biripada

Trace SPAMMER


Hi All,

I provide a proxy service, and one user sent SPAM MAIL using our service; below is that mail header. I have the iptables log enabled, and there is no issue with it: I verified it, and it gives correct results for other abuse cases like CBL etc.

From the below report it tells that a connection has been made from MY_SERVER_IP to 149.174.103.88 at the given time.

But in the IPTABLES log I don't see any connection made to this IP - 149.174.103.88.

Am I taking the correct destination IP from the following header? Please help. I need to trace the user who spammed.

Thank you

=====================

Received: from core-lga05d.mail.aol.com (core-lga05.mail.aol.com [10.76.11.5])
by mtaomg-aai02.mx.aol.com (OMAG/Core Interface) with ESMTP id E234338000082;
Wed, 5 Nov 2014 16:00:39 -0500 (EST)
X-MB-Message-Source: WebUI
Subject: PLEASE I NEED YOUR URGENT ATTENTION
X-MB-Message-Type: User
MIME-Version: 1.0
From: xxxxtopher Edward <xxxxtopher.edward2[at]aol.co.uk>
Content-Type: multipart/alternative;
boundary="--------MB_8D1C752AFAE926C_1104_10EFB3_webmail-va085.sysops.aol.com"
X-Mailer: AOL Webmail STANDARD
Received: from MY_SERVER_IP by webmail-va085.sysops.aol.com (149.174.103.88) with
HTTP (WebMailUI); Wed, 05 Nov 2014 16:00:38 -0500
Message-Id: <8D1C__________________C11D[at]webmail-va085.sysops.aol.com>
X-Originating-IP: [MY_SERVER_IP]
Date: Wed, 5 Nov 2014 16:00:38 -0500
x-aol-global-disposition: S
X-spam-FLAG: YES
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com;
s=20140625; t=1415221249;
bh=SID3WEUl/Mm/0P3neBBy7O/tQSr64ExaJ7aerAb5RaU=;
h=From:Subject:Message-Id:Date:MIME-Version:Content-Type;
b=b82VXaKg4vUytw0XjcB4T7bY6IexhDQJJIJufiq1K+Up4e7KjZ97660dgTakwqpBw
s8PsYE+PusDtRfA7QruuT0Fx8ZCOsqeoOxqhcTrcmAtVKf+xiG1M+C1eb0IzV4AecD
kbFEeD1QNN4axIRvTGnNRzdDW9r2tUk3DKQRekC8=
X-AOL-REROUTE: YES
x-aol-sid: 3039ac1b0264545a8ff7727f
X-spam-Score: 15.9/5
======================================================


Seems like it biripada - but usually the originating IP address is taken from the first "Received:" line ("X-....:" lines should never be trusted, too easy to forge), often in the form

Received: from MY_SERVER_NAME (MY_SERVER_IP) by webmail-va085.sysops.aol.com (149.174.103.88) with HTTP (WebMailUI);

          Wed, 05 Nov 2014 16:00:38 -0500

I assume you have checked your IP address in the CBL for any evidence of compromise/relay?
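The parse Farelf describes, as an added example that is not code from the thread or from SpamCop: it takes the bottom-most "Received:" line as the originating hop (ignoring X-Originating-IP), pulls the "from" and "by" addresses out of it, and then searches iptables LOG lines for an outbound connection to the "by" address around the header timestamp, which is the check biripada was trying to do by hand in the opening post. The address 203.0.113.45 stands in for MY_SERVER_IP, the log lines are constructed, the kernel log is assumed to be stamped in UTC, and the function names are my own.

```python
"""Extract the originating hop from a mail's Received: headers and look for the
matching outbound connection in iptables LOG output.  Added example, not code
from the thread; the header sample is modelled on the one posted above with the
constructed address 203.0.113.45 in place of MY_SERVER_IP, and the iptables lines
are constructed and assumed to be stamped in UTC by a LOG rule on the outbound chain."""
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# "from <host> (<comment>) by <host> (<comment>) ...; <date>" -- the parenthesised
# comments are where MTAs record the peer's real address, so capture them too.
RECEIVED_RE = re.compile(
    r"from\s+(?P<frm>\S+)(?:\s+\((?P<frm_c>[^)]*)\))?"
    r"\s+by\s+(?P<by>\S+)(?:\s+\((?P<by_c>[^)]*)\))?")
# kernel syslog line written by an iptables LOG target
IPT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?")

SAMPLE_HEADERS = "\n".join([            # constructed, see docstring
    "Received: from core-lga05d.mail.aol.com (core-lga05.mail.aol.com [10.76.11.5])",
    "\tby mtaomg-aai02.mx.aol.com (OMAG/Core Interface) with ESMTP id E234338000082;",
    "\tWed, 5 Nov 2014 16:00:39 -0500 (EST)",
    "Subject: PLEASE I NEED YOUR URGENT ATTENTION",
    "Received: from 203.0.113.45 by webmail-va085.sysops.aol.com (149.174.103.88) with",
    "\tHTTP (WebMailUI); Wed, 05 Nov 2014 16:00:38 -0500",
    "X-Originating-IP: [203.0.113.45]",
    "Date: Wed, 5 Nov 2014 16:00:38 -0500",
    "",
    "(body omitted)",
])
SAMPLE_IPTABLES_LOG = [                 # constructed; 16:00:38 -0500 is 21:00:38Z
    "Nov  5 20:12:01 proxy1 kernel: [88001.120] OUT: IN= OUT=eth0 SRC=203.0.113.45 DST=149.174.103.88 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=10231 DF PROTO=TCP SPT=40110 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Nov  5 21:00:37 proxy1 kernel: [90917.404] OUT: IN= OUT=eth0 SRC=203.0.113.45 DST=149.174.103.88 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41762 DF PROTO=TCP SPT=50214 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Nov  5 21:00:39 proxy1 kernel: [90919.011] OUT: IN= OUT=eth0 SRC=203.0.113.45 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41790 DF PROTO=TCP SPT=50215 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0",
]

def parse_received(value):
    """from/by hosts of one Received: value, the IPs named in each, and the hop time."""
    flat = " ".join(value.split())                   # join folded continuation lines
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    hop = {"from": m.group("frm"),
           "from_ips": IP_RE.findall(f"{m.group('frm')} {m.group('frm_c') or ''}"),
           "by": m.group("by"),
           "by_ips": IP_RE.findall(f"{m.group('by')} {m.group('by_c') or ''}"),
           "date": None}
    if ";" in flat:                                  # timestamp follows the last ';'
        try:
            hop["date"] = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            pass
    return hop

def originating_hop(raw_message):
    """Bottom-most Received: line = first hop = the mail's entry point.  This, not
    X-Originating-IP (trivially forged), is what a header parser should report."""
    msg = message_from_string(raw_message)
    for value in reversed(msg.get_all("Received") or []):
        hop = parse_received(value)
        if hop:
            return hop
    return None

def matching_connections(log_lines, dst_ip, when, window=timedelta(minutes=5),
                         log_tz=timezone.utc):
    """iptables LOG entries to dst_ip within +/- window of header time `when`.
    syslog stamps carry no year or zone, so both come from `when` and `log_tz`."""
    hits = []
    for line in log_lines:
        m = IPT_RE.search(line)
        if not m or m.group("dst") != dst_ip:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        ts = ts.replace(year=when.year, tzinfo=log_tz)
        if abs(ts - when) <= window:
            hits.append({"time": ts, "src": m.group("src"), "dst": m.group("dst"),
                         "proto": m.group("proto"), "spt": m.group("spt"), "dpt": m.group("dpt")})
    return hits

def trace(raw_message, log_lines):
    """Correlate the first hop with the outbound log.  A hit gives the source port,
    which the proxy's own session log maps to a user; no hit means this host did
    not make that connection as logged, or the log missed it."""
    hop = originating_hop(raw_message)
    if hop is None or not hop["by_ips"] or hop["date"] is None:
        return {"hop": hop, "connections": []}
    return {"hop": hop,
            "connections": matching_connections(log_lines, hop["by_ips"][0], hop["date"])}

if __name__ == "__main__":
    r = trace(SAMPLE_HEADERS, SAMPLE_IPTABLES_LOG)
    print("first hop:", r["hop"]["from"], "->", r["hop"]["by"], r["hop"]["by_ips"])
    for c in r["connections"]:
        print(f"{c['time'].isoformat()} {c['src']}:{c['spt']} -> {c['dst']}:{c['dpt']}")
```

A hit gives you the source port, which is what a proxy's own session log needs to attribute the connection to a user. An empty result for a generous window around the header timestamp means one of two things: the LOG rule did not see the traffic (check that it sits on the chain the proxy's traffic actually leaves through, and that the kernel clock's timezone matches what the search assumes), or the header's first hop does not describe a connection this host made, which is the forgery possibility raised in this thread.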



AOL have their servers set right IMO?

http://www.spamcop.net/sc?id=z5999203458zb60789c7280b61280c66a21b4fc75126z

In this case a compromised account using IP 95.141.28.118

Sent through AOL IP 64.12.143.76


Thanks Farelf and petzl.

None of the IPs present in the header are present in the log.

If the source IP (our IP) is correctly mentioned here, I should have got an entry for "Received: from MY_SERVER_IP by webmail-va085.sysops.aol.com (149.174.103.88)".

Yes. In CBL our IP was listed 1 week ago, but for a Conficker issue, not for spamming. I was able to track the user and block the user from the information CBL provided.

So it means anybody can provide a report to SpamCop with a forged source IP. The problem is my ISP is creating pressure on me.

Thank you


If there was a forged header improperly implicating you in a SpamCop report you could try writing to the SpamCop administrator, Don D'Minion (spamcop[at]spro.net). If he can verify the forgery (and he sees more of this stuff than any of the rest of us) that might help with your ISP. On the external evidence MY_SERVER_IP would definitely be seen as the apparent source - the SC parser would pick that from the first "Received:" line.



Good that the Botnet infection was dealt with?

Also check that "MY_SERVER_IP" has a matching Fwd/Rev DNS

Check yours here

http://www.senderbase.org/lookup/?search_string=149.174.103.88

Years ago many mailservers rejected on that alone, and some may still do. rDNS is another weakness, but I doubt a mail server would stamp the wrong IP?

Many spammers simply change their computer name from "My Computer" to "([MY_SERVER_IP])" but that would not fool AOL or SpamCop



...

Also check that "MY_SERVER_IP" has a matching Fwd/Rev DNS

Check yours here

http://www.senderbase.org/lookup/?search_string=149.174.103.88

...

I'm guessing there is no "MY_SERVER_NAME" otherwise the AOL header would have shown it? rDNS is another matter - as also whether or not "MY_SERVER_IP" is in the Spamhaus PBL or the equivalent in sorbs.net (which feeding it into the senderbase lookup would also show, for both//either). None of which, whatever the results and whatever the implications for messaging from the O/P's server IN GENERAL, answers the question why the particular transaction was not picked up in the O/P's outgoing logs. That sounds like a hack of some sort - another server using "MY_SERVER_IP" as a proxy, perhaps. I don't know how that is even possible or what traces of such abuse might exist (or where, presumably that would be with the ISP). In any event, checking "MY_SERVER_IP" in the senderbase.org lookup is a very good starting point, good call petzl.
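The forward/reverse DNS check petzl suggests and the PBL-style list lookup Farelf mentions, as an added example that is not code from the thread: forward-confirmed reverse DNS (PTR first, then A, and the original address must come back) plus a reversed-octet DNSBL query. The resolver hooks, the stub DNS table, the 203.0.113.x addresses and the zone name dnsbl.example are all constructed; with the defaults the functions use the system resolver, and the reader substitutes the zone of the list they actually query and reads the meaning of its 127.0.0.x answers from that list's documentation.

```python
"""Forward-confirmed reverse DNS (FCrDNS) and a DNSBL lookup for a sending IP.
Added example, not from the thread.  `resolve_ptr` / `resolve_a` are hypothetical
hooks: the defaults use the system resolver, and the stub_* functions answer from
a constructed table so the checks run and test offline.  dnsbl.example is a
placeholder zone name."""
import ipaddress
import socket

def system_ptr(ip):
    """PTR names for ip via the system resolver (empty list when none)."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host] + aliases
    except OSError:
        return []

def system_a(name):
    """A records for name via the system resolver (empty list on NXDOMAIN/failure)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

# constructed DNS table: one well-configured mail host, one dynamic-pool address
# whose rDNS does not round-trip and which the placeholder DNSBL lists
FAKE_DNS = {
    "PTR:203.0.113.45": ["mail.example.net"],
    "A:mail.example.net": ["203.0.113.45"],
    "PTR:203.0.113.46": ["dsl-46.pool.example-isp.net"],
    "A:dsl-46.pool.example-isp.net": ["203.0.113.99"],
    "A:46.113.0.203.dnsbl.example": ["127.0.0.10"],
}

def stub_ptr(ip):
    return FAKE_DNS.get("PTR:" + ip, [])

def stub_a(name):
    return FAKE_DNS.get("A:" + name, [])

def fcrdns(ip, resolve_ptr=system_ptr, resolve_a=system_a):
    """Reverse-resolve ip, forward-resolve each name, keep the names that map back
    to ip.  status is one of confirmed / mismatch / no-rdns."""
    names = resolve_ptr(ip)
    if not names:
        return {"ip": ip, "status": "no-rdns", "names": [], "confirmed": []}
    confirmed = [n for n in names if ip in resolve_a(n)]
    return {"ip": ip, "status": "confirmed" if confirmed else "mismatch",
            "names": names, "confirmed": confirmed}

def dnsbl_query(ip, zone, resolve_a=system_a):
    """Look up <d.c.b.a>.<zone> for IPv4 a.b.c.d; any A answer means the IP is listed,
    and the answer's value carries the list's own reason code."""
    ipaddress.IPv4Address(ip)                        # reject anything that is not IPv4
    reversed_octets = ".".join(reversed(ip.split(".")))
    return resolve_a(f"{reversed_octets}.{zone}")

def check_sender(ip, zone="dnsbl.example", resolve_ptr=system_ptr, resolve_a=system_a):
    """Both checks combined into the summary you would want for one sending IP."""
    report = fcrdns(ip, resolve_ptr, resolve_a)
    report["dnsbl"] = dnsbl_query(ip, zone, resolve_a)
    return report

if __name__ == "__main__":
    for ip in ("203.0.113.45", "203.0.113.46", "203.0.113.47"):
        print(check_sender(ip, resolve_ptr=stub_ptr, resolve_a=stub_a))
```

Run stand-alone it reports the three constructed cases (confirmed, mismatch plus listed, no rDNS); called with the default resolvers and a real list's zone it performs the same lookup that a senderbase-style web form does, which is useful when the question is whether a server address is in a policy list rather than whether it sent one particular message.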

