taphilo.com domain listed

[taphilo]

Hi,

I own taphilo.com which is hosted at Interland in Atlanta, so there are multiple people sharing that IP mail server.

Query bl.spamcop.net - 64.225.255.15

64.225.255.15 is imta06a2.registeredsite.com

(Help) (Trace IP) (Senderbase lookup)

64.225.255.15 listed in bl.spamcop.net (127.0.0.2)

Since SpamCop started counting, this system has been reported less than 10 times by less than 10 users. It has been sending mail consistently for at least 62.2 days. In the past 19.3 days, it has been listed 3 times for a total of 2.4 days

In the past week, this system has:

Been reported as a source of spam less than 10 times

Been witnessed sending mail about 20 times

Other hosts in this "neighborhood" with spam reports:

64.225.255.31

64.225.255.33

Now also I saw nobug.org (my local users group) being spoofed as well as my work bpa.gov domain being spoofed in spam and all were listed in spamcop as a spam domain.

Since, from I read in here, if I did read it correctly, that any domain drops off after 48 hours of inactivity but from what I can see most of the people reporting seem to be pretty ignornant at looking at headers and reporting spam. They seem to label it immediately and never look at headers as to where it really originted from.

Nor do they have multiple e-mail accounts to see if the same message with different return addresses from the same domain were recieved (which I can spot easily having multiple e-mail accounts on my own domain).

To me that means that my, and others on that mail server, will all be listed pretty regularlly - 20 % if the time - due to people reporting randomly without knowing what they are doing. Last month I got bounced messages when I sent out meeting notices for Portland NOBUG user group meeting from my account. One receipient USES SPAMCOP (TNT Software here in Portland) and he happens also to be the President of NOBUG and of course the e-mails I send to HIM all bounce!

I just sent out anothe mailing from taphilo.com and his e-mail just bounced back - hence me being here.

I control taphilo.com, and nobug.org (hosted at Easystreet here in Portland Oregon) mail accounts for sending and I got around 30 bounced spam messages in various mail accounts over the last two weeks. All supposedly having been sent from those domains and I can tell that none were sent. It is amusing to get an e-mail from administrator[at]taphilo.com (and I have no account there with that name) to my own personal account telling me about an important message from the domain owner.

It seems that when I forwarded our security office at Bonneville Power Administration (BPA.GOV) that a message I sent TO a TNT software e-mail account (the NOBUG president) was bounced because BPA was being labeled a spam domain it was IMEEDIATELY removed from the list - none of this 48 hour stuff. I guess Kevin being a federal security agent has more pull on removing domains than us mere federal employees.

So, am I right that once listed in SPAMCOP that I pretty much have to live with having mail blocked 20% of the time? That spammers spoofing a domain can effecitvy put up a DOS against any domain of mail delivery once enough people using SPAMCOP blindly label a spoofed return mail address as spam?

Tom Philo

[Merlyn]

Spamcop does not add spamvertised sites to the blocklist only originators of the spam via IP address.

Spamcop tracks back to the source via IP not by a spoofed name, if your mail server was RFC compliant then there would be no problem.

If your server is compliant then maybe, if you removed your spammers you would be listed 0%

[dra007]

If your server is compliant then maybe, if you removed your spammers you would be listed 0%

And perhaps the government should do more preventing internet fraud and illegal spams.

I have got some viruses and spam with spoofed .gov domains, however when you parse the headers lo and behold the regular China and Brazil domains notorious for spam show up. So I doubt very much that the problem originated with spamcop or people reporting here, for reasons already stated by Merlyn.

[Derek T]

So, am I right that once listed in SPAMCOP that I pretty much have to live with having mail blocked 20% of the time?

No, sir, you have the choice of hosting your domain with a less spam-friendly ISP. As long as you stick with your current host, unless you can put pressure on them to clean up their act, this problem will most likely recur. Move your domain to a different (clean) IP and proble will go away. SpamCop does NOT work by domain.

[taphilo]

Thanks all for answering (and explaining better than the FAQ) Spamcop.

I already logged a call into Interland Tech support about this before I posted my missive above.

However, I have no control over mail being sent from the same mail server that my domain users and I have no control over Interland complying with RFCs.

I also doubt Interland is knowinging hosting spammers due to their cost plus they themselves have anti-spamming software on the mail systems (abiet, not a great one).

IPs as well as return addresses can be spoofed in e-mails and unless you look at the MAC address and cross reference what was seen in the originating IP stack with that with the valid IP's souce MAC is the only way to find out where it was originally placed on the wire. Most any method is subject to false positives.

The advise to change ISPs is putting cost, expense, time on the end user (me) to move to another ISP over something I have no control of and to a company like Interland losing 1 small business user is not going to get them to change a thing.

Tom

[turetzsr]

Hi, Tom!

