Question : SMTP message headers

Can anyone help me decipher this line in an SMTP message header?
"Received: from pc1-lutn2-3-cust135.lutn.cable.ntl.com (HELO 212.171.30.232) (213.105.218.135) by server-20.tower-14.messagelabs.com with SMTP; 23 Apr 2003 18:21:10 -0000"
What puzzles me is the phrase "pc1-lutn2-3-cust135.lutn.cable.ntl.com (HELO 212.171.30.232) (213.105.218.135)" with two IP addresses.
My understanding is that the 'Received' line should be of the form (claimed/real identity) + (real IP address).
213.105.218.135 would then be real, and DNS resolves it to pc1-lutn2-3-cust135.lutn.cable.ntl.com.
So, what is the IP address 212.171.30.232 doing in the Received line? (This IP resolves to host232-30.pool212171.interbusiness.it.)
I think this is a suspect mail message, so I don't trust the headers. However, I think the receiving host which added this header was genuine, and this is the first line going down in the headers which is suspect. A fuller copy of the headers, with some anonymising, is:
Received: (qmail 5944 invoked from network); 23 Apr 2003 18:21:10 -0000
Received: from pc1-lutn2-3-cust135.lutn.cable.ntl.com (HELO 212.171.30.232) (213.105.218.135) by server-20.tower-14.messagelabs.com with SMTP; 23 Apr 2003 18:21:10 -0000
Received: from unknown (HELO mail.gmx.net) (78.165.116.169) by smtp4.cyberec.com with smtp; Apr, 23 2003 18:04:58 +0700
Received: from unknown (149.89.93.47) by rly-xr02.mx.aol.com with NNFMP; Apr, 23 2003 16:54:05 -0700

Answer : SMTP message headers

It's exactly as kiranghag says: anyone can HELO anything. It appears your SMTP server did the reverse lookup based on the actual communicating IP address and not the IP address given in the HELO.
This sounds like misdirection from a spammer. That, or a very poorly configured mail server, probably run by someone who has no business being at a server console.
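Added example, not part of either post above: a small Python script that parses the Received: lines quoted in the question, separates the HELO claim from the connecting IP, and applies the checks a header analyst would run on a message like this. It assumes, as the questioner does, that messagelabs.com is the trusted inbound service (the `TRUSTED_BY_SUFFIXES` constant is an assumption made for this example); the qmail-style "from X (HELO Y) (ip) by Z" layout it parses is the one shown on the page, and the finding codes it returns are invented here for illustration.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Received: lines copied from the question, in header order (top = most recent hop).
# Everything below the trusted hop arrived inside the message and may be sender-written.
SAMPLE_RECEIVED = [
    "Received: (qmail 5944 invoked from network); 23 Apr 2003 18:21:10 -0000",
    "Received: from pc1-lutn2-3-cust135.lutn.cable.ntl.com (HELO 212.171.30.232) "
    "(213.105.218.135) by server-20.tower-14.messagelabs.com with SMTP; 23 Apr 2003 18:21:10 -0000",
    "Received: from unknown (HELO mail.gmx.net) (78.165.116.169) by smtp4.cyberec.com "
    "with smtp; Apr, 23 2003 18:04:58 +0700",
    "Received: from unknown (149.89.93.47) by rly-xr02.mx.aol.com with NNFMP; "
    "Apr, 23 2003 16:54:05 -0700",
]

# Assumption for this example: hops written "by" a host under this domain are ours.
TRUSTED_BY_SUFFIXES = ("messagelabs.com",)

# qmail layout from the post: "from <rDNS> (HELO <claimed>) (<peer ip>) by <receiver> ...; <date>"
_HOP_RE = re.compile(
    r"^Received:\s+from\s+(?P<rdns>\S+)"
    r"(?:\s+\(HELO\s+(?P<helo>[^)]+)\))?"      # HELO clause is optional
    r"\s+\((?P<ip>[0-9a-fA-F.:]+)\)"           # the IP the receiver actually saw
    r"\s+by\s+(?P<by>\S+).*?;\s*(?P<date>.+)$",
    re.IGNORECASE,
)
# Accepts "23 Apr 2003 18:21:10 -0000" and the odd "Apr, 23 2003 18:04:58 +0700" seen above.
_DATE_RE = re.compile(
    r"(?P<dm>(?:[A-Za-z]{3},?\s+\d{1,2})|(?:\d{1,2}\s+[A-Za-z]{3}))\s+(?P<y>\d{4})\s+"
    r"(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\s+(?P<tz>[+-]\d{4})"
)
_MONTHS = {m: i for i, m in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec"], 1)}


def parse_date_utc(text):
    """Normalise a hop timestamp to UTC; returns None if it does not parse."""
    m = _DATE_RE.search(text)
    if not m:
        return None
    parts = m["dm"].replace(",", " ").split()
    day, mon = (int(parts[0]), parts[1]) if parts[0].isdigit() else (int(parts[1]), parts[0])
    month = _MONTHS.get(mon.lower())
    if not month:
        return None
    tz = m["tz"]
    offset = timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5]))
    if tz[0] == "-":
        offset = -offset
    local = datetime(int(m["y"]), month, day, int(m["h"]), int(m["m"]), int(m["s"]),
                     tzinfo=timezone(offset))
    return local.astimezone(timezone.utc)


def parse_hop(line):
    """Split one Received: line into rDNS, HELO claim, peer IP, receiver and UTC time."""
    m = _HOP_RE.match(line)
    if not m:
        return None
    hop = m.groupdict()
    hop["when"] = parse_date_utc(hop["date"])
    return hop


def is_ip_literal(s):
    try:
        ipaddress.ip_address(s.strip("[]"))
        return True
    except ValueError:
        return False


def first_untrusted_index(hops):
    """Index of the first hop (top-down) not written by infrastructure we control."""
    for i, hop in enumerate(hops):
        if hop is None:
            continue
        by = hop["by"].lower().rstrip(".")
        if not any(by == s or by.endswith("." + s) for s in TRUSTED_BY_SUFFIXES):
            return i
    return len(hops)


def analyse(lines):
    """Return (hop_index, finding_code) pairs; codes are names chosen for this example."""
    hops = [parse_hop(l) for l in lines]
    cut = first_untrusted_index(hops)
    findings = []
    for i, hop in enumerate(hops):
        if hop is None:
            continue
        if i >= cut:
            findings.append((i, "untrusted"))      # sender could have written this line
        helo = hop["helo"]
        if helo and is_ip_literal(helo) and helo.strip("[]") != hop["ip"]:
            findings.append((i, "helo-ip-mismatch"))  # HELO names an IP other than the peer
        elif helo and hop["rdns"].lower() == "unknown":
            findings.append((i, "helo-unverified"))   # HELO name, but peer has no reverse DNS
    # Lower hops happened earlier, so UTC times should not increase going down the list.
    prev = None
    for i, hop in enumerate(hops):
        if hop is None or hop["when"] is None:
            continue
        if prev is not None and hop["when"] > prev:
            findings.append((i, "time-out-of-order"))
        prev = hop["when"]
    return findings


if __name__ == "__main__":
    for idx, code in analyse(SAMPLE_RECEIVED):
        print(f"hop {idx}: {code}")
```

On the quoted headers this reports the MessageLabs hop as a HELO/peer mismatch (HELO 212.171.30.232 versus the real peer 213.105.218.135), marks the two hops beneath it as sender-supplied, notes that the "HELO mail.gmx.net" claim cannot be checked because the peer has no reverse DNS, and flags the bottom hop whose timestamp (16:54:05 -0700, i.e. 23:54:05 UTC) is later than the hop above it, which is impossible for a genuine relay chain.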