From: "Kelson" <[EMAIL PROTECTED]>

> Matt Kettler wrote:
>
> > At 07:01 PM 1/28/2005, Kelson wrote:
> >
> >> Meanwhile, we've been getting complaints about spam which, on
> >> analysis, clearly contains forged Received headers. They have our IP
> >> but the wrong HELO, and no or wrong reverse DNS...and of course they
> >> don't show up in our logs. So we know spammers are out there forging
> >> our IP address. (Why ours? I have no idea. Probably the same reason
> >> they like forging our domain name and sending us 90,000 bounces a day.)
> >
> > Are you sure it's a forgery?
>
> 99% sure. Here's an example:
>
> Received: from cs242433-246.satx.rr.com (cs242433-246.satx.rr.com
> [24.243.3.246])
> by REMOVED (8.13.0/8.13.0) with SMTP id j0M2345S019022;
> Fri, 21 Jan 2005 21:03:13 -0500

I presume the REMOVED address is the address for the complainer. Unless
you are at 24.243.3.246, a Roadrunner address, this did not come from
you at all.

> Received: from marlene.futuramail.com ([203.86.166.22])
> by pervert.worldmexico.com
> (InterMail vK.4.04.00.00 337-975-986 license
> 361259ju95bm9tvp7uf761t3s10l5y96)
> with ESMTP
> id <[EMAIL PROTECTED]>
> for <REMOVED>; Fri, 21 Jan 2005 18:03:11 -0800

This is likely forged as it does not chain with the above address. (I
also note that somebody has set up an actual DNS entry for the RFC1918
address space 192.168.1.111. It might be interesting to trace this
out.) The 203.86.166.22 address traces to http1.hk.outblaze.com. But
it, too, is likely a forgery at a wild guess. Overall I'd not believe
this header, chiefly because it does not chain the message's custody to
the top header shown.

> Received: from worn (maxwell.futuramail.com [204.212.42.4])
> by marlene.futuramail.com (Mirapoint Messaging Server MOS 3.3.8-GR)
> with SMTP id CAI07584;
> Fri, 21 Jan 2005 19:55:11 -0600 (IST)
>
> Here it's the third Received line, the one claiming to be "worn" in the
> HELO and "maxwell.futuramail.com" in the reverse DNS. Assuming the
> first line (from the reporter's ISP) is accurate, they picked up the
> message from a Roadrunner broadband account. Probably a zombie, so who
> knows whether lines 2 and 3 can be trusted.

That's my reading of it.

> None of the reports we have received have indicated that the mail came
> directly from "our" server. They've all been several lines in like this
> one.
>
> > Just because it's not in your mail logs does not mean it didn't come
> > from your box. I can fire up a telnet client on xanadu and connect to an
> > external server and drop it spam. That won't be in xanadu's logs but
> > the mail will have been transferred from there.
>
> Good point!
>
> > The lack of RDNS doesn't mean much, as the recipient could have disabled
> > this.
>
> Perhaps, but invalid RDNS suggests something's up.

Doesn't it, though. I'm wondering about who has infected the root name
servers with the pervert.worldmexico.com address. That is "not nice" to
say the least.

> > IP forgery over established TCP connections is not a trivial matter if
> > you don't control one of the boxes or a box along the route between the
> > two (ie: your router, or their router)
>
> No IP forgery is needed: all this takes is making up your own Received
> lines and putting them in the message headers before you send it.
>
> > I'd check your box for trojans and/or proxy weaknesses just to be safe.
>
> I run relay tests on it periodically. Someone else actually ran the
> DSBL test against it a few weeks ago. (Nothing went through.) It's a
> linux box with everything but needed services blocked using IPtables,
> the daemons are kept up to date, we use smrsh to limit potential
> sendmail exploits, there's no third-party web content on the system... I
> find it highly unlikely that the box has been trojaned.
>
> I'll do some more checks just in case.

I would ask the tweebs who black listed you precisely how they track it
to your address. I'd love to hear their reasoning.

{^_^}
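As an added example (not part of the thread, and not code from any of the posters), here is a small Python checker that applies the reasoning above mechanically. It parses Received headers top-down, flags any hop whose "by" host is not the host the hop above it claims to have received "from" (the custody break the reply points out between the Roadrunner hop and pervert.worldmexico.com), lists hops whose HELO name differs from the reverse-DNS name in parentheses, and checks that timestamps do not run backwards once normalised to UTC. The sample headers are the three from the report, with the recipient details kept as the REMOVED placeholders the thread uses; the function names and the five-minute clock tolerance are assumptions of my own.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime
from typing import List, Optional, Tuple

# Constructed sample: the three Received lines quoted in the thread,
# newest hop first, recipient details replaced by REMOVED as in the report.
SAMPLE_HEADERS = """\
Received: from cs242433-246.satx.rr.com (cs242433-246.satx.rr.com
 [24.243.3.246])
 by REMOVED (8.13.0/8.13.0) with SMTP id j0M2345S019022;
 Fri, 21 Jan 2005 21:03:13 -0500
Received: from marlene.futuramail.com ([203.86.166.22])
 by pervert.worldmexico.com
 (InterMail vK.4.04.00.00 337-975-986 license
 361259ju95bm9tvp7uf761t3s10l5y96)
 with ESMTP
 id <REMOVED>
 for <REMOVED>; Fri, 21 Jan 2005 18:03:11 -0800
Received: from worn (maxwell.futuramail.com [204.212.42.4])
 by marlene.futuramail.com (Mirapoint Messaging Server MOS 3.3.8-GR)
 with SMTP id CAI07584;
 Fri, 21 Jan 2005 19:55:11 -0600 (IST)
"""


@dataclass
class Hop:
    helo: str                 # name the sender announced in HELO/EHLO
    rdns: Optional[str]       # reverse-DNS name the receiver recorded, if any
    ip: Optional[str]         # connecting IP the receiver recorded, if any
    by: str                   # receiving host that wrote this line
    when: Optional[datetime]  # timestamp after the final ';', if parseable


# "from HELO (RDNS [IP]) by HOST": the parenthesised part is optional, and the
# RDNS name inside it is optional too (hop 2 above has only the bracketed IP).
FROM_BY_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(value: str) -> Optional[Hop]:
    """Parse one unfolded Received header value into a Hop, or None."""
    m = FROM_BY_RE.search(value)
    if not m:
        return None
    when = None
    if ";" in value:
        # Date is whatever follows the last ';'; drop a trailing "(IST)" comment.
        stamp = re.sub(r"\s*\([^)]*\)\s*$", "", value.rsplit(";", 1)[1].strip())
        try:
            when = parsedate_to_datetime(stamp)
        except (TypeError, ValueError):
            when = None
    return Hop(m["helo"], m["rdns"], m["ip"], m["by"].rstrip(";"), when)


def parse_headers(raw: str) -> List[Hop]:
    """Unfold RFC 822 continuation lines and parse every Received header."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)
    hops = []
    for line in unfolded.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "received":
            hop = parse_received(value)
            if hop:
                hops.append(hop)
    return hops


def chain_breaks(hops: List[Hop]) -> List[Tuple[int, str]]:
    """Report index i when hop i+1 says it was received BY a host that hop i
    does not say it received FROM: the custody chain is broken there."""
    breaks = []
    for i in range(len(hops) - 1):
        newer, older = hops[i], hops[i + 1]
        claimed = {s.lower() for s in (newer.helo, newer.rdns) if s}
        if older.by.lower() not in claimed:
            breaks.append((i, f"hop {i + 1} claims 'by {older.by}' but hop {i} "
                              f"records 'from {newer.helo}'"))
    return breaks


def helo_rdns_mismatches(hops: List[Hop]) -> List[int]:
    """Hops where the announced HELO name differs from the recorded rDNS name."""
    return [i for i, h in enumerate(hops)
            if h.rdns and h.helo.lower() != h.rdns.lower()]


def time_anomalies(hops: List[Hop], tolerance=timedelta(minutes=5)) -> List[int]:
    """Hops whose timestamp is later than the hop above it by more than the
    tolerance (aware datetimes compare correctly across UTC offsets)."""
    return [i for i in range(len(hops) - 1)
            if hops[i].when and hops[i + 1].when
            and hops[i + 1].when > hops[i].when + tolerance]


if __name__ == "__main__":
    hops = parse_headers(SAMPLE_HEADERS)
    for i, h in enumerate(hops):
        print(f"hop {i}: from {h.helo} ({h.rdns} [{h.ip}]) by {h.by} at {h.when}")
    for i, why in chain_breaks(hops):
        print(f"chain break below hop {i}: {why}")
    print("HELO/rDNS mismatches at hops:", helo_rdns_mismatches(hops))
    print("timestamp anomalies below hops:", time_anomalies(hops))
```

On the sample this reports a break between hop 0 and hop 1 (pervert.worldmexico.com never appears as the host hop 0 received from), a HELO/rDNS mismatch at hop 2 ("worn" versus maxwell.futuramail.com), and no timestamp anomaly. Only the hops written by servers you trust are evidence; once a break is found, everything beneath it was supplied by the sending machine and is exactly the kind of made-up Received line the thread describes.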