Possible spoofing causing problems with whitelisting?

Derrick Georgiades dgeorgiades at POWERENG.COM
Tue Apr 15 20:27:30 IST 2003


This is an odd one.  A user received a piece of junk mail today that was
whitelisted; I do not know why it was whitelisted.  Neither the user at
mydomain.com nor the sender is whitelisted.  I do whitelist everything from
*@mydomain.com.  But what is interesting is the Received lines in the
header.  It originates from 191.146.230.212 and claims to be received from
the IP of my server; however, the next Received line has my server IP but
with an IP that was resolved that is not mine.  Then it claims that my server
received it from itself, and then it goes on to my internal Exchange server.
This is not what a typical header looks like for my site.

Below is a copy of the header.  I have changed the DNS name of my server to
"gatewayserver" and the IP to "gatewayserverip".
Any ideas why the email would be whitelisted?  Is there anything suspicious
about the header?

Thanks,
Derrick Georgiades
Power Engineers, Inc.



Received: from gatewayserver by exchangeserver with SMTP (Microsoft Exchange
        Internet Mail Service Version 5.5.2650.21)
        id 2KR7L08K; Tue, 15 Apr 2003 07:21:23 -0600
Received: from gatewayserverip ([61.129.112.58])
        by gatewayserver (8.12.8/8.12.8) with SMTP id h3FDKPpo009805;
        Tue, 15 Apr 2003 07:20:28 -0600 (MDT)
Received: from 0jg9t.j3gm5z.net [191.146.230.212] by gatewayserverip; Tue,
        15 Apr 2003 20:18:03 -0700
Message-ID: <79gcjv90l5977sp0$fs3mac$478$d94 at g137.18.l.bu8l>
From: "Robyn Richey" <cqizj5l0z6e4 at erols.com>
To: user at mydomain.com
Subject: Re:how to make large profits on eBay
Date: Tue, 15 Apr 03 20:18:03 GMT
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="_16B_C_0AC5.5_1BC"
X-MailScanner: Found to be clean
X-MailScanner-Information: Please contact the ISP for more information
X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (score=16.9,
        required 4, CLICK_BELOW_CAPS, DATE_IN_FUTURE_06_12,
        FORGED_MUA_OUTLOOK, FROM_HAS_MIXED_NUMS, HOME_EMPLOYMENT,
        HTML_50_60, HTML_FONT_BIG, HTML_LINK_CLICK_CAPS,
        HTML_LINK_CLICK_HERE, HTML_MESSAGE, HTTP_USERNAME_USED,
        LINES_OF_YELLING, LINES_OF_YELLING_2, LINES_OF_YELLING_3,
        MIME_HTML_NO_CHARSET, MIME_HTML_ONLY, MISSING_MIMEOLE, OPPORTUNITY,
        REMOVE_PAGE, UPPERCASE_25_50, USERPASS, WORK_AT_HOME)

This is a multi-part message in MIME format.

--_16B_C_0AC5.5_1BC
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

--_16B_C_0AC5.5_1BC--
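
The hop described in the post, where the connecting client presents the gateway's own address as its HELO name while the peer address recorded by sendmail is foreign, can be checked mechanically. The Python below is an added example, not part of the original post or of MailScanner; the gateway name, the addresses (documentation ranges) and the sample message are constructed, and it assumes sendmail-style `from HELO ([ip]) by HOST` Received lines.

```python
import re
from email import message_from_string

# Assumed identity of our own gateway (constructed documentation values).
OWN_NAMES = {"gateway.example.org"}
OWN_IPS = {"192.0.2.10"}

# Constructed sample, shaped like the header in the post.
SAMPLE = """\
Received: from gateway.example.org by exchange.example.org with SMTP
\tid ABC123; Tue, 15 Apr 2003 07:21:23 -0600
Received: from 192.0.2.10 ([198.51.100.58])
\tby gateway.example.org (8.12.8/8.12.8) with SMTP id h3FDKPpo000001;
\tTue, 15 Apr 2003 07:20:28 -0600 (MDT)
Received: from relay.invalid [203.0.113.212] by 192.0.2.10; Tue,
\t15 Apr 2003 20:18:03 -0700
From: "Sender" <sender@example.net>
To: user@example.org
Subject: constructed sample

body
"""

# sendmail style: from HELO (rdns [ip]) by HOST; the rdns part is optional.
HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:\S+\s+)?\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)")

def audit_received(raw):
    """Walk Received headers newest first; return (findings, untrusted_lines)."""
    msg = message_from_string(raw)
    findings, untrusted, past_boundary = [], [], False
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())      # unfold continuation lines
        if past_boundary:
            untrusted.append(flat)          # written before our gateway saw it
            continue
        m = HOP.search(flat)
        if not m or m["by"] not in OWN_NAMES:
            continue                        # internal hand-off, not our gateway's stamp
        if m["ip"] not in OWN_IPS:          # first hop from an outside peer
            past_boundary = True
            if m["helo"] in OWN_NAMES | OWN_IPS:
                findings.append(f"HELO '{m['helo']}' claims our identity but peer is {m['ip']}")
    return findings, untrusted
```

Everything returned in `untrusted_lines` was written by the sending side before the message reached the gateway, so only the peer address the gateway itself recorded is reliable evidence of origin.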