Joe Mocerino asked:
We are using SmarterMail 11.2 and are receiving spam from senders in our address book (name only, different email). In the header I see “Received: from localhost” and other suspicious things. In the past this would be a compromised email account, but we have changed passwords and don't believe that is the case here.
NOTE: “[NAME FROM MY ADDRESS BOOK]” is a display name I recognize; the email address is not.
Return-Path: <firstname.lastname@example.org>
Received: from lead.intertech.net (Lead.intertech.net [188.8.131.52]) by dns19.tntsupport.net with SMTP; Mon, 13 May 2013 10:09:39 -0500
Received: from localhost (lead.intertech.net [127.0.0.1]) by lead.intertech.net (interTECH) with ESMTP id 8668663E92B for <MY EMAIL ADDRESS>; Mon, 13 May 2013 09:02:18 -0600 (MDT)
X-Virus-Scanned: amavisd-new at lead.intertech.net
Received: from lead.intertech.net ([127.0.0.1]) by localhost (lead.intertech.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Di0eiZ8JSOQr for <MY EMAIL ADDRESS>; Mon, 13 May 2013 09:02:17 -0600 (MDT)
Received: from localhost (unknown [184.108.40.206]) by lead.intertech.net (interTECH) with ESMTPSA id 835F063E8F6 for <MY EMAIL ADDRESS>; Mon, 13 May 2013 09:02:14 -0600 (MDT)
From: [NAME FROM MY ADDRESS BOOK] <email@example.com>
Reply-To: [NAME FROM MY ADDRESS BOOK] <firstname.lastname@example.org>
Subject: Fwd: for [MY FIRST NAME]
To: <MY EMAIL ADDRESS>
MIME-Version: 1.0
Date: Mon, 13 May 2013 08:02:46 -0800 (PST)
Content-Type: text/plain; charset=us-ascii
Message-Id: <20130513150216.835F063E8F6@lead.intertech.net>
X-SmarterMail-Spam: Commtouch 0 [value: Unknown], SPF_Pass, DK_None, DKIM_None, Custom Rules , HostKarma - Whitelist
X-CTCH-RefId: str=0001.0A010209.5191025B.003C:SCFSTAT14621567,ss=1,re=-4.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
X-SmarterMail-TotalSpamWeight: 0

hey. what do you think about this? http://www.35lezarts.fr/advertisingbunchbriangordon/
Sent from my iPhone
You can't necessarily believe anything in the Received: headers, except the one that corresponds to the mail server that directly spoke to your mail server. These are trivial to fake. However, the one added by your own server is certainly real enough.
Reading this, I would believe that the valid Received: header corresponding to receipt by your mail server is this one:
Received: from lead.intertech.net (Lead.intertech.net [220.127.116.11]) by dns19.tntsupport.net with SMTP; Mon, 13 May 2013 10:09:39 -0500
Since the listed abuse contact for 18.104.22.168 is email@example.com and it seems to be PI address space, I'd suggest just blackholing them, unless you actually know who this company is. In that case, you should call them and find the right person to yell at.
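The answer's method of reading the chain can be turned into a small checker. The script below is an added example and not code from the thread or from SmarterMail: it parses every Received: header of a message, treats the first one written by a host you name as your own server as the only verifiable hop, takes the connecting IP from it, and labels every hop below it as hearsay from the remote side. The sample message is constructed from the headers quoted in the question (already-anonymised addresses kept as they appear there, body replaced); the hostname dns19.tntsupport.net is assumed to be the asker's own server because that is the one the answer points at.

```python
import re
from email import message_from_string

# Constructed sample: the Received: chain from the question above, body dropped.
SAMPLE = """\
Return-Path: <firstname.lastname@example.org>
Received: from lead.intertech.net (Lead.intertech.net [188.8.131.52]) by dns19.tntsupport.net with SMTP; Mon, 13 May 2013 10:09:39 -0500
Received: from localhost (lead.intertech.net [127.0.0.1]) by lead.intertech.net (interTECH) with ESMTP id 8668663E92B for <MY EMAIL ADDRESS>; Mon, 13 May 2013 09:02:18 -0600 (MDT)
X-Virus-Scanned: amavisd-new at lead.intertech.net
Received: from lead.intertech.net ([127.0.0.1]) by localhost (lead.intertech.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Di0eiZ8JSOQr for <MY EMAIL ADDRESS>; Mon, 13 May 2013 09:02:17 -0600 (MDT)
Received: from localhost (unknown [184.108.40.206]) by lead.intertech.net (interTECH) with ESMTPSA id 835F063E8F6 for <MY EMAIL ADDRESS>; Mon, 13 May 2013 09:02:14 -0600 (MDT)
From: [NAME FROM MY ADDRESS BOOK] <email@example.com>
Subject: Fwd: for [MY FIRST NAME]
To: <MY EMAIL ADDRESS>
Date: Mon, 13 May 2013 08:02:46 -0800 (PST)

(body omitted)
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"          # name the peer announced in HELO/EHLO (unverified)
    r"(?:\s+\((?P<paren>[^)]*)\))?"  # what the receiving host observed: rDNS and/or [ip]
    r"\s+by\s+(?P<by>\S+)",          # the host that wrote this header
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def parse_received(value):
    """Split one Received: header into helo name, observed rDNS, observed IP and writer."""
    value = " ".join(value.split())  # unfold continuation lines
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    paren = m.group("paren") or ""
    ip = IP_RE.search(paren)
    return {
        "helo": m.group("helo"),
        "rdns": paren.split("[")[0].strip() or None,
        "ip": ip.group(1) if ip else None,
        "by": m.group("by").lower(),
    }


def analyse(raw, our_hosts):
    """Return (trusted_hop, annotated_hops).

    Headers are in top-down order, newest first. The first hop whose 'by'
    host is one of ours is the only one we can vouch for; its observed IP is
    the peer that actually connected to us. Everything below it was written
    by remote systems and can say whatever the sender wants.
    """
    msg = message_from_string(raw)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    ours = {h.lower() for h in our_hosts}
    trusted, report = None, []
    for i, hop in enumerate(hops):
        hop = dict(hop, index=i)
        if trusted is None and hop["by"] in ours:
            hop["trust"] = "trusted: written by our own server"
            trusted = hop
        elif trusted is None:
            # A header above our own server's is not possible for honest mail.
            hop["trust"] = "suspicious: appears above our own server's header"
        else:
            notes = []
            if hop["ip"] in (None, "127.0.0.1", "::1"):
                notes.append("loopback/no IP")
            if hop["rdns"] == "unknown":
                notes.append("no reverse DNS")
            hop["trust"] = "unverifiable: " + (", ".join(notes) or "remote host's own claim")
        report.append(hop)
    return trusted, report


if __name__ == "__main__":
    trusted, report = analyse(SAMPLE, ["dns19.tntsupport.net"])
    print("connecting peer:", trusted["ip"], trusted["rdns"])
    for hop in report:
        print(hop["index"], hop["by"], "<-", hop["helo"], hop["ip"], hop["trust"])
```

Run against the sample, the only trusted hop is the one the answer singles out, with 188.8.131.52 as the connecting peer; the "from localhost" lines that worried the asker all sit below it, so they are the remote relay's record, not evidence about the asker's own server. The last hop's "with ESMTPSA" is the Postfix token for an authenticated, TLS-protected submission, which, if honest, means a client logged in to lead.intertech.net, but that claim is theirs to verify, not yours.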
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.