Thanks to everyone who responded. Thanks for the link below as well. That is a nice site. Chris -----Original Message----- From: Robson, John [mailto:john.robson@xxxxxxxxxxxxx] Sent: Tuesday, March 04, 2003 10:18 AM To: 'MS_Exchange@xxxxxxxxxxxxxxx'; ExchangeList (exchangelist@xxxxxxxxxxxxx) Subject: RE: [MS_Exchange] Spoofing? Try the following link, this will tell you where to contact. John http://www.network-tools.com/default.asp?prog=express <http://www.network-tools.com/default.asp?prog=express&Netnic=whois.arin.net &> &Netnic=whois.arin.net& host=h002078cc3b91.ne.client2.attbi.com -----Original Message----- From: Chris Wall [mailto:chris@xxxxxxxxxxxxxxxxxxx] Sent: 04 March 2003 14:50 To: Exchange Group on Yahoo (MS_Exchange@xxxxxxxxxxx); ExchangeList (exchangelist@xxxxxxxxxxxxx) Subject: [MS_Exchange] Spoofing? Importance: High Hello everyone, My organization has a mailbox called 'HostMaster' and last night someone sent a message titled 'test, please ignore' to the Hostmaster mailbox. What is weird, is that the message says that it is from itself (HostMaster@xxxxxxxxxxxxxxxxxxx <mailto:HostMaster@xxxxxxxxxxxxxxxxxxx> ). Only one person has permissions to this mailbox and he did not send it. The To: field and CC: field in the message are blank. This indicates that the message was sent using a BCC: field. Is there anyway that I can see what was put in the BCC: field? Better yet, I have provided the header information from the e-mail: Received: from mbserv002.globalknowledge.com ([172.16.56.25]) by mbserv002.globalknowledge.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id 1XBJ8D65; Mon, 3 Mar 2003 18:40:28 -0500 Received: FROM h002078cc3b91.ne.client2.attbi.com BY mbserv002.globalknowledge.com ; Mon Mar 03 18:40:11 2003 -0500 subject: Test, Ignore.. MBSERV002 'reflects' our internal bridgehead here. Is there any information here that would help me to determine who sent this message. If it were sent from within our company, SMTP would not be involved. Only the X400 connectors would have been used.... is the 'h002078cc3b91.ne.client2.attbi.com' the culprit here? If so what is my next step in finding out who this is or at least reporting them to some type of authority? Thanks for any info. I am new at this. Thanks, Chris Wall [Non-text portions of this message have been removed] Yahoo! Groups Sponsor ADVERTISEMENT To unsubscribe from this group, send an email to: MS_Exchange-unsubscribe@xxxxxxxxxxx Your use of Yahoo! Groups is subject to the Yahoo! Terms of Service. Yahoo! Groups Sponsor ADVERTISEMENT <http://rd.yahoo.com/M=245454.2994396.4323964.2848452/D=egroupweb/S=17082988 46:HM/A=1457554/R=0/*http://ipunda.com/clk/beibunmaisuiyuiwabei> <http://us.adserver.yahoo.com/l?M=245454.2994396.4323964.2848452/D=egroupmai l/S=:HM/A=1457554/rand=679663090> To unsubscribe from this group, send an email to: MS_Exchange-unsubscribe@xxxxxxxxxxx Your use of Yahoo! Groups is subject to the Yahoo! Terms of Service <http://docs.yahoo.com/info/terms/> .