Yo-Popa, posted April 25, 2007

I've started getting spam which SpamCop parses as coming from my domain (CustomMade.com). It looks to me like the spammers have a new way of eliminating the source IP address and substituting the IP of the recipient. Is this possible, or is the spam really coming from my domain? It appears to me that this spam came from static24-72-115-169.yorkton.accesscomm.ca, but there is no IP in the header except for mine. Here is an example showing just the header, with my e-mail address munged:

Return-Path: <tdqoroyof[at]hotmail.com>
Received: from static24-72-115-169.yorkton.accesscomm.ca (custommade.com [208.234.14.70] (may be forged))
    by custommade.com (8.12.10/8.12.10) with SMTP id l3PEFsK4031073
    for <xxx[at]xxxxxxx>; Wed, 25 Apr 2007 10:15:56 -0400
Message-ID: <811701c78742$df1bbc91$ba0d5b8b[at]hotmail.com>
From: tdqoroyof[at]hotmail.com
To: xxx[at]xxxxxxxx
Subject: =?windows-1251?B?z+7s7ubl7CDxIPDl6uvg7O7p?=
Date: Wed, 25 Apr 2007 14:03:29 +0000
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_0000_B1468237.EB16C9FD"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express V6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-UIDL: +Im!!K]l"!Y]A!!M"Q"!
Telarin, posted April 25, 2007

Is that IP address by any chance the IP for a web server that you operate? It is quite possible that they are somehow abusing a feedback form on the site to send you spam from your own website.
Yo-Popa (author), posted April 25, 2007

> Is that IP address by any chance the IP for a web server that you operate? It is quite possible that they are somehow abusing a feedback form on the site to send you spam from your own website.

Yes, that IP is my mail server. I do not have any forms on my website. There probably is a FormMail in the CGI bin.
StevenUnderwood, posted April 25, 2007

> Yes, that IP is my mail server. I do not have any forms on my website. There probably is a FormMail in the CGI bin.

If those are the only headers on the message, then your mail server put them there.

    by custommade.com (8.12.10/8.12.10) with SMTP id l3PEFsK4031073
    for <xxx[at]xxxxxxx>; Wed, 25 Apr 2007 10:15:56 -0400

Are there any other logs you can see this connection with (firewall or SMTP, for instance) to confirm whether the message was or was not sent internally? How do these headers compare with valid messages coming through normal channels?

P.S. With this post, this thread will be moved into the Lounge. Not sure if it is a reporting problem (did you receive this spam and are trying to report it) or a blocklist problem (you got this spam report and are trying to explain it).
Yo-Popa (author), posted April 25, 2007

> If those are the only headers on the message, then your mail server put them there. Are there any other logs you can see this connection with (firewall or SMTP, for instance) to confirm whether the message was or was not sent internally? How do these headers compare with valid messages coming through normal channels?
>
> P.S. With this post, this thread will be moved into the Lounge. Not sure if it is a reporting problem (did you receive this spam and are trying to report it) or a blocklist problem (you got this spam report and are trying to explain it).

Where did my mail server get the part "Received: from static24-72-115-169.yorkton.accesscomm.ca"? Normally the headers from normal channels have the source IP address and SpamCop parses them easily. I report a lot of spam daily, but in this case I'm trying to figure out if my server is being used to send spam, possibly to others.
StevenUnderwood, posted April 25, 2007

> Where did my mail server get the part "Received: from static24-72-115-169.yorkton.accesscomm.ca"? Normally the headers from normal channels have the source IP address and SpamCop parses them easily. I report a lot of spam daily, but in this case I'm trying to figure out if my server is being used to send spam, possibly to others.

A normal (simple) mail conversation goes:

    telnet host 25
    helo (or ehlo) MYHOSTNAME
    mail from: <MY EMAIL ADDRESS>
    rcpt to: <YOUR EMAIL ADDRESS>
    data
    ...

static24-72-115-169.yorkton.accesscomm.ca would have been in place of MYHOSTNAME and can be whatever the sending side wants it to be. By RFC, it should be the FQDN of the host sending the message, but getting spammers to follow the RFCs is like.... The IP address is the only trustable information, because it is generated by your server AND the sender needs to send information and get replies back from that same IP for the transmission to work correctly.
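The point made in the two posts above (the HELO name is client-supplied, the bracketed IP is what the receiving server observed) can be checked mechanically. The following is an added example, not code from the thread or from SpamCop: it parses a sendmail-style Received clause, separates the untrusted HELO name from the connection IP the server recorded, notes sendmail's "(may be forged)" marker (which sendmail adds when the reverse-DNS name of the connecting IP does not resolve back to that IP), and flags the case in the thread, where the connecting IP is the receiving server's own address. The first sample is the Received line quoted in the thread; the second is a constructed contrasting line from an outside host (192.0.2.10 is documentation address space). The function names are mine.

```python
import re
from ipaddress import ip_address

# Copy of the Received: header quoted in the thread, joined onto one line.
THREAD_RECEIVED = (
    "from static24-72-115-169.yorkton.accesscomm.ca "
    "(custommade.com [208.234.14.70] (may be forged)) "
    "by custommade.com (8.12.10/8.12.10) with SMTP id l3PEFsK4031073 "
    "for <xxx[at]xxxxxxx>; Wed, 25 Apr 2007 10:15:56 -0400"
)

# Constructed contrasting header for a message that arrived from an outside
# host. 192.0.2.10 is documentation space, not a real sender.
EXTERNAL_RECEIVED = (
    "from mail.example.net (mail.example.net [192.0.2.10]) "
    "by custommade.com (8.12.10/8.12.10) with ESMTP id ABC123 "
    "for <xxx[at]xxxxxxx>; Wed, 25 Apr 2007 10:20:00 -0400"
)

# Sendmail-style clause: "from HELO (rDNS [IP] (may be forged)) by HOST".
# HELO is whatever the client typed; rDNS and IP are what the receiving
# server observed on the TCP connection, so only the IP is trustworthy.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]"
    r"(?P<forged>\s*\(may be forged\))?\)\s+"
    r"by\s+(?P<by>\S+)"
)


def parse_received(line):
    """Split one Received clause into its client-supplied and server-observed fields."""
    m = RECEIVED_RE.search(line)
    if not m:
        raise ValueError("not a sendmail-style Received clause")
    return {
        "helo": m.group("helo"),                      # untrusted, client-supplied
        "rdns": m.group("rdns"),                      # server's reverse lookup of ip
        "ip": m.group("ip"),                          # the only trustworthy field
        "may_be_forged": m.group("forged") is not None,
        "by": m.group("by"),
    }


def assess(line, own_ips):
    """Report which fields can be trusted and whether the hop came from our own host.

    own_ips: addresses of the receiving server itself (the thread's 208.234.14.70).
    """
    hop = parse_received(line)
    src = ip_address(hop["ip"])
    local_origin = src in {ip_address(a) for a in own_ips}
    findings = []
    if local_origin:
        findings.append("connecting IP is the receiving server itself: look for a "
                        "local process, web form or relay rather than an outside sender")
    if hop["may_be_forged"]:
        findings.append("reverse DNS of the IP did not map back to it; the rDNS name is unverified")
    if hop["rdns"] and hop["helo"] != hop["rdns"]:
        findings.append("HELO name differs from rDNS name; HELO is client-supplied and untrusted")
    return {"hop": hop, "trusted_ip": hop["ip"],
            "local_origin": local_origin, "findings": findings}


if __name__ == "__main__":
    for line in (THREAD_RECEIVED, EXTERNAL_RECEIVED):
        result = assess(line, ["208.234.14.70"])
        print(result["trusted_ip"], result["local_origin"])
        for f in result["findings"]:
            print("  -", f)
```

Run against the thread's header, the only address the parser reports as trustworthy is 208.234.14.70, the receiving server itself, which is exactly why the next thing to look at is the local access and SMTP logs rather than the accesscomm.ca name in the HELO.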
Wazoo, posted April 25, 2007

ns0.aitcom.net reports the following MX records:

    Preference  Host Name            IP Address
    10          custommade.com       216.117.131.69
    20          mail.custommade.com  216.117.131.69

Then I/we get confused again by some of the SenderBase data that I still can't get anyone there to explain to me ... http://www.senderbase.org/search?searchBy=...g=208.234.14.70

    Volume Statistics for this IP
                  Magnitude  Vol Change vs. Average
    Last day      3.1        -89%
    Last 30 days  2.0        -99%
    Average       4.0
    Date of first message seen from this address: 2003-11-04

No address list shown since no email was detected from custommade.com.

But then I/we look at http://www.senderbase.org/search?searchBy=...=custommade.com

    Volume Statistics for this Domain
                  Magnitude  Vol Change vs. 30 Day
    Last day      3.1        1151%
    Last 30 days  2.0
    Date of first message seen from this domain: 2005-07-22

No address list shown since no email was detected from custommade.com.

At any rate, from what has been stated thus far, the next source of data needed would be something from the access logs to see just who is tapping into something that would be capable of sending an e-mail ...