Web Hosting Talk

Detecting spammer IP


NightMan
06-15-2002, 06:38 PM
Hi,
I am getting many spam bounce mails today. Here is the header from one file. Can anyone tell me which IP is really sending the spam? I am a bit confused with the different IPs.
-------
Received: from bigfoot.com (mail.bigfoot.com [64.15.239.140]) by amsmsx02.gorillapark.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2655.55)
id MGJ0LX6P; Sat, 15 Jun 2002 04:36:05 +0200
Received: from pop.sunbeltengineering.com ([64.105.59.76])
by BFLITEMAIL3A.bigfoot.com (LiteMail v3.02(BFLITEMAIL3A)) with SMTP id 14Jun2002_BFLITEMAIL3A_34882_108382178;
Fri, 14 Jun 2002 22:36:04 -0400 EST
Received: from chorus3.cern.ch ([206.104.54.4]) by pop.sunbeltengineering.com with Microsoft SMTPSVC(5.0.2195.2966);
Fri, 14 Jun 2002 22:36:02 -0400
Message-ID: <000072b103ab$000048e4$00001db9@cic.cl>
From: dancemc@hotmail.com
Reply-To: dancemc@hotmail.com
To: jeslie@buysellphones.com, psico@aircraftsys.com, ndahl@buyfonts.com,
lneiswanger@yahoo.com, ruder@industech.com, hb@beer.com
Cc: mccourry@startmarketing.com, usri@de-water.com,
mccourry@starsbasketball.com, lneiswender@yahoo.com,
lneiswender@hotmail.com, kda@gfainc.com
Subject: Lose Weight Without Dieting 1839
Date: Sat, 15 Jun 2002 16:46:18 +0200
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----_=_NextPart_001_01C21415.681B8D20"
This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.

------_=_NextPart_001_01C21415.681B8D20
Content-Type: text/plain;
charset="windows-1252"
Content-Transfer-Encoding: quoted-printable

-------

roly
06-15-2002, 07:35 PM
64.15.239.140
http://www.samspade.org/t/lookat?a=64.15.239.140 may also be useful too

taz0
06-16-2002, 12:47 AM
run it through spamcop.net for more details

Scotty_B
06-16-2002, 09:41 AM
Originally posted by roly
64.15.239.140
http://www.samspade.org/t/lookat?a=64.15.239.140 may also be useful too

/me thinks you're reading the headers totally wrong

AQHost
06-16-2002, 11:00 AM
The original sending IP was 206.104.54.4. That's in an IP block assigned to Sprint and sub-let to:

Ace Trucking,
1172 147TH AVENUE
MOLINE, MI 49335
US

64.15.239.140 is just the IP of mail.bigfoot.com which happened to be the last forwarding mail server. Please don't blacklist it!

Best wishes,
Simon
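
As an added illustration of the point Simon makes above (example code written for this page, not from the thread or any poster): the parser below unfolds the Received headers NightMan posted, lists each hop newest-first, and returns the innermost sender (206.104.54.4) as well as the last sending IP you can actually verify given relay domains you trust. The trusted-domain list is an assumed input; any Received line below the first one written by a server you control can have been forged by the spammer, which is why the innermost IP is only as good as the relays that wrote it. The same parser handles the HELO-style Received line in the bounce later in the thread.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: the Received chain from the header posted above, folded as posted.
SPAM_HEADERS = (
    "Received: from bigfoot.com (mail.bigfoot.com [64.15.239.140]) by amsmsx02.gorillapark.com"
    " with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2655.55)\n"
    "\tid MGJ0LX6P; Sat, 15 Jun 2002 04:36:05 +0200\n"
    "Received: from pop.sunbeltengineering.com ([64.105.59.76])\n"
    "\tby BFLITEMAIL3A.bigfoot.com (LiteMail v3.02(BFLITEMAIL3A)) with SMTP id 14Jun2002_BFLITEMAIL3A_34882_108382178;\n"
    "\tFri, 14 Jun 2002 22:36:04 -0400 EST\n"
    "Received: from chorus3.cern.ch ([206.104.54.4]) by pop.sunbeltengineering.com with Microsoft SMTPSVC(5.0.2195.2966);\n"
    "\tFri, 14 Jun 2002 22:36:02 -0400\n"
)

HOP_RE = re.compile(r"from\s+(?P<from>.+?)\s+by\s+(?P<by>[\w.\-]+)", re.I)  # "from <sender> by <host>"
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def unfold(headers: str) -> List[str]:
    lines: List[str] = []
    for raw in headers.splitlines():
        if raw[:1] in (" ", "\t") and lines:  # folded continuation line: glue it to its header
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw)
    return lines

def received_hops(headers: str) -> List[Tuple[str, str]]:
    """(sending IP, receiving host) for each Received header, newest hop first."""
    hops = []
    for line in unfold(headers):
        m = HOP_RE.search(line) if line.lower().startswith("received:") else None
        ip = IPV4_RE.search(m.group("from")) if m else None  # first IP in the sender part
        if ip:
            hops.append((ip.group(0), m.group("by").lower()))
    return hops

def origin_ip(headers: str) -> Optional[str]:
    """Innermost hop: the IP that injected the message, if no Received line was forged."""
    hops = received_hops(headers)
    return hops[-1][0] if hops else None

def last_verifiable_ip(headers: str, trusted_domains: List[str]) -> Optional[str]:
    """Walk down from the top while the receiving host is trusted; return the sender IP of the last such hop."""
    last = None
    for ip, by in received_hops(headers):
        if not any(by == d or by.endswith("." + d) for d in trusted_domains):
            break
        last = ip
    return last
```

With only your own domain trusted, the verifiable sender is the last forwarding relay (64.15.239.140 here), which is exactly the address not to blacklist; trusting bigfoot.com as well moves the boundary one hop inward.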

ADEhost
06-16-2002, 01:08 PM
I use bigfoot all the time. Personally, I would like to see bigfoot blacklisted; maybe they would upgrade their spam prevention.

Mike

NightMan
06-16-2002, 01:28 PM
No, I just don't want to blacklist mail.bigfoot.com, but I'm just wondering how these mails have been going through them for such a long time.

Anyway, it is more worrying why this is landing at my server... I have nothing to do with these mail IDs or the IPs. I'm thinking that someone is relaying on my server.

AQHost
06-16-2002, 02:15 PM
Is 64.105.59.76 an IP that belongs to one of your servers?

Simon

NightMan
06-16-2002, 02:43 PM
No, that does not belong to our server at all.

NightMan
06-16-2002, 02:55 PM
Here is another header:

Here is a complete bounced mail with headers.
Only the first line, showing the qmail at "myserver.com", is from our mail server.

Initially I thought someone was spamming one of our clients' mail addresses, but none of these mail IDs exist in our client base on the server, and I got suspicious about the bounced mails, since hundreds of them bounced to our server. The server is running with SMTP authentication. I also tried to scan the client log files to find out whether they are using any scripts for spamming, but found nothing.

Any suggestions?
----------------------------------------------------------

Hi. This is the qmail-send program at myserver.com.
I tried to deliver a bounce message to this address, but the bounce bounced!

<sexqjvppcsg@inmail.sk>:
62.168.63.132 does not like recipient.
Remote host said: 550 unknown user <sexqjvppcsg@inmail.sk>
Giving up on 62.168.63.132.

--- Below this line is the original bounce.

Return-Path: <>
Received: (qmail 30792 invoked from network); 14 Jun 2002 23:44:02 -0000
Received: from zwl1-p27.worldonline.nl (HELO gorillapark.com) (195.241.133.27)
by dp.aekea.com with SMTP; 14 Jun 2002 23:44:02 -0000
Date: Sat, 15 Jun 2002 01:40:25 +0100
From: Mail Delivery Subsystem <MAILER-DAEMON@gorillapark.com>
Message-Id: <200206150140.ZVW17212@mx1.gorillapark.com>
To: <sexqjvppcsg@inmail.sk>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="ZVW17212.1024099200/mx1.gorillapark.com"
Subject: Returned mail: User unknown
Auto-Submitted: auto-generated (failure)

This is a MIME-encapsulated message

--ZVW17212.1024099200/mx1.gorillapark.com

The original message was received at Sat, 15 Jun 2002 01:40:25 +0100
from mail.bigfoot.com [64.15.239.140]

----- The following addresses had permanent fatal errors -----
<henrik@gorillapark.com>
(expanded from: <henrik@gorillapark.com>)

----- Transcript of session follows -----
mail.local: unknown name: henrik
550 <henrik@gorillapark.com>... User unknown

--ZVW17212.1024099200/mx1.gorillapark.com
Content-Type: message/delivery-status

Reporting-MTA: dns; mx1.gorillapark.com
Received-From-MTA: DNS; mail.bigfoot.com
Arrival-Date: Sat, 15 Jun 2002 01:40:25 +0100

Final-Recipient: RFC822; <henrik@gorillapark.com>
X-Actual-Recipient: RFC822; henrik@gorillapark.com
Action: failed
Status: 5.1.1
Last-Attempt-Date: Sat, 15 Jun 2002 01:40:25 +0100

--ZVW17212.1024099200/mx1.gorillapark.com
Content-Type: message/rfc822

Received: from bigfoot.com (mail.bigfoot.com [64.15.239.140]) by amsmsx02.gorillapark.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2655.55)
id MGJ0LXXD; Sat, 15 Jun 2002 01:33:43 +0200
Received: from localhost.localdomain ([4.21.134.55])
by BFLITEMAIL3A.bigfoot.com (LiteMail v3.02(BFLITEMAIL3A)) with SMTP id 14Jun2002_BFLITEMAIL3A_34874_131609920;
Fri, 14 Jun 2002 19:33:40 -0400 EST
Message-ID: <1024090283.3161@localhost.localdomain>
From: sexqjvppcsg@inmail.sk
Reply-To: sexpgmsqqyy@inmail.sk
To: hb@bigfoot.com
Subject: DO YOU LIKE FREE PORN!!
Date: Sat, 15 Jun 2002 00:31:23 +0200
hb@bigfoot.com

DO ME NOW!!


FREE PORN ACCESS ALL THE PORN YOU CAN HANDLE!!

DO ME NOW I WANT YOU TO CUM!!!

http://www.freewebland.com/nh57/cc

AQHost
06-16-2002, 03:19 PM
It would really help if we knew what IP(s) belong to your server and/or what the server is named.

Simon