<snip>

IPs as well as return addresses can be spoofed in e-mails and unless you look at the MAC address and cross reference what was seen in the originating IP stack with  that with the valid IP's souce MAC is the only way to find out where it was originally placed on the wire. Most any method is subject to false positives.

...Can you give us an example? I, especially, would be very interested in any evidence you may have that this has happened!

The advise to change ISPs is putting cost, expense, time on the end user (me) to move to another ISP over something I have no control of and to a company like Interland losing 1 small business user is not going to get them to change a thing.

...Yes, spammers spoil things for everyone on the Internet. You'll have to do a cost-benefit analysis to determine which is better for you -- remaining on a service that does not clean up its spammers quickly enough and thereby not being able to deliver all your e-mails or moving to a more reliable provider. <sad>

[Wazoo]

IPs as well as return addresses can be spoofed in e-mails and unless you look at the MAC address and cross reference what was seen in the originating IP stack with  that with the valid IP's souce MAC is the only way to find out where it was originally placed on the wire. Most any method is subject to false positives.

Hmmm, not sure where you heard this, but spoofing a MAC address isn't that hard to do either ... and about the only way to suggest to an ISP to take the time to "look at the originating IP stack (?)" would be that this ISP was the injection point / source of a spam based on the analysis of the IP address thread that tracked back to this ISP.

[WB8TYW]

If an I.P. address is being spoofed to send spam, it still has to come from the same router segment as the I.P. address really resides on, or it can not maintain a two-way connection.

It will also cause severe and noticable communications problems with the server that is supposed to be operating on that I.P. address.

Since delivering spam to a mail server involves a two-way connection, it is highly unlikely that I.P. spoofing is involved, and if it is, it still means that there is an extreme security problem on the network that the spamcop.net reports are going to.

So if someone is convinced that their mail server's I.P. address was spoofed, they need to do a very thorough examination of their own network to find the attacker.

So the spamcop.net reports would still be going to the correct place.

Now what the spamcop.net parser does is look at the headers on the submitted spam from the last server that received it.

This description is close but not 100% accurate of what the parser is doing.

It checks each header to see if the I.P. addresses, the rDNS for it and the mail server name match close enough to be believed.

Additionally it checks to see if that I.P. address is listed in a few select lists as a compromised system and uses a few checks to see if it is a dhcp address.

If these tests pass, it then decides to trust that the mail server is telling the truth about where it got the message from, and then repeats all the same tests on that I.P. address.

When it gets a failure, then it assumes that header line is a fake, and the spam injection point is the I.P. address that of the last mail server that it had good information on.

What was happening in the most recent case of forgeries I saw on this forum is that apparently the compromised system had not been previously listed independent of spamcop.net as a compromised system, and also was not detected to be dhcp by the spamcop.net parser.

It appears that the algorithm that the parser uses to determine a dhcp address has been changed to make this less likely that the parser would make that error.

It would take a deputies (at) spamcop.net to look at the spam samples to and see if they can determine what vulnerabilty is causing the listing, or if there is some parser error.

As there are public spam samples, it indicates that the designated abuse contact for the I.P. address should also have them.

Otherwise you can see if the folks at dsbl.org will run a test on it to see if there is a specific vulnerabilty.

Usually when a case like this shows up, it usually shows up that either the server has a weak password and is allowing anyone to use it remotely, or has something on it that is abusively auto-responding to viruses.

Since the spam sample does not look like a subject used by any virus that I know, or anything that autoresponds to viruses. So either there is a parser error, or there is some unknown security hole in the mail server.

I.P. spoofing is extremely unlikely.

-John

Personal Opinion Only

[taphilo]

What lead me to believe that my own domain is being spoofed and not accuartely checked was that where I work, BPA.GOV, was also set as being a spam domain by SpamCop (three weeks ago if I remember correctly) - and I know 100% for sure that our mail servers are NOT compromised or hacked or set as open relay or not RFC compliant. They are not even allowed to be accessed externally. Only those inside BPA can send to it. Otherwise it only receives mail.

I sent an e-mail to the same person at TNT software, the NOBUG.ORG president, and it came back from his system that BPA.GOV was listed as a spam domain by SpamCop (as mentioned in my first post).

Yes, MACs can be spoofed too, but since an IP address is really a pair of addresses if can trace back see the source MAC and if the first next hop is the router mac that the true mail server sent it; if not the router MAC then you know it is spoofed. But true, it would have to be at the injection point since past the first router the next hop MAC is put in so it can get to the next hop destination and thus the IP header information trace idea becomes invalid.

If the injection point is on a sufficiently high backbone (tier II) compromised e-mail system so that the spoofed source only goes through 1 mail server then it would appear to most programs to be valid spam. That is the only way I can think of that BPA.GOV was listed as a spam domain.

Here at BPA I only have to configure servers to ensure secure trusted communications to the mail servers and do not have to delve that extensively into the mail systems themselves (don't want to!) like I had to when we first went live with BPA.GOV in 1995. And a lot has changed since then in both the web and mail server world.

