Spam problem

John Van Ostrand john-Da48MpWaEp0CzWx7n4ubxQ at public.gmane.org
Thu Jun 14 00:09:05 UTC 2007


On Wed, 2007-06-13 at 18:46 -0400, Madison Kelly wrote:

> Hi all,
> 
>    One of the domains I maintain started getting a pile of bounce 
> messages. All the messages have the 'From' headers set to '"Some 
> Variable Name" <tabnouvelocitydyh-UqHW2wehKNmfJOJzLBvvIA at public.gmane.org>' which is not a valid 
> address. At first I assumed this was just a couple of mail servers falling 
> for forged headers but now it's a steady stream of bounces.
> 
>    I've tried looking to see that it's not coming from/via my server but 
> so far I can't see a problem. It looks like the source IP is in Poland 
> but I worry I may be wrong. Here is a sample header from a bounce. Can 
> you guys help reassure me that my server hasn't been opened/compromised?
> 
> Thanks!!
> 
> A concerned Madison
> 
> 
> -=-=-=-=-=-=-=-
> Reporting-MTA: dns; rly-ya01.mx.aol.com
> Arrival-Date: Wed, 13 Jun 2007 18:22:11 -0400 (EDT)
> 
> Final-Recipient: RFC822; lui003-YDxpq3io04c at public.gmane.org
> Action: failed
> Status: 5.2.2
> Remote-MTA: DNS; air-ya02.mail.aol.com
> Diagnostic-Code: SMTP; 552 lui003 MAILBOX FULL
> Last-Attempt-Date: Wed, 13 Jun 2007 18:22:33 -0400 (EDT)
> 
> 
> Received: from h110277.serverkompetenz.net (h110277.serverkompetenz.net 
> [81.169.140.18]) by rly-ya01.mx.aol.com (v115.17) with ESMTP id 
> MAILRELAYINYA11-13746706e12262; Wed, 13 Jun 2007 18:22:11 -0400
> Received: (qmail 858 invoked by uid 60000); 13 Jun 2007 22:22:08 -0000
> Delivered-To: hint-b2wzkxdXO60bhb6IIWwbbQ at public.gmane.org
> Received: (qmail 842 invoked by uid 60000); 13 Jun 2007 22:22:07 -0000
> Delivered-To: hint-/xECjfLExT1BDgjK7y7TUQ at public.gmane.org
> Received: (qmail 808 invoked by uid 60000); 13 Jun 2007 22:22:07 -0000
> Received: from 62.121.109.141 by h110277 (envelope-from 
> <tabnouvelocitydyh-UqHW2wehKNmfJOJzLBvvIA at public.gmane.org>, uid 60004) with 
> qmail-scanner-1.24st visas
>   (spamassassin: 2.55.
>   Clear:RC:0(62.121.109.141):SA:0(2.1/8.0):.
>   Processed in 0.458876 secs); 13 Jun 2007 22:22:07 -0000
> X-Spam-Status: No, hits=2.1 required=8.0
> X-Envelope-From: tabnouvelocitydyh-UqHW2wehKNmfJOJzLBvvIA at public.gmane.org
> Received: from 141-mo3-6.acn.waw.pl (62.121.109.141)
>    by h110277.serverkompetenz.net with SMTP; 13 Jun 2007 22:22:07 -0000
> Received: from 192.139.81.120 (HELO mail.nouvelocity.com)
>       by brannet.com with esmtp (I<0-2S932 N/-(Q)
>       id (HX+F--AGAF-'-)7
>       for home-/xECjfLExT1BDgjK7y7TUQ at public.gmane.org; Wed, 13 Jun 2007 22:21:32 -0100
> Date: Wed, 13 Jun 2007 22:21:32 -0100
> From: "Karen Sullivan" <tabnouvelocitydyh-UqHW2wehKNmfJOJzLBvvIA at public.gmane.org>
> X-Mailer: The Bat! (v2.10.03) Personal
> X-Priority: 3 (Normal)
> Message-ID: <834032768.79579868946668-VRR/Z2xxn2bR7s880joybQ at public.gmane.org>
> To: home-/xECjfLExT1BDgjK7y7TUQ at public.gmane.org
> Subject: Hey - Don't get ripped off
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
>    boundary="----------0C38DAB4F29CABB"
> X-Spam: Not detected
> X-Qmail-Scanner-MOVED-X-Spam-Status: No, hits=2.1 required=8.0
> 	tests=AMAZING_STUFF,HTML_10_20,HTML_FONT_COLOR_UNSAFE,
> 	      HTML_MESSAGE,MIME_LONG_LINE_QP
> 	version=2.55
> X-Spam-Level: **
> X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
> X-AOL-IP: 81.169.140.18
> X-AOL-SCOLL-SCORE: 0:2:386343366:6710886
> X-AOL-SCOLL-URL_COUNT: 0
> -=-=-=-=-=-=-=-
> 
> In this case the source IP seems to be 62.121.109.141 which resolves as:

My guess is that it's actually from 192.139.81.120. It's a little odd that
there are headers between the Received lines. I have heard of forged
headers but I've yet to see one.

One way to deal with this is to add a signature to the headers of each
outgoing message. Then you check the bounce messages for that same
signature. If it's not there then the message didn't go through your
server.
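The signing check suggested above, worked through as an added example (this is not code from the thread or from any of the mail systems named in it). Outgoing mail gets a keyed HMAC tag bound to its Message-ID and From header; a bounce is then treated as genuine only if the headers it returns carry a tag that verifies under our key. As a second check it walks the returned Received: lines and reports whether any of our hosts appears in the chain. The header name X-Outbound-Sig, the secret key, the host names and both sample bounces are constructed for this example; the bounce parser assumes the original headers come back as a blank-line-separated block, as in the sample quoted above, rather than inside a multipart/report DSN.

```python
"""Tell real bounces of our own mail from backscatter caused by forged From headers.

Added example; not code from the original post. Header name, key, hosts and
sample messages are all constructed for illustration.
"""
import hashlib
import hmac
import re
from email import policy
from email.message import EmailMessage
from email.parser import Parser

SIG_HEADER = "X-Outbound-Sig"            # assumed header name
SECRET_KEY = b"assumed-per-server-secret"  # assumed; must stay private to our MTA


def _signing_input(msg):
    # Bind the tag to fields a spammer has to forge and a bounce normally returns
    # unchanged: the Message-ID and the From header.
    mid = (msg.get("Message-ID") or "").strip()
    frm = (msg.get("From") or "").strip()
    return (mid + "\n" + frm).encode()


def _tag(msg, key):
    return hmac.new(key, _signing_input(msg), hashlib.sha256).hexdigest()[:32]


def sign_outgoing(msg, key=SECRET_KEY):
    """Stamp an outgoing message with a truncated HMAC-SHA256 tag."""
    del msg[SIG_HEADER]  # never stack tags if the message is re-sent
    tag = _tag(msg, key)
    msg[SIG_HEADER] = tag
    return tag


def signature_valid(msg, key=SECRET_KEY):
    """True only if the message carries a tag that verifies under our key."""
    got = (msg.get(SIG_HEADER) or "").strip()
    return bool(got) and hmac.compare_digest(got, _tag(msg, key))


def returned_headers(bounce_text):
    """Find the original message's header block quoted back in a bounce."""
    for block in re.split(r"\n\s*\n", bounce_text.strip()):
        if re.search(r"^Message-ID:", block, re.I | re.M):
            return Parser(policy=policy.default).parsestr(block, headersonly=True)
    return None


_FROM_HOST = re.compile(r"\bfrom\s+([^\s;(]+)", re.I)


def received_hops(msg):
    """Host or IP named after 'from' in each Received: header, newest hop first."""
    hops = []
    for rcv in msg.get_all("Received", []):
        m = _FROM_HOST.search(str(rcv))
        hops.append(m.group(1) if m else "(local)")
    return hops


def classify_bounce(bounce_text, my_hosts, key=SECRET_KEY):
    """Decide whether a bounce refers to mail that really left our server."""
    hdrs = returned_headers(bounce_text)
    if hdrs is None:
        return {"verdict": "no-headers", "signed_by_us": False,
                "our_host_in_chain": False, "hops": []}
    hops = received_hops(hdrs)
    mine = {h.lower() for h in my_hosts}
    in_chain = any(h.lower() in mine for h in hops)
    signed = signature_valid(hdrs, key)
    if signed:
        verdict = "genuine-bounce"
    elif in_chain:
        verdict = "unsigned-but-relayed"  # left our host without passing the signer
    else:
        verdict = "backscatter"           # forged From; never touched our server
    return {"verdict": verdict, "signed_by_us": signed,
            "our_host_in_chain": in_chain, "hops": hops}


# Constructed sample: a forged-From bounce shaped like the one quoted in the post.
FORGED_BOUNCE = """\
Reporting-MTA: dns; rly-example.mx.example.com
Action: failed
Status: 5.2.2

Received: from relay.example.net (relay.example.net [192.0.2.18])
    by rly-example.mx.example.com with ESMTP; Wed, 13 Jun 2007 18:22:11 -0400
Received: from 198.51.100.141 by relay.example.net with SMTP; 13 Jun 2007 22:22:07 -0000
From: "Karen Sullivan" <bogus@mail.example.org>
Message-ID: <834032768.79579868946668@mail.example.org>
To: victim@example.com
Subject: Hey - Don't get ripped off
"""


def build_genuine_bounce(key=SECRET_KEY):
    """Sign a constructed outgoing message, then wrap its headers in a bounce."""
    msg = EmailMessage()
    msg["From"] = "Madison <madison@mail.example.org>"
    msg["To"] = "someone@example.com"
    msg["Subject"] = "hello"
    msg["Message-ID"] = "<20070613.1@mail.example.org>"
    sign_outgoing(msg, key)
    headers = "".join(f"{k}: {v}\n" for k, v in msg.items())
    return ("Reporting-MTA: dns; mx.example.com\nAction: failed\nStatus: 5.1.1\n\n"
            "Received: from mail.example.org (mail.example.org [192.0.2.7])\n"
            "    by mx.example.com with ESMTP; Wed, 13 Jun 2007 18:22:11 -0400\n"
            + headers)


if __name__ == "__main__":
    for name, text in (("forged", FORGED_BOUNCE), ("genuine", build_genuine_bounce())):
        print(name, classify_bounce(text, ["mail.example.org"]))
```

The tag is a keyed MAC rather than a plain marker string so that a spammer who has seen one of our messages cannot mint a valid header for a different From or Message-ID; replaying the exact headers of a captured message still verifies, which is why the Received walk is kept as an independent check. Binding the tag to the Date header as well, and rejecting tags older than your bounce window, would limit that replay further.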