Yuppa, Martin Schichl wrote:
> Morning!
> For some days I have been getting returned mails from unknown mail users, which seems to mean that someone is spamming from our machine.
> But when I analyze the header of the original mail I find a line:
> Received: from 210.97.42.1 (HELO scc.co.at) (210.97.42.1) << Although the IP of scc.co.at is 193.81.182.39
> The IP 210.97.42.1 will change permanently when reading other similar mails.
Perfectly normal spam. Mail headers can be faked easily, and there are plenty of spam-supporting MUAs out there (like the infamous Pegasus mailer in its early versions). Also, there are lots and lots of open relays on the internet, which are the spammer's most important "infrastructure" to spew out their garbage. I guess 3 out of 10 internet-connected MTAs suffer from improper anti-relay configurations, some of them accidentally, some of them deliberately; remember that spamming/direct marketing is a major business nowadays, with lots of $$$ floating around.
> My questions: 1) Is it possible that someone broke into our machine and sent this mail directly over scc.co.at?
If you're worried about the From:-line in the mail header, calm down - most spammers use Bcc (blind carbon copy) lists for their mails, to hide the recipient list and to make things look "innocent".
> 2) What can I do to stop those spammers ...
first of all, if you're running sendmail, make sure your current sendmail-config includes the ACCESS.db feature. If so, add the offending FQDNs/IPs to the access file and reject any connection. Next, send a cooperative mail to the admin of the real scc.co.at (abuse@, hostmaster@, postmaster@, info@, etc.). Make sure you include the full mail with its headers. Also you may want to collect the mail logs of the incident, as well as any other log message connected with the spamming activity. This may give you clues about other unusual events in your logs as well.
> ThanX
> Martin
>
> The header file of the original Message
> ---------------------------------------------------------------
> X-Track: 92154: 2
> X-Rocket-Spam: 210.97.42.1
> X-YahooFilteredBulk: 210.97.42.1
> Return-Path:
> Received: from 210.97.42.1 (HELO scc.co.at) (210.97.42.1) by mta514.mail.yahoo.com with SMTP; 28 Feb 2002 15:32:36 -0800 (PST)
> Reply-To:
> Message-ID: <001a07e37abc$2777d8d5$6ce83be4@lplwmr>
> From:
> To:
> ---------------------------------------------------------------
Boris Lorenz
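As an added illustration of the header check discussed in this thread (example code, not from the list post), a small Python script that pulls the HELO name and the real peer IP out of Received: lines and flags a hop whose HELO claims one of our hostnames while the peer address is not ours. The sample header is constructed from the snippet quoted above; KNOWN_HOSTS is a hypothetical table standing in for DNS or a host inventory.

```python
import re

# Constructed sample, modelled on the header block quoted in the thread.
SAMPLE_HEADERS = """\
Return-Path: <>
Received: from 210.97.42.1 (HELO scc.co.at) (210.97.42.1)
  by mta514.mail.yahoo.com with SMTP; 28 Feb 2002 15:32:36 -0800 (PST)
Message-ID: <001a07e37abc$2777d8d5$6ce83be4@lplwmr>
"""

# Hypothetical table of the addresses our own hosts really send from;
# in practice this comes from DNS lookups or your own inventory.
KNOWN_HOSTS = {"scc.co.at": {"193.81.182.39"}}

# Matches the "from <name> (HELO <helo>) (<ip>)" form the receiving MTA logged.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<name>\S+)\s+\(HELO\s+(?P<helo>[^)]+)\)\s+\((?P<ip>[\d.]+)\)",
    re.IGNORECASE | re.MULTILINE,
)


def unfold(headers: str) -> str:
    """Join RFC 822 continuation lines (leading whitespace) onto the previous line."""
    return re.sub(r"\r?\n[ \t]+", " ", headers)


def parse_received(headers: str) -> list[dict]:
    """Return one dict per Received: line with the claimed HELO name and the real peer IP."""
    hops = []
    for m in RECEIVED_RE.finditer(unfold(headers)):
        hops.append({"helo": m.group("helo").strip(), "ip": m.group("ip")})
    return hops


def forged_helo(hop: dict, known: dict = KNOWN_HOSTS) -> bool:
    """True when the HELO names one of our hosts but the peer IP is not one of ours."""
    ours = known.get(hop["helo"].lower())
    return ours is not None and hop["ip"] not in ours


def suspicious_hops(headers: str) -> list[str]:
    """Human-readable list of hops that forged our hostname; empty means nothing to report."""
    return [f"{h['ip']} claimed HELO {h['helo']}" for h in parse_received(headers) if forged_helo(h)]
```

The HELO string is whatever the remote client typed, so only the IP in parentheses (recorded by the receiving MTA) is evidence of where the mail actually came from; that is the address worth reporting to the relay's abuse contact.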