Spam problem

Madison Kelly linux-5ZoueyuiTZhBDgjK7y7TUQ at public.gmane.org
Wed Jun 13 22:46:47 UTC 2007 

Hi all,

   One of the domains I maintain started getting a pile of bounce 
messages. All the messages have the 'From' headers set to '"Some 
Variable Name" <tabnouvelocitydyh-UqHW2wehKNmfJOJzLBvvIA at public.gmane.org>' which is not a valid 
address. At first I assumed this was just a couple mail servers falling 
for forged headers but now it's a steady stream of bounces.

   I've tried looking to see that it's not coming from/via my server but 
so far I can't see a problem. It looks like the source IP is in Poland 
but I worry I may be wrong. Here is a sample header from a bounce. Can 
you guys help reassure me that my server hasn't been opened/compromised?

Thanks!!

A concerned Madison


-=-=-=-=-=-=-=-
Reporting-MTA: dns; rly-ya01.mx.aol.com
Arrival-Date: Wed, 13 Jun 2007 18:22:11 -0400 (EDT)

Final-Recipient: RFC822; lui003-YDxpq3io04c at public.gmane.org
Action: failed
Status: 5.2.2
Remote-MTA: DNS; air-ya02.mail.aol.com
Diagnostic-Code: SMTP; 552 lui003 MAILBOX FULL
Last-Attempt-Date: Wed, 13 Jun 2007 18:22:33 -0400 (EDT)


Received: from h110277.serverkompetenz.net (h110277.serverkompetenz.net 
[81.169.140.18]) by rly-ya01.mx.aol.com (v115.17) with ESMTP id 
MAILRELAYINYA11-13746706e12262; Wed, 13 Jun 2007 18:22:11 -0400
Received: (qmail 858 invoked by uid 60000); 13 Jun 2007 22:22:08 -0000
Delivered-To: hint-b2wzkxdXO60bhb6IIWwbbQ at public.gmane.org
Received: (qmail 842 invoked by uid 60000); 13 Jun 2007 22:22:07 -0000
Delivered-To: hint-/xECjfLExT1BDgjK7y7TUQ at public.gmane.org
Received: (qmail 808 invoked by uid 60000); 13 Jun 2007 22:22:07 -0000
Received: from 62.121.109.141 by h110277 (envelope-from 
<tabnouvelocitydyh-UqHW2wehKNmfJOJzLBvvIA at public.gmane.org>, uid 60004) with 
qmail-scanner-1.24st visas
  (spamassassin: 2.55.
  Clear:RC:0(62.121.109.141):SA:0(2.1/8.0):.
  Processed in 0.458876 secs); 13 Jun 2007 22:22:07 -0000
X-Spam-Status: No, hits=2.1 required=8.0
X-Envelope-From: tabnouvelocitydyh-UqHW2wehKNmfJOJzLBvvIA at public.gmane.org
Received: from 141-mo3-6.acn.waw.pl (62.121.109.141)
   by h110277.serverkompetenz.net with SMTP; 13 Jun 2007 22:22:07 -0000
Received: from 192.139.81.120 (HELO mail.nouvelocity.com)
      by brannet.com with esmtp (I<0-2S932 N/-(Q)
      id (HX+F--AGAF-'-)7
      for home-/xECjfLExT1BDgjK7y7TUQ at public.gmane.org; Wed, 13 Jun 2007 22:21:32 -0100
Date: Wed, 13 Jun 2007 22:21:32 -0100
From: "Karen Sullivan" <tabnouvelocitydyh-UqHW2wehKNmfJOJzLBvvIA at public.gmane.org>
X-Mailer: The Bat! (v2.10.03) Personal
X-Priority: 3 (Normal)
Message-ID: <834032768.79579868946668-VRR/Z2xxn2bR7s880joybQ at public.gmane.org>
To: home-/xECjfLExT1BDgjK7y7TUQ at public.gmane.org
Subject: Hey - Don't get ripped off
MIME-Version: 1.0
Content-Type: multipart/alternative;
   boundary="----------0C38DAB4F29CABB"
X-Spam: Not detected
X-Qmail-Scanner-MOVED-X-Spam-Status: No, hits=2.1 required=8.0
	tests=AMAZING_STUFF,HTML_10_20,HTML_FONT_COLOR_UNSAFE,
	      HTML_MESSAGE,MIME_LONG_LINE_QP
	version=2.55
X-Spam-Level: **
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
X-AOL-IP: 81.169.140.18
X-AOL-SCOLL-SCORE: 0:2:386343366:6710886
X-AOL-SCOLL-URL_COUNT: 0
-=-=-=-=-=-=-=-

In this case the source IP seems to be 62.121.109.141 which resolves as:

-=-=-=-=-=-=-=-
dig -x 62.121.109.141

; <<>> DiG 9.3.4 <<>> -x 62.121.109.141
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50754
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;141.109.121.62.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
141.109.121.62.in-addr.arpa. 86401 IN   PTR     141-mo3-6.acn.waw.pl.

;; AUTHORITY SECTION:
109.121.62.in-addr.arpa. 86401  IN      NS      dns.astercity.net.
109.121.62.in-addr.arpa. 86401  IN      NS      dns1.astercity.net.

;; ADDITIONAL SECTION:
dns.astercity.net.      172800  IN      A       212.76.32.1
dns1.astercity.net.     172800  IN      A       212.76.33.1

;; Query time: 549 msec
;; SERVER: 192.168.2.10#53(192.168.2.10)
;; WHEN: Wed Jun 13 18:45:23 2007
;; MSG SIZE  rcvd: 161
-=-=-=-=-=-=-=-
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists

More information about the Legacy mailing list