Email Headers

agent007
administrator
Posts: 254
Joined: Wed Feb 12, 2003 11:26 pm

Post by agent007 » Tue May 11, 2004 4:10 am

hi,

Would it be possible to know where this SPAM originated from? Gohip.com is a form of spyware, collegeclub.com harvests email addresses and 218.65.110.93 resolves to a Chinese address....

TIA
Received: from unknown (HELO 64.46.101.4) (218.65.110.93) by mail.relio.com with SMTP; 11 May 2004 05:06:34 -0000
X-Message-Info: 09expHMZmlkDMO698ILXflWQ9TGG917QozxMjgzcpELyDHWfwz9GM
Received: from collegeclub.com ([42.85.181.220]) by fc064-iyn9.collegeclub.com with Microsoft SMTPSVC(6.4.5313.1806); Tue, 11 May 2004 08:12:08 +0300
Received: from collegeclub.com (collegeclub.com [158.134.112.37]) by collegeclub.com (8.12.10/8.12.9) with ESMTP id hf863BMK6599 for <subscribe@****.com>; Tue, 11 May 2004 02:15:08 -0300 (EST) (envelope-from JLSCLUWED@gohip.com)
Received: from CVK8[5
Content-Length: 0

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main » Tue May 11, 2004 9:26 am

The address the message came from is 42.85.181.220. This is not necessarily the originating address (probably isn't), but it is the server that directly delivered the message to your mail server (these are the addresses that I block). All of the names in this particular message are illusions. The first address within the "[]" (brackets) in the received line is the address of the server that made the final delivery to your machine. Again, anything else you see in there can be forged. Now, if there was a name *within* the "()" parens along with the "[]" then it most likely is an accurate host name, but I have also seen it forged. For instance, if you see this in the "received" line:

(somehost.somedomain.com [123.123.123.123])

It usually is a correct name and address (although the name isn't necessarily the official name publicly registered in DNS, but at least an accurate name from the actual machine that passed the message on to you). If the name is outside of the ()'s (like in your example) then it most definitely is a fake designed to fool the recipient.

agent007
administrator
Posts: 254
Joined: Wed Feb 12, 2003 11:26 pm

Post by agent007 » Tue May 11, 2004 9:58 am

Void,

Just a small question....

What about the 1st line? Isn't it possible that 42.85.181.220 delivered the mail to 218.65.110.93 [this could be an open relay] which then finally sent it to the mail server [relio]? I thought this is the line which shows my server receiving the mail..

thanks..

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main » Tue May 11, 2004 11:08 am

It *could* be, but usually the first line is the originating machine, which is usually a person's desktop or laptop where the message originated from, and I believe it to be easily spoofed. You want to block the machines that connected directly to your mail server to deliver the message, and they certainly don't do enough checking as to the validity of the message that they pass on.
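The question the thread turns on (which Received: line to believe, and which address to block) can be worked through mechanically. The following Python is an added example, not code from the thread or from either poster: it unfolds the header block from the first post, walks the Received: lines from the top down, and records for each hop the address the receiving MTA saw the TCP connection come from, any name that MTA resolved itself (the "(name [ip])" form Void Main describes), and the client's own HELO claim. Because every MTA prepends its own Received: line, the topmost line was written by the recipient's server and is the only hop whose recorded connecting address the sender never had a chance to edit; every line beneath it arrived inside the message body of the SMTP transaction and may be forged. The sample input is the posted header block with the forum's line wrapping undone and with a folded continuation line added to exercise the unfolding step; treating "relio.com" as the reader's own MTA domain is an assumption taken from that header.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the header block posted in the thread, rewrapped. Tabs at the
# start of a line are RFC 822 folding. The truncated "CVK8[5" line is kept as posted.
SAMPLE_HEADERS = """\
Received: from unknown (HELO 64.46.101.4) (218.65.110.93) by mail.relio.com with SMTP; 11 May 2004 05:06:34 -0000
X-Message-Info: 09expHMZmlkDMO698ILXflWQ9TGG917QozxMjgzcpELyDHWfwz9GM
Received: from collegeclub.com ([42.85.181.220]) by fc064-iyn9.collegeclub.com with Microsoft
\tSMTPSVC(6.4.5313.1806); Tue, 11 May 2004 08:12:08 +0300
Received: from collegeclub.com (collegeclub.com [158.134.112.37]) by collegeclub.com (8.12.10/8.12.9)
\twith ESMTP id hf863BMK6599 for <subscribe@****.com>; Tue, 11 May 2004 02:15:08 -0300 (EST)
\t(envelope-from JLSCLUWED@gohip.com)
Received: from CVK8[5
Content-Length: 0
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
IP_RE = re.compile(r"\b(" + IPV4 + r")\b")
PAREN_RE = re.compile(r"\(([^()]*)\)")
# Matches "name [ip]" or just "[ip]"; the name, if present, was resolved by the receiving MTA.
BRACKET_IP_RE = re.compile(r"(?:([A-Za-z0-9.-]+)\s+)?\[(" + IPV4 + r")\]")


@dataclass
class Hop:
    claimed_from: str             # token after "from ": what the MTA logged as the client name (unverified)
    helo: Optional[str]           # HELO argument when the MTA logs it separately (qmail style)
    rdns: Optional[str]           # name the receiving MTA resolved itself, "(name [ip])" style
    connecting_ip: Optional[str]  # address the receiving MTA actually saw the connection from
    by_host: Optional[str]        # the MTA that wrote this line
    trusted: bool = False         # True only for the line written by our own MTA


def unfold(raw: str) -> List[str]:
    """Join folded continuation lines (leading whitespace) back onto their header."""
    out: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def parse_received(value: str) -> Hop:
    """Pull the from/by clause apart for one Received: header value."""
    body = value.strip()
    if body.lower().startswith("from "):
        body = body[5:]
    from_part, sep, rest = body.partition(" by ")
    by_host = rest.split()[0] if sep and rest.split() else None
    tokens = from_part.split()
    claimed = tokens[0] if tokens else ""
    helo = rdns = ip = None
    m = BRACKET_IP_RE.search(from_part)
    if m:
        rdns, ip = m.group(1), m.group(2)
    else:
        # No bracketed address: fall back to the parenthesised groups (qmail style).
        for group in PAREN_RE.findall(from_part):
            words = group.split()
            if words and words[0].upper() in ("HELO", "EHLO") and len(words) > 1:
                helo = words[1]
            else:
                found = IP_RE.search(group)
                if found:
                    ip = found.group(1)
    return Hop(claimed, helo, rdns, ip, by_host)


def trace(raw: str, our_mta: str) -> List[Hop]:
    """Walk Received: lines top-down. Each MTA prepends its own line, so the topmost
    one was written by the recipient's server; only that hop's connecting address is
    trusted, and only if the 'by' host really is ours."""
    hops = [parse_received(line.split(":", 1)[1])
            for line in unfold(raw) if line.lower().startswith("received:")]
    if hops and hops[0].by_host and hops[0].by_host.lower().endswith(our_mta.lower()):
        hops[0].trusted = True
    return hops


def address_to_block(hops: List[Hop]) -> Optional[str]:
    """The address that actually connected to our MTA; None if the top line is not ours."""
    return hops[0].connecting_ip if hops and hops[0].trusted else None


def forgery_indicators(hop: Hop) -> List[str]:
    """Cheap consistency checks on one hop; any hit is a reason to distrust the names."""
    notes = []
    if hop.helo and IP_RE.fullmatch(hop.helo) and hop.helo != hop.connecting_ip:
        notes.append(f"HELO claims {hop.helo} but the connection came from {hop.connecting_ip}")
    if hop.rdns is None and hop.connecting_ip:
        notes.append("no '(name [ip])' pair recorded, so the name after 'from' was not confirmed by the receiving MTA")
    if hop.connecting_ip is None:
        notes.append("no connecting address recorded; line is malformed or truncated")
    return notes


if __name__ == "__main__":
    hops = trace(SAMPLE_HEADERS, "relio.com")
    for i, h in enumerate(hops):
        print(f"hop {i}: from={h.claimed_from!r} ip={h.connecting_ip} by={h.by_host} trusted={h.trusted}")
        for note in forgery_indicators(h):
            print("   !", note)
    print("address to block:", address_to_block(hops))
```

On the posted headers the top hop was written by mail.relio.com and records 218.65.110.93 as the connecting address, with a HELO string that is a different IP; the 42.85.181.220 and 158.134.112.37 hops below it were supplied by whoever handed the message to 218.65.110.93 and carry no independent evidence. Passing a domain that does not match the top "by" host makes `address_to_block` return None, which is the right answer when the message reached you through a relay you do not control.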
