[CLUE-Tech] Email Delivery Question

Randy Arabie rrarabie at arabie.org
Tue Oct 1 10:27:59 MDT 2002


On Tue, 1 Oct 2002, Dave Hahn wrote:

> The key is:
> 
> by voldemort.arabie.org (8.11.6/8.11.6) with SMTP id g91CMl830470
> 	for <randy at arabie.org>; Tue, 1 Oct 2002 06:22:48 -0600
> 
> Most likely the other machine, h134-210-66-221.seed.net.tw, sent the message
> with 'RCPT TO: randy at arabie.org' in the SMTP conversation, but put the To:
> line that you see following the DATA statement.  This is a way for spammers
> to hide to whom they really sent the message.  Most e-mail clients happily
> display the To: line without regard for anything earlier in the messages.
> 
> As to how they got through, your domain name, arabie.org resolves by itself.
> A simple routine to harvest IP addresses and attempt connections to them on
> port 25 and, if connected, harvest information from the headers (see yours
> below) and make up some e-mail addresses.  As to getting to your randy
> address, that could have been harvested from the net.  Once harvested,
> connect to arabie.org on port 25 and send mail until I feel I've spammed
> enough.
> 
> arabie.org port 25 SMTP headers:
> 220 voldemort.arabie.org ESMTP Sendmail 8.11.6/8.11.6; Tue, 1 Oct 2002 09:40:37 -0600
> 
> So, the non-resolving, non-published name, voldemort, is exposed to the
> world.  This could be used to falsify headers going to another machine.  The
> output from this appears to be the default sendmail macro listed next to the
> SMTPGreeting.  I would change this so that:
> (1) The actual name of the machine isn't exposed
> (2) You are letting them know that you run sendmail
> (3) Hide sendmail version
> (4) Hide timezone
> 
> These items can be used to falsify e-mail headers and leave all the right
> footprints to make it appear as though spam is sent from your machine.  (You
> do have relaying turned off, so that's good.  Any test@ addresses in your
> logs were just me)
> 
> The reason I've gone down this long road is that, with this easily
> harvested information, your mail server could be blocked by anti-spam
> organizations if all or some of the headers appear to be correct.  Then, any
> mail server using their databases may block mail from arabie.org.  It's a
> nasty trick spammers use, but it keeps their machines from being blocked and
> generally causes a pain in the butt for everyone else.
 
Thanks for the education and the tips, Dave.

I knew I should take that extra step to hide that SMTPGreeting info, but have
never done it...lazy.  I'll have to pop open my config files and do that.

> -----Original Message-----
> From: clue-tech-admin at clue.denver.co.us
> [mailto:clue-tech-admin at clue.denver.co.us]On Behalf Of Randy Arabie
> Sent: Tuesday, October 01, 2002 8:46 AM
> To: Clue Tech
> Subject: [CLUE-Tech] Email Delivery Question
> 
> 
> Hi,
> 
> I got some spam today, and am curious on how it was routed to me.  Here are
> message headers:
> 
> 
> >From birdy at arabie.org Tue Oct  1 08:09:39 2002
> Return-Path: <aBEk3q at saturn.seed.net.tw>
> Received: from USER (h134-210-66-221.seed.net.tw [210.66.221.134] (may be
>     forged))
> 	by voldemort.arabie.org (8.11.6/8.11.6) with SMTP id g91CMl830470
> 	for <randy at arabie.org>; Tue, 1 Oct 2002 06:22:48 -0600
> Date: Tue, 1 Oct 2002 06:22:48 -0600
> Received: from venus
> 	by tpts7.seed.net.tw with SMTP id CiHNO0W4QSTeG1SgV5UUP0rl;
> 	Tue, 01 Oct 2002 18:00:56 +0800
> Message-ID: <VAnO at pchome.com.tw>
> From: birdy at arabie.org
> To: 300902-6.txt at voldemort.arabie.org, 300902-2.txt at voldemort.arabie.org,
>    300902-3.txt at voldemort.arabie.org, 300902-4.txt at voldemort.arabie.org,
>    300902-5.txt at voldemort.arabie.org, 1.txt at voldemort.arabie.org
> Subject: =?big5?Q?=C0=B0=B9L=B3\=A6h=A4H=A4]=B3\=A7A=A4]=BB=DD=ADn?=
> MIME-Version: 1.0
> Content-Type: multipart/related;
> 	type="multipart/alternative";
> 	boundary="----=_NextPart_IYi7xVbE0XvTGKpPCqCT5brFxsv5"
> X-Mailer: Vd8wCs1qKl2bFmmLT
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-SpamBouncer: 1.4 (10/07/01)
> X-SBRule: Small Fry
> X-SBRule: Spam Mailer/Dmailer
> X-SBRule: Chinese Big 5
> X-SBClass: Spam
> 
> 
> The 'From:' header was forged, I don't have any 'birdy' users on my system.
> That I understand, it is easy to do.
> 
> What really puzzles me is the 'To:' headers.  The messages were addressed to
> invalid recipients like 300902-6.txt at voldemort.arabie.org.
> voldemort.arabie.org is the fully qualified name of my email server.  But,
> that server is on my LAN, and voldemort.arabie.org does not resolve....or
> shouldn't!  I only have one public IP, and DNS Lookups should only work for
> www.arabie.org, mail.arabie.org.  I port forward all mail traffic to
> voldemort.
> 
> The only thing I can think is that someone has a DNS server with voldemort in
> its cache resolving it to my public IP.  Is that possible?
> 
> I know the headers contain the name of my mail server, but all my email goes
> out as [user]@arabie.org.  I tried to send myself email addressed using the
> [user]@voldemort.arabie.org, and it gets bounced....'Host Unkown'.  Tried
> from my work email and from Yahoo.
> 
> Can anyone out there educate me on this, I'd like to learn more.
> --
> Allons Rouler!
> 
> Randy
> http://www.arabie.org/
> Stats:    8:05am up 64 days, 10:05, 1 user, load average: 1.01, 1.03, 1.00
> 
> 
> _______________________________________________
> CLUE-Tech mailing list
> CLUE-Tech at clue.denver.co.us
> http://clue.denver.co.us/mailman/listinfo/clue-tech
> 
> 

-- 
Allons Rouler!
        
Randy
http://www.arabie.org/
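As an added illustration (not part of the thread and not written by either poster), the script below reads the headers Randy posted and checks the two things Dave explains: delivery followed the SMTP envelope recipient that sendmail records in the `for <...>` clause, not the To: header the sender typed after DATA, and the default greeting gives away the real hostname, the MTA version and the local timezone. Assumptions: the headers are transcribed from the thread with "at" restored to "@" and the big5 Subject: dropped, the banner is the one Dave pasted, and the function and variable names are mine.

```python
"""Added example, not code from the CLUE-Tech thread: parse the spam headers
Randy posted and flag the envelope/header mismatch and the banner leaks that
Dave's reply describes.  Names and input layout are assumptions for this
example.
"""
import re
import email
from email.utils import getaddresses, parsedate_to_datetime

# Constructed input: headers transcribed (abridged) from the thread.
RAW_HEADERS = (
    "Return-Path: <aBEk3q@saturn.seed.net.tw>\n"
    "Received: from USER (h134-210-66-221.seed.net.tw [210.66.221.134] (may be\n"
    "    forged))\n"
    "\tby voldemort.arabie.org (8.11.6/8.11.6) with SMTP id g91CMl830470\n"
    "\tfor <randy@arabie.org>; Tue, 1 Oct 2002 06:22:48 -0600\n"
    "Date: Tue, 1 Oct 2002 06:22:48 -0600\n"
    "Received: from venus\n"
    "\tby tpts7.seed.net.tw with SMTP id CiHNO0W4QSTeG1SgV5UUP0rl;\n"
    "\tTue, 01 Oct 2002 18:00:56 +0800\n"
    "Message-ID: <VAnO@pchome.com.tw>\n"
    "From: birdy@arabie.org\n"
    "To: 300902-6.txt@voldemort.arabie.org, 300902-2.txt@voldemort.arabie.org,\n"
    "   300902-3.txt@voldemort.arabie.org, 1.txt@voldemort.arabie.org\n"
    "\n"
)

# The greeting Dave saw on port 25 (from the thread, rejoined onto one line).
BANNER = "220 voldemort.arabie.org ESMTP Sendmail 8.11.6/8.11.6; Tue, 1 Oct 2002 09:40:37 -0600"

# Clauses of a sendmail-style Received: line.  'from' is what the client said
# in HELO; the parenthesised part is what the server itself saw (PTR name, IP,
# and "(may be forged)" when the PTR name does not resolve back to the IP).
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9.]+)\]\s*(?P<forged>\(may be forged\))?\))?"
    r".*?\bby\s+(?P<by>\S+)(?:\s+\((?P<mta>[^)]+)\))?"
    r"(?:.*?\bfor\s+<(?P<rcpt>[^>]+)>)?"
)


def received_chain(raw):
    """Return one dict per Received: header, top-most (closest to the reader) first."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(re.sub(r"\s+", " ", value))  # unfold the header first
        if m is None:
            continue
        hop = m.groupdict()
        hop["forged"] = hop["forged"] is not None
        hops.append(hop)
    return hops


def recipient_check(raw):
    """Compare the envelope recipient(s) sendmail recorded in 'for <...>' with
    the addresses in the To: header; 'mismatch' is True when they never overlap,
    i.e. the To: line says nothing about who actually received the message."""
    msg = email.message_from_string(raw)
    envelope = [h["rcpt"].lower() for h in received_chain(raw) if h["rcpt"]]
    header_to = [addr.lower() for _, addr in getaddresses(msg.get_all("To", []))]
    return {
        "envelope": envelope,
        "header_to": header_to,
        "mismatch": bool(envelope) and not set(envelope) & set(header_to),
    }


BANNER_RE = re.compile(r"^220 (?P<host>\S+) ESMTP (?P<mta>[^;]+); (?P<date>.+)$")


def banner_leaks(banner):
    """Pull out what the default greeting ($j Sendmail $v/$Z; $b) reveals:
    the real hostname, the MTA plus version, and the local UTC offset."""
    m = BANNER_RE.match(banner.strip())
    if m is None:
        return None
    offset = parsedate_to_datetime(m["date"]).utcoffset()
    return {
        "hostname": m["host"],
        "mta": m["mta"],
        "utc_offset_hours": offset.total_seconds() / 3600,
    }


if __name__ == "__main__":
    for hop in received_chain(RAW_HEADERS):
        print(hop)
    print(recipient_check(RAW_HEADERS))
    print(banner_leaks(BANNER))
```

Run it directly to print the parsed hops and both checks. The greeting itself is the `SmtpGreetingMessage` option in sendmail.cf (`confSMTP_LOGIN_MSG` in the m4 config), whose default `$j Sendmail $v/$Z; $b` is exactly the banner above, so a value such as `mail.arabie.org ESMTP` drops the hostname, version and timezone at once. Note that the `by voldemort.arabie.org (8.11.6/8.11.6)` clause in the Received: header is produced separately from the greeting and sends the same hostname and version to every recipient.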
