Email header question
I have a user getting 10 - 20 spam emails a day that are not getting detected by the Vipre Email Security on their SBS box. The subject and the body are about 4 letters long. Is there a way to better trace this to be able to stop it? There are also X-AntiAbuse fields in this header that I am not familiar with.
I have traced the first IP address to Indonesia but how should I proceed?
Any help would be greatly appreciated.
Microsoft Mail Internet Headers Version 2.0
X-Ninja-PIM: Scanned by Ninja
Received: from mop100.hostmop.com ([203.217.173.100]) by ars-llc.com with Microsoft SMTPSVC(6.0.3790.3959);
Fri, 3 Sep 2010 02:37:05 -0400
Received: from gspiacid by mop100.hostmop.com with local (Exim 4.69)
(envelope-from <gspiacid@mop100.hostmop.c
id 1OrPtY-0005KP-HF
for myemail@mydomian.com; Fri, 03 Sep 2010 13:37:04 +0700
To: myemail@mydomain.com
Subject: gsp
X-PHP-Script: gsp-international.ac.id/xe
From: remo <defi@ikler.com>
Message-Id: <1307464001.136@ikler.com>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding:
Date: Fri, 03 Sep 2010 13:37:04 +0700
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - mop100.hostmop.com
X-AntiAbuse: Original Domain - mydomain.com
X-AntiAbuse: Originator/Caller UID/GID - [674 671] / [47 12]
X-AntiAbuse: Sender Address Domain - mop100.hostmop.com
Return-Path: gspiacid@mop100.hostmop.co
X-OriginalArrivalTime: 03 Sep 2010 06:37:06.0374 (UTC) FILETIME=[6D42E660:01CB4B3
I have traced the first IP address to Indonesia but how should I proceed?
Any help would be greatly appreciated.
Microsoft Mail Internet Headers Version 2.0
X-Ninja-PIM: Scanned by Ninja
Received: from mop100.hostmop.com ([203.217.173.100]) by ars-llc.com with Microsoft SMTPSVC(6.0.3790.3959);
Fri, 3 Sep 2010 02:37:05 -0400
Received: from gspiacid by mop100.hostmop.com with local (Exim 4.69)
(envelope-from <gspiacid@mop100.hostmop.c
id 1OrPtY-0005KP-HF
for myemail@mydomian.com; Fri, 03 Sep 2010 13:37:04 +0700
To: myemail@mydomain.com
Subject: gsp
X-PHP-Script: gsp-international.ac.id/xe
From: remo <defi@ikler.com>
Message-Id: <1307464001.136@ikler.com>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding:
Date: Fri, 03 Sep 2010 13:37:04 +0700
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - mop100.hostmop.com
X-AntiAbuse: Original Domain - mydomain.com
X-AntiAbuse: Originator/Caller UID/GID - [674 671] / [47 12]
X-AntiAbuse: Sender Address Domain - mop100.hostmop.com
Return-Path: gspiacid@mop100.hostmop.co
X-OriginalArrivalTime: 03 Sep 2010 06:37:06.0374 (UTC) FILETIME=[6D42E660:01CB4B3
ASKER
Unfortunately they are all different addresses and domains everytime. Here are some more headers I have:
Microsoft Mail Internet Headers Version 2.0
X-Ninja-PIM: Scanned by Ninja
Received: from sparkle.superdomainzone.co
Fri, 3 Sep 2010 02:28:25 -0400
Received: from wwwseoe by sparkle.superdomainzone.co
(envelope-from <wwwseoe@sparkle.superdoma
id 1OrPlK-0008R7-R7
for cfontana@ars-llc.com; Fri, 03 Sep 2010 01:28:34 -0500
To: cfontana@ars-llc.com
Subject: seos
X-PHP-Script: seoestodo.com.ar/xern.php for 41.125.60.128
From: naki <cedi@reso.com>
Message-Id: <1307464001.136@reso.com>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding:
Date: Fri, 03 Sep 2010 01:28:34 -0500
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - sparkle.superdomainzone.co
X-AntiAbuse: Original Domain - ars-llc.com
X-AntiAbuse: Originator/Caller UID/GID - [1235 1235] / [47 12]
X-AntiAbuse: Sender Address Domain - sparkle.superdomainzone.co
Return-Path: wwwseoe@sparkle.superdomai
X-OriginalArrivalTime: 03 Sep 2010 06:28:25.0118 (UTC) FILETIME=[36918BE0:01CB4B3
Microsoft Mail Internet Headers Version 2.0
X-Ninja-PIM: Scanned by Ninja
Received: from anson.webserversystems.com
Fri, 3 Sep 2010 02:22:50 -0400
