Security Basics mailing list archives
Re: Receiving spam from my own server
From: "Dave Moore" <dave.j.moore () gmail com>
Date: Wed, 6 Dec 2006 14:16:25 -0600
Hello list-

I've done some more research and I've come up with a log entry from sendmail. I am running CentOS 4.4 with the latest sendmail from the yum repo, if it helps.

Dec 6 06:08:05 www sendmail[16362]: kB6C7vnv016362: from=<info () avitas net>, size=408, class=0, nrcpts=1, msgid=<200612061208.kB6C7vnv016362 () www avitas net>, proto=SMTP, daemon=MTA, relay=nodns.netserv.net [195.200.140.196] (may be forged)

I was starting to think that my mail server had nothing to do with this, but this log entry seems vague to me (I don't know a lot about sendmail).

Also, here's a complete set of headers from a different message. I won't 'sanitize' this time, as it appears I've already borked it.

Delivered-To: dave.j.moore () gmail com
Received: by 10.82.154.4 with SMTP id b4cs148618bue; Wed, 6 Dec 2006 04:08:06 -0800 (PST)
Received: by 10.100.13.12 with SMTP id 12mr179762anm.1165406886412; Wed, 06 Dec 2006 04:08:06 -0800 (PST)
Return-Path: <info () avitas net>
Received: from www.avitas.net (www.avitas.net [66.97.174.142]) by mx.google.com with ESMTP id 26si177445wrl.2006.12.06.04.08.06; Wed, 06 Dec 2006 04:08:06 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of info () avitas net designates 66.97.174.142 as permitted sender)
Received: from nodns.netserv.net (nodns.netserv.net [195.200.140.196] (may be forged)) by www.avitas.net (8.13.1/8.13.1) with SMTP id kB6C7vnv016362 for <info () avitas net>; Wed, 6 Dec 2006 06:08:01 -0600
Date: Wed, 6 Dec 2006 06:07:57 -0600
From: info () avitas net
Message-Id: <200612061208.kB6C7vnv016362 () www avitas net>
To: info () avitas net

On 5 Dec 2006 15:41:30 -0000, krymson () gmail com <krymson () gmail com> wrote:
First, you didn't sanitize very well, but that actually helps answer your question a bit better. :)

Second, email senders can be spoofed. I could send you email that looks like it came from info () foobar net as well. Spammers and attackers do this all the time. If I were spamming your company at foobar.net, I'd try to pick something "official sounding" as well, like admin, helpdesk, support, info, it-services, etc.

Third, you have the headers pasted below, which is good! You're looking in the right place. In fact, they included this tidbit:

Received: from e180234232.adsl.alicedsl.de (e180234232.adsl.alicedsl.de [85.180.234.232])

I really suspect you've just been receiving spoofed emails.

Fourth, I like to verify findings in multiple places. You should check your mail server logs for this particular email being received/sent. Depending on your server, you may be limited to looking for anything sent to you during a specific time period, matching up message-ids, and determining which SMTP server sent it to you. Then determine if you own that SMTP server or if it is some other machine.

You mention this came from a web server, and if someone is abusing a page on your site to send you emails, you might want to check your web server logs as well. I've seen cases where weird emails are getting sent from a web site and it turns out some industrious web developer, unbeknownst to anyone else, put up a "request help" form which then emailed a given department. These types of forms can be abused when not secured properly.

While there is still the possibility of rogue forms on your web server, or maybe your mail server is just plain 0wned, the odds point in favor of some spammer spoofing the sender field in his emails. Chances are it isn't even coming from his own machines, just machines he 0wns.
<-snip->

Hello all-

I run a webserver, let's call it foobar.net. I am receiving spam e-mails from addresses such as info (at) foobar (dot) net [email concealed], admin (at) foobar (dot) net [email concealed], etc. I ran the open relay tests at ordb.org, and they report that my server is not an open relay. I'd appreciate any suggestions as to where I should go next.

Here are some headers that I've attempted to sanitize (i.e. remove my hostname and IP):

Delivered-To: dave.j.moore (at) gmail (dot) com [email concealed]
Received: by 10.82.163.14 with SMTP id l14cs33696bue; Fri, 1 Dec 2006 13:26:41 -0800 (PST)
Received: by 10.90.103.2 with SMTP id a2mr5744854agc.1165008401102; Fri, 01 Dec 2006 13:26:41 -0800 (PST)
Return-Path: <info (at) avitas (dot) net [email concealed]>
Received: from www.foobar.net (www.foobar.net [66.xx.xx.xx]) by mx.google.com with ESMTP id 12si654066wrl.2006.12.01.13.26.40; Fri, 01 Dec 2006 13:26:41 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of info (at) foobar (dot) net [email concealed] designates 66.xx.xx.xx as permitted sender)
Received: from e180234232.adsl.alicedsl.de (e180234232.adsl.alicedsl.de [85.180.234.232]) by www.foobar.net (8.13.1/8.13.1) with SMTP id kB1LQbEt016235 for <info (at) foobar (dot) net [email concealed]>; Fri, 1 Dec 2006 15:26:39 -0600
Date: Fri, 1 Dec 2006 15:26:37 -0600
From: info (at) foobar (dot) net [email concealed]
Message-Id: <200612012126.kB1LQbEt016235 (at) www.foobar (dot) net [email concealed]>
To: info (at) foobar (dot) net [email concealed]

---------------------------------------------------------------------------
This list is sponsored by: ByteCrusher
Detect Malicious Web Content and Exploits in Real-Time. Anti-Virus engines can't detect unknown or new threats. LinkScanner can. Web surfing just became a whole lot safer.
http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildetect
---------------------------------------------------------------------------
--
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GAT d-(+) s+: a24 C++ UBL++ P+>+++ L++ E--- W+++$ N+ o? K? w O? M-- V? !PS !PE Y PGP- t++ 5++ X+ R+++ tv+ b++ DI++++ D++ G e+ h-- r++ y+
------END GEEK CODE BLOCK------
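A worked version of the cross-check krymson suggests (match the hop your own server recorded against the sendmail queue-id log line, then see who actually handed the message in). This is an added example, not code from either poster: it parses the Received headers and log line Dave pasted, with the archive's " () " address munging restored to "@", and assumes www.avitas.net is the host whose log is being read.

```python
import re

# Received headers and sendmail log line from the post above (constructed sample, "@" restored).
RAW_HEADERS = """\
Received: from www.avitas.net (www.avitas.net [66.97.174.142])
 by mx.google.com with ESMTP id 26si177445wrl.2006.12.06.04.08.06; Wed, 06 Dec 2006 04:08:06 -0800 (PST)
Received: from nodns.netserv.net (nodns.netserv.net [195.200.140.196] (may be forged))
 by www.avitas.net (8.13.1/8.13.1) with SMTP id kB6C7vnv016362
 for <info@avitas.net>; Wed, 6 Dec 2006 06:08:01 -0600
"""
SENDMAIL_LOG = ("Dec 6 06:08:05 www sendmail[16362]: kB6C7vnv016362: from=<info@avitas.net>,"
                " size=408, class=0, nrcpts=1, proto=SMTP, daemon=MTA,"
                " relay=nodns.netserv.net [195.200.140.196] (may be forged)")
OWN_HOST = "www.avitas.net"  # assumed: the host whose sendmail log is being checked

def unfold(raw: str) -> list[str]:
    """Join RFC 822 continuation lines (leading whitespace) onto their header line."""
    out: list[str] = []
    for line in raw.splitlines():
        if line.startswith((" ", "\t")) and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out

def parse_hops(raw: str) -> list[dict]:
    """Received hops in delivery order (oldest first); sendmail's '(may be forged)' means the
    client's reverse-DNS name did not resolve back to its IP."""
    hops = []
    for line in unfold(raw):
        m = re.search(r"^Received: from (\S+) \(.*?\[([\d.]+)\]( \(may be forged\))?\) by (\S+)", line)
        if not m:
            continue  # e.g. Google's internal "Received: by ..." lines carry no client IP
        qid = re.search(r"\bid (\S+?)[;\s]", line)
        hops.append({"from_host": m[1], "from_ip": m[2], "may_be_forged": bool(m[3]),
                     "by_host": m[4], "queue_id": qid[1] if qid else None})
    return hops[::-1]

def correlate(raw_headers: str, log_line: str, own_host: str) -> dict:
    """Match the hop our own server recorded against the sendmail queue-id log line."""
    own_hop = next(h for h in parse_hops(raw_headers) if h["by_host"] == own_host)
    qid = re.search(r"sendmail\[\d+\]: (\w+):", log_line)[1]
    relay_ip = re.search(r"relay=\S+ \[([\d.]+)\]", log_line)[1]
    sender = re.search(r"from=<([^>]*)>", log_line)[1]
    return {
        "queue_id_matches_log": own_hop["queue_id"] == qid,
        "injected_from": f"{own_hop['from_host']} [{own_hop['from_ip']}]",
        "injected_ip_matches_log": own_hop["from_ip"] == relay_ip,
        "reverse_dns_unverified": own_hop["may_be_forged"],
        "sender_claims_own_domain": sender.endswith("@" + own_host.split(".", 1)[1]),
        "originated_on_own_server": own_hop["from_host"] == own_host,
    }
```

For the posted headers the result is: queue id matches the log, the message was handed in by an outside host (nodns.netserv.net) with unverifiable reverse DNS, and the envelope sender merely claims the server's own domain, which is the spoofed-sender picture krymson describes.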
Current thread:
- Receiving spam from my own server Dave Moore (Dec 04)
- RE: Receiving spam from my own server Murda Mcloud (Dec 06)
- Re: Receiving spam from my own server Chris Largret (Dec 06)
- <Possible follow-ups>
- Re: Receiving spam from my own server krymson (Dec 06)
- Re: Receiving spam from my own server Dave Moore (Dec 07)
- Re: Receiving spam from my own server Will Yonker (Dec 07)
- RE: Receiving spam from my own server Adam Rosen (Dec 06)
- Re: Receiving spam from my own server Dave Moore (Dec 07)