[CLUE-Tech] Email Delivery Question
Randy Arabie
rrarabie at arabie.org
Tue Oct 1 10:27:59 MDT 2002
On Tue, 1 Oct 2002, Dave Hahn wrote:
> The key is:
>
> by voldemort.arabie.org (8.11.6/8.11.6) with SMTP id g91CMl830470
> for <randy at arabie.org>; Tue, 1 Oct 2002 06:22:48 -0600
>
> Most likely the other machine, h134-210-66-221.seed.net.tw, sent the message
> with 'RCPT TO: randy at arabie.org' in the SMTP conversation, but put the To:
> line that you see following the DATA statement. This is a way for spammers
> to hide to whom they really sent the message. Most e-mail clients happily
> display the To: line without regard for anything earlier in the messages.
>
> As to how they got through, your domain name, arabie.org resolves by itself.
> A simple routine to harvest IP addresses and attempt connections to them on
> port 25 and, if connected, harvest information from the headers (see yours
> below) and make up some e-mail addresses. As to getting to your randy
> address, that could have been harvested from the net. Once harvested,
> connect to arabie.org on port 25 and send mail until I feel I've spammed
> enough.
>
> arabie.org port 25 SMTP headers:
> 220 voldemort.arabie.org ESMTP Sendmail 8.11.6/8.11.6; Tue, 1 Oct 2002
> 09:40:37 -0600
>
> So, the non-resolving, non-published name, voldemort, is exposed to the
> world. This could be used to falsify headers going to another machine. The
> output from this appears to be the default sendmail macro listed next to the
> SMTPGreeting. I would change this so that:
> (1) The actual name of the machine isn't exposed
> (2) You are letting them know that you run sendmail
> (3) Hide sendmail version
> (4) Hide timezone
>
> These items can be used to falsify e-mail headers and leave all the right
> footprints to make it appear as though spam is sent from your machine. (You
> do have relaying turned off, so that's good. Any test@ addresses in your
> logs was just me)
>
> The reason I've gone down this long road is that, with this easily
> harvested information, your mail server could be blocked by anti-spam
> organizations if all or some of the headers appear to be correct. Then, any
> mail server using their databases may block mail from arabie.org. It's a
> nasty trick spammers use, but it keeps their machines from being blocked and
> generally causes a pain in the butt for everyone else.
Thanks for the education and the tips, Dave.
I knew I should take that extra step to hide that SMTPGreeting info, but have
never done it...lazy. I'll have to pop open my config files and do that.
> -----Original Message-----
> From: clue-tech-admin at clue.denver.co.us
> [mailto:clue-tech-admin at clue.denver.co.us]On Behalf Of Randy Arabie
> Sent: Tuesday, October 01, 2002 8:46 AM
> To: Clue Tech
> Subject: [CLUE-Tech] Email Delivery Question
>
>
> Hi,
>
> I got some spam today, and am curious about how it was routed to me. Here are
> the message headers:
>
>
> >From birdy at arabie.org Tue Oct 1 08:09:39 2002
> Return-Path: <aBEk3q at saturn.seed.net.tw>
> Received: from USER (h134-210-66-221.seed.net.tw [210.66.221.134] (may be
> forged))
> by voldemort.arabie.org (8.11.6/8.11.6) with SMTP id g91CMl830470
> for <randy at arabie.org>; Tue, 1 Oct 2002 06:22:48 -0600
> Date: Tue, 1 Oct 2002 06:22:48 -0600
> Received: from venus
> by tpts7.seed.net.tw with SMTP id CiHNO0W4QSTeG1SgV5UUP0rl;
> Tue, 01 Oct 2002 18:00:56 +0800
> Message-ID: <VAnO at pchome.com.tw>
> From: birdy at arabie.org
> To: 300902-6.txt at voldemort.arabie.org, 300902-2.txt at voldemort.arabie.org,
> 300902-3.txt at voldemort.arabie.org, 300902-4.txt at voldemort.arabie.org,
> 300902-5.txt at voldemort.arabie.org, 1.txt at voldemort.arabie.org
> Subject: =?big5?Q?=C0=B0=B9L=B3\=A6h=A4H=A4]=B3\=A7A=A4]=BB=DD=ADn?=
> MIME-Version: 1.0
> Content-Type: multipart/related;
> type="multipart/alternative";
> boundary="----=_NextPart_IYi7xVbE0XvTGKpPCqCT5brFxsv5"
> X-Mailer: Vd8wCs1qKl2bFmmLT
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-SpamBouncer: 1.4 (10/07/01)
> X-SBRule: Small Fry
> X-SBRule: Spam Mailer/Dmailer
> X-SBRule: Chinese Big 5
> X-SBClass: Spam
>
>
> The 'From:' header was forged; I don't have any 'birdy' users on my system.
> That I understand; it is easy to do.
>
> What really puzzles me is the 'To:' headers. The messages were addressed to
> invalid recipients like 300902-6.txt at voldemort.arabie.org.
> voldemort.arabie.org is the fully qualified name of my email server. But,
> that server is on my LAN, and voldemort.arabie.org does not resolve....or
> shouldn't! I only have one public IP, and DNS Lookups should only work for
> www.arabie.org, mail.arabie.org. I port forward all mail traffic to
> voldemort.
>
> The only thing I can think is that someone has a DNS server with voldemort
> in its cache resolving it to my public IP. Is that possible?
>
> I know the headers contain the name of my mail server, but all my email goes
> out as [user]@arabie.org. I tried to send myself email addressed using the
> [user]@voldemort.arabie.org, and it gets bounced....'Host Unknown'. Tried
> from my work email and from Yahoo.
>
> Can anyone out there educate me on this, I'd like to learn more.
> --
> Allons Rouler!
>
> Randy
> http://www.arabie.org/
> Stats: 8:05am up 64 days, 10:05, 1 user, load average: 1.01, 1.03, 1.00
>
>
> _______________________________________________
> CLUE-Tech mailing list
> CLUE-Tech at clue.denver.co.us
> http://clue.denver.co.us/mailman/listinfo/clue-tech
>
>
--
Allons Rouler!
Randy
http://www.arabie.org/
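An added example (not part of the thread) that automates the check Dave describes: pull the envelope recipient sendmail recorded in its Received: "for <...>" clause and compare it with the To:/Cc: addresses a mail client would display, flagging the mismatch and sendmail's "(may be forged)" marker. The sample headers are reconstructed from the message quoted above, with the list archive's "at" obfuscation reversed and the To: line shortened.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: the headers quoted in the thread, with the list
# archive's "at" obfuscation reversed and the To: line shortened.
SAMPLE = """\
Return-Path: <aBEk3q@saturn.seed.net.tw>
Received: from USER (h134-210-66-221.seed.net.tw [210.66.221.134] (may be forged))
 by voldemort.arabie.org (8.11.6/8.11.6) with SMTP id g91CMl830470
 for <randy@arabie.org>; Tue, 1 Oct 2002 06:22:48 -0600
Received: from venus
 by tpts7.seed.net.tw with SMTP id CiHNO0W4QSTeG1SgV5UUP0rl;
 Tue, 01 Oct 2002 18:00:56 +0800
From: birdy@arabie.org
To: 300902-6.txt@voldemort.arabie.org, 1.txt@voldemort.arabie.org
"""

# sendmail records the RCPT TO it actually accepted in a "for <rcpt>" clause
FOR_RE = re.compile(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?", re.I)

def envelope_recipients(msg):
    """Envelope-side recipients: every Received: 'for <...>' clause."""
    out = []
    for hdr in msg.get_all("Received", []):
        m = FOR_RE.search(" ".join(hdr.split()))  # unfold continuation lines
        if m:
            out.append(m.group(1).lower())
    return out

def header_recipients(msg):
    """Header-side recipients: what a mail client displays from To:/Cc:."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr.lower() for _, addr in pairs if addr]

def analyse(raw):
    msg = message_from_string(raw)
    env, shown = envelope_recipients(msg), header_recipients(msg)
    received = msg.get_all("Received", [])
    return {
        "envelope": env,
        "shown": shown,
        # delivered to a mailbox the To: line never names
        "recipient_mismatch": bool(env) and not set(env) & set(shown),
        # our MTA could not reconcile HELO/reverse DNS with the connecting IP
        "may_be_forged": any("(may be forged)" in r for r in received),
    }

if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key}: {value}")
```

Only the topmost Received: line was written by your own MTA; the ones below it came from the sender and can say anything.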