Thanks again to all who have taken the time to answer.

[Wazoo]

BPA.GOV, was also set as being a spam domain by SpamCop

Somewhere, there's still a bit of a problem in defining your situation and any link to / with SpamCop ... There is no SpamCop listing of "spam domains" that are available for any use, short of some tallying data of reported spew .... Any specific bad source, and BL inclusion, is all based on an IP address ... domain name has nothing to do with any of this.

[Spambo]

What lead me to believe that my own domain is being spoofed and not accuartely checked was that where I work, BPA.GOV, was also set as being a spam domain by SpamCop (three weeks ago if I remember correctly) - and I know 100% for sure that our mail servers are NOT compromised or hacked or set as open relay or not RFC compliant. They are not even allowed to be accessed externally. Only those inside BPA can send to it. Otherwise it only receives mail.

[snip]

Considering that the FTC & Postal Inspection Service charged 4 individuals yesterday with spam related crimes, including illegally using machines owned by the Administrative Office of the United States Courts and the U.S. Army Information Center to send their spam, I wonder how you are so sure that your department's machines aren't (or haven't been) similarly abused by spammers.

http://www.freep.com/money/tech/spam29_20040429.htm

[taphilo]

We cannot discuss specifics of our setup (not allowed too) but knowing how our systems are set up, the degree of lockdowns we have, the products we use, the technical ability of the people running the systems, the many layered mutiple cross checks we have in place as well as the operational procedures to ensure that only authorized mail (twice checked) is sent from our systems to the internet mail server - since this mail server NEVER originates any mail only passes along messages sent ONLY from internal mail systems.

That is why I am quite certain that spam has never orginated from our internet mail server.

[Wazoo]

Not discounting all your words of wonder at the staffing, tool sets, and suggested security clearances in place ..... but .....

since this mail server NEVER originates any mail only passes along messages sent ONLY from internal mail systems

I don't even want to try to guess at just how many times this statement has been made .... later followed by something like "damn, I didn't realize that ..." that "your e-mail server" doesn't originate e-mail on its own is nice, but others that have made the same claim found that the reason that there was no evidence of the spew in thei mail-server logs was that the e-mail server wasn't the route taken by the outgoing spew. You're welcome to do a bit of research at the many anti-virus sites and see if you can come up with the number of virii/trojans/etc. that contain their very own little SMTP engine to handle the outgoing on its own ... if the firewall you keep mentioning has all this expanded capability, check the firewall logs for traffic that shouldn't be there .... the last recent example of this found hundreds of megabytes of traffic flowing out (and again, the e-mail server logs showed nothing) ....

[taphilo]

If an trojan tried to directly send out messages using it's own engine it would be blocked by network design. If a trojan used its own engine and had the userid and password of a user whose system is compromised on the network then it would not be blocked. That is the only way I know of that spam could originate inside our system and be sent out through our internet system.

Then if that engine did send mail the user would

1) have thousands of e-mails in the outbox since it would be recorded as being sent

2) would have the mailbox disabled once it reaches the max mailbox size allowed (which is fairly low) and thus the spam would stop

3) the user would have to log a call to clear the mailbox and so it would be discovered

4) the three anti-virus systems running in our network would all have to have failed in order for the trojan to get onto the system and then to allow it to send messages from an untrusted source to a trusted source.

Given the above, I doubt that bpa.gov orginated anything.

[Merlyn]

If an trojan tried to directly send out messages using it's own engine it would be blocked by network design. If a trojan used its own engine and had the userid and password of a user whose system is compromised on the network then it would not be blocked. That is the only way I know of that spam could originate inside our system and be sent out through our internet system.

Then if that engine did send mail the user would

1) have thousands of e-mails in the outbox since it would be recorded as being sent

2) would have the mailbox disabled once it reaches the max mailbox size allowed (which is fairly low) and thus the spam would stop

3) the user would have to log a call to clear the mailbox and so it would be discovered

4) the three anti-virus systems running in our network would all have to have failed in order for the trojan to get onto the system and then to allow it to send messages from an untrusted source to a trusted source.

Given the above, I doubt that bpa.gov orginated anything.

You know so little and you know it so fluently.

[Miss Betsy]

I am probably not the person to answer this, but my understanding is that the little SMTP engines that send email out do /not/ do so through the normal mail server. They send via some other port. That's when people who look at their firewall logs say, "Oh, blank!"

so I don't think your user would have any unusual activity in the mailbox.

And, I am even more uncertain of this, but I think maybe the trojans get in through open ports rather than a way that normal anti-virus software would give an alert for. They might identify it if you ran the software. Again, I don't know.

However, IP addresses apparently can be spoofed. Have you gotten any reply from the deputies? Last time, the poster said that spamcop was very prompt in correcting the problem. If it was spoofed, the deputies will recognize it.

