dnelson

How does spammer know my location?

12 posts in this topic

I run a very small mail server with a couple of different domains for my family and myself. It's hosted on a VPS located somewhere in America. I'm located in Australia and I've been getting multiple spam about jobs in Australia. I was in Europe for 10 days and I was getting similar spam, but this time for jobs in Europe. Got back home yesterday and now I'm getting spam for jobs in Australia again.

I have no idea how the spammer would know my location. The server hasn't changed. It's a VPS Debian box running Postfix, and it's not in Australia or Europe. I am the only person with access to it. I use Roundcube, running under Apache, as a webmail server, on the same Debian VPS. So when I was in Europe access to webmail was, obviously, from Europe. But I don't know how a spammer would get this information unless they were monitoring packets going to and from my server, and getting location from the IP address. Is this possible? Wouldn't the spammer have to have access to a router somewhere near my server to do so?

I'm very security conscious and don't believe that my server has been compromised.

<snip>

But I don't know how a spammer would get this information unless they were monitoring packets going to and from my server, and getting location from the ip address. Is this possible?

<snip>

...Elementary, my dear dnelson! Google "IP address" location and you'll find a number of services that can do that.

I have no idea how the spammer would know my location.

Once an IP is known there are programs which can indicate where they are located.

This website offers a free check:

http://www.ip2location.com/free.asp

Your computer always logs on to an ISP with an assigned IP address.

A bit worrying that your computer was tracked when you left one continent for another?

This info can also be sold by the provider your email/WebMail goes through (particularly Brazil).

My signature has a link for a Symantec security check (warning: they are trying to sell you their products, but it will warn of obvious security breaches). My signature, though, is for Windows operating systems.

...Elementary, my dear dnelson! Google "IP address" location and you'll find a number of services that can do that.

The question is how do they get the IP address? The server is a Debian box that only I have access to.


All whitefella magic to me dnelson but the culprit would seemingly have to come through

  • the Debian box (which potentially "knows" all)
  • something in/accessing the route to it
  • the domain registration records
  • the DNS whois records

The last 2 wouldn't explain the European targeting when you were there. Maybe do a tracert to one of the hosted domains and see if there is any internet chatter about the security of the last hop or two? A long shot, I admit and not a good policy to discount the prime suspect - the mail server - mostly because it is the least convenient to countenance though I admit anyone unauthorised having that degree of access would probably not content themselves with merely spamming you.

Maybe use Robtex - particularly "Shared" tab - and DomainDossier - checking everything including services - but remembering DD will use a different routing initially - on your domains to see just what can be gleaned from the public records. If neither give the comprehensive domain and DNS whois records in your instance, I've found IPNetInfo does a decent job though requiring the download and local running of that utility.

The answer is out there but I'm afraid my understanding and experience of the intricacies of it all are a little deficient when it comes to pointing to ways to help in the discovery of it.

All whitefella magic to me dnelson but the culprit would seemingly have to come through
  • the Debian box (which potentially "knows" all)
  • something in/accessing the route to it
  • the domain registration records
  • the DNS whois records

Thanks for your suggestions.

I tend to think it is something to do with the second in the list. I can't see how the server would have been compromised, I'm very careful about access to it, plus I monitor the logs pretty regularly.

Where are you in WA? I'm in East Vic Park in Perth

Thanks for your suggestions.

I've had trouble with Iprimus apparently selling my email information and IP.

Just pay to see what hops are taken from Australia to your American (north? south?) server from your computer:

http://www.yougetsignal.com/tools/visual-tracert/

Any of these hops can gather your info.

The question is how do they get the IP address? The server is a Debian box that only I have access to.

Farelf is on the same track that I'm thinking, but he is ever so much more delicate <g>

I can't see how the server would have been compromised, I'm very careful about access to it, plus I monitor the logs pretty regularly.

Server is known, checked out, and logs are scanned. OK, so in theory, that's not a source.

However, being a VPS, one has to allow that although 'your' logs may not show activity, this doesn't address the fact that the physical server may have been breached.

Unfortunately, you don't cover much of the same ground in the instance of the system(s) you are using to make your connections to this server. As petzl suggests, there are a lot of malware tools out there.

What all "do you do" when connecting to that server from various spots around the world?

You say "I get spam" but don't really qualify that. Specific question: which e-mail address is concerned? The assumption could be made that you are talking about e-mail address(es?) tied to this server, yet you didn't define this. You also describe "multiple domains" involved, so the question then expands to wonder if the incoming spam is limited to one domain or several? Then, this might also expand to include questions about what the rest of your family might be doing while connected to this server.

Excluding some kind of malware that's somehow reporting your current location and connection points, then the most logical source for that data would be in the header of an e-mail. So the next area of research would be wondering how the (apparently described) 'same' spammer would be in the position to somehow capture that data, and that once again also raises the question as to which system might be involved in sending out that data to the 'wrong' location.

If the specific To: address is not one of your actual e-mail addresses, and running with the suggested geo-location tools, there'd be the question of your incoming setup on your e-mail server. i.e., locked down to only handle e-mail for specified addresses or wide open to accept anything addressed to the Domain(s) in question.

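Added example, not from this thread or from any poster in it: it shows the two mechanisms the thread has been circling, namely how the Received: chain of a message can carry the submitting client's address (the "header of an e-mail" path raised in the post above) and how a prefix table turns an address into a country (the mechanism behind the IP-to-location services mentioned earlier in the thread). The message, the RFC 5737 documentation addresses, the prefix table and its countries are all constructed for the example; the webmail Received: line approximates what a webmail front end writes when it is configured to record the browser address (Roundcube has such an option, http_received_header, which is off by default) and is not a verbatim copy of any product's format.

```python
import ipaddress
import re
from email import message_from_string
from typing import Optional

# Constructed message, not a real capture. It models a mail submitted through a
# webmail front end that records the browser's address in its own Received: line
# (the wording is illustrative), handed to the local Postfix over localhost, then
# delivered to a remote MX. All addresses are RFC 5737 documentation ranges.
SAMPLE_MESSAGE = (
    "Received: from mail.example.net (mail.example.net [203.0.113.10])\n"
    "\tby mx.recipient.example (Postfix) with ESMTPS id 4XyZ\n"
    "\tfor <someone@recipient.example>; Mon, 1 Jan 2024 10:00:02 +0000\n"
    "Received: from localhost (localhost [127.0.0.1])\n"
    "\tby mail.example.net (Postfix) with ESMTPA id 9AbC\n"
    "\tfor <someone@recipient.example>; Mon, 1 Jan 2024 10:00:00 +0000\n"
    "Received: from [198.51.100.77] by mail.example.net via HTTP;"
    " Mon, 1 Jan 2024 09:59:59 +0000\n"
    "From: user@example.net\n"
    "To: someone@recipient.example\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)

# Constructed prefix table standing in for a geolocation database: documentation
# ranges with made-up countries, not real allocations. Real services build this
# from RIR allocation data plus their own measurements.
PREFIX_TABLE = [
    ("203.0.113.0/24", "US"),
    ("198.51.100.0/24", "AU"),
    ("198.51.100.128/25", "NZ"),  # more specific than the /24 above
    ("192.0.2.0/24", "DE"),
]

# Addresses that can only name something inside the mail server's own host or LAN.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


def received_ips(raw_message: str) -> list:
    """IPv4 addresses named as the connecting client in each Received: line,
    earliest hop first. Every MTA prepends its own line, so the last Received:
    header in the message is the first hop."""
    msg = message_from_string(raw_message)
    hops = msg.get_all("Received") or []
    ips = []
    for hdr in reversed(hops):
        # Only the "from ..." clause names the client; "by ..." is the receiving host.
        from_clause = re.split(r"\s+by\s+", hdr, maxsplit=1)[0]
        ips.extend(IPV4_RE.findall(from_clause))
    return ips


def originating_ip(raw_message: str) -> Optional[str]:
    """First address in the chain that is not loopback/private: the sender's own
    network as seen by the first server that recorded it."""
    for ip in received_ips(raw_message):
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in LOCAL_NETS):
            return ip
    return None


def lookup_country(ip: str, table=PREFIX_TABLE) -> Optional[str]:
    """Longest-prefix match of ip against the table, the core of any
    IP-to-location lookup."""
    addr = ipaddress.ip_address(ip)
    best_net, best_country = None, None
    for prefix, country in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_country = net, country
    return best_country


def sender_location(raw_message: str) -> Optional[tuple]:
    """(originating IP, country) for a message, or None if no external hop is recorded."""
    ip = originating_ip(raw_message)
    if ip is None:
        return None
    return ip, lookup_country(ip)


if __name__ == "__main__":
    print(received_ips(SAMPLE_MESSAGE))
    print(sender_location(SAMPLE_MESSAGE))
```

The check this suggests for a setup like the one in the thread: send yourself a message from the webmail and read the raw headers of the copy that arrives. Postfix on its own records only the localhost submission for webmail, so the browser address appears only if the webmail front end adds it; if it does, every recipient of mail sent from that webmail (including any address that was ever replied to) can map the sender's current network, which would match a location change on travel. This path explains nothing about mail that was merely received, and the poster's own message headers are the only evidence that settles it.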

Again, thanks to everyone for your suggestions, they have been helpful. I think that the traffic through one of the routers associated with the VPS is being monitored. From that it would be obvious I have a mail server and maybe less obvious that it is being accessed via webmail. There is probably some automated process looking at the IP addresses accessing the webmail server and matching the spam sent to the mail server according to IP address location. As suggested, I did a traceroute and then did a search on the last hop (west-datacenter.net). mywot.com gives it a poor rating.

In answer to your question about number of domain names etcetera, there are 3 domains each with one email address. Two of the domains are getting spam inviting me to take up their job offer. When we were in Europe we were all accessing our webmail via the same iPad. Now that I'm back home I'm using my Ubuntu box and my wife is using her Windows box. Both started to get Australian targeted email as soon as we got back. I can't see how it could be the computers accessing webmail that are compromised. My daughter seems to have been lucky enough not to be targeted.

As for the mail server itself, I think I've set it up fairly tightly. It's a Postfix server and has active anti-spam measures such as connection and header checks as well as blocklisting. It only accepts mail for actual users. Any POP connections (Dovecot) are via POP3S.

I think that the traffic through one of the routers associated with the VPS is being monitored.

That would seem to suggest some serious talks with the Hosting folks. However, I'd still go with someone else on the physical server as being a more likely candidate for any monitoring of 'your' traffic (also suggesting a very serious talk with your Hosting folks.)

When we were in Europe we were all accessing our webmail via the same iPad. Now that I'm back home I'm using my Ubuntu box and my wife is using her Windows box.

As for the mail server itself, I think I've set it up fairly tightly.

Based on all the above, and the appearance that you know your way around various systems, have you looked at setting up a VPN connection on that server? Granted, it won't do much for the spammer that already has your data, and of course there are the added complications of getting the rest of the family set up for this, but .... this would be a way to get around the alleged monitoring process you're looking at.

However, I'd still go with someone else on the physical server as being a more likely candidate for any monitoring of 'your' traffic.

How is that done?

I'm considering moving to another VPS. I originally had my servers on a box at home and used a dynamic DNS service. Worked quite well, but my ADSL line is flaky and was getting a new IP too often. And then the dynamic DNS server had problems so I thought it would be better with a fixed IP on an external server. But as soon as I did, I got way more break-in attempts and spam problems.

How is that done?

The situations I've been involved with, more that I've read about, basically boil down to someone on that shared server installing something easily compromised. Once discovered, someone did the deed, managed to get into 'that' server with escalated rights, and then started working upstream on getting deeper into that server, which then opened up other accounts.

I originally had my servers on a box at home and used a dynamic DNS service. .... would be better with a fixed IP on an external server. But as soon as I did, I got way more break-in attempts and spam problems.

Yeah, pretty much normal for an IP on a 'known Host' as compared to 'hiding' in the midst of 'dial-up land'.
