Spam problem
John Van Ostrand
john-Da48MpWaEp0CzWx7n4ubxQ at public.gmane.org
Thu Jun 14 00:09:05 UTC 2007
On Wed, 2007-06-13 at 18:46 -0400, Madison Kelly wrote:
> Hi all,
>
> One of the domains I maintain started getting a pile of bounce
> messages. All the messages have the 'From' headers set to '"Some
> Variable Name" <tabnouvelocitydyh-UqHW2wehKNmfJOJzLBvvIA at public.gmane.org>' which is not a valid
> address. At first I assumed this was just a couple mail servers falling
> for forged headers but now it's a steady stream of bounces.
>
> I've tried looking to see that it's not coming from/via my server but
> so far I can't see a problem. It looks like the source IP is in Poland
> but I worry I may be wrong. Here is a sample header from a bounce. Can
> you guys help reassure me that my server hasn't been opened/compromised?
>
> Thanks!!
>
> A concerned Madison
>
>
> -=-=-=-=-=-=-=-
> Reporting-MTA: dns; rly-ya01.mx.aol.com
> Arrival-Date: Wed, 13 Jun 2007 18:22:11 -0400 (EDT)
>
> Final-Recipient: RFC822; lui003-YDxpq3io04c at public.gmane.org
> Action: failed
> Status: 5.2.2
> Remote-MTA: DNS; air-ya02.mail.aol.com
> Diagnostic-Code: SMTP; 552 lui003 MAILBOX FULL
> Last-Attempt-Date: Wed, 13 Jun 2007 18:22:33 -0400 (EDT)
>
>
> Received: from h110277.serverkompetenz.net (h110277.serverkompetenz.net
> [81.169.140.18]) by rly-ya01.mx.aol.com (v115.17) with ESMTP id
> MAILRELAYINYA11-13746706e12262; Wed, 13 Jun 2007 18:22:11 -0400
> Received: (qmail 858 invoked by uid 60000); 13 Jun 2007 22:22:08 -0000
> Delivered-To: hint-b2wzkxdXO60bhb6IIWwbbQ at public.gmane.org
> Received: (qmail 842 invoked by uid 60000); 13 Jun 2007 22:22:07 -0000
> Delivered-To: hint-/xECjfLExT1BDgjK7y7TUQ at public.gmane.org
> Received: (qmail 808 invoked by uid 60000); 13 Jun 2007 22:22:07 -0000
> Received: from 62.121.109.141 by h110277 (envelope-from
> <tabnouvelocitydyh-UqHW2wehKNmfJOJzLBvvIA at public.gmane.org>, uid 60004) with
> qmail-scanner-1.24st visas
> (spamassassin: 2.55.
> Clear:RC:0(62.121.109.141):SA:0(2.1/8.0):.
> Processed in 0.458876 secs); 13 Jun 2007 22:22:07 -0000
> X-Spam-Status: No, hits=2.1 required=8.0
> X-Envelope-From: tabnouvelocitydyh-UqHW2wehKNmfJOJzLBvvIA at public.gmane.org
> Received: from 141-mo3-6.acn.waw.pl (62.121.109.141)
> by h110277.serverkompetenz.net with SMTP; 13 Jun 2007 22:22:07 -0000
> Received: from 192.139.81.120 (HELO mail.nouvelocity.com)
> by brannet.com with esmtp (I<0-2S932 N/-(Q)
> id (HX+F--AGAF-'-)7
> for home-/xECjfLExT1BDgjK7y7TUQ at public.gmane.org; Wed, 13 Jun 2007 22:21:32 -0100
> Date: Wed, 13 Jun 2007 22:21:32 -0100
> From: "Karen Sullivan" <tabnouvelocitydyh-UqHW2wehKNmfJOJzLBvvIA at public.gmane.org>
> X-Mailer: The Bat! (v2.10.03) Personal
> X-Priority: 3 (Normal)
> Message-ID: <834032768.79579868946668-VRR/Z2xxn2bR7s880joybQ at public.gmane.org>
> To: home-/xECjfLExT1BDgjK7y7TUQ at public.gmane.org
> Subject: Hey - Don't get ripped off
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="----------0C38DAB4F29CABB"
> X-Spam: Not detected
> X-Qmail-Scanner-MOVED-X-Spam-Status: No, hits=2.1 required=8.0
> tests=AMAZING_STUFF,HTML_10_20,HTML_FONT_COLOR_UNSAFE,
> HTML_MESSAGE,MIME_LONG_LINE_QP
> version=2.55
> X-Spam-Level: **
> X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
> X-AOL-IP: 81.169.140.18
> X-AOL-SCOLL-SCORE: 0:2:386343366:6710886
> X-AOL-SCOLL-URL_COUNT: 0
> -=-=-=-=-=-=-=-
>
> In this case the source IP seems to be 62.121.109.141 which resolves as:
My guess is that it's actual from 192.139.81.120. It's a little odd that
there are headers between the Received lines. I have heard of forged
headers but I've yet to see one.
One way to deal with this is to add a signature to the headers of each
outgoing message. Then you check the bounce messages for that same
signature. If it's not there then the message didn't go through your
server.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://gtalug.org/pipermail/legacy/attachments/20070613/0d8c5bda/attachment.html>
More information about the Legacy
mailing list