Mailing List Message #12054
From: Warren Michelsen <>
Subject: Real IP of Sending MTA
Date: Wed, 13 Nov 2002 19:55:39 -0700
To: SIMS Discussions <>
A spam in my queue begins:

P I 11-11-2002 16:47:32 0000 glen
R E 11-11-2002 16:47:36 0000 glen
R E 11-11-2002 16:48:06 0000 jeff
R E 11-11-2002 16:48:36 0000 katie
R E 11-11-2002 16:49:06 0000 oscar
R E 11-11-2002 16:51:06 0000 pierre
R E 11-11-2002 16:53:06 0000 rainbow

Received: from [] (HELO
  by (Stalker SMTP Server 1.8b9d11)
  with SMTP id S.0000110944; Mon, 11 Nov 2002 09:47:34 -0700

Can I accept as the real IP address of the offending MTA or is it like the HELO argument ( which can be any durned thing the spammer pleases?

Trying to look up the MX for comes up empty which is why, I suppose, SIMS tries to connect to -- the IP of, which is probably not the real host name anyway.

00:17:33 3 SMTP-208( Failed to connect to []. reason=60

I went through the spam in the queue and noted that not more than three items were from any one IP address but all are obviously part of the same dictionary attack on one domain.

All gave the same "" HELO argument.

Given the wide variety of addresses, is it likely that the IP is faked too?

Then again, those IPs that resolve are all non-US but scattered throughout br, de, it, at, etc.

Now, I would think that a spammer with resources spread this widely would be caught by my RBL but that doesn't seem to be happening so I'm adding each IP manually in the hope that the IPs are not faked and that eventually it will do some good.

Am I wasting my time?
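As an added example (not from the list post or from SIMS itself), a small Python parser for the Received: line that SIMS writes, separating the bracketed peer address, which the receiving server took from the TCP connection it actually accepted, from the HELO argument, which the client supplied. The hostnames and addresses are constructed (RFC 5737 documentation range), and DNS is replaced by an injected lookup table so it runs offline.

```python
import re
from typing import Callable, Optional

# Constructed sample in the shape of the Received: line quoted in the post.
# Only the topmost header, written by your own MTA, carries a peer address you
# can rely on; Received: lines further down were supplied by the sender.
SAMPLE_RECEIVED = (
    "Received: from [192.0.2.77] (HELO mail.example.net)\n"
    "  by mx.example.org (Stalker SMTP Server 1.8b9d11)\n"
    "  with SMTP id S.0000110944; Mon, 11 Nov 2002 09:47:34 -0700"
)

RECEIVED_RE = re.compile(
    r"Received:\s+from\s+\[(?P<peer_ip>[\d.]+)\]\s+\(HELO\s+(?P<helo>[^)\s]+)\)"
    r"\s+by\s+(?P<by>\S+)\s+\((?P<software>[^)]*)\)"
    r"\s+with\s+(?P<proto>\S+)\s+id\s+(?P<id>[^;]+);\s*(?P<date>.+)"
)


def parse_received(header: str) -> dict:
    """Split a SIMS-style Received: header into its fields.

    Folded continuation lines are collapsed to single spaces first."""
    flat = " ".join(header.split())
    m = RECEIVED_RE.match(flat)
    if not m:
        raise ValueError("unrecognised Received: header")
    return m.groupdict()


def classify_helo(helo: str, peer_ip: str,
                  resolve: Callable[[str], Optional[str]]) -> str:
    """Compare the client's HELO name with the peer IP the server recorded.

    `resolve` maps a hostname to an IPv4 string or None; it is injected so the
    check runs offline (in production it would be a forward DNS lookup)."""
    addr = resolve(helo)
    if addr is None:
        return "helo-unresolvable"
    return "helo-matches-peer" if addr == peer_ip else "helo-mismatch"


def fake_resolver(name: str) -> Optional[str]:
    # Constructed stand-in for DNS: the HELO name resolves elsewhere than the peer.
    return {"mail.example.net": "192.0.2.10"}.get(name)


if __name__ == "__main__":
    fields = parse_received(SAMPLE_RECEIVED)
    verdict = classify_helo(fields["helo"], fields["peer_ip"], fake_resolver)
    print(fields["peer_ip"], fields["helo"], verdict)
```

The peer IP is the value worth recording or block-listing; the HELO name only tells you whether the client bothered to be consistent.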