Miss Betsy

[Wazoo]

If an trojan tried to directly send out messages using it's own engine it would be blocked by network design. If a trojan used its own engine and had the userid and password of a user whose system is compromised on the network then it would not be blocked. That is the only way I know of that spam could originate inside our system and be sent out through our internet system.

Interesting thought, but .... way out of touch with reality .. sorry

Then if that engine did send mail the user would

1) have thousands of e-mails in the outbox since it would be recorded as being sent

Wow, so far off the mark ... I'll suggest you do some research once again. If this is the level of your staff intelligence on how these things work, I can see why you've a problem believing that there could be a problem.

2) would have the mailbox disabled once it reaches the max mailbox size allowed (which is fairly low) and thus the spam would stop

3) the user would have to log a call to clear the mailbox and so it would be discovered

Ouch ... please re-read the above comments ...

4) the three anti-virus systems running in our network would all have to have failed in order for the trojan to get onto the system and then to allow it to send messages from an untrusted source to a trusted source.

sounds like way too much trust placed in some spiffy software ... somebodyreally needs to get some dirt under the fingernails and really take a look at what's going on network wise.

Given the above, I doubt that bpa.gov orginated anything.

Fine, you're entitled to your opinion ... I'll just state that you haven't convinced me yet that there isn't something going on that the tech staff just hasn't figured out yet. Again, this is a suspicion based on the years of hearing the phrase you've used ... "my system is locked down .. ain't no way ..." and finding / showing that the facts didn't agree.

[Ellen]

We cannot discuss specifics of our setup (not allowed too) but knowing how our systems are set up, the degree of lockdowns we have, the products we use, the technical ability of the people running the systems, the many layered mutiple cross checks we have in place as well as the operational procedures to ensure that only authorized mail (twice checked) is sent from our systems to the internet mail server - since this mail server NEVER originates any mail only passes along messages sent ONLY from internal mail systems.

That is why I am quite certain that spam has never orginated from our internet mail server.

If you would like to send the IP that is blocked to me at the email address in the sig below I would be happy to query the database.

[Merlyn]

What lead me to believe that my own domain is being spoofed and not accuartely checked was that where I work, BPA.GOV, was also set as being a spam domain by SpamCop (three weeks ago if I remember correctly) - and I know 100% for sure that our mail servers are NOT compromised or hacked or set as open relay or not RFC compliant. They are not even allowed to be accessed externally. Only those inside BPA can send to it. Otherwise it only receives mail.

Well lets check:

no IP found for BPA.GOV - try again

[bPA.GOV has 2 MX records mailhost1.BPA.GOV.(10) mailhost2.BPA.GOV.(10)]

Resolved mailhost1.BPA.GOV to 170.160.4.251

Query bl.spamcop.net - 170.160.4.251

170.160.4.251 is measles.bpa.gov

170.160.4.251 not listed in bl.spamcop.net

SpamCop has no record of this system

Resolved mailhost2.BPA.GOV to 170.160.4.252

Query bl.spamcop.net - 170.160.4.252

170.160.4.252 is mailhost2.bpa.gov

170.160.4.252 not listed in bl.spamcop.net

SpamCop has no record of this system

It does not look like Spamcop knows anything about either of these IP's. Which IP's do you "Think" were listed?

[taphilo]

I know enough to know that I don't know the nitty gritty details of how every possible software program works.

But I DO know the full time system people who scan our internal network for any activity, the full time people who scan our mail servers, the full time people who configure and monitor our firewalls, the interrealtionship setup of our systems as who can send what to whom, how they are checked, the two people who full time monitor all the hacking attempts against our servers and the level of expertise they have.

Since having been involved with all this since we first went live onto the Internet in 1995 (when I did all the work in getting both the circuits and the equipment installed and configured onto the network and the checks we put in starting from the get-go of multiple firewalling , preventing spoofing, hacking, bastion setups, etc) I can speak that we have done it right from the beginning and there is no way anyone could have gotten into any of our systems to send spam from our domain.

SpamCop does not show our domain now - but then it drops off systems after so many days of no reports so checking now for what happenned 5 weeks ago is a bit useless.

Opening up a random port and then trying to send mail outside just is not possible - unless it is using HTTP and connecting to and sending to a web server outside and dumping it there - but then it would be retaining our outbound proxy web IP address - but then the mail address reported would be our proxy server and NOT our e-mail server. The original trace said our mail server.

I am talking in here about MY expertise - not the others who do this full time. I am quite low in all the knowledge on this spam stuff, it is not what I do day in day out - but I AM a good operational analysis person and I am typing and brainstorming as to what could be possible to get by the checks in place in this forum. So you may think what I have typed is way off base but that is because all the NORMAL and best practices are ALREADY IN PLACE and are constantly checked to ensure that they are working.

You can try and guard against the unknown but you can only test against the known.

So I am trying to think up ways that they could possible get past what we have in place to prevent spam and I cannot think of any at all (plese read 1st paragraph above again now).

