Need to determine where this email came from.. it wasn't sent from my servers... it's weird it only states 66.79.165.30 once. Anyone with previous experience know what's happening? :S Kind regards.

################################################################################
X-Apparently-To: x via 66.163.179.144; Wed, 26 Sep 2007 11:00:52 -0700
X-Originating-IP: [68.230.241.14]
Authentication-Results: mta175.mail.re2.yahoo.com from=cox.net; domainkeys=neutral (no sig)
Received: from 68.230.241.14 (EHLO fed1rmpop110.cox.net) (68.230.241.14) by mta175.mail.re2.yahoo.com with SMTP; Wed, 26 Sep 2007 11:00:52 -0700
Received: from fed1rmimpo01.cox.net ([70.169.32.71]) by fed1rmmtao105.cox.net (InterMail vM.7.08.02.01 201-2186-121-102-20070209) with ESMTP id <20070926175141.MUBZ11358.fed1rmmtao105.cox.net@fed1rmimpo01.cox.net>; Wed, 26 Sep 2007 13:51:41 -0400
Received: from fed1wml11.mgt.cox.net ([172.18.180.10]) by fed1rmimpo01.cox.net with bizsmtp id t5re1X00W0DrMWL0000000; Wed, 26 Sep 2007 13:51:39 -0400
Received: from 66.79.165.30 by webmail.west.cox.net; Wed, 26 Sep 2007 13:51:38 -0400
Date: Wed, 26 Sep 2007 10:51:39 -0700
From: UK NATIONA LOTTERY <gailpmm@cox.net>
Reply-To: mrsjuliaelm@hotmail.com
Subject: Congratulation!!! you have won
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Priority: 3 (Normal)
Sensitivity: Normal

We are pleased to notify you the draw (555) of the FREE LOTTERY, Online Sweepstakes Program held on 28th june,2007 Participants were selected through a computer ballot system drawn from a pool of over 20,000 names of distinguished professionals drawn from all part of the world as part of our international promotions programmed conducted annually.been approved to claim a total sum of =C2=A3500,000.00(Five hundr=
ed thousand pounds)
Contact Our Claims officer Mrs:Julia Elmson Email:mrsjuliaelm@hotmail.com
FULL NAME: SEX: COMPANY: IF ANY FULL CONTACT ADDRESS: AGE: PHONE: CELL: FAX: CITY: STATE: ZIP CODE: COUNTRY: OCCUPATION:
Mode of payment/Bank Transfer or Courier Delivery=20
Your server is with Cox? Where did this spam report come from, from Cox or from your hosting provider? Bailey
Came from SpamCop. And no, my hosting provider isn't Cox... and email sent from my server looks like this:

Return-path: <webmaster@resellerclubtalk.com>
Envelope-to: webmaster@resellerclubtalk.com
Delivery-date: Thu, 27 Sep 2007 05:38:24 +0000
Received: from [66.79.165.30] (helo=mail.resellerclubtalk.com) by tiny.dnsprotect.org with esmtpa (Exim 4.68) (envelope-from <webmaster@resellerclubtalk.com>) id 1Iam4u-0004Cl-HG for webmaster@resellerclubtalk.com; Thu, 27 Sep 2007 05:38:24 +0000
Date: Thu, 27 Sep 2007 05:38:24 +0000
To: webmaster@resellerclubtalk.com
From: ResellerClubTalk.com - Resellerclub Community Forums <webmaster@resellerclubtalk.com>
Auto-Submitted: auto-generated
Message-ID: <200709270529.f00c44303756@www.resellerclubtalk.com>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-Mailer: vBulletin Mail via PHP
Subject: New LinkBack to post 'NYC Realty Domain'

and

Return-Path: <hostmaster@xperthost.com>
Received: from aamtain07-winn.ispmail.ntl.com ([81.103.221.35]) by mtain03-winn.ispmail.ntl.com with ESMTP id <20070927185024.DSGE4213.mtain03-winn.ispmail.ntl.com@aamtain07-winn.ispmail.ntl.com> for <martynjd@ntlworld.com>; Thu, 27 Sep 2007 19:50:24 +0100
Received: from tiny.dnsprotect.org ([66.79.165.30]) by aamtain07-winn.ispmail.ntl.com with ESMTP id <20070927185023.GZYW20945.aamtain07-winn.ispmail.ntl.com@tiny.dnsprotect.org> for <martynjd@ntlworld.com>; Thu, 27 Sep 2007 19:50:23 +0100
Received: from [81.104.99.112] (helo=D5PVNH2J) by tiny.dnsprotect.org with esmtp (Exim 4.68) (envelope-from <hostmaster@xperthost.com>) id 1IayRK-0004bC-LO for martynjd@ntlworld.com; Thu, 27 Sep 2007 18:50:23 +0000
From: <hostmaster@xperthost.com>
To: <martynjd@ntlworld.com>
Subject: test email
Date: Thu, 27 Sep 2007 19:49:40 +0100
Message-ID: <004801c80137$2cd254f0$8676fed0$@com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0049_01C8013F.8E96BCF0"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcgBNykd3sQXTtyxTE+UQq4nOwDndg==
Content-Language: en-gb
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - tiny.dnsprotect.org
X-AntiAbuse: Original Domain - ntlworld.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - xperthost.com
Cheap advertising? I have my own dedicated server chain. But this is the first time I've had a spam email without the information to back it up :S
It has been a few years since I have looked at email headers very closely, but: the Received lines document an email's path, but they are read from bottom to top. So in the first email it looks like the email originated from your server at 66.79.xx.xx and was finally received in a Yahoo email account. But I believe that bottom Received line and the one above it may be faked and that the email really originated from a compromised cox.net user's computer. SpamCop drops you from their list if they don't get more than one complaint about spam from your IP in a 24 hour period. If you continue to have problems, take a look at SpamCop's Dispute Resolution to find out how to report a technical error in their parser. All of this assumes you have properly secured your mail server. If you are unsure you can run an email server relay test. Tom
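The bottom-to-top reading Tom describes can be mechanised. The following is an added example, not code from any poster in this thread: it parses the Received chain of the lottery message quoted above (re-folded onto separate lines; all hostnames and IPs are the ones from the posted headers), checks whether each hop's "by" host reappears as the "from" host of the hop above it, and shows how far down the chain the evidence reaches depending on which receiving hosts you are willing to trust. The trusted-suffix lists passed to `origin_ip` are the analyst's assumption, not something the headers prove.

```python
import re
from email import message_from_string

# Constructed sample: the Received chain of the lottery spam posted in the thread,
# re-folded onto separate lines; unrelated headers and the body are dropped.
SPAM_HEADERS = """\
Received: from 68.230.241.14 (EHLO fed1rmpop110.cox.net) (68.230.241.14)
 by mta175.mail.re2.yahoo.com with SMTP; Wed, 26 Sep 2007 11:00:52 -0700
Received: from fed1rmimpo01.cox.net ([70.169.32.71]) by fed1rmmtao105.cox.net
 (InterMail vM.7.08.02.01 201-2186-121-102-20070209) with ESMTP
 id <20070926175141.MUBZ11358.fed1rmmtao105.cox.net@fed1rmimpo01.cox.net>;
 Wed, 26 Sep 2007 13:51:41 -0400
Received: from fed1wml11.mgt.cox.net ([172.18.180.10]) by fed1rmimpo01.cox.net
 with bizsmtp id t5re1X00W0DrMWL0000000; Wed, 26 Sep 2007 13:51:39 -0400
Received: from 66.79.165.30 by webmail.west.cox.net; Wed, 26 Sep 2007 13:51:38 -0400
From: UK NATIONA LOTTERY <gailpmm@cox.net>
Subject: Congratulation!!!

(body omitted)
"""

# "from <host> (<comments>)... by <host>": the shape every SMTP Received line shares.
HOP_RE = re.compile(
    r"from\s+(?P<from>[^\s;(]+)(?P<extra>(?:\s+\([^)]*\))*)\s+by\s+(?P<by>[^\s;(]+)",
    re.IGNORECASE,
)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HELO_RE = re.compile(r"(?:EHLO|HELO|helo=)\s*(?P<helo>[^\s)]+)", re.IGNORECASE)


def parse_hops(raw_message):
    """Return the Received hops top-down: index 0 is the relay closest to the
    recipient, the last entry is the line written nearest the originator."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        m = HOP_RE.search(flat)
        if m is None:
            continue                            # forms this example does not model
        claimed = m.group("from") + m.group("extra")
        ip = IPV4_RE.search(claimed)
        helo = HELO_RE.search(claimed)
        hops.append({
            "from": m.group("from"),
            "ip": ip.group(1) if ip else None,
            "helo": helo.group("helo") if helo else None,
            "by": m.group("by"),
        })
    return hops


def check_continuity(hops):
    """Each hop's 'by' host should reappear as the 'from' (or HELO) host of the hop
    above it. A hop whose neighbour below does not line up is where lines written
    by someone other than a genuine relay could have been spliced in."""
    result = []
    for i, hop in enumerate(hops):
        below = hops[i + 1] if i + 1 < len(hops) else None
        if below is None:
            linked = None                       # bottom line: nothing to compare
        else:
            names = {hop["from"].lower(), (hop["helo"] or "").lower()}
            linked = below["by"].lower() in names
        result.append({**hop, "linked_to_hop_below": linked})
    return result


def origin_ip(hops, trusted_suffixes):
    """Walk down while the receiving ('by') host is one we trust to write honest
    Received lines. The last trusted hop's 'from' IP is the furthest point the
    evidence supports; everything below it is only the sender's claim."""
    origin = None
    for hop in hops:
        if not hop["by"].lower().endswith(trusted_suffixes):
            break
        origin = hop["ip"]
    return origin


if __name__ == "__main__":
    hops = check_continuity(parse_hops(SPAM_HEADERS))
    for n, hop in enumerate(hops, 1):
        print(f"hop {n}: {hop['from']} ({hop['ip']}) -> {hop['by']} "
              f"linked to hop below: {hop['linked_to_hop_below']}")
    print("trusting only the final receiver:", origin_ip(hops, ("yahoo.com",)))
    print("trusting Cox's internal relays too:", origin_ip(hops, ("yahoo.com", "cox.net")))
```

Run as a script, the continuity check shows the chain lining up only between the two inner Cox relays; the top Yahoo hop and the bottom webmail line do not connect to their neighbours by hostname. If you trust only the Yahoo receiver, the evidence stops at Cox's outbound IP 68.230.241.14; only by also trusting Cox's internal lines does the trail reach 66.79.165.30, which is exactly the judgement call behind the reading above.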
If sendmail is active on your server and you have no restrictions, then someone can send as many emails as they wish using your box as the host. Lock it down, or your server will be reported to big sites like AOL, Hotmail and Gmail and any emails will go to the bulk/spam filters.
Indeed. Based on the headers you provided, the message was relayed through your server -- through a proxy? Are you running a proxy? This is the danger of running proxy servers... bad, bad things can be relayed through your box, and YOU are held liable for the transmission. Proxy servers are generally considered a bad idea, which is why most hosts don't allow them to be run on their network. If you're not knowingly running a proxy on your server, well, now that's a different story: it means your server has likely been compromised and needs a security audit & lockdown. Feel free to PM me if you have any specific questions you don't want to drag through a public forum. Hope this helps!!! Bailey