biripada Posted November 7, 2014

Hi All,

I provide a proxy service, and one user sent SPAM MAIL using our service; below is that mail header. I have iptables logging enabled, and there is no issue with it: I verified it and it gives correct results for other abuse cases like CBL etc.

From the report below it says a connection was made from MY_SERVER_IP to 149.174.103.88 at the given time. But in the iptables log I don't see any connection made to this IP, 149.174.103.88. Am I taking the correct destination IP from the following header? Please help. I need to trace the user who spammed.

Thank you

=====================
Received: from core-lga05d.mail.aol.com (core-lga05.mail.aol.com [10.76.11.5]) by mtaomg-aai02.mx.aol.com (OMAG/Core Interface) with ESMTP id E234338000082; Wed, 5 Nov 2014 16:00:39 -0500 (EST)
X-MB-Message-Source: WebUI
Subject: PLEASE I NEED YOUR URGENT ATTENTION
X-MB-Message-Type: User
MIME-Version: 1.0
From: xxxxtopher Edward <xxxxtopher.edward2[at]aol.co.uk>
Content-Type: multipart/alternative; boundary="--------MB_8D1C752AFAE926C_1104_10EFB3_webmail-va085.sysops.aol.com"
X-Mailer: AOL Webmail STANDARD
Received: from MY_SERVER_IP by webmail-va085.sysops.aol.com (149.174.103.88) with HTTP (WebMailUI); Wed, 05 Nov 2014 16:00:38 -0500
Message-Id: <8D1C__________________C11D[at]webmail-va085.sysops.aol.com>
X-Originating-IP: [MY_SERVER_IP]
Date: Wed, 5 Nov 2014 16:00:38 -0500
x-aol-global-disposition: S
X-spam-FLAG: YES
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com; s=20140625; t=1415221249; bh=SID3WEUl/Mm/0P3neBBy7O/tQSr64ExaJ7aerAb5RaU=; h=From:Subject:Message-Id:Date:MIME-Version:Content-Type; b=b82VXaKg4vUytw0XjcB4T7bY6IexhDQJJIJufiq1K+Up4e7KjZ97660dgTakwqpBw s8PsYE+PusDtRfA7QruuT0Fx8ZCOsqeoOxqhcTrcmAtVKf+xiG1M+C1eb0IzV4AecD kbFEeD1QNN4axIRvTGnNRzdDW9r2tUk3DKQRekC8=
X-AOL-REROUTE: YES
x-aol-sid: 3039ac1b0264545a8ff7727f
X-spam-Score: 15.9/5
======================================================
Farelf Posted November 7, 2014

Seems like it, biripada - but usually the originating IP address is taken from the first "Received:" line ("X-....:" lines should never be trusted, too easy to forge), often in the form

Received: from MY_SERVER_NAME (MY_SERVER_IP) by webmail-va085.sysops.aol.com (149.174.103.88) with HTTP (WebMailUI); Wed, 05 Nov 2014 16:00:38 -0500

I assume you have checked your IP address in the CBL for any evidence of compromise/relay?
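Parsing the posted header the way the reply above describes, as an added example that is not from the thread and not SpamCop's own parser: it walks the Received: chain from the newest hop back to the oldest, treats only hosts under an assumed trusted suffix (".aol.com" here) as trustworthy, and reports the hop at which the message entered that network; that hop's recorded peer is the apparent source. X-Originating-IP is read only for comparison, never as evidence. The sample is a constructed copy of the header above with 192.0.2.10 (an RFC 5737 documentation address) standing in for MY_SERVER_IP and placeholder From:/Message-Id values; the address and the trusted suffix are assumptions.

```python
import re
from email import message_from_string

# Constructed sample modelled on the header posted in the thread.
# 192.0.2.10 is a documentation address standing in for MY_SERVER_IP (assumption).
SAMPLE_HEADERS = """\
Received: from core-lga05d.mail.aol.com (core-lga05.mail.aol.com [10.76.11.5])
 by mtaomg-aai02.mx.aol.com (OMAG/Core Interface) with ESMTP id E234338000082;
 Wed, 5 Nov 2014 16:00:39 -0500 (EST)
X-MB-Message-Source: WebUI
Subject: PLEASE I NEED YOUR URGENT ATTENTION
MIME-Version: 1.0
From: Placeholder Sender <sender@example.invalid>
Received: from 192.0.2.10 by webmail-va085.sysops.aol.com (149.174.103.88)
 with HTTP (WebMailUI); Wed, 05 Nov 2014 16:00:38 -0500
Message-Id: <placeholder@webmail-va085.sysops.aol.com>
X-Originating-IP: [192.0.2.10]
Date: Wed, 5 Nov 2014 16:00:38 -0500

(body omitted)
"""

# "from <name> (<rdns> [<ip>]) by <host> (<info>)"; the parenthesised parts are optional.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<from_info>[^)]*)\))?"
    r"\s+by\s+(?P<by>\S+)(?:\s+\((?P<by_info>[^)]*)\))?",
    re.IGNORECASE,
)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_received(value):
    """Parse one Received: header value into a dict, or None if it is not 'from ... by ...'."""
    value = " ".join(value.split())          # unfold continuation lines
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    hop = m.groupdict()
    # The peer IP written by the receiving MTA lives in the bracketed part of
    # the from-info; fall back to the bare 'from' token when it is itself an IP.
    ip = None
    if hop["from_info"]:
        found = IPV4_RE.search(hop["from_info"])
        ip = found.group(1) if found else None
    if ip is None:
        found = IPV4_RE.fullmatch(hop["from"].strip("[]"))
        ip = found.group(1) if found else None
    hop["ip"] = ip
    hop["raw"] = value
    return hop


def hop_chain(raw_headers):
    """Hops in delivery order: the last Received: line in the message is the first hop."""
    msg = message_from_string(raw_headers)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    return [h for h in reversed(hops) if h]


def entry_point(raw_headers, trusted_suffix):
    """Walk newest -> oldest. The first hop whose receiving host is trusted but whose
    sending host is not is where the message entered the trusted network; anything
    older than that hop could have been written by the sender and is not evidence."""
    for hop in reversed(hop_chain(raw_headers)):
        by_trusted = hop["by"].lower().endswith(trusted_suffix)
        from_trusted = hop["from"].lower().endswith(trusted_suffix)
        if by_trusted and not from_trusted:
            return hop
    return None


def claimed_originating_ip(raw_headers):
    """X-Originating-IP is sender-controllable; returned only so it can be compared."""
    v = message_from_string(raw_headers).get("X-Originating-IP")
    found = IPV4_RE.search(v) if v else None
    return found.group(1) if found else None


if __name__ == "__main__":
    for i, hop in enumerate(hop_chain(SAMPLE_HEADERS), 1):
        print(f"hop {i}: {hop['from']} -> {hop['by']}  peer ip={hop['ip']}")
    entry = entry_point(SAMPLE_HEADERS, ".aol.com")
    print("apparent source (entry into trusted network):", entry["ip"], "via", entry["by"])
    print("X-Originating-IP claims (untrusted):", claimed_originating_ip(SAMPLE_HEADERS))
```

On the posted header this reports 192.0.2.10 (i.e. MY_SERVER_IP) as the peer recorded by webmail-va085.sysops.aol.com, which is why a reporter or parser would name that address as the source regardless of what X-Originating-IP says. Note that the hop is an HTTP (WebMailUI) session to 149.174.103.88, not an SMTP delivery, so the corresponding outbound connection to look for on the proxy is a web session to that host at 16:00:38 -0500.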
petzl Posted November 7, 2014

> Hi All, I provide a proxy service, and one user sent SPAM MAIL using our service; below is that mail header. I have iptables logging enabled, and there is no issue with it: I verified it and it gives correct results for other abuse cases like CBL etc. From the report below it says a connection was made from MY_SERVER_IP to 149.174.103.88 at the given time. But in the iptables log I don't see any connection made to this IP, 149.174.103.88. Am I taking the correct destination IP from the following header? Please help. I need to trace the user who spammed. Thank you

AOL have their servers set right IMO?
http://www.spamcop.net/sc?id=z5999203458zb60789c7280b61280c66a21b4fc75126z
In this case a compromised account using IP 95.141.28.118 sent through AOL IP 64.12.143.76.
biripada Posted November 7, 2014 (Author)

Thanks Farelf and petzl.

None of the IPs present in the header are present in the log. If the source IP (our IP) is correctly mentioned here, I should have got an entry for "Received: from MY_SERVER_IP by webmail-va085.sysops.aol.com (149.174.103.88)".

Yes, in the CBL our IP was listed 1 week ago, but for a Conficker issue, not for spamming. I was able to track the user and block the user from the CBL-provided information.

So it means anybody can provide a report to SpamCop with a forged source IP. The problem is my ISP is putting pressure on me.

Thank you
Farelf Posted November 7, 2014

If there was a forged header improperly implicating you in a SpamCop report you could try writing to the SpamCop administrator, Don D'Minion (spamcop[at]spro.net). If he can verify the forgery (and he sees more of this stuff than any of the rest of us) that might help with your ISP. On the external evidence MY_SERVER_IP would definitely be seen as the apparent source - the SC parser would pick that from the first "Received:" line.
petzl Posted November 8, 2014

> Thanks Farelf and petzl. None of the IPs present in the header are present in the log. If the source IP (our IP) is correctly mentioned here, I should have got an entry for "Received: from MY_SERVER_IP by webmail-va085.sysops.aol.com (149.174.103.88)". Yes, in the CBL our IP was listed 1 week ago, but for a Conficker issue, not for spamming. I was able to track the user and block the user from the CBL-provided information. So it means anybody can provide a report to SpamCop with a forged source IP. The problem is my ISP is putting pressure on me. Thank you

Good that the botnet infection was dealt with?

Also check that "MY_SERVER_IP" has matching forward/reverse DNS. Check yours here:
http://www.senderbase.org/lookup/?search_string=149.174.103.88

Years ago many mail servers rejected on that alone, and may still do; rDNS is another weakness. I doubt a mail server would stamp the wrong IP. Many spammers simply change their computer name from "My Computer" to "([MY_SERVER_IP])", but that would not fool AOL or SpamCop.
Farelf Posted November 8, 2014

> ... Also check that "MY_SERVER_IP" has matching forward/reverse DNS. Check yours here: http://www.senderbase.org/lookup/?search_string=149.174.103.88 ...

I'm guessing there is no "MY_SERVER_NAME", otherwise the AOL header would have shown it? rDNS is another matter - as is whether or not "MY_SERVER_IP" is in the Spamhaus PBL or the equivalent in sorbs.net (which feeding it into the senderbase lookup would also show, for both/either). None of which, whatever the results and whatever the implications for messaging from the O/P's server IN GENERAL, answers the question why the particular transaction was not picked up in the O/P's outgoing logs. That sounds like a hack of some sort - another server using "MY_SERVER_IP" as a proxy, perhaps. I don't know how that is even possible or what traces of such abuse might exist (or where; presumably that would be with the ISP). In any event, checking "MY_SERVER_IP" in the senderbase.org lookup is a very good starting point, good call petzl.
biripada Posted November 8, 2014 (Author)

Thanks all.