bmsjeff
asked on
SPAM how to determine the originator? Exchange 2003
I have two users who have been receiving messages like these for the last couple of days. I don't think that they are coming from my server. How do I determine where they are originating from?
Your message did not reach some or all of the intended recipients.
Subject: smiling to you, dear
Sent: 9/10/2010 7:33 AM
The following recipient(s) could not be reached:
dta77@hotmail.com on 9/10/2010 7:33 AM
There was a SMTP communication problem with the recipient's email server. Please contact your system administrator.
<SNT0-MC3-F30.Snt0.hotmail.com #5.5.0 smtp;550 Requested action not taken: mailbox unavailable (1044235902:3448:-2147467259)>
This assumes that somebody has not forged any of the SMTP header information.
This is for the hops, not the From.
View > Options > header info.
Copy paste the entire contents into notepad
check the message-id: field
Message-ID: <76131413fe3ae29312fea96dd9fbf5@tifa-5fa7cbaf0b>
If it's an Exchange server, the part after the @ sign is the mailbox server name.
If it's Java etc., it is probably scripted through some Java/PHP mailer.
now look for this field
Received: from TIFA-5FA7CBAF0B.Local (tifadc05@112.105.178.186 with login)
by smtp109.mail.tp2.yahoo.com with SMTP; 03 Sep 2010 22:32:18 -0700 PDT
--
what I do is
a) Find the originating server - TIFA in this case.
b) Search for TIFA in the header field.
The IP address next to that = source of spam
--
But these things can be spoofed too.
I can insert fake from's to make it look like my SMTP server was the middle of the stream instead of the originator of the stream.
True @ giltjr
ASKER
Message-ID: <LbIUndNXh0000e41f@SNT0-MC3-F14.Snt0.hotmail.com>
spam
Most likely someone using Hotmail for their relay.
All of these headers can be spoofed.
They even have an X- header with a SpamAssassin signature marking it as clean.
------------------
Microsoft Mail Internet Headers Version 2.0
Received: from mail.spamserver.net ([x.x.x.x]) by exchange.myserver.com with Microsoft SMTPSVC(6.0.3790.4675);
Resent-To: info@exchange.myserver.com
Resent-From: info@myserver.com
Resent-Message-Id: <B0534444566@mail.spamserver.net>
Resent-Date: Fri, 10 Sep 2010 05:05:57 -0400
X-Modus-Audit: FALSE;0;0;0
Received: from mailin-1.spamserver.net (unverified [x.x.x.x]) by mail.spamserver.net (Vircom SMTPRS 5.0.916.0)
with ESMTP id <B0534444564@mail.spamserver.net> for <info@myserver.com>;
X-Modus-BlackList: x.x.x.x=OK;=OK
X-Modus-Trusted: x.x.x.x=NO
X-Modus-Audit: FALSE;0;0;0
Received: from snt0-omc4-s43.snt0.hotmail.com (snt0-omc4-s43.snt0.hotmail.com [65.54.51.94])
by mailin-1.spamserver.net (Postfix) with ESMTP id 4E1EAC30356
for <info@myserver.com>; Fri, 10 Sep 2010 05:00:36 -0400 (EDT)
Received: from SNT0-MC3-F14.Snt0.hotmail.com ([65.55.90.199]) by snt0-omc4-s43.snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
Fri, 10 Sep 2010 02:00:36 -0700
Message-ID: <LbIUndNXh0000e41f@SNT0-MC3-F14.Snt0.hotmail.com>
Subject: Delivery Status Notification (Failure)
X-MailScanner: Found to be clean
X-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=0,
required 7, autolearn=disabled, RCVD_IN_DNSWL_NONE -0.00)
Received: from smtp27.orange.fr ([80.12.242.96]) by SNT0-MC3-F14.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
Fri, 10 Sep 2010 02:00:36 -0700
Received: from me-wanadoo.net (localhost [127.0.0.1])
by mwinf2721.orange.fr (SMTP Server) with ESMTP id 22C8F1C00042;
Fri, 10 Sep 2010 11:00:35 +0200 (CEST)
Received: from me-wanadoo.net (localhost [127.0.0.1])
by mwinf2721.orange.fr (SMTP Server) with ESMTP id 14E071C00280;
Fri, 10 Sep 2010 11:00:35 +0200 (CEST)
Received: from FILESERVER (LRouen-152-83-1-113.w80-13.abo.wanadoo.fr [80.13.64.113])
by mwinf2721.orange.fr (SMTP Server) with SMTP id B2D3E1C00042;
Fri, 10 Sep 2010 11:00:34 +0200 (CEST)
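The procedure from the first answer (read the host after the @ in Message-ID, then walk the Received: hops and pull the IP next to the matching host) and the header dump posted above, turned into a parser. This is an added example, not code from the thread, from Exchange or from any product named in it. The two header samples are copied from the posts above with the poster's own x.x.x.x redactions kept; the trusted-domain list (myserver.com, spamserver.net) is an assumption standing in for the asker's own server and the filtering relay in front of it, and the Hop field names are mine.

```python
import ipaddress
import re
from collections import namedtuple
from email import message_from_string

# Constructed sample: the Exchange header dump posted above, trimmed to the
# fields the trace needs, with the poster's "x.x.x.x" redactions left in place.
SAMPLE_HEADERS = """\
Microsoft Mail Internet Headers Version 2.0
Received: from mail.spamserver.net ([x.x.x.x]) by exchange.myserver.com with Microsoft SMTPSVC(6.0.3790.4675);
Resent-To: info@exchange.myserver.com
Resent-From: info@myserver.com
Resent-Message-Id: <B0534444566@mail.spamserver.net>
Received: from mailin-1.spamserver.net (unverified [x.x.x.x]) by mail.spamserver.net (Vircom SMTPRS 5.0.916.0)
    with ESMTP id <B0534444564@mail.spamserver.net> for <info@myserver.com>;
Received: from snt0-omc4-s43.snt0.hotmail.com (snt0-omc4-s43.snt0.hotmail.com [65.54.51.94])
    by mailin-1.spamserver.net (Postfix) with ESMTP id 4E1EAC30356
    for <info@myserver.com>; Fri, 10 Sep 2010 05:00:36 -0400 (EDT)
Received: from SNT0-MC3-F14.Snt0.hotmail.com ([65.55.90.199]) by snt0-omc4-s43.snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
    Fri, 10 Sep 2010 02:00:36 -0700
Message-ID: <LbIUndNXh0000e41f@SNT0-MC3-F14.Snt0.hotmail.com>
Subject: Delivery Status Notification (Failure)
Received: from smtp27.orange.fr ([80.12.242.96]) by SNT0-MC3-F14.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
    Fri, 10 Sep 2010 02:00:36 -0700
Received: from me-wanadoo.net (localhost [127.0.0.1])
    by mwinf2721.orange.fr (SMTP Server) with ESMTP id 22C8F1C00042;
    Fri, 10 Sep 2010 11:00:35 +0200 (CEST)
Received: from me-wanadoo.net (localhost [127.0.0.1])
    by mwinf2721.orange.fr (SMTP Server) with ESMTP id 14E071C00280;
    Fri, 10 Sep 2010 11:00:35 +0200 (CEST)
Received: from FILESERVER (LRouen-152-83-1-113.w80-13.abo.wanadoo.fr [80.13.64.113])
    by mwinf2721.orange.fr (SMTP Server) with SMTP id B2D3E1C00042;
    Fri, 10 Sep 2010 11:00:34 +0200 (CEST)
"""

# Constructed sample: the Yahoo webmail hop quoted in the first answer. "with
# login" means an authenticated submission; the address after '@' is the client.
YAHOO_HEADERS = """\
Message-ID: <76131413fe3ae29312fea96dd9fbf5@tifa-5fa7cbaf0b>
Received: from TIFA-5FA7CBAF0B.Local (tifadc05@112.105.178.186 with login)
    by smtp109.mail.tp2.yahoo.com with SMTP; 03 Sep 2010 22:32:18 -0700 PDT
"""

Hop = namedtuple("Hop", "from_name ip by_host")   # field names are my own
IPV4 = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?![\w.])")
HEADER_START = re.compile(r"^[!-9;-~]+:")          # RFC 5322 field-name then ':'


def clean_exchange_dump(text):
    """Drop the 'Microsoft Mail Internet Headers ...' banner that Outlook's
    View > Options dialog puts in front of the headers; the email parser would
    otherwise treat everything after it as message body."""
    lines = text.splitlines()
    while lines and not HEADER_START.match(lines[0]):
        lines.pop(0)
    return "\n".join(lines) + "\n"


def public_ip(text):
    """First public IPv4 address in text, else None. Version strings such as
    5.0.916.0 match the regex but fail ip_address(); loopback and RFC 1918
    addresses are real but say nothing about the sender, so they are skipped."""
    for cand in IPV4.findall(text):
        try:
            if ipaddress.ip_address(cand).is_global:
                return cand
        except ValueError:
            continue
    return None


def parse_received(value):
    """One Received: value -> Hop, or None if there is no from/by pair.
    ip is None for a redacted [x.x.x.x] or a (localhost [127.0.0.1]) hand-off."""
    text = " ".join(value.split())                 # unfold continuation lines
    m = re.search(r"\bfrom\s+(\S+)(.*?)\s+by\s+(\S+)", text)
    if not m:
        return None
    from_name, detail, by_host = m.groups()
    return Hop(from_name, public_ip(detail), by_host.rstrip(";,"))


def is_trusted(host, suffixes):
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in map(str.lower, suffixes))


def trace(raw_headers, trusted_suffixes=()):
    """Walk the Received: chain from the top (newest hop) to the bottom (oldest).
    claimed_origin: oldest hop with a public IP, i.e. what the headers SAY the source is.
    first_verifiable: deepest hop stamped by a server in trusted_suffixes, i.e. the
    first IP you can actually vouch for; everything below it was written by others.
    message_id_hops: hops whose 'from' host matches the Message-ID host label."""
    msg = message_from_string(clean_exchange_dump(raw_headers))
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    mid = msg.get("Message-ID", "").strip().strip("<>")
    mid_host = mid.rpartition("@")[2] if "@" in mid else None
    label = mid_host.split(".")[0].lower() if mid_host else None
    boundary = None
    for hop in hops:
        if not is_trusted(hop.by_host, trusted_suffixes):
            break                                  # stamped by someone else's server
        boundary = hop
    return {
        "hops": hops,
        "message_id_host": mid_host,
        "message_id_hops": [h for h in hops if label and label in h.from_name.lower()],
        "claimed_origin": next((h for h in reversed(hops) if h.ip), None),
        "first_verifiable": boundary,
    }


if __name__ == "__main__":
    for name, raw, trusted in (("Hotmail DSN", SAMPLE_HEADERS, ("myserver.com", "spamserver.net")),
                               ("Yahoo webmail", YAHOO_HEADERS, ())):
        r = trace(raw, trusted)
        print(f"== {name}: Message-ID host = {r['message_id_host']}")
        for h in r["hops"]:
            print(f"   from {h.from_name:40} [{h.ip or '-':15}] by {h.by_host}")
        print("   first verifiable:", r["first_verifiable"])
        print("   claimed origin:  ", r["claimed_origin"])
```

Run on the posted dump, the Message-ID host is SNT0-MC3-F14.Snt0.hotmail.com, so Hotmail generated this NDR; the first IP the asker's side can vouch for is Hotmail's outbound relay 65.54.51.94, because the hop below it was stamped by a Hotmail server, not by a server the asker controls. Everything under that, down to FILESERVER at 80.13.64.113 via mwinf2721.orange.fr, is Hotmail's record of the message it bounced. That pattern, an NDR for a message the asker has no record of sending, is what a bounce to a forged sender address looks like: the original was submitted elsewhere with the user's address as envelope sender, and the rejection came back to the forged address.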
ASKER
This is the header from the e-mail telling you it was rejected.
I have no record of sending the email.