On Sat, Mar 30, 2013 at 9:29 AM, Simon Waters wrote:

[an explanation better than anything I could have written]

A few additions:

> Received: from localhost ([127.0.0.1] helo=pi.a-squared.co.uk)
>       by pi.a-squared.co.uk with esmtp (Exim 4.72)
>       (envelope-from <list-bounces@xxxxxxxxxxxxx>)
>       id 1ULq16-0004WK-Fv; Sat, 30 Mar 2013 07:15:56 +0000
>
> Hmm that is slightly odd for a normal email, Pi got it from "localhost",
> again I trust Pi, so presumably it is sent from a script (the DCGLUG
> mailing list software), but also you might see spam filters or virus
> checkers sending email from localhost.

localhost is the reverse DNS of the IP address 127.0.0.1, which indeed merely
shows that the email was passed on from one script to another on a local
machine. Mailman does that, but it is also common for spam filters to pass the
email around a few times before sending it on. If you see 'localhost' as the
HELO domain for a non-local connection, you can be rather certain that the
email is spam - and that the spammer isn't particularly good at his job.

> Received: from [213.246.94.96] (helo=[192.168.2.33])
>       by smtp.hosts.co.uk with esmtps (TLSv1:CAMELLIA256-SHA:256)
>       (Exim 4.72) (envelope-from <tompotts@xxxxxxxxxxxxxxxxxxxxxx>)
>       id 1ULq15-0001xV-7z
>       for list@xxxxxxxxxxxxx; Sat, 30 Mar 2013 07:15:55 +0000
>
> Okay so smtp.hosts.co.uk is not known to me (well let's pretend so
> anyway), and a suspiciously generic server name. But a quick check with
> dig, and whois, show the domain and address are both registered to
> "NAMESCO" who are a reputable UK company. So I'm inclined to trust they
> are accurate.
>
> The "helo" here is suspicious. 192.168.2.33 is an RFC1918 reserved
> private address. HELO is supposed to be unique. My email server would
> probably (it weighs its options) reject an incoming email with such a
> "HELO".
>
> In this case it would appear to be okay, since it is the first Received
> header, so an example of email being injected at the origin as we expect
> with SMTP; such a record in the middle of a list of Received headers
> might suggest fakery. The IP address 213.245.94.96 is in NAMESCO-DSL7,
> so seems likely it is an ADSL line.

The final 's' in esmtps shows that this was an authenticated SMTP connection,
so probably a mail client connecting to the provider's SMTP server with a
username and password. Because of this authentication, the otherwise
suspicious HELO doesn't really matter.

> Some spam filters check Received headers for known spam sources, but
> faking them would only allow you to add known spam sources, so would
> only increase, and not decrease, your chance of spam being filtered as spam.

You have to be very cautious though. A common mistake is to find "spam sending
IP addresses" in one of the Received headers, while that IP is merely a dynamic
IP address connecting to the provider's SMTP server. 213.245.94.96 (listed by,
a.o., SORBS as a dynamic IP address) is a good example of that.

Martijn.

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
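As an added illustration, not part of the thread, here is a small Python script that parses Received: lines like the two quoted above and applies the HELO rules discussed: a 'localhost' HELO from a non-local address, and an RFC1918 HELO that is expected at the origin hop but suspicious further up the chain. The sample headers are constructed from the quoted ones and the function names are my own.

```python
import ipaddress
import re

# Constructed sample, topmost hop first: servers prepend Received: lines,
# so the last entry is the origin hop. Values follow the headers quoted above.
SAMPLE_RECEIVED = [
    "from localhost ([127.0.0.1] helo=pi.a-squared.co.uk) by pi.a-squared.co.uk "
    "with esmtp (Exim 4.72) id 1ULq16-0004WK-Fv; Sat, 30 Mar 2013 07:15:56 +0000",
    "from [213.246.94.96] (helo=[192.168.2.33]) by smtp.hosts.co.uk with esmtps "
    "(TLSv1:CAMELLIA256-SHA:256) (Exim 4.72) id 1ULq15-0001xV-7z; Sat, 30 Mar 2013 07:15:55 +0000",
]

HOP_RE = re.compile(r"from\s+(?P<src>.*?)\s+by\s+(?P<by>\S+)\s+with\s+(?P<proto>\S+)", re.S)
IP_RE = re.compile(r"(?<!helo=)\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # bracketed IP not after helo=
HELO_RE = re.compile(r"helo=\[?([^\s\])]+)")


def parse_hop(header):
    """Pull connecting IP, HELO name, receiving host and protocol out of one Received: line."""
    m = HOP_RE.search(header)
    if not m:
        return None
    src = m.group("src")
    ip, helo = IP_RE.search(src), HELO_RE.search(src)
    return {"ip": ip.group(1) if ip else None,
            "helo": helo.group(1) if helo else src.split()[0],
            "by": m.group("by"), "proto": m.group("proto"), "findings": []}


def check_hops(headers):
    """Apply the thread's HELO rules; hops[-1] is the origin (first Received: added)."""
    hops = [h for h in (parse_hop(x) for x in headers) if h]
    for i, hop in enumerate(hops):
        is_origin = i == len(hops) - 1
        ip = ipaddress.ip_address(hop["ip"]) if hop["ip"] else None
        try:
            helo_ip = ipaddress.ip_address(hop["helo"])
        except ValueError:
            helo_ip = None  # HELO was a hostname, not an address literal
        if hop["helo"] == "localhost" and ip is not None and not ip.is_loopback:
            hop["findings"].append("HELO 'localhost' from a non-local address: almost certainly spam")
        if helo_ip is not None and helo_ip.is_private:
            hop["findings"].append(
                "RFC1918 HELO at origin: client submitting via its provider" if is_origin
                else "RFC1918 HELO mid-chain: possible forged Received header")
    return hops


if __name__ == "__main__":
    for hop in check_hops(SAMPLE_RECEIVED):
        print(hop)
```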