Is this spam coming from inside my network?
Lennart Sorensen
lsorense-1wCw9BSqJbv44Nm34jS7GywD8/FfD2ys at public.gmane.org
Fri Feb 10 20:45:41 UTC 2006
On Fri, Feb 10, 2006 at 02:23:40PM -0500, Madison Kelly wrote:
> This may seem like a simple question but I am not sure enough to
> guess at an answer. I've been getting a lot of these messages in my
> server's root mailbox and I am not sure if they are coming from inside
> my network (ie: one of the office computers on our internal LAN or
> someone using one of the webmail interfaces).
>
> Can someone help me ID the source of this/these? Is this a sign of
> another problem?
>
> Madison
>
> [=- Sample email -=]
>
> The original message was received at Sun, 5 Feb 2006 11:56:39 -0500
> from srv01.nouvelocity.com [127.0.0.1]
>
> ----- The following addresses had permanent fatal errors -----
> <allissa-pVIobmzmUoTQT0dZR+AlfA at public.gmane.org>
> (reason: 450 <apache-RdzIV7WH+z2kJxZZvsxEJOqUGfbH9hYC at public.gmane.org>: Sender address
> rejected: Domain not found)
> <allex-jKy1UvXD5lVBDgjK7y7TUQ at public.gmane.org>
> (reason: 450 4.1.8 <apache-RdzIV7WH+z2kJxZZvsxEJOqUGfbH9hYC at public.gmane.org>: Sender address
> rejected: Domain not found)
> <allyson-WSrdACHTE7hWk0Htik3J/w at public.gmane.org>
> <allanwongcti-QAVr7hiOBegAvxtiuMwx3w at public.gmane.org>
> (reason: 450 <apache-RdzIV7WH+z2kJxZZvsxEJOqUGfbH9hYC at public.gmane.org>: Sender address
> rejected: Domain not found)
> <allen_prudenyahoo.de-IEmUKwnH1qrQT0dZR+AlfA at public.gmane.org>
> (reason: 450 <apache-RdzIV7WH+z2kJxZZvsxEJOqUGfbH9hYC at public.gmane.org>: Sender address
> rejected: Domain not found)
> <allice-qZ6W2oxyGDIxHbG02/KK1g at public.gmane.org>
> (reason: 450 <apache-RdzIV7WH+z2kJxZZvsxEJOqUGfbH9hYC at public.gmane.org>: Sender address
> rejected: Domain not found)
> <allenrice-/1Rj0zDCqbBfyO9Q7EP/yw at public.gmane.org>
> (reason: 450 <apache-RdzIV7WH+z2kJxZZvsxEJOqUGfbH9hYC at public.gmane.org>: Sender address
> rejected: Domain not found)
> <allespaletti-holz-kqwajW2OMzyakBO8gow8eQ at public.gmane.org>
> (reason: 450 <apache-RdzIV7WH+z2kJxZZvsxEJOqUGfbH9hYC at public.gmane.org>: Sender address
> rejected: Domain not found)
> <allyson-GCuQOguhwe8 at public.gmane.org>
> (reason: 450 <apache-RdzIV7WH+z2kJxZZvsxEJOqUGfbH9hYC at public.gmane.org>: Sender address
> rejected: Domain not found)
>
> ----- Transcript of session follows -----
> ... while talking to email-pri.cobite.com.:
> >>> >>> DATA
> <<< 450 <apache-RdzIV7WH+z2kJxZZvsxEJOqUGfbH9hYC at public.gmane.org>: Sender address rejected: Domain
> not found
> <allissa-pVIobmzmUoTQT0dZR+AlfA at public.gmane.org>... Deferred: 450 <apache-RdzIV7WH+z2kJxZZvsxEJOqUGfbH9hYC at public.gmane.org>:
> Sender address rejected: Domain not found
> <<< 554 Error: no valid recipients
> ... while talking to extrpfx1.extrasecurity.com.:
> >>> >>> DATA
> <<< 450 4.1.8 <apache-RdzIV7WH+z2kJxZZvsxEJOqUGfbH9hYC at public.gmane.org>: Sender address rejected:
> Domain not found
> <allex-jKy1UvXD5lVBDgjK7y7TUQ at public.gmane.org>... Deferred: 450 4.1.8
> <apache-RdzIV7WH+z2kJxZZvsxEJOqUGfbH9hYC at public.gmane.org>: Sender address rejected: Domain not found
> <<< 554 5.5.1 Error: no valid recipients
> <allyson-WSrdACHTE7hWk0Htik3J/w at public.gmane.org>... Deferred: Connection timed out with gistrans.com.
