<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2650.12">
<TITLE>Possible spoofing causing problems with whitelisting?</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=2 FACE="Arial">This is an odd one. A user received a piece of junk mail today that was whitelisted, I do not know why it was whitelisted. The user@mydomain.com is not whitelisted nor the sender. I do whitelist everything from *@mydomain.com. But what is interesting is the Received lines in the header. It originates from 191.146.230.212 and claims to be received from the ip of my server, however the next received line has my server ip but with an ip that was resolved that is not mine, then it claims that my server received it from itself, then onto my internal exchange server. This is not what a typical header looks like for my site.</FONT></P>
<P><FONT SIZE=2 FACE="Arial">Below is a copy of the header. I have changed the DNS name of my server to "gatewayserver" and the ip to "gatewayserverip".</FONT></P>
<P><FONT SIZE=2 FACE="Arial">Any ideas why the email would be whitelisted? Is there anything suspicious about the header?</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">Thanks Derrick Georgiades</FONT>
<BR><FONT SIZE=2 FACE="Arial">Power Engineers, Inc.</FONT>
</P>
<BR>
<BR>
<P><FONT SIZE=2 FACE="Arial">Received: from<B> gatewayserver</B> by<B> exchangeserver</B> with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21)</FONT>
<BR> <FONT SIZE=2 FACE="Arial">id 2KR7L08K; Tue, 15 Apr 2003 07:21:23 -0600</FONT>
<BR><FONT SIZE=2 FACE="Arial">Received: from</FONT><B> <FONT SIZE=2 FACE="Arial">gatewayserverip</FONT></B><FONT SIZE=2 FACE="Arial"> ([61.129.112.58])</FONT>
<BR> <FONT SIZE=2 FACE="Arial">by</FONT><B> <FONT SIZE=2 FACE="Arial">gatewayserver</FONT></B><FONT SIZE=2 FACE="Arial"> (8.12.8/8.12.8) with SMTP id h3FDKPpo009805;</FONT>
<BR> <FONT SIZE=2 FACE="Arial">Tue, 15 Apr 2003 07:20:28 -0600 (MDT)</FONT>
<BR><FONT SIZE=2 FACE="Arial">Received: from 0jg9t.j3gm5z.net [191.146.230.212] by</FONT><B> <FONT SIZE=2 FACE="Arial">gatewayserverip</FONT></B><FONT SIZE=2 FACE="Arial">; Tue, 15 Apr 2003 20:18:03 -0700</FONT>
<BR><FONT SIZE=2 FACE="Arial">Message-ID: <79gcjv90l5977sp0$fs3mac$478$d94@g137.18.l.bu8l></FONT>
<BR><FONT SIZE=2 FACE="Arial">From: "Robyn Richey" <cqizj5l0z6e4@erols.com></FONT>
<BR><FONT SIZE=2 FACE="Arial">To: user@mydomain.com</FONT>
<BR><FONT SIZE=2 FACE="Arial">Subject: Re:how to make large profits on eBay</FONT>
<BR><FONT SIZE=2 FACE="Arial">Date: Tue, 15 Apr 03 20:18:03 GMT</FONT>
<BR><FONT SIZE=2 FACE="Arial">X-Priority: 3</FONT>
<BR><FONT SIZE=2 FACE="Arial">X-MSMail-Priority: Normal</FONT>
<BR><FONT SIZE=2 FACE="Arial">X-Mailer: Microsoft Outlook Express 5.50.4522.1200</FONT>
<BR><FONT SIZE=2 FACE="Arial">MIME-Version: 1.0</FONT>
<BR><FONT SIZE=2 FACE="Arial">Content-Type: multipart/alternative;</FONT>
<BR> <FONT SIZE=2 FACE="Arial">boundary="_16B_C_0AC5.5_1BC"</FONT>
<BR><FONT SIZE=2 FACE="Arial">X-MailScanner: Found to be clean</FONT>
<BR><FONT SIZE=2 FACE="Arial">X-MailScanner-Information: Please contact the ISP for more information</FONT>
<BR><FONT SIZE=2 FACE="Arial">X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (score=16.9,</FONT>
<BR> <FONT SIZE=2 FACE="Arial">required 4, CLICK_BELOW_CAPS, DATE_IN_FUTURE_06_12,</FONT>
<BR> <FONT SIZE=2 FACE="Arial">FORGED_MUA_OUTLOOK, FROM_HAS_MIXED_NUMS, HOME_EMPLOYMENT, HTML_50_60,</FONT>
<BR> <FONT SIZE=2 FACE="Arial">HTML_FONT_BIG, HTML_LINK_CLICK_CAPS, HTML_LINK_CLICK_HERE,</FONT>
<BR> <FONT SIZE=2 FACE="Arial">HTML_MESSAGE, HTTP_USERNAME_USED, LINES_OF_YELLING,</FONT>
<BR> <FONT SIZE=2 FACE="Arial">LINES_OF_YELLING_2, LINES_OF_YELLING_3, MIME_HTML_NO_CHARSET,</FONT>
<BR> <FONT SIZE=2 FACE="Arial">MIME_HTML_ONLY, MISSING_MIMEOLE, OPPORTUNITY, REMOVE_PAGE,</FONT>
<BR> <FONT SIZE=2 FACE="Arial">UPPERCASE_25_50, USERPASS, WORK_AT_HOME)</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">This is a multi-part message in MIME format.</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">--_16B_C_0AC5.5_1BC</FONT>
<BR><FONT SIZE=2 FACE="Arial">Content-Type: text/html</FONT>
<BR><FONT SIZE=2 FACE="Arial">Content-Transfer-Encoding: quoted-printable</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">--_16B_C_0AC5.5_1BC--</FONT>
</P>
</BODY>
</HTML>