
Source IP missing from header?


Yo-Popa


I've started getting spam which SpamCop parses as coming from my Domain (CustomMade.com). It looks to me like the spammers have a new way of eliminating source IP address and substituting the IP of the recipient. Is this possible or is the spam really coming from my domain?

It appears to me that this spam came from static24-72-115-169.yorkton.accesscomm.ca but there is no IP in the header except for mine. Here is an example showing just the header with my Email address munged:

Return-Path: <tdqoroyof[at]hotmail.com>
Received: from static24-72-115-169.yorkton.accesscomm.ca (custommade.com [208.234.14.70] (may be forged))
    by custommade.com (8.12.10/8.12.10) with SMTP id l3PEFsK4031073
    for <xxx[at]xxxxxxx>; Wed, 25 Apr 2007 10:15:56 -0400
Message-ID: <811701c78742$df1bbc91$ba0d5b8b[at]hotmail.com>
From: tdqoroyof[at]hotmail.com
To: xxx[at]xxxxxxxx
Subject: =?windows-1251?B?z+7s7ubl7CDxIPDl6uvg7O7p?=
Date: Wed, 25 Apr 2007 14:03:29 +0000
MIME-Version: 1.0
Content-Type: multipart/related;
    type="multipart/alternative";
    boundary="----=_NextPart_000_0000_B1468237.EB16C9FD"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express V6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-UIDL: +Im!!K]l"!Y]A!!M"Q"!


Is that IP address by any chance the IP for a web server that you operate? It is quite possible that they are somehow abusing a feedback form on the site to send you spam from your own website.

Yes, that IP is my mail server. I do not have any forms on my website. There probably is a formMail in the CGI bin.

If those are the only headers on the message, then your mailserver put them there.

by custommade.com (8.12.10/8.12.10) with SMTP id l3PEFsK4031073 for <xxx[at]xxxxxxx>; Wed, 25 Apr 2007 10:15:56 -0400

Are there any other logs you can see this connection with (firewall or SMTP, for instance) to confirm the message was/was not sent internal? How do these headers compare with valid messages coming through normal channels?

P.S. With this post, this thread will be moved into the Lounge. Not sure if it is a reporting problem (did you receive this spam and are trying to report it) or a blocklist problem (you got this spam report and are trying to explain it).


Where did my mail server get the part "Received: from static24-72-115-169.yorkton.accesscomm.ca"?

Normally the headers from normal channels have the source IP address and Spamcop parses them easily.

I report a lot of spam daily but in this case I'm trying to figure out if my server is being used to send spam, possibly to others.


A normal (simple) mail conversation goes:

telnet host 25
helo (or ehlo) MYHOSTNAME
mail from: <MY EMAIL ADDRESS>
rcpt to: <YOUR EMAIL ADDRESS>
data
...

static24-72-115-169.yorkton.accesscomm.ca would have been in place of MYHOSTNAME and can be whatever the sending side wants it to be. By RFC, it should be the FQDN of the host sending the message, but getting spammers to follow the RFCs is like....

The IP address is the only trustable information because it is generated by your server AND needs to send information and get replies back from that same IP for the transmission to work correctly.

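An added example, not code from any poster in this thread, that applies the point above to the Received line quoted earlier: it unfolds the sendmail-style clause, keeps the sender-chosen HELO name apart from the IP taken from the TCP connection, and reports whether the only trustworthy field points back at the receiving server itself. The sample header and the set of "own" IPs are constructed from values quoted in the thread.

```python
import re

# Constructed sample: the Received line quoted in this thread, re-folded as
# it would appear in a raw message (continuation lines start with whitespace).
SAMPLE_RECEIVED = (
    "Received: from static24-72-115-169.yorkton.accesscomm.ca "
    "(custommade.com [208.234.14.70] (may be forged))\n"
    "\tby custommade.com (8.12.10/8.12.10) with SMTP id l3PEFsK4031073\n"
    "\tfor <xxx[at]xxxxxxx>; Wed, 25 Apr 2007 10:15:56 -0400"
)

# sendmail-style "from HELO (rDNS [ip] (may be forged)) by HOST" clause.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+"                 # HELO/EHLO name, chosen by the sender
    r"\((?P<rdns>[^\s\[]+)\s+"                 # name from reverse DNS of the socket peer
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"     # peer IP, taken from the TCP connection
    r"(?P<forged>\s*\(may be forged\))?\)"     # sendmail adds this when rDNS does not resolve back
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

def parse_received(header):
    """Unfold a Received header and split it into its trust-relevant parts."""
    body = header.split(":", 1)[1] if header.lower().startswith("received:") else header
    m = RECEIVED_RE.search(" ".join(body.split()))
    if not m:
        return None
    return {
        "helo": m.group("helo"),
        "rdns": m.group("rdns"),
        "ip": m.group("ip"),
        "by": m.group("by"),
        "rdns_forged": m.group("forged") is not None,
    }

def assess_origin(parsed, own_ips):
    """Decide what the header proves, trusting only the socket-derived IP."""
    if parsed is None:
        return "unparsed"
    if parsed["ip"] in own_ips:
        # The only trustworthy field says the connection came from your own
        # host: the HELO name is not evidence of origin, so the next place to
        # look is local (CGI/formmail scripts, webmail, relay configuration).
        return "injected-locally"
    if parsed["rdns_forged"] or parsed["helo"].lower() != parsed["rdns"].lower():
        return "external-helo-mismatch"
    return "external-consistent"
```

Running it on the thread's header with own_ips set to {"208.234.14.70"} yields "injected-locally", which matches the advice here to check the server's own logs and scripts rather than the HELO name.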

ns0.aitcom.net reports the following MX records:

Preference  Host Name             IP Address
10          custommade.com        216.117.131.69
20          mail.custommade.com   216.117.131.69

Then I/we get confused again by some of the SenderBase data that I still can't get anyone there to explain to me ...

http://www.senderbase.org/search?searchBy=...g=208.234.14.70

Volume Statistics for this IP

              Magnitude   Vol Change vs. Average
Last day      3.1         -89%
Last 30 days  2.0         -99%
Average       4.0

Date of first message seen from this address: 2003-11-04

No address list shown since no email was detected from custommade.com.

But then I/we look at http://www.senderbase.org/search?searchBy=...=custommade.com

Volume Statistics for this Domain

              Magnitude   Vol Change vs. 30 Day
Last day      3.1         1151%
Last 30 days  2.0

Date of first message seen from this domain: 2005-07-22

No address list shown since no email was detected from custommade.com.

At any rate, from what has been stated thus far, the next source of data needed would be something from the access logs to see just who is tapping into something that would be capable of sending an e-mail ...
