bmsjeff
asked on
SPAM how to determine the originator? Exchange 2003
I have two users who have been receiving messages like these for the last couple of days. I don't think that they are coming from my server. How do I determine where they are originating from?
Your message did not reach some or all of the intended recipients.
Subject: smiling to you, dear
Sent: 9/10/2010 7:33 AM
The following recipient(s) could not be reached:
dta77@hotmail.com on 9/10/2010 7:33 AM
There was a SMTP communication problem with the recipient's email server. Please contact your system administrator.
<SNT0-MC3-F30.Snt0.hotmail.com #5.5.0 smtp;550 Requested action not taken: mailbox unavailable (1044235902:3448:-2147467259)>
This assumes that somebody has not forged any of the SMTP header information.
This is for the hops, not the From.
View > Options > header info.
Copy paste the entire contents into notepad
check the message-id: field
Message-ID: <76131413fe3ae29312fea96dd9fbf5@tifa-5fa7cbaf0b>
If it's an Exchange server - the part after the @ sign is the mailbox server name.
If it's Java etc. - it is probably scripted through some Java/PHP mailer.
Now look for this field:
Received: from TIFA-5FA7CBAF0B.Local (tifadc05@112.105.178.186 with login)
by smtp109.mail.tp2.yahoo.com with SMTP; 03 Sep 2010 22:32:18 -0700 PDT
--
what I do is
a) Find the originating server - TIFA in this case.
b) Search for TIFA in the header field.
The IP address next to that = source of spam
--
But these things can be spoofed too.
I can insert fake from's to make it look like my SMTP server was the middle of the stream instead of the originator of the stream.
True @ giltjr
ASKER
Message-ID: <LbIUndNXh0000e41f@SNT0-MC3-F14.Snt0.hotmail.com>
spam
most likely someone using hotmail for their relay
All of these headers can be spoofed.
They even have an X- header with a SpamAssassin signature as clean.
------------------
Microsoft Mail Internet Headers Version 2.0
Received: from mail.spamserver.net ([x.x.x.x]) by exchange.myserver.com with Microsoft SMTPSVC(6.0.3790.4675);
Resent-To: info@exchange.myserver.com
Resent-From: info@myserver.com
Resent-Message-Id: <B0534444566@mail.spamserver.net>
Resent-Date: Fri, 10 Sep 2010 05:05:57 -0400
X-Modus-Audit: FALSE;0;0;0
Received: from mailin-1.spamserver.net (unverified [x.x.x.x]) by mail.spamserver.net (Vircom SMTPRS 5.0.916.0)
with ESMTP id <B0534444564@mail.spamserver.net> for <info@myserver.com>;
X-Modus-BlackList: x.x.x.x=OK;=OK
X-Modus-Trusted: x.x.x.x=NO
X-Modus-Audit: FALSE;0;0;0
Received: from snt0-omc4-s43.snt0.hotmail.com (snt0-omc4-s43.snt0.hotmail.com [65.54.51.94])
by mailin-1.spamserver.net (Postfix) with ESMTP id 4E1EAC30356
for <info@myserver.com>; Fri, 10 Sep 2010 05:00:36 -0400 (EDT)
Received: from SNT0-MC3-F14.Snt0.hotmail.com ([65.55.90.199]) by snt0-omc4-s43.snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
Fri, 10 Sep 2010 02:00:36 -0700
Message-ID: <LbIUndNXh0000e41f@SNT0-MC3-F14.Snt0.hotmail.com>
Subject: Delivery Status Notification (Failure)
X-MailScanner: Found to be clean
X-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=0,
required 7, autolearn=disabled, RCVD_IN_DNSWL_NONE -0.00)
Received: from smtp27.orange.fr ([80.12.242.96]) by SNT0-MC3-F14.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
Fri, 10 Sep 2010 02:00:36 -0700
Received: from me-wanadoo.net (localhost [127.0.0.1])
by mwinf2721.orange.fr (SMTP Server) with ESMTP id 22C8F1C00042;
Fri, 10 Sep 2010 11:00:35 +0200 (CEST)
Received: from me-wanadoo.net (localhost [127.0.0.1])
by mwinf2721.orange.fr (SMTP Server) with ESMTP id 14E071C00280;
Fri, 10 Sep 2010 11:00:35 +0200 (CEST)
Received: from FILESERVER (LRouen-152-83-1-113.w80-13.abo.wanadoo.fr [80.13.64.113])
by mwinf2721.orange.fr (SMTP Server) with SMTP id B2D3E1C00042;
Fri, 10 Sep 2010 11:00:34 +0200 (CEST)
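As an added example (not code from any poster in this thread), the Python below does mechanically what the two posts above describe by hand: it unfolds the header, walks the Received: lines from the bottom (earliest hop) upward, skips loopback and private hops, and reports the first routable IP as the probable origin. It handles both forms seen in the thread, the usual "(rdns [ip])" and the Yahoo webmail "(user@ip with login)" from the earlier post, and it applies the caveat both posts make: every field below your own MTA's Received: line (here the one written "by exchange.myserver.com") arrived with the message, so the X-MailScanner-SpamCheck "not spam" verdict carries no weight. SAMPLE_HEADERS is an abridged transcription of the header quoted above with the poster's x.x.x.x placeholders kept as given; TIFA_HOP is the Received: line quoted in the earlier post; the function names are mine.

```python
"""Walk an SMTP Received: chain bottom-up to find the probable origin of a message.
Added example for this thread, not any poster's code. SAMPLE_HEADERS is an abridged
transcription of the header quoted in the thread; TIFA_HOP is from the earlier post."""
import ipaddress
import re

SAMPLE_HEADERS = """\
Received: from mail.spamserver.net ([x.x.x.x]) by exchange.myserver.com with Microsoft SMTPSVC(6.0.3790.4675);
Resent-From: info@myserver.com
Received: from mailin-1.spamserver.net (unverified [x.x.x.x]) by mail.spamserver.net (Vircom SMTPRS 5.0.916.0)
 with ESMTP id <B0534444564@mail.spamserver.net> for <info@myserver.com>;
Received: from snt0-omc4-s43.snt0.hotmail.com (snt0-omc4-s43.snt0.hotmail.com [65.54.51.94])
 by mailin-1.spamserver.net (Postfix) with ESMTP id 4E1EAC30356
 for <info@myserver.com>; Fri, 10 Sep 2010 05:00:36 -0400 (EDT)
Received: from SNT0-MC3-F14.Snt0.hotmail.com ([65.55.90.199]) by snt0-omc4-s43.snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
 Fri, 10 Sep 2010 02:00:36 -0700
Message-ID: <LbIUndNXh0000e41f@SNT0-MC3-F14.Snt0.hotmail.com>
Subject: Delivery Status Notification (Failure)
X-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=0,
 required 7, autolearn=disabled, RCVD_IN_DNSWL_NONE -0.00)
Received: from smtp27.orange.fr ([80.12.242.96]) by SNT0-MC3-F14.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
 Fri, 10 Sep 2010 02:00:36 -0700
Received: from me-wanadoo.net (localhost [127.0.0.1])
 by mwinf2721.orange.fr (SMTP Server) with ESMTP id 22C8F1C00042;
 Fri, 10 Sep 2010 11:00:35 +0200 (CEST)
Received: from FILESERVER (LRouen-152-83-1-113.w80-13.abo.wanadoo.fr [80.13.64.113])
 by mwinf2721.orange.fr (SMTP Server) with SMTP id B2D3E1C00042;
 Fri, 10 Sep 2010 11:00:34 +0200 (CEST)
"""
TIFA_HOP = ("from TIFA-5FA7CBAF0B.Local (tifadc05@112.105.178.186 with login) "
            "by smtp109.mail.tp2.yahoo.com with SMTP; 03 Sep 2010 22:32:18 -0700 PDT")

HEADER_RE = re.compile(r"^([!-9;-~]+):\s*(.*)$")  # RFC 5322 field-name ':' value
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}|x\.x\.x\.x)\b")
RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)"          # name the sending host announced in HELO/EHLO
    r"(?:\s+\((?P<paren>[^)]*)\))?"   # receiving MTA's view: (rdns [ip]) or (user@ip with login)
    r".*?\bby\s+(?P<by>\S+)",         # the host that wrote this line
    re.IGNORECASE | re.DOTALL)

def unfold(raw):
    """Return [(name, value)] with folded continuation lines joined onto their field."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1] = (fields[-1][0], fields[-1][1] + " " + line.strip())
        elif (m := HEADER_RE.match(line)):
            fields.append((m.group(1), m.group(2)))
    return fields

def parse_received(value):
    """Split one Received: value into announced name, reverse-DNS name, IP and receiving host."""
    m = RECEIVED_RE.match(value.strip())
    if not m:
        return None
    paren = m.group("paren") or ""
    bracket = re.search(r"\[([^\]]+)\]", paren)      # prefer the [ip] the receiving MTA recorded
    if bracket and IPV4_RE.fullmatch(bracket.group(1)):
        ip = bracket.group(1)
    else:
        bare = IPV4_RE.search(paren)                  # webmail style "(user@1.2.3.4 with login)"
        ip = bare.group(1) if bare else None
    first = paren.split()[0] if paren else ""
    rdns = first if ("." in first or first == "localhost") and "@" not in first and first[:1] != "[" else None
    return {"helo": m.group("helo"), "rdns": rdns, "ip": ip, "by": m.group("by")}

def classify(ip):
    """loopback / private / public / redacted / unknown, so non-routable hops can be skipped."""
    if ip is None:
        return "unknown"
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "redacted"    # the x.x.x.x the poster substituted for real addresses
    return "loopback" if addr.is_loopback else "private" if addr.is_private else "public"

def trace_hops(raw):
    """Hops in chronological order: the bottom-most Received: line is the earliest hop."""
    received = [v for n, v in unfold(raw) if n.lower() == "received"]
    return [h for h in map(parse_received, reversed(received)) if h]

def probable_origin(raw):
    """Earliest hop with a routable IP. Lines below your own MTA's are the sender's word: a lead, not proof."""
    return next((h for h in trace_hops(raw) if classify(h["ip"]) == "public"), None)

def untrusted_fields(raw, own_host):
    """Field names below the topmost Received: written 'by own_host': they arrived with the message."""
    fields = unfold(raw)
    for i, (name, value) in enumerate(fields):
        if name.lower() == "received" and re.search(r"\bby\s+%s\b" % re.escape(own_host), value, re.I):
            return [n for n, _ in fields[i + 1:]]
    return [n for n, _ in fields]    # own hop not found: trust nothing

if __name__ == "__main__":
    for hop in trace_hops(SAMPLE_HEADERS):
        print(f"{hop['helo']:<32} {hop['ip'] or '-':<16} {classify(hop['ip']):<9} -> {hop['by']}")
    origin = probable_origin(SAMPLE_HEADERS)
    print("probable origin:", origin["ip"], "announced as", origin["helo"], "rDNS", origin["rdns"])
    print("Yahoo webmail hop from the earlier post:", parse_received(TIFA_HOP))
    print("SpamCheck verdict written by our MTA?",
          "X-MailScanner-SpamCheck" not in untrusted_fields(SAMPLE_HEADERS, "exchange.myserver.com"))
```

On the quoted header this lands on 80.13.64.113, a Wanadoo subscriber line that announced itself as FILESERVER, two loopback hops below the first orange.fr relay; the announced name disagreeing with the reverse DNS is itself a useful flag. Only the topmost Received: line was written by your own Exchange server, so that is the only hop you can vouch for; the rest is a lead to hand to the upstream provider's abuse desk, not proof.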
ASKER
This is the header from the e-mail telling you it was rejected.
I have no record of sending the email.