<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.10.3">
</HEAD>
<BODY>
On Wed, 2007-06-13 at 18:46 -0400, Madison Kelly wrote:
<BLOCKQUOTE TYPE=CITE>
<PRE>
<FONT COLOR="#000000">Hi all,</FONT>
<FONT COLOR="#000000"> One of the domains I maintain started getting a pile of bounce </FONT>
<FONT COLOR="#000000">messages. All the messages have the 'From' headers set to '"Some </FONT>
<FONT COLOR="#000000">Variable Name" <<A HREF="mailto:tabnouvelocitydyh-UqHW2wehKNmfJOJzLBvvIA@public.gmane.org">tabnouvelocitydyh-UqHW2wehKNmfJOJzLBvvIA@public.gmane.org</A>>' which is not a valid </FONT>
<FONT COLOR="#000000">address. At first I assumed this was just a couple mail servers falling </FONT>
<FONT COLOR="#000000">for forged headers but now it's a steady stream of bounces.</FONT>
<FONT COLOR="#000000"> I've tried looking to see that it's not coming from/via my server but </FONT>
<FONT COLOR="#000000">so far I can't see a problem. It looks like the source IP is in Poland </FONT>
<FONT COLOR="#000000">but I worry I may be wrong. Here is a sample header from a bounce. Can </FONT>
<FONT COLOR="#000000">you guys help reassure me that my server hasn't been opened/compromised?</FONT>
<FONT COLOR="#000000">Thanks!!</FONT>
<FONT COLOR="#000000">A concerned Madison</FONT>
<FONT COLOR="#000000">-=-=-=-=-=-=-=-</FONT>
<FONT COLOR="#000000">Reporting-MTA: dns; rly-ya01.mx.aol.com</FONT>
<FONT COLOR="#000000">Arrival-Date: Wed, 13 Jun 2007 18:22:11 -0400 (EDT)</FONT>
<FONT COLOR="#000000">Final-Recipient: RFC822; <A HREF="mailto:lui003-YDxpq3io04c@public.gmane.org">lui003-YDxpq3io04c@public.gmane.org</A></FONT>
<FONT COLOR="#000000">Action: failed</FONT>
<FONT COLOR="#000000">Status: 5.2.2</FONT>
<FONT COLOR="#000000">Remote-MTA: DNS; air-ya02.mail.aol.com</FONT>
<FONT COLOR="#000000">Diagnostic-Code: SMTP; 552 lui003 MAILBOX FULL</FONT>
<FONT COLOR="#000000">Last-Attempt-Date: Wed, 13 Jun 2007 18:22:33 -0400 (EDT)</FONT>
<FONT COLOR="#000000">Received: from h110277.serverkompetenz.net (h110277.serverkompetenz.net </FONT>
<FONT COLOR="#000000">[81.169.140.18]) by rly-ya01.mx.aol.com (v115.17) with ESMTP id </FONT>
<FONT COLOR="#000000">MAILRELAYINYA11-13746706e12262; Wed, 13 Jun 2007 18:22:11 -0400</FONT>
<FONT COLOR="#000000">Received: (qmail 858 invoked by uid 60000); 13 Jun 2007 22:22:08 -0000</FONT>
<FONT COLOR="#000000">Delivered-To: <A HREF="mailto:hint-b2wzkxdXO60bhb6IIWwbbQ@public.gmane.org">hint-b2wzkxdXO60bhb6IIWwbbQ@public.gmane.org</A></FONT>
<FONT COLOR="#000000">Received: (qmail 842 invoked by uid 60000); 13 Jun 2007 22:22:07 -0000</FONT>
<FONT COLOR="#000000">Delivered-To: <A HREF="mailto:hint-/xECjfLExT1BDgjK7y7TUQ@public.gmane.org">hint-/xECjfLExT1BDgjK7y7TUQ@public.gmane.org</A></FONT>
<FONT COLOR="#000000">Received: (qmail 808 invoked by uid 60000); 13 Jun 2007 22:22:07 -0000</FONT>
<FONT COLOR="#000000">Received: from 62.121.109.141 by h110277 (envelope-from </FONT>
<FONT COLOR="#000000"><<A HREF="mailto:tabnouvelocitydyh-UqHW2wehKNmfJOJzLBvvIA@public.gmane.org">tabnouvelocitydyh-UqHW2wehKNmfJOJzLBvvIA@public.gmane.org</A>>, uid 60004) with </FONT>
<FONT COLOR="#000000">qmail-scanner-1.24st visas</FONT>
<FONT COLOR="#000000"> (spamassassin: 2.55.</FONT>
