Welcome to ISAserver.org


Weird SMTP Header info using SMTP publishing rule

Weird SMTP Header info using SMTP publishing rule - 13.Jan.2005 2:14:00 AM   
uscvega

 

Posts: 1
Joined: 13.Jan.2005
From: California
We finally made the switch to an ISA 2004 box and we started noticing that spam email has some particular header information that appears to be incorrect.
Below is an email header from a nonspam source:
+++++++++++++
Microsoft Mail Internet Headers Version 2.0
Received: from mail.my.org ([10.10.x.x]) by MYMAILER with Microsoft SMTPSVC(6.0.3790.211);
Wed, 12 Jan 2005 07:34:45 -0800
Received: from alias-1.c10-ave-mta3.cnet.com ([206.16.1.190]) by mail.my.org with Microsoft SMTPSVC(6.0.3790.211);
Wed, 12 Jan 2005 07:34:42 -0800
X-sbi: accucast
Message-ID: <29960220.1105544082193.JavaMail.accucast@206.16.1.189>
++++++++++++++++++
Email from a spam source:
Microsoft Mail Internet Headers Version 2.0
X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
Received: from mail.my.org ([10.10.x.x]) by MYMAILER with Microsoft SMTPSVC(6.0.3790.211); Sun, 9 Jan 2005 23:12:01 -0800
Received: from rproxy.gmail.com ([172.x.x.x]) by mail.my.org with Microsoft SMTPSVC(6.0.3790.211); Sun, 9 Jan 2005 23:11:59 -0800
++++++++++++++
The gist of the problem is that the rproxy.gmail.com (172.x.x.x) is given the internal address of my ISA box. As you can notice, the email was an obvious spam mail but for some reason the headers are not flowing correctly to the email server. I originally thought that this was occurring only for some spam but it happens with all spam to all users. REAL email flows correctly. Is there some action in the SMTP filter or the way ISA Server publishes SMTP servers that makes this header "restatement"? Is it replacing the IP address with itself when it can't do a reverse DNS lookup?

I have the publishing rule set to "requests appear to come from the original client" and the SMTP application filter is applied.

It's making it difficult to use tools like SpamCop or things of that nature when reviewing the spam logs.

Thanks,

Carlos

[ January 13, 2005, 02:15 AM: Message edited by: uscvega ]
Post #: 1
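
A header triage check for the symptom described in the post, added here as an example and not part of the original post: it flags `Received` hops where a sender name outside your own domains is recorded with a private (RFC 1918) address, which suggests the real source IP was lost before the mail server logged the connection. The function names, the `internal_suffixes` parameter and the addresses 10.10.0.5 and 172.16.0.1 are assumptions standing in for the masked values; the regex only covers the Microsoft SMTPSVC header layout shown above.

```python
import ipaddress
import re
from email import message_from_string

# Matches "from <name> ([<ip>]) by <server>" as written by Microsoft SMTPSVC.
HOP_RE = re.compile(r"from\s+(\S+)\s+\(\[([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)")

def is_internal_name(name, suffixes):
    """True for single-label names and names under one of our own domains."""
    name = name.lower().rstrip(".")
    return "." not in name or any(name == s or name.endswith("." + s) for s in suffixes)

def rewritten_hops(raw_headers, internal_suffixes=("my.org",)):
    """Return hops where an outside sender name is paired with a private address."""
    findings = []
    for value in message_from_string(raw_headers).get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))  # unfold continuation lines
        if not m:
            continue  # other MTA format, or a masked address such as 10.10.x.x
        name, ip_text, by = m.groups()
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            continue  # bracketed text was not a valid IP literal
        if ip.is_private and not is_internal_name(name, internal_suffixes):
            findings.append({"from": name, "ip": str(ip), "by": by})
    return findings

# Constructed samples: 10.10.0.5 and 172.16.0.1 stand in for the masked addresses.
SVC = "with Microsoft SMTPSVC(6.0.3790.211);\n\t"
SPAM_SAMPLE = (
    "Received: from mail.my.org ([10.10.0.5]) by MYMAILER " + SVC + "Sun, 9 Jan 2005 23:12:01 -0800\n"
    "Received: from rproxy.gmail.com ([172.16.0.1]) by mail.my.org " + SVC + "Sun, 9 Jan 2005 23:11:59 -0800\n"
)
GOOD_SAMPLE = (
    "Received: from mail.my.org ([10.10.0.5]) by MYMAILER " + SVC + "Wed, 12 Jan 2005 07:34:45 -0800\n"
    "Received: from alias-1.c10-ave-mta3.cnet.com ([206.16.1.190]) by mail.my.org " + SVC
    + "Wed, 12 Jan 2005 07:34:42 -0800\n"
)

if __name__ == "__main__":
    for label, sample in (("non-spam", GOOD_SAMPLE), ("spam", SPAM_SAMPLE)):
        print(label, rewritten_hops(sample))
```

The internal relay hop (mail.my.org to MYMAILER) is not flagged because both the name and the private address belong to the local network.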
