Posted to users@spamassassin.apache.org by Justin Kim <ju...@mezine.com> on 2007/08/01 20:41:32 UTC

How can I find out which email account the spammer used?

Hello,

I am having a hard time finding the spammer.
Can someone point me in the right direction?
According to the full header I got, the original receiver was my company's IP.
That means the final recipient will see the spam sender as our company's
Postfix server.
Is there a good way to track down this kind of spammer? Is it in the
mail log that I have to look at?
Please help!

Justin.

--------------------------------------------------
Return-Path:
Received: from vfep03.mfe.bur.connect.com.au (vfep03.mfe.bur.connect.com.au
[210.8.230.161])
by mcn06 (Cyrus v2.1.14_CCA) with LMTP; Wed, 01 Aug 2007 15:20:48 +1000
X-Sieve: CMU Sieve 2.2
Received: from vfep03.mfe.bur.connect.com.au (localhost [127.0.0.1])
by localhost.vfep03.connect.com.au (Postfix) with ESMTP id 667024A879
for ; Wed, 1 Aug 2007 15:20:29 +1000 (EST)
Received: from vfep03.mfe.bur.connect.com.au (localhost [127.0.0.1])
by vfep03.mfe.bur.connect.com.au (Postfix) with ESMTP id 529E549082
for ;
Wed, 1 Aug 2007 15:20:04 +1000 (EST)
Received: from fep03.mfe.bur.connect.com.au (fep03.mfe.bur.connect.com.au
[203.63.86.23])
by vfep03.mfe.bur.connect.com.au (Postfix) with ESMTP id 78EF149372
for ;
Wed, 1 Aug 2007 15:19:18 +1000 (EST)
Received: from [203.63.86.23] (localhost [127.0.0.1])
by localhost.mfep03.connect.com.au (Postfix) with ESMTP id 13B68F92A
for ; Wed, 1 Aug 2007 15:19:17 +1000 (EST)
Received: from ip-gt.190.57.86.40.telefonica-ca.net (unknown [190.57.86.40])
by fep03.mfe.bur.connect.com.au (Postfix) with ESMTP id AAD1FF84E;
Wed, 1 Aug 2007 15:19:08 +1000 (EST)
Received: from X.Y.Z.X (HELO mail.mycompany's.com)
by aapt.net.au with esmtp (+R00.A9J* +.S>) id H6QK71-)?.W0--5.
for free2air@aapt.net.au; Wed, 1 Aug 2007 05:19:18 +0360
Date: Wed, 1 Aug 2007 05:19:18 +0360
From: Jerome Thier
X-Mailer: The Bat! (v3.71.04) Educational
X-Priority: 3 (Normal)
Message-ID: <60...@thebat.net>
To: free2air@aapt.net.au
Subject: *****SUSPECTED SPAM***** Excellent part-time job offer for educated
people.
MIME-Version: 1.0
Content-Type: text/plain;
charset=windows-1250
Content-Transfer-Encoding: quoted-printable
X-Spam: Not detected
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.63-cca (2004-01-11) on mfep03
X-Spam-Level: *******
X-Spam-Status: Yes, hits=7.5 required=5.0 tests=CCA_PRODUCT_AD_21,
CCA_SPAMMER_4,DATE_IN_PAST_03_06,LINES_OF_YELLING,LINES_OF_YELLING_2,
SARE_FINCLOP,WORK_AT_HOME autolearn=no version=2.63-cca
X-Spam-Report: * 2.3 CCA_SPAMMER_4 Known Spammer Software
* 1.3 WORK_AT_HOME BODY: Information on how to work at home (1)
* 0.6 SARE_FINCLOP BODY: Talks about financial or internet opportunity.
* 2.5 CCA_PRODUCT_AD_21 BODY: I'd love a college degree
* 0.0 LINES_OF_YELLING BODY: A WHOLE LINE OF YELLING DETECTED
* 0.1 LINES_OF_YELLING_2 BODY: 2 WHOLE LINES OF YELLING DETECTED
* 0.7 DATE_IN_PAST_03_06 Date: is 3 to 6 hours before Received: date
X-BitDefender-Scanner: Clean, Agent: BitDefender POSTFIX 1.6.2 on
vfep03

POSITION DESCRIPTION:

Successful international Company is looking for local representatives.
This is a well-paid vacation for serious ambitious person.

MAIN ADVANTAGES:
--------------------------------------------------------

- Really High Wages.
- Ability to work from home.
- Flexible schedule.
- Covered business and educational expenses.
- Illness/Disability friendly team.


GENERAL REQUIREMENTS:
--------------------------------------------------------

- Basic knowledge of credit principles, financial services and operations.
- Creativity.
- Ability to work on multiple projects simultaneously along with meeting deadlines.
- Ability to work independently or in a team environment.
- college degree in Economics strongly preferred (but not required).
- Having a deep desire to achieve financial success.

How to join:
Please send your resume to our personnel manager email: RogelioRojasPX@gmail.com
It must be sent in a TXT, MSWord, RTF or PDF format.
In order to receive our response, please provide us with your valid email address.

If you believe this message was delivered to you bó mistake please let us know,
your address will be removed from our database immediately: JasonRobertsonKS@gmail.com

Please take appropriate action to stop this situation recurring. Please let
me know how this incident is resolved.

(This email was generated by Visualware Security Suite on 1/08/2007
18:07:13)
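Added example, not part of the original post or its replies: a Python script that walks the Received: chain pasted above from the newest line downward, trusts only lines written by the receiving organisation's own servers, and stops at the first hop whose peer is not one of them. That hop's bracketed IP (190.57.86.40 here) and queue id (AAD1FF84E) are the facts to take to that server's mail log. The aapt.net.au line beneath it, the one that names "mail.mycompany's.com", sits below the trust boundary, so it is never used as evidence and is only checked for forgery tells such as the impossible +0360 zone. The header sample is re-folded with leading whitespace so it parses, and the list of trusted domains is an assumption for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Constructed sample: the Received: chain from the spam above, re-folded with
# leading whitespace (RFC 5322 style) so it parses. One loopback hop is kept;
# the obfuscated names ("X.Y.Z.X", "mail.mycompany's.com") are left as they are.
SAMPLE_HEADERS = """\
Received: from vfep03.mfe.bur.connect.com.au (vfep03.mfe.bur.connect.com.au
\t[210.8.230.161])
\tby mcn06 (Cyrus v2.1.14_CCA) with LMTP; Wed, 01 Aug 2007 15:20:48 +1000
X-Sieve: CMU Sieve 2.2
Received: from fep03.mfe.bur.connect.com.au (fep03.mfe.bur.connect.com.au
\t[203.63.86.23])
\tby vfep03.mfe.bur.connect.com.au (Postfix) with ESMTP id 78EF149372;
\tWed, 1 Aug 2007 15:19:18 +1000 (EST)
Received: from [203.63.86.23] (localhost [127.0.0.1])
\tby localhost.mfep03.connect.com.au (Postfix) with ESMTP id 13B68F92A;
\tWed, 1 Aug 2007 15:19:17 +1000 (EST)
Received: from ip-gt.190.57.86.40.telefonica-ca.net (unknown [190.57.86.40])
\tby fep03.mfe.bur.connect.com.au (Postfix) with ESMTP id AAD1FF84E;
\tWed, 1 Aug 2007 15:19:08 +1000 (EST)
Received: from X.Y.Z.X (HELO mail.mycompany's.com)
\tby aapt.net.au with esmtp (+R00.A9J* +.S>) id H6QK71-)?.W0--5.
\tfor free2air@aapt.net.au; Wed, 1 Aug 2007 05:19:18 +0360
From: Jerome Thier
"""

# Assumption for the example: the receiving organisation runs everything under
# connect.com.au plus the LMTP host "mcn06". Only Received: lines written BY
# these hosts are trustworthy; their "(rdns [ip])" is what they saw on the wire.
TRUSTED_SUFFIXES = ("connect.com.au", "mcn06")

@dataclass
class Hop:
    helo: str                # name the peer announced: sender-controlled
    rdns: Optional[str]      # reverse DNS the receiving server resolved
    ip: Optional[str]        # peer address the receiving server saw
    by_host: str             # server that wrote this line
    queue_id: Optional[str]  # its queue id: the key into that server's log
    raw: str

RECEIVED_RE = re.compile(r"^Received:\s*from\s+(\S+)(?:\s*\(([^)]*)\))?\s+by\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
ID_RE = re.compile(r"\bid\s+([A-Za-z0-9]+)")
TZ_RE = re.compile(r"([+-])(\d{2})(\d{2})\s*(?:\([A-Z]{2,5}\))?\s*$")

def unfold(raw: str) -> List[str]:
    """Join folded continuation lines (leading SP/HTAB) back onto their field."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def parse_received(lines: Sequence[str]) -> List[Hop]:
    hops: List[Hop] = []
    for line in lines:
        m = RECEIVED_RE.match(line)
        if not m:
            continue
        helo, paren, by_host = m.group(1), m.group(2) or "", m.group(3)
        words = paren.split()
        # Postfix writes "(rdns [ip])"; "(HELO name)" is another sender claim, not rDNS
        rdns = None
        if words and words[0].upper() != "HELO" and not words[0].startswith("["):
            rdns = words[0]
        ipm, idm = IP_RE.search(paren), ID_RE.search(line)
        hops.append(Hop(helo, rdns, ipm.group(1) if ipm else None, by_host,
                        idm.group(1) if idm else None, line))
    return hops

def is_trusted_host(host: Optional[str]) -> bool:
    if not host:
        return False
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in TRUSTED_SUFFIXES)

def origin_is_ours(hop: Hop) -> bool:
    # Trust only what OUR server observed: the rDNS it resolved, or a loopback
    # peer (a content filter re-injecting on the same box). Never the HELO name.
    return is_trusted_host(hop.rdns) or (hop.ip or "").startswith("127.")

def find_entry_hop(hops: Sequence[Hop]) -> Tuple[Optional[Hop], int]:
    """Walk newest to oldest while each line was written by us about a peer that
    is also us. The first line we wrote about an outside peer is the entry point;
    its bracketed IP is the one sender address we can vouch for. Every Received:
    below it arrived inside the message and may be forged."""
    for i, hop in enumerate(hops):
        if not is_trusted_host(hop.by_host):
            return None, i   # chain leaves our servers before any external peer
        if not origin_is_ours(hop):
            return hop, i
    return None, len(hops)

def invalid_timezone(raw: str) -> bool:
    """Cheap forgery tell: no real zone has more than 59 minutes or 14 hours."""
    m = TZ_RE.search(raw)
    return bool(m) and (int(m.group(3)) > 59 or int(m.group(2)) > 14)

def analyse(raw_headers: str) -> dict:
    hops = parse_received(unfold(raw_headers))
    entry, idx = find_entry_hop(hops)
    below = hops[idx + 1:] if entry else hops[idx:]
    return {
        "entry_ip": entry.ip if entry else None,
        "entry_helo": entry.helo if entry else None,
        "entry_queue_id": entry.queue_id if entry else None,
        "untrusted_hops": len(below),
        "forged_indicators": [h.raw for h in below if invalid_timezone(h.raw)],
    }

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

The walk deliberately ignores the HELO name and the sender's own Received: lines: the only things a receiving MTA can attest to are the peer IP it accepted the connection from, the rDNS it resolved for it, and its own queue id. If the first Received: line is not written by one of your own hosts, the function returns no entry hop at all rather than guessing.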

Re: How can I find out which email account the spammer used?

Posted by Evan Platt <ev...@espphotography.com>.
At 11:41 AM 8/1/2007, Justin Kim wrote:
>Hello,
>
>I am having a hard time finding the spammer.
>Can someone point me in the right direction?
>According to the full header I got,
>the original receiver was my company's IP.
>That means the final recipient will see the spam sender as our 
>company's Postfix server.
>Is there a good way to track down this kind of spammer? Is it in 
>the mail log that I have to look at?

Looking in the mail log would be a start, but this has nothing to do 
with SpamAssassin. 


RE: How can I find out which email account the spammer used?

Posted by Dan Barker <db...@visioncomm.net>.
I thought ALL received headers were spoofable, just as easily as FROM and
the other "comments" in an email header. Anyone trusting a received header
inserted before a "trusted" server's (whatever that is) entry shouldn't.

I'd not worry about it (Unless, of course, it really did come thru your
server<g>).

Dan Barker 

-----Original Message-----
From: SM [mailto:sm@resistor.net] 
Sent: Wednesday, August 01, 2007 3:45 PM
To: Justin Kim; users@spamassassin.apache.org
Subject: Re: How can I find out which email account the spammer used?

Hello,
At 11:41 01-08-2007, Justin Kim wrote:
>According to the full header I got.
>The original receiver was my company's IP.

Does that mean that your company's mail server sent out the spam?

>That means the final recipient will see the spam sender as our 
>company's postfix server.
>Is there a good way to track down this kind of spammer? Is it in the 
>mail log that I have to look at?

You have to read your mail log.

You didn't provide the email address of the receiver and you obfuscated some
information.  As such, it's difficult to tell which of the headers are
forged.

Regards,
-sm 



Re: How can I find out which email account the spammer used?

Posted by SM <sm...@resistor.net>.
Hello,
At 11:41 01-08-2007, Justin Kim wrote:
>According to the full header I got.
>The original receiver was my company's IP.

Does that mean that your company's mail server sent out the spam?

>That means the final recipient will see the spam sender as our 
>company's postfix server.
>Is there a good way to track down this kind of spammer? Is it in 
>the mail log that I have to look at?

You have to read your mail log.

You didn't provide the email address of the receiver and you 
obfuscated some information.  As such, it's difficult to tell which 
of the headers are forged.

Regards,
-sm
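Added example, not part of the thread: once you have the Message-ID or the recipient, the Postfix log answers the question in the subject line directly. Postfix's smtpd logs one client= line per queue id and, when the sender logged in, appends sasl_method= and sasl_username= to it; cleanup logs the message-id, qmgr the envelope sender, and smtp/local the recipient and delivery status, all keyed by the same queue id. The script below stitches constructed log lines back together by queue id and reports the client IP and the authenticated account, or reports no match, which is the case where the message never passed through your server and the Received: line naming it was simply forged. The host name mx1, the queue ids, the sender, the account jsmith and the second unauthenticated message are hypothetical; the Message-ID and recipient are the ones in the headers above.

```python
import re
from collections import defaultdict
from typing import Dict, Optional

# Constructed Postfix syslog lines (format as Postfix writes it; host "mx1", queue
# ids, sender and the account "jsmith" are hypothetical). Message 3B2F1C0A9 carries
# the Message-ID and recipient from the spam above and was submitted with SASL
# auth; 7C9D2E112 came in unauthenticated from a peer, to show the difference.
SAMPLE_MAILLOG = """\
Aug  1 05:19:10 mx1 postfix/smtpd[4021]: connect from unknown[190.57.86.40]
Aug  1 05:19:10 mx1 postfix/smtpd[4021]: 3B2F1C0A9: client=unknown[190.57.86.40], sasl_method=LOGIN, sasl_username=jsmith
Aug  1 05:19:10 mx1 postfix/cleanup[4030]: 3B2F1C0A9: message-id=<60...@thebat.net>
Aug  1 05:19:10 mx1 postfix/qmgr[1188]: 3B2F1C0A9: from=<jthier@example.net>, size=2214, nrcpt=1 (queue active)
Aug  1 05:19:13 mx1 postfix/smtp[4042]: 3B2F1C0A9: to=<free2air@aapt.net.au>, relay=fep03.mfe.bur.connect.com.au[203.63.86.23]:25, delay=3, status=sent (250 Ok: queued as AAD1FF84E)
Aug  1 05:19:13 mx1 postfix/qmgr[1188]: 3B2F1C0A9: removed
Aug  1 05:19:13 mx1 postfix/smtpd[4021]: disconnect from unknown[190.57.86.40]
Aug  1 09:02:41 mx1 postfix/smtpd[4100]: 7C9D2E112: client=relay.partner.example[198.51.100.7]
Aug  1 09:02:41 mx1 postfix/cleanup[4030]: 7C9D2E112: message-id=<20070801090240.1A2B@partner.example>
Aug  1 09:02:41 mx1 postfix/qmgr[1188]: 7C9D2E112: from=<ops@partner.example>, size=812, nrcpt=1 (queue active)
Aug  1 09:02:42 mx1 postfix/local[4111]: 7C9D2E112: to=<justin@example.com>, relay=local, delay=1, status=sent (delivered to mailbox)
Aug  1 09:02:42 mx1 postfix/qmgr[1188]: 7C9D2E112: removed
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s(?P<prog>postfix/\w+)\[\d+\]:\s"
    r"(?P<qid>[0-9A-F]+):\s(?P<msg>.*)$")
CLIENT_RE = re.compile(r"client=(?P<rdns>[^\[\s,]+)\[(?P<ip>[^\]]+)\]")
SASL_RE = re.compile(r"sasl_username=([^\s,]+)")
MSGID_RE = re.compile(r"message-id=<([^>]*)>")
FROM_RE = re.compile(r"\bfrom=<([^>]*)>")
TO_RE = re.compile(r"\bto=<([^>]*)>")

def _new_record() -> dict:
    return {"client_ip": None, "client_rdns": None, "sasl_username": None,
            "message_id": None, "sender": None, "recipients": [], "lines": []}

def group_by_queue_id(log: str) -> Dict[str, dict]:
    """Stitch the per-process lines Postfix emits for one message back together
    via the queue id that smtpd, cleanup, qmgr and smtp/local all log."""
    msgs: Dict[str, dict] = defaultdict(_new_record)
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue   # connect/disconnect and other lines carry no queue id
        rec, msg = msgs[m["qid"]], m["msg"]
        rec["lines"].append(line)
        c = CLIENT_RE.search(msg)
        if c:
            rec["client_rdns"], rec["client_ip"] = c["rdns"], c["ip"]
            s = SASL_RE.search(msg)   # present only when the client authenticated
            rec["sasl_username"] = s.group(1) if s else None
        for pattern, key in ((MSGID_RE, "message_id"), (FROM_RE, "sender")):
            hit = pattern.search(msg)
            if hit:
                rec[key] = hit.group(1)
        to = TO_RE.search(msg)
        if to:
            rec["recipients"].append(to.group(1))
    return dict(msgs)

def who_sent(log: str, message_id: Optional[str] = None,
             recipient: Optional[str] = None) -> Optional[dict]:
    """Find the message by Message-ID or recipient and say how it got in."""
    for qid, rec in group_by_queue_id(log).items():
        if (message_id and rec["message_id"] == message_id) or \
           (recipient and recipient in rec["recipients"]):
            if rec["sasl_username"]:
                how = "authenticated submission: that account is compromised or abused"
            else:
                how = "no SASL login: relayed on the strength of client IP / relay restrictions"
            return {"queue_id": qid, "client_ip": rec["client_ip"],
                    "client_rdns": rec["client_rdns"],
                    "sasl_username": rec["sasl_username"], "how": how}
    return None   # absent from our log: it never passed through this server

if __name__ == "__main__":
    print(who_sent(SAMPLE_MAILLOG, message_id="60...@thebat.net"))
    print(who_sent(SAMPLE_MAILLOG, recipient="justin@example.com"))
    print(who_sent(SAMPLE_MAILLOG, message_id="not-in-log@example.org"))
```

Search on the Message-ID first, because the recipient alone can match unrelated legitimate mail; if the Message-ID is missing from the log entirely, the message did not go through that server. When it did and a sasl_username is present, the account named there is the answer to the original question, and the client IP on the same line is where the login came from.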