Matt Kettler wrote:
At 07:01 PM 1/28/2005, Kelson wrote:

Meanwhile, we've been getting complaints about spam which, on analysis, clearly contains forged Received headers. They have our IP but the wrong HELO, and no or wrong reverse DNS...and of course they don't show up in our logs. So we know spammers are out there forging our IP address. (Why ours? I have no idea. Probably the same reason they like forging our domain name and sending us 90,000 bounces a day.)

Are you sure it's a forgery?

99% sure. Here's an example:

Received: from cs242433-246.satx.rr.com (cs242433-246.satx.rr.com [24.243.3.246])
by REMOVED (8.13.0/8.13.0) with SMTP id j0M2345S019022;
Fri, 21 Jan 2005 21:03:13 -0500
Received: from marlene.futuramail.com ([203.86.166.22])
by pervert.worldmexico.com
(InterMail vK.4.04.00.00 337-975-986 license 361259ju95bm9tvp7uf761t3s10l5y96)
with ESMTP
id <[EMAIL PROTECTED]>
for <REMOVED>; Fri, 21 Jan 2005 18:03:11 -0800
Received: from worn (maxwell.futuramail.com [204.212.42.4])
by marlene.futuramail.com (Mirapoint Messaging Server MOS 3.3.8-GR)
with SMTP id CAI07584;
Fri, 21 Jan 2005 19:55:11 -0600 (IST)


Here it's the third Received line, the one claiming to be "worn" in the HELO and "maxwell.futuramail.com" in the reverse DNS. Assuming the first line (from the reporter's ISP) is accurate, they picked up the message from a Roadrunner broadband account. Probably a zombie, so who knows whether lines 2 and 3 can be trusted.

None of the reports we have received have indicated that the mail came directly from "our" server. They've all been several lines in like this one.

Just because it's not in your mail logs does not mean it didn't come from your box. I can fire up a telnet client on xanadu and connect to an external server and drop it spam. That won't be in xanadu's logs but the mail will have been transferred from there.

Good point!

The lack of RDNS doesn't mean much, as the recipient could have disabled this.

Perhaps, but invalid RDNS suggests something's up.

IP forgery over established TCP connections is not a trivial matter if you don't control one of the boxes or a box along the route between the two (i.e. your router, or their router).

No IP forgery is needed: all this takes is making up your own Received lines and putting them in the message headers before you send it.


I'd check your box for trojans and/or proxy weaknesses just to be safe.

I run relay tests on it periodically. Someone else actually ran the DSBL test against it a few weeks ago. (Nothing went through.) It's a Linux box with everything but needed services blocked using iptables, the daemons are kept up to date, we use smrsh to limit potential sendmail exploits, there's no third-party web content on the system... I find it highly unlikely that the box has been trojaned.


I'll do some more checks just in case.

--
Kelson Vibber
SpeedGate Communications <www.speed.net>
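As an added worked example (not code from the thread or from either poster), the following Python script does mechanically what the analysis above does by hand: it unfolds the Received lines quoted in the message, walks them from the newest hop down, and marks the point where the chain stops being verifiable. A hop is only trusted when the hop above it was written by a relay we control (here the placeholder name "REMOVED" stands in for the reporting ISP's server, an assumption) and that hop says it received the message from the host that claims to have written the next line. Everything below the first break could simply have been typed into the headers by the sender, which is the "no IP forgery needed" point made in the thread. The redacted message and recipient ids are kept as `<REMOVED>`, and the sample headers are the ones quoted in the post, embedded inline so the script runs offline.

```python
"""Walk a message's Received chain and find where it stops being trustworthy.

Added example, not code from the original thread. The Received lines below are
the ones quoted in the post, with its redactions kept; "REMOVED" stands in for
the reporting ISP's own relay (an assumption for the sake of the example).
"""
import re
from dataclasses import dataclass
from datetime import datetime
from email.utils import parsedate_to_datetime
from typing import Optional

# Constructed sample: the three Received lines quoted in the post, newest first.
SAMPLE_HEADERS = """\
Received: from cs242433-246.satx.rr.com (cs242433-246.satx.rr.com [24.243.3.246])
        by REMOVED (8.13.0/8.13.0) with SMTP id j0M2345S019022;
        Fri, 21 Jan 2005 21:03:13 -0500
Received: from marlene.futuramail.com ([203.86.166.22])
        by pervert.worldmexico.com
        (InterMail vK.4.04.00.00 337-975-986 license 361259ju95bm9tvp7uf761t3s10l5y96)
        with ESMTP
        id <REMOVED>
        for <REMOVED>; Fri, 21 Jan 2005 18:03:11 -0800
Received: from worn (maxwell.futuramail.com [204.212.42.4])
        by marlene.futuramail.com (Mirapoint Messaging Server MOS 3.3.8-GR)
        with SMTP id CAI07584;
        Fri, 21 Jan 2005 19:55:11 -0600 (IST)
"""

# "from HELO (rdns [ip]) ... by HOST" -- the rdns part is optional, sendmail
# style "([ip])" is accepted too.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[^\]]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)",
    re.S,
)


@dataclass
class Hop:
    helo: str                 # name the client gave in HELO/EHLO
    rdns: Optional[str]       # reverse DNS the receiving server recorded, if any
    ip: Optional[str]         # connecting IP as recorded by the receiving server
    by: str                   # server that claims to have written this line
    when: Optional[datetime]  # timestamp at the end of the line


def unfold(raw: str):
    """Join continuation lines (leading whitespace) back onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_received(raw: str):
    """Return the Received hops in header order (newest hop first)."""
    hops = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        value = line.split(":", 1)[1].strip()
        m = RECEIVED_RE.search(value)
        if not m:
            continue
        when = None
        if ";" in value:  # the date follows the last ';' on the line
            try:
                when = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                when = None
        hops.append(Hop(m["helo"], m["rdns"], m["ip"], m["by"], when))
    return hops


def analyze(hops, trusted_hosts):
    """Return findings plus the index of the first hop we cannot vouch for.

    Hop 0 must be written by one of our relays. Hop i is verifiable only if
    hop i-1 was, and hop i-1 recorded receiving the message from the host that
    claims to have written hop i. Anything below the first break may have been
    made up by the sender before the message was ever handed to a real server.
    """
    trusted = {h.lower() for h in trusted_hosts}
    findings, boundary = [], None
    for i, hop in enumerate(hops):
        n = i + 1
        if boundary is None:
            if i == 0:
                if hop.by.lower() not in trusted:
                    boundary = 0
                    findings.append(f"hop {n}: written by {hop.by}, not one of our relays")
            else:
                prev = hops[i - 1]
                handed_over_by = {s.lower() for s in (prev.helo, prev.rdns, prev.ip) if s}
                if hop.by.lower() not in handed_over_by:
                    boundary = i
                    findings.append(
                        f"hop {n}: claims to be written by {hop.by}, but the verified hop "
                        f"above received the message from {prev.helo} [{prev.ip}]; "
                        f"this line and everything below it is unverifiable")
        if hop.rdns is None:
            findings.append(f"hop {n}: no reverse DNS recorded for [{hop.ip}]")
        elif hop.helo.lower() != hop.rdns.lower():
            findings.append(f"hop {n}: HELO '{hop.helo}' does not match reverse DNS '{hop.rdns}'")
        if i > 0 and hop.when and hops[i - 1].when and hop.when > hops[i - 1].when:
            findings.append(f"hop {n}: timestamp is later than the hop above it")
    return {"trust_boundary": boundary, "findings": findings}


if __name__ == "__main__":
    hops = parse_received(SAMPLE_HEADERS)
    report = analyze(hops, {"REMOVED"})
    for n, h in enumerate(hops, 1):
        print(f"hop {n}: from {h.helo} (rdns={h.rdns} ip={h.ip}) by {h.by} at {h.when}")
    print("first unverifiable hop:", report["trust_boundary"])
    for f in report["findings"]:
        print(" -", f)
```

On the quoted headers this reports the break at the second hop: the ISP's relay recorded the message coming from the Roadrunner address, not from pervert.worldmexico.com, so that line and the "worn"/maxwell.futuramail.com line below it carry no evidential weight either way. The script also notes the missing reverse DNS on hop 2 and the HELO/rDNS mismatch on hop 3, but on its own the absence of rDNS is weak evidence, since the receiving server may simply not perform the lookup.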