I look at how things work -- not how they are supposed to work -- and go from there. I've had many arguements with a few people saying "it is not designed to work that way" and then I have to go get screen shots, system dumps, logs, showing and proving to them it is NOT working as they said it does to get them to change things. So I can see people's points in here where how it is supposed to work and how it REALLY works does not sync and that is how spam, spyware etc get in. That is why some of the things in here are "way off base" and people have stated that I am dumb.

Getting valid desired systems through all the network, hardware, and software checks just to talk to other systems is hard in our network. I cannot see how a malware program could just connect to a smtp server and send spam using an invalid account - or a valid - and and talk to any server in our system and never be traced.

Oh, our security people did look at the mail logs from our systems when I reported to them that we were listed -- no invalid "from" e-mails originated in the logs, (the spam that I saw as coming from our domain had random from addresses, none even followed our convention), no massive mailing from any person inside occured in any time frame, nothing on the server etc.

All in all I am still sure that the IPs were spoofed when placed on the wire. I have no expectations of convincing anyone in here otherwise and, likewise, I doubt if anyone in here can convince me that it was possible .

Bad thing about being a Fed, you cannot discuss in enough detail to explain anyting now in order to find out any answers - only those in security can talk and then only to other federal security. So I (and you) will never really know . . .

Tom

[Wazoo]

you cannot discuss in enough detail to explain anyting now in order to find out any answers - only those in security can talk and then only to other federal security. So I (and you) will never really know . . .

I'm a but put off by you saying on one hand that you are in the mix, but then keep saying that the "folks that run / check things ..." ... which is it?

You were offered the opportunity to provide an IP so that one of the Deputies could look up the SpamCop data and give you some insight .. you don't make it sound like you took advantage of that.

There's security and there's security amd when you mention that your place of work was "tagged as a spam domain" (which you never did explain) and your team of experts can't find a clue ... there's security!!! And if you really want to play cloak and dagger stuff, there are agencies around that have staff that can get involved, especially when you play the "security" card. If needed, I can offer some contacts, though noting that if you're as hoopty as you want to make it appear, you should have some of those people already on site. Time spent in the D.C. and Baltmore area, now retired U.S. Army might suggest something to you for background, such that your "security" remarks got me giggling. As stated in another thread, to yet another 'government' type .. ask around and see if anyone can recall a little place called Vint Hill Farms Station ...

[Merlyn]

You sure do talk a lot without saying anything.

How about just stating what the IP's are or quit complaining.

[Miss Betsy]

IMHO, it would be better for the IT people to ask the questions and read the answers than to have you filter it to them.

There is a possibility it was spoofed. But in order to stop that kind of spoofing and to get your IP address off the scbl, you need to contact the deputies <at> spamcop.net. Like you, they don't want to publish 'how' the spammer achieves a spoof for security reasons. If you do contact them, then they will do what they can to see that it does not happen again. Also, they can give you more information that would narrow the search for any vulnerabilities if they think it is not spoofed.

It may be something as simple as automatic virus notifications (which I received the other day from a military IP address). It included the virus so that I was able to notify the other military IP address of the virus as well as notifying them that was not good practice. I am not saying your agency does this, but there might be something simple like that.

Miss Betsy

[WB8TYW]

One I.P. address was given already.

Hi,

I own taphilo.com which is hosted at Interland in Atlanta, so there are multiple people sharing that IP mail server.

Query bl.spamcop.net - 64.225.255.15

64.225.255.15 is imta06a2.registeredsite.com

(Help) (Trace IP) (Senderbase lookup)

64.225.255.15 listed in bl.spamcop.net (127.0.0.2)

As the headers are only available to a deputy, it is not possible for anyone to see if it was a forgery, or something else.

It seems that when I forwarded our security office at Bonneville Power Administration (BPA.GOV) that a message I sent TO a TNT software e-mail account (the NOBUG president) was bounced because BPA was being labeled a spam domain it was IMEEDIATELY removed from the list - none of this 48 hour stuff. I guess Kevin being a federal security agent has more pull on removing domains than us mere federal employees.

No I.P. address was given for the BPA.GOV, all that can be done is a check of the publicly known I.P. addresses. Merlyn did a check, and spamcop.net has no record of any reports on those I.P. addresses.

If mail from the BPA.GOV was being rejected by someone, it does not appear to be from a spamcop.net listing.

spamcop.net does not track spam domains. Spamcop.net tracks reports about spam from I.P. addresses.

So far, Tom has not provided the rejection message that led him to think that spamcop.net had listed BPA.GOV or an I.P. address. There are a few hundred DNSbls, and some mail servers will report the wrong information in a rejection message.

So until Tom provides this information, which would be in the rejection message that he received as a result of his e-mail attempt, there is no way to determine what happened.

Now in the case of 64.225.255.15, it would take a deputy to prove if it was a case of header forgery or not.

In the other case of domain forgery of another.com's domains, there was a lot of spam samples available from many sources. I even received a few copies of the spam.

