[olug] Reading the Received header in email

Eric W. Biederman ebiederm at xmission.com
Tue Dec 2 06:15:09 CST 2014

David Gilman <davidgilman1 at gmail.com> writes:

> Noob mail admin here.  I'm so nooby that I've outsourced the whole
> thing to Google to get it working instead of learning it myself.
> My MX record points at their Google mail servers, and they've got SPF
> configured so only their servers can send mail for my domain.  There
> is a mail server running on the machine that the A record points to.
> After a quick look through the configuration files it does seem to
> only be listening on localhost but I don't know exim4 in and out
> enough to be assured.
> I've got Google's mail servers configured to redirect all mail sent to
> any address to the admin inbox as a way of catching things that get
> lost.  Every now and then I get a bounce message, and they've got an
> initial Received: line like the following:
> Received: from $GARBAGE (unknown [$MYSTERY_IP])
>         by $MY_DOMAIN with SMTP id $SMTP_IP
>         for <$SOMETHING@$NOT_MY_DOMAIN>; Mon, 20 Oct 2014 04:50:18 +0800
> where $GARBAGE is what looks like someone mashing on the keys and
> clearly not a FQDN.  I don't see my A record's IP anywhere.
> I don't understand what the Received line is telling me.  The
> $MYSTERY_IP isn't mine at all, so why does it say it came from
> $MY_DOMAIN?  What's going on here?

One of two possibilities.
- It is a forged bounce message.
- Someone isn't checking SPF and is bouncing spam in your direction.

I would check those bounces for evil attachments.
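To make the two possibilities above checkable, here is an added example (my own code, not from either poster) that parses a Received: line of the shape quoted in the question and reports what a forged or backscattered hop looks like. The sample header, the domain, the list of hosts that actually write Received lines for it and the SPF networks are all constructed assumptions; in practice the last two come from your own MX/A records and a real SPF lookup.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample, shaped like the header in the question. Documentation
# addresses and made-up names only; this is not a real message.
SAMPLE_RECEIVED = (
    "Received: from asdkjqwe (unknown [203.0.113.45])\n"
    "        by example.org with SMTP id 7f3a2b\n"
    "        for <someone@other.example>; Mon, 20 Oct 2014 04:50:18 +0800"
)

# Assumed values: the domain in question, the hosts that really write
# "by ..." lines for it, and the networks its SPF record permits.
MY_DOMAIN = "example.org"
MY_MAIL_HOSTS = {"mail.example.org", "mx.example.org"}
MY_SPF_NETWORKS = [ip_network("198.51.100.0/24")]

# Common MTA Received: layout: from <HELO name> (<rDNS> [<IP>]) by <host> ...
RECEIVED_RE = re.compile(
    r"^Received:\s*from\s+(?P<helo>\S+)"                        # name the client claimed in HELO/EHLO
    r"(?:\s+\((?P<rdns>[^\s()\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\))?"  # reverse DNS (or 'unknown') and connecting IP
    r"\s+by\s+(?P<by>\S+)"                                       # host that claims to have written this line
    r"(?:\s+\([^)]*\))?"                                         # optional MTA comment, e.g. "(Postfix)"
    r"(?:\s+with\s+(?P<proto>\S+))?"
    r"(?:\s+id\s+(?P<id>\S+))?"
    r"(?:\s+for\s+<(?P<rcpt>[^>]+)>)?"
    r"\s*;\s*(?P<date>.+)$"
)

FQDN_RE = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")


def unfold(header: str) -> str:
    """Join RFC 5322 continuation lines (newline followed by whitespace)."""
    return re.sub(r"\r?\n[ \t]+", " ", header.strip())


def parse_received(header: str) -> dict:
    """Split one Received: header into its named parts."""
    m = RECEIVED_RE.match(unfold(header))
    if not m:
        raise ValueError("unrecognised Received: layout")
    return m.groupdict()


def looks_like_fqdn(name: str) -> bool:
    """True if name has at least two valid DNS labels and an alphabetic TLD."""
    return FQDN_RE.fullmatch(name.lower().rstrip(".")) is not None


def assess(parsed: dict, my_domain: str = MY_DOMAIN,
           my_hosts: set = MY_MAIL_HOSTS, spf_nets: list = MY_SPF_NETWORKS) -> list:
    """Return human-readable findings for the hop described by one Received: line."""
    findings = []
    helo = parsed["helo"]
    if not looks_like_fqdn(helo):
        findings.append(f"HELO name {helo!r} is not a FQDN")
    if parsed["rdns"] in (None, "unknown"):
        findings.append("connecting IP has no reverse DNS")
    if parsed["ip"]:
        addr = ip_address(parsed["ip"])
        if not any(addr in net for net in spf_nets):
            findings.append(f"connecting IP {addr} is not an SPF-permitted sender for {my_domain}")
    by = parsed["by"].lower().rstrip(".")
    if (by == my_domain or by.endswith("." + my_domain)) and by not in my_hosts:
        findings.append(f"'by {by}' names your domain but not a host you run: line is probably forged")
    return findings


if __name__ == "__main__":
    parts = parse_received(SAMPLE_RECEIVED)
    for key in ("helo", "rdns", "ip", "by", "rcpt", "date"):
        print(f"{key:>5}: {parts[key]}")
    for finding in assess(parts):
        print("  !", finding)
```

Only the Received: line written by your own server (or, here, by Google's, since they hold the MX) is something you verified; every line below it is free text that the sending system chose to write, which is why a "by $MY_DOMAIN" line can name an IP you have never seen. The SPF check in `assess` is a stand-in for the lookup a receiving MTA performs at SMTP time; a site that skipped it would have accepted the spam and later bounced it to you, which is the second possibility above.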