> ... while talking to hknpx2.hknet.com.:
> >>> >>> DATA
> <<< 450 <apache-RdzIV7WH+z2kJxZZvsxEJOqUGfbH9hYC at public.gmane.org>: Sender address rejected: Domain
> not found
> <allanwongcti-QAVr7hiOBegAvxtiuMwx3w at public.gmane.org>... Deferred: 450
> <apache-RdzIV7WH+z2kJxZZvsxEJOqUGfbH9hYC at public.gmane.org>: Sender address rejected: Domain not found
> <<< 421 Access denied. Good Bye!
> ... while talking to hknpx3.hknet.com.:
> >>> >>> DATA
> <<< 450 <apache-RdzIV7WH+z2kJxZZvsxEJOqUGfbH9hYC at public.gmane.org>: Sender address rejected: Domain
> not found
> <allanwongcti-QAVr7hiOBegAvxtiuMwx3w at public.gmane.org>... Deferred: 450
> <apache-RdzIV7WH+z2kJxZZvsxEJOqUGfbH9hYC at public.gmane.org>: Sender address rejected: Domain not found
> <<< 421 Access denied. Good Bye!
> ... while talking to mail.bsiweb.com.:
> >>> >>> DATA
> <<< 450 <apache-RdzIV7WH+z2kJxZZvsxEJOqUGfbH9hYC at public.gmane.org>: Sender address rejected: Domain
> not found
> <allen_prudenyahoo.de-IEmUKwnH1qrQT0dZR+AlfA at public.gmane.org>... Deferred: 450
> <apache-RdzIV7WH+z2kJxZZvsxEJOqUGfbH9hYC at public.gmane.org>: Sender address rejected: Domain not found
> <<< 554 Error: no valid recipients
> ... while talking to mail2.utfors.se.:
> >>> >>> DATA
> <<< 450 <apache-RdzIV7WH+z2kJxZZvsxEJOqUGfbH9hYC at public.gmane.org>: Sender address rejected: Domain
> not found
> <allice-qZ6W2oxyGDIxHbG02/KK1g at public.gmane.org>... Deferred: 450 <apache-RdzIV7WH+z2kJxZZvsxEJOqUGfbH9hYC at public.gmane.org>:
> Sender address rejected: Domain not found
> <<< 554 Error: no valid recipients
> ... while talking to mx.uol.com.br.:
> >>> >>> DATA
> <<< 450 <apache-RdzIV7WH+z2kJxZZvsxEJOqUGfbH9hYC at public.gmane.org>: Sender address rejected: Domain
> not found
> <allenrice-/1Rj0zDCqbBfyO9Q7EP/yw at public.gmane.org>... Deferred: 450 <apache-RdzIV7WH+z2kJxZZvsxEJOqUGfbH9hYC at public.gmane.org>:
> Sender address rejected: Domain not found
> <<< 554 Error: no valid recipients
> ... while talking to smtpin2.net-temps.com.:
> >>> >>> RCPT To:<allespaletti-holz-kqwajW2OMzyakBO8gow8eQ at public.gmane.org>
> <<< 450 <apache-RdzIV7WH+z2kJxZZvsxEJOqUGfbH9hYC at public.gmane.org>: Sender address rejected: Domain
> not found
> <allespaletti-holz-kqwajW2OMzyakBO8gow8eQ at public.gmane.org>... Deferred: 450
> <apache-RdzIV7WH+z2kJxZZvsxEJOqUGfbH9hYC at public.gmane.org>: Sender address rejected: Domain not found
> ... while talking to spamfix.esc.de.:
> >>> >>> MAIL From:<apache-RdzIV7WH+z2kJxZZvsxEJOqUGfbH9hYC at public.gmane.org> SIZE=9094
> <<< 450 <apache-RdzIV7WH+z2kJxZZvsxEJOqUGfbH9hYC at public.gmane.org>: Sender address rejected: Domain
