We value your feedback.
Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!
Course Of The Month
10 days, 4 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
SPAM how to determine the originator? Exchange 2003
Posted on 2010-09-10
I have two users who have been recieving messages like these for the last couple of days. I don't think that they are coming from my server. How do I determine where they are originating from?
Your message did not reach some or all of the intended recipients.
Subject: smiling to you, dear
Sent: 9/10/2010 7:33 AM
The following recipient(s) could not be reached:
dta77@hotmail.com on 9/10/2010 7:33 AM
There was a SMTP communication problem with the recipient's email server. Please contact your system administrator.
<SNT0-MC3-F30.Snt0.hotmail
Your message did not reach some or all of the intended recipients.
Subject: smiling to you, dear
Sent: 9/10/2010 7:33 AM
The following recipient(s) could not be reached:
dta77@hotmail.com on 9/10/2010 7:33 AM
There was a SMTP communication problem with the recipient's email server. Please contact your system administrator.
<SNT0-MC3-F30.Snt0.hotmail
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
4
4
3- +1
13 Comments
right click on the message and select message options
review the header to determine the origin
the first entry at the top should be your server receiving it and as you go down the last will be the source
review the header to determine the origin
the first entry at the top should be your server receiving it and as you go down the last will be the source
Active 2 days ago
view > options > header info.
Copy paste the entire contents into notepad
check the message-id: field
Message-ID: <76131413fe3ae29312fea96dd
If its a exchange server - the part after the @ sign is the mailbox servername.
If its java etc - it is probably scripted through some Java/PHP mailer
now look for this field
Received: from TIFA-5FA7CBAF0B.Local (tifadc05@112.105.178.186 with login)
by smtp109.mail.tp2.yahoo.com
--
what I do is
a) Find the originating server - TIFA in this case.
b) Search for TIFA in the header field.
The IP address next to that = source of spam
--
But these things can be spoofed too.
Copy paste the entire contents into notepad
check the message-id: field
Message-ID: <76131413fe3ae29312fea96dd
If its a exchange server - the part after the @ sign is the mailbox servername.
If its java etc - it is probably scripted through some Java/PHP mailer
now look for this field
Received: from TIFA-5FA7CBAF0B.Local (tifadc05@112.105.178.186 with login)
by smtp109.mail.tp2.yahoo.com
--
what I do is
a) Find the originating server - TIFA in this case.
b) Search for TIFA in the header field.
The IP address next to that = source of spam
--
But these things can be spoofed too.
Active 1 day ago
I can insert fake from's to make it look like my SMTP server was the middle of the stream instead of the originator of the stream.
Active 1 day ago
If you beleive everything the 1st entry point is:
Received: from FILESERVER (LRouen-152-83-1-113.w80-1
by mwinf2721.orange.fr (SMTP Server) with SMTP id B2D3E1C00042;
Fri, 10 Sep 2010 11:00:34 +0200 (CEST)
Which means a computer with the IP address of 80.13.64.113 sent them e-mail thru the smtp server mwinf2721.orange.fr
Now are these the header from the e-mail telling you it was rejected? Or are these the headers from the rejected e-mail?
Received: from FILESERVER (LRouen-152-83-1-113.w80-1
by mwinf2721.orange.fr (SMTP Server) with SMTP id B2D3E1C00042;
Fri, 10 Sep 2010 11:00:34 +0200 (CEST)
Which means a computer with the IP address of 80.13.64.113 sent them e-mail thru the smtp server mwinf2721.orange.fr
Now are these the header from the e-mail telling you it was rejected? Or are these the headers from the rejected e-mail?
Active 2 days ago
all of these headers can be spoofed.
They even have a x- header with spam assassin signature as clean.
------------------
Microsoft Mail Internet Headers Version 2.0
Received: from mail.spamserver.net ([x.x.x.x]) by exchange.myserver.com with Microsoft SMTPSVC(6.0.3790.4675);
Resent-To: info@exchange.myserver.com
Resent-From: info@myserver.com
Resent-Message-Id: <B0534444566@mail.spamserv
Resent-Date: Fri, 10 Sep 2010 05:05:57 -0400
X-Modus-Audit: FALSE;0;0;0
Received: from mailin-1.spamserver.net (unverified [x.x.x.x]) by mail.spamserver.net (Vircom SMTPRS 5.0.916.0)
with ESMTP id <B0534444564@mail.spamserv
X-Modus-BlackList: x.x.x.x=OK;=OK
X-Modus-Trusted: x.x.x.x=NO
X-Modus-Audit: FALSE;0;0;0
Received: from snt0-omc4-s43.snt0.hotmail
by mailin-1.spamserver.net (Postfix) with ESMTP id 4E1EAC30356
for <info@myserver.com>; Fri, 10 Sep 2010 05:00:36 -0400 (EDT)
Received: from SNT0-MC3-F14.Snt0.hotmail.
Fri, 10 Sep 2010 02:00:36 -0700
Message-ID: <LbIUndNXh0000e41f@SNT0-MC
Subject: Delivery Status Notification (Failure)
X-MailScanner: Found to be clean
X-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=0,
required 7, autolearn=disabled, RCVD_IN_DNSWL_NONE -0.00)
Received: from smtp27.orange.fr ([80.12.242.96]) by SNT0-MC3-F14.Snt0.hotmail.