Received: from holgroup by anson.webserversystems.com
(envelope-from <holgroup@anson.webservers
id 1OrPfl-0001kG-Uz
for cfontana@ars-llc.com; Fri, 03 Sep 2010 01:22:49 -0500
To: cfontana@ars-llc.com
Subject: chri
X-PHP-Script: www.chrishollowaygroup.com/site//xern.php for 41.125.60.128
From: mena <deci@weci.com>
Message-Id: <1307464001.136@weci.com>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding:
Date: Fri, 03 Sep 2010 01:22:49 -0500
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - anson.webserversystems.com
X-AntiAbuse: Original Domain - ars-llc.com
X-AntiAbuse: Originator/Caller UID/GID - [2689 32003] / [47 12]
X-AntiAbuse: Sender Address Domain - anson.webserversystems.com
X-Source: /usr/bin/php
X-Source-Args: /usr/bin/php /home/holgroup/public_html
X-Source-Dir: chrishollowaygroup.com:/pu
Return-Path: holgroup@anson.webserversy
X-OriginalArrivalTime: 03 Sep 2010 06:22:50.0551 (UTC) FILETIME=[6F26AC70:01CB4B3
Microsoft Mail Internet Headers Version 2.0
X-Ninja-PIM: Scanned by Ninja
Received: from djpro.djpro-hosting.com ([95.211.127.21]) by ars-llc.com with Microsoft SMTPSVC(6.0.3790.3959);
Fri, 3 Sep 2010 02:22:09 -0400
Received: from rovinjro by djpro.djpro-hosting.com with local (Exim 4.69)
(envelope-from <rovinjro@djpro.djpro-host
id 1OrPf1-0000ut-76
for cfontana@ars-llc.com; Fri, 03 Sep 2010 08:22:03 +0200
To: cfontana@ars-llc.com
Subject: rov
From: leke <revo@piok.com>
Message-Id: <1307464001.136@piok.com>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding:
Date: Fri, 03 Sep 2010 08:22:03 +0200
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - djpro.djpro-hosting.com
X-AntiAbuse: Original Domain - ars-llc.com
X-AntiAbuse: Originator/Caller UID/GID - [524 520] / [47 12]
X-AntiAbuse: Sender Address Domain - djpro.djpro-hosting.com
Return-Path: rovinjro@djpro.djpro-hosti
X-OriginalArrivalTime: 03 Sep 2010 06:22:09.0332 (UTC) FILETIME=[56952740:01CB4B3
Microsoft Mail Internet Headers Version 2.0
X-Ninja-PIM: Scanned by Ninja
Received: from nurburgring.webserversyste
Fri, 3 Sep 2010 02:09:30 -0400
Received: from sheyoumy by nurburgring.webserversyste
(envelope-from <sheyoumy@nurburgring.webs
id 1OrPSr-0005VE-CL
for cfontana@ars-llc.com; Fri, 03 Sep 2010 01:09:29 -0500
To: cfontana@ars-llc.com
Subject: shey
X-PHP-Script: sheyoumy.in/xern.php for 41.125.60.128
From: youm <sheds@redi.com>
Message-Id: <1307464001.136@redi.com>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding:
Date: Fri, 03 Sep 2010 01:09:29 -0500
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - nurburgring.webserversyste
X-AntiAbuse: Original Domain - ars-llc.com
X-AntiAbuse: Originator/Caller UID/GID - [2397 2383] / [47 12]
X-AntiAbuse: Sender Address Domain - nurburgring.webserversyste
Return-Path: sheyoumy@nurburgring.webse
X-OriginalArrivalTime: 03 Sep 2010 06:09:31.0128 (UTC) FILETIME=[92A86780:01CB4B2
Microsoft Mail Internet Headers Version 2.0
X-Ninja-PIM: Scanned by Ninja
Received: from n33.c03.server-system.net ([72.47.224.33]) by ars-llc.com with Microsoft SMTPSVC(6.0.3790.3959);
Fri, 3 Sep 2010 01:26:00 -0400
Received: from thehockeydepot.com by n33.c03.server-system.net with local (Exim 4.63)
(envelope-from <serveradmin@thehockeydepo
id 1OrOmj-0004rH-Iw
for cfontana@ars-llc.com; Thu, 02 Sep 2010 22:25:57 -0700
X-MT-MESSAGEID: U1Ti9BLE4vQSxOL0E=
To: cfontana@ars-llc.com
Subject: theh
From: getu <seci@keji.com>
Message-Id: <1307464001.136@keji.com>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding:
Date: Thu, 02 Sep 2010 22:25:57 -0700
Return-Path: serveradmin@thehockeydepot
X-OriginalArrivalTime: 03 Sep 2010 05:26:00.0673 (UTC) FILETIME=[7EB49510:01CB4B2
Microsoft Mail Internet Headers Version 2.0
X-Ninja-PIM: Scanned by Ninja
Received: from cf5.hc.ru ([89.111.176.226]) by ars-llc.com with Microsoft SMTPSVC(6.0.3790.3959);