> not found
> <allyson-GCuQOguhwe8 at public.gmane.org>... Deferred: 450 <apache-RdzIV7WH+z2kJxZZvsxEJOqUGfbH9hYC at public.gmane.org>: Sender
> address rejected: Domain not found
> Message could not be delivered for 5 days
> Message will be deleted from queue
>
>
>
> Reporting-MTA: dns; srv01.nouvelocity.com
> Arrival-Date: Sun, 5 Feb 2006 11:56:39 -0500
>
> Final-Recipient: RFC822; allissa-pVIobmzmUoTQT0dZR+AlfA at public.gmane.org
> Action: failed
> Status: 4.4.7
> Remote-MTA: DNS; email-pri.cobite.com
> Diagnostic-Code: SMTP; 450 <apache-RdzIV7WH+z2kJxZZvsxEJOqUGfbH9hYC at public.gmane.org>: Sender
> address rejected: Domain not found
> Last-Attempt-Date: Fri, 10 Feb 2006 13:57:18 -0500
>
> Final-Recipient: RFC822; allex-jKy1UvXD5lVBDgjK7y7TUQ at public.gmane.org
> Action: failed
> Status: 4.4.7
> Remote-MTA: DNS; extrpfx1.extrasecurity.com
> Diagnostic-Code: SMTP; 450 4.1.8 <apache-RdzIV7WH+z2kJxZZvsxEJOqUGfbH9hYC at public.gmane.org>: Sender
> address rejected: Domain not found
> Last-Attempt-Date: Fri, 10 Feb 2006 14:00:29 -0500
>
> Final-Recipient: RFC822; allyson-WSrdACHTE7hWk0Htik3J/w at public.gmane.org
> Action: failed
> Status: 4.4.7
> Remote-MTA: DNS; gistrans.com
> Last-Attempt-Date: Fri, 10 Feb 2006 14:02:29 -0500
>
> Final-Recipient: RFC822; allanwongcti-QAVr7hiOBegAvxtiuMwx3w at public.gmane.org
> Action: failed
> Status: 4.4.7
> Remote-MTA: DNS; hknpx3.hknet.com
> Diagnostic-Code: SMTP; 450 <apache-RdzIV7WH+z2kJxZZvsxEJOqUGfbH9hYC at public.gmane.org>: Sender
> address rejected: Domain not found
> Last-Attempt-Date: Fri, 10 Feb 2006 14:11:17 -0500
>
> Final-Recipient: RFC822; allen_prudenyahoo.de-IEmUKwnH1qrQT0dZR+AlfA at public.gmane.org
> Action: failed
> Status: 4.4.7
> Remote-MTA: DNS; mail.bsiweb.com
> Diagnostic-Code: SMTP; 450 <apache-RdzIV7WH+z2kJxZZvsxEJOqUGfbH9hYC at public.gmane.org>: Sender
> address rejected: Domain not found
> Last-Attempt-Date: Fri, 10 Feb 2006 14:11:20 -0500
>
> Final-Recipient: RFC822; allice-qZ6W2oxyGDIxHbG02/KK1g at public.gmane.org
> Action: failed
> Status: 4.4.7
> Remote-MTA: DNS; mail2.utfors.se
> Diagnostic-Code: SMTP; 450 <apache-RdzIV7WH+z2kJxZZvsxEJOqUGfbH9hYC at public.gmane.org>: Sender
> address rejected: Domain not found
> Last-Attempt-Date: Fri, 10 Feb 2006 14:13:23 -0500
>
> Final-Recipient: RFC822; allenrice-/1Rj0zDCqbBfyO9Q7EP/yw at public.gmane.org
> Action: failed
> Status: 4.4.7
> Remote-MTA: DNS; mx.uol.com.br
> Diagnostic-Code: SMTP; 450 <apache-RdzIV7WH+z2kJxZZvsxEJOqUGfbH9hYC at public.gmane.org>: Sender
> address rejected: Domain not found
> Last-Attempt-Date: Fri, 10 Feb 2006 14:13:49 -0500
