Not sure if this is the right place or not, but I just had a user ask about
a bounced email... the "bounce" was to a message that she did not send. I
checked the header anyway, just to be a good doobie, and the info is
confusing. Usually, these things only spoof a username, but you can see
that the sending server was not real. This time, the bounce gives the
sending server's name as someone else's, but the address is my gateway
(which is running BorderManager 3.5EE, as well as GWIA 5.5ep). So now I'm
wondering if one of my workstations is inflicted, and is sending out mail.
I've opened port 25 on BM so that clients can get their home POP mail. But
I would have guessed that these annoying little viruses that include their
own SMTP engine would be using the inflicted workstation's IP address, which
in this case would be the unroutable 192.168.x.x... so they wouldn't actually
be able to go anywhere. Is it possible that dynamic NAT is changing it over
to the "real" IP address of the BM server? And how would the name of the
"real" mail server running on the same box find its way into the header?
How can I check to see if there's anything inappropriate going out on port
25?

I just pushed out the latest virus updates (Norton) via ZENworks, FWIW.

Here's the first line in the bounce header:

Received: from notmydomain.edu(mail.mycompany.com[207.239.xx.xx])
by mr3.its.notmydomain.edu(8.12.11/8.12.11) with ESMTP id i1PL6Qqd011192
for someuser@notmydomain.edu Wed, 25 Feb 2004 16:06:26 -0500 (EST)

The name in parentheses in the first line is my mail server and correct IP
address!
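As an added illustration (not part of the original post), this script parses the quoted Received: line and separates what the connecting host claimed in its HELO from the name and address the receiving server actually observed on the TCP connection. The Postfix "unknown" handling, the private-address check and the two-label domain comparison are assumptions about common header layouts, not something taken from the post.

```python
import ipaddress
import re

# "from <HELO> (<rDNS> [<IP>]) by <receiver>" as written by Sendmail/Postfix.
# The HELO name is what the connecting host claimed; the name and address in
# parentheses are what the receiving MTA observed on the TCP connection.
RECEIVED_RE = re.compile(
    r"Received:\s*from\s+(?P<helo>[^\s(]+)\s*"
    r"\(\s*(?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\s*\)\s*"
    r"by\s+(?P<by>[^\s(]+)",
    re.IGNORECASE,
)

def parse_received(header):
    """Unfold a multi-line Received: header and extract helo, rdns, ip, by."""
    unfolded = " ".join(line.strip() for line in header.splitlines())
    m = RECEIVED_RE.search(unfolded)
    if not m:
        raise ValueError("unrecognised Received: header layout")
    fields = m.groupdict()
    if fields["rdns"] and fields["rdns"].lower() == "unknown":
        fields["rdns"] = None  # Postfix writes 'unknown' when reverse DNS fails
    return fields

def base_domain(name):
    """Crude registrable-domain guess: the last two labels (fine for .edu/.com)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def assess(fields):
    """Findings that separate the forged claim from what the receiver observed."""
    helo, rdns, ip, by = (fields[k] for k in ("helo", "rdns", "ip", "by"))
    findings = []
    if rdns and base_domain(helo) != base_domain(rdns):
        findings.append(f"HELO '{helo}' does not match connecting host '{rdns}' [{ip}]")
    if base_domain(helo) == base_domain(by):
        findings.append(f"sender claimed the receiving site's own domain '{base_domain(by)}'")
    try:  # the posted address is redacted (xx.xx), so tolerate unparsable values
        if ipaddress.ip_address(ip).is_private:
            findings.append(f"{ip} is private: this hop was written by an internal relay")
    except ValueError:
        pass
    return findings

# The bounce header quoted in the post, verbatim (address redacted as posted).
POSTED = """Received: from notmydomain.edu(mail.mycompany.com[207.239.xx.xx])
by mr3.its.notmydomain.edu(8.12.11/8.12.11) with ESMTP id i1PL6Qqd011192
for someuser@notmydomain.edu Wed, 25 Feb 2004 16:06:26 -0500 (EST)"""

if __name__ == "__main__":
    print(*assess(parse_received(POSTED)), sep="\n")
```

For the posted header it reports that the claimed HELO (notmydomain.edu) does not match the observed host (mail.mycompany.com), and that the claimed name is the receiving site's own domain: the HELO is the forged part, while the parenthesised name and address are simply the NATed gateway the recipient's server saw.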