Weird Email problem

[soia]

One of my users got an email from loser@domain.com. First there is no one named loser on my mail server. Second this person knows information about the company which, im guessing, is an internal problem. Im using Seattle labs mail server to do my mail and have broadcasting turned off. How can somebody send an email to a specific user with an email account that doesn't exist. Also is this internal or external???? Im confused at the moment.


Thanx
-soia

[DjM]

It might help us if you could post the actual e-mail header record. The header should give you / us more information to work with.



Cheers:

[soia]

> ----- Original Message -----
> > From: LOSER @CCAP
> > To: Hku
> > Sent: Friday, January 31, 2003 9:23 AM
> > Subject: None

Thats the header of the original message

[noODle]

Could this be of any help.

Or otherwise this

[DjM]

The header record I am refering to would look more like this:

Received: from mailserver.mail.com
by GWIA.mailserver.com; Tue, 22 Oct 2002 17:19:52 -0600
Received: from mail.com ([xx.xx.xx.xx])
by sendmail.mail.com (GW 2.5.2.11) with SMTP id M2002102217201404984
; Tue, 22 Oct 2002 17:20:14 -0600
Received: from pd2mo1so.prod.shaw.ca (shawidc-mo1.cg.shawcable.net [24.71.223.10])
by mail.com (xx.xx.xx.xx) with ESMTP id g9MNIFcj027414;
Tue, 22 Oct 2002 17:18:16 -0600 (MDT)
Received: from pd3mr2so.prod.shaw.ca
(pd3mr2so-qfe3.prod.shaw.ca [10.0.141.178]) by l-daemon
(iPlanet Messaging Server 5.1 HotFix 0.8 (built May 12 2002))
with ESMTP id <0H4E00L0UONHW1@l-daemon>; Tue, 22 Oct 2002 17:16:29 -0600 (MDT)
Received: from pn2ml7so.prod.shaw.ca
(pn2ml7so-qfe0.prod.shaw.ca [10.0.121.151]) by l-daemon
(iPlanet Messaging Server 5.1 HotFix 0.8 (built May 12 2002))
with ESMTP id <0H4E00JOWONHNU@l-daemon>; Tue, 22 Oct 2002 17:16:29 -0600 (MDT)
Received: from m1d2j7 (h68-144-135-23.cg.shawcable.net [68.144.135.23])
by l-daemon (iPlanet Messaging Server 5.1 HotFix 0.8 (built May 12 2002))
with SMTP id <0H4E00MV2ONGNH@l-daemon>; Tue, 22 Oct 2002 17:16:29 -0600 (MDT)
Date: Tue, 22 Oct 2002 17:16:26 -0600
From: LOSER @CCAP <LOSER @CCAP>
Subject: whatever
To: Hku Message-id: <000a01c27a21$0ebef420$0300a8c0@cg.shawcable.net>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
Content-type: multipart/alternative;
boundary="Boundary_(ID_n+SDV2nvWbI5pCkjrnsb0Q)"
X-Priority: 3
X-MSMail-priority: Normal

This is a multi-part message in MIME format.

--Boundary_(ID_n+SDV2nvWbI5pCkjrnsb0Q)
Content-type: text/plain; charset=iso-8859-1
Content-transfer-encoding: 7BIT

Can you find the part of the e-mail that looks like this?

Cheers:

[soia]

Where would i look to find that header????

[(V)/\><]

but of course it could all be invalid data, forged even, so the account would not have to exist.

[DjM]

Originally posted here by soia
Where would i look to find that header????

What e-mail client are you running?