>
> Final-Recipient: RFC822; allespaletti-holz-kqwajW2OMzyakBO8gow8eQ at public.gmane.org
> Action: failed
> Status: 4.4.7
> Remote-MTA: DNS; smtpin2.net-temps.com
> Diagnostic-Code: SMTP; 450 <apache-RdzIV7WH+z2kJxZZvsxEJOqUGfbH9hYC at public.gmane.org>: Sender
> address rejected: Domain not found
> Last-Attempt-Date: Fri, 10 Feb 2006 14:14:39 -0500
>
> Final-Recipient: RFC822; allyson-GCuQOguhwe8 at public.gmane.org
> Action: failed
> Status: 4.4.7
> Diagnostic-Code: SMTP; 450 <apache-RdzIV7WH+z2kJxZZvsxEJOqUGfbH9hYC at public.gmane.org>: Sender
> address rejected: Domain not found
> Last-Attempt-Date: Fri, 10 Feb 2006 14:16:40 -0500
>
>
>
> Subject:
> Hello
> From:
> ThePickOfTheYear847-RdzIV7WH+z2kJxZZvsxEJOqUGfbH9hYC at public.gmane.org
> Date:
> Sun, 5 Feb 2006 11:54:26 -0500
> BCC:
> Return-Path:
> <apache-RdzIV7WH+z2kJxZZvsxEJOqUGfbH9hYC at public.gmane.org>
> Received:
> from srv01.nouvelocity.com (srv01.nouvelocity.com [127.0.0.1]) by
> srv01.nouvelocity.com (8.13.1/8.13.1) with ESMTP id k15Gud7q019218; Sun,
> 5 Feb 2006 11:56:39 -0500
> Received:
> (from apache at localhost) by srv01.nouvelocity.com (8.13.1/8.13.1/Submit)
> id k15GsQ2U019214; Sun, 5 Feb 2006 11:54:26 -0500
> Message-ID:
> <200602051654.k15GsQ2U019214-RdzIV7WH+z2kJxZZvsxEJOqUGfbH9hYC at public.gmane.org>
> Content-Type:
> text/html; charset="us-ascii"
> MIME-Version:
> 1.0
> Content-Transfer-Encoding:
> 7bit
>
> <actual spam snippet>
>
> [=- End sample email -=]
Hmm, it really does look like the user apache on srv01.nouvelocity.com
(or at least the server thinks that is its name) is being asked to email
those people and that since there probably is no DNS record for such a
server the remote mail servers are denying it.
Does the server in question have any code on the web server that should
send email to anyone ever?
Any chance you installed one of those stupid perl formmail.pl or whatever
they are called things which are known to have major security problems
and allow remote creation of mail essentially making an open spam
relay system?
Any chance you have a script on the server that is buggy and permitting
someone to run code that tries to send spam?
Check the web logs around the time of each email was supposedly sent to
see what requests were coming in.
Of course there is also the chance someone managed to hack the server
and gain access to run as the apache user (which can't usually do much,
but it can try to sent email).
Len Sorensen
--
The Toronto Linux Users Group. Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
More information about the Legacy
mailing list