[ale] Another Email question Reading Headers.

JK jknapka at kneuro.net
Sun Jun 25 10:48:58 EDT 2006


H. A. Story wrote:

>Looking at this header from an email I just got.
>
>Delivered-To: adrin at haswes.homelinux.org
>Received: from localhost (localhost [127.0.0.1])
>	by PC002.haswes.homelinux.org (Postfix) with ESMTP id CF04F176D12
>	for <adrin at localhost>; Sat, 24 Jun 2006 11:31:11 -0400 (EDT)
>Received: from mail.bellsouth.net [205.152.59.17]
>	by localhost with POP3 (fetchmail-6.2.5.2)
>	for adrin at localhost (single-drop); Sat, 24 Jun 2006 11:31:11 -0400 (EDT)
>Received: from ibm15aec.bellsouth.net ([208.141.108.121])
>          by imf02aec.mail.bellsouth.net with ESMTP
>          id <20060624152806.LDLP2126.imf02aec.mail.bellsouth.net at ibm15aec.bellsouth.net>;
>          Sat, 24 Jun 2006 11:28:06 -0400
>Received: from soaserver3.architecture.local ([208.141.108.121])
>          by ibm15aec.bellsouth.net with ESMTP
>          id <20060624152803.SXCX22161.ibm15aec.bellsouth.net at soaserver3.architecture.local>;
>          Sat, 24 Jun 2006 11:28:03 -0400
>Received: from hci1 ([68.33.211.140]) by soaserver3.architecture.local with Microsoft SMTPSVC(6.0.3790.1830);
>	 Sat, 24 Jun 2006 10:28:01 -0500
>From: "PayPal"<aw-confirms at paypal.com>
>
>Granted I am running fetchmail. So I know where the first 2 "Received" came from. But the next 3 throw me a little.
>The 3rd one must be a Bellsouth server that received the email. So the last two must be the account where the email came from
>or was relayed from??? The last looking like an Exchange server???? The last Received being a Comcast domain and number 4 being
>another domain that isn't Bellsouth. Now if they are blocking port 25???? How does this email get around that???? And the To: only
>shows undisclosed-recipients.
>  
>

The mail was delivered to a Bellsouth SMTP server with
a To: address inside the Bellsouth domain. It's not a
relay attempt, and "architecture.local" apparently isn't
on anyone's blacklist, so it was accepted. The stinky thing
is the "architecture.local" stuff, which is probably the
phisher's private domain from which he can spew
garbage to the world.

As for the To:... I don't know how they arrange that, but
probably the reason you got this message is that your
address was in the Bcc: header.

-- JK
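
The following is an added example, not part of the original thread: it parses the three Received hops the question asks about and splits the chain at the last hop recorded by the recipient's own provider, since older lines were written by the sending side. Treating `bellsouth.net` as the trusted provider, the suffix list and the function names are assumptions of this example.

```python
import re
from email import message_from_string

# The three hops the question asks about, copied from the quoted header
# (newest first; leading continuation whitespace normalised to spaces).
RAW = """\
Received: from ibm15aec.bellsouth.net ([208.141.108.121])
          by imf02aec.mail.bellsouth.net with ESMTP
          id <20060624152806.LDLP2126.imf02aec.mail.bellsouth.net at ibm15aec.bellsouth.net>;
          Sat, 24 Jun 2006 11:28:06 -0400
Received: from soaserver3.architecture.local ([208.141.108.121])
          by ibm15aec.bellsouth.net with ESMTP
          id <20060624152803.SXCX22161.ibm15aec.bellsouth.net at soaserver3.architecture.local>;
          Sat, 24 Jun 2006 11:28:03 -0400
Received: from hci1 ([68.33.211.140]) by soaserver3.architecture.local with Microsoft SMTPSVC(6.0.3790.1830);
          Sat, 24 Jun 2006 10:28:01 -0500
"""

HOP = re.compile(r"from\s+(?P<helo>\S+).*?\[(?P<ip>[\d.]+)\].*?\bby\s+(?P<by>\S+)")
PRIVATE_SUFFIXES = (".local", ".lan", ".internal", ".localdomain")  # chosen for this example

def parse_hops(raw):
    """Return Received hops newest-first as dicts with helo, ip and by."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append(m.groupdict())
    return hops

def analyze(hops, trusted_domain):
    """Split the chain at the oldest hop recorded by a trusted server."""
    trusted = []
    for hop in hops:  # newest to oldest; stop at the first untrusted recorder
        if not ("." + hop["by"].lower()).endswith("." + trusted_domain):
            break
        trusted.append(hop)
    flags, names_by_ip = [], {}
    for hop in hops:
        name = hop["helo"].lower()
        names_by_ip.setdefault(hop["ip"], set()).add(name)
        if "." not in name or name.endswith(PRIVATE_SUFFIXES):
            flags.append(f"non-public name {hop['helo']} [{hop['ip']}]")
    flags += [f"{ip} reported under {len(n)} names" for ip, n in names_by_ip.items() if len(n) > 1]
    return {"boundary": trusted[-1] if trusted else None, "unverified": hops[len(trusted):], "flags": flags}

if __name__ == "__main__":
    print(analyze(parse_hops(RAW), "bellsouth.net"))
```

The `boundary` entry is the handoff a Bellsouth server itself recorded; the `unverified` entries are claims made by the sending side.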



