This is a discussion of a mail headers question within the Linux Security forums, part of the System Security and Security Related category.
Here's a sample of spam headers that I received today.
There are three domain addresses here: counsellor.com, fia74-110.dsl.hccnet.nl and iwexx.japan.com. My question is, which address do I need to block so that I don't receive spam from this source again?

    Return-Path: <tfzqzxa@counsellor.com>
    Received: from fia74-110.dsl.hccnet.nl (fia74-110.dsl.hccnet.nl [62.251.110.74])
        by mydomain.com (8.12.8/8.12.8) with SMTP id i3KD8X56523724
        for <al@mydomain.com>; Tue, 20 Apr 2004 06:08:35 -0700
    Received: from iwexx.japan.com [72.224.120.76] by 62.251.110.74 with wbttrf

thanks,
al
"al" <al@somplace.com> writes:
> Here's a sample spam headers that I received today.
> There are three domain addresses here:
> counsellor.com, fia74-110.dsl.hccnet.nl and iwexx.japan.com
> My question is, which address do I need to block so that I don't receive
> spam from this source again.
> Return-Path: <tfzqzxa@counsellor.com>
> Received: from fia74-110.dsl.hccnet.nl (fia74-110.dsl.hccnet.nl
> [62.251.110.74])
>     by mydomain.com (8.12.8/8.12.8) with SMTP id i3KD8X56523724
>     for <al@mydomain.com>; Tue, 20 Apr 2004 06:08:35 -0700
> Received: from iwexx.japan.com [72.224.120.76] by 62.251.110.74 with wbttrf

All you can be 100% positive of here (because all other info can be forged and is useless) is that you received this SPAM from the IP address 65.251.110.74. In this particular case, it does appear that this really does map to fia74-110.dsl.hccnet.nl, but this certainly doesn't have to be the case: reverse DNS lookups might be wrong, and the first instance is what the SMTP sender reported its name as, which is 100% arbitrary.

The 2nd Received: line might be accurate, or it might just be something thrown in there to throw you off the scent, so it's totally unreliable to do any blocking based on that.

Most likely, this is some compromised host on a DSL line in the Netherlands, and they'll soon have discovered (or already have) that their machine was hacked (with worm/virus/spyware/whatever) and take steps to clean it, so even blocking this machine might just add an entry to your filter that never gets used again, especially since this happened two and a half days ago. The SPAMers most likely have just moved on to another compromised host somewhere else, and are spewing their junk from there instead.

--
Doug McIntyre merlyn@visi.com
Network Engineer/Jack of All Trades
Vector Internet Services, Inc.
"al" <al@somplace.com> writes:
> Here's a sample spam headers that I received today.
> There are three domain addresses here:
> counsellor.com, fia74-110.dsl.hccnet.nl and iwexx.japan.com
> My question is, which address do I need to block so that I don't receive
> spam from this source again.
>
> Return-Path: <tfzqzxa@counsellor.com>
> Received: from fia74-110.dsl.hccnet.nl (fia74-110.dsl.hccnet.nl
> [62.251.110.74])
>     by mydomain.com (8.12.8/8.12.8) with SMTP id i3KD8X56523724
>     for <al@mydomain.com>; Tue, 20 Apr 2004 06:08:35 -0700
> Received: from iwexx.japan.com [72.224.120.76] by 62.251.110.74 with wbttrf

62.251.110.74 looks like a trojaned box or an exploited proxy.

http://cbl.abuseat.org/lookup.cgi?ip....submit=Lookup

We're looking up against the CBL (or rather xbl.spamhaus.org, but same thing pretty much) and it's catching a lot of spam from compromised home machines.

(I honestly can't think of a good place to set follow-ups to. nanae tends to be more heat than light sometimes.)

cheers,
Jamie

--
James Riden / j.riden@massey.ac.nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
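The two replies above make the same practical point: the only trustworthy data in those headers is the connecting IP that al's own MTA (mydomain.com) stamped into its Received: line; every earlier hop and the Return-Path are whatever the sender chose to write. The script below is an added example, not code from either poster. It unfolds the Received: headers, picks out the IP from the one hop recorded "by" your own host, and then builds the reversed-octet query name for a DNSBL such as the xbl.spamhaus.org zone Jamie mentions. The sample header block is constructed from the headers quoted in the thread; the host name "mydomain.com" and the listing-address convention 127.0.0.x are assumptions taken from the quoted headers and common DNSBL practice.

```python
import re
import socket
from typing import List, Optional

# Constructed sample: the headers al quoted, laid out as a raw header block
# with RFC 2822 folding (continuation lines start with whitespace).
SAMPLE_HEADERS = """\
Return-Path: <tfzqzxa@counsellor.com>
Received: from fia74-110.dsl.hccnet.nl (fia74-110.dsl.hccnet.nl [62.251.110.74])
\tby mydomain.com (8.12.8/8.12.8) with SMTP id i3KD8X56523724
\tfor <al@mydomain.com>; Tue, 20 Apr 2004 06:08:35 -0700
Received: from iwexx.japan.com [72.224.120.76] by 62.251.110.74 with wbttrf
"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold_received(raw: str) -> List[str]:
    """Return the values of all Received: headers, top to bottom, with folding undone."""
    headers: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()      # continuation of previous header
        else:
            headers.append(line)
    return [h[len("Received:"):].strip()
            for h in headers if h.lower().startswith("received:")]


def connecting_ip(raw: str, my_host: str) -> Optional[str]:
    """The one IP you can rely on: the peer address your own MTA recorded.

    Only the Received: line that says 'by <my_host>' was written by a server
    you control. Anything below it (and the Return-Path) was supplied by the
    sender and may be forged, so it is ignored here.
    """
    for hop in unfold_received(raw):
        stamped_by_me = re.search(r"\bby\s+" + re.escape(my_host) + r"\b", hop)
        if stamped_by_me:
            # The bracketed address in the 'from' clause is what the TCP
            # connection actually came from; the name before it is self-reported.
            m = IPV4_IN_BRACKETS.search(hop[:stamped_by_me.start()])
            return m.group(1) if m else None
    return None


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet lookup name used by DNS-based blocklists."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError("expected dotted-quad IPv4 address")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_lookup(ip: str, zone: str = "xbl.spamhaus.org") -> Optional[str]:
    """Query the blocklist; return the answer address (127.0.0.x) if listed, else None.

    Needs network access and a resolver the zone is willing to answer; any
    resolution failure is treated as 'not listed' for this illustration.
    """
    try:
        return socket.gethostbyname(dnsbl_query_name(ip, zone))
    except (socket.gaierror, OSError):
        return None


if __name__ == "__main__":
    ip = connecting_ip(SAMPLE_HEADERS, "mydomain.com")
    print("connecting IP recorded by my MTA:", ip)
    print("untrusted self-reported hops:", unfold_received(SAMPLE_HEADERS)[1:])
    if ip:
        print("DNSBL query name:", dnsbl_query_name(ip, "xbl.spamhaus.org"))
        print("listed as:", dnsbl_lookup(ip))
```

Blocking decisions, if you make them at all, belong on the value connecting_ip() returns; the names counsellor.com and iwexx.japan.com never influence the result because, as Doug notes, they are sender-supplied strings. As Doug also points out, a compromised DSL host is usually cleaned or abandoned quickly, which is why querying a live blocklist at delivery time tends to age better than a hand-maintained filter entry.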