This is a discussion on Help on Fraud e-mail within the Linux Security forums, part of the System Security and Security Related category.

I repeatedly received e-mails which are faking to be sent from our own administrator/mail/system etc. What can I do? Can I send it to our ISP or to the police?

I have attached the view message source below. Can we tell where it is really from?

small xxx - stands for the name of the e-mail recipient
XXX - stands for the com.

Thanks in advance.

----------------------------------------------------------------
>From - Tue Nov 29 23:26:04 2005
X-Account-Key: account2
X-UIDL: 3f77ac250000d3dc
X-Mozilla-Status: 0001
X-Mozilla-Status2: 10000000
Return-Path: <mail@XXX.com>
Received: from XXX.com (awork082099.netvigator.com [203.198.86.99])
    by localhost.localdomain (8.12.5/8.12.5) with ESMTP id jATBGtLN031461
    for <xxx@XXX.com>; Tue, 29 Nov 2005 19:16:55 +0800
Message-Id: <200511291116.jATBGtLN031461@localhost.localdomain >
From: mail@XXX.com
To: xxx@XXX.com
Subject: You have successfully updated your password
Date: Tue, 29 Nov 2005 19:07:16 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0010_4ED42FBD.87F74A16"
X-Priority: 3
X-MSMail-Priority: Normal
Status:

This is a multi-part message in MIME format.

------=_NextPart_000_0010_4ED42FBD.87F74A16
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit


"DC" <joybeautyhealth@yahoo.com.hk> wrote in message
news:1133282154.285298.21870@z14g2000cwz.googlegroups.com

> I repeatedly received e-mails which are faking to be sent from our own
> administrator/mail/system etc. What can I do? Can I send it to our ISP
> or to the police?
>
> I have attached the view message source below. Can we tell where it is
> really from?
....
> Received: from XXX.com (awork082099.netvigator.com [203.198.86.99])
>     by localhost.localdomain (8.12.5/8.12.5) with ESMTP id jATBGtLN031461
>     for <xxx@XXX.com>; Tue, 29 Nov 2005 19:16:55 +0800
> Message-Id: <200511291116.jATBGtLN031461@localhost.localdomain >

grep jATBGtLN031461 `awk '/^mail\./ {print $2}' /etc/syslog.conf`

will provide more information.


ynotssor wrote:
> "DC" <joybeautyhealth@yahoo.com.hk> wrote in message
> news:1133282154.285298.21870@z14g2000cwz.googlegroups.com
>
>> I repeatedly received e-mails which are faking to be sent from our own
>> administrator/mail/system etc. What can I do? Can I send it to our ISP
>> or to the police?
>>
>> I have attached the view message source below. Can we tell where it is
>> really from?
> ...
>> Received: from XXX.com (awork082099.netvigator.com [203.198.86.99])
>>     by localhost.localdomain (8.12.5/8.12.5) with ESMTP id jATBGtLN031461
>>     for <xxx@XXX.com>; Tue, 29 Nov 2005 19:16:55 +0800
>> Message-Id: <200511291116.jATBGtLN031461@localhost.localdomain >
>
> grep jATBGtLN031461 `awk '/^mail\./ {print $2}' /etc/syslog.conf`
>
> will provide more information.

To elaborate on what ynotssor is saying, the IP address on the first "Received:" line, 203.198.86.99, is a reliable indicator of the IP address from which your mail-receiving computer received this message. Since 203.198.86.99 belongs to netvigator.com, and since you are posting from netvigator.com, the origin of the message may be revealed by looking for the message-ID in your system's mail log files. You will probably need root privileges to do so.

--
Peter Pearson
To get my email address, substitute: nowhere -> spamcop, invalid -> net


Hi -

On 29 Nov 2005 08:35:54 -0800, "DC" <joybeautyhealth@yahoo.com.hk> wrote:

>I repeatedly received e-mails which are faking to be sent from our own
>administrator/mail/system etc. What can I do? Can I send it to our ISP
>or to the police?

Personally I reject email from servers which HELO/EHLO themselves as my mail server or with one of my IP addresses. They get a 5xy rejection with a nasty text portion. The same thing if the envelope MAIL FROM address is my current domain registration email address or any of my past ones.

--
Ken
http://www.ke9nr.net/
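
An added example, not written by any poster in this thread: Python that reads the topmost Received: header of the message posted above, extracts the connecting IP and queue ID that Peter Pearson's reply points to, and flags the condition Ken's reply rejects on (a HELO name equal to the local domain). The function name `analyze`, the `local_domains` parameter and the reverse-DNS comparison are assumptions of this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers copied from the message posted in this thread (XXX/xxx placeholders kept).
SAMPLE = """\
Return-Path: <mail@XXX.com>
Received: from XXX.com (awork082099.netvigator.com [203.198.86.99])
\tby localhost.localdomain (8.12.5/8.12.5) with ESMTP id jATBGtLN031461
\tfor <xxx@XXX.com>; Tue, 29 Nov 2005 19:16:55 +0800
From: mail@XXX.com
To: xxx@XXX.com
Subject: You have successfully updated your password

"""

# Sendmail-style trace line: from HELO (rdns [ip]) by host ... id QUEUEID
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>\S+)\s+)?\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+).*?\bid\s+(?P<queue_id>\S+)",
    re.DOTALL,
)

def analyze(raw, local_domains):
    """Return trace fields from the topmost Received header plus spoofing flags."""
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    if not received:
        return None
    # Only the topmost header was written by our own server; lower ones can be forged.
    m = RECEIVED_RE.search(received[0])
    if m is None:
        return None
    info = m.groupdict()
    local = {d.lower() for d in local_domains}
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rdns = (info["rdns"] or "").lower()
    # Flag 1: remote host announced itself (HELO/EHLO) with one of our own names.
    info["helo_claims_local"] = info["helo"].lower() in local
    # Flag 2: From: uses our domain but the connecting host's reverse DNS is not under it.
    info["from_local_but_foreign_host"] = from_domain in local and not any(
        rdns == d or rdns.endswith("." + d) for d in local)
    return info

if __name__ == "__main__":
    for key, value in analyze(SAMPLE, ["XXX.com"]).items():
        print(f"{key}: {value}")
```

The `queue_id` value is the string to search for in the mail log, as in the grep command posted earlier in the thread.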