127.0.0.1])
> by localhost (home.ellmout.net [127.0.0.1]) (amavisd-new, port
> 10024)
> with ESMTP id wpL5QHLlZ4-d for <[log in to unmask]>;
> Wed, 12 Apr 2006 10:48:03 +0200 (CEST)
> Received: from friend (unknown [219.93.x.x])
> by home.ellmout.net (Postfix) with ESMTP id 17AE7394003
> for <[log in to unmask]>; Wed, 12 Apr 2006 10:48:00 +0200 (CEST)
> Message-ID: <000001c65e0d$a310a280$0100007f@IP3104_XP1>
> From: "Rogert" <[log in to unmask]>
> To: <[log in to unmask]>
> Subject: We cure any desease!
> Date: Wed, 12 Apr 2006 16:46:49 +0100
> MIME-Version: 1.0
> Content-Type: multipart/related;
> type="multipart/alternative";
> boundary="------------ms000207000805070105030707"
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2900.2180
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
>
> This is a multi-part message in MIME format.
>
> --------------ms000207000805070105030707
> Content-Type: multipart/alternative;
> boundary="------------ms080700060901090400070406"
>
>
> --------------ms000207000805070105030707
> Content-Type: image/jpeg;
> name="p.jpg"
> Content-Transfer-Encoding: base64
> Content-ID: <000301c634d3$5e87f4f0$aa0fa8c0@sanya>
>
> Curious about the people moderating your
> messages? Visit our staff web site:
> http://freepctech.com/staff.shtml
>
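The reasoning in the reply above (only the Received: line stamped by the complainant's own server is trustworthy; older hops and the Message-ID are sender-supplied) can be applied mechanically. This is an added example, not code from the thread; it parses a constructed copy of the quoted headers, with the documentation address 203.0.113.7 standing in for 219.93.x.x and example.org/example.net in place of the unmasked addresses.

```python
import re
from email import message_from_string

# Constructed sample modelled on the headers quoted in the complaint above;
# 203.0.113.7 (a TEST-NET-3 documentation address) stands in for 219.93.x.x.
SAMPLE = """\
Received: from home.ellmout.net ([127.0.0.1])
 by localhost (home.ellmout.net [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id wpL5QHLlZ4-d for <victim@example.org>;
 Wed, 12 Apr 2006 10:48:03 +0200 (CEST)
Received: from friend (unknown [203.0.113.7])
 by home.ellmout.net (Postfix) with ESMTP id 17AE7394003
 for <victim@example.org>; Wed, 12 Apr 2006 10:48:00 +0200 (CEST)
Message-ID: <000001c65e0d$a310a280$0100007f@IP3104_XP1>
From: "Rogert" <sender@example.net>
Subject: We cure any desease!

body
"""

# "from HELO (rdns [ip]) by SERVER" as Postfix and most MTAs write it.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+)")

def received_hops(raw):
    """Hops in delivery order (oldest first). Each MTA prepends its own
    Received: line, so the header nearest the top is the newest."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(" ".join(value.split()))  # unfold the header
        if m:
            hops.append({"helo": m["helo"], "rdns": m["rdns"] or "",
                         "ip": m["ip"], "by": m["by"]})
    return hops

def entry_point(raw, trusted):
    """Walk newest-first while the stamping server is one we trust. The last
    such hop records the IP that really connected to our infrastructure; we
    wrote that line, so the sender could not have forged it. Any older hop
    is sender-supplied and is returned as unverified."""
    hops = received_hops(raw)
    entry, unverified = None, list(hops)
    for hop in reversed(hops):
        if hop["by"] not in trusted:
            break
        entry = hop
        unverified.remove(hop)
    return entry, unverified

def message_id_host(raw):
    """Host part of Message-ID; Outlook Express puts the local machine name here."""
    m = re.search(r"@([^>]+)>", message_from_string(raw).get("Message-ID", ""))
    return m.group(1) if m else ""
```

For the quoted message the entry point is the hop Postfix stamped ("friend", no reverse DNS, the office IP) with no unverified hops beneath it, and the Message-ID host is the Windows machine name, which is what a compromised workstation sending directly to the recipient's MX looks like.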