So if it is a forgery, the spammer is not being as prolific as with the other cases.

The spam sample shows what really looks like a spam, so it was either a parser error, or there really has been spam coming from that I.P. address. I have not found any other sightings though.

IP Hijacking can be easily ruled out. There are only three possibiliies of where this could be done.

1. On the same segment as the system being spoofed. The system owner would be seeing severe problems as a result of this.

2. A routing table hijack operation. The system owner would be effectively cut off from the rest of the internet while the exploit was in progress.

If either of these things had happened to Tom, a spamcop.net listing would be nothing compared to the problems he would be seeing with his system.

So anyone that has even an elementary understanding of how TCP/IP works can rule out these two causes.

The third case of I.P. spoofing would be if the network segment that the spamcop.net parser is on had been exploited. If that were the case, I would expect all sorts of problems to be showing up, and people complaining.

So case three is almost totally unlikely either.

Now things are getting confusing as there are two different I.P. addresses that are being discussed in this thread. One known and one unknown.

The deputies can look up the known one, and try to determine what the issue is.

It is listed again.

A sample sent sometime during the 24 hours beginning Sun May 2 20:00:00 2004 -0400:

Received: from -.-.com (-.-.com [64.225.255.15])

by -.-.-.com (-.-.-.-.-) with - id -

Mon, - May 2004 - -

Subject: - technology of the year - social networks - francisco - may -

From: jo.. at ..a.com

It appears that multiple domains share a common outgoing mail server.

A deputy would have to look at this further to see of the spam samples match any of the known exploits, or if header spoofing is going on.

The other people that can look at the headers of the reported spam are the ones that read abuse[at]interland.net.

Normally with header spoofing, there is more received lines, and once you know what to look for, it is more obvious. However the munged samples do not have the information needed for us mere mortals to determine why.

And there have been changes made to the parser to make it harder for a spammer to deliberatly cause your I.P. address to be listed with out the spam report being able to be traced back to the forger's I.P. address.

As far as the other issue. No evidence has been submitted to this forum that shows any connection of known I.P. addresses for the BPA.GOV and spamcop.net. I can not find any internet record of any spam coming from BPA.GOV. So there is no reason to believe that there is any problem with the BPA.GOV.

The checks described that were done apparently on the BPA.GOV network are insuficient to determine if a network or a system had been compromised, if they were the only checks that were done. If someone has compromised a system, they can certainly tamper with the mail server logs. Typically the spammer bypasses the mail server completely leaving nothing in the log. The access would show up in the firewall logs if it kept them.

Miss Betsy, you will remember the "Tinman" case that went on for at least a month?

In that case, everything that was described here was checked and passed. The system owner finally put a packet monitor on the system and caught the spammer.

The spammer had found a vulnerability in a web server, and had uploaded a e-mail program written in the computer language perl, send the spam, and then deleted all trace of their "visit" off of the server.

With out the packet monitor, it is likely that the vulnerability would never had been found. According postings in news.admin.net-abuse.sightings, there were quite a few mail servers being exploited in this way, and all of it stopped as soon as the cause was found. The servers in question were all running a UNIX type operating system.

So all the evidence that can be viewed publically is showing that there is no problem with BPA.GOV, and that it never has had any of it's known I.P. addresses listed with spamcop.net.

64.225.255.15 however clearly has some spam reports against it, and until the reasons for the listing is found, it looks like it will be regularly listed.

And a spamcop.net listing is not always 48 hours. The listing time is a maximum of 48 hours. The minimum listing time according to past posts is 1/2 hour. The time of a listing is based mainly on how much spam was reported, and how many times that I.P. has been listed in the past.

It is likely that the case with 64.225.255.15, is one of the following:

1. Someone sharing the mail server is actively spamming.

2. There is a security hole somewhere in the mail server.

3. The parser is making an error.

Statistics of the solutions to past problems put the odds highly in favor of case #1 above, with low probability of case #2, or case #3.

So Tom,

As the deputies may not monitor these threads in a timely fashon, I would recommend e-mailing them at the address they gave earlier.

Or obtain the spam sample from the people at interland.net that you are paying for your domain and post it here for everyone to look at.

If there is an error in the parser, then it is in everyone's interest to get it fixed.

If the server is compromised, again, it is in everyone's interest to get it fixed.

Speculating about what could have happened is not going to result in anything constructive beeing done, except for possibly teaching Miss Betsy a few simple things about Internet routing.

Usually once a spam sample can be located, it can be compared with other spam samples from servers who's problems have been identified and fixed.

You can always ask at the dsbl.org to run a comprehensive test on your server. If it has a known vulnerabilty, they have a good shot at finding it. They currently show no record of 64.225.255.15.

-John

Personal Opinion Only

[taphilo]

Note: I have Easystreet.com who hosts NOBUG.ORG forward messages to my nobug[at]taphilo.com account for webmaster and tres[at]nobug.org questions just for ease of my use.

