On 30 Mar 2016, at 9:48, Matus UHLAR - fantomas wrote:
On 30.03.16 06:18, redtailjason wrote:
[....]
The headers you have posted show mail that only goes through
internal IPs and localhost, that mail doesn't seem to come from
outside.
I believe that this is not correct.
it also looks that it comes from EPSON scanner, and has .tiff
attachment
that is quite common for scanned documents.
It is meant to seem that way. This is a very common flavor of spam these
days, although no well-run system accepts it.
Unfortunately...
[...]
Received: from [1.22.69.90] (Unknown_Domain [192.168.1.175])
        by MAILSECURITY010.redtailtechnology.com (Symantec Messaging Gateway) with
        SMTP id 69.3E.24467.E9DBBF65; Wed, 30 Mar 2016 04:50:54 -0700 (PDT)
1.22.69.90 is a known recently active spambot:
http://www.abuseat.org/lookup.cgi?ip=1.22.69.90 and it seems like that
spambot is using a proper IP literal of its own IP as its HELO argument,
but is actually appearing to be 192.168.1.175. This is possible in some
environments that use firewalls which NAT inbound connections so that
they seem to come from the firewall itself. On the other hand, this is a
proprietary device which may be building its Received header
perversely... In any case, something is either claiming to be or seeming
to be a spambot in Mumbai when talking to an inbound MTA in California,
which seems unlikely to be in any way a normal internal mail
transmission.
This is a problem at the "Symantec Messaging Gateway" device and
possibly with how it sees connections from the net at large.
Fortunately, Symantec has people paid to support their systems (at least
for paying customers) and one need not post the same thing 3 times in 5
minutes to a public mailing list to get them to respond.
So the OP needs to talk to his vendor. It is letting mail in from a
source that NO ONE should be accepting mail from. The family of bot CBL
thinks that 1.22.69.90 is running says HELO in sub-second times after
connecting whether it sees a banner or not. If Symantec's crap doesn't
refuse that sort of client it is living up to their reputation for
selling the widest collection of popular but broken garbage of any tech
vendor.
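The check Bill is doing by eye above, as an added example that is not part of the thread or of any vendor's product: parse the Received header, pull the HELO argument and the address the MTA actually saw, and flag the case where the client HELOs with a globally routable IP literal while the MTA records the peer as an RFC 1918 address. The header string is the one posted in the thread, re-joined onto one line; the second sample header, the function names and the `cbl.abuseat.org` zone spelling used for building a DNSBL lookup name are this example's own assumptions, and nothing here performs a live DNS query.

```python
import ipaddress
import re

# The Received header posted in the thread, unfolded onto one line.
RECEIVED = (
    "Received: from [1.22.69.90] (Unknown_Domain [192.168.1.175]) "
    "by MAILSECURITY010.redtailtechnology.com (Symantec Messaging Gateway) "
    "with SMTP id 69.3E.24467.E9DBBF65; Wed, 30 Mar 2016 04:50:54 -0700 (PDT)"
)

# Constructed control header: a normal client whose HELO is a hostname, not a literal.
RECEIVED_NORMAL = (
    "Received: from mail.example.org (mail.example.org [203.0.113.5]) "
    "by mx.example.net with ESMTP id abc123; Wed, 30 Mar 2016 05:00:00 -0700 (PDT)"
)

# "from <helo> (<rdns> [<ip>]) by <host>" -- the clause most MTAs emit.
_FROM_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                                      # HELO/EHLO argument
    r"(?:\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\))?"    # optional (rdns [peer-ip])
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def _literal(token):
    """Return an ip_address if token is a bracketed IP literal like [1.22.69.90], else None."""
    if token.startswith("[") and token.endswith("]"):
        try:
            return ipaddress.ip_address(token[1:-1])
        except ValueError:
            return None
    return None


def parse_received(header):
    """Extract HELO argument, peer address and receiving host from a Received header."""
    text = " ".join(header.split())  # unfold continuation lines / collapse whitespace
    m = _FROM_RE.search(text)
    if not m:
        raise ValueError("no 'from ... by ...' clause found")
    d = m.groupdict()
    d["helo_literal"] = _literal(d["helo"])
    d["peer_ip"] = ipaddress.ip_address(d["ip"]) if d["ip"] else None
    return d


def helo_peer_mismatch(parsed):
    """True when the client announced a globally routable IP literal in HELO
    but the MTA recorded the connection as coming from a non-global
    (e.g. RFC 1918) address -- the NAT-on-inbound pattern discussed above."""
    helo, peer = parsed["helo_literal"], parsed["peer_ip"]
    return bool(helo and peer and helo.is_global and not peer.is_global and helo != peer)


def dnsbl_query_name(ip, zone="cbl.abuseat.org"):
    """Build the reversed-octet name one would resolve to check an IPv4
    address against a DNSBL zone (the zone name is an assumption here)."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


if __name__ == "__main__":
    for hdr in (RECEIVED, RECEIVED_NORMAL):
        p = parse_received(hdr)
        print(p["helo"], p["peer_ip"], "MISMATCH" if helo_peer_mismatch(p) else "ok")
        if p["helo_literal"]:
            print("  DNSBL name:", dnsbl_query_name(p["helo_literal"]))
```

The mismatch test deliberately requires the HELO literal to be global and the recorded peer to be non-global; a client that HELOs with its own public address while the MTA sees that same address is normal, and a private peer that HELOs with a private literal is just an internal host.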