Security Basics mailing list archives

Re: Receiving spam from my own server


From: "Dave Moore" <dave.j.moore () gmail com>
Date: Wed, 6 Dec 2006 14:16:25 -0600

Hello list-

I've done some more research and I've come up with a log entry from
sendmail. I am running centos 4.4 with latest sendmail from yum repo
if it helps.

Dec  6 06:08:05 www sendmail[16362]: kB6C7vnv016362:
from=<info () avitas net>, size=408, class=0, nrcpts=1,
msgid=<200612061208.kB6C7vnv016362 () www avitas net>, proto=SMTP,
daemon=MTA, relay=nodns.netserv.net [195.200.140.196] (may be forged)

I was starting to think that my mailserver had nothing to do with
this, but this log entry seems vague to me (I don't know a lot about
sendmail).

Also, here's a complete set of headers from a different message. I
won't 'sanitize' this time, as it appears I've already borked it.

Delivered-To: dave.j.moore () gmail com
Received: by 10.82.154.4 with SMTP id b4cs148618bue;
       Wed, 6 Dec 2006 04:08:06 -0800 (PST)
Received: by 10.100.13.12 with SMTP id 12mr179762anm.1165406886412;
       Wed, 06 Dec 2006 04:08:06 -0800 (PST)
Return-Path: <info () avitas net>
Received: from www.avitas.net (www.avitas.net [66.97.174.142])
       by mx.google.com with ESMTP id 26si177445wrl.2006.12.06.04.08.06;
       Wed, 06 Dec 2006 04:08:06 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of
info () avitas net designates 66.97.174.142 as permitted sender)
Received: from nodns.netserv.net (nodns.netserv.net [195.200.140.196]
(may be forged))
        by www.avitas.net (8.13.1/8.13.1) with SMTP id kB6C7vnv016362
        for <info () avitas net>; Wed, 6 Dec 2006 06:08:01 -0600
Date: Wed, 6 Dec 2006 06:07:57 -0600
From: info () avitas net
Message-Id: <200612061208.kB6C7vnv016362 () www avitas net>
To: info () avitas net



On 5 Dec 2006 15:41:30 -0000, krymson () gmail com <krymson () gmail com> wrote:
First, you didn't sanitize very well, but that actually helps answer your question a bit better. :)

Second, email senders can be spoofed. I could send you email that looks like it came from info () foobar net as well. Spammers and 
attackers do this all the time. If I were spamming your company at foobar.net, I'd try to pick something "official 
sounding" as well, like admin, helpdesk, support, info, it-services, etc.

Third, you have the headers pasted below, which is good! You're looking in the right place. In fact, they included this 
tidbit:

Received: from e180234232.adsl.alicedsl.de
(e180234232.adsl.alicedsl.de [85.180.234.232])

I really suspect you've just been receiving spoofed emails.

Fourth, I like to verify findings in multiple places. You should check your mail server logs for this particular email 
being received/sent. Depending on your server, you may be limited to looking for anything sent to you during a specific 
time period, matching up message-ids, and determining which SMTP server sent it to you. Then determine if you own that 
SMTP server or if it is some other machine.

You mention this came from a web server, and if someone is abusing a page on your site to send you emails, you might 
want to check your web server logs as well.

I've seen cases where weird emails are getting sent from a web site and it turns out some industrious web developer, unbeknownst 
to anyone else, put up a "request help" form which then emailed a given department. These types of forms can be abused when 
not secured properly.

While there is still the possibility of rogue forms on your web server, or maybe your mail server is just plain 0wned, 
the odds point in favor of some spammer spoofing the sender field in his emails. Chances are it isn't even coming from 
his own machines, just machines he 0wns.



<-snip->

Hello all-

I run a webserver, let's call it foobar.net

I am receiving spam e-mails from addresses such as info (at) foobar (dot) net [email concealed],
admin (at) foobar (dot) net [email concealed], etc. I ran the open relay tests at ordb.org, and
they report that my server is not an open relay.

I'd appreciate any suggestions as to where I should go next.

Here are some headers that I've attempted to sanitize (i.e. remove my
hostname and ip)

Delivered-To: dave.j.moore (at) gmail (dot) com [email concealed]
Received: by 10.82.163.14 with SMTP id l14cs33696bue;
Fri, 1 Dec 2006 13:26:41 -0800 (PST)
Received: by 10.90.103.2 with SMTP id a2mr5744854agc.1165008401102;
Fri, 01 Dec 2006 13:26:41 -0800 (PST)
Return-Path: <info (at) avitas (dot) net [email concealed]>
Received: from www.foobar.net (www.foobar.net [66.xx.xx.xx])
by mx.google.com with ESMTP id 12si654066wrl.2006.12.01.13.26.40;
Fri, 01 Dec 2006 13:26:41 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of
info (at) foobar (dot) net [email concealed] designates 66.xx.xx.xx as permitted sender)
Received: from e180234232.adsl.alicedsl.de
(e180234232.adsl.alicedsl.de [85.180.234.232])
by www.foobar.net (8.13.1/8.13.1) with SMTP id kB1LQbEt016235
for <info (at) foobar (dot) net [email concealed]>; Fri, 1 Dec 2006 15:26:39 -0600
Date: Fri, 1 Dec 2006 15:26:37 -0600
From: info (at) foobar (dot) net [email concealed]
Message-Id: <200612012126.kB1LQbEt016235 (at) www.foobar (dot) net [email concealed]>
To: info (at) foobar (dot) net [email concealed]
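
As an added example (not code from the post or from the list), the check krymson describes, run over the headers and the sendmail log line quoted above: walk the Received chain back from the recipient, find the first hop that one of your own MTAs accepted from a host you do not own, and match that hop's queue id against the sendmail log. The only assumption is that www.avitas.net is the server Dave owns.

```python
import re
from collections import namedtuple

# Sample input copied from the headers and the sendmail log line quoted in the post above
# (the archive's "() avitas net" address munging is kept; addresses are not parsed).
HEADERS = """\
Received: from www.avitas.net (www.avitas.net [66.97.174.142])
       by mx.google.com with ESMTP id 26si177445wrl.2006.12.06.04.08.06;
       Wed, 06 Dec 2006 04:08:06 -0800 (PST)
Received: from nodns.netserv.net (nodns.netserv.net [195.200.140.196]
(may be forged))
        by www.avitas.net (8.13.1/8.13.1) with SMTP id kB6C7vnv016362
        for <info () avitas net>; Wed, 6 Dec 2006 06:08:01 -0600
"""
SENDMAIL_LOG = ("Dec  6 06:08:05 www sendmail[16362]: kB6C7vnv016362: from=<info () avitas net>, "
                "size=408, nrcpts=1, proto=SMTP, daemon=MTA, relay=nodns.netserv.net "
                "[195.200.140.196] (may be forged)")

# from_ip is the connecting address the receiving MTA saw itself, so unlike From: it is
# not the sender's to choose; smtp_id is that MTA's queue id, the key into its own log.
Hop = namedtuple("Hop", "from_host from_ip by_host smtp_id forged")

def grab(pat, text):
    m = re.search(pat, text)
    return m.group(1) if m else ""

def unfold(raw):
    """Join folded header lines; a line not starting with 'Name:' continues the previous one."""
    out = []
    for line in raw.splitlines():
        if re.match(r"^[A-Za-z-]+:", line):
            out.append(line.strip())
        elif out:
            out[-1] += " " + line.strip()
    return out

def parse_received(raw):
    """Received hops in header order: the hop nearest the recipient comes first."""
    return [Hop(grab(r"\bfrom (\S+)", h), grab(r"\[([\d.]+)\]", h), grab(r"\bby (\S+)", h),
                grab(r"\bid ([^\s;]+)", h), "(may be forged)" in h)
            for h in unfold(raw) if h.startswith("Received:")]

def injecting_hop(hops, owned):
    """First hop, walking back from the recipient, that one of our MTAs accepted from a host
    we do not own: that is where the message entered our infrastructure."""
    return next((h for h in hops if h.by_host in owned and h.from_host not in owned), None)

def correlate(hop, log):
    """Match the queue id from the Received line against a sendmail log line; returns
    the relay host and IP sendmail recorded for that queue id, or None."""
    m = re.search(re.escape(hop.smtp_id) + r": .*relay=(\S+) \[([\d.]+)\]", log)
    return (m.group(1), m.group(2)) if m else None
```

On this input the entry point is the hop www.avitas.net accepted from 195.200.140.196 with a forged HELO name, and the log line with the same queue id records that same relay, which is consistent with an outside host handing a spoofed message to a local mailbox rather than the server relaying it.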





