Decipher Email Header On A Spam Email - TechRepublic
Question
March 11, 2010 at 12:35 PM
gdkmlt

Decipher Email Header On A Spam Email

by gdkmlt. Updated 16 years, 3 months ago

Hello, I am trying to decipher the below Internet Header. The email is Spam.

Mail.dvsno.org (IP Address – 171.164.31.13) is a friendly organization that has been added to our spam filter whitelist.

Our Symantec Mail Security for SMTP(IP Address – 10.1.3.4) logs identify this email as this:
Accepted From: 171.164.31.13(Friendly Organizations IP)
Sender: connie@dvsno.org (Legitimate user at Friendly Organization)
Recipient: CPen@mydomain.com (Legitimate user at My domain)

Our Exchange Server (IP Address – 10.1.3.5) Message Tracking identifies this email as this:
Return Path: connie@dvsno.org
Sender: connie@dvsno.org
Recipient: CPen@mydomain.com

connie@dvsno.org did not knowingly send this email.

So, is dvsno.org an open relay or is it a spam bot client? Or did a spammer just spoof the sender email address and IP address? Dvsno.org is not being blacklisted according to mxtoolbox.

Also, looking at the header, you will see ip address 89.216.228.229. This ip address does show up as being blacklisted.

Note: All of the domains & IP addresses have been altered, except the spammer's address – 89.216.228.229.

Now for the Header:
Received: from smtp.mydomain.com (10.1.3.4) by smtp.mydomain.com (10.1.3.5)
with Microsoft SMTP Server id 8.1.393.1; Wed, 10 Mar 2010 10:01:18 -0800
X-AuditID: 0a010104-000016d400000bdc-52-4b97de6e4690
Received: from mail.dvsno.org ([171.164.31.113]) by smtp.mydomain.com with
Microsoft SMTPSVC(6.0.3790.3959); Wed, 10 Mar 2010 10:01:17 -0800
Received: from [89.216.228.229] ([89.216.228.229]) by mail.dvsno.org with
Microsoft SMTPSVC(6.0.3790.3959); Wed, 10 Mar 2010 10:04:38 -0800
From: Pfizer shopping portal
To:
Subject: Crazy 80% Discount for CPen
Date: Wed, 10 Mar 2010 19:01:34 +0100
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
Return-Path: connie@dvsno.org
Message-ID:
X-OriginalArrivalTime: 10 Mar 2010 18:04:38.0812 (UTC) FILETIME=[2683A5C0:01CAC07C]
X-Brightmail-Tracker: AAAAAA==

Thank you,
Greg
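
Reading the Received chain above programmatically, as an added example that is not part of the original post or any reply to it. Received: headers are prepended by each MTA, so the bottom line is the first hop and the top line is the last, and each line is written by the server named after "by". Only the line stamped by your own MTA can be trusted, and the address in its "from" clause is the TCP peer that actually connected; everything below it was written by someone else's server. Applied to the posted header, that reading says: smtp.mydomain.com (the poster's own server) recorded a connection from mail.dvsno.org at 171.164.31.113, so that IP was not spoofed at the hop into the poster's domain; the line stamped by mail.dvsno.org says it in turn accepted the message from 89.216.228.229, whose HELO was a bare IP literal. The header alone cannot say whether dvsno.org relayed it as an open relay, through a compromised or authenticated account, or whether the bottom line was forged before the message reached dvsno.org; that distinction needs dvsno.org's own logs. The script also reports the time delta between consecutive stamps: a negative value (here, dvsno.org's stamp is 3 min 21 s later than the next hop's) means the two clocks disagree or a header was inserted, so it is a flag rather than a measurement. The sample header is the posted one with folding whitespace restored on the continuation lines; the host names and addresses are the poster's altered values, and `our_hosts` is a parameter I introduce for the names of the MTAs you control.

```python
"""Walk an e-mail's Received: chain from origin to final delivery.

Received: headers are prepended by each MTA, so the bottom one is the first
hop and the top one is the last.  Each line is written by the server named
after "by"; only the line stamped by your own MTA can be trusted, and the
address in its "from" clause is the TCP peer that actually connected.
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the header from the post above, trimmed to the hop
# lines, with RFC 5322 folding whitespace restored on continuation lines.
SAMPLE_HEADER = """\
Received: from smtp.mydomain.com (10.1.3.4) by smtp.mydomain.com (10.1.3.5)
 with Microsoft SMTP Server id 8.1.393.1; Wed, 10 Mar 2010 10:01:18 -0800
X-AuditID: 0a010104-000016d400000bdc-52-4b97de6e4690
Received: from mail.dvsno.org ([171.164.31.113]) by smtp.mydomain.com with
 Microsoft SMTPSVC(6.0.3790.3959); Wed, 10 Mar 2010 10:01:17 -0800
Received: from [89.216.228.229] ([89.216.228.229]) by mail.dvsno.org with
 Microsoft SMTPSVC(6.0.3790.3959); Wed, 10 Mar 2010 10:04:38 -0800
From: Pfizer shopping portal
Subject: Crazy 80% Discount for CPen
Date: Wed, 10 Mar 2010 19:01:34 +0100
Return-Path: connie@dvsno.org

"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# "from <helo> (<what the receiver saw>) by <receiver> ..."; the parenthesised
# part is optional because some MTAs omit it.
RECEIVED = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(raw_header):
    """Return the hops in transit order (origin first)."""
    msg = message_from_string(raw_header)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = re.sub(r"\s+", " ", value).strip()
        m = RECEIVED.search(value)
        if not m:
            continue
        # Prefer the receiver's own observation over the HELO name,
        # which the sender chooses.
        observed = IPV4.search(m.group("info") or "") or IPV4.search(m.group("helo"))
        timestamp = None
        if ";" in value:
            timestamp = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        hops.append({
            "helo": m.group("helo"),
            "ip": observed.group(1) if observed else None,
            "by": m.group("by").lower(),
            "time": timestamp,
        })
    return hops


def hop_delays(hops):
    """Seconds between consecutive stamps; negative means the clocks disagree
    (or a lower header was forged), so treat it as a flag, not a measurement."""
    return [
        int((b["time"] - a["time"]).total_seconds())
        for a, b in zip(hops, hops[1:])
        if a["time"] and b["time"]
    ]


def analyze(raw_header, our_hosts):
    """Summarise the chain relative to the MTAs we control (our_hosts, a
    hypothetical parameter: the host names our own servers write after "by")."""
    hops = parse_received(raw_header)
    ours = {h.lower() for h in our_hosts}
    # First hop stamped by one of our servers: its "from" IP is the peer that
    # really connected to us.  Everything before it was written by other
    # people's servers and is only as honest as they are.
    handoff = next((h for h in hops if h["by"] in ours), None)
    origin = hops[0] if hops else None
    return {
        "origin_ip": origin["ip"] if origin else None,
        "origin_helo_is_ip_literal": bool(origin and origin["helo"].startswith("[")),
        "relayed_by": handoff["helo"] if handoff else None,
        "handoff_ip": handoff["ip"] if handoff else None,
        "hop_delays_s": hop_delays(hops),
    }


if __name__ == "__main__":
    for i, hop in enumerate(parse_received(SAMPLE_HEADER)):
        print(f"hop {i}: {hop['helo']} [{hop['ip']}] -> {hop['by']} at {hop['time']}")
    print(analyze(SAMPLE_HEADER, {"smtp.mydomain.com"}))
```

Run as-is it lists the three hops origin first and reports origin_ip 89.216.228.229, relayed_by mail.dvsno.org, handoff_ip 171.164.31.113, origin_helo_is_ip_literal True and hop_delays_s [-201, 1]. Whitelisting a partner by source IP, as the post describes, means anything that partner's server relays bypasses the filter, so the handoff IP is exactly the address a whitelist should never be the sole check on.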
