kal (Forum Administrator)
Joined: 06 Mar 2006 Posts: 17850 Location: Ottawa, Canada
TV/Projector: JVC DLA-NZ7
Posted: Fri Aug 17, 2012 2:14 pm
Post subject: Any way to see internet headers of attached messages?
Recently spammers have been sending email pretending to be one of my websites.
Here's an example:
Code:
-----Original Message-----
From: Get Vigara-Today [mailto:195A569A7@curtpalme.com]
Sent: August-17-12 5:04 AM
To: dyeite5505@9ravens.com
Subject: SALE!
New sale prices:
----------------
Levtira ... 1.25$
Cilais ... 1.14$
Vigara ... 0.21$
Female Pack ... 1.20$
Family Pack ... 2.12$
Professional Pack ... 3.29$
-----------------
Follow special link:
http://fmHM.doctortach.ru/
I know of this because many of these bounce back so I get a message like this:
Code:
-----Original Message-----
From: Mail Delivery System [mailto:MAILER-DAEMON@vds003.din.or.jp]
Sent: August-17-12 5:04 AM
To: 195A569A7@curtpalme.com
Subject: Undelivered Mail Returned to Sender
This is the mail system at host vds003.din.or.jp.
I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to postmaster.
If you do so, please include this problem report. You can delete your own text from the attached returned message.
The mail system
<dyeite5505@www.9ravens.com> (expanded from <dyeite5505@9ravens.com>): User unknown in virtual alias table
Attached to this bounced message are usually two files:
1. details.txt which in this case contains:
Code:
Reporting-MTA: dns; vds003.din.or.jp
X-Postfix-Queue-ID: 2139E79DD5
X-Postfix-Sender: rfc822; 195A569A7@curtpalme.com
Arrival-Date: Fri, 17 Aug 2012 18:03:43 +0900 (JST)
Final-Recipient: rfc822; dyeite5505@www.9ravens.com
Original-Recipient: rfc822;dyeite5505@9ravens.com
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; User unknown in virtual alias table
2. The original message that I posted above.
I'd like to confirm (just to be sure) that my server is not actually sending out this message but I can't seem to figure out how I can see the internet headers of an attached email. I'm not sure it's even possible? I'm using Microsoft Outlook.
Normally to view the internet header of an email message I just right click on the message and choose "Message Options". Doing this on this message however shows me the internet header of the email sent to me saying that message bounced. It looks like this:
Code:
Return-Path: <MAILER-DAEMON@lded1.atcihosting.com>
Received: from vds003.din.or.jp (vds003.din.or.jp [210.135.89.102])
by lded1.atcihosting.com (8.13.8/8.13.8) with ESMTP id q7H93kNR022302
for <195A569A7@curtpalme.com>; Fri, 17 Aug 2012 04:03:46 -0500
Received: by vds003.din.or.jp (Postfix)
id CDA2179DEF; Fri, 17 Aug 2012 18:03:44 +0900 (JST)
Date: Fri, 17 Aug 2012 18:03:44 +0900 (JST)
From: MAILER-DAEMON@vds003.din.or.jp (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: 195A569A7@curtpalme.com
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="2139E79DD5.1345194224/vds003.din.or.jp"
Content-Transfer-Encoding: 8bit
Message-Id: <20120817090344.CDA2179DEF@vds003.din.or.jp>
X-Antivirus: avast! (VPS 120816-1, 16/08/2012), Inbound message
X-Antivirus-Status: Clean
What I'd want to see in the attached (original) message is if the IP used for sending the message from 195A569A7@curtpalme.com matches my server IP (206.225.20.165).
In the message above I'm only seeing that the vds003.din.or.jp domain resolves to 210.135.89.102 which is the sender in this case as a new message was generated to bounce back to 195A569A7@curtpalme.com.
If I ping vds003.din.or.jp I see that it is in fact 210.135.89.102, so I know they sent it. I want to see the same for the message *they* received (supposedly) sent from 195A569A7@curtpalme.com.
The other thing to do is to simply wait until I actually get a spam from one of these fake @curtpalme.com addresses but that might take a while.
So before someone asks... why is this even possible? SMTP email is completely insecure. You can "pretend" to be anyone out there but you can't (easily) spoof an IP address. When the receiving mail server receives mail from 195A569A7@curtpalme.com the first thing they do is contact the domain to get the IP. In the case of the spammers you'd get an IP other than mine.
Spammers need a good domain for sending out spams so that when the receiving mail server gets the mail and does a lookup, that it's valid.
Kal
_________________
Support our site by using our affiliate links. We thank you!
My basement/HT/bar/brewery build 2.0
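One way to do what this post asks for without going through Outlook, as an added example that is not from the thread: parse the bounce with Python's standard email package, pull out the attached message/rfc822 part, and compare the IP in its earliest Received: header with the server IP named above (206.225.20.165). The bounce text is a constructed sample shaped like the one quoted; the 203.0.113.7 address is made up (documentation range).

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample bounce shaped like the one quoted in the post;
# 203.0.113.7 is a made-up address from the documentation range.
BOUNCE = """\
From: MAILER-DAEMON@vds003.din.or.jp (Mail Delivery System)
To: 195A569A7@curtpalme.com
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/rfc822

Received: from curtpalme.com (unknown [203.0.113.7])
\tby vds003.din.or.jp (Postfix) with ESMTP id 2139E79DD5
\tfor <dyeite5505@9ravens.com>; Fri, 17 Aug 2012 18:03:43 +0900 (JST)
From: Get Vigara-Today <195A569A7@curtpalme.com>
To: dyeite5505@9ravens.com
Subject: SALE!

New sale prices:
--B1--
"""

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def attached_message(raw):
    """Return the message/rfc822 part of a bounce, or None if there is none."""
    msg = email.message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)  # the embedded original message
    return None

def originating_ips(msg):
    """IPs from Received: headers, first hop last (each relay prepends one)."""
    found = (RECEIVED_IP.search(str(h)) for h in msg.get_all("Received", []))
    return [m.group(1) for m in found if m]

def sent_from_server(bounce_text, server_ip):
    """True if the first hop of the bounced original was server_ip."""
    inner = attached_message(bounce_text)
    ips = originating_ips(inner) if inner is not None else []
    if not ips:
        return None  # nothing to compare: no attachment or no Received: line
    return ipaddress.ip_address(ips[-1]) == ipaddress.ip_address(server_ip)
```

Only the Received: line added by the first server that accepted the mail is worth trusting; a spammer can forge any Received: lines it writes itself, which is why the bottom-most header is the one compared.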
zaphod
Joined: 16 Jun 2006 Posts: 2002 Location: Cloverdale
Posted: Fri Aug 17, 2012 2:55 pm
I believe that the forum s/w is on a unix/linux box, right? Can you check /var/log/maillog to see if the mail originates from your server?
The other thing I've done is that if your exchange server has an IMAP interface you can use mutt to grab the entire message and look at the raw headers of everything, or save the message and use munpack to pull it into pieces for examination.
_________________ walk gently. leave a good impression.
kal (Forum Administrator)
Joined: 06 Mar 2006 Posts: 17850 Location: Ottawa, Canada
TV/Projector: JVC DLA-NZ7
Posted: Fri Aug 17, 2012 3:29 pm
Good point. Since it's a managed server I don't actually have access to download /var/log/maillog. So I've asked them to send it to me...
As an aside someone pointed out that I don't have SPF records on any of my domains. It can help with email spoofing. Anyone know if there are any downsides to implementing SPF? If it's only a good thing, why wouldn't it already be done?
Kal
zaphod
Joined: 16 Jun 2006 Posts: 2002 Location: Cloverdale
Posted: Fri Aug 17, 2012 4:00 pm
No real downside that I know of for SPF recs, but they're newish, not necessarily supported very widely, and a bit of a hack. (UBC, the big university out here, doesn't use them; gmail.com does.)
Instead of defining an SPF DNS record (like the old WKS - well known service, or HINFO - host info) they tucked the SPF info into a special format of the TXT record.
But will the receiving mailer respect them? Who knows. And if the spammers are hitting your mail port and forging mail that way you are still hooped.
Could you use iptables to firewall off mail from everyone except your own machine? Or is that hard with this being a managed server? That would stop spam coming from your mailer.
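What a receiver actually does with that TXT record, as an added example that is not from the thread: a small offline evaluator for the ip4, ip6 and all mechanisms of an SPF policy (a, mx and include need DNS lookups and are skipped here), run against the server IP named earlier in the thread and a constructed spammer address, with the weak form of the record beside the strict one.

```python
import ipaddress

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, client_ip):
    """Result a receiver would get for client_ip under the given TXT record.
    Only ip4:, ip6: and all are evaluated (no DNS); a, mx, include are skipped."""
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"  # no policy published: the receiver learns nothing
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier, mech = "+", term  # a bare mechanism means "+" (pass)
        if term[0] in RESULTS:
            qualifier, mech = term[0], term[1:]
        if mech == "all":
            return RESULTS[qualifier]
        name, _, value = mech.partition(":")
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(value, strict=False):
            return RESULTS[qualifier]
    return "neutral"  # RFC 7208: nothing matched and no "all" term

SERVER_IP = "206.225.20.165"  # the poster's server, from the thread
SPAMMER_IP = "203.0.113.7"    # constructed, documentation range

# Lists only the real server and tells receivers to reject anything else
STRICT = "v=spf1 ip4:206.225.20.165 -all"
# Same list, but receivers are only told to treat other sources as suspect
SOFT = "v=spf1 ip4:206.225.20.165 ~all"
# The weak setting: every host on the internet is authorised to use the domain
USELESS = "v=spf1 +all"
```

A "fail" only helps if the receiving mailer checks SPF at all, which is the point made above; publishing the record costs nothing on the sending side.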
kal (Forum Administrator)
Joined: 06 Mar 2006 Posts: 17850 Location: Ottawa, Canada
TV/Projector: JVC DLA-NZ7
Posted: Fri Aug 17, 2012 5:39 pm
zaphod wrote:
"could you use iptables to firewall off mail from everyone except your own machine? or is that hard with this being a managed server? That would stop spam coming from your mailer"
I can't really do anything given that it's a managed server, but that's the way I want it. I don't want to do this myself and pay the hosting company to manage.
So they've provided me with the last 7 days worth of maillog files but I have no idea how to really read them. How do I know if spam is originating from my server? There certainly seems to be some odd things going on here.
I'm not sure if some of this information is stuff I shouldn't be showing in public.
Kal
Last edited by kal on Fri Aug 17, 2012 5:43 pm; edited 1 time in total
zaphod
Joined: 16 Jun 2006 Posts: 2002 Location: Cloverdale
Posted: Fri Aug 17, 2012 5:41 pm
i'll PM you my email.