Spam headers - originated locally?

coolemail · Unread post by **coolemail** » Sat Jun 16, 2012 5:13 am

Can someone help. Looking at a Spam email received, the headers say the following:

Received: (qmail 15845 invoked from network); 15 Jun 2012 22:24:23 +0100
Received: from smtp.globelink.info (HELO globelink.info) (46.20.119.253)
by hostname.co.uk with SMTP; 15 Jun 2012 22:24:23 +0100
Received: from 127.0.0.1 (localhost [127.0.0.1])
by globelink.info (Postfix) with ESMTP id B83B16760D0

Does the bit in bold from 127.0.0.1 (that being the last "Received" in the header) mean that the email emanated from our server which it seems to suggest to me? Not sure about the relationship between that and the 46.20.119.253 IP address.

Can someone advise and tell me how we can track down the source of this spam? The relevant maillog entry is:

Jun 15 22:24:20 plesk3 /var/qmail/bin/relaylock[15835]: /var/qmail/bin/relaylock: mail from 46.20.119.253:39893 (smtp.globelink.info)
Jun 15 22:24:23 plesk3 qmail-queue-handlers[15842]: Handlers Filter before-queue for qmail started ...
Jun 15 22:24:23 plesk3 qmail-queue-handlers[15842]: from=amber.walton@globelink.info
Jun 15 22:24:23 plesk3 qmail-queue-handlers[15842]: to=xxx
Jun 15 22:24:23 plesk3 greylisting filter[15843]: Starting greylisting filter...
Jun 15 22:24:23 plesk3 greylisting filter[15843]: Timeout finished
Jun 15 22:24:23 plesk3 qmail-queue-handlers[15842]: handlers_stderr: SKIP
Jun 15 22:24:23 plesk3 qmail-queue-handlers[15842]: SKIP during call 'grey' handler
Jun 15 22:24:23 plesk3 qmail-queue-handlers[15842]: handlers_stderr: SKIP
Jun 15 22:24:23 plesk3 qmail-queue-handlers[15842]: SKIP during call 'check-quota' handler
Jun 15 22:24:23 plesk3 qmail-queue-handlers[15842]: starter: submitter[15845] exited normally
Jun 15 22:24:23 plesk3 qmail: 1339795463.070118 new msg 107747752
Jun 15 22:24:23 plesk3 qmail: 1339795463.070169 info msg 107747752: bytes 3634 from <amber.walton@globelink.info> qp 15845 uid 2020
Jun 15 22:24:23 plesk3 qmail: 1339795463.071459 starting delivery 5247: msg 107747752 to local 93-xxx
Jun 15 22:24:23 plesk3 qmail: 1339795463.071497 status: local 1/10 remote 0/20
Jun 15 22:24:23 plesk3 qmail-local-handlers[15846]: Handlers Filter before-local for qmail started ...
Jun 15 22:24:23 plesk3 qmail-local-handlers[15846]: from=amber.walton@globelink.info
Jun 15 22:24:23 plesk3 qmail-local-handlers[15846]: to=xxx
Jun 15 22:24:23 plesk3 qmail-local-handlers[15846]: mailbox: /var/qmail/mailnames/domain.com/info
Jun 15 22:24:23 plesk3 qmail: 1339795463.080686 delivery 5247: success: did_0+0+2/

Many thanks, as ever, in advance.

faris · Unread post by **faris** » Sat Jun 16, 2012 12:13 pm

127.0.0.1 was the IP that sent the message to globelink.info (46.20.119.253).

Most probably it was a webmail system running locally on that server.

coolemail · Unread post by **coolemail** » Sun Jun 17, 2012 7:55 am

Many thanks Faris, as ever.

Atomicorp

Spam headers - originated locally?

Spam headers - originated locally?

Re: Spam headers - originated locally?

Re: Spam headers - originated locally?