Mailinglist Archive: opensuse-security (685 mails)

Re: [suse-security] Spamming ...
  • From: Boris Lorenz <bolo@xxxxxxx>
  • Date: Fri, 01 Mar 2002 09:47:37 +0100
  • Message-id: <3C7F4029.7281E5AB@xxxxxxx>
Yuppa,

Martin Schichl wrote:
>
> Morning!
>
> For some days I have been getting returned mails from unknown mail users, which
> seems to mean that someone is spamming from our machine.
>
> But when I analyze the header of the original mail I find a line:
> >> Received: from 210.97.42.1 (HELO scc.co.at) (210.97.42.1) <<
> Although the IP of scc.co.at is 193.81.182.39
>
> The IP 210.97.42.1 will change permanently when reading other
> similar mails.

perfectly normal spam. Mail headers can be faked easily, and there are
plenty of spam-supporting MUAs out there (like the infamous Pegasus
mailer in its early versions).

Also, there are lots, lots of open relays on the internet, which is the
spammer's most important "infrastructure" to spew out their garbage. I
guess 3 out of 10 internet-connected MTAs suffer from improper
anti-relay configurations, some of them accidentally, some of them
deliberately; remember that spamming/direct marketing is a major
business nowadays, with lots of $$$ floating around.

> My questions:
> 1) Is it possible that someone broke into our machine and sent this
> mail directly over scc.co.at?

If you're worried about the From:-line in the mail header, calm down -
most spammers use Bcc (blind carbon copy) lists for their mails, to hide
the recipient list, and to make things look "innocent".

> 2) What can I do to stop those spammers ...

first of all, if you're running sendmail, make sure your current
sendmail-config includes the ACCESS.db feature. If so, add the offending
FQDNs/IPs to the access file and reject any connection. Next, send a
cooperative mail to the admin of the real scc.co.at (abuse@,
hostmaster@, postmaster@, info@, etc.). Make sure you include the full
mail with its headers. Also you may want to collect the mail logs of the
incident, as well as any other log message connected with the spamming
activity. This may give you clues about other unusual events in your
logs as well.

> ThanX
>
> Martin
>
> The header file of the original Message
> ---------------------------------------------------------------
> X-Track: 92154: 2
> X-Rocket-Spam: 210.97.42.1
> X-YahooFilteredBulk: 210.97.42.1
> Return-Path: <rjnr3245i37@xxxxxxxxx>
> Received: from 210.97.42.1 (HELO scc.co.at) (210.97.42.1)
> by mta514.mail.yahoo.com with SMTP; 28 Feb 2002 15:32:36 -0800 (PST)
> Reply-To: <rjnr3245i37@xxxxxxxxx>
> Message-ID: <001a07e37abc$2777d8d5$6ce83be4@lplwmr>
> From: <rjnr3245i37@xxxxxxxxx>
> To: <doctorbutcher@xxxxxxxxx>
> ---------------------------------------------------------------

Boris Lorenz <bolo@xxxxxxx>
---
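The check Boris describes (compare the name the client claimed in HELO with the IP the receiving MTA actually saw, then reject that IP in sendmail's access database) can be scripted. The following is an added example written for this archive page, not code from either poster. It parses the qmail-style Received line quoted above, flags hops where a HELO naming one of your own hosts arrives from a foreign address, and emits the plain `ip<TAB>REJECT` access-file form; the `KNOWN_HOSTS` mapping is an assumption built from the one fact in the thread (scc.co.at is 193.81.182.39), and the masked addresses are kept exactly as the archive shows them.

```python
import re
from email import message_from_string

# Constructed sample: the header block quoted in Martin's mail, with the
# masked addresses left as the archive shows them.
SAMPLE_HEADERS = (
    "Return-Path: <rjnr3245i37@xxxxxxxxx>\n"
    "Received: from 210.97.42.1 (HELO scc.co.at) (210.97.42.1)\n"
    "  by mta514.mail.yahoo.com with SMTP; 28 Feb 2002 15:32:36 -0800 (PST)\n"
    "Reply-To: <rjnr3245i37@xxxxxxxxx>\n"
    "Message-ID: <001a07e37abc$2777d8d5$6ce83be4@lplwmr>\n"
    "From: <rjnr3245i37@xxxxxxxxx>\n"
    "To: <doctorbutcher@xxxxxxxxx>\n"
    "\n"
)

# Assumed mapping of hostnames we operate to the IPs they really use; the
# single entry is taken from the thread (scc.co.at is 193.81.182.39).
KNOWN_HOSTS = {"scc.co.at": "193.81.182.39"}

# qmail-style Received line: "from <addr> (HELO <name>) (<ip>) by ..."
RECEIVED_RE = re.compile(
    r"from\s+(?P<rev>\S+)\s+\(HELO\s+(?P<helo>[^)\s]+)\)\s+"
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)"
)


def parse_received(value):
    """Return {'helo': name, 'ip': address} for one Received header, or None."""
    flat = re.sub(r"\s+", " ", value)  # unfold continuation lines
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    return {"helo": m.group("helo").lower(), "ip": m.group("ip")}


def check_message(raw_headers, known_hosts):
    """Flag every Received hop whose HELO names one of our hosts while the
    connecting IP is not that host's real address (a forged HELO)."""
    msg = message_from_string(raw_headers)
    findings = []
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if hop is None:
            continue
        expected = known_hosts.get(hop["helo"])
        hop["spoofed"] = expected is not None and expected != hop["ip"]
        findings.append(hop)
    return findings


def access_entry(ip):
    """sendmail access_db line (plain host/IP key form) rejecting `ip`."""
    return f"{ip}\tREJECT"


if __name__ == "__main__":
    for hop in check_message(SAMPLE_HEADERS, KNOWN_HOSTS):
        if hop["spoofed"]:
            print(f"HELO {hop['helo']} from {hop['ip']} -> {access_entry(hop['ip'])}")
```

Run it over the saved bounce and append the printed line to the access file before rebuilding the map with `makemap hash access < access`; the `spoofed` flag only fires for names you list in `KNOWN_HOSTS`, so an unknown HELO is reported but not judged.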