Fri, 10 Sep 2010 02:00:36 -0700
Received: from me-wanadoo.net (localhost [127.0.0.1])
by mwinf2721.orange.fr (SMTP Server) with ESMTP id 22C8F1C00042;
Fri, 10 Sep 2010 11:00:35 +0200 (CEST)
Received: from me-wanadoo.net (localhost [127.0.0.1])
by mwinf2721.orange.fr (SMTP Server) with ESMTP id 14E071C00280;
Fri, 10 Sep 2010 11:00:35 +0200 (CEST)
Received: from FILESERVER (LRouen-152-83-1-113.w80-1
by mwinf2721.orange.fr (SMTP Server) with SMTP id B2D3E1C00042;
Fri, 10 Sep 2010 11:00:34 +0200 (CEST)
They even have a x- header with spam assassin signature as clean.
------------------
Microsoft Mail Internet Headers Version 2.0
Received: from mail.spamserver.net ([x.x.x.x]) by exchange.myserver.com with Microsoft SMTPSVC(6.0.3790.4675);
Resent-To: info@exchange.myserver.com
Resent-From: info@myserver.com
Resent-Message-Id: <B0534444566@mail.spamserv
Resent-Date: Fri, 10 Sep 2010 05:05:57 -0400
X-Modus-Audit: FALSE;0;0;0
Received: from mailin-1.spamserver.net (unverified [x.x.x.x]) by mail.spamserver.net (Vircom SMTPRS 5.0.916.0)
with ESMTP id <B0534444564@mail.spamserv
X-Modus-BlackList: x.x.x.x=OK;=OK
X-Modus-Trusted: x.x.x.x=NO
X-Modus-Audit: FALSE;0;0;0
Received: from snt0-omc4-s43.snt0.hotmail
by mailin-1.spamserver.net (Postfix) with ESMTP id 4E1EAC30356
for <info@myserver.com>; Fri, 10 Sep 2010 05:00:36 -0400 (EDT)
Received: from SNT0-MC3-F14.Snt0.hotmail.
Fri, 10 Sep 2010 02:00:36 -0700
Message-ID: <LbIUndNXh0000e41f@SNT0-MC
Subject: Delivery Status Notification (Failure)
X-MailScanner: Found to be clean
X-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=0,
required 7, autolearn=disabled, RCVD_IN_DNSWL_NONE -0.00)
Received: from smtp27.orange.fr ([80.12.242.96]) by SNT0-MC3-F14.Snt0.hotmail.
Fri, 10 Sep 2010 02:00:36 -0700
Received: from me-wanadoo.net (localhost [127.0.0.1])
by mwinf2721.orange.fr (SMTP Server) with ESMTP id 22C8F1C00042;
Fri, 10 Sep 2010 11:00:35 +0200 (CEST)
Received: from me-wanadoo.net (localhost [127.0.0.1])
by mwinf2721.orange.fr (SMTP Server) with ESMTP id 14E071C00280;
Fri, 10 Sep 2010 11:00:35 +0200 (CEST)
Received: from FILESERVER (LRouen-152-83-1-113.w80-1
by mwinf2721.orange.fr (SMTP Server) with SMTP id B2D3E1C00042;
Fri, 10 Sep 2010 11:00:34 +0200 (CEST)
Active 2 days ago
To answer your question
This is the source and then it got routed through others (Received From fields)
--------
Received: from FILESERVER (LRouen-152-83-1-113.w80-1
by mwinf2721.orange.fr (SMTP Server) with SMTP id B2D3E1C00042;
---------
Can you download a trial of VamSoft ORF
www.vamsoft.com/orfee_features.asp
It provides a before/after scenario and out of the box functionality for backscatter and other spam attacks.
This is the source and then it got routed through others (Received From fields)
--------
Received: from FILESERVER (LRouen-152-83-1-113.w80-1
by mwinf2721.orange.fr (SMTP Server) with SMTP id B2D3E1C00042;
---------
Can you download a trial of VamSoft ORF
www.vamsoft.com/orfee_features.asp
It provides a before/after scenario and out of the box functionality for backscatter and other spam attacks.
Featured Post
Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies. Only from Platform Scholar.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Scam emails are a huge burden for many businesses. Spotting one is not always easy. Follow our tips to identify if an email you receive is a scam.
This article aims to explain the working of CircularLogArchiver. This tool was designed to solve the buildup of log file in cases where systems do not support circular logging or where circular logging is not enabled
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center.
Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center.
Navigate to the Mail Flow >> Rules tab.: To cr…
The video tutorial explains the basics of the Exchange server Database Availability groups.
The components of this video include:
1. Automatic Failover
2. Failover Clustering
3. Active Manager
Suggested Courses
Earn Certification
HTML5 Specialist - Certification
Free withPremium
Course of the Month10 days, 4 hours left to enroll
Earn Certification
MTA - Cloud Fundamentals - 98-369
$59.00$53.10
624 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.