Solved

Email header question

Posted on 2010-09-14
Last Modified: 2012-05-10
I have a user getting 10 - 20 spam emails a day that are not getting detected by the Vipre Email Security on their SBS box.  The subject and the body are about 4 letters long.  Is there a way to better trace this to be able to stop it?  There are also X-AntiAbuse fields in this header that I am not familiar with.  

I have traced the first IP address to Indonesia but how should I proceed?

Any help would be greatly appreciated.


Microsoft Mail Internet Headers Version 2.0
X-Ninja-PIM: Scanned by Ninja
Received: from mop100.hostmop.com ([203.217.173.100]) by ars-llc.com with Microsoft SMTPSVC(6.0.3790.3959);
                 Fri, 3 Sep 2010 02:37:05 -0400
Received: from gspiacid by mop100.hostmop.com with local (Exim 4.69)
                (envelope-from <gspiacid@mop100.hostmop.com>)
                id 1OrPtY-0005KP-HF
                for myemail@mydomian.com; Fri, 03 Sep 2010 13:37:04 +0700
To: myemail@mydomain.com
Subject: gsp
X-PHP-Script: gsp-international.ac.id/xern.php for 41.125.60.128
From: remo <defi@ikler.com>
Message-Id: <1307464001.136@ikler.com>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Date: Fri, 03 Sep 2010 13:37:04 +0700
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - mop100.hostmop.com
X-AntiAbuse: Original Domain - mydomain.com
X-AntiAbuse: Originator/Caller UID/GID - [674 671] / [47 12]
X-AntiAbuse: Sender Address Domain - mop100.hostmop.com
Return-Path: gspiacid@mop100.hostmop.com
X-OriginalArrivalTime: 03 Sep 2010 06:37:06.0374 (UTC) FILETIME=[6D42E660:01CB4B32]
0
Question by:kloux
9 Comments
 
LVL 8

Expert Comment

by:Camy
ID: 33672416
Do they come from different sending addresses?
Do all the headers show different sending servers? (mop100.hostmop.com ([203.217.173.100])
0
 
LVL 4

Author Comment

by:kloux
ID: 33672442
Unfortunately they are all different addresses and domains every time.  Here are some more headers I have:


Microsoft Mail Internet Headers Version 2.0
X-Ninja-PIM: Scanned by Ninja
Received: from sparkle.superdomainzone.com ([69.175.84.174]) by ars-llc.com with Microsoft SMTPSVC(6.0.3790.3959);
                 Fri, 3 Sep 2010 02:28:25 -0400
Received: from wwwseoe by sparkle.superdomainzone.com with local (Exim 4.69)
                (envelope-from <wwwseoe@sparkle.superdomainzone.com>)
                id 1OrPlK-0008R7-R7
                for cfontana@ars-llc.com; Fri, 03 Sep 2010 01:28:34 -0500
To: cfontana@ars-llc.com
Subject: seos
X-PHP-Script: seoestodo.com.ar/xern.php for 41.125.60.128
From: naki <cedi@reso.com>
Message-Id: <1307464001.136@reso.com>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Date: Fri, 03 Sep 2010 01:28:34 -0500
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - sparkle.superdomainzone.com
X-AntiAbuse: Original Domain - ars-llc.com
X-AntiAbuse: Originator/Caller UID/GID - [1235 1235] / [47 12]
X-AntiAbuse: Sender Address Domain - sparkle.superdomainzone.com
Return-Path: wwwseoe@sparkle.superdomainzone.com
X-OriginalArrivalTime: 03 Sep 2010 06:28:25.0118 (UTC) FILETIME=[36918BE0:01CB4B31]



Microsoft Mail Internet Headers Version 2.0
X-Ninja-PIM: Scanned by Ninja
Received: from anson.webserversystems.com ([74.54.107.134]) by ars-llc.com with Microsoft SMTPSVC(6.0.3790.3959);
                 Fri, 3 Sep 2010 02:22:50 -0400
Received: from holgroup by anson.webserversystems.com with local (Exim 4.69)
                (envelope-from <holgroup@anson.webserversystems.com>)
                id 1OrPfl-0001kG-Uz
                for cfontana@ars-llc.com; Fri, 03 Sep 2010 01:22:49 -0500
To: cfontana@ars-llc.com
Subject: chri
X-PHP-Script: www.chrishollowaygroup.com/site//xern.php for 41.125.60.128
From: mena <deci@weci.com>
Message-Id: <1307464001.136@weci.com>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Date: Fri, 03 Sep 2010 01:22:49 -0500
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - anson.webserversystems.com
X-AntiAbuse: Original Domain - ars-llc.com
X-AntiAbuse: Originator/Caller UID/GID - [2689 32003] / [47 12]
X-AntiAbuse: Sender Address Domain - anson.webserversystems.com
X-Source: /usr/bin/php
X-Source-Args: /usr/bin/php /home/holgroup/public_html/site/xern.php
X-Source-Dir: chrishollowaygroup.com:/public_html/site
Return-Path: holgroup@anson.webserversystems.com
X-OriginalArrivalTime: 03 Sep 2010 06:22:50.0551 (UTC) FILETIME=[6F26AC70:01CB4B30]





Microsoft Mail Internet Headers Version 2.0
X-Ninja-PIM: Scanned by Ninja
Received: from djpro.djpro-hosting.com ([95.211.127.21]) by ars-llc.com with Microsoft SMTPSVC(6.0.3790.3959);
                 Fri, 3 Sep 2010 02:22:09 -0400
Received: from rovinjro by djpro.djpro-hosting.com with local (Exim 4.69)
                (envelope-from <rovinjro@djpro.djpro-hosting.com>)
                id 1OrPf1-0000ut-76
                for cfontana@ars-llc.com; Fri, 03 Sep 2010 08:22:03 +0200
To: cfontana@ars-llc.com
Subject: rov
From: leke <revo@piok.com>
Message-Id: <1307464001.136@piok.com>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Date: Fri, 03 Sep 2010 08:22:03 +0200
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - djpro.djpro-hosting.com
X-AntiAbuse: Original Domain - ars-llc.com
X-AntiAbuse: Originator/Caller UID/GID - [524 520] / [47 12]
X-AntiAbuse: Sender Address Domain - djpro.djpro-hosting.com
Return-Path: rovinjro@djpro.djpro-hosting.com
X-OriginalArrivalTime: 03 Sep 2010 06:22:09.0332 (UTC) FILETIME=[56952740:01CB4B30]





Microsoft Mail Internet Headers Version 2.0
X-Ninja-PIM: Scanned by Ninja
Received: from nurburgring.webserversystems.com ([174.121.79.98]) by ars-llc.com with Microsoft SMTPSVC(6.0.3790.3959);
                 Fri, 3 Sep 2010 02:09:30 -0400
Received: from sheyoumy by nurburgring.webserversystems.com with local (Exim 4.69)
                (envelope-from <sheyoumy@nurburgring.webserversystems.com>)
                id 1OrPSr-0005VE-CL
                for cfontana@ars-llc.com; Fri, 03 Sep 2010 01:09:29 -0500
To: cfontana@ars-llc.com
Subject: shey
X-PHP-Script: sheyoumy.in/xern.php for 41.125.60.128
From: youm <sheds@redi.com>
Message-Id: <1307464001.136@redi.com>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Date: Fri, 03 Sep 2010 01:09:29 -0500
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - nurburgring.webserversystems.com
X-AntiAbuse: Original Domain - ars-llc.com
X-AntiAbuse: Originator/Caller UID/GID - [2397 2383] / [47 12]
X-AntiAbuse: Sender Address Domain - nurburgring.webserversystems.com
Return-Path: sheyoumy@nurburgring.webserversystems.com
X-OriginalArrivalTime: 03 Sep 2010 06:09:31.0128 (UTC) FILETIME=[92A86780:01CB4B2E]



Microsoft Mail Internet Headers Version 2.0
X-Ninja-PIM: Scanned by Ninja
Received: from n33.c03.server-system.net ([72.47.224.33]) by ars-llc.com with Microsoft SMTPSVC(6.0.3790.3959);
                 Fri, 3 Sep 2010 01:26:00 -0400
Received: from thehockeydepot.com by n33.c03.server-system.net with local (Exim 4.63)
                (envelope-from <serveradmin@thehockeydepot.com>)
                id 1OrOmj-0004rH-Iw
                for cfontana@ars-llc.com; Thu, 02 Sep 2010 22:25:57 -0700
X-MT-MESSAGEID: U1Ti9BLE4vQSxOL0E=
To: cfontana@ars-llc.com
Subject: theh
From: getu <seci@keji.com>
Message-Id: <1307464001.136@keji.com>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Date: Thu, 02 Sep 2010 22:25:57 -0700
Return-Path: serveradmin@thehockeydepot.com
X-OriginalArrivalTime: 03 Sep 2010 05:26:00.0673 (UTC) FILETIME=[7EB49510:01CB4B28]




Microsoft Mail Internet Headers Version 2.0
X-Ninja-PIM: Scanned by Ninja
Received: from cf5.hc.ru ([89.111.176.226]) by ars-llc.com with Microsoft SMTPSVC(6.0.3790.3959);
                 Fri, 3 Sep 2010 01:21:19 -0400
Received: from dogostro by cf5.hc.ru with local (Exim 4.69)
                (envelope-from <dogostro@cf5.hc.ru>)
                id 1OrOiC-0005Gp-Qv
                for cfontana@ars-llc.com; Fri, 03 Sep 2010 09:21:16 +0400
To: cfontana@ars-llc.com
Subject: dogo
From: namhe <feri@weis.com>
Message-Id: <1307464001.136@weis.com>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Date: Fri, 03 Sep 2010 09:21:16 +0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - cf5.hc.ru
X-AntiAbuse: Original Domain - ars-llc.com
X-AntiAbuse: Originator/Caller UID/GID - [1109 1109] / [47 12]
X-AntiAbuse: Sender Address Domain - cf5.hc.ru
Return-Path: dogostro@cf5.hc.ru
X-OriginalArrivalTime: 03 Sep 2010 05:21:19.0841 (UTC) FILETIME=[D7510510:01CB4B27]



0
 
LVL 76

Accepted Solution

by:Alan Hardisty
Alan Hardisty earned 2000 total points
ID: 33672451
Does VIPRE allow Reverse DNS checks in its Anti-Spam settings anywhere?
If it does, it would have failed the email you posted headers for:
Answer:
203.217.173.100 PTR record: 100-173-217-203.static.imb.sw2.jkt.imediabiz.com. [TTL 38400s] [A=None] *ERROR* There is no A record for 100-173-217-203.static.imb.sw2.jkt.imediabiz.com. (may be negatively cached).
Failing that - rip out Vipre and install Vamsoft ORF - www.vamsoft.com ($239 per server) and use that instead - it should get rid of the problem for you.
0
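The headers kloux posted and the reverse DNS check in the accepted answer, as an added example that is not from the thread: it parses the outermost Received hop and the X-PHP-Script tag (the fields a hosting provider's abuse desk needs), flags the Message-Id local part that is reused across the samples, and runs a forward-confirmed reverse DNS check with an injectable resolver so it can run offline. The two sample header blocks are trimmed copies of ones in the thread; the resolver stubs and all function names are assumptions.

```python
import re
import socket
from collections import Counter

# Trimmed copies of two header blocks posted in the thread (constructed sample input).
SAMPLE = [
    "Received: from mop100.hostmop.com ([203.217.173.100]) by ars-llc.com with Microsoft SMTPSVC\n"
    "Subject: gsp\n"
    "X-PHP-Script: gsp-international.ac.id/xern.php for 41.125.60.128\n"
    "Message-Id: <1307464001.136@ikler.com>\n",
    "Received: from anson.webserversystems.com ([74.54.107.134]) by ars-llc.com with Microsoft SMTPSVC\n"
    "Subject: chri\n"
    "X-PHP-Script: www.chrishollowaygroup.com/site//xern.php for 41.125.60.128\n"
    "Message-Id: <1307464001.136@weci.com>\n",
]

RECEIVED_RE = re.compile(r"^Received: from (\S+) \(\[([\d.]+)\]\) by ", re.M)
PHP_RE = re.compile(r"^X-PHP-Script: (\S+) for ([\d.]+)", re.M)
MSGID_RE = re.compile(r"^Message-Id: <([^@>]+)@([^>]+)>", re.M)
SUBJECT_RE = re.compile(r"^Subject: (.*)$", re.M)

def parse(headers):
    """Pull the fields an abuse report to the sending host's provider needs."""
    hop = RECEIVED_RE.search(headers)  # outermost hop: the host that connected to the SBS box
    php = PHP_RE.search(headers)       # cPanel/Exim records which script called mail()
    mid = MSGID_RE.search(headers)
    subj = SUBJECT_RE.search(headers)
    return {
        "relay_host": hop.group(1) if hop else None,
        "relay_ip": hop.group(2) if hop else None,
        "php_script": php.group(1) if php else None,
        "script_client": php.group(2) if php else None,  # client that drove the script
        "msgid_local": mid.group(1) if mid else None,
        "subject": subj.group(1) if subj else None,
    }

def shared_msgid_locals(parsed):
    """Message-Id local parts reused across unrelated senders: a campaign fingerprint."""
    counts = Counter(p["msgid_local"] for p in parsed if p["msgid_local"])
    return {local for local, n in counts.items() if n > 1}

def fcrdns_ok(ip, ptr=socket.gethostbyaddr, fwd=socket.gethostbyname_ex):
    """Forward-confirmed reverse DNS (the accepted answer's check): the PTR name
    must exist and must resolve back to the connecting IP."""
    try:
        name = ptr(ip)[0]
        return ip in fwd(name)[2]
    except OSError:  # no PTR, or the PTR name has no A record (the 203.217.173.100 case)
        return False
```

With the real resolvers (the defaults) `fcrdns_ok` does live DNS lookups; pass stubs for `ptr` and `fwd` to test it offline.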
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33672488
Are you also using IP Blacklists to check against?  I use the Barracuda IP blacklist (amongst others) and at least one of the emails you just posted is listed on Barracuda (95.211.127.21).
0
 
LVL 4

Author Comment

by:kloux
ID: 33672756
Changed some settings in Vipre in accordance with their documentation.  There was an option under antispam to Add X-Headers that I didn't have checked.  I will see if this worked.  The other settings seemed to be correct.  I have all the RBL and SPF settings correct as per their best practices.  Thanks for the help.  I'll keep you posted.
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 2000 total points
ID: 33672773
Does it have the ability to reject based on Reverse DNS failing?
That will eliminate a handful of the ones you have posted?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33672787
Just RTFM'd and it seems that SPF check caters for Reverse DNS!
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33672809
I would also add b.barracudacentral.org to the RBL list (don't forget to register on their website, which is free).
http://www.barracudacentral.org/rbl 
0
 
LVL 4

Author Comment

by:kloux
ID: 33684100
No more spam.  Problem looks to be resolved.  I think it was the checkbox for X-Headers that added what I needed, since the RBL and SPF settings were in place.

Thanks!
0
