Web Hosting Forums


This is a discussion on Relayed SPAM in the Hosting Talk & Chit-chat forum

  1. #1
    Loyal Client
    Join Date
    Oct 2003
    Location
    Washington, DC
    Posts
    129

    Relayed SPAM

    Guys n Gals,

    I have started getting a ton of bounced spam messages back to my default email account on one of my JaguarPC accounts. First DO NOT suggest that I set the default to fail. Not only does this not address my problem, it breaks all my forwarders. If my server is being used as a spam relay, I want it shut down. I do not want to bury my head in the sand by simply not seeing the bounced messages.

    What I am concerned about is that upon examining the email headers, my JaguarPC IP address is the originating IP address of the spam. I have verified that if you do not authenticate, normal sending of mail through the server is rejected. That leaves me with one of four possibilities:

    1. a legitimate account in the domain has been compromised and someone is using the account to relay email.
    2. someone has hacked the server and added an account for relaying email.
    3. someone has found a way around the required authentication to relay email.
    4. someone has found a way to forge the IP address headers in email.

    As for #1, this is unlikely. There is only one account. I changed the password and the problem still exists. So I am trying to determine if there is a problem on the server or if #4 is true. I have been trying to get support to look at the sendmail logs for me and determine if my Jaguar server is in fact the true originator or not. Unfortunately the support person doesn't seem to understand at all, and I am just about out of patience.

    Now my question. Has anyone else seen anything like this and if so, have you been able to attribute it to anything in particular?

    Any insight anyone can provide would be greatly appreciated.

    Thanks.

  2. #2
    Loyal Client
    Join Date
    Oct 2003
    Location
    Washington, DC
    Posts
    129
    OK. I just discovered that the password change (done via the SSH shell) did not take, so it is not clear that #1 is off the table. I just changed it in CPANEL and verified the change. I want to rule out #1.

  3. #3
    Community Leader jason's Avatar
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    5,884
    First off, if your server was being used as a spam relay it is very very very likely that the techs would notice and either notify you or shut you down. Since neither has happened then it probably isn't originating on your server.

    However, if you are running any kind of web form-to-mail type script there is a possibility that that is being exploited. In fact it doesn't even need to be a form-to-mail script--any script can potentially be a target. If you are using any kind of app software (blog, message board, CMS) be sure it is up to date.

    Email is one of the easiest mechanisms to forge headers on, so I'm weighing that highly too. Without seeing the actual email its hard to say too much, but most of the time when I've seen bounces like that it is because of email that originated elsewhere.

    --Jason
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com

  4. #4
    Loyal Client
    Join Date
    Oct 2003
    Location
    Washington, DC
    Posts
    129
    Jason,

    Thanks so much for the reply.

    if your server was being used as a spam relay it is very very very likely that the techs would notice and either notify you or shut you down.
    This is what I would hope...

    The web site is very basic -- no cgi, blogs, forums, etc of any kind.

    Here's a sample bounced spam message header -- there are hundreds of them with all the same content, of course!:

    [Note: I replaced my IP address with 69.73.138.X and my domain name with "mydomain.org".]

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~
    From: [email protected]
    To: [email protected]
    Subject: Delivery Status Notification (Failure)

    This is an automatically generated Delivery Status Notification.

    Delivery to the following recipients failed.

    [email protected]
    Reporting-MTA: dns;calbrexch01.calibre-network.local
    Received-From-MTA: dns;ppp85-140-78-95.pppoe.mtu-net.ru
    Arrival-Date: Thu, 28 Jun 2007 20:49:25 -0700

    Final-Recipient: rfc822;[email protected]
    Action: failed
    Status: 5.1.1

    Received: from ppp85-140-78-95.pppoe.mtu-net.ru ([85.140.78.95]) by calbrexch01.calibre-network.local with Microsoft SMTPSVC(6.0.3790.1830);
    Thu, 28 Jun 2007 20:49:25 -0700
    Return-Path: <[email protected]>
    Received: from 69.73.138.X (HELO mydomain.org)
    by alcraft.com with esmtp (H81SX+989U0 84-;<)
    id .*,*X(--,4'.8-CD
    for [email protected]; Fri, 29 Jun 2007 03:47:37 -0300
    From: "[email protected]" <[email protected]>
    To: <[email protected]>
    Subject: Urgent Request ID812250
    Date: Fri, 29 Jun 2007 03:47:37 -0300
    Message-ID: <[email protected] nmnsdgs>
    MIME-Version: 1.0
    Content-Type: multipart/related;
    boundary="----=_NextPart_000_000A_01C7BA21.C308F620"
    X-Mailer: Microsoft Office Outlook, Build 11.0.6353
    X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
    Thread-Index: Aca6Q-3>YV++4'VB30*DK5D2L9:0,>==
    X-OriginalArrivalTime: 29 Jun 2007 03:49:26.0132 (UTC) FILETIME=[7CE24B40:01C7BA00]

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~

    I do agree that headers can be forged, but I've not seen any in which the relay IP address shows as the originator of the email unless that server is an open relay. That's why I'm wondering if someone has figured out how to get around the authentication required to send email through these servers. But another data point is that I have several servers here and this is the only one on which I am seeing this problem.

    It is possible that what appears to be the originating email is forged, but question: what would be the goal of purposely setting up bounced spam so that hundreds go back to the originator? Certainly not to sell anything. DOS maybe? There's not enough to do that.

  5. #5
    the Windlord Gwaihir's Avatar
    Join Date
    Jun 2002
    Posts
    2,570
    Quote Originally Posted by tinnel View Post
    What I am concerned about is that upon examining the email headers, my JaguarPC IP address is the originating IP address of the spam.
    Quote Originally Posted by jason View Post
    First off, if your server was being used as a spam relay it is very very very likely that the techs would notice and either notify you or shut you down. Since neither has happened then it probably isn't originating on your server.
    Hmm.. you can't both be right here and it is a very important point. If it isn't from your server, there's nothing you can do. Most of the times that's the case. However, if it is, you must find and fix the loophole on the double.

    I trust you've been examining one or several of the bounced messages, not the bounce notices themselves? If you're in any way unsure how to interpret them, I can recommend www.spamcop.net for the analysis (though you don't want to actually send off the report if it is from your own server).

    If at that point you still suspect it to be from your server, bring support in on it right away. They can verify once more that it is and help you figure it out. Don't let it slide: I'm equally sure they'll lock your account down if all by themselves they come across it spamming.

    BTW: would you happen to be on dione? I noticed a few irregularities with it over the last few days, one of them being on Yahoo's spam list.
    Regards,

    Wim Heemskerk
    ---
    Visit MeCCG.net - Cardgaming in J.R.R. Tolkien's Middle-earth
    And Gwaihir.net - The Middle-earth CCG store

  6. #6
    the Windlord Gwaihir's Avatar
    Join Date
    Jun 2002
    Posts
    2,570
    Quote Originally Posted by tinnel View Post

    Reporting-MTA: dns;calbrexch01.calibre-network.local
    Received-From-MTA: dns;ppp85-140-78-95.pppoe.mtu-net.ru
    Arrival-Date: Thu, 28 Jun 2007 20:49:25 -0700

    Final-Recipient: rfc822;[email protected]
    Action: failed
    Status: 5.1.1

    Received: from ppp85-140-78-95.pppoe.mtu-net.ru ([85.140.78.95]) by calbrexch01.calibre-network.local with Microsoft SMTPSVC(6.0.3790.1830);
    Thu, 28 Jun 2007 20:49:25 -0700
    Return-Path: <[email protected]>
    Received: from 69.73.138.X (HELO mydomain.org)
    by alcraft.com with esmtp (H81SX+989U0 84-;<)
    id .*,*X(--,4'.8-CD
    for [email protected]; Fri, 29 Jun 2007 03:47:37 -0300

    [..]

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~

    I do agree that headers can be forged, but I've not seen any in which the relay IP address shows as the originator of the email unless that server is an open relay.
    This isn't from your server. It comes from the IP I put in bold.

    Goes to show why the spamcop tool is so handy. It reads headers like an expert and gives you a (free) answer in seconds, one that is almost always good for your peace of mind (i.e. NOT from your server).

    The stuff further down the line is forged that way to add credibility. (Note that if you're on a shared account, that helo doesn't match either with what it would really send.)
    Last edited by Gwaihir; 06-29-2007 at 05:30 AM.
    Regards,

    Wim Heemskerk
    ---
    Visit MeCCG.net - Cardgaming in J.R.R. Tolkien's Middle-earth
    And Gwaihir.net - The Middle-earth CCG store

  7. #7
    Loyal Client
    Join Date
    Oct 2003
    Location
    Washington, DC
    Posts
    129
    Quote Originally Posted by Gwaihir View Post
    If it isn't from your server, there's nothing you can do. Most of the times that's the case. However, if it is, you must find and fix the loophole on the double.
    I wholeheartedly agree! That's what I'm doing here.

    Quote Originally Posted by Gwaihir View Post
    I trust you've been examining one or several of the bounced messages, not the bounce notices themselves?
    Not sure what you mean. I don't have any of the original email cause I didn't send 'em. All I have are the final bounced messages that go to the default account.

    Quote Originally Posted by Gwaihir View Post
    If you're in any way unsure how to interpret them, I can recommend www.spamcop.net for the analysis (though you don't want to actually send off the report if it is from your own server).
    Thank you for the pointer. I know a lot about email headers, but will definitely take a look. If there's a gap in my knowledge, I wanna fill it!

    Quote Originally Posted by Gwaihir View Post
    If at that point you still suspect it to be from your server, bring support in on it right away. They can verify once more that it is and help you figure it out. Don't let it slide.
    I'm trying to get their help, but they don't seem to understand the problem. They keep asking about things like do I have the right email accounts and telling me to use :fail: for my default email, which will only mask the problem if it is a problem. Sorry, but I'm rather underwhelmed at present. If only Masood were around...
    Quote Originally Posted by Gwaihir View Post
    BTW: would you happen to be on dione? I noticed a few irregularities with it over the last few days, one of them being on Yahoo's spam list.
    Nope.

  8. #8
    Loyal Client
    Join Date
    Oct 2003
    Location
    Washington, DC
    Posts
    129
    Quote Originally Posted by Gwaihir View Post
    This isn't from your server. It comes from the IP I put in bold.

    Goes to show why the spamcop tool is so handy. It reads headers like an expert and gives you a (free) answer in seconds, one that is almost always good for your peace of mind (i.e. NOT from your server).

    The stuff further down the line is forged that way to add credibility. (Note that if you're on a shared account, that helo doesn't match either with what it would really send.)
    Cool. I'll definitely be going there to take a look. Like I said before, the spam relaying appears to be properly turned off here at Jag... so it had to either be forged or someone had some newfangled way around the required authentication.

  9. #9
    Loyal Client
    Join Date
    Oct 2003
    Location
    Washington, DC
    Posts
    129
    (Finally!) Steve at tech support says they have checked the logs in detail. They don't see that the server is generating this, which correlates with what spamcop told you. Sounds like case closed...

    Thanks so much for your help!!!!!!!!!!!!!!!!!!!!!!!

  10. #10
    Community Leader jason's Avatar
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    5,884
    Quote Originally Posted by tinnel View Post
    Not sure what you mean. I don't have any of the original email cause I didn't send 'em. All I have are the final bounced messages that go to the default account.
    When you get the bounce message it should have the original message as it was received by the server that issued the bounce. Usually it will be an attachment but some (generally older) servers stick the entire message into the body of the message. You want to be sure that you are looking at the headers of the attached message, not the bounce message itself.

    Thank you for the pointer. I know a lot about email headers, but will definitely take a look. If there's a gap in my knowledge, I wanna fill it!
    As I said, mail headers are very easy to forge. In this case the spammer did an nslookup on your domain name, found your IP, and added a fake Received header to make it look as though it passed through your server. MTAs don't try to validate where the message has been, so you can pretty much stick anything in the headers and it will go through.

    The dead giveaway to which Gwaihir alluded is that, on a JPC shared server, your server will introduce itself by its name, not your domain name. So a valid header would look like

    Code:
    Received from 123.45.67.89 (HELO myname.nocdirect.com) by ...
    There are some other subtleties that I speculate may indicate that that Received header is forged--such as the fact that the message ID is higher in the list than the first Received header--but I don't know enough about the SMTP standard to definitely say without a doubt that this is really meaningful. (I've always seen the message ID below the first Received header, but I've also only looked at a handful of the thousands of messages I've received over the years.) That's why SpamCop is such a great tool--they know and understand these things so that you don't need to.

    --Jason
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com

  11. #11
    the Windlord Gwaihir's Avatar
    Join Date
    Jun 2002
    Posts
    2,570
    Quote Originally Posted by jason View Post
    When you get the bounce message it should have the original message as it was received by the server that issued the bounce. Usually it will be an attachment but some (generally older) servers stick the entire message into the body of the message. You want to be sure that you are looking at the headers of the attached message, not the bounce message itself.
    Exactly. And in my experience those attached originals ARE the complete original, headers and all, whereas the stuff stuck into the body of a message isn't always complete, as well as takes more careful separating out on your part. So, if you get like 50+ bounces from different recipients' servers and need to pick just *some* for analysis & reporting, I suggest you pick those nice attached originals and ignore the rest.


    As for the -very little- you can do about this abuse of your name. This is as far as I've got:
    - You can report some of the spams (again: the spams themselves, without the bounce message wrapped around by the time you get them), using that spamcop system.
    - You can set up SPF records for your domain name (see other info on the board and in the kb).
    These are not miracle cures, but taking such action does help to make abusing your domain name slightly less interesting for spammers than abusing one of the many others out there.
    Regards,

    Wim Heemskerk
    ---
    Visit MeCCG.net - Cardgaming in J.R.R. Tolkien's Middle-earth
    And Gwaihir.net - The Middle-earth CCG store
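    The analysis Jason and Gwaihir walk through above (read the Received chain from the top, trust only the hop stamped by the MTA that issued the bounce, treat everything below it as sender-supplied, and compare the claimed HELO with the name the shared server would really announce) and the SPF suggestion in the last post can be automated. The script below is an added example, not code from the thread or from JaguarPC. Its sample headers are constructed from the thread's sample (the masked 69.73.138.X written as 69.73.138.10, the obfuscated addresses replaced with placeholders); the expected HELO name (Jason's "myname.nocdirect.com") and the SPF record for mydomain.org are hypothetical, and the SPF evaluator handles only the ip4/ip6/all mechanisms so it can run without DNS.

```python
"""Trace a bounced message's Received chain and check the real sender
against an SPF policy. Added example; headers, HELO name and SPF record
are constructed/hypothetical, not taken from a live system."""
import ipaddress
import re

# Constructed sample: original message headers as embedded in the DSN,
# folded the way the forum post shows them.
SAMPLE_HEADERS = """\
Received: from ppp85-140-78-95.pppoe.mtu-net.ru ([85.140.78.95]) by calbrexch01.calibre-network.local with Microsoft SMTPSVC(6.0.3790.1830);
 Thu, 28 Jun 2007 20:49:25 -0700
Return-Path: <sender@mydomain.org>
Received: from 69.73.138.10 (HELO mydomain.org)
 by alcraft.com with esmtp (H81SX+989U0 84-;<)
 id .*,*X(--,4'.8-CD
 for victim@calibre-network.local; Fri, 29 Jun 2007 03:47:37 -0300
From: "sender@mydomain.org" <sender@mydomain.org>
To: <victim@calibre-network.local>
Subject: Urgent Request ID812250
"""

REPORTING_MTA = "calbrexch01.calibre-network.local"  # from the DSN's Reporting-MTA line
EXPECTED_HELO = "myname.nocdirect.com"                # hypothetical shared-server hostname
SPF_RECORD = "v=spf1 ip4:69.73.138.10 -all"           # hypothetical policy for mydomain.org

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
RECEIVED_RE = re.compile(r"^Received:\s*from\s+(?P<from>.+?)\s+by\s+(?P<by>\S+)", re.I)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HELO_RE = re.compile(r"\(HELO\s+([^\s)]+)\)", re.I)


def unfold(raw):
    """Join continuation lines (leading whitespace) back onto their header."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        elif line.strip():
            headers.append(line.rstrip())
    return headers


def parse_received(header):
    """Extract connecting host/IP, HELO name and receiving MTA from one Received line."""
    m = RECEIVED_RE.match(header)
    if not m:
        return None
    frm = m.group("from")
    ip = IPV4_RE.search(frm)
    helo = HELO_RE.search(frm)
    return {"from": frm, "by": m.group("by").lower(),
            "ip": ip.group(1) if ip else None,
            "helo": helo.group(1).lower() if helo else None}


def trace(headers, trusted_mta):
    """Received lines are prepended, so the newest is on top. The first one
    stamped by an MTA we trust shows who really connected; every line below
    it travelled inside the message and could have been written by the sender."""
    hops = [h for h in map(parse_received, headers) if h]
    for i, hop in enumerate(hops):
        if hop["by"] == trusted_mta.lower():
            return hop, hops[i + 1:]
    return None, hops


def spf_check(record, client_ip):
    """Evaluate the ip4:/ip6:/all subset of SPF (no DNS, so no a/mx/include)."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        kind, _, value = term.partition(":")
        if kind.lower() in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(value, strict=False):
                return RESULTS[qualifier]
        elif kind.lower() == "all":
            return RESULTS[qualifier]
    return "neutral"


def analyse(raw=SAMPLE_HEADERS, trusted_mta=REPORTING_MTA,
            expected_helo=EXPECTED_HELO, spf_record=SPF_RECORD):
    """Return the real origin, how many hops are unverifiable, whether any
    sender-supplied HELO differs from the expected name, and the SPF verdict."""
    origin, unverified = trace(unfold(raw), trusted_mta)
    claimed = [h["helo"] for h in unverified if h["helo"]]
    return {
        "origin_ip": origin["ip"] if origin else None,
        "origin_host": origin["from"].split()[0] if origin else None,
        "unverified_hops": len(unverified),
        "helo_mismatch": any(h != expected_helo.lower() for h in claimed),
        "spf": spf_check(spf_record, origin["ip"]) if origin and origin["ip"] else "none",
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

    On the thread's sample this reports the mtu-net.ru dial-up address as the true origin, one unverifiable hop (the forged "from 69.73.138.X (HELO mydomain.org)" line), a HELO mismatch, and an SPF "fail" for that origin, which is the verdict a receiving server with SPF checking could act on instead of accepting the mail and bouncing it to the forged domain.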

  12. #12
    Loyal Client
    Join Date
    Oct 2003
    Location
    Washington, DC
    Posts
    129
    When you get the bounce message it should have the original message as it was received by the server that issued the bounce. Usually it will be an attachment but some (generally older) servers stick the entire message into the body of the message. You want to be sure that you are looking at the headers of the attached message, not the bounce message itself.
    Got it. This is what I was already doing. I didn't know if you were talking about some other actual files/email.

    You can set up SPF records for your domain name
    I will definitely check this out! Of course, I've not heard of this before, so you'll probably be seeing questions from me on this down stream...

  13. #13
    Loyal Client
    Join Date
    May 2002
    Location
    Wisconsin, USA
    Posts
    564
    This thread had a good discussion about setting up SPF records:
    http://www.jaguarpc.com/forums/showt...&highlight=spf

    Which includes a post or two by Masood giving detailed instructions.
