CurtPalme.com Home Theater Forum

Any way to see internet headers of attached messages?

 
kal
Forum Administrator
Joined: 06 Mar 2006
Posts: 17850
Location: Ottawa, Canada
TV/Projector: JVC DLA-NZ7

Posted: Fri Aug 17, 2012 2:14 pm    Post subject: Any way to see internet headers of attached messages?

Recently spammers have been sending email pretending to be one of my websites.

Here's an example:

Code:
-----Original Message-----
From: Get Vigara-Today [mailto:195A569A7@curtpalme.com]
Sent: August-17-12 5:04 AM
To: dyeite5505@9ravens.com
Subject: SALE!

New sale prices:
----------------

Levtira ... 1.25$

Cilais ... 1.14$

Vigara ... 0.21$

Female Pack ... 1.20$

Family Pack ... 2.12$

Professional Pack ... 3.29$

-----------------

Follow special link:

http://fmHM.doctortach.ru/


I know of this because many of these bounce back, so I get a message like this:

Code:
-----Original Message-----
From: Mail Delivery System [mailto:MAILER-DAEMON@vds003.din.or.jp]
Sent: August-17-12 5:04 AM
To: 195A569A7@curtpalme.com
Subject: Undelivered Mail Returned to Sender

This is the mail system at host vds003.din.or.jp.

I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can delete your own text from the attached returned message.

                   The mail system

<dyeite5505@www.9ravens.com> (expanded from <dyeite5505@9ravens.com>): User unknown in virtual alias table


Attached to this bounced message are usually two files:

1. details.txt which in this case contains:

Code:
Reporting-MTA: dns; vds003.din.or.jp
X-Postfix-Queue-ID: 2139E79DD5
X-Postfix-Sender: rfc822; 195A569A7@curtpalme.com
Arrival-Date: Fri, 17 Aug 2012 18:03:43 +0900 (JST)

Final-Recipient: rfc822; dyeite5505@www.9ravens.com
Original-Recipient: rfc822;dyeite5505@9ravens.com
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; User unknown in virtual alias table


2. The original message that I posted above.


I'd like to confirm (just to be sure) that my server is not actually sending out this message but I can't seem to figure out how I can see the internet headers of an attached email. I'm not sure it's even possible? I'm using Microsoft Outlook.

Normally to view the internet header of an email message I just right click on the message and choose "Message Options". Doing this on this message however shows me the internet header of the email sent to me saying that message bounced. It looks like this:

Code:
Return-Path: <MAILER-DAEMON@lded1.atcihosting.com>
Received: from vds003.din.or.jp (vds003.din.or.jp [210.135.89.102])
   by lded1.atcihosting.com (8.13.8/8.13.8) with ESMTP id q7H93kNR022302
   for <195A569A7@curtpalme.com>; Fri, 17 Aug 2012 04:03:46 -0500
Received: by vds003.din.or.jp (Postfix)
   id CDA2179DEF; Fri, 17 Aug 2012 18:03:44 +0900 (JST)
Date: Fri, 17 Aug 2012 18:03:44 +0900 (JST)
From: MAILER-DAEMON@vds003.din.or.jp (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: 195A569A7@curtpalme.com
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
   boundary="2139E79DD5.1345194224/vds003.din.or.jp"
Content-Transfer-Encoding: 8bit
Message-Id: <20120817090344.CDA2179DEF@vds003.din.or.jp>
X-Antivirus: avast! (VPS 120816-1, 16/08/2012), Inbound message
X-Antivirus-Status: Clean


What I'd want to see in the attached (original) message is if the IP used for sending the message from 195A569A7@curtpalme.com matches my server IP (206.225.20.165).

In the message above I'm only seeing that the vds003.din.or.jp domain resolves to 210.135.89.102 which is the sender in this case as a new message was generated to bounce back to 195A569A7@curtpalme.com.

If I ping vds003.din.or.jp I see that it is in fact 210.135.89.102, so I know they sent it. I want to see the same for the message *they* received (supposedly) sent from 195A569A7@curtpalme.com.

The other thing to do is to simply wait until I actually get a spam from one of these fake @curtpalme.com addresses but that might take a while.

So before someone asks... why is this even possible? SMTP email is completely insecure. You can "pretend" to be anyone out there but you can't (easily) spoof an IP address. When the receiving mail server receives mail from 195A569A7@curtpalme.com the first thing they do is contact the domain to get the IP. In the case of the spammers you'd get an IP other than mine.

Spammers need a good domain for sending out spams so that when the receiving mail server gets the mail and does a lookup, it's valid.

Kal

_________________

Support our site by using our affiliate links. We thank you!
My basement/HT/bar/brewery build 2.0
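One way to get at the headers kal is asking about, once the bounce has been saved from the mail client as a raw RFC 822 (.eml) file: an added Python example, not from the thread, that walks the multipart/report, pulls out the attached message/rfc822 original and lists the IPs in its Received: lines so they can be compared with the server's 206.225.20.165. The bounce embedded below is constructed for the demo, and 198.51.100.23 is a made-up address standing in for whatever host actually handed the spam to vds003.

```python
import email
import re
from email import policy

MY_SERVER_IP = "206.225.20.165"  # our real outbound host, as quoted in the thread

# Constructed sample bounce: a multipart/report with the original spam attached
# as message/rfc822. 198.51.100.23 is a made-up documentation address.
SAMPLE_BOUNCE = b"""\
From: MAILER-DAEMON@vds003.din.or.jp (Mail Delivery System)
To: 195A569A7@curtpalme.com
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/rfc822

Received: from curtpalme.com (unknown [198.51.100.23])
   by vds003.din.or.jp (Postfix) with SMTP id 2139E79DD5
   for <dyeite5505@9ravens.com>; Fri, 17 Aug 2012 18:03:43 +0900 (JST)
From: Get Vigara-Today <195A569A7@curtpalme.com>
To: dyeite5505@9ravens.com
Subject: SALE!

New sale prices ...
--B1--
"""

# Bracketed IPv4 literal as MTAs write it in Received: ("name (rdns [1.2.3.4])").
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def attached_received_ips(raw: bytes) -> list[str]:
    """Every IP named in a Received: line of the message/rfc822 attachment(s)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    ips = []
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_payload(0)  # the returned original message
            for hdr in inner.get_all("Received", []):
                ips.extend(IP_RE.findall(str(hdr)))
    return ips


def sent_from_my_server(raw: bytes) -> bool:
    """True only if one of those hops is our own outbound IP."""
    return MY_SERVER_IP in attached_received_ips(raw)
```

A hop from 206.225.20.165 would mean the message really passed through the server; any other address shows the From: was simply forged. Some bouncing MTAs attach only a text/rfc822-headers part instead of the full message, in which case the same Received: lines can be read from that part.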
zaphod
Joined: 16 Jun 2006
Posts: 2002
Location: Cloverdale

Posted: Fri Aug 17, 2012 2:55 pm


i believe the forum s/w is on a unix/linux box - right? can you check /var/log/maillog to see if the mail originates from your server?

the other thing i've done is that if your exchange server has an imap interface you can use mutt to grab the entire message and look at the raw headers of everything, or save the message and use munpack to pull it into pieces for examination.

_________________
walk gently. leave a good impression.
kal
Forum Administrator
Joined: 06 Mar 2006
Posts: 17850
Location: Ottawa, Canada
TV/Projector: JVC DLA-NZ7

Posted: Fri Aug 17, 2012 3:29 pm


Good point. Since it's a managed server I don't actually have access to download /var/log/maillog. So I've asked them to send it to me...

As an aside someone pointed out that I don't have SPF records on any of my domains. It can help with email spoofing. Anyone know if there are any downsides to implementing SPF? If it's only a good thing, why wouldn't it already be done?

Kal

_________________

Support our site by using our affiliate links. We thank you!
My basement/HT/bar/brewery build 2.0
zaphod
Joined: 16 Jun 2006
Posts: 2002
Location: Cloverdale

Posted: Fri Aug 17, 2012 4:00 pm


no real downside that i know of for SPF recs, but they're newish, not necessarily supported very widely and a bit of a hack. UBC (the big university out here) doesn't use them; gmail.com does.

instead of defining an SPF dns record (like the old WKS - well known service, or HINFO - host info) they tucked the SPF info into a special format of the TXT record.

but will the receiving mailer respect them? who knows. and if the spammers are hitting your mail port and forging mail that way you are still hooped.

could you use iptables to firewall off mail from everyone except your own machine? or is that hard with this being a managed server? That would stop spam coming from your mailer

_________________
walk gently. leave a good impression.
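To make concrete what the SPF data in that TXT record does, and where its limit is, an added example (not zaphod's or kal's code): a deliberately minimal evaluator for the ip4/ip6/all mechanisms, run against a constructed record for curtpalme.com that lists only the server's own IP. Mechanisms that need DNS at evaluation time (a, mx, include) are left out and raise. Note the check only vouches for the connecting IP, so mail injected through the server's own mail port would still pass, which is the case zaphod describes as "still hooped".

```python
import ipaddress

# Constructed example record (not the real curtpalme.com zone): only our own
# outbound host may send, anything else is a hard fail.
SPF_TXT = "v=spf1 ip4:206.225.20.165 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(txt: str, client_ip: str) -> str:
    """Evaluate the ip4/ip6/all mechanisms of an SPF TXT record against the IP
    that connected to our SMTP port. Mechanisms that need DNS lookups at
    evaluation time (a, mx, include, ...) are out of scope here and raise."""
    if not txt.lower().startswith("v=spf1"):
        return "none"  # no SPF policy published for this domain
    ip = ipaddress.ip_address(client_ip)
    for term in txt.split()[1:]:
        qual = "+"  # an unqualified mechanism means "pass"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qual]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            # an IPv6 client never matches an ip4 network, and vice versa
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        else:
            raise NotImplementedError(f"mechanism {mech!r} needs DNS")
    return "neutral"  # fell off the end of the record without matching
```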
kal
Forum Administrator
Joined: 06 Mar 2006
Posts: 17850
Location: Ottawa, Canada
TV/Projector: JVC DLA-NZ7

Posted: Fri Aug 17, 2012 5:39 pm


zaphod wrote:
could you use iptables to firewall off mail from everyone except your own machine? or is that hard with this being a managed server? That would stop spam coming from your mailer

I can't really do anything given that it's a managed server, but that's the way I want it. I don't want to do this myself and pay the hosting company to manage.

So they've provided me with the last 7 days' worth of maillog files but I have no idea how to really read them. How do I know if spam is originating from my server? There certainly seems to be some odd things going on here.

I'm not sure if some of this information is stuff I shouldn't be showing in public.

Kal

_________________

Support our site by using our affiliate links. We thank you!
My basement/HT/bar/brewery build 2.0


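For the question of how to read the maillog, an added example (not from the thread) that correlates sendmail-style from=/to= records by queue ID and flags messages that a @curtpalme.com sender submitted on the local host and that were then relayed out to a remote mailer; a bounce that was merely received does not match. The log lines below are constructed in the format sendmail 8.13.8 (the version in kal's Received: header) writes; the first queue ID is the one from that header, the second is invented, and a Postfix log would need a different parser.

```python
import re
from collections import defaultdict

MY_DOMAIN = "curtpalme.com"

# Constructed sendmail-style maillog excerpt (not the thread's real log). First
# queue ID: the inbound bounce from vds003. Second (made up): a message with a
# @curtpalme.com sender injected on localhost and relayed out to a remote host.
SAMPLE_MAILLOG = """\
Aug 17 04:03:46 lded1 sendmail[22302]: q7H93kNR022302: from=<MAILER-DAEMON@vds003.din.or.jp>, size=4211, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=vds003.din.or.jp [210.135.89.102]
Aug 17 04:03:46 lded1 sendmail[22305]: q7H93kNR022302: to=<195A569A7@curtpalme.com>, delay=00:00:00, mailer=local, dsn=2.0.0, stat=Sent
Aug 17 05:12:01 lded1 sendmail[23110]: q7HACx1k023110: from=<195A569A7@curtpalme.com>, size=880, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Aug 17 05:12:02 lded1 sendmail[23111]: q7HACx1k023110: to=<dyeite5505@9ravens.com>, delay=00:00:01, mailer=esmtp, relay=www.9ravens.com. [203.0.113.9], dsn=2.0.0, stat=Sent
"""

LINE_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<kv>.*)$")


def parse_maillog(text: str) -> dict:
    """Group sendmail's from=/to= records by queue ID."""
    msgs = defaultdict(lambda: {"from": None, "relay_in": None, "to": []})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m["kv"].split(", ") if "=" in kv)
        rec = msgs[m["qid"]]
        if "from" in fields:  # envelope sender plus the host that handed it to us
            rec["from"] = fields["from"].strip("<>")
            rec["relay_in"] = fields.get("relay", "")
        elif "to" in fields:  # one line per recipient delivery attempt
            rec["to"].append((fields["to"].strip("<>"), fields.get("mailer", "")))
    return dict(msgs)


def outbound_from_my_domain(text: str) -> list[str]:
    """Queue IDs of mail that really left this box under our domain: a
    @curtpalme.com envelope sender, accepted from the local host, and handed
    to a remote (esmtp) mailer. Bounces merely received here do not match."""
    hits = []
    for qid, rec in parse_maillog(text).items():
        relay = rec["relay_in"] or ""
        local = "localhost" in relay or "127.0.0.1" in relay
        ours = bool(rec["from"]) and rec["from"].lower().endswith("@" + MY_DOMAIN)
        remote = any(mailer == "esmtp" for _, mailer in rec["to"])
        if ours and local and remote:
            hits.append(qid)
    return hits
```

A hit means something on the server itself (a web script, a compromised account, an open submission port) handed the message to sendmail, which is the case worth chasing; no hits over the 7 days of logs would support the forgery explanation.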
zaphod
Joined: 16 Jun 2006
Posts: 2002
Location: Cloverdale

Posted: Fri Aug 17, 2012 5:41 pm


i'll PM you my email.
_________________
walk gently. leave a good impression.