Here is a header from a recent reject that ended up in my mail box. Course all the e-mails addresses shown in the rejcts are totally random and false. Same type of thing that I saw as coming from my taphilo.com domain.

Received: from valvur.sm.ee ([172.20.1.1])

by domino.sm.ee (Lotus Domino Release 5.0.11)

with ESMTP id 2004042820381712:13134 ;

Wed, 28 Apr 2004 20:38:17 +0300

Received: Message by Barricade valvur.sm.ee with SMTP id i3SHcGvc007398

for <anne.poll[at]sm.ee>; Wed, 28 Apr 2004 20:38:16 +0300

Received: from wizard.online.ee/194.106.96.27 by Barricade SMTP gate; Wed Apr 28 20:37:26 2004

Received: (qmail 15717 invoked by uid 79); 28 Apr 2004 20:37:08 +0300

Received: from TYBBZMNEF[at]nobug.org by wizard by uid 78 with qmail-scanner-1.20rc3

(clamuko: 0.60 Clear:RC:0:.

Processed in 0.927191 secs); 28 Apr 2004 20:37:08 +0300

Received: from unknown (HELO 194.106.96.27) (218.56.34.74)

by wizard.online.ee with SMTP; 28 Apr 2004 20:37:07 +0300

Received: from 120.96.192.51 by 218.56.34.74; Thu, 29 Apr 2004 14:27:41 +0400

X-evelope-data: from "<TYBBZMNEF[at]nobug.org>" for "<anne.poll[at]sm.ee>"

Message-ID: <PAPTDBRCKFVECSPIOYMQIAYYS[at]audiobridge.com>

From: "Ashley Ryan" <TYBBZMNEF[at]nobug.org>

Reply-To: "Ashley Ryan" <TYBBZMNEF[at]nobug.org>

To: leili.matsar[at]sm.ee

Cc: anne.poll[at]sm.ee

Subject: guess what? all presc ription medic ations available at our site

Date: Thu, 29 Apr 2004 14:34:41 +0400

X-Mailer: Microsoft Outlook Express 5.50.4522.1200

MIME-Version: 1.0

X-Priority: 3 (Normal)

X-MSMail-Priority: Normal

X-MIMETrack: Itemize by SMTP Server on Domino/Sotsmin(Release 5.0.11 |July 24, 2002) at

28.04.2004 20:38:17,

Serialize by Router on Domino/Sotsmin(Release 5.0.11 |July 24, 2002) at 28.04.2004

20:38:22,

Serialize complete at 28.04.2004 20:38:22

Content-Type: multipart/alternative;

boundary="--61907200107084103737"

Above was the header in the HTML encoded e-mail that was bounced back to me and the headers of the bounce message:

Return-Path: <>

Received: from inbound-mx6.atl.registeredsite.com ([64.224.219.94])

by imta03a2.registeredsite.com with ESMTP

id <20040428173935.JXBW2059.imta03a2.registeredsite.com[at]inbound-mx6.atl.registeredsite.com>

for <nobug[at]taphilo.com>; Wed, 28 Apr 2004 13:39:35 -0400

Received: from smtp.easystreet.com (smtp.easystreet.com [69.30.22.10])

by inbound-mx6.atl.registeredsite.com (8.12.10/8.12.8) with ESMTP id i3SHcUPL007427

for <nobug[at]taphilo.com>; Wed, 28 Apr 2004 17:38:52 GMT

Received: from smtpdelivery.easystreet.com (smtpdelivery.easystreet.com [206.26.36.40])

(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))

(No client certificate requested)

by smtp.easystreet.com (Postfix) with ESMTP id B6BC86DC057

for <nobug[at]taphilo.com>; Wed, 28 Apr 2004 10:38:26 -0700 (PDT)

Received: from mx.easystreet.com (smtpfilter01 [10.32.1.1])

(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))

(No client certificate requested)

by smtpdelivery.easystreet.com (Postfix) with ESMTP id 74285845EB7

for <TYBBZMNEF[at]nobug.org>; Wed, 28 Apr 2004 10:38:26 -0700 (PDT)

Received: from valvur.sm.ee (valvur.sm.ee [62.65.34.146])

(using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits))

(No client certificate requested)

by mx.easystreet.com (Postfix) with ESMTP id 0F9F02F0185

for <TYBBZMNEF[at]nobug.org>; Wed, 28 Apr 2004 10:36:27 -0700 (PDT)

Received: Message by Barricade valvur.sm.ee with ESMTP id i3SHcLbo007422

for <TYBBZMNEF[at]nobug.org>; Wed, 28 Apr 2004 20:38:21 +0300

X-evelope-data: from "<TYBBZMNEF[at]nobug.org>" for "<anne.poll[at]sm.ee>"

