Jed:

> I thought I understood enough about SMTP headers to track spam back to the
> originating machine, and thus identify the owner of the IP address. This
> one has me scratching my head a bit.
>
> Received: from redshift.com ([156.148.56.6])
>     by betades.freeserve.co.uk (8.9.3/8.9.3) with SMTP id 30243

We start by assuming that this Received: line, which was purportedly added by
betades.freeserve.co.uk, can be trusted. If that host can be trusted, and the
Received: line is correct, then the IP address from which the connection
originated was 156.148.56.6. (According to RIPE it looks like that IP address
is in Italy.)

The "redshift.com" in the Received: line indicates that the spammer gave the
text "redshift.com" as the HELO/EHLO argument during the SMTP negotiation.
This text is pretty obviously forged, and you can safely assume that
redshift.com (whoever they are) have nothing to do with this, and that in fact
their good name is being sullied by some spammer.

I've had the same thing happen to me; check out this Received: line:

    Received: from ockers.net ([211.184.87.125])
        by dom-amerijet-hq.amerijet.net (Lotus Domino Release 5.0.11)
        with SMTP id 2002110500574409:7283 ; Tue, 5 Nov 2002 00:57:44 -0500

That is from an actual spam which originated from Korea, on an elementary
school's network (according to APNIC). Quite obviously, I hope, anyone who
sees that would safely conclude that ockers.net had nothing to do with that.
However, there is nothing to stop spammers from using any text or domain name
they want for the HELO. As a courtesy to me, these spammers put my e-mail
address in the From: and Reply-To: lines in the headers of their spam. So I
get lots of bounce messages - whee.

> The IP address 156.148.56.6 is owned by CERN. redshift.com has address
> 216.228.2.86. I have no idea what the (8.9.3/8.9.3) notation means.

Those are sendmail version numbers, which sendmail gets from its compile and
config file. That appears to be the sendmail version that
betades.freeserve.co.uk is running.

> Are spammers now using some hacked-up SMTP programs that forge data in the
> initial envelope, or going through servers which intentionally mis-resolve
> hosts/addresses?

Surely you jest! Spammers? Forging information? Using hacked-up SMTP programs?

Seriously, the envelope can contain forged information (the MAIL FROM can be
set to anything the spammer desires), but please remember that probably the
RCPT TO will be set to some address that (the spammer hopes) is valid. Please
also remember that the Received: lines are just part of the DATA portion of
the SMTP transaction and can also be forged. I've seen lots of bogus Received:
lines in spams.

--
Jim Ockers (ockers@ockers.net)
Contact info: please see http://www.ockers.net/
Fight Spam! Join CAUCE (Coalition Against Unsolicited Commercial Email) at
http://www.cauce.org/ .
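The trust model described in the reply above (the bracketed IP in a Received: line is what the receiving MTA saw on the wire, the HELO name is whatever the client typed, and any Received: line below the ones stamped by your own hosts may have been forged in DATA) can be turned into a small header-tracing tool. The following is an added example and is not part of the original post: it parses the two Received: lines quoted in the thread, walks a chain newest-first and stops trusting it once the connecting IP is no longer one of your own relays, and flags a HELO name whose known addresses do not include the connecting IP. The `INTERNAL_CHAIN` lines, the `example.net` hostnames, and the `KNOWN_ADDRS` table (a stand-in for a forward DNS lookup so the script runs offline; the redshift.com address is the one Jed quoted) are constructed for the example.

```python
import re
from typing import Optional

# Each clause of a Received: line is matched on its own, because MTAs order
# and fold them differently (compare the sendmail and Lotus Domino lines).
_FROM = re.compile(r"\bfrom\s+(?P<helo>[^\s(;]+)\s*(?:\((?P<info>[^)]*)\))?", re.I)
_BY = re.compile(r"\bby\s+(?P<by>[^\s(;]+)", re.I)
_WITH = re.compile(r"\bwith\s+(?P<with>[^\s;]+)", re.I)
_ID = re.compile(r"\bid\s+(?P<id>[^\s;]+)", re.I)
_IPV4 = re.compile(r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(raw: str) -> dict:
    """Split one Received: header into its clauses.

    'helo' is the unverified HELO/EHLO text the client sent; 'ip' is the
    bracketed address the receiving MTA took from the TCP connection, which
    is the only part of the line the sender could not simply type in.
    """
    text = " ".join(raw.split())                      # unfold continuation lines
    if text.lower().startswith("received:"):
        text = text[len("received:"):].strip()
    hop = {"helo": None, "ip": None, "by": None, "with": None, "id": None, "date": None}
    m = _FROM.search(text)
    if m:
        hop["helo"] = m.group("helo")
        ipm = _IPV4.search(m.group("info") or "")
        hop["ip"] = ipm.group("ip") if ipm else None
    for key, pat in (("by", _BY), ("with", _WITH), ("id", _ID)):
        m = pat.search(text)
        if m:
            hop[key] = m.group(key)
    if ";" in text:                                   # the date follows the last ';'
        hop["date"] = text.rsplit(";", 1)[1].strip() or None
    return hop


def origin_ip(received_lines: list, our_hosts: set, our_ips: set) -> Optional[str]:
    """Walk Received: lines newest-first (the order they appear in the message).

    The top line was stamped by one of our MTAs and is trusted. Each earlier
    line was written by whichever machine connected at the previous hop, so it
    is only trusted while that connecting IP is one of our own relays. The
    last trustworthy connecting IP is the origin as far as we can verify;
    anything below it was supplied by the sender in DATA and may be forged.
    """
    origin = None
    for i, hop in enumerate(map(parse_received, received_lines)):
        if i == 0 and hop["by"] not in our_hosts:
            return None                               # not stamped by us at all
        origin = hop["ip"]
        if origin not in our_ips:
            break                                     # left our infrastructure
    return origin


def helo_mismatch(hop: dict, known_addrs: dict) -> bool:
    """True when the HELO name is known to resolve to addresses that do not
    include the connecting IP. False also covers 'no data', not 'verified'."""
    addrs = known_addrs.get(hop["helo"])
    return bool(addrs) and hop["ip"] not in addrs


# The two Received: lines quoted in the post.
JED_LINE = ("Received: from redshift.com ([156.148.56.6]) "
            "by betades.freeserve.co.uk (8.9.3/8.9.3) with SMTP id 30243")
OCKERS_LINE = ("Received: from ockers.net ([211.184.87.125]) "
               "by dom-amerijet-hq.amerijet.net (Lotus Domino Release 5.0.11) "
               "with SMTP id 2002110500574409:7283 ; Tue, 5 Nov 2002 00:57:44 -0500")

# Constructed chain (not from the post): our border MX, our internal relay,
# then a forged line the sender placed in DATA claiming our MX stamped it.
INTERNAL_CHAIN = [
    "Received: from relay.example.net (relay.example.net [192.0.2.5]) "
    "by mx.example.net (8.9.3/8.9.3) with ESMTP id ABC123; Tue, 5 Nov 2002 01:00:00 -0500",
    "Received: from mail.example.org ([203.0.113.9]) "
    "by relay.example.net (8.9.3/8.9.3) with SMTP id DEF456; Tue, 5 Nov 2002 00:59:00 -0500",
    "Received: from friend.example.com (friend.example.com [198.51.100.7]) "
    "by mx.example.net (8.9.3/8.9.3) with ESMTP id FORGED1; Mon, 4 Nov 2002 23:00:00 -0500",
]
OUR_HOSTS = {"mx.example.net", "relay.example.net"}   # constructed
OUR_IPS = {"192.0.2.5"}                               # constructed

# Constructed stand-in for a forward DNS lookup; address as quoted by Jed.
KNOWN_ADDRS = {"redshift.com": {"216.228.2.86"}}

if __name__ == "__main__":
    for line in (JED_LINE, OCKERS_LINE):
        hop = parse_received(line)
        print(hop["helo"], hop["ip"], hop["by"], "helo mismatch:", helo_mismatch(hop, KNOWN_ADDRS))
    print("origin:", origin_ip([JED_LINE], {"betades.freeserve.co.uk"}, set()))
    print("origin:", origin_ip(INTERNAL_CHAIN, OUR_HOSTS, OUR_IPS))
```

Run against the chain, `origin_ip` stops at 203.0.113.9 and never consults the third line, even though that line claims to have been stamped by mx.example.net: a forged `by` clause is exactly the kind of thing a spammer can put in DATA, so the walk is gated on the connecting IP rather than on the hostname text.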