frankv_43
asked on
Exchange Mailserver Spam
I need assistance in analyzing an email header. Someone seems to be passing spam through a customer's Exchange server, but I can't see how.
Header information below. The IP address 70.89.4.109 is the Exchange mail server. The IP of the intruder appears to be 64.186.141.117.
Return-Path: bristollotto03redacted@yahoo.co.jp
Received: from imta19.westchester.pa.mail.comcast.net (LHLO
 imta19.westchester.pa.mail.comcast.net) (76.96.62.15) by
 sz0165.ev.mail.comcast.net with LMTP; Tue, 14 Sep 2010 12:12:39 +0000 (UTC)
Received: from mailserver2.Inst-Child-Lit.Com ([70.89.4.109])
 by imta19.westchester.pa.mail.comcast.net with comcast
 id 6cCe1f0202M7bz20KcCefL; Tue, 14 Sep 2010 12:12:40 +0000
X-CAA-SPAM: N00001
X-Authority-Analysis: v=1.1 cv=xQtC0Syy8SjLhPQcxulnFUoy7eUGsAEUo+3gGakOX9w=
 c=1 sm=1 p=G0y4NAOPbeQA:10 p=H7zlAlwjME0A:10 p=FlyXWrF0noTvJhcw3_cA:9
 a=Dyoqhi_TatcA:10 a=8EU9Q7FnrCoA:10 a=Cfj4BQAnxiAA:10
 a=4UKdybQ46eJVya8Ku_wA:7 a=l9BT-LX5JHtfJXMJ0NHU38ZYah4A:4 a=Ft8UYL4EG9YA:10
 a=heEvz1zlalEA:10 a=XjuyCbnmBgpgFB-i:21 a=jTmyPk-QPQLX5MgK:21
 a=L5inqJBnP8MMvF9QzrwThA==:117
Received: from User ([64.186.141.117]) by mailserver2.Inst-Child-Lit.Com with Microsoft SMTPSVC(6.0.3790.4675);
 Mon, 13 Sep 2010 18:42:03 -0400
Reply-To: <bristolsweepstakesredacted@yahoo.co.jp>
From: "BRISTOL LOTTERY"<bristollotto03redacted@yahoo.co.jp>
Subject: AWARD NOTIFICATION.
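Received: headers are read bottom-up: each server prepends its own line, so the lowest one is the first hop. In the header above, that bottom hop shows mailserver2.Inst-Child-Lit.Com (the Windows SMTP service that fronts Exchange) accepting the message directly from 64.186.141.117, a client that announced itself with the bare HELO name "User" instead of a host name. That single hop is the one to match against the server's own SMTP log; whether the server accepted it because of its relay restrictions or because the client authenticated with a user's credentials is something only the server-side log will show. The script below is an added example written for this thread, not code from the original post: it walks the chain with Python's standard library and flags the hop where the organisation's own server accepted mail from an outside address. The organisation host list and address range are assumptions taken from the question (only the one server is known), and the header text is the one from the question with the extraction spacing removed, the vendor analysis lines trimmed, and the addresses left redacted as on the page.

```python
"""Walk the Received: chain of a message and point at the hop where an
outside client handed the message to the organisation's own server.

Added example for this thread; not code from the original page.
"""
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Constructed sample: the header from the question, with folding restored,
# vendor analysis lines trimmed, and addresses redacted as on the page.
RAW_HEADER = """\
Return-Path: bristollotto03redacted@yahoo.co.jp
Received: from imta19.westchester.pa.mail.comcast.net (LHLO
 imta19.westchester.pa.mail.comcast.net) (76.96.62.15) by
 sz0165.ev.mail.comcast.net with LMTP; Tue, 14 Sep 2010 12:12:39 +0000 (UTC)
Received: from mailserver2.Inst-Child-Lit.Com ([70.89.4.109])
 by imta19.westchester.pa.mail.comcast.net with comcast
 id 6cCe1f0202M7bz20KcCefL; Tue, 14 Sep 2010 12:12:40 +0000
X-CAA-SPAM: N00001
Received: from User ([64.186.141.117]) by mailserver2.Inst-Child-Lit.Com with Microsoft SMTPSVC(6.0.3790.4675);
 Mon, 13 Sep 2010 18:42:03 -0400
Reply-To: <bristolsweepstakesredacted@yahoo.co.jp>
From: "BRISTOL LOTTERY"<bristollotto03redacted@yahoo.co.jp>
Subject: AWARD NOTIFICATION.

"""

# Assumptions: the organisation's own relay host(s) and address space.
# Only the one server named in the question is known, so the "network"
# is that single address.
ORG_HOSTS = {"mailserver2.inst-child-lit.com"}
ORG_NETS = [ip_network("70.89.4.109/32")]

# One Received: clause after header folding has been undone.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                 # name the client gave in HELO/EHLO
    r"(?:\s+\((?![\[\d])[^)]*\))?"          # optional comment such as (LHLO host)
    r"(?:\s*\(\[?(?P<ip>[0-9.]+)\]?\))?"    # connecting IPv4 address, (x.x.x.x) or ([x.x.x.x])
    r".*?\bby\s+(?P<by>\S+)"                # the server that accepted the message
    r"(?:\s+with\s+(?P<with>[^;]*?))?"      # protocol or software, up to the ';'
    r"\s*(?:;|$)",
    re.IGNORECASE,
)


def normalise(value):
    """Undo header folding: collapse every run of whitespace to one space."""
    return " ".join(value.split())


def parse_received(raw_message):
    """Return the Received hops oldest-first (the bottom header is hop 1)."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = normalise(value)
        match = RECEIVED_RE.search(text)
        if not match:
            continue  # unparseable hop: skip it rather than abort the analysis
        hop = match.groupdict()
        hop["date"] = text.split(";", 1)[1].strip() if ";" in text else ""
        hops.append(hop)
    hops.reverse()
    return hops


def is_org_address(ip_text, org_nets):
    """True when the address falls inside one of the organisation's networks."""
    try:
        addr = ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in org_nets)


def injection_hops(raw_message, org_hosts, org_nets):
    """Flag hops where an org server accepted mail from an outside client.

    Each flagged hop carries its reasons so an analyst can see why it was
    chosen and which server log to pull for that timestamp.
    """
    flagged = []
    for hop in parse_received(raw_message):
        if hop["by"].lower() not in org_hosts:
            continue  # accepted by somebody else's server; not our hand-off
        reasons = []
        ip = hop.get("ip")
        if ip and not is_org_address(ip, org_nets):
            reasons.append("client %s is outside the organisation's address space" % ip)
        if "." not in hop["helo"]:
            reasons.append("HELO name %r is not a fully qualified host name" % hop["helo"])
        if reasons:
            flagged.append(dict(hop, reasons=reasons))
    return flagged


if __name__ == "__main__":
    for number, hop in enumerate(parse_received(RAW_HEADER), 1):
        print("hop %d: %s [%s] -> %s via %s (%s)"
              % (number, hop["helo"], hop["ip"], hop["by"], hop["with"], hop["date"]))
    for hop in injection_hops(RAW_HEADER, ORG_HOSTS, ORG_NETS):
        print("hand-off to check in the server log:", hop["helo"], hop["ip"], "->", hop["by"])
        for reason in hop["reasons"]:
            print("   -", reason)
```

Run it as-is and it lists the three hops oldest-first and flags only the first one, at Mon, 13 Sep 2010 18:42:03 -0400; that timestamp and client address are what to look for in the Exchange server's SMTP protocol log. The comcast hops are not flagged because they were accepted by comcast's servers, not the organisation's.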
Have you checked your server for relay settings? Maybe it's an open relay?
ASKER
Yes, the Exchange box has been checked and is NOT open relay.
64.186.141.117 resolves to farm1.myforexvps.com
Also, this server is not an open relay, or at least port 25 is blocked on their side.
Why can't you add this IP to your block list?
ASKER CERTIFIED SOLUTION
It would really help to see the corresponding log entries from the affected Exchange server. It seems to me that the Exchange box is actually misconfigured as an open relay.
Where is the email destined?