[OFB Cafe] Tracking email through headers (Was: Threading (Was: BioFuels))

Rick Bowers rwbowers at gmail.com
Thu Jul 24 15:52:12 CDT 2008 

I decided to create a new thread since this is somewhat irrelevant.

Attached are the headers from one type of SPAM mail I receive. 
Someone (or many someones) use random mail IDs at my domains (I have 
several) to send out SPAM.  I catch them in my "catch-all" account 
and usually discard them. But I'm curious how to track them.
My mail server is ponyexpress.addressunknown.us, it serves all my 
domains. I use ZoneEdit.Com for my DNS on some of my domains and 
EveryDNS.Net for others. ponyexpress is NATted through my router to 
my Comcast account. If I've set things up correctly, outside users 
can't use my SMTP server to  spoof mails.

In the following header, I'm betting the From: ID was spoofed. the 
first "Received:" is probably the originating SMTP server, right? 
(Received: from AC5-Webproxy71.direcpc.com 
(dpc67142107229.direcpc.com [67.142.107.229])). What else can I tell from this?

The other type of SPAM I get spoofs my domain as the sender. I get 
the bounces. I'd *really* like to find the source of those messages.. 
I'll look for some message headers from one of those.

~Rick

----------

Received: (qmail 1634 invoked by alias); 23 Jul 2008 16:11:24 -0000
Delivered-To: alias-localdelivery-BF at Mail.BowersFamily.US
Received: (qmail 1630 invoked from network); 23 Jul 2008 16:11:18 -0000
X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on
         ponyexpress.addressunknown.us
X-Spam-Status: No, score=-0.1 required=11.0 tests=BAYES_00,
         RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK
         autolearn=no version=3.1.3
X-Spam-Level:
Received: from mail3.zoneedit.com (mail3.zoneedit.com [209.190.25.90])
   by ponyexpress.addressunknown.us ([192.168.10.10])
   with ESMTP via TCP; 23 Jul 2008 16:11:18 -0000
Received: from AC5-Webproxy71.direcpc.com (dpc67142107229.direcpc.com 
[67.142.107.229])
         by mail3.zoneedit.com (Postfix) with ESMTP id B2E572C4713
         for <647142100.62169472986894 at bowersfamily.us>; Wed, 23 Jul 
2008 12:09:41 -0400 (EDT)
Message-ID: <9CA06A0A.D546112B at rafv.com>
Date: Wed, 23 Jul 2008 13:11:51 -0300
From: Bess <Patty-kivitetn at rafv.com>
User-Agent: Thunderbird 2.0.0.14 (Windows/20080421)
MIME-Version: 1.0
To: 647142100.62169472986894 at bowersfamily.us
Subject: Christian Bale doomed Oscar chances
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
-------------- next part --------------

   I decided to create a new thread since this is somewhat irrelevant.
   Attached are the headers from one type of SPAM mail I receive. Someone
   (or  many someones) use random mail IDs at my domains (I have several)
   to  send out SPAM.  I catch them in my "catch-all" account and usually
   discard them. But I'm curious how to track them.
   My  mail  server  is  ponyexpress.addressunknown.us,  it serves all my
   domains.  I  use  ZoneEdit.Com  for  my  DNS on some of my domains and
   EveryDNS.Net for others. ponyexpress is NATted through my router to my
   Comcast  account. If I've set things up correctly, outside users can't
   use my SMTP server to  spoof mails.
   In  the  following  header,  I'm betting the From: ID was spoofed. the
   first  "Received:"  is  probably  the  originating SMTP server, right?
   (Received: from AC5-Webproxy71.direcpc.com (dpc67142107229.direcpc.com
   [67.142.107.229])). What else can I tell from this?
   The other type of SPAM I get spoofs my domain as the sender. I get the
   bounces. I'd *really* like to find the source of those messages.. I'll
   look for some message headers from one of those.
   ~Rick
     _________________________________________________________________

   Received: (qmail 1634 invoked by alias); 23 Jul 2008 16:11:24 -0000
   Delivered-To: alias-localdelivery-BF at Mail.BowersFamily.US
   Received:  (qmail  1630  invoked  from  network); 23 Jul 2008 16:11:18
   -0000
   X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on
            ponyexpress.addressunknown.us
   X-Spam-Status: No, score=-0.1 required=11.0 tests=BAYES_00,
            RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK
            autolearn=no version=3.1.3
   X-Spam-Level:
   Received: from mail3.zoneedit.com (mail3.zoneedit.com [209.190.25.90])
     by ponyexpress.addressunknown.us ([192.168.10.10])
     with ESMTP via TCP; 23 Jul 2008 16:11:18 -0000
   Received:  from AC5-Webproxy71.direcpc.com (dpc67142107229.direcpc.com
   [67.142.107.229])
           by mail3.zoneedit.com (Postfix) with ESMTP id B2E572C4713
           for  <647142100.62169472986894 at bowersfamily.us>;  Wed,  23 Jul
   2008 12:09:41 -0400 (EDT)
   Message-ID: <9CA06A0A.D546112B at rafv.com>
   Date: Wed, 23 Jul 2008 13:11:51 -0300
   From: Bess <Patty-kivitetn at rafv.com>
   User-Agent: Thunderbird 2.0.0.14 (Windows/20080421)
   MIME-Version: 1.0
   To: 647142100.62169472986894 at bowersfamily.us
   Subject: Christian Bale doomed Oscar chances
   Content-Type: text/plain; charset=ISO-8859-1; format=flowed
   Content-Transfer-Encoding: 7bit

More information about the Cafe mailing list