Question

Decipher Email Header On A Spam Email

By gdkmlt ·
Hello, I am trying to decipher the below Internet Header. The email is Spam.

Mail.dvsno.org (IP Address - 171.164.31.13) is a friendly organization who has been added to our spam filter whitelist.

Our Symantec Mail Security for SMTP (IP Address - 10.1.3.4) logs identify this email as this:
Accepted From: 171.164.31.13 (Friendly Organization's IP)
Sender: connie@dvsno.org (Legitimate user at Friendly Organization)
Recipient: CPen@mydomain.com (Legitimate user at My domain)

Our Exchange Server (IP Address - 10.1.3.5) Message Tracking identifies this email as this:
Return Path: connie@dvsno.org
Sender: connie@dvsno.org
Recipient: CPen@mydomain.com

connie@dvsno.org did not knowingly send this email.

So, is dvsno.org an open relay or is it a spam bot client? Or did a spammer just spoof the sender email address and IP address? Dvsno.org is not being blacklisted according to mxtoolbox.

Also, looking at the header, you will see IP address 89.216.228.229. This IP address does show up as being blacklisted.

Note: All of the domains & IP addresses have been altered, except the spammer's address - 89.216.228.229.

Now for the Header:
Received: from smtp.mydomain.com (10.1.3.4) by smtp.mydomain.com (10.1.3.5)
with Microsoft SMTP Server id 8.1.393.1; Wed, 10 Mar 2010 10:01:18 -0800
X-AuditID: 0a010104-000016d400000bdc-52-4b97de6e4690
Received: from mail.dvsno.org ([171.164.31.113]) by smtp.mydomain.com with
Microsoft SMTPSVC(6.0.3790.3959); Wed, 10 Mar 2010 10:01:17 -0800
Received: from [89.216.228.229] ([89.216.228.229]) by mail.dvsno.org with
Microsoft SMTPSVC(6.0.3790.3959); Wed, 10 Mar 2010 10:04:38 -0800
From: Pfizer shopping portal <connie@dvsno.org>
To: <connie@dvsno.org>
Subject: Crazy 80% Discount for CPen
Date: Wed, 10 Mar 2010 19:01:34 +0100
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
Return-Path: connie@dvsno.org
Message-ID: <SERVERqSAeD2Vh7nbqa00000139@mail.dvs-snoco.org>
X-OriginalArrivalTime: 10 Mar 2010 18:04:38.0812 (UTC) FILETIME=[2683A5C0:01CAC07C]
X-Brightmail-Tracker: AAAAAA==

Thank you,
Greg
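
The way to read a chain like this is bottom-up: the lowest Received line is the earliest hop, and the first hop whose connecting IP is not one of your own or your whitelisted partner's hosts is where the message entered the trusted path. The following script is an added example for this thread (not code from the poster or from Symantec/Exchange); it embeds the posted header with the folded Received lines re-joined, walks the hops in origin-first order, reports the injection point against an assumed trusted set (10.1.3.4, 10.1.3.5 and the whitelisted 171.164.31.113 as it appears in the header), and flags hops whose timestamps run backwards, which here shows the dvsno.org clock is about three minutes ahead of the gateway's.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Header block as posted in the question (domains/IPs altered by the poster,
# except 89.216.228.229), with the folded Received lines re-joined so the
# standard library header parser can read them.
RAW_HEADER = """\
Received: from smtp.mydomain.com (10.1.3.4) by smtp.mydomain.com (10.1.3.5)
 with Microsoft SMTP Server id 8.1.393.1; Wed, 10 Mar 2010 10:01:18 -0800
X-AuditID: 0a010104-000016d400000bdc-52-4b97de6e4690
Received: from mail.dvsno.org ([171.164.31.113]) by smtp.mydomain.com with
 Microsoft SMTPSVC(6.0.3790.3959); Wed, 10 Mar 2010 10:01:17 -0800
Received: from [89.216.228.229] ([89.216.228.229]) by mail.dvsno.org with
 Microsoft SMTPSVC(6.0.3790.3959); Wed, 10 Mar 2010 10:04:38 -0800
From: Pfizer shopping portal <connie@dvsno.org>
To: <connie@dvsno.org>
Subject: Crazy 80% Discount for CPen
Date: Wed, 10 Mar 2010 19:01:34 +0100
Return-Path: connie@dvsno.org

"""

# Assumed trusted set: our gateway, our Exchange server, and the whitelisted
# partner relay as it appears in the header (not values from the page's logs).
TRUSTED_IPS = {"10.1.3.4", "10.1.3.5", "171.164.31.113"}

IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# "from <helo> (<peer info>) ... by <host>" -- peer info is what the receiving
# MTA observed, the helo name is whatever the client claimed.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<peer>[^)]*)\))?.*?\bby\s+(?P<by>\S+)", re.S
)


def parse_received(value):
    """Turn one Received header value into a hop dict (or None if unparseable)."""
    value = " ".join(value.split())  # unfold continuation lines
    m = HOP_RE.search(value)
    if not m:
        return None
    peer = m.group("peer") or ""
    # Prefer the IP the receiver recorded over the self-reported helo name.
    ip_m = IP_RE.search(peer) or IP_RE.search(m.group("helo"))
    ts = value.rsplit(";", 1)[1].strip() if ";" in value else None
    return {
        "helo": m.group("helo"),
        "from_ip": ip_m.group(0) if ip_m else None,
        "by": m.group("by"),
        "time": parsedate_to_datetime(ts) if ts else None,
    }


def hops_origin_first(raw):
    """Received headers are prepended, so reversing gives origin -> final hop."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops = [h for h in hops if h]
    hops.reverse()
    return hops


def find_injection_point(hops, trusted_ips):
    """First hop (origin-first) whose connecting IP is outside the trusted set."""
    for h in hops:
        if h["from_ip"] not in trusted_ips:
            return h
    return None


def clock_anomalies(hops, tolerance_s=60):
    """Pairs of consecutive hops where the earlier hop's stamp is later than
    the next hop's by more than the tolerance (clock skew or forged line)."""
    out = []
    for earlier, later in zip(hops, hops[1:]):
        if earlier["time"] and later["time"]:
            skew = (earlier["time"] - later["time"]).total_seconds()
            if skew > tolerance_s:
                out.append((earlier["by"], later["by"], int(skew)))
    return out


if __name__ == "__main__":
    hops = hops_origin_first(RAW_HEADER)
    for i, h in enumerate(hops):
        print(f"hop {i}: {h['from_ip']} ({h['helo']}) -> {h['by']} at {h['time']}")
    inj = find_injection_point(hops, TRUSTED_IPS)
    print("entered trusted path at:", inj["by"], "from", inj["from_ip"])
    for a, b, s in clock_anomalies(hops):
        print(f"clock skew: {a} stamped {s}s later than the next hop {b}")
```

Run against this header the script reports that the message entered at mail.dvsno.org from 89.216.228.229, and that every later hop is consistent with the whitelisted relay path into mydomain.com. That narrows the question in the post to one record: the entry in mail.dvsno.org's own SMTP log for that connection at 10:04:38 local time. If the server accepted the message for an external recipient without authentication, it is relaying; if it logged an authenticated session as connie, the account's credentials are compromised. The header alone cannot distinguish the two.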

2 total posts (Page 1 of 1)  
All Answers

Probably

by oldbaritone In reply to Decipher Email Header On ...

a hacked email account or server. The spammers figured out a way to validate themselves to dvsno.org and convince the mail server to forward SPAM for them. One way it happens is with keyloggers, and there are many others.

dvsno.org needs to start by changing passwords and reviewing security policies for email.