Message-ID: <PAPTDBRCKFVECSPIOYMQIAYYS[at]audiobridge.com>

From: Postmaster[at]sm.ee

Reply-To: "Ashley Ryan" <TYBBZMNEF[at]nobug.org>

To: "Ashley Ryan" <TYBBZMNEF[at]nobug.org>

Cc: anne.poll[at]sm.ee

Subject: DELIVERY FAILURE: User anne.poll (anne.poll[at]sm.ee) not listed in public

Name & Address Book

Date: Thu, 29 Apr 2004 14:34:41 +0400

X-Mailer: Microsoft Outlook Express 5.50.4522.1200

MIME-Version: 1.0

X-Priority: 3 (Normal)

X-MSMail-Priority: Normal

X-MIMETrack: Itemize by SMTP Server on Domino/Sotsmin(Release 5.0.11 |July 24, 2002) at

28.04.2004 20:38:17,

Serialize by Router on Domino/Sotsmin(Release 5.0.11 |July 24, 2002) at 28.04.2004

20:38:22,

Serialize complete at 28.04.2004 20:38:22

Content-Type: multipart/report; report-type=delivery-status; boundary="==IFJRGLKFGIR17997UHRUHIHD"

X-info: Headers changed by Barricade

I can't show you the message of the bounced one from BPA (I may be able to, have to see if I can recover deleted messages first).

But in the above case NOBUG.ORG, is hosted by Easystreet.com, is being used as the reject point for the false nobug.org messages. This of course shows the path all the way back to me through Interland in the 2nd one.

I do no a true reject of my own domain since I deleted them out of my mailbox (bad, should have saved one) so all I have recently is:

Received: from [195.132.15.240] (HELO tele2.fr)

by mailfe05.swip.net (CommuniGate Pro SMTP 4.2b2)

with ESMTP id 24780172 for eu555787[at]tele2.fr; Wed, 28 Apr 2004 12:59:04 +0200

From: tom[at]taphilo.com

To: eu555787[at]tele2.fr

Subject: Re: Re: Re: Re:

Date: Wed, 28 Apr 2004 12:59:02 +0200

MIME-Version: 1.0

Content-Type: multipart/mixed;

boundary="----=_NextPart_000_0004_00006616.00000B41"

X-Priority: 3

X-MSMail-Priority: Normal

Message-ID: <auto-000024780172[at]mailfe05.swip.net>

Failed to deliver to 'eu555787[at]tele2.fr'

SMTP module(domain old.swip.net) reports:

host old.swip.net says:

550 Invalid recipient: <eu555787[at]tele2.fr>

which of course I did not send to and it shows only 1 mail hop and did not even come from Interland. I have a 2nd one also:

Received: from [195.132.15.209] (HELO netclub.com)

by mail.net (CommuniGate Pro SMTP 3.5.6)

with ESMTP id 28847886 for info[at]netclub.com; Wed, 05 May 2004 11:35:27 -0400

From: tom[at]taphilo.com

To: info[at]netclub.com

Subject: Here is it

Date: Wed, 5 May 2004 17:35:05 +0200

MIME-Version: 1.0

Content-Type: multipart/mixed;

boundary="----=_NextPart_000_0007_00001885.0000417F"

X-Priority: 3

X-MSMail-Priority: Normal

Message-ID: <auto-000028847886[at]mail.net>

Requesting outside help is out of the question = I am not allowed to and only people in our security office can request things like that be done against our systems. But then we have all sorts of outside Federal people always coming in since we are Federal so being checked for all types of vunerablities goes on all the time.

Our mail server is public info mailhost2.bpa.gov.(10) mailhost1.bpa.gov.(10)] host 1 is 170.160.4.251 and 2 is .252.

TNT Software subscribes to SPAMCOP and the original reject was via SPAMCOP message stating that it was rejected by it.

A more recent rject by TNT was via RBL6

Reporting-MTA: dns; mail12.atl.registeredsite.com

Received-From-MTA: DNS; imta01a2.registeredsite.com

Arrival-Date: Tue, 13 Apr 2004 03:04:21 GMT

Final-Recipient: RFC822; scott[at]TNTSoftware.com

Action: failed

Status: 5.7.1

Remote-MTA: DNS; mail.tntsoftware.com

Diagnostic-Code: SMTP; 550 5.7.1 Your message from 64.224.219.86 has been identified by RBL6 as potential spam or other unwanted email and blocked by our scanning gateway. If you believe this was an error, please forward this message to abuse[at]tntsoftware.com. We apologize for this inconvenience.

Last-Attempt-Date: Tue, 13 Apr 2004 03:05:00 GMT

Remember, being big means in our agency there could be up to 6 groups that have to cooperate and work together to configure and install anything to ensure things acutally work (usuallly there are at least 4). Thus, we all have competing needs and specialties and thus we end up cross-checking each other's work. This is not a one person does all work place (never was) so this helps prevent open holes since each person looks at needs and solutions differently and add in the normal security group single mindesness of locking down everything (even if needed) helps make our systems tight.

WB8TYW - thanks, that is a lot of typing.