what am I dealing with here?

Julian Field MailScanner at ecs.soton.ac.uk
Mon Mar 31 20:45:32 IST 2008


From the looks of the headers you have given us, it looks to me to be 
hard to do much with them, except DNSBL and SURBL in SpamAssassin might 
hit something, as it looks at all the Received: headers.
Can you not do anything based on the content of the message? You haven't 
given us that and it may well be your best bet. Are there any rules that 
look at the "To:" header and score based on a long sequence of numbers 
in it? If not, then that may be worth a try in this case.

Not sure what else to say, sorry.


------- SNIP ---------
I got a call from a school we scan mail for, complaining they are 
getting some inappropriate email, which is sailing through our scanner 
with a very low score.

I found the message shows it is being delivered by some other server 
from Venezuela, with our relay server listed second from the bottom. The 
header is not showing accurate information either on some of the 
messages, as far as To, and From

What can I do to shut this down?

I have included info from one of the messages.

    IP Address        Hostname                            Country                RBL   Spam  Virus  All
    98.136.44.51      n75.bullet.mail.sp1.yahoo.com       United States          [ ]   [ ]   [ ]    [ ]
    216.252.122.218   t3.bullet.sp1.yahoo.com             United States          [ ]   [ ]   [ ]    [ ]
    69.147.65.156     omp404.mail.sp1.yahoo.com           United States          [ ]   [ ]   [ ]    [ ]
    127.0.0.1         relay-4.lctn.org                    (GeoIP Lookup Failed)  [ ]   [ ]   [ ]    [ ]
    190.72.118.113    190-72-118-113.dyn.dsl.cantv.net    Venezuela              [ ]   [ ]   [ ]    [ ]


ID:    DDD5238001C.94591
Message Headers:
Received: from n75.bullet.mail.sp1.yahoo.com (n75.bullet.mail.sp1.yahoo.com [98.136.44.51])
     by relay-4.lctn.org (Postfix) with SMTP id DDD5238001C
     for <khippen at kms.k12.mn.us>; Sun, 30 Mar 2008 15:52:54 -0500 (CDT)
Received: from [216.252.122.218] by n75.bullet.mail.sp1.yahoo.com with NNFMP; 30 Mar 2008 20:52:30 -0000
Received: from [69.147.65.156] by t3.bullet.sp1.yahoo.com with NNFMP; 30 Mar 2008 20:52:30 -0000
Received: from [127.0.0.1] by omp404.mail.sp1.yahoo.com with NNFMP; 30 Mar 2008 20:52:30 -0000
X-Yahoo-Newman-Property: ymail-5
X-Yahoo-Newman-Id: 493512.39708.bm at omp404.mail.sp1.yahoo.com
Received: (qmail 45004 invoked by uid 60001); 30 Mar 2008 20:52:30 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;
  h=X-YMail-OSG:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID;
  b=b+ZjzHg4KHt6d2gKflATIw5TohQzUJ2lVPcqPbCiIzlU0n9Skvc3hKz2zcy7/3ZRkqvljZS5DQ7phzi/Dne1Ck4n86QHnd9NDrHSRSrACynu0T1/3K0SzFioRVRMWFoxXX2g8lOTbU3O49yfsL3f5JkzdTeCQe0YnugSXEdj3Qc=;
X-YMail-OSG: yeipdhMVM1lQDWuM.8hWb8yJBWFZbzK4JI34oV3jP0PoM3jGYlMQ8biezzdcUn_FkPMGvxIVHMnS7QiNtCYcm_FKjPDA.J.e1LI-
Received: from [190.72.118.113] by web45105.mail.sp1.yahoo.com via HTTP; Sun, 30 Mar 2008 13:52:30 PDT
Date: Sun, 30 Mar 2008 13:52:30 -0700 (PDT)
From: joie mudra <joiemudra4458 at yahoo.com>
Subject: hey
To: kensmith16123940 at netscape.com
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-1647990638-1206910350=:30060"
Content-Transfer-Encoding: 8bit
Message-ID: <258826.30060.qm at web45105.mail.sp1.yahoo.com>

-- 
Raymond Norton
LCTN


Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
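As an added example (not code from this list, from Julian, or from MailScanner itself), here is a small Python script that does over the quoted headers what the reply describes: it walks the Received: chain to find the host that actually submitted the message (the bottom-most hop naming a client IP, here the Yahoo webmail session from 190.72.118.113), applies the suggested check for a long run of digits in the To: address, and reports that the envelope recipient (the `for <...>` clause on the local relay's own Received: line) does not appear in To: at all, which is the "To: not accurate" symptom in the report. The sample headers are a constructed, reduced copy of the ones quoted above with the archive's "at" munging restored to "@"; the SpamAssassin equivalent of the digit check is a `header` rule such as `header LOCAL_TO_DIGITS To =~ /\d{6,}/` (rule name, score and the six-digit threshold are assumptions, not anything the page states).

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: reduced copy of the header chain quoted in the thread
# (Yahoo webmail hops in front of the local relay). Body is a placeholder.
SAMPLE = """\
Received: from n75.bullet.mail.sp1.yahoo.com (n75.bullet.mail.sp1.yahoo.com [98.136.44.51])
\tby relay-4.lctn.org (Postfix) with SMTP id DDD5238001C
\tfor <khippen@kms.k12.mn.us>; Sun, 30 Mar 2008 15:52:54 -0500 (CDT)
Received: from [216.252.122.218] by n75.bullet.mail.sp1.yahoo.com with NNFMP; 30 Mar 2008 20:52:30 -0000
Received: from [69.147.65.156] by t3.bullet.sp1.yahoo.com with NNFMP; 30 Mar 2008 20:52:30 -0000
Received: from [127.0.0.1] by omp404.mail.sp1.yahoo.com with NNFMP; 30 Mar 2008 20:52:30 -0000
Received: (qmail 45004 invoked by uid 60001); 30 Mar 2008 20:52:30 -0000
Received: from [190.72.118.113] by web45105.mail.sp1.yahoo.com via HTTP; Sun, 30 Mar 2008 13:52:30 PDT
From: joie mudra <joiemudra4458@yahoo.com>
Subject: hey
To: kensmith16123940@netscape.com

(body omitted)
"""

# "from <name> (<name> [ip])" or "from [ip]": capture the bracketed client IP.
RECEIVED_FROM_IP = re.compile(r"\bfrom\s+.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RECEIVED_BY_HOST = re.compile(r"\bby\s+(\S+)")
LONG_DIGITS = re.compile(r"\d{6,}")  # assumed threshold, tune to taste


def received_chain(msg):
    """(client_ip, receiving_host) per Received: header, newest (top) first.

    Headers without a 'from' clause (local injection, e.g. the qmail line)
    are kept as (None, None) so hop positions stay aligned with the message."""
    hops = []
    for hdr in msg.get_all("Received", []):
        flat = " ".join(hdr.split())  # unfold continuation lines
        if not flat.startswith("from"):
            hops.append((None, None))
            continue
        m_ip = RECEIVED_FROM_IP.search(flat)
        m_by = RECEIVED_BY_HOST.search(flat)
        hops.append((m_ip.group(1) if m_ip else None,
                     m_by.group(1) if m_by else None))
    return hops


def originating_ip(msg):
    """Bottom-most hop that names a client IP: the host that submitted the mail."""
    for ip, _ in reversed(received_chain(msg)):
        if ip:
            return ip
    return None


def to_has_long_digit_run(msg):
    """The check suggested in the reply: a long numeric run in a To: address."""
    for _, addr in getaddresses(msg.get_all("To", [])):
        local_part = addr.split("@", 1)[0]
        if LONG_DIGITS.search(local_part):
            return True
    return False


def envelope_recipient(msg):
    """Recipient from the first 'for <addr>' clause, i.e. our own relay's hop."""
    for hdr in msg.get_all("Received", []):
        m = re.search(r"\bfor\s+<([^>]+)>", " ".join(hdr.split()))
        if m:
            return m.group(1).lower()
    return None


def to_header_mismatch(msg):
    """True when the envelope recipient is absent from To:/Cc: (Bcc-style delivery)."""
    rcpt = envelope_recipient(msg)
    if rcpt is None:
        return False
    visible = {a.lower() for _, a in
               getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    return rcpt not in visible


def analyse(raw):
    msg = message_from_string(raw)
    return {
        "hops": received_chain(msg),
        "origin_ip": originating_ip(msg),
        "to_long_digits": to_has_long_digit_run(msg),
        "to_mismatch": to_header_mismatch(msg),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(key, value)
```

Only the relay's own Received: line can be trusted, since everything below it was written by other systems; the script therefore takes the envelope recipient from that line alone and treats the lower hops as evidence to score, not as fact. The origin IP it extracts is what a DNSBL lookup in SpamAssassin would be checked against for a webmail-submitted message.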
