Decipher Email Header On A Spam Email

By gdkmlt ·
Hello, I am trying to decipher the below Internet Header. The email is Spam. (IP Address ? is a friendly organization who has been added to our spam filter whitelist.

Our Symantec Mail Security for SMTP(IP Address - logs identify this email as this:
Accepted From: Organizations IP)
Sender: (Legitimate user at Friendly Organization)
Recipient: (Legitimate user at My domain)

Our Exchange Server(IP Address ? Message Tracking identifies this email as this:
Return Path:
Recipient: did not knowingly send this email.

So, is an open relay or is it a spam bot client? Or did a spammer just spoof the sender email address and IP address? is not being blacklisted according to mxtoolbox.

Also, looking at the header, you will see ip address This ip address does show up as being blacklisted.

Note: All of the domains & IP addresses have been altered, except the spammers address ?

Now for the Header:
Received: from ( by (
with Microsoft SMTP Server id 8.1.393.1; Wed, 10 Mar 2010 10:01:18 -0800
X-AuditI 0a010104-000016d400000bdc-52-4b97de6e4690
Received: from ([]) by with
Microsoft SMTPSVC(6.0.3790.3959); Wed, 10 Mar 2010 10:01:17 -0800
Received: from [] ([]) by with
Microsoft SMTPSVC(6.0.3790.3959); Wed, 10 Mar 2010 10:04:38 -0800
From: Pfizer shopping portal <>
To: <>
Subject: Crazy 80% Discount for CPen
Date: Wed, 10 Mar 2010 19:01:34 +0100
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
Message-I <>
X-OriginalArrivalTime: 10 Mar 2010 18:04:38.0812 (UTC) FILETIME=[2683A5C0:01CAC07C]
X-Brightmail-Tracker: AAAAAA==

Thank you,

This conversation is currently closed to new comments.

1 total post (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Answers

Collapse -


by oldbaritone In reply to Decipher Email Header On ...

a hacked email account or server. The spammers figured out a way to validate themselves to and convince the mail server to forward SPAM for them. One way it happens is with keyloggers, and there are many others. needs to start by changing passwords and reviewing security policies for email.

Back to Networks Forum
1 total post (Page 1 of 1)  

Related Discussions

Related Forums