Morning!

Since some days I get returned mails from unknown mail users, which seems to mean that someone is spamming from our machine. But when I analyze the header of the original mail I find a line:

Received: from 210.97.42.1 (HELO scc.co.at) (210.97.42.1) << although the IP of scc.co.at is 193.81.182.39

The IP 210.97.42.1 keeps changing when reading other similar mails.

My questions:
1) Is it possible that someone broke into our machine and sent this mail directly over scc.co.at?
2) What can I do to stop those spammers?

ThanX
Martin

The header of the original message:
---------------------------------------------------------------
X-Track: 92154: 2
X-Rocket-Spam: 210.97.42.1
X-YahooFilteredBulk: 210.97.42.1
Return-Path: <rjnr3245i37@scc.co.at>
Received: from 210.97.42.1 (HELO scc.co.at) (210.97.42.1) by mta514.mail.yahoo.com with SMTP; 28 Feb 2002 15:32:36 -0800 (PST)
Reply-To: <rjnr3245i37@scc.co.at>
Message-ID: <001a07e37abc$2777d8d5$6ce83be4@lplwmr>
From: <rjnr3245i37@scc.co.at>
To: <doctorbutcher@yahoo.com>
---------------------------------------------------------------

-----------------------------------------------------------------
Dipl.-Ing. Martin Schichl
SC&C Software, Communication & Consulting GmbH & Co KEG
Grottenhofstr. 3, A-8053 Graz
Tel. +43/(0)316/265-205, Fax +43/(0)316/265-234
mschichl@scc.co.at, http://scc.co.at
-----Original Message-----
From: Martin Schichl [mailto:mschichl@scc.co.at]
Sent: 1 March 2002 07:06
To: suse-security@suse.com
Subject: [suse-security] Spamming ...

> Since some days I get returned mails from unknown mail users, which seems to mean that someone is spamming from our machine. But when I analyze the header of the original mail I find a line:
> Received: from 210.97.42.1 (HELO scc.co.at) (210.97.42.1) << although the IP of scc.co.at is 193.81.182.39
> The IP 210.97.42.1 keeps changing when reading other similar mails.
> 1) Is it possible that someone broke into our machine and sent this mail directly over scc.co.at?
> 2) What can I do to stop those spammers?

Hi Martin

This is known as a "Joe job". The spammer apparently made references to your domain in the "Reply-To" header of the spam mail. I haven't dealt with a similar problem here, but I suggest you consult "news.admin.net-abuse.email". The regulars in there have a great deal of experience in combatting spam and the notorious "Joe jobs".

Hope this helps
Yarrel

[snipped]
Hey all,

I found something today which caused me a wry grin. I am using sendmail TLS 8.11 on a SuSE 7.3 box. According to http://www.abuse.net/cgi-bin/relaytest the server does not allow relay.

And now I am getting massive postmaster mails from the box, each claiming the same:

the original message was received at Sat, 25 May 2002 12:18:55 +0200 from nobody@localhost with id g4PAItb19508

mail header message. Anyone know what this is about?

regards Evert Smit
Hi,

You don't have a webserver running on this box? ... perhaps with a vulnerable CGI script such as the infamous FormMail.pl?

Best regards
Reto Inversini

----- Original Message -----
From: "Evert Smit" <admin@sidhe.net>
To: <suse-security@suse.com>
Sent: Saturday, May 25, 2002 1:16 PM
Subject: [suse-security] Spamming under sendmail 8.11 TLS

> I am using sendmail TLS 8.11 on a SuSE 7.3 box. According to http://www.abuse.net/cgi-bin/relaytest the server does not allow relay.
> And now I am getting massive postmaster mails from the box, each claiming the same:
> the original message was received at Sat, 25 May 2002 12:18:55 +0200 from nobody@localhost with id g4PAItb19508
> [...]

--
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
That's exactly what I just found!!!! One of my customers has been using it. I shut it down now.

Thanks for the input, greatly appreciated.

regards Evert

-----Original Message-----
From: Reto Inversini [mailto:inversini@datacomm.ch]
Sent: Saturday, May 25, 2002 1:41 PM
To: suse-security@suse.com
Subject: Re: [suse-security] Spamming under sendmail 8.11 TLS

> You don't have a webserver running on this box? ... perhaps with a vulnerable CGI script such as the infamous FormMail.pl?
> [...]
As far as I know version 1.9 of FormMail.pl is safe as long as it is properly configured (and the instructions are very clear). You have to configure a list of allowed recipients. If anyone knows different I would like to hear.

Bob

On Sat, 25 May 2002, Evert Smit wrote:

> That's exactly what I just found!!!! One of my customers has been using it. I shut it down now.
> [...]
> > You don't have a webserver running on this box? ... perhaps with a vulnerable CGI script such as the infamous FormMail.pl?
> [...]

==============================================================
Bob Vickers R.Vickers@cs.rhul.ac.uk
Dept of Computer Science, Royal Holloway, University of London
WWW: http://www.cs.rhul.ac.uk/home/bobv
Phone: +44 1784 443691
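The weakness Reto and Bob are circling is that early FormMail versions sent the message to whatever address the browser supplied in the form's "recipient" field, which turns any web server hosting the script into an anonymous mail relay; the fix Bob refers to is a configured recipient list. The following is an added example, not the thread's or FormMail's own code: a minimal recipient allowlist check beside the unchecked "before" shape, plus a single-line check on the header fields (the CR/LF point goes beyond what the thread discusses). The allowlist semantics, the domain names and the field names are assumptions made for the example.

```python
import re

# Assumed allowlist in the spirit of FormMail 1.9's @recipients: a full
# address matches exactly, an entry starting with "@" matches any local part
# at exactly that domain. The names are invented for this example.
ALLOWED_RECIPIENTS = ["webmaster@example.com", "@sales.example.com"]

_ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$")


def recipient_allowed(addr, allowlist=ALLOWED_RECIPIENTS):
    """Return True only if addr is one of the configured recipients.
    Anything else, including a superset domain like example.com.evil.org,
    is refused, so the form cannot be turned into a relay."""
    addr = addr.strip().lower()
    m = _ADDRESS.match(addr)
    if not m:
        return False
    domain = m.group(1)
    for entry in (e.lower() for e in allowlist):
        if entry.startswith("@"):
            if domain == entry[1:]:
                return True
        elif addr == entry:
            return True
    return False


def header_safe(value):
    """A header field must be a single line; CR or LF would let the submitter
    append extra headers (Bcc:, To:) to the generated message."""
    return "\r" not in value and "\n" not in value


def unchecked_message(form):
    """The 'before' shape: whatever the browser sent in 'recipient' becomes
    the destination. Kept here only to contrast with build_message."""
    return {"To": form.get("recipient", ""),
            "From": form.get("email", ""),
            "Subject": form.get("subject", "")}


def build_message(form, allowlist=ALLOWED_RECIPIENTS):
    """Hardened shape: returns (True, headers) or (False, reason).
    form is the decoded POST body as a dict of field name -> value."""
    recipient = form.get("recipient", "")
    if not recipient_allowed(recipient, allowlist):
        return False, "recipient not in allowlist"
    for field in ("email", "subject", "realname"):
        if not header_safe(form.get(field, "")):
            return False, "newline in " + field
    return True, {
        "To": recipient.strip(),
        "From": form.get("email") or "nobody@localhost",
        "Subject": form.get("subject") or "WWW Form Submission",
    }


if __name__ == "__main__":
    # Constructed submissions: one relay attempt, one legitimate post.
    print(build_message({"recipient": "victim@yahoo.com", "subject": "buy now"}))
    print(build_message({"recipient": "webmaster@example.com", "email": "a@b.org"}))
```

The allowlist is compared against the whole address or the exact domain, never by substring, so a "recipient" of webmaster@example.com.evil.org is refused; a script that checks only that the configured domain appears somewhere in the address is still a relay.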
In reply to Martin Schichl <mschichl@scc.co.at>:

> The IP 210.97.42.1 keeps changing when reading other similar mails.

Hi all ;)

I have the same problem from other IPs, from Korea and Austria, like for example:

Received: from UNKNOWN (210.99.118.62, claiming to be "sb.sabuk-gm.ed.kangwon.hs")

I'll mail them and their ISP ;)

Ivan R.
sysadmin
Yuppa, Martin Schichl wrote:

> Morning!
> Since some days I get returned mails from unknown mail users, which seems to mean that someone is spamming from our machine.
> But when I analyze the header of the original mail I find a line:
> Received: from 210.97.42.1 (HELO scc.co.at) (210.97.42.1) << although the IP of scc.co.at is 193.81.182.39
> The IP 210.97.42.1 keeps changing when reading other similar mails.

Perfectly normal spam. Mail headers can be faked easily, and there are plenty of spam-supporting MUAs out there (like the infamous Pegasus mailer in its early versions). Also, there are lots, lots of open relays on the internet, which are the spammer's most important "infrastructure" to spew out their garbage. I guess 3 out of 10 internet-connected MTAs suffer from improper anti-relay configurations, some of them accidentally, some of them deliberately; remember that spamming/direct marketing is a major business nowadays, with lots of $$$ floating around.

> My questions: 1) Is it possible that someone broke into our machine and sent this mail directly over scc.co.at?

If you're worried about the From: line in the mail header, calm down - most spammers use Bcc (blind carbon copy) lists for their mails, to hide the recipient list and to make things look "innocent".

> 2) What can I do to stop those spammers?

First of all, if you're running sendmail, make sure your current sendmail config includes the access_db feature. If so, add the offending FQDNs/IPs to the access file and reject any connection. Next, send a cooperative mail to the admin of the real scc.co.at (abuse@, hostmaster@, postmaster@, info@, etc.). Make sure you include the full mail with its headers. Also you may want to collect the mail logs of the incident, as well as any other log message connected with the spamming activity. This may give you clues about other unusual events in your logs as well.

> ThanX
> Martin
> [header of the original message snipped; see above]

Boris Lorenz <bolo@lupa.de>
---
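Two points in the thread lend themselves to one worked check: Yarrel's "Joe job" diagnosis rests on the Received line showing a peer that announced HELO scc.co.at from an address (210.97.42.1) that is not scc.co.at's, and Boris suggests feeding the offending addresses to sendmail's access map. The following is an added example, not code from the thread or from sendmail: it parses the two Received layouts quoted in the thread, flags peers that announced one of our own HELO names from a foreign address, and emits the corresponding access-file lines. The KNOWN_ADDRESSES table is an assumed offline stand-in for a DNS lookup, the mx.example.net line is constructed, and the other two lines are the ones Martin and Ivan quoted. One caveat a practitioner will want: this only blocks mail that 210.97.42.1 sends to you directly; the bounces Martin is actually drowning in come from third-party MTAs, and the access map does nothing about those.

```python
import ipaddress
import re

# Constructed sample input: the Received line from the bounce Martin quoted,
# Ivan's line in the other common layout, and one invented legitimate
# delivery from scc.co.at's real address (193.81.182.39, per Martin).
SAMPLE_RECEIVED = [
    "Received: from 210.97.42.1 (HELO scc.co.at) (210.97.42.1)"
    " by mta514.mail.yahoo.com with SMTP; 28 Feb 2002 15:32:36 -0800 (PST)",
    'Received: from UNKNOWN (210.99.118.62, claiming to be "sb.sabuk-gm.ed.kangwon.hs")',
    "Received: from scc.co.at (HELO scc.co.at) (193.81.182.39)"
    " by mx.example.net with SMTP; 1 Mar 2002 09:00:00 +0100",
]

# Assumed, offline stand-in for a DNS lookup: the addresses each HELO name is
# allowed to come from. In production you would resolve the name instead.
KNOWN_ADDRESSES = {"scc.co.at": {"193.81.182.39"}}

# Two layouts of the "from" clause seen in the thread:
#   from <peer> (HELO <name>) (<ip>)            (Yahoo's MTA)
#   from <peer> (<ip>, claiming to be "<name>")  (Ivan's MTA)
_HELO_STYLE = re.compile(
    r'^Received:\s+from\s+\S+\s+\(HELO\s+(?P<helo>[^)]+)\)\s+\((?P<ip>[0-9.]+)\)')
_CLAIM_STYLE = re.compile(
    r'^Received:\s+from\s+\S+\s+\((?P<ip>[0-9.]+),\s+claiming to be "(?P<helo>[^"]+)"\)')


def parse_received(line):
    """Extract (helo, ip) from a Received header, or None if the layout is unknown."""
    for pattern in (_HELO_STYLE, _CLAIM_STYLE):
        m = pattern.match(line)
        if m:
            return m.group("helo").strip().lower(), m.group("ip")
    return None


def is_forged_helo(helo, ip, known=KNOWN_ADDRESSES):
    """True when the peer announced a name we own from an address that name
    does not belong to. Names we do not own give no verdict (False)."""
    if helo not in known:
        return False
    return ip not in known[helo]


def access_entries(received_lines, known=KNOWN_ADDRESSES):
    """Build sendmail access-file lines (key<TAB>REJECT) for every distinct
    peer address that forged one of our HELO names."""
    entries, seen = [], set()
    for line in received_lines:
        parsed = parse_received(line)
        if parsed is None:
            continue
        helo, ip = parsed
        try:
            ipaddress.ip_address(ip)      # drop anything that is not a real address
        except ValueError:
            continue
        if is_forged_helo(helo, ip, known) and ip not in seen:
            seen.add(ip)
            entries.append(f"{ip}\tREJECT")
    return entries


if __name__ == "__main__":
    for entry in access_entries(SAMPLE_RECEIVED):
        print(entry)
```

The printed lines go into /etc/mail/access; sendmail reads the hashed form, so rebuild it afterwards with `makemap hash /etc/mail/access < /etc/mail/access`, and the map is only consulted when the .mc file carries FEATURE(`access_db'), which is what Boris means by checking that the feature is compiled into the config. Ivan's line yields no entry because the announced name is not one of ours, which is the right answer: a mismatch can only be called on a name whose real address you know.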
-----Original Message-----
From: bolo@lupa.de [mailto:bolo@lupa.de]
Sent: 1 March 2002 09:48
To: suse-security@suse.com
Subject: Re: [suse-security] Spamming ...

> [snipped]
> If you're worried about the From: line in the mail header, calm down - most spammers use Bcc (blind carbon copy) lists for their mails, to hide the recipient list and to make things look "innocent".
> [snipped]
> Boris Lorenz <bolo@lupa.de>

I disagree; the real trouble with this is not the angry receivers of the spam, as much as the bounced messages. If Thomas receives multiple bounces due to undeliverable messages, it could have a negative impact on his system resources. If the bounces are generated from a dictionary spam run, there could be thousands on the inbound towards his box.

Yarrel
Hi,

> Since some days I get returned mails from unknown mail users, which seems to mean that someone is spamming from our machine.
> But when I analyze the header of the original mail I find a line:
> Received: from 210.97.42.1 (HELO scc.co.at) (210.97.42.1) <<
> Although the IP of scc.co.at is 193.81.182.39
> The IP 210.97.42.1 keeps changing when reading other similar mails.

210.97.42.1 is in an address range (210.97.42.0 - .63) that belongs to a Korean elementary school. (whois <ip-address> is your friend, here.)

> My questions: 1) Is it possible that someone broke into our machine and sent this mail directly over scc.co.at?

Don't think so. Open relaying is denied at that server, but it's probably been hacked...

> 2) What can I do to stop those spammers?

Shoot them? There's probably someone out there to annoy you big time. You could go and ask the admins of the originating servers to try to get hold of them (in case their server's been hacked: things like connection times from "foreign" computers and stuff). So you can trace them back to their ISP, if enough people are willing to cooperate. Don't be surprised if it's someone living round the corner...

tired,
Robert
> Shoot them? There's probably someone out there to annoy you big time. You could go and ask the admins of the originating servers to try to get hold of them (in case their server's been hacked: things like connection times from "foreign" computers and stuff). So you can trace them back to their ISP, if enough people are willing to cooperate. Don't be surprised if it's someone living round the corner...

So ... this means it will be better to live with the 200 mails a day ... :) :(

Martin
> So ... this means it will be better to live with the 200 mails a day ...

Hmm, do you have the _content_ of the spam, too? Write to their postmaster/admin _and_ their upstream provider for information (there's usually a URL inside). Bill them for the spam. (200 per day? Let's say, EUR 50 per spam. Don't forget to make this an "offering" of your company... Ask your legal advisor before proceeding, though.) How about local law enforcement? Don't know about Austria, sorry.

Robert
Yo!

> whois <ip-address> is your friend, here.

Sometimes, but APNIC is a total disaster. More often than not no useful info will turn up, including a closer look at the apnic.net and (most notorious spammers) nic.or.kr sites, leading to nothing or small privately owned ranges that seem to be completely out of control. A traceroute is a very laborious method as reverse DNS is (almost?) non-existent in the Pacific Rim. It would be nice if the community could press those reaches of the internet to make some effort to get things straight.

> 2) What can I do to stop those spammers?

I complain quite regularly about spam (if I can find the responsible parties, am bored and in a foul mood) (note that the text is always friendly, brief and informative) and what I have got is this:

- Complain to the open relay itself: mostly bounces about "postmaster@host.net mailbox is full", "mailbox does not exist" or simply no reply.
- Complain to the real netblock owner or the upstream provider of an open relay: have only recently started to do that because of the previous experience (mostly with cc to the relay itself), first results are not too hopeful.
- Complain to the provider of the spam sender: mostly auto replies with no follow-up, but I do get some of those rewarding "we located and disconnected the offending accounts"; there ARE quite some very decent providers out there.
- Complain to the provider or real netblock owner of the company that is being promoted in the spam: here I get the best results, mainly (guessing) because the evidence is so clear. I've already had quite a few web-sites knocked over, always giving ye that "make my day" feeling :>)

Let's all promise to make at least one serious complaint a week! There's obviously not enough people that do...

Some things I found out while complaining: be friendly, brief, do include the full headers, skip all the traceroute and whois info (them are professional folk and are probably better than yourself), have your servers NTP synchronized and tell them that and which timezone you're in (so they can cross-reference their logs).

I think any form of auto complain or auto reject will remain largely a dream. One very cool tool I found recently (though I did not use it myself yet): http://software.libertine.org/tmda/
participants (9)
- Bob Vickers
- Boris Lorenz
- Evert Smit
- Martin Schichl
- neroot@franceonline.fr
- Peter van den Heuvel
- Reto Inversini
- Robert Klein
- Yarrel