On Mon, 2003-01-27 at 12:09, will trillich wrote:
> does this [see attachment] indicate that some spammer has found
> a way to get me to relay his mail? aaugh!
>
> this looks bad. i have serensoft.com running in my basement on a
> woody (and freshly-upgraded 2.4.20-k6 kernel) and i allow pop3
> and smtp connections for my serensoft mail users.
>
> passwords are in-the-clear there, of course; but with restricted
> shells (/bin/false) there's not much danger, is there?
>
> still, if you look at the attached bounce, it looks like somehow
> a spammer is trying to use my exim (or worse, IS using my exim)
> to relay/forward his junk.
>
> i did `zgrep zimmerman /var/log/exim/mainlog*` and came up
> empty. and since it says it arrived on '26 Jan 2003 23:51:44'
> i also looked for ':51:44' (thinking maybe the time zone might
> affect the log entry, i looked for minutes:seconds) and found
> nothing. same for '211.144.100.21', the incoming ip address.
>
> paniclog and rejectlog are empty...
>
> where should i look? what should i look for?

The place to look for information is in the headers of the email sent. Looking them over from here, there are no signs that there were any intermediate steps between the sender's system and that of the intended recipient - the only connection to serensoft.com is that in order to try to avoid nastygrams from spam recipients, random addresses from *somewhere* (be it a spam targets list or whatever) get tossed in as From entries for those that can't work the "Reply-To" function.

The interesting point is the use of Disposition-Notification-To in the headers - that it is the same as the Reply-To header. For those systems that are set to respond to it, it should advise the sender if the message went through.

ec3000@foundertop.com looks to be the originator, which is likely Shanghai Foundertop Tech Co.,Ltd. (in China) although while I can find a whois entry for it, I can't find an IP for that itself, and trying to ping foundertop.com reports unknown host. That doesn't say that it doesn't exist, but it could well be that it is set up in a small area but not propagating upstream (sometimes people bugger up their DNS settings - surprising as it may seem! ;) It could also be a dynamic IP arrangement where the lookup info for any related fqdn is allowed to expire quickly when the target machine is not active.

But from the headers in what got sent back to you from lexis-nexis.com, it never went through serensoft.com or any other machine. You are an innocent bystander in this, with no involvement by your equipment. If anything, the sender is claiming to be lexisnexis.com to the targeted server when they are most definitely not. A spammer being less than fully ethical??? Who would have thought it???

--
Mark L. Kahnt, FLMI/M, ALHC, HIA, AIAA, ACS, MHP
ML Kahnt New Markets Consulting
Tel: (613) 531-8684 / (613) 539-0935
Email: kahnt@hosehead.dyndns.org
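The header check the reply describes, as an added example that is not part of the original thread: walk the Received: chain of a bounce to see whether a given host ever handled the message, and flag the Reply-To / Disposition-Notification-To match. The bounce headers, relay names and addresses below are constructed placeholders, not the headers from the list post.

```python
# Added example, not from the original thread: read a bounced message's
# Received: chain the way the reply above does, to confirm whether a host
# (here serensoft.com) ever relayed it.
import re
from email import message_from_string

# Constructed sample bounce: hostnames, IPs and addresses are placeholders.
# Only the From: is forged to a serensoft.com address; no hop names that host.
SAMPLE_BOUNCE = """\
Received: from mail.recipient.example (mail.recipient.example [192.0.2.10])
\tby mx.lexis-nexis.example (Postfix) with ESMTP id ABC123
\tfor <someone@lexis-nexis.example>; Sun, 26 Jan 2003 23:51:44 -0500
Received: from lexisnexis.com ([203.0.113.21])
\tby mail.recipient.example with SMTP; Sun, 26 Jan 2003 23:51:40 -0500
From: victim@serensoft.com
Reply-To: ec3000@foundertop.example
Disposition-Notification-To: ec3000@foundertop.example
Subject: constructed sample

body
"""

def received_hops(raw):
    """Return the Received: chain as (from_part, by_part) tuples, oldest hop first."""
    msg = message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        hdr = " ".join(hdr.split())  # unfold continuation lines
        m = re.match(r"from\s+(.+?)\s+by\s+(\S+)", hdr)
        if m:
            hops.append((m.group(1), m.group(2)))
    # The topmost Received: header is the most recent hop, so reverse.
    return list(reversed(hops))

def relayed_through(raw, host):
    """True if any Received: hop names host, in either its 'from' or 'by' part."""
    host = host.lower()
    return any(host in f.lower() or host in b.lower() for f, b in received_hops(raw))

def notification_matches_reply_to(raw):
    """True when Disposition-Notification-To equals Reply-To (the pattern noted above)."""
    msg = message_from_string(raw)
    dnt = msg.get("Disposition-Notification-To")
    rt = msg.get("Reply-To") or ""
    return dnt is not None and dnt.strip().lower() == rt.strip().lower()
```

A From: address naming your domain with no Received: hop naming your host is the signature of a forged sender, not of an open relay; the exim mainlog grep in the original question is the right complementary check from the server side.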