Re: mail headers question

From: Doug McIntyre (merlyn_at_visi.com)
Date: 04/22/04

Date: 22 Apr 2004 21:20:18 GMT

"al" <al@somplace.com> writes:
>Here's a sample spam headers that I received today.
>There are three domain addresses here:
>counsellor.com, fia74-110.dsl.hccnet.nl and iwexx.japan.com
>My question is, which address do I need to block so that I don't receive
>spam from this source again.

>Return-Path: <tfzqzxa@counsellor.com>
>Received: from fia74-110.dsl.hccnet.nl (fia74-110.dsl.hccnet.nl
>[62.251.110.74])
> by mydomain.com (8.12.8/8.12.8) with SMTP id i3KD8X56523724
> for <al@mydomain.com>; Tue, 20 Apr 2004 06:08:35 -0700
>Received: from iwexx.japan.com [72.224.120.76] by 62.251.110.74 with wbttrf

All you can be 100% positive here (because all other info can be
forged and is useless) is that you received this SPAM from the IP
address 65.251.110.74.

In this particular case, it does appear that this really does map to
fia74-110.dsl.hccnet.nl, but this certainly doesn't have to be the
case: reverse DNS lookups might be wrong, and the first instance is what
the sending SMTP host reported its name as, which is 100% arbitrary.

The 2nd Received: line might be accurate, it might just be something
thrown in there to throw you off the scent, so it's totally unreliable
to do any blocking based on that.

Most likely, this is some compromised host on a DSL line in the
Netherlands, and they'll soon discover, or already have discovered, that their
machine was hacked (with worm/virus/spyware/whatever) and take steps
to clean it, so even blocking this machine might just add an entry to
your filter that never gets used again, especially since this happened
two and a half days ago.

The SPAMers most likely have just moved onto another compromised host
somewhere else, and are spewing their junk from there instead.

-- 
Doug McIntyre						merlyn@visi.com
                   Network Engineer/Jack of All Trades
                      Vector Internet Services, Inc.
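The point made above (only the peer address your own MTA wrote into the topmost Received: line can be relied on; the HELO name and every hop below it are sender-supplied) as an added worked example, not code from the original thread. It parses the quoted headers and separates the one trustworthy fact from the forgeable ones. The receiving host name `mydomain.com` comes from the quoted header; `parse_hops` and `connecting_ip` are names chosen here.

```python
import re
from email import message_from_string

# Constructed sample, transcribed from the headers quoted in the thread
# (quote marks removed; the folded lines are kept as a real MTA writes them).
SAMPLE_HEADERS = """\
Return-Path: <tfzqzxa@counsellor.com>
Received: from fia74-110.dsl.hccnet.nl (fia74-110.dsl.hccnet.nl
 [62.251.110.74])
 by mydomain.com (8.12.8/8.12.8) with SMTP id i3KD8X56523724
 for <al@mydomain.com>; Tue, 20 Apr 2004 06:08:35 -0700
Received: from iwexx.japan.com [72.224.120.76] by 62.251.110.74 with wbttrf

"""

HOP_RE = re.compile(r"^from\s+(?P<helo>\S+)(?P<rest>.*?)\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[([0-9.]+)\]")


def parse_hops(raw_headers):
    """Return the Received: hops in header order (topmost, i.e. most recent, first)."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())          # unfold continuation lines
        m = HOP_RE.match(value)
        if not m:
            continue
        ip = IP_RE.search(m.group("rest"))
        hops.append({"helo": m.group("helo"),           # name the peer announced: arbitrary
                     "ip": ip.group(1) if ip else None,  # address the 'by' host actually saw
                     "by": m.group("by")})
    return hops


def connecting_ip(raw_headers, our_host):
    """Pick the one reliable fact: the peer address recorded by our own MTA.

    The first Received: line whose 'by' field names our host was written by
    software we run, so its bracketed IP is the TCP peer that delivered the
    message. The HELO name on that line and every hop below it came from the
    sender and may be forged, so they are returned separately as untrusted.
    """
    hops = parse_hops(raw_headers)
    for i, hop in enumerate(hops):
        by = hop["by"].lower()
        if by == our_host.lower() or by.endswith("." + our_host.lower()):
            return {"trusted_ip": hop["ip"],
                    "claimed_helo": hop["helo"],
                    "untrusted_hops": hops[i + 1:]}
    return None   # no hop written by us: nothing in these headers can be trusted
```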

