Trace SPAMMER

biripada

Hi All,

I provide a proxy service, and one user sent spam mail using our service; below is that mail header. I have iptables logging enabled, and there is no issue with it: I verified that it gives correct results for other abuse cases like CBL etc.

The report below says a connection was made from MY_SERVER_IP to 149.174.103.88 at the given time.

But in the iptables log I don't see any connection made to this IP, 149.174.103.88.

Am I taking the correct destination IP from the following header? Please help; I need to trace the user who spammed.

Thank you

=====================

Received: from core-lga05d.mail.aol.com (core-lga05.mail.aol.com [10.76.11.5])
by mtaomg-aai02.mx.aol.com (OMAG/Core Interface) with ESMTP id E234338000082;
Wed, 5 Nov 2014 16:00:39 -0500 (EST)
X-MB-Message-Source: WebUI
Subject: PLEASE I NEED YOUR URGENT ATTENTION
X-MB-Message-Type: User
MIME-Version: 1.0
From: xxxxtopher Edward <xxxxtopher.edward2[at]aol.co.uk>
Content-Type: multipart/alternative;
boundary="--------MB_8D1C752AFAE926C_1104_10EFB3_webmail-va085.sysops.aol.com"
X-Mailer: AOL Webmail STANDARD
Received: from MY_SERVER_IP by webmail-va085.sysops.aol.com (149.174.103.88) with
HTTP (WebMailUI); Wed, 05 Nov 2014 16:00:38 -0500
Message-Id: <8D1C__________________C11D[at]webmail-va085.sysops.aol.com>
X-Originating-IP: [MY_SERVER_IP]
Date: Wed, 5 Nov 2014 16:00:38 -0500
x-aol-global-disposition: S
X-spam-FLAG: YES
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com;
s=20140625; t=1415221249;
bh=SID3WEUl/Mm/0P3neBBy7O/tQSr64ExaJ7aerAb5RaU=;
h=From:Subject:Message-Id:Date:MIME-Version:Content-Type;
b=b82VXaKg4vUytw0XjcB4T7bY6IexhDQJJIJufiq1K+Up4e7KjZ97660dgTakwqpBw
s8PsYE+PusDtRfA7QruuT0Fx8ZCOsqeoOxqhcTrcmAtVKf+xiG1M+C1eb0IzV4AecD
kbFEeD1QNN4axIRvTGnNRzdDW9r2tUk3DKQRekC8=
X-AOL-REROUTE: YES
x-aol-sid: 3039ac1b0264545a8ff7727f
X-spam-Score: 15.9/5
======================================================

Seems like it, biripada - but usually the originating IP address is taken from the first "Received:" line ("X-....:" lines should never be trusted, too easy to forge), often in the form

Received: from MY_SERVER_NAME (MY_SERVER_IP) by webmail-va085.sysops.aol.com (149.174.103.88) with HTTP (WebMailUI);
      Wed, 05 Nov 2014 16:00:38 -0500

I assume you have checked your IP address in the CBL for any evidence of compromise/relay?

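The advice above (take the injecting hop from the "Received:" chain, ignore X-Originating-IP, then look for that destination and time in the firewall log) as a worked script. This is an added example for this thread, not code from SpamCop, AOL or the original poster. The header block mirrors the one posted above with 192.0.2.10 (a documentation address) standing in for MY_SERVER_IP; the iptables LOG-target lines are constructed, and the proxy host is assumed to log in UTC. Note that the hop that injected the message is the last "Received:" header in the block (each relay prepends its own), which is the one Farelf calls the first line when reading from the origin upwards.

```python
"""Find the injecting hop in a mail header block and look for the matching
outbound connection in iptables LOG lines.  Added example, not SpamCop/AOL
code; 192.0.2.10 stands in for MY_SERVER_IP and the log lines are constructed.
The proxy host is assumed to write its syslog timestamps in UTC."""
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed: the two Received: headers posted above plus the X- header that
# must not be relied on (anyone can write it).
SAMPLE_HEADERS = """\
Received: from core-lga05d.mail.aol.com (core-lga05.mail.aol.com [10.76.11.5])
 by mtaomg-aai02.mx.aol.com (OMAG/Core Interface) with ESMTP id E234338000082;
 Wed, 5 Nov 2014 16:00:39 -0500 (EST)
Received: from 192.0.2.10 by webmail-va085.sysops.aol.com (149.174.103.88) with
 HTTP (WebMailUI); Wed, 05 Nov 2014 16:00:38 -0500
X-Originating-IP: [192.0.2.10]
"""

# Constructed iptables LOG lines (syslog format: no year, server-local time).
IPTABLES_LOG = [
    "Nov  5 20:55:01 proxy1 kernel: [ 1001.100000] OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.7 PROTO=TCP SPT=40001 DPT=25 SYN",
    "Nov  5 21:00:37 proxy1 kernel: [ 1002.200000] OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=149.174.103.88 PROTO=TCP SPT=40002 DPT=443 SYN",
    "Nov  5 22:30:00 proxy1 kernel: [ 1003.300000] OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=149.174.103.88 PROTO=TCP SPT=40003 DPT=443 SYN",
]


def unfold(raw):
    """Join RFC 5322 folded lines (leading whitespace continues the header)."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def header_values(raw, name):
    """All values of header `name`, top to bottom, case-insensitive."""
    prefix = name.lower() + ":"
    return [l[len(prefix):].strip() for l in unfold(raw)
            if l.lower().startswith(prefix)]


def parse_received(value):
    """Split a Received: value into from/by clauses, the IPs in each, and the
    timestamp after the final ';'."""
    body, _, when = value.rpartition(";")
    m = re.search(r"from\s+(.*?)\s+by\s+(.*?)(?:\s+(?:with|via|id|for)\b|$)",
                  body, re.S)
    if not m:
        return None
    return {"from": m.group(1), "from_ips": IPV4.findall(m.group(1)),
            "by": m.group(2), "by_ips": IPV4.findall(m.group(2)),
            "time": parsedate_to_datetime(when.strip()) if when.strip() else None}


def origin_hop(raw):
    """The injecting hop is the LAST Received: header: each relay prepends its
    own, so the earliest one ends up at the bottom of the block."""
    hops = [parse_received(v) for v in header_values(raw, "Received")]
    hops = [h for h in hops if h]
    return hops[-1] if hops else None


def parse_iptables_line(line, year, tz=timezone.utc):
    """Timestamp, SRC and DST from a kernel LOG line.  Syslog omits the year
    and uses local time, so the caller supplies both."""
    parts = line.split()
    ts = datetime.strptime(" ".join(parts[:3]), "%b %d %H:%M:%S")
    ts = ts.replace(year=year, tzinfo=tz)
    fields = dict(kv.split("=", 1) for kv in parts if "=" in kv)
    return ts, fields.get("SRC"), fields.get("DST")


def find_connections(log_lines, dst_ip, when, year,
                     window=timedelta(minutes=5), tz=timezone.utc):
    """Lines to dst_ip within +-window of `when`.  Both datetimes are
    timezone-aware, so the header's -0500 and the server's local time are
    compared as absolute instants rather than wall-clock digits."""
    hits = []
    for line in log_lines:
        ts, _src, dst = parse_iptables_line(line, year, tz)
        if dst == dst_ip and abs(ts - when) <= window:
            hits.append(line)
    return hits


def trace(raw, log_lines, year):
    """What the header claims versus what the firewall log shows."""
    hop = origin_hop(raw)
    hits = find_connections(log_lines, hop["by_ips"][0], hop["time"], year)
    return {"claimed_source": hop["from_ips"],
            "receiving_server": hop["by_ips"],
            "x_originating_ip": header_values(raw, "X-Originating-IP"),
            "injected_at": hop["time"].isoformat(),
            "log_hits": hits}


if __name__ == "__main__":
    for k, v in trace(SAMPLE_HEADERS, IPTABLES_LOG, 2014).items():
        print(f"{k}: {v}")
```

Two things to check before concluding the header is forged: that the server's syslog timezone really is the one passed in (a five-hour offset error is enough to miss a 16:00:38 -0500 hop entirely), and that the match is done on the "by" server's address (149.174.103.88, the AOL webmail front end), since that is the only destination the proxy would have connected to. A hit in the iptables log gives you the time and source port; mapping that back to the proxy user still needs the proxy's own access log keyed on the same time and destination.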


AOL have their servers set right IMO?

http://www.spamcop.net/sc?id=z5999203458zb60789c7280b61280c66a21b4fc75126z

In this case a compromised account using IP 95.141.28.118

Sent through AOL IP 64.12.143.76


Thanks Farelf and petzl.

None of the IPs present in the header are present in the log.

If the source IP (our IP) is correctly mentioned here, I should have got an entry for "Received: from MY_SERVER_IP by webmail-va085.sysops.aol.com (149.174.103.88)".

Yes. In the CBL our IP was listed 1 week ago, but for a Conficker issue, not for spamming. I was able to track the user and block the user using the information the CBL provided.

So it means anybody can provide a report to SpamCop with a forged source IP. The problem is my ISP is creating pressure on me.

Thank you


If there was a forged header improperly implicating you in a SpamCop report, you could try writing to the SpamCop administrator, Don D'Minion (spamcop[at]spro.net). If he can verify the forgery (and he sees more of this stuff than any of the rest of us), that might help with your ISP. On the external evidence MY_SERVER_IP would definitely be seen as the apparent source - the SC parser would pick that from the first "Received:" line.



Good that the Botnet infection was dealt with?

Also check that "MY_SERVER_IP" has matching forward/reverse DNS.

Check yours here

http://www.senderbase.org/lookup/?search_string=149.174.103.88

Years ago many mail servers rejected on that alone, and may still do; rDNS is another weakness. I doubt a mail server would stamp the wrong IP?

Many spammers simply change their computer name from "My Computer" to "([MY_SERVER_IP])", but that would not fool AOL or SpamCop.

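The forward/reverse DNS check petzl suggests, as an added example for this thread (not SenderBase's or SpamCop's own logic). It performs a forward-confirmed reverse DNS (FCrDNS) lookup: the PTR for the address must resolve back to the same address. By default it asks the system resolver; the constructed zone table lets the same check run offline, with 192.0.2.10 standing in for MY_SERVER_IP and the other addresses and names invented to show the failure cases.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for a sending address.
Added example; the FAKE_* tables are constructed data, not real DNS."""
import socket


def system_ptr(ip):
    """PTR name for ip from the system resolver, or None if there is none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def system_a(name):
    """IPv4 addresses the name resolves to (empty if it does not resolve)."""
    try:
        return sorted({ai[4][0] for ai in
                       socket.getaddrinfo(name, None, socket.AF_INET)})
    except OSError:
        return []


def fcrdns(ip, ptr_lookup=system_ptr, a_lookup=system_a):
    """Classify ip and return (status, ptr_name, forward_ips):
      'ok'        PTR exists and the name resolves back to ip
      'mismatch'  PTR exists but its forward records do not include ip
                  (includes a PTR name that does not resolve at all)
      'no-ptr'    no reverse record"""
    name = ptr_lookup(ip)
    if not name:
        return "no-ptr", None, []
    fwd = a_lookup(name)
    return ("ok" if ip in fwd else "mismatch"), name, fwd


# Constructed zone data for an offline run (assumption: none of this is live).
FAKE_PTR = {"192.0.2.10": "mail.example.net",     # forward matches
            "192.0.2.11": "host.example.org",     # forward points elsewhere
            "198.51.100.20": "gw.example.com"}    # PTR name never resolves
FAKE_A = {"mail.example.net": ["192.0.2.10"],
          "host.example.org": ["198.51.100.5"]}


def check_offline(ip):
    """Same check against the constructed tables instead of live DNS."""
    return fcrdns(ip, FAKE_PTR.get, lambda n: FAKE_A.get(n, []))


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "198.51.100.20", "203.0.113.9"):
        print(ip, check_offline(ip))
```

Run `fcrdns("MY_SERVER_IP")` with the real address to get the live answer; a 'mismatch' or 'no-ptr' result is what the lookups petzl and Farelf mention would flag, and it is fixed on the ISP's side (the PTR) and the DNS side (the A record), independently of the missing log entry.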


I'm guessing there is no "MY_SERVER_NAME", otherwise the AOL header would have shown it? rDNS is another matter - as is whether or not "MY_SERVER_IP" is in the Spamhaus PBL or the equivalent in sorbs.net (which feeding it into the senderbase lookup would also show, for both/either). None of which, whatever the results and whatever the implications for messaging from the O/P's server IN GENERAL, answers the question why the particular transaction was not picked up in the O/P's outgoing logs. That sounds like a hack of some sort - another server using "MY_SERVER_IP" as a proxy, perhaps. I don't know how that is even possible or what traces of such abuse might exist (or where; presumably that would be with the ISP). In any event, checking "MY_SERVER_IP" in the senderbase.org lookup is a very good starting point, good call petzl.


Archived

This topic is now archived and is closed to further replies.
