[CLUE-Tech] Email Delivery Question

Dave Hahn dhahn at techangle.com
Tue Oct 1 09:50:29 MDT 2002


The key is:

by voldemort.arabie.org (8.11.6/8.11.6) with SMTP id g91CMl830470
	for <randy at arabie.org>; Tue, 1 Oct 2002 06:22:48 -0600

Most likely the other machine, h134-210-66-221.seed.net.tw, sent the message
with 'RCPT TO: randy at arabie.org' in the SMTP conversation, but put the To:
line that you see following the DATA statement.  This is a way for spammers
to hide to whom they really sent the message.  Most e-mail clients happily
display the To: line without regard for anything earlier in the messages.

As to how they got through, your domain name, arabie.org resolves by itself.
A simple routine to harvest IP addresses and attempt connections to them on
port 25 and, if connected, harvest information from the headers (see yours
below) and make up some e-mail addresses.  As to getting to your randy
address, that could have been harvested from the net.  Once harvested,
connect to arabie.org on port 25 and send mail until I feel I've spammed
enough.

arabie.org port 25 SMTP headers:
220 voldemort.arabie.org ESMTP Sendmail 8.11.6/8.11.6; Tue, 1 Oct 2002
09:40:37 -0600

So, the non-resolving, non-published name, voldemort, is exposed to the
world.  This could be used to falsify headers going to another machine.  The
output from this appears to be the default sendmail macro listed next to the
SMTPGreeting.  I would change this so that:
(1) The actual name of the machine isn't exposed
(2) You are letting them know that you run sendmail
(3) Hide sendmail version
(4) Hide timezone

These items can be used to falsify e-mail headers and leave all the right
footprints to make it appear as though spam is sent from your machine.  (You
do have relaying turned off, so that's good.  Any test@ addresses in your
logs were just me.)

The reason I've gone down this long road is that with this easily
harvested information your mail server could be blocked by anti-spam
organizations if all or some of the headers appear to be correct.  Then, any
mail server using their databases may block mail from arabie.org.  It's a
nasty trick spammers use, but it keeps their machines from being blocked and
generally causes a pain in the butt for everyone else.

-d
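As an added illustration (it is not part of this thread and not either poster's code), the Python script below applies the distinction Dave draws between the SMTP envelope (RCPT TO, which sendmail records in the "for <...>" clause of its own Received: line) and the To: header the sender writes after DATA. The sample headers are constructed from the ones Randy pasted, with the archive's "at" obfuscation reverted to "@"; the "hardened" greeting is a hypothetical value for comparison, not Randy's server.

```python
import re

# Constructed sample: the headers from the original post, with the archive's
# " at " obfuscation reverted to "@" and a stub body appended so the block is
# self-contained. Nothing here was captured live for this example.
SAMPLE_MESSAGE = """\
Return-Path: <aBEk3q@saturn.seed.net.tw>
Received: from USER (h134-210-66-221.seed.net.tw [210.66.221.134] (may be
    forged))
\tby voldemort.arabie.org (8.11.6/8.11.6) with SMTP id g91CMl830470
\tfor <randy@arabie.org>; Tue, 1 Oct 2002 06:22:48 -0600
Date: Tue, 1 Oct 2002 06:22:48 -0600
Received: from venus
\tby tpts7.seed.net.tw with SMTP id CiHNO0W4QSTeG1SgV5UUP0rl;
\tTue, 01 Oct 2002 18:00:56 +0800
From: birdy@arabie.org
To: 300902-6.txt@voldemort.arabie.org, 300902-2.txt@voldemort.arabie.org,
   300902-3.txt@voldemort.arabie.org, 1.txt@voldemort.arabie.org
Subject: (constructed stub)

(constructed body)
"""

# The greeting Dave pasted, and a hypothetical hardened one for comparison.
SAMPLE_BANNER = "220 voldemort.arabie.org ESMTP Sendmail 8.11.6/8.11.6; Tue, 1 Oct 2002 09:40:37 -0600"
HARDENED_BANNER = "220 mail.arabie.org ESMTP"

FOR_CLAUSE = re.compile(r"\bfor\s+<?([^\s<>;,]+)>?")
ADDRESS = re.compile(r"[\w.+-]+@[\w.-]+\w")
FORGED = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([\d.]+)\]\s+\(may be forged\)")
BANNER = re.compile(
    r"^220[ -](?P<host>\S+)(?:\s+ESMTP)?"
    r"(?:\s+(?P<software>[A-Za-z]\S*)\s+(?P<version>[0-9][^;\s]*))?"
)


def unfold_headers(raw):
    """Split the header block into (name, value) pairs, joining folded
    continuation lines (those starting with a space or tab) onto their field."""
    fields = []
    for line in raw.split("\n\n", 1)[0].splitlines():
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def envelope_recipients(fields):
    """Addresses the receiving MTA took from RCPT TO, as recorded in the
    'for <addr>' clause sendmail writes into its own Received: line."""
    return [m.group(1).lower()
            for name, value in fields if name.lower() == "received"
            for m in [FOR_CLAUSE.search(value)] if m]


def header_recipients(fields):
    """Addresses in To:/Cc:, which the sender wrote after DATA and controls."""
    return [a.lower() for name, value in fields
            if name.lower() in ("to", "cc") for a in ADDRESS.findall(value)]


def forged_clients(fields):
    """(HELO name, reverse DNS, IP) for hops sendmail marked '(may be forged)',
    i.e. where the client's reverse lookup did not confirm its forward lookup."""
    return [m.groups() for name, value in fields
            if name.lower() == "received" for m in [FORGED.search(value)] if m]


def analyse(raw):
    """Compare envelope and header recipients and collect the findings."""
    fields = unfold_headers(raw)
    env, hdr = envelope_recipients(fields), header_recipients(fields)
    findings = []
    if env and not set(env) & set(hdr):
        findings.append("envelope recipient(s) %s not present in To:/Cc:" % ", ".join(env))
    for helo, rdns, ip in forged_clients(fields):
        findings.append("client %s (%s) said HELO %s; reverse DNS not confirmed" % (ip, rdns, helo))
    return {"envelope": env, "header_to": hdr, "findings": findings}


def banner_disclosure(greeting):
    """What a 220 greeting reveals to anyone who connects to port 25:
    hostname always; software and version only if the banner carries them."""
    m = BANNER.match(greeting.strip())
    return m.groupdict() if m else None


if __name__ == "__main__":
    report = analyse(SAMPLE_MESSAGE)
    print("envelope (RCPT TO):", report["envelope"])
    print("header To:/Cc:    :", report["header_to"])
    for f in report["findings"]:
        print("finding:", f)
    print("as-is banner  :", banner_disclosure(SAMPLE_BANNER))
    print("hardened banner:", banner_disclosure(HARDENED_BANNER))
```

Running it shows the envelope recipient (randy@arabie.org) is absent from the To: list, which is exactly why the message landed despite the nonsense To: addresses, and that the first hop was flagged "(may be forged)". On sendmail the greeting text is the m4 option confSMTP_LOGIN_MSG, whose default is `$j Sendmail $v/$Z; $b` (hostname, version, config version, date); a greeting of just the public mail name and "ESMTP" drops the version and timezone Dave lists.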

-----Original Message-----
From: clue-tech-admin at clue.denver.co.us
[mailto:clue-tech-admin at clue.denver.co.us]On Behalf Of Randy Arabie
Sent: Tuesday, October 01, 2002 8:46 AM
To: Clue Tech
Subject: [CLUE-Tech] Email Delivery Question


Hi,

I got some spam today, and am curious on how it was routed to me.  Here are
message headers:


From birdy at arabie.org Tue Oct  1 08:09:39 2002
Return-Path: <aBEk3q at saturn.seed.net.tw>
Received: from USER (h134-210-66-221.seed.net.tw [210.66.221.134] (may be
    forged))
	by voldemort.arabie.org (8.11.6/8.11.6) with SMTP id g91CMl830470
	for <randy at arabie.org>; Tue, 1 Oct 2002 06:22:48 -0600
Date: Tue, 1 Oct 2002 06:22:48 -0600
Received: from venus
	by tpts7.seed.net.tw with SMTP id CiHNO0W4QSTeG1SgV5UUP0rl;
	Tue, 01 Oct 2002 18:00:56 +0800
Message-ID: <VAnO at pchome.com.tw>
From: birdy at arabie.org
To: 300902-6.txt at voldemort.arabie.org, 300902-2.txt at voldemort.arabie.org,
   300902-3.txt at voldemort.arabie.org, 300902-4.txt at voldemort.arabie.org,
   300902-5.txt at voldemort.arabie.org, 1.txt at voldemort.arabie.org
Subject: =?big5?Q?=C0=B0=B9L=B3\=A6h=A4H=A4]=B3\=A7A=A4]=BB=DD=ADn?=
MIME-Version: 1.0
Content-Type: multipart/related;
	type="multipart/alternative";
	boundary="----=_NextPart_IYi7xVbE0XvTGKpPCqCT5brFxsv5"
X-Mailer: Vd8wCs1qKl2bFmmLT
X-Priority: 3
X-MSMail-Priority: Normal
X-SpamBouncer: 1.4 (10/07/01)
X-SBRule: Small Fry
X-SBRule: Spam Mailer/Dmailer
X-SBRule: Chinese Big 5
X-SBClass: Spam


The 'From:' header was forged, I don't have any 'birdy' users on my system.
That I understand, it is easy to do.

What really puzzles me is the 'To:' headers.  The messages were addressed to
invalid recipients like 300902-6.txt at voldemort.arabie.org.
voldemort.arabie.org is the fully qualified name of my email server.  But,
that server is on my LAN, and voldemort.arabie.org does not resolve....or
shouldn't!  I only have one public IP, and DNS lookups should only work for
www.arabie.org, mail.arabie.org.  I port forward all mail traffic to
voldemort.

The only thing I can think is that someone has a DNS server with voldemort in
its cache resolving it to my public IP.  Is that possible?

I know the headers contain the name of my mail server, but all my email goes
out as [user]@arabie.org.  I tried to send myself email addressed using
[user]@voldemort.arabie.org, and it gets bounced....'Host Unknown'.  Tried
from my work email and from Yahoo.

Can anyone out there educate me on this, I'd like to learn more.
--
Allons Rouler!

Randy
http://www.arabie.org/
Stats:    8:05am up 64 days, 10:05, 1 user, load average: 1.01, 1.03, 1.00


_______________________________________________
CLUE-Tech mailing list
CLUE-Tech at clue.denver.co.us
http://clue.denver.co.us/mailman/listinfo/clue-tech