Gentoo Forums
Weird case of spam [qmail]
Gentoo Forums Forum Index: Networking & Security
AxelTerizaki
n00b
Joined: 12 Apr 2003
Posts: 33

PostPosted: Mon Jul 10, 2006 11:20 am    Post subject: Weird case of spam [qmail]

Hello :)

One of the users of my mail server reported this strange case of spam to me: it apparently comes from his own address and was sent to somewhere else. He noticed it because the message bounced back to him, since the recipient does not seem to be valid.

Here is a copy of the headers of the "spam mail". I'll discuss it right after.

Note: myuser@rafal-team.net is obviously a false address that I substituted for the real one.
Note 2: I also replaced the spam's subject on purpose.

Code:
Received: from bos-mail-rmail8.bos.lycos.com (rmail8.lycosmail.lycos.com [209.202.208.28])
   by spf7-13.us4.outblaze.com (Postfix) with SMTP id 93F923A33C
   for <fluorescentspear@mailcity.com>; Sun,  9 Jul 2006 23:01:54 +0000 (GMT)
Received: from rmail.lycosmail.lycos.com ([83.198.250.124]) by hermes of bos-mail-rmail8.bos.lycos.com (127.0.0.1) with SMTP id a6970Dr1q139164120 for <fluorescentspear@mailcity.com>; Sun, 09 Jul 2006 19:00:13 -0400 (EDT)
Received: from mail.rafal-team.net
   by --- (8.13.1/8.13.1) with ESMTP id ASQpQXpzcdMdZ
   for <fluorescentspear@mailcity.com>; Jan, 9 Jul 2006 22:58:22 -0300
Received: from [98.25.92.196]
   by mail.rafal-team.net with ESMTP (8.13.1/8.13.1) id RE6oaxpyeeYw0
   for <fluorescentspear@mailcity.com>; Jan, 9 Jul 2006 22:57:08 -0300
Reply-To: "myuser@rafal-team.net" <myuser@rafal-team.net>
From: "myuser@rafal-team.net" <myuser@rafal-team.net>
Date: Jan, 9 Jul 2006 22:46:37 -0300
Message-ID: fPpFlHxYLoX8E.oukmsu2ciXOdt@rafal-team.net
To: fluorescentspear@mailcity.com
Content-type: text/html;
 Charset=Windows-1251
Subject: *insert spammy subject here*
MIME-Version: 1.0
X-Hanmail-Peer-IP: 83.198.250.124
X-Hanmail-Class: X
X-Hanmail-Env-From: myuser@rafal-team.net
X-Hanmail-Checksum: 506-T6ps4o7FoqPsTeiGQXKuh/jxrTY=



My server uses qmail and vpopmail for SMTP-Auth, which allows my users to relay mail once they authenticate.

What I have searched for so far:

  • Testing whether the server is an open relay: nope, it isn't.
  • Is my user infected by some kind of spamming trojan? Tested, and not infected.
  • I have not found any mention of a mail to deliver to mailcity.com in the qmail logs (I searched the qmail-send logs).

So basically, my question is: how did this happen? Could it be that the headers are completely forged and false? Could it be a process or a script spamming from my system? What verifications can I make to be sure of all that?

Thanks in advance for your help...
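The headers above can be checked mechanically rather than by eye. The following is an added example (my own code, not the poster's and not part of the thread) that walks the Received chain top-down and reports the indicators a practitioner would look for: a weekday name that does not match the date ("Jan" is not a weekday, and 9 Jul 2006 was a Sunday, as the top two lines say), a receiving host that is just "---", and a hop that claims to be written by the poster's own host but carries a Sendmail-style "(8.13.1/8.13.1)" version tag, which qmail-smtpd never writes. It also locates the injection point: the last hop written by a host you trust hands over the IP that actually injected the message; everything below that hop was supplied by the sender and cannot be verified. The header text is copied from the post; the set of local hosts ({"mail.rafal-team.net"}) and of trusted receiving hosts ({"spf7-13.us4.outblaze.com", "hermes"}, the outblaze and Lycos machines named in the chain) are assumptions for the example.

```python
import re
from datetime import datetime
from email.utils import parsedate_tz

# Headers as posted in the thread (addresses and subject already masked by the
# poster); only the lines the analysis needs are kept.
HEADERS = """\
Received: from bos-mail-rmail8.bos.lycos.com (rmail8.lycosmail.lycos.com [209.202.208.28])
   by spf7-13.us4.outblaze.com (Postfix) with SMTP id 93F923A33C
   for <fluorescentspear@mailcity.com>; Sun,  9 Jul 2006 23:01:54 +0000 (GMT)
Received: from rmail.lycosmail.lycos.com ([83.198.250.124]) by hermes of bos-mail-rmail8.bos.lycos.com (127.0.0.1) with SMTP id a6970Dr1q139164120 for <fluorescentspear@mailcity.com>; Sun, 09 Jul 2006 19:00:13 -0400 (EDT)
Received: from mail.rafal-team.net
   by --- (8.13.1/8.13.1) with ESMTP id ASQpQXpzcdMdZ
   for <fluorescentspear@mailcity.com>; Jan, 9 Jul 2006 22:58:22 -0300
Received: from [98.25.92.196]
   by mail.rafal-team.net with ESMTP (8.13.1/8.13.1) id RE6oaxpyeeYw0
   for <fluorescentspear@mailcity.com>; Jan, 9 Jul 2006 22:57:08 -0300
From: "myuser@rafal-team.net" <myuser@rafal-team.net>
To: fluorescentspear@mailcity.com
X-Hanmail-Peer-IP: 83.198.250.124
"""

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
# Sendmail stamps Received lines with "(version/config-version)"; qmail-smtpd
# writes "by HOST with SMTP; DATE" and never emits such a tag.
SENDMAIL_TAG = re.compile(r"\(\d+\.\d+\.\d+/\d+\.\d+\.\d+\)")
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold(raw):
    """Join RFC 822 continuation lines; returns (name, value) pairs in order."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1][1] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append([name.strip(), value.strip()])
    return [(n, v) for n, v in fields]


def received_hops(raw):
    """Top-down list of Received hops: index 0 is the most recent (last) MTA."""
    hops = []
    for name, value in unfold(raw):
        if name.lower() != "received":
            continue
        text = " ".join(value.split())
        m_from = re.search(r"\bfrom\s+(\S+)", text)
        m_by = re.search(r"\bby\s+(\S+)", text)
        from_part = text[: m_by.start()] if m_by else text
        m_ip = IPV4.search(from_part)           # bracketed IP of the sending peer
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "from_ip": m_ip.group(1) if m_ip else None,
            "by": m_by.group(1) if m_by else None,
            "date": text.rsplit(";", 1)[1].strip() if ";" in text else "",
            "raw": text,
        })
    return hops


def date_problem(stamp):
    """None if the stamp parses and its weekday name matches the date, else why not."""
    parsed = parsedate_tz(stamp)
    if parsed is None:
        return "unparseable date"
    y, mo, d = parsed[:3]
    try:
        actual = DAYS[datetime(y, mo, d).weekday()]
    except ValueError:
        return "impossible calendar date"
    m = re.match(r"([A-Za-z]{3}),", stamp)      # parsedate_tz silently drops this token
    if m and m.group(1).capitalize() != actual:
        return f"day name {m.group(1)!r} but {y}-{mo:02d}-{d:02d} is a {actual}"
    return None


def audit(hops, local_hosts):
    """Per-hop list of forgery indicators; local_hosts names our own qmail MTA."""
    findings = []
    for hop in hops:
        codes = []
        problem = date_problem(hop["date"])
        if problem:
            codes.append("DAY_MISMATCH" if "day name" in problem else "BAD_DATE")
        if not hop["by"] or not re.search(r"[A-Za-z0-9]", hop["by"]):
            codes.append("NO_RECEIVING_HOST")
        if hop["by"] and hop["by"].lower() in local_hosts and SENDMAIL_TAG.search(hop["raw"]):
            codes.append("FOREIGN_MTA_BANNER")   # claims to be ours, but not qmail's format
        findings.append(codes)
    return findings


def injection_ip(hops, trusted_by):
    """Peer handed over by the last hop written by a host we trust, walking top-down.
    Everything below that hop was supplied by the sender and is unverifiable."""
    last = None
    for hop in hops:
        if not hop["by"] or hop["by"].lower() not in trusted_by:
            break
        last = hop["from_ip"] or hop["from"]
    return last


if __name__ == "__main__":
    hops = received_hops(HEADERS)
    for i, (hop, codes) in enumerate(zip(hops, audit(hops, {"mail.rafal-team.net"}))):
        print(f"hop {i}: from {hop['from']} ({hop['from_ip']}) by {hop['by']} -> {codes or 'ok'}")
    print("injected at:", injection_ip(hops, {"spf7-13.us4.outblaze.com", "hermes"}))
```

Run against the posted headers, the two lowest hops (the ones naming mail.rafal-team.net) are the only ones flagged, and the injection point comes out as 83.198.250.124, the same address Lycos records in X-Hanmail-Peer-IP.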
GordSki
Guru
Joined: 18 Oct 2004
Posts: 329

PostPosted: Mon Jul 10, 2006 11:45 am

Hi,

Have you checked to see if your server will relay mail that appears to come from one of your valid users? This wouldn't be the same as an open relay, because the mail looks like it's coming from your domain.

The headers you supplied suggest that the mail went through your server and started at: 98.25.92.196

This would rule out the other option, which would be that your users address has been hijacked and forged.

G.
AxelTerizaki
n00b
Joined: 12 Apr 2003
Posts: 33

PostPosted: Mon Jul 10, 2006 12:08 pm

Hmmm. Well, I just asked my user to disable SMTP auth in Thunderbird, and he then tried to send a mail to another address not hosted on the server (i.e. he tried to relay).

But he got rejected by the server, which said the domain wasn't in its list of rcpthosts, so I guess this eliminates the possibility of the server accepting mail from a known address even without auth.
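The relay test discussed in the two posts above can be stated precisely, because stock qmail-smtpd decides RCPT TO from exactly two inputs: the RELAYCLIENT environment variable (set by tcpserver rules or, with the SMTP-AUTH patches, after a successful AUTH) and control/rcpthosts. The envelope sender is never consulted, so a MAIL FROM of a valid local user buys the client nothing. The following is an added example of mine, not code from the thread or from qmail: a small model of that decision with qmail's real 553 reply text, plus a probe you can point at your own server to reproduce the Thunderbird test without a mail client. The rcpthosts entries, the host name and addresses passed to the probe are assumptions.

```python
import smtplib

# Reply qmail-smtpd gives for a recipient domain it will not relay to.
NOGATEWAY = "553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)"


def rcpt_decision(rcpt_to, rcpthosts, relayclient=None, mail_from=None):
    """Model of qmail-smtpd's RCPT TO check.

    rcpthosts   - lines of control/rcpthosts, or None if the file is absent
    relayclient - value of $RELAYCLIENT, or None if it is unset
    mail_from   - accepted only to make the point: the envelope sender plays
                  no part in the decision, so this argument is never read
    Returns (accepted, recipient-as-queued or the 553 reply).
    """
    if relayclient is not None:
        return True, rcpt_to + relayclient        # RELAYCLIENT is appended verbatim
    if rcpthosts is None:
        return True, rcpt_to                      # no rcpthosts file: open relay
    if "@" not in rcpt_to:
        return True, rcpt_to                      # no domain part: treated as local
    host = rcpt_to.rsplit("@", 1)[1].lower()
    allowed = {h.strip().lower() for h in rcpthosts if h.strip()}
    if host in allowed:
        return True, rcpt_to
    # a ".example.net" entry matches any host below example.net
    for i, ch in enumerate(host):
        if ch == "." and host[i:] in allowed:
            return True, rcpt_to
    return False, NOGATEWAY


def probe_relay(host, mail_from, rcpt_to, port=25):
    """Ask a live server whether it relays for an external recipient without
    AUTH; returns the RCPT TO reply. Needs network access, so not run by the tests."""
    with smtplib.SMTP(host, port, timeout=20) as smtp:
        smtp.ehlo_or_helo_if_needed()
        smtp.mail(mail_from)
        code, reply = smtp.rcpt(rcpt_to)
        smtp.rset()                               # never actually queue anything
        return code, reply.decode("ascii", "replace")


if __name__ == "__main__":
    rh = ["rafal-team.net", ".rafal-team.net"]   # assumed control/rcpthosts
    for rcpt, rc in [("fluorescentspear@mailcity.com", None),
                     ("fluorescentspear@mailcity.com", ""),
                     ("someone@mail.rafal-team.net", None)]:
        print(rcpt, "RELAYCLIENT" if rc is not None else "no auth", "->",
              rcpt_decision(rcpt, rh, rc, mail_from="myuser@rafal-team.net"))
    # To test a real host (assumed names):
    # print(probe_relay("mail.rafal-team.net", "myuser@rafal-team.net", "someone@example.com"))
```

A 553 from the probe with a local MAIL FROM and no AUTH is the expected result on a correctly configured server; a 250 means RELAYCLIENT is being set for that client address (check the tcpserver rules file) or rcpthosts is missing.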
GordSki
Guru
Joined: 18 Oct 2004
Posts: 329

PostPosted: Mon Jul 10, 2006 12:45 pm

I'm guessing someone has nabbed/guessed your user's password then. The original spam message (or others like it) should appear in your logs and you should be able to tell if they are authenticating properly.

G.
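Both the original post (no trace of mailcity.com in the qmail-send logs) and the reply above come down to reading qmail-send's log properly. Its lines carry a message id, and the "info msg" line records the envelope sender and the uid of the process that ran qmail-queue: mail that arrived through qmail-smtpd carries the qmaild uid, while a local script using qmail-inject or sendmail carries that account's uid, which answers the "is a process on my system spamming?" question. The following is an added example of mine, not from the thread: it joins "starting delivery ... to remote" lines for a domain with the sender and uid of their message, attaches the delivery outcome, and decodes multilog's tai64n stamps (TAI seconds plus daemontools' constant 2^62 + 10 offset) to UTC. The log sample is constructed for the example; the line formats are qmail-send's own, but the message ids, pids, uids (7791 standing for qmaild, 1001 for a shell account) and outcomes are made up.

```python
import re
from datetime import datetime, timezone

# Constructed qmail-send log as multilog writes it: tai64n stamp, then the line.
SAMPLE_LOG = """\
@4000000044b189ce0a1b2c3d new msg 12345
@4000000044b189ce0a1b2c4e info msg 12345: bytes 2048 from <myuser@rafal-team.net> qp 4567 uid 7791
@4000000044b189cf0a1b2c5f starting delivery 1: msg 12345 to remote fluorescentspear@mailcity.com
@4000000044b189d20a1b2c70 delivery 1: failure: mx.mailcity.com_does_not_like_recipient./Remote_host_said:_550_no_such_user/
@4000000044b189d20a1b2c81 bounce msg 12345 qp 4570
@4000000044b189d30a1b2c92 end msg 12345
@4000000044b18a1c0a1b2ca3 new msg 12350
@4000000044b18a1c0a1b2cb4 info msg 12350: bytes 512 from <myuser@rafal-team.net> qp 4601 uid 7791
@4000000044b18a1d0a1b2cc5 starting delivery 2: msg 12350 to local friend@rafal-team.net
@4000000044b18a1e0a1b2cd6 delivery 2: success: did_0+0+1/
@4000000044b18a1e0a1b2ce7 end msg 12350
@4000000044b18b000a1b2cf8 new msg 12360
@4000000044b18b000a1b2d09 info msg 12360: bytes 4096 from <myuser@rafal-team.net> qp 4700 uid 1001
@4000000044b18b010a1b2d1a starting delivery 3: msg 12360 to remote someone@mailcity.com
@4000000044b18b040a1b2d2b delivery 3: success: 192.0.2.10_accepted_message./Remote_host_said:_250_ok/
@4000000044b18b040a1b2d3c end msg 12360
"""

TAI_OFFSET = (1 << 62) + 10          # daemontools' taia_now(): 2^62 + 10 seconds
LINE = re.compile(r"^@([0-9a-f]{24}) (.*)$")
INFO = re.compile(r"^info msg (\d+): bytes (\d+) from <([^>]*)> qp (\d+) uid (\d+)$")
START = re.compile(r"^starting delivery (\d+): msg (\d+) to (local|remote) (\S+)$")
RESULT = re.compile(r"^delivery (\d+): (success|failure|deferral): (.*)$")


def tai64n_to_unix(stamp):
    """'@' + 16 hex digits of TAI seconds + 8 hex digits of nanoseconds -> Unix seconds."""
    return int(stamp[1:17], 16) - TAI_OFFSET


def utc(ts):
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def remote_deliveries(log_text, domain):
    """Every remote delivery attempt to @domain, joined with the envelope sender
    and injecting uid from the message's 'info msg' line and with its outcome."""
    senders = {}      # msg id -> sender / uid / qp from the info line
    pending = {}      # delivery id -> record still waiting for its result line
    found = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        when, body = tai64n_to_unix("@" + m.group(1)), m.group(2)
        if (mi := INFO.match(body)):
            senders[mi.group(1)] = {"sender": mi.group(3), "uid": int(mi.group(5)),
                                    "qp": int(mi.group(4))}
        elif (ms := START.match(body)):
            did, mid, kind, rcpt = ms.groups()
            if kind == "remote" and rcpt.lower().endswith("@" + domain.lower()):
                rec = {"msg": mid, "recipient": rcpt, "started": utc(when),
                       "result": None, "detail": None,
                       **senders.get(mid, {"sender": None, "uid": None, "qp": None})}
                pending[did] = rec
                found.append(rec)
        elif (mr := RESULT.match(body)):
            did, status, detail = mr.groups()
            rec = pending.pop(did, None)   # delivery ids restart when qmail-send does
            if rec:
                rec["result"] = status
                rec["detail"] = detail.replace("_", " ")
    return found


def uids_seen(records):
    """Which uids injected mail for this domain: the qmaild uid means it came in
    through qmail-smtpd (SMTP, possibly authenticated); anything else is a local process."""
    return sorted({r["uid"] for r in records if r["uid"] is not None})


if __name__ == "__main__":
    for rec in remote_deliveries(SAMPLE_LOG, "mailcity.com"):
        print(rec["started"], "msg", rec["msg"], "from", rec["sender"], "uid", rec["uid"],
              "to", rec["recipient"], "->", rec["result"], rec["detail"])
```

Run this over the real log (typically /var/log/qmail/qmail-send/current plus the rotated files) with the bounced recipient's domain. No record at all means the queue never carried the message and the Received lines naming the server were written elsewhere; a record with the qmaild uid points at the SMTP side (and, with SMTP-AUTH, at the authenticating account); any other uid names the local account whose process injected it.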