Security Basics mailing list archives

RE: Receiving spam from my own server


From: "Adam Rosen" <ajrosen () buffdata com>
Date: Wed, 6 Dec 2006 08:31:16 -0500

Dave,

When you say "I am receiving spam e-mails", what inbox is getting those
emails? Is it your dave.j.moore () gmail com account? Do you have any
forwarding set up for any email to someone () foobar net to go to that
address? If info () foobar net for example is set to forward to your gmail
account, then this is common - and the sender address is the easiest
thing to forge. Making it look as if someone inside your domain is the
sender is an old trick. I'd say that someone sent an email to
info () foobar net where it got picked up by an internal mail server which
then forwarded the mail to gmail.

Adam

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Dave Moore
Sent: Friday, December 01, 2006 5:38 PM
To: security-basics () securityfocus com
Subject: Receiving spam from my own server

Hello all-

I run a webserver, let's call it foobar.net

I am receiving spam e-mails from addresses such as info () foobar net,
admin () foobar net, etc. I ran the open relay tests at ordb.org, and they
report that my server is not an open relay.

I'd appreciate any suggestions as to where I should go next.

Here are some headers that I've attempted to sanitize (i.e. remove my
hostname and ip)

Delivered-To: dave.j.moore () gmail com
Received: by 10.82.163.14 with SMTP id l14cs33696bue;
        Fri, 1 Dec 2006 13:26:41 -0800 (PST)
Received: by 10.90.103.2 with SMTP id a2mr5744854agc.1165008401102;
        Fri, 01 Dec 2006 13:26:41 -0800 (PST)
Return-Path: <info () avitas net>
Received: from www.foobar.net (www.foobar.net [66.xx.xx.xx])
        by mx.google.com with ESMTP id 12si654066wrl.2006.12.01.13.26.40;
        Fri, 01 Dec 2006 13:26:41 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of
        info () foobar net designates 66.xx.xx.xx as permitted sender)
Received: from e180234232.adsl.alicedsl.de (e180234232.adsl.alicedsl.de
        [85.180.234.232])
        by www.foobar.net (8.13.1/8.13.1) with SMTP id kB1LQbEt016235
        for <info () foobar net>; Fri, 1 Dec 2006 15:26:39 -0600
Date: Fri, 1 Dec 2006 15:26:37 -0600
From: info () foobar net
Message-Id: <200612012126.kB1LQbEt016235 () www foobar net>
To: info () foobar net
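
The delivery path described in the reply can be read directly from the Received chain of the quoted headers. The following is an added example, not part of the original thread: it walks the chain oldest hop first and reports where a host in the recipient's domain accepted the message from outside while From: claimed that same domain. The sample message is constructed from the posted headers, and the function names are assumptions of this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modeled on the headers quoted in the post; addresses are
# de-obfuscated and the sanitized IP (66.xx.xx.xx) is kept as posted.
SAMPLE = """\
Delivered-To: dave.j.moore@gmail.com
Received: by 10.82.163.14 with SMTP id l14cs33696bue;
        Fri, 1 Dec 2006 13:26:41 -0800 (PST)
Received: from www.foobar.net (www.foobar.net [66.xx.xx.xx])
        by mx.google.com with ESMTP id 12si654066wrl.2006.12.01.13.26.40;
        Fri, 01 Dec 2006 13:26:41 -0800 (PST)
Received: from e180234232.adsl.alicedsl.de (e180234232.adsl.alicedsl.de
        [85.180.234.232])
        by www.foobar.net (8.13.1/8.13.1) with SMTP id kB1LQbEt016235
        for <info@foobar.net>; Fri, 1 Dec 2006 15:26:39 -0600
From: info@foobar.net
To: info@foobar.net

(body omitted)
"""

# "from <helo> (<rdns> [<ip>]) by <host>". The HELO name is chosen by the
# client, so only the rDNS name and IP logged by the receiver are captured.
HOP = re.compile(r"from \S+ \((?:(\S+) )?\[([^\]]+)\]\) by (\S+)")

def in_domain(host, domain):
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def hops(raw):
    """Return (rdns, ip, by_host) for each relay hop, oldest first."""
    received = message_from_string(raw).get_all("Received", [])
    found = (HOP.search(" ".join(v.split())) for v in reversed(received))
    return [m.groups() for m in found if m]

def external_entry(raw, domain):
    """First hop where a host in `domain` accepted the mail from outside it."""
    for rdns, ip, by_host in hops(raw):
        if in_domain(by_host, domain) and not in_domain(rdns, domain):
            return rdns, ip, by_host
    return None

def forged_internal_sender(raw, domain):
    """True if From: claims `domain` but the mail was handed in from outside."""
    sender = parseaddr(message_from_string(raw)["From"])[1]
    claims_domain = in_domain(sender.rpartition("@")[2], domain)
    return claims_domain and external_entry(raw, domain) is not None
```

Only Received lines written by servers you operate can be trusted; anything below the first such line is supplied by the sender. Legitimate users who submit mail through the same server from outside networks will also match, so treat a hit as a lead to check against authenticated submission logs.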

