Security Basics mailing list archives

Re: Receiving spam from my own server


From: krymson () gmail com
Date: 5 Dec 2006 15:41:30 -0000

First, you didn't sanitize very well, but that actually helps answer your question a bit better. :)

Second, email senders can be spoofed. I could send you email that looks like it came from info () foobar net as well. 
Spammers and attackers do this all the time. If I were spamming your company at foobar.net, I'd try to pick something 
"official sounding" as well, like admin, helpdesk, support, info, it-services, etc.

Third, you have the headers pasted below, which is good! You're looking in the right place. In fact, they included this 
tidbit:

Received: from e180234232.adsl.alicedsl.de
(e180234232.adsl.alicedsl.de [85.180.234.232])

I really suspect you've just been receiving spoofed emails.

Fourth, I like to verify findings in multiple places. You should check your mail server logs for this particular email 
being received/sent. Depending on your server, you may be limited to looking for anything sent to you during a specific 
time period, matching up message-ids, and determining which SMTP server sent it to you. Then determine if you own that 
SMTP server or if it is some other machine.

You mention this came from a web server, and if someone is abusing a page on your site to send you emails, you might 
want to check your web server logs as well. 

I've seen cases where weird emails are getting sent from a web site and it turns out some industrious web developer, 
unbeknownst to anyone else, put up a "request help" form which then emailed a given department. These types of forms 
can be abused when not secured properly.

While there is still the possibility of rogue forms on your web server or maybe your mail server is just plain 0wned, 
the odds point in favor of some spammer spoofing the sender field in his emails. Chances are it isn't even coming 
from his own machines, just machines he 0wns.



<-snip->

Hello all-

I run a webserver, let's call it foobar.net

I am receiving spam e-mails from addresses such as info (at) foobar (dot) net [email concealed],
admin (at) foobar (dot) net [email concealed], etc. I ran the open relay tests at ordb.org, and
they report that my server is not an open relay.

I'd appreciate any suggestions as to where I should go next.

Here are some headers that I've attempted to sanitize (i.e. remove my
hostname and IP)

Delivered-To: dave.j.moore (at) gmail (dot) com [email concealed]
Received: by 10.82.163.14 with SMTP id l14cs33696bue;
Fri, 1 Dec 2006 13:26:41 -0800 (PST)
Received: by 10.90.103.2 with SMTP id a2mr5744854agc.1165008401102;
Fri, 01 Dec 2006 13:26:41 -0800 (PST)
Return-Path: <info (at) avitas (dot) net [email concealed]>
Received: from www.foobar.net (www.foobar.net [66.xx.xx.xx])
by mx.google.com with ESMTP id 12si654066wrl.2006.12.01.13.26.40;
Fri, 01 Dec 2006 13:26:41 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of
info (at) foobar (dot) net [email concealed] designates 66.xx.xx.xx as permitted sender)
Received: from e180234232.adsl.alicedsl.de
(e180234232.adsl.alicedsl.de [85.180.234.232])
by www.foobar.net (8.13.1/8.13.1) with SMTP id kB1LQbEt016235
for <info (at) foobar (dot) net [email concealed]>; Fri, 1 Dec 2006 15:26:39 -0600
Date: Fri, 1 Dec 2006 15:26:37 -0600
From: info (at) foobar (dot) net [email concealed]
Message-Id: <200612012126.kB1LQbEt016235 (at) www.foobar (dot) net [email concealed]>
To: info (at) foobar (dot) net [email concealed]
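As an added example, not code from anyone in this thread: walking the Received chain bottom-up, as the reply describes, on a constructed copy of the quoted headers (addresses de-obfuscated, 66.0.2.1 standing in for the concealed server IP) to find the host that injected the message and the sendmail queue id to look up in the server's mail log.

```python
import re
from email import message_from_string

# Constructed sample modelled on the sanitized headers quoted above;
# addresses are de-obfuscated and 66.0.2.1 stands in for the concealed IP.
SAMPLE = """\
Return-Path: <info@foobar.net>
Received: from www.foobar.net (www.foobar.net [66.0.2.1])
 by mx.google.com with ESMTP id 12si654066wrl.2006.12.01.13.26.40;
 Fri, 01 Dec 2006 13:26:41 -0800 (PST)
Received: from e180234232.adsl.alicedsl.de
 (e180234232.adsl.alicedsl.de [85.180.234.232])
 by www.foobar.net (8.13.1/8.13.1) with SMTP id kB1LQbEt016235
 for <info@foobar.net>; Fri, 1 Dec 2006 15:26:39 -0600
From: info@foobar.net
Message-Id: <200612012126.kB1LQbEt016235@www.foobar.net>
To: info@foobar.net
"""

# "from <host> (... [<ip>]) by <host> ... id <queue-id>" within one Received header
HOP_RE = re.compile(
    r"from\s+(\S+).*?\[([\d.]+)\].*?\bby\s+(\S+).*?\bid\s+(\S+?)(?:[;\s]|$)", re.S)

def trace_hops(raw):
    """Received hops oldest-first as (from_host, from_ip, by_host, queue_id)."""
    msg = message_from_string(raw)
    hops = []
    # Each relay prepends its header, so the last Received line is the first hop.
    for hdr in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(hdr)
        if m:
            hops.append(m.groups())
    return hops

def assess(raw, own_domain, own_hosts):
    """Decide whether a 'from our own domain' message really started on our hosts."""
    msg = message_from_string(raw)
    sender_domain = msg["From"].split("@")[-1].strip("<> ").lower()
    hops = trace_hops(raw)
    origin_host, origin_ip, relay, queue_id = hops[0]
    return {
        "origin": (origin_host, origin_ip),  # the machine that injected the mail
        "relay": relay,                       # the server that accepted it from there
        "queue_id": queue_id,                 # look this up in the relay's mail log
        "origin_is_ours": origin_host in own_hosts,
        # Claims our domain but was handed to our server from outside: spoofed.
        "spoofed_sender": sender_domain == own_domain and origin_host not in own_hosts,
    }

if __name__ == "__main__":
    print(assess(SAMPLE, "foobar.net", {"www.foobar.net"}))
```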
