mark Tux's lil' helper
Joined: 04 Jun 2002 Posts: 119
Posted: Fri Sep 26, 2003 8:49 pm Post subject: Tracking this SPAM by its headers
I have over the past few days been receiving a lot of SPAM. I could set up a filter, but in this case, since I think it is inadvertent, it may be useful if I could figure out where it is coming from.
In all but one case it is Microsoft security updates and notifications that mail could not be delivered. The headers do not seem to share any common source. I have done some googling but can't figure out how to trace their point of origin. I am aware that headers can be forged, but (a) they're not your usual marketing-type spam and (b) the headers look legit (at least to my relatively untrained eye).
A couple of example headers follow.
Return-Path: <wes.pangrass@aams.ab.ca>
Received: from bpd2mo1no.prod.shawcable.com ([64.59.128.220])
by mta03-svc.ntlworld.com
(InterMail vM.4.01.03.37 201-229-121-137-20020806) with ESMTP
id <20030926180716.PGST29289.mta03-svc.ntlworld.com@bpd2mo1no.prod.shawcable.com>
for <mark.newman2@ntlworld.com>; Fri, 26 Sep 2003 19:07:16 +0100
Received: from bpd2mi1no.prod.shawcable.com
(bpd2mi1no-qfe3.prod.shawcable.com [10.0.184.120])
by l-daemon (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003))
with ESMTP id <0HLU0038326AB8@l-daemon> for mark.newman2@ntlworld.com; Fri,
26 Sep 2003 12:03:46 -0600 (MDT)
Received: from qsiyyc (h24-86-221-211.ed.shawcable.net [24.86.221.211])
by l-daemon (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003))
with SMTP id <0HLU000R52625O@l-daemon> for mark.newman2@ntlworld.com; Fri,
26 Sep 2003 12:03:46 -0600 (MDT)
Date: Fri, 26 Sep 2003 12:03:38 -0600 (MDT)
Date-warning: Date header was inserted by l-daemon
From: "Security Assistance" < >
Subject: Latest Internet Patch
To: "Partner" < >
And this one:
Return-Path: <eth.airserv@codetel.net.do>
Received: from mail4.codetel.net.do ([196.3.81.59])
by mta06-svc.ntlworld.com
(InterMail vM.4.01.03.37 201-229-121-137-20020806) with ESMTP
id <20030925142503.CXT22584.mta06-svc.ntlworld.com@mail4.codetel.net.do>
for <mark.newman2@ntlworld.com>; Thu, 25 Sep 2003 15:25:03 +0100
Received: from dlmn ([66.98.44.182]) by mail4.codetel.net.do with Microsoft SMTPSVC(5.0.2195.6713);
Thu, 25 Sep 2003 10:24:56 -0400
FROM: "Microsoft Customer Support" <qfioioavsayjj-odrtnvx@confidence.microsoft.com>
TO: "Commercial Partner" <xusja_dyyruriqq@confidence.microsoft.com>
The only obvious correlation is me on the receiving end, but I'm not signed up to any MS security services.
One more example follows:
Return-Path: <mfgg@adelphia.net>
Received: from mta8.adelphia.net ([68.168.78.196])
by mta06-svc.ntlworld.com
(InterMail vM.4.01.03.37 201-229-121-137-20020806) with ESMTP
id <20030926190211.FLZK22584.mta06-svc.ntlworld.com@mta8.adelphia.net>
for <mark.newman2@ntlworld.com>; Fri, 26 Sep 2003 20:02:11 +0100
Received: from xkoif ([68.68.251.109]) by mta8.adelphia.net
(InterMail vM.5.01.05.32 201-253-122-126-132-20030307) with SMTP
id <20030926190041.WQOF29315.mta8.adelphia.net@xkoif>;
Fri, 26 Sep 2003 15:00:41 -0400
FROM: "inet mail delivery service" <smtpbot@microsoft.com>
TO: "internet user" <recipient@emailserver.com>
SUBJECT: letter
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="xmmnzl"
Message-Id: <20030926190041.WQOF29315.mta8.adelphia.net@xkoif>
Date: Fri, 26 Sep 2003 15:00:52 -0400
Undelivered to dkhsrlfdje@microsoft.com
Message follows:
I see 3 possibilities: I've been signed up for these by somebody else, someone is infected with a virus and I'm just the unfortunate recipient of their forwarded mail, or I'm missing something (quite possibly something obvious).
If someone could point me in the right direction in understanding the headers I'd be grateful. The thing I find confusing is that they don't seem to have the same source.
Or I could just filter them and forget the whole thing.
Regards,
Mark
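How to read the three header sets quoted in the post, as an added worked example (mine, not code from the post or from anyone on this thread). Each relay prepends its own Received: line, so the chain is read bottom-up: the top line was written by the recipient's own server and its bracketed IP is reliable, while everything beneath it was written by other machines and is only as trustworthy as they are. The code assumes that anything under ntlworld.com is the poster's own provider (taken from the `for <...@ntlworld.com>` lines); the `report` helper, its field names and the re-folding of the headers (the forum flattened the continuation lines) are my additions.

```python
"""Walk an e-mail's Received: chain to find where it entered the mail system.

Added example, not code from the post.  Headers are prepended as a message
travels, so the top Received: line was written by the recipient's own server
and the bottom one by the first relay the sender touched.
"""
import ipaddress
import re
from email.parser import HeaderParser

# Constructed sample input: the three header sets quoted in the post, with the
# continuation lines re-folded (leading space) so the parser can read them.
SAMPLES = [
"""Return-Path: <wes.pangrass@aams.ab.ca>
Received: from bpd2mo1no.prod.shawcable.com ([64.59.128.220])
 by mta03-svc.ntlworld.com
 (InterMail vM.4.01.03.37 201-229-121-137-20020806) with ESMTP
 id <20030926180716.PGST29289.mta03-svc.ntlworld.com@bpd2mo1no.prod.shawcable.com>
 for <mark.newman2@ntlworld.com>; Fri, 26 Sep 2003 19:07:16 +0100
Received: from bpd2mi1no.prod.shawcable.com
 (bpd2mi1no-qfe3.prod.shawcable.com [10.0.184.120])
 by l-daemon (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003))
 with ESMTP id <0HLU0038326AB8@l-daemon> for mark.newman2@ntlworld.com; Fri,
 26 Sep 2003 12:03:46 -0600 (MDT)
Received: from qsiyyc (h24-86-221-211.ed.shawcable.net [24.86.221.211])
 by l-daemon (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003))
 with SMTP id <0HLU000R52625O@l-daemon> for mark.newman2@ntlworld.com; Fri,
 26 Sep 2003 12:03:46 -0600 (MDT)
""",
"""Return-Path: <eth.airserv@codetel.net.do>
Received: from mail4.codetel.net.do ([196.3.81.59])
 by mta06-svc.ntlworld.com (InterMail vM.4.01.03.37 201-229-121-137-20020806) with ESMTP
 id <20030925142503.CXT22584.mta06-svc.ntlworld.com@mail4.codetel.net.do>
 for <mark.newman2@ntlworld.com>; Thu, 25 Sep 2003 15:25:03 +0100
Received: from dlmn ([66.98.44.182]) by mail4.codetel.net.do with Microsoft SMTPSVC(5.0.2195.6713);
 Thu, 25 Sep 2003 10:24:56 -0400
""",
"""Return-Path: <mfgg@adelphia.net>
Received: from mta8.adelphia.net ([68.168.78.196])
 by mta06-svc.ntlworld.com (InterMail vM.4.01.03.37 201-229-121-137-20020806) with ESMTP
 id <20030926190211.FLZK22584.mta06-svc.ntlworld.com@mta8.adelphia.net>
 for <mark.newman2@ntlworld.com>; Fri, 26 Sep 2003 20:02:11 +0100
Received: from xkoif ([68.68.251.109]) by mta8.adelphia.net
 (InterMail vM.5.01.05.32 201-253-122-126-132-20030307) with SMTP
 id <20030926190041.WQOF29315.mta8.adelphia.net@xkoif>; Fri, 26 Sep 2003 15:00:41 -0400
""",
]

HOP_RE = re.compile(
    r'^from\s+(?P<helo>\S+)'                                  # name given in HELO/EHLO
    r'(?:\s+\((?:(?P<rdns>[\w.-]+)\s+)?\[(?P<ip>[0-9a-fA-F.:]+)\]\))?'  # (rDNS [IP]) seen by relay
    r'.*?\bby\s+(?P<by>\S+)'                                  # relay that wrote the line
    r'(?:.*?\bwith\s+(?:\S+\s+)?(?P<proto>\w*SMTP\w*))?',     # SMTP/ESMTP/SMTPSVC if recorded
    re.IGNORECASE)

def parse_hops(raw_headers):
    """Received: hops in transit order, earliest (sender side) first."""
    msg = HeaderParser().parsestr(raw_headers)
    hops = []
    for value in msg.get_all('Received', []):
        m = HOP_RE.match(' '.join(value.split()))     # unfold continuation lines
        if m:                                         # unparseable lines are dropped, not trusted
            hops.append(m.groupdict())
    hops.reverse()                                    # bottom header = first hop in time
    return hops

def trace_origin(raw_headers, my_domain):
    """Return (edge, origin).  `edge` is the hop our own servers wrote when the
    mail arrived from outside and is trustworthy; `origin` is the earliest hop
    with a public source IP, i.e. what the earlier relays *claim*, and can be
    forged by whoever controlled them."""
    hops = parse_hops(raw_headers)
    my_domain = my_domain.lower()
    edge = None
    for hop in reversed(hops):                        # newest line first
        host = hop['by'].lower()
        if host != my_domain and not host.endswith('.' + my_domain):
            break                                     # first line we did not write ourselves
        edge = hop
    origin = next((h for h in hops if h['ip']
                   and not ipaddress.ip_address(h['ip']).is_private), None)
    return edge, origin

def report(raw_headers, my_domain='ntlworld.com'):
    """Flat summary of one message, suitable for comparing several."""
    edge, origin = trace_origin(raw_headers, my_domain)
    return {'handed_to_us_by': edge and edge['ip'],
            'origin_ip': origin and origin['ip'],
            'origin_helo': origin and origin['helo'],
            'origin_rdns': origin and origin['rdns'],
            'origin_proto': origin and origin['proto']}

if __name__ == '__main__':
    for raw in SAMPLES:
        print(report(raw))
```

Run stand-alone it prints one summary per message. On these three the trustworthy hand-off addresses (64.59.128.220, 196.3.81.59, 68.168.78.196) and the claimed origins (24.86.221.211, 66.98.44.182, 68.68.251.109) are all different, which matches the post's observation that there is no common source. What the origin hops do share is a HELO name that is a short random string unrelated to the reverse DNS, and a plain `SMTP` session rather than `ESMTP`, which is consistent with the mail being injected by a program on the originating machine rather than sent through an ordinary mail client. The 10.0.184.120 hop is an internal relay inside Shaw's network (a private address) and is skipped when looking for the origin. A `whois` lookup on each origin IP gives the abuse contact for the network it sits in, which is where a report would go.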