Cheers:

[soia]

Ok found the header here it is. Apparantly this guy got a hotmail account and made it loseratccap@hotmail.com

eceived: by mail.ccap.net from localhost
(router,slmail V5.1); Fri, 31 Jan 2003 15:41:12 -0500
for <hku>
Received: from hotmail.com [64.4.31.124]
by mail.ccap.net [167.206.187.19] (MailWarden 5.1.0.1069 (SLmail Add-On Edition)) with SMTP
id 145A712A71714E378F4760B6EDC5A52C
for <hku@ccap.net>; Fri, 31 Jan 2003 15:41:08 -0500
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
Fri, 31 Jan 2003 12:37:51 -0800
Received: from 24.47.112.193 by pv1fd.pav1.hotmail.msn.com with HTTP;
Fri, 31 Jan 2003 20:37:51 GMT
X-Originating-IP: [24.47.112.193]
From: "LOSER @CCAP" <loseratccap@hotmail.com>
To: "Hku" <hku@ccap.net>
Bcc:
Subject: Re: None
Date: Fri, 31 Jan 2003 20:37:51 +0000
Mime-Version: 1.0
Content-Type: text/html
Message-ID: <F1247cMjlc6WdQTpa600000a59b@hotmail.com>
X-OriginalArrivalTime: 31 Jan 2003 20:37:51.0329 (UTC) FILETIME=[9FB92D10:01C2C968]
X-SLUIDL: BD519167-6612454B-9747C5C7-450E3897

<html><div style='background-color:'><DIV>


CHECK YOUR WALLET OR APPLY FOR A PASSPORT BUT DONT CLIMB THE TOWER STAIRS

</P></DIV>
<DIV></DIV>
<DIV></DIV>&gt;From: "Hanson Ku" <HKU@CCAP.NET>
<DIV></DIV>&gt;To: "LOSER @CCAP" <LOSERATCCAP@HOTMAIL.COM>
<DIV></DIV>&gt;Subject: Re: None
<DIV></DIV>&gt;Date: Fri, 31 Jan 2003 09:59:30 -0500
<DIV></DIV>&gt;
<DIV></DIV>&gt;I NEED POSITIVE ID....
<DIV></DIV>&gt; ----- Original Message -----
<DIV></DIV>&gt; From: LOSER @CCAP
<DIV></DIV>&gt; To: Hku
<DIV></DIV>&gt; Sent: Friday, January 31, 2003 9:48 AM
<DIV></DIV>&gt; Subject: Re: None
<DIV></DIV>&gt;
<DIV></DIV>&gt;
<DIV></DIV>&gt; THE MAN IN THE WATCHTOWER
<DIV></DIV>&gt;
<DIV></DIV>&gt;
<DIV></DIV>&gt;
<DIV></DIV>&gt; &gt;From: "Hanson Ku"
<DIV></DIV>&gt; &gt;To: "LOSER @CCAP"
<DIV></DIV>&gt; &gt;Subject: Re: None
<DIV></DIV>&gt; &gt;Date: Fri, 31 Jan 2003 09:32:54 -0500
<DIV></DIV>&gt; &gt;
<DIV></DIV>&gt; &gt;HAA HA U AGAIN...IDENTIFY YOURSELF.....
<DIV></DIV>&gt; &gt; ----- Original Message -----
<DIV></DIV>&gt; &gt; From: LOSER @CCAP
<DIV></DIV>&gt; &gt; To: Hku
<DIV></DIV>&gt; &gt; Sent: Friday, January 31, 2003 9:23 AM
<DIV></DIV>&gt; &gt; Subject: None
<DIV></DIV>&gt; &gt;
<DIV></DIV>&gt; &gt;
<DIV></DIV>&gt; &gt; IF THEY KEEP HIRING PEOPLE WHERE WILL WE PARK?
<DIV></DIV>&gt; &gt;
<DIV></DIV>&gt; &gt;
<DIV></DIV>&gt; &gt;------------------------------------------------------------------------------
<DIV></DIV>&gt; &gt; STOP MORE SPAM with the new MSN 8 and get 2 months FREE*

Considering this person gave up an ip address, can we get an actual user name of the guy???

[DjM]

Well that answers one of your questions, the e-mail was external (hotmail).

Considering this person gave up an ip address, can we get an actual user name of the guy???

If your talking about this "Received: from 24.47.112.193 by pv1fd.pav1.hotmail.msn.com with HTTP;", you can try and contact abuse@hotmail.com but I wouldn't hold your breath. I doubt they will give out any information to you but they may give the actual sender a hard time. It's your call.

Cheers: