
My web/email server: Open Relay or spoofing?

DJFuji

Diamond Member
My domain gets spoofed as the "from" address all the time when spammers are doing their thing, but I'm sort of worried that maybe my server is actually being used to send said spam out. Is there a way to tell by looking at the bounceback email headers? Will it help if I post the headers here?

I've already verified that the server IP is not showing up at all in the headers, but I'm not sure if that makes any difference.
 
Yeah, post them, and we can look at them. My experience is that it is nearly always just someone spoofing the domain.
 
Hi. This is the qmail-send program at ra2.newseoul.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<info@chunguapt.com>:
Sorry, no mailbox here by that name. vpopmail (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: <info@djfuji.com>
Received: (qmail 25015 invoked by uid 1090); 22 Aug 2006 04:28:58 +0900
Received: from unknown (HELO emailrecorder.com) (83.5.141.142)
by 0 (qmail 1.03 + ejcp v14) with SMTP;
22 Aug 2006 04:28:58 +0900
Received: from 63.204.233.4
(SquirrelMail authenticated user cnpokiae);
by emailrecorder.com with HTTP id J85Gz002339828;
Mon, 21 Aug 2006 19:22:06 +0000
Message-Id: <3tBRyY.squirrel@63.204.233.4>
Date: Mon, 21 Aug 2006 19:22:06 +0000
Subject: How to double your company recognition on the market?
From: "Lizeth" <cnpokiae>
To: <info@chunguapt.com>
User-Agent: SquirrelMail/1.4.3a
X-Mailer: SquirrelMail/1.4.3a
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
Importance: Normal

There are three important things about the company image:
1. There should be a good marketing idea standing behind your product or company; 2. It should be perfectly visualized, be catchy and worth 1000 words; 3. The marketing strategy should be targeted and consistent.

You know everything about your company and its strong points. It's high time to order the design which is worth your company, because we have a special suggestion for small and medium business.
Let us know about your company and we'll create the best image for you.

Logo, stationery, website, package and many other types of design, produced by our creative artists, helped many people. Check our website to see how you can benefit with our company.

Have a look here: http://www.design-fast.com


PS. Mark the price: our design services really help to make a marketing break-through without making breaks in your pocket!
 
Nah... just typical spoofed crap. All that you really need to look at are the Received: lines...

Received: (qmail 25015 invoked by uid 1090); 22 Aug 2006 04:28:58 +0900
Received: from unknown (HELO emailrecorder.com) (83.5.141.142)
by 0 (qmail 1.03 + ejcp v14) with SMTP;
22 Aug 2006 04:28:58 +0900
Received: from 63.204.233.4
(SquirrelMail authenticated user cnpokiae);
by emailrecorder.com with HTTP id J85Gz002339828;
Mon, 21 Aug 2006 19:22:06 +0000


Simplify that by taking out timestamps, version strings, and other junk...

Received: (qmail 25015 invoked by uid 1090)
Received: from unknown (HELO emailrecorder.com) (83.5.141.142) by 0
Received: from 63.204.233.4 by emailrecorder.com


Lines are added from bottom to top as the message is delivered, so the bottom line is the earliest. I think the top line is generated internally by the bounce for the unknown address, so it's not really relevant. The second line shows the qmail server for the destination (chunguapt.com, which MX's to chunguapt.com, which is the same IP as ra2.newseoul.com) receiving the message. The client talking to chunguapt.com identified itself (HELO) as emailrecorder.com (which, if you check the site, looks pretty skeezy as well), but the IP address of the client, 83.5.141.142, reverses to an ADSL block in Poland. Which means that you're probably just seeing a virus-infected Polish spambot pretending to be emailrecorder.com. Anything after that (i.e. just the third line in this case) is irrelevant, since it can be and usually is forged. In short, read from top to bottom until you find a client HELO that doesn't match the IP and stop reading there - that's as much of the mail path as is likely to be accurate.

Basically, if you don't see your SMTP server's name and IP show up in the Received: lines, then it's just a Return-Path spoof.
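The hand reduction in the reply above, done in code as an added example (not written by anyone in the thread): it unfolds the pasted Received: lines, walks them top to bottom to find the first hop whose HELO name is not backed by the reverse DNS of its IP, and checks whether the poster's own server appears anywhere in the chain. The rDNS table, the hostname mail.djfuji.com and the IP 192.0.2.10 used in the test are constructed placeholders, not real lookups.

```python
import re
# Received: chain quoted from the bounce posted above. This copy and the rDNS table are
# constructed for the example (not a real lookup; live code would call socket.gethostbyaddr()).
RAW_HEADERS = """\
Received: (qmail 25015 invoked by uid 1090); 22 Aug 2006 04:28:58 +0900
Received: from unknown (HELO emailrecorder.com) (83.5.141.142)
by 0 (qmail 1.03 + ejcp v14) with SMTP;
22 Aug 2006 04:28:58 +0900
Received: from 63.204.233.4
(SquirrelMail authenticated user cnpokiae);
by emailrecorder.com with HTTP id J85Gz002339828;
Mon, 21 Aug 2006 19:22:06 +0000
"""
RDNS = {"83.5.141.142": "dsl-83-5-141-142.constructed.invalid"}  # constructed, not a real PTR

HEADER_RE = re.compile(r"^([\w-]+):\s*(.*)$")
PARTS = {"from": re.compile(r"\bfrom\s+(\S+)"), "helo": re.compile(r"\(HELO\s+([^)\s]+)\)", re.I),
         "ip": re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b"), "by": re.compile(r"\bby\s+(\S+)")}

def received_hops(raw):
    """Unfold pasted headers (a line without 'Name:' continues the one above) and
    return the Received: hops top-to-bottom, reduced to from/HELO/IP/by."""
    lines = []
    for line in raw.splitlines():
        if HEADER_RE.match(line) or not lines:
            lines.append(line)
        else:
            lines[-1] += " " + line.strip()
    hops = []
    for line in lines:
        m = HEADER_RE.match(line)
        if m and m.group(1).lower() == "received":
            v = m.group(2)  # a hop with no 'from' clause was injected locally (here: by the bouncer)
            hops.append({k: f.group(1) if (f := rx.search(v)) else None for k, rx in PARTS.items()})
    return hops

def first_forged_hop(hops, rdns):
    """Read top-down and return the index of the first hop whose HELO/from name is not
    backed by its IP's reverse DNS; hops below it are client-written and untrustworthy."""
    for i, h in enumerate(hops):
        if h["from"] is None:  # local injection, nothing to verify
            continue
        name, actual = (h["helo"] or h["from"]).lower(), rdns.get(h["ip"])
        if actual is None or not (actual == name or actual.endswith("." + name)):
            return i
    return None  # whole chain is consistent

def relayed_through(hops, my_host, my_ip):
    """True only if our own server appears in the chain, i.e. the mail really passed through us."""
    return any(my_host in (h["from"], h["helo"], h["by"]) or h["ip"] == my_ip for h in hops)
```

For the quoted bounce this stops at the second hop (emailrecorder.com vs. the Polish ADSL address), and the poster's server is absent from the chain, so only the Return-Path was spoofed.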


 
Two things:
- First, besides analyzing the message, an easy way to tell if you're producing the spam is to check your logs and monitor your outgoing traffic. 🙂
- Second, maybe somebody in Poland is spoofing your email address, or maybe somebody at ra2.newseoul.com has an interesting way of fooling your spam filter while passing the blame off to someone in Poland :evil:
 