
Re: [OT] Has my e-mail account been hacked?



On 14/10/15 11:53, Stephen Powell wrote:
> On Tue, 13 Oct 2015 04:15:21 -0400 (EDT), Jochen Spieker wrote:
>>
>> Stuart Longland:
>>> On 13/10/15 09:58, Stephen Powell wrote:
>>>>
>>>> Unfortunately, I don't.  Attached below is one of the mail delivery
>>>> failure notices, which includes the headers of the original message.
>>>> But I don't understand what it all means.
>> …
>>>> Authentication-Results:  smtp02.wow.cmh.synacor.com smtp.user=thecoughingcanary; auth=pass (LOGIN)
>>>>
>>> Not sure about this one.
>>
>> It looks like the mail was delivered directly through
>> smtp02.wow.cmh.synacor.com by a user who successfully authenticated
>> using the username thecoughingcanary.
>>
>> @Stephen: is that you?
> 
> No.  My id on this mail server is "zlinuxman".  I have no idea who
> "thecoughingcanary" is.  Nor do I understand why the SMTP server would
> allow "thecoughingcanary" to send out e-mails in my name, unless
> "thecoughingcanary" is an administrator account.

This is making a lot more sense now.  So 'wowway.com' is your ISP's
server, and 'thecoughingcanary' is another customer of theirs.  Likely a
compromised one.  Your ISP needs to know about this.

Why did it allow the email to be relayed?  Well, the credentials were
correct, that's all that was needed.  (Yes, SMTP is that basic.)

You'd probably find you can send email from *any* email address you
choose, provided that the email address domain permits that server to
send emails from that domain.

(e.g. my domain has SPF records that only permit a small handful of
servers to send emails with a 'longlandclan.id.au' domain.  Anyone else
will trigger a "soft-failure".)

This isn't level 1 helpdesk material, you'll actually need a technical
contact there.

> Registrant Name: WIDEOPENWEST LLC
> Registrant Organization: WIDEOPENWEST LLC
> Registrant Street: 1323 Bond St.
> Registrant City: Naperville
> Registrant State/Province: IL
> Registrant Postal Code: 60563
> Registrant Country: US
> Registrant Phone: +1.6305363161
> Registrant Phone Ext: 
> Registrant Fax: +1.6305363108
> Registrant Fax Ext: 
> Registrant Email: unixadmins@wideopenwest.com

My first point of call would be that 'unixadmins@wideopenwest.com' as it
now appears you're seeing the bounce traffic from another customer's
compromised host.  I'd forward them a sample of the bounce traffic.
-- 
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.
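As an added example (not from the thread or from anyone posting in it): the two checks discussed above, done in code. The first pulls the authenticated account out of an Authentication-Results header like the one quoted in the thread and flags a submission made with someone else's credentials; the second is a deliberately minimal SPF evaluator covering only the record shape described (ip4/ip6 mechanisms plus a trailing ~all or -all). The header value, the account name "zlinuxman", and the SPF record and IP addresses are constructed sample data; check_spf is a hypothetical helper, not a full RFC 7208 implementation.

```python
import ipaddress
import re

# Constructed sample, modelled on the Authentication-Results header quoted
# in the thread (authserv-id, then the SMTP AUTH user and the auth result).
AUTH_RESULTS = ("smtp02.wow.cmh.synacor.com smtp.user=thecoughingcanary; "
                "auth=pass (LOGIN)")


def parse_auth_results(header):
    """Return (authserv-id, {property: value}) from an Authentication-Results
    header value.  Only the key=value pairs are extracted; the parenthesised
    comment such as '(LOGIN)' is ignored."""
    authserv, _, rest = header.partition(" ")
    props = {}
    for m in re.finditer(r"([\w.]+)=(\S+?)(?=[;\s]|$)", rest):
        props[m.group(1)] = m.group(2)
    return authserv, props


def submitted_by_other_account(header, my_account):
    """True when the relay reports a successful SMTP AUTH by an account other
    than the one the sender owns, i.e. the message was submitted with someone
    else's credentials (the situation described in the thread)."""
    _, props = parse_auth_results(header)
    return props.get("auth") == "pass" and props.get("smtp.user") != my_account


def check_spf(spf_record, sender_ip):
    """Hypothetical minimal SPF evaluator: handles 'v=spf1', ip4:/ip6:
    mechanisms and a final ~all (softfail) or -all (fail).  No include:,
    a, mx or redirect= support.  Returns 'pass', 'softfail', 'fail' or
    'neutral' (no 'all' term reached)."""
    ip = ipaddress.ip_address(sender_ip)
    for term in spf_record.split()[1:]:
        if term.startswith(("ip4:", "ip6:")):
            # ip_network() treats a bare address as a /32 or /128;
            # an IPv4 address is never 'in' an IPv6 network and vice versa.
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return "pass"
        elif term == "~all":
            return "softfail"
        elif term == "-all":
            return "fail"
    return "neutral"
```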
