
Re: [OT] Has my e-mail account been hacked?



On 13/10/15 09:58, Stephen Powell wrote:
> Unfortunately, I don't.  Attached below is one of the mail delivery
> failure notices, which includes the headers of the original message.
> But I don't understand what it all means.

Okay, here goes an attempt at a translation.

> Return-Path: <zlinuxman@wowway.com>

Okay, this is the address that bounce messages will be sent to.

> X_CMAE_Category: , ,
> X-CNFS-Analysis: v=2.1 cv=eaKdB+wH c=1 sm=1 tr=0 a=FxXVyIFnAocEnA08ajU80w==:117 a=FxXVyIFnAocEnA08ajU80w==:17 a=K-v-2zaBAAAA:8 a=QP5IY3kgAAAA:8 a=ZhWb6TEzAAAA:8 a=kj9zAlcOel0A:10 a=op2l2dobe8TBvKaan4QA:9 a=qSf3gRf-E_nrW77P:21 a=Nputykdsa0hyqt36:21 a=CjuIK1q_8ugA:10
> X-CM-Score: 0
> X-Scanned-by: Cloudmark Authority Engine
> X-Authed-Username: dGhlY291Z2hpbmdjYW5hcnlAd293d2F5LmNvbQ==
> X_CMAE_Category: , ,
> X-CNFS-Analysis: 
> X-CM-Score: 
> X-Scanned-by: Cloudmark Authority Engine

These are from some scanning service.  Anything with an X- header is a
non-standard header.  Perhaps a search for "Cloudmark Authority Engine"
might yield some clues as to how to interpret these.

> Authentication-Results:  smtp02.wow.cmh.synacor.com smtp.user=thecoughingcanary; auth=pass (LOGIN)

Not sure about this one.

> Received: from [69.73.17.154] ([69.73.17.154:57886] helo=46MmPDFcgl13022)
> 	by smtp.mail.wowway.com (envelope-from <zlinuxman@wowway.com>)
> 	(ecelerity 3.6.1.42806 r(Platform:3.6.1.1)) with ESMTPA
> 	id 54/A2-15401-2D8D4165; Wed, 07 Oct 2015 04:33:28 -0400

There are usually several of these, and they'll appear in reverse order.
(If you want an example, have a look at mine.)  The bottom one should
be the original source of the email.

In this case, it gives the IP address of 69.73.17.154 as the source, and
'smtp.mail.wowway.com' was the host that processed the email.  The rest
is detail on how it got there (in this case, the SMTP protocol).

We'll come back to this.

> Reply-To: <shoprecruiterss@oath.com>
> Message-ID: <54.A2.15401.2D8D4165@smtp02.wow.cmh.synacor.com>
> From: "SSN"<zlinuxman@wowway.com>
> To: shoprecruiterss@oath.com
> Subject: - Welcome: Mystery Shopper's 2015 -

Those are the start of the actual message, so where to send replies to
(if someone hits Reply), the message identifier (used when matching a
reply to the original message), From/To/Cc addresses and email subject.

We determined that the email came from 69.73.17.154.  If we do a WHOIS
look-up on this, we get:

> RC=0 stuartl@rikishi ~ $ whois 69.73.17.154
> 
> #
> # ARIN WHOIS data and services are subject to the Terms of Use
> # available at: https://www.arin.net/whois_tou.html
> #
> # If you see inaccuracies in the results, please report at
> # http://www.arin.net/public/whoisinaccuracy/index.xhtml
> #
> 
> 
> #
> # The following results may also be obtained via:
> # http://whois.arin.net/rest/nets;q=69.73.17.154?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
> #
> 
> 
> # start
> 
> NetRange:       69.73.17.152 - 69.73.17.159
> CIDR:           69.73.17.152/29
> NetName:        HUNT697317152-29
> NetHandle:      NET-69-73-17-152-1
> Parent:         WIDEOPENWEST (NET-69-73-0-0-1)
> NetType:        Reassigned
> OriginAS:       AS12083
> Customer:       Oakwood Church (C02277166)
> RegDate:        2009-07-17
> Updated:        2009-07-17
> Ref:            http://whois.arin.net/rest/net/NET-69-73-17-152-1
> 
> 
> CustName:       Oakwood Church
> Address:        5500 Adventist Blvd NW.
> City:           Huntsville
> StateProv:      AL
> PostalCode:     35896
> Country:        US
> RegDate:        2009-07-17
> Updated:        2013-03-19
> Ref:            http://whois.arin.net/rest/customer/C02277166
> 
> OrgAbuseHandle: IPADM469-ARIN
> OrgAbuseName:   IP Administrator
> OrgAbusePhone:  +1-706-645-8194 
> OrgAbuseEmail:  abuse@wideopenwest.com
> OrgAbuseRef:    http://whois.arin.net/rest/poc/IPADM469-ARIN
> 
> OrgNOCHandle: IPADM669-ARIN
> OrgNOCName:   IP Administrator
> OrgNOCPhone:  +1-706-634-2898 
> OrgNOCEmail:  ipadmin@wideopenwest.com
> OrgNOCRef:    http://whois.arin.net/rest/poc/IPADM669-ARIN
> 
> OrgTechHandle: UNIXA3-ARIN
> OrgTechName:   Unix Administration
> OrgTechPhone:  +1-630-536-3158 
> OrgTechEmail:  emcmillen@wideopenwest.com
> OrgTechRef:    http://whois.arin.net/rest/poc/UNIXA3-ARIN
> 
> OrgTechHandle: IPADM669-ARIN
> OrgTechName:   IP Administrator
> OrgTechPhone:  +1-706-634-2898 
> OrgTechEmail:  ipadmin@wideopenwest.com
> OrgTechRef:    http://whois.arin.net/rest/poc/IPADM669-ARIN
> 
> # end
> 
> 
> # start
> 
> NetRange:       69.73.0.0 - 69.73.127.255
> CIDR:           69.73.0.0/17
> NetName:        WIDEOPENWEST
> NetHandle:      NET-69-73-0-0-1
> Parent:         NET69 (NET-69-0-0-0-0)
> NetType:        Direct Allocation
> OriginAS:       AS12083
> Organization:   WideOpenWest Finance LLC (WOPW)
> RegDate:        2003-09-03
> Updated:        2013-03-19
> Ref:            http://whois.arin.net/rest/net/NET-69-73-0-0-1
> 
> 
> OrgName:        WideOpenWest Finance LLC
> OrgId:          WOPW
> Address:        1674 Frontenac Rd
> City:           Naperville
> StateProv:      IL
> PostalCode:     60563
> Country:        US
> RegDate:        2002-04-10
> Updated:        2015-05-08
> Ref:            http://whois.arin.net/rest/org/WOPW
> 
> 
> OrgAbuseHandle: IPADM469-ARIN
> OrgAbuseName:   IP Administrator
> OrgAbusePhone:  +1-706-645-8194 
> OrgAbuseEmail:  abuse@wideopenwest.com
> OrgAbuseRef:    http://whois.arin.net/rest/poc/IPADM469-ARIN
> 
> OrgNOCHandle: IPADM669-ARIN
> OrgNOCName:   IP Administrator
> OrgNOCPhone:  +1-706-634-2898 
> OrgNOCEmail:  ipadmin@wideopenwest.com
> OrgNOCRef:    http://whois.arin.net/rest/poc/IPADM669-ARIN
> 
> OrgTechHandle: UNIXA3-ARIN
> OrgTechName:   Unix Administration
> OrgTechPhone:  +1-630-536-3158 
> OrgTechEmail:  eric.bailey@wideopenwest.com
> OrgTechRef:    http://whois.arin.net/rest/poc/UNIXA3-ARIN
> 
> OrgTechHandle: IPADM669-ARIN
> OrgTechName:   IP Administrator
> OrgTechPhone:  +1-706-634-2898 
> OrgTechEmail:  ipadmin@wideopenwest.com
> OrgTechRef:    http://whois.arin.net/rest/poc/IPADM669-ARIN
> 
> # end
> 
> 
> 
> #
> # ARIN WHOIS data and services are subject to the Terms of Use
> # available at: https://www.arin.net/whois_tou.html
> #
> # If you see inaccuracies in the results, please report at
> # http://www.arin.net/public/whoisinaccuracy/index.xhtml
> #

The bounce message unfortunately doesn't give us any information on what
the server's IP address is, so we can't easily compare it to the emails
you're sending to the list to see if the routes match up.

The headers do bear a strong resemblance though.  Not sure if you're
using a standard email client on another host or whether you're running
a webmail client (I think Zimbra does both).  The email *looks* as if it
was sent directly to your host before a relay was attempted.

From my perspective, it looks like your SMTP password possibly has been
leaked or cracked.
-- 
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.

Attachment: signature.asc
Description: OpenPGP digital signature
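Added example, not part of Stuart's reply or anything else in this thread:
a small Python script that pulls the signals discussed above out of the
quoted headers.  It walks the Received: lines in reverse to find the first
hop and its IP, reads the "with" keyword (per RFC 3848 a trailing A, as in
ESMTPA, means the client logged in with SMTP AUTH), reads auth=pass and
smtp.user from Authentication-Results, base64-decodes X-Authed-Username (an
assumption about that header's encoding; it does decode to a plain address),
and compares From, Reply-To and envelope-from.  The header block is copied
from the quoted bounce notice; the regular expressions assume the Received:
layout shown there and would need adjusting for other MTAs.  WHOIS needs the
network, so that part is left to the whois command used above.

```python
import base64
import re
from email import message_from_string

# Constructed input: the header block quoted in the bounce notice above,
# re-assembled so the example runs offline.  Continuation lines start with
# a tab exactly as in the original, so the parser unfolds them.
BOUNCED_HEADERS = """\
Return-Path: <zlinuxman@wowway.com>
X-Authed-Username: dGhlY291Z2hpbmdjYW5hcnlAd293d2F5LmNvbQ==
Authentication-Results:  smtp02.wow.cmh.synacor.com smtp.user=thecoughingcanary; auth=pass (LOGIN)
Received: from [69.73.17.154] ([69.73.17.154:57886] helo=46MmPDFcgl13022)
\tby smtp.mail.wowway.com (envelope-from <zlinuxman@wowway.com>)
\t(ecelerity 3.6.1.42806 r(Platform:3.6.1.1)) with ESMTPA
\tid 54/A2-15401-2D8D4165; Wed, 07 Oct 2015 04:33:28 -0400
Reply-To: <shoprecruiterss@oath.com>
Message-ID: <54.A2.15401.2D8D4165@smtp02.wow.cmh.synacor.com>
From: "SSN"<zlinuxman@wowway.com>
To: shoprecruiterss@oath.com
Subject: - Welcome: Mystery Shopper's 2015 -

"""


def _first(pattern, text, default=None):
    """Return group 1 of the first match of pattern in text, or default."""
    m = re.search(pattern, text)
    return m.group(1) if m else default


def _addr(value):
    """Bare address from '"SSN"<a@b>', '<a@b>' or 'a@b' (no display-name parsing)."""
    value = value or ""
    return _first(r"<([^>]+)>", value, value.strip())


def decode_authed_username(value):
    """X-Authed-Username is assumed to be base64.  None if absent or not base64."""
    if not value:
        return None
    try:
        return base64.b64decode(value.strip(), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None


def analyse_headers(raw):
    """Extract hop, authentication and address facts from a raw header block."""
    msg = message_from_string(raw)
    # Every MTA prepends its own Received: line, so the last one in the list
    # is the first hop: the host that injected the message.
    hops = [re.sub(r"\s+", " ", h) for h in msg.get_all("Received", [])]
    first_hop = hops[-1] if hops else ""
    auth_results = msg.get("Authentication-Results", "")
    report = {
        "hop_count": len(hops),
        "origin_ip": _first(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", first_hop),
        "helo": _first(r"helo=([^)\s]+)", first_hop),
        # RFC 3848: "with" names the protocol; a trailing A (ESMTPA, ESMTPSA)
        # means the client authenticated with SMTP AUTH.
        "protocol": _first(r"\bwith (\S+)", first_hop, ""),
        "envelope_from": _first(r"envelope-from <([^>]+)>", first_hop),
        "smtp_user": _first(r"smtp\.user=([^;\s]+)", auth_results),
        "auth": _first(r"\bauth=(\w+)", auth_results),
        "authed_user": decode_authed_username(msg.get("X-Authed-Username")),
        "return_path": _addr(msg.get("Return-Path")),
        "from_addr": _addr(msg.get("From")),
        "reply_to": _addr(msg.get("Reply-To")),
    }
    report["findings"] = findings(report)
    return report


def findings(r):
    """Turn the extracted facts into the points a responder would raise."""
    out = []
    if r["protocol"].upper().endswith("A"):
        out.append("injected with SMTP AUTH (%s): the sender presented the account password" % r["protocol"])
    if r["auth"] == "pass" and r["smtp_user"]:
        out.append("server reports a successful login for smtp.user=%s" % r["smtp_user"])
    if r["authed_user"] and r["from_addr"] and r["authed_user"] != r["from_addr"]:
        out.append("From: %s is not the account that logged in (%s)" % (r["from_addr"], r["authed_user"]))
    if r["helo"] and "." not in r["helo"]:
        out.append("HELO name %r is not a fully qualified hostname" % r["helo"])
    if r["reply_to"] and r["reply_to"] != r["from_addr"]:
        out.append("Reply-To: %s diverts replies away from From: %s" % (r["reply_to"], r["from_addr"]))
    if r["origin_ip"]:
        out.append("origin %s: run whois on it and compare with the first hop of your own mail" % r["origin_ip"])
    return out


if __name__ == "__main__":
    result = analyse_headers(BOUNCED_HEADERS)
    for key in ("origin_ip", "helo", "protocol", "smtp_user", "auth",
                "authed_user", "envelope_from", "from_addr", "reply_to"):
        print("%-14s %s" % (key + ":", result[key]))
    print("findings:")
    for line in result["findings"]:
        print("  -", line)
```

Run it against a bounce you did not send and look at the findings: an
authenticated submission (ESMTPA plus auth=pass) from an IP you do not
recognise is the signal that the password itself was used, rather than the
From: address merely being forged by an unrelated relay.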