Short Q: I'm asking for help deciphering the email header below in the text so I can track down the offending spammer (user or computer), but any and all general input on what to do when placed on blacklists is welcome.
Now the whole story:
This started two days ago when a large number of external domains, say 30 or 40, started refusing our emails. Our users started getting delay notifications, then finally "message undeliverable" notices after two days of trying. I can see the emails with trouble in our Exchange queue.
Using mxtoolbox, I discovered yesterday that our mail server IP address was listed on a few blacklists: CASA-CBL, CASA-CBL+, Lashback. Using another tool, I found that we were listed in the SORBS anti-spam DB. Now when I run my IP again through mxtoolbox, I find that all the SORBS databases list my IP.
I verified that our MX record is pointing to the correct IP and that a reverse lookup is pointing to the correct name. (I also used the mxtoolbox diagnostics to confirm.)
Yesterday I delisted myself through Lashback's website. I'm momentarily ignoring the Chinese CASA-CBL lists. I made email contact with SORBS, who sent me the following header of an offending spam that was sent to their spamtrap.
I deleted my mail server name and IP address because I'm mildly paranoid right now! The email server name and IP address were correct.
Return-path: <okkos1960@nexus.on.ca>
Received: from mail.xxx.org (mail.xxx.org [198.xxx.xxx.xxx])
    by x (Postfix) with ESMTP id 5CA8211436
    for <x>; Sat, 10 May 2008 04:47:36 +1000 (EST)
Date: Fri, 09 May 2008 13:47:35 -0500
From: Harmie Stokell <okkos1960@nexus.on.ca>
Subject: omagnese
To: x
Message-id: <000901c8b205$25cef580$0a5bd8c6@TOSHIBA6100>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
Content-type: multipart/alternative;
    boundary="--------=_NextPart_000_0005_01C8B1DB.3CF8ED80"
X-Priority: 3
X-MSMail-priority: Normal
Please help me decipher the header and glean what information might lead me to the source.
It would seem that it is a Toshiba 6100 laptop that caused the problem. A likely suspect is a retired computer that someone brought to my tech to fix because it had a virus on it. I believe the tech hooked it up to our network (not sure if it was logged on to the domain) to download Spybot to it. After some attempts, the tech used the system restore disks to wipe the computer and start over. I can certainly see some best practices to follow here, but looking forward, how can I identify whether this was the culprit or whether there is another one out there?
Thanks
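An added example, mine rather than anything from the poster or from SORBS, of how to read a header like the one above mechanically instead of by eye. It parses the quoted block (reconstructed here as constructed sample input, with the poster's masked values kept as "mail.xxx.org", "198.xxx.xxx.xxx" and "x") and pulls out what is worth knowing: the Received chain oldest hop first, the X-Mailer string, the skew between the Date line the sender's mailer wrote and the first timestamp a receiving MTA stamped on it, and the host name in the Message-ID. It also decodes an IPv4 address out of the Message-ID on the assumption, not stated anywhere in the post, that Outlook Express builds Message-IDs as <timestamp$timestamp$IPHEX@HOSTNAME> with IPHEX being the sending machine's address as a little-endian 32-bit value; the function and variable names are mine.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample input: the header block quoted in the post, with the
# poster's masked values ("mail.xxx.org", "198.xxx.xxx.xxx", "x") left as
# they appear there. Continuation lines are indented, as in a real header.
SAMPLE_HEADERS = """\
Return-path: <okkos1960@nexus.on.ca>
Received: from mail.xxx.org (mail.xxx.org [198.xxx.xxx.xxx])
    by x (Postfix) with ESMTP id 5CA8211436
    for <x>; Sat, 10 May 2008 04:47:36 +1000 (EST)
Date: Fri, 09 May 2008 13:47:35 -0500
From: Harmie Stokell <okkos1960@nexus.on.ca>
Subject: omagnese
To: x
Message-id: <000901c8b205$25cef580$0a5bd8c6@TOSHIBA6100>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
Content-type: multipart/alternative;
    boundary="--------=_NextPart_000_0005_01C8B1DB.3CF8ED80"
X-Priority: 3
X-MSMail-priority: Normal

"""

# "from HELO (rdns [ip]) by HOST ... id ID ...; DATE", the common MTA shape.
HOP_RE = re.compile(
    r"^from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]*)\s*\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)"
    r"(?:.*?\bid\s+(?P<id>\S+))?"
    r".*?;\s*(?P<date>.*)$"
)

# Assumed Outlook Express Message-ID layout: <12hex$8hex$8hex@host>.
OUTLOOK_MID_RE = re.compile(
    r"^<?([0-9a-f]{12})\$([0-9a-f]{8})\$([0-9a-f]{8})@([^>]+)>?$", re.I
)


def _unfold(value):
    """Collapse folded header continuation lines into one line."""
    return " ".join(str(value).split())


def _parse_date(value):
    try:
        return parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None


def parse_received(msg):
    """Parse each Received: header, oldest hop first.

    MTAs prepend Received: lines, so the top-most header is the most recent
    hop and the bottom-most is the first server that recorded the message.
    """
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        m = HOP_RE.match(_unfold(raw))
        if not m:
            hops.append({"raw": _unfold(raw)})
            continue
        hop = m.groupdict()
        hop["when"] = _parse_date(hop["date"])
        hops.append(hop)
    return hops


def decode_outlook_message_id(message_id):
    """Host name and embedded IPv4 address from an Outlook Express style
    Message-ID, or None if the ID is not in that shape.

    Assumption (not from the post): the third hex group is the sending
    machine's IPv4 address stored little-endian. It may be a private LAN
    address, and a spammer can forge it, so verify before trusting it.
    """
    m = OUTLOOK_MID_RE.match(message_id.strip())
    if not m:
        return None
    ip_hex = m.group(3)
    octets = [int(ip_hex[i:i + 2], 16) for i in (6, 4, 2, 0)]
    return {"host": m.group(4), "embedded_ip": ".".join(str(o) for o in octets)}


def analyze(raw_headers):
    """Return the facts an investigator wants from a spamtrap header."""
    msg = email.message_from_string(raw_headers)
    hops = parse_received(msg)
    report = {
        "return_path": msg.get("Return-path"),
        "x_mailer": msg.get("X-Mailer"),
        "hops": hops,
        "message_id": decode_outlook_message_id(msg.get("Message-id", "")),
        "date_skew_seconds": None,
    }
    # Date: is written by the sender's mailer; the first Received: timestamp
    # by a server. A skew near zero means the sending clock was correct and
    # the message was relayed immediately rather than queued for hours.
    sent = _parse_date(msg.get("Date"))
    first = next((h.get("when") for h in hops if h.get("when")), None)
    if sent and first:
        report["date_skew_seconds"] = int((first - sent).total_seconds())
    return report


if __name__ == "__main__":
    result = analyze(SAMPLE_HEADERS)
    for i, hop in enumerate(result["hops"], 1):
        print(f"hop {i}: {hop.get('helo')} [{hop.get('ip')}] -> {hop.get('by')} at {hop.get('when')}")
    print("mailer:", result["x_mailer"])
    print("message-id:", result["message_id"])
    print("date skew (s):", result["date_skew_seconds"])
```

Run against the quoted header it reports a single hop, mail.xxx.org handing the message to SORBS's Postfix, so whatever submitted the message to mail.xxx.org left no Received: line of its own in this copy; the Message-ID host is TOSHIBA6100 and the decoded address is 198.216.91.10, whose first octet matches the masked 198.xxx.xxx.xxx and so is consistent with a machine on the same network, although that field should be checked against DHCP or switch logs rather than taken on trust; and Date: is one second behind the SORBS timestamp, so the sending machine's clock was right and the relay was immediate.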