View Full Version : Email headers - is this real?



hamstar
06-01-2006, 02:15 PM
Hi guys,

Trying to kill off spam at my work. I can view the headers but only kind of know what's going on with them.

Here are the headers.


Received: from mm-notify-out-2101.amazon.com (unverified) by myworkserver.nz
(Content Technologies SMTPRS 4.3.14) with ESMTP id <T75ac3c4290ac163266694@mywork.server.nz> for <nobody@mywork.nz>;
Fri, 6 Jan 2006 13:06:43 +1300
Received: from na-rte-app-1102.vdc.amazon.com ([10.144.17.45])
by mm-notify-out-2101.amazon.com with ESMTP; 05 Jan 2006 15:59:52 -0800
Received: by na-rte-app-1102.vdc.amazon.com
id AAA-notification-17551,8452; 5 Jan 2006 15:59:56 -0800
Date: 5 Jan 2006 15:59:56 -0800
Message-ID: <.AAA-notification-17551,8452.1136505596@na-rte-app-1102.vdc.amazon.com>
X-AMAZON-TRACK: notification
To: nobody@mywork.nz
From: "Amazon.com Payments" <orders@experiencedbooks.com>
Subject: Your Amazon Marketplace Purchase
Cc: payments-mail@amazon.com
Bounces-to: RealTimeEmail+OMS-OMSPARITY-9f39I0Oa0w@bounces.amazon.com
Content-Type: text/plain
MIME-Version: 1.0
X-AMAZON-MAIL-RELAY-TYPE: notification

Are they real?

I have edited the email and domains of my work by the way.

Cheers,
hamstar

Speedy Gonzales
06-01-2006, 02:39 PM
If u know no one from Amazon then delete it! Easy.

hamstar
06-01-2006, 02:41 PM
Well... I mean headers in general...

How can you tell if it's real?

Speedy Gonzales
06-01-2006, 02:45 PM
Pass. I doubt it these days u can. Emails can be faked by anyone.

BUT if u haven't dealt with the origin, delete it.

Graham L
06-01-2006, 02:47 PM
Looks like a real one. But to know, you need to be capable of making changes in the sendmail configuration file, and having it work. :D

BIFF
06-01-2006, 02:50 PM
Your mail server is not putting the necessary information in the headers to be sure. You should really only worry about the last hop (at the top) where your mail server accepted the message. Your system should be configured to enter the IP address of the server from which it is accepting the message. The previous hop has an internal (10.x.x.x) address logged beside it so it is of no use in confirming whether the message is real, plus anything below where your mail server accepts the message can be faked easily.
Once your mail system is configured to log the IP address of the host from which it is accepting the message, then you are able to ping the reported hostname and see if it resolves to the true IP address (the one your mail server records) and also perform a reverse lookup on the IP to see if it has a valid PTR record. You can also use whois to see who owns the netblock from which the message originates.
As you are using mailsweeper you should get SSS to help you configure the antispam functionality in the product, as I believe it is free.

Cheers

BIFF
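
The top-hop check from the post above, as an added example that is not part of the thread or any poster's code: it reads only the topmost Received header, reports when no peer IP was logged or the address is internal, and otherwise runs the reverse and forward lookups (the whois step is left out). The sample headers are abridged from the thread, the variant with a logged IP is constructed, and the bracketed-IP header layout and all function names are assumptions.

```python
import email, ipaddress, re, socket

# Constructed sample: the thread's top two hops, and a variant in which the
# receiving server records the peer IP (203.0.113.25 is a documentation address).
NO_IP = ("Received: from mm-notify-out-2101.amazon.com (unverified) by myworkserver.nz\n"
         " (Content Technologies SMTPRS 4.3.14) with ESMTP; Fri, 6 Jan 2006 13:06:43 +1300\n"
         "Received: from na-rte-app-1102.vdc.amazon.com ([10.144.17.45])\n"
         " by mm-notify-out-2101.amazon.com with ESMTP; 05 Jan 2006 15:59:52 -0800\n"
         "Subject: Your Amazon Marketplace Purchase\n\nbody\n")
WITH_IP = NO_IP.replace("(unverified)", "([203.0.113.25])", 1)

# Assumed format: the peer IP sits in brackets inside the comment after "from host".
HOP = re.compile(r"from\s+(\S+)\s*(?:\([^()\[\]]*\[(\d{1,3}(?:\.\d{1,3}){3})\][^()]*\))?")
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def top_hop(raw):
    """(claimed_host, peer_ip or None) from the topmost Received header, the
    only one written by the receiving server; everything below can be forged."""
    received = email.message_from_string(raw).get_all("Received") or []
    m = HOP.search(received[0]) if received else None
    return (m.group(1), m.group(2)) if m else (None, None)

def dns_ptr(ip):        # reverse lookup; raises OSError when there is no PTR
    return socket.gethostbyaddr(ip)[0]

def dns_a(host):        # forward lookup; list of IPv4 addresses for the name
    return socket.gethostbyname_ex(host)[2]

def check_top_hop(raw, ptr=dns_ptr, fwd=dns_a):
    """Return 'no-ip', 'internal-ip', 'no-ptr', 'mismatch' or 'confirmed'."""
    host, ip = top_hop(raw)
    try:
        addr = ipaddress.ip_address(ip or "")
    except ValueError:
        return "no-ip"          # server logged no usable peer address
    if any(addr in net for net in INTERNAL):
        return "internal-ip"    # 10.x.x.x and friends confirm nothing
    try:
        ptr(ip)                 # does the IP have a PTR record at all?
    except OSError:
        return "no-ptr"
    try:
        addrs = fwd(host)       # does the reported hostname resolve ...
    except OSError:
        addrs = []
    return "confirmed" if ip in addrs else "mismatch"   # ... to the recorded IP?
```

The `ptr` and `fwd` parameters default to live DNS lookups and can be replaced with stubs when testing offline.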

hamstar
06-01-2006, 03:06 PM
ahh mean...

cheers. :D

bartsdadhomer
06-01-2006, 03:28 PM
http://compnetworking.about.com/od/workingwithipaddresses/qt/ipaddressemail.htm?nl=1

pctek
06-01-2006, 04:35 PM
It's not real.