Fri, 3 Sep 2010 01:21:19 -0400
Received: from dogostro by cf5.hc.ru with local (Exim 4.69)
(envelope-from <dogostro@cf5.hc.ru>)
id 1OrOiC-0005Gp-Qv
for cfontana@ars-llc.com; Fri, 03 Sep 2010 09:21:16 +0400
To: cfontana@ars-llc.com
Subject: dogo
From: namhe <feri@weis.com>
Message-Id: <1307464001.136@weis.com>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding:
Date: Fri, 03 Sep 2010 09:21:16 +0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - cf5.hc.ru
X-AntiAbuse: Original Domain - ars-llc.com
X-AntiAbuse: Originator/Caller UID/GID - [1109 1109] / [47 12]
X-AntiAbuse: Sender Address Domain - cf5.hc.ru
Return-Path: dogostro@cf5.hc.ru
X-OriginalArrivalTime: 03 Sep 2010 05:21:19.0841 (UTC) FILETIME=[D7510510:01CB4B2
Microsoft Mail Internet Headers Version 2.0
X-Ninja-PIM: Scanned by Ninja
Received: from sparkle.superdomainzone.co
Fri, 3 Sep 2010 02:28:25 -0400
Received: from wwwseoe by sparkle.superdomainzone.co
(envelope-from <wwwseoe@sparkle.superdoma
id 1OrPlK-0008R7-R7
for cfontana@ars-llc.com; Fri, 03 Sep 2010 01:28:34 -0500
To: cfontana@ars-llc.com
Subject: seos
X-PHP-Script: seoestodo.com.ar/xern.php for 41.125.60.128
From: naki <cedi@reso.com>
Message-Id: <1307464001.136@reso.com>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding:
Date: Fri, 03 Sep 2010 01:28:34 -0500
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - sparkle.superdomainzone.co
X-AntiAbuse: Original Domain - ars-llc.com
X-AntiAbuse: Originator/Caller UID/GID - [1235 1235] / [47 12]
X-AntiAbuse: Sender Address Domain - sparkle.superdomainzone.co
Return-Path: wwwseoe@sparkle.superdomai
X-OriginalArrivalTime: 03 Sep 2010 06:28:25.0118 (UTC) FILETIME=[36918BE0:01CB4B3
Microsoft Mail Internet Headers Version 2.0
X-Ninja-PIM: Scanned by Ninja
Received: from anson.webserversystems.com
Fri, 3 Sep 2010 02:22:50 -0400
Received: from holgroup by anson.webserversystems.com
(envelope-from <holgroup@anson.webservers
id 1OrPfl-0001kG-Uz
for cfontana@ars-llc.com; Fri, 03 Sep 2010 01:22:49 -0500
To: cfontana@ars-llc.com
Subject: chri
X-PHP-Script: www.chrishollowaygroup.com/site//xern.php for 41.125.60.128
From: mena <deci@weci.com>
Message-Id: <1307464001.136@weci.com>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding:
Date: Fri, 03 Sep 2010 01:22:49 -0500
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - anson.webserversystems.com
X-AntiAbuse: Original Domain - ars-llc.com
X-AntiAbuse: Originator/Caller UID/GID - [2689 32003] / [47 12]
X-AntiAbuse: Sender Address Domain - anson.webserversystems.com
X-Source: /usr/bin/php
X-Source-Args: /usr/bin/php /home/holgroup/public_html
X-Source-Dir: chrishollowaygroup.com:/pu
Return-Path: holgroup@anson.webserversy
X-OriginalArrivalTime: 03 Sep 2010 06:22:50.0551 (UTC) FILETIME=[6F26AC70:01CB4B3
Microsoft Mail Internet Headers Version 2.0
X-Ninja-PIM: Scanned by Ninja
Received: from djpro.djpro-hosting.com ([95.211.127.21]) by ars-llc.com with Microsoft SMTPSVC(6.0.3790.3959);
Fri, 3 Sep 2010 02:22:09 -0400
Received: from rovinjro by djpro.djpro-hosting.com with local (Exim 4.69)
(envelope-from <rovinjro@djpro.djpro-host
id 1OrPf1-0000ut-76
for cfontana@ars-llc.com; Fri, 03 Sep 2010 08:22:03 +0200
To: cfontana@ars-llc.com
Subject: rov
From: leke <revo@piok.com>
Message-Id: <1307464001.136@piok.com>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding:
Date: Fri, 03 Sep 2010 08:22:03 +0200
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - djpro.djpro-hosting.com
X-AntiAbuse: Original Domain - ars-llc.com
X-AntiAbuse: Originator/Caller UID/GID - [524 520] / [47 12]
X-AntiAbuse: Sender Address Domain - djpro.djpro-hosting.com
Return-Path: rovinjro@djpro.djpro-hosti
X-OriginalArrivalTime: 03 Sep 2010 06:22:09.0332 (UTC) FILETIME=[56952740:01CB4B3