<FONT COLOR="#000000"> Clear:RC:0(62.121.109.141):SA:0(2.1/8.0):.</FONT>
<FONT COLOR="#000000"> Processed in 0.458876 secs); 13 Jun 2007 22:22:07 -0000</FONT>
<FONT COLOR="#000000">X-Spam-Status: No, hits=2.1 required=8.0</FONT>
<FONT COLOR="#000000">X-Envelope-From: <A HREF="mailto:tabnouvelocitydyh-UqHW2wehKNmfJOJzLBvvIA@public.gmane.org">tabnouvelocitydyh-UqHW2wehKNmfJOJzLBvvIA@public.gmane.org</A></FONT>
<FONT COLOR="#000000">Received: from 141-mo3-6.acn.waw.pl (62.121.109.141)</FONT>
<FONT COLOR="#000000"> by h110277.serverkompetenz.net with SMTP; 13 Jun 2007 22:22:07 -0000</FONT>
<FONT COLOR="#000000">Received: from 192.139.81.120 (HELO mail.nouvelocity.com)</FONT>
<FONT COLOR="#000000"> by brannet.com with esmtp (I<0-2S932 N/-(Q)</FONT>
<FONT COLOR="#000000"> id (HX+F--AGAF-'-)7</FONT>
<FONT COLOR="#000000"> for <A HREF="mailto:home-/xECjfLExT1BDgjK7y7TUQ@public.gmane.org">home-/xECjfLExT1BDgjK7y7TUQ@public.gmane.org</A>; Wed, 13 Jun 2007 22:21:32 -0100</FONT>
<FONT COLOR="#000000">Date: Wed, 13 Jun 2007 22:21:32 -0100</FONT>
<FONT COLOR="#000000">From: "Karen Sullivan" <<A HREF="mailto:tabnouvelocitydyh-UqHW2wehKNmfJOJzLBvvIA@public.gmane.org">tabnouvelocitydyh-UqHW2wehKNmfJOJzLBvvIA@public.gmane.org</A>></FONT>
<FONT COLOR="#000000">X-Mailer: The Bat! (v2.10.03) Personal</FONT>
<FONT COLOR="#000000">X-Priority: 3 (Normal)</FONT>
<FONT COLOR="#000000">Message-ID: <<A HREF="mailto:834032768.79579868946668-VRR/Z2xxn2bR7s880joybQ@public.gmane.org">834032768.79579868946668-VRR/Z2xxn2bR7s880joybQ@public.gmane.org</A>></FONT>
<FONT COLOR="#000000">To: <A HREF="mailto:home-/xECjfLExT1BDgjK7y7TUQ@public.gmane.org">home-/xECjfLExT1BDgjK7y7TUQ@public.gmane.org</A></FONT>
<FONT COLOR="#000000">Subject: Hey - Don't get ripped off</FONT>
<FONT COLOR="#000000">MIME-Version: 1.0</FONT>
<FONT COLOR="#000000">Content-Type: multipart/alternative;</FONT>
<FONT COLOR="#000000"> boundary="----------0C38DAB4F29CABB"</FONT>
<FONT COLOR="#000000">X-Spam: Not detected</FONT>
<FONT COLOR="#000000">X-Qmail-Scanner-MOVED-X-Spam-Status: No, hits=2.1 required=8.0</FONT>
<FONT COLOR="#000000"> tests=AMAZING_STUFF,HTML_10_20,HTML_FONT_COLOR_UNSAFE,</FONT>
<FONT COLOR="#000000"> HTML_MESSAGE,MIME_LONG_LINE_QP</FONT>
<FONT COLOR="#000000"> version=2.55</FONT>
<FONT COLOR="#000000">X-Spam-Level: **</FONT>
<FONT COLOR="#000000">X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)</FONT>
<FONT COLOR="#000000">X-AOL-IP: 81.169.140.18</FONT>
<FONT COLOR="#000000">X-AOL-SCOLL-SCORE: 0:2:386343366:6710886</FONT>
<FONT COLOR="#000000">X-AOL-SCOLL-URL_COUNT: 0</FONT>
<FONT COLOR="#000000">-=-=-=-=-=-=-=-</FONT>
<FONT COLOR="#000000">In this case the source IP seems to be 62.121.109.141 which resolves as:</FONT>
</PRE>
</BLOCKQUOTE>
My guess is that it's actual from <FONT COLOR="#000000">192.139.81.120</FONT>. It's a little odd that there are headers between the Received lines. I have heard of forged headers but I've yet to see one.<BR>
<BR>
One way to deal with this is to add a signature to the headers of each outgoing message. Then you check the bounce messages for that same signature. If it's not there then the message didn't go through your server.
</BODY>
</HTML>