Re: mail headers question
From: Doug McIntyre (merlyn_at_visi.com)
Date: 22 Apr 2004 21:20:18 GMT
"al" <firstname.lastname@example.org> writes:
>Here's a sample spam headers that I received today.
>There are three domain addresses here:
>counsellor.com, fia74-110.dsl.hccnet.nl and iwexx.japan.com
>My question is, which address do I need to block so that I don't receive
>spam from this source again.
>Received: from fia74-110.dsl.hccnet.nl (fia74-110.dsl.hccnet.nl
> by mydomain.com (8.12.8/8.12.8) with SMTP id i3KD8X56523724
> for <email@example.com>; Tue, 20 Apr 2004 06:08:35 -0700
>Received: from iwexx.japan.com [188.8.131.52] by 184.108.40.206 with wbttrf
All you can be 100% positive here (because all other info can be
forged and is useless) is that you received this SPAM from the IP
In this particular case, it does appear that this really does map to
fia74-110.dsl.hccnet.nl, but this certainly doesn't require to be the
case, reverse DNS lookups might be wrong, the first instance is what
the SMTP sending reported its name as, which is 100% arbitrary.
The 2nd Recevied: line might be accurate, it might just be something
thrown in there to throw you off the scent, so its totally unreliable
to do any blocking based on that.
Most likely, this is some compromised host on a DSL line in the
Netherlands, and they'll soon or already have discover that their
machine was hacked (with worm/virus/spyware/whatever) and take steps
to clean it, so even blocking this machine might just add an entry to
your filter that never gets used again, especially since this happened
two and a half days ago.
The SPAMers most likely have just moved onto another compromised host
somewhere else, and are spewing their junk from there instead.
-- Doug McIntyre firstname.lastname@example.org Network Engineer/Jack of All Trades Vector Internet Services, Inc.