Microsoft Mail Internet Headers Version 2.0
X-Ninja-PIM: Scanned by Ninja
Received: from nurburgring.webserversyste
Fri, 3 Sep 2010 02:09:30 -0400
Received: from sheyoumy by nurburgring.webserversyste
(envelope-from <sheyoumy@nurburgring.webs
id 1OrPSr-0005VE-CL
for cfontana@ars-llc.com; Fri, 03 Sep 2010 01:09:29 -0500
To: cfontana@ars-llc.com
Subject: shey
X-PHP-Script: sheyoumy.in/xern.php for 41.125.60.128
From: youm <sheds@redi.com>
Message-Id: <1307464001.136@redi.com>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding:
Date: Fri, 03 Sep 2010 01:09:29 -0500
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - nurburgring.webserversyste
X-AntiAbuse: Original Domain - ars-llc.com
X-AntiAbuse: Originator/Caller UID/GID - [2397 2383] / [47 12]
X-AntiAbuse: Sender Address Domain - nurburgring.webserversyste
Return-Path: sheyoumy@nurburgring.webse
X-OriginalArrivalTime: 03 Sep 2010 06:09:31.0128 (UTC) FILETIME=[92A86780:01CB4B2
Microsoft Mail Internet Headers Version 2.0
X-Ninja-PIM: Scanned by Ninja
Received: from n33.c03.server-system.net ([72.47.224.33]) by ars-llc.com with Microsoft SMTPSVC(6.0.3790.3959);
Fri, 3 Sep 2010 01:26:00 -0400
Received: from thehockeydepot.com by n33.c03.server-system.net with local (Exim 4.63)
(envelope-from <serveradmin@thehockeydepo
id 1OrOmj-0004rH-Iw
for cfontana@ars-llc.com; Thu, 02 Sep 2010 22:25:57 -0700
X-MT-MESSAGEID: U1Ti9BLE4vQSxOL0E=
To: cfontana@ars-llc.com
Subject: theh
From: getu <seci@keji.com>
Message-Id: <1307464001.136@keji.com>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding:
Date: Thu, 02 Sep 2010 22:25:57 -0700
Return-Path: serveradmin@thehockeydepot
X-OriginalArrivalTime: 03 Sep 2010 05:26:00.0673 (UTC) FILETIME=[7EB49510:01CB4B2
Microsoft Mail Internet Headers Version 2.0
X-Ninja-PIM: Scanned by Ninja
Received: from cf5.hc.ru ([89.111.176.226]) by ars-llc.com with Microsoft SMTPSVC(6.0.3790.3959);
Fri, 3 Sep 2010 01:21:19 -0400
Received: from dogostro by cf5.hc.ru with local (Exim 4.69)
(envelope-from <dogostro@cf5.hc.ru>)
id 1OrOiC-0005Gp-Qv
for cfontana@ars-llc.com; Fri, 03 Sep 2010 09:21:16 +0400
To: cfontana@ars-llc.com
Subject: dogo
From: namhe <feri@weis.com>
Message-Id: <1307464001.136@weis.com>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding:
Date: Fri, 03 Sep 2010 09:21:16 +0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - cf5.hc.ru
X-AntiAbuse: Original Domain - ars-llc.com
X-AntiAbuse: Originator/Caller UID/GID - [1109 1109] / [47 12]
X-AntiAbuse: Sender Address Domain - cf5.hc.ru
Return-Path: dogostro@cf5.hc.ru
X-OriginalArrivalTime: 03 Sep 2010 05:21:19.0841 (UTC) FILETIME=[D7510510:01CB4B2
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Are you also using IP Blacklists to check against? I use the barracuda IP blacklist (amongst others) and at least one of the emails you just posted is listed on Barracuda (95.211.127.21)
ASKER
Changed some settings in Vipre in accordance with their documentation. There was an option under antispam to Add X-Headers that I didn't have checked. I will see if this worked. The other settings seemed to be correct. I have all the RBL and SPF settings correct as per their best practices. Thanks for the help. I'll keep you posted.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Just RTFM'd and it seems that SPF check caters for Reverse DNS!
I would also add b.barracudacentral.org to the RBL list (don't forget to register on their website which is free)..
http://www.barracudacentral.org/rbl
http://www.barracudacentral.org/rbl
ASKER
No more spam. Problems looks to be resolved. I think it was the checkbox for X-Headers that added what I needed since the RBL and SPF settings were in place.
Thanks!
Thanks!
Do all the headers show different sending servers? (mop100.hostmop.com ([203.217.173.100])