
Email origin - forged address


Robert M. Opalko

Mar 30, 2010, 10:56:47 AM
I had several users today complain of receiving a spam message from
their own email address, forged. However, I cannot tell if this message
is being generated from within our network internally from a trojan or
if it is coming from an external source that CGPro is letting through as
if it were a valid client. Here are the headers from the message
(account name changed to "user"):

Return-Path: <us...@oxfordms.net>
Received: from zorak.unsl.edu.ar ([170.210.174.89] verified)
   by oxfordms.net (CommuniGate Pro SMTP 5.3.4)
   with SMTPS id 1834916 for us...@oxfordms.net; Tue, 30 Mar 2010 08:18:39 -0500
From: Approved VIAGRA® Store <us...@oxfordms.net>
Subject: Your Future Order with 73% off retail
To: <us...@oxfordms.net>
MIME-Version: 1.0
Content-Type: text/html
X-Antivirus: avast! (VPS 100330-0, 30/03/2010), Outbound message
X-Antivirus-Status: Clean
Date: Tue, 30 Mar 2010 08:18:40 -0500
Message-ID: <auto-000...@oxfordms.net>

And the relevant log item from CGPro (which I unfortunately have turned
way down):

08:18:40.777 2 SMTPI-004726(zorak.unsl.edu.ar) [1834916] received encrypted, 2781 bytes
08:18:40.777 2 QUEUE([1834916]) from<us...@oxfordms.net>, 2781 bytes (<auto-000...@oxfordms.net>)
08:18:40.779 2 QUEUE([1834916]) enqueued
08:18:40.781 2 ACCOUNT(user) [1834916] delivered
08:18:40.781 2 DEQUEUER [1834916] LOCAL(user) delivered: Delivered to the user mailbox
08:18:40.781 2 QUEUE([1834916]) deleted

I think I'm missing the forest for the trees here, but I don't know
what. Any help appreciated.
Cheers
Robert Opalko

#############################################################
This message is sent to you because you are subscribed to
the mailing list <CGat...@mail.stalker.com>.
To unsubscribe, E-mail to: <CGateP...@mail.stalker.com>
To switch to the DIGEST mode, E-mail to <CGatePr...@mail.stalker.com>
To switch to the INDEX mode, E-mail to <CGatePr...@mail.stalker.com>
Send administrative queries to <CGatePro...@mail.stalker.com>

Paul Chauvet

Mar 30, 2010, 11:07:16 AM
Hello Robert,

It looks to me as if zorak.unsl.edu.ar sent the message with the spoofed From address of your user to that same user.  I don't see anything that indicates the message was sent from within your network (and since it's to a local user, there's no improper relaying going on).



------------------------------------------
Paul Chauvet
UNIX/Linux Systems Administrator
State University of New York at New Paltz
845-257-3828
chau...@newpaltz.edu
------------------------------------------

----- "Robert M. Opalko" <opa...@oxfordms.net> wrote:
I had several users today complain of receiving a spam message from
their own email address, forged.  However, I cannot tell if this message
is being generated from within our network internally from a trojan or
if it is coming from an external source that CGPro is letting through as
if it were a valid client.  Here are the headers from the message
(account name changed to "user"):

Return-Path: <us...@oxfordms.net>
Received: from zorak.unsl.edu.ar ([170.210.174.89] verified)
   by oxfordms.net (CommuniGate Pro SMTP 5.3.4)
   with SMTPS id 1834916 for us...@oxfordms.net; Tue, 30 Mar 2010 08:18:39 -0500
From: Approved VIAGRA® Store <us...@oxfordms.net>

Robert M. Opalko

Mar 30, 2010, 11:50:35 AM
Thanks, the odd thing is the message does not appear in our Barracuda (spam appliance which hands off mail to our CGPro server) log as a message that has been received.  Shouldn't it?  Again, I'm missing the obvious I think.
Cheers,
Robert Opalko

Paul Chauvet

Mar 30, 2010, 12:58:06 PM
Hi Robert,

Does your CGP server accept mail from outside if it hasn't passed through the Barracuda yet?  Even though the Barracuda may be what is in your MX record, some spammers will still try to send directly to your mail server.

What we do here is basically blacklist all IP addresses on the Internet, excluding our own servers.  This way messages which are sent from users (via SMTP AUTH), from our mail gateway, or from other servers on our network go through.  All other mail that tries to send to our CGP server (non-authenticated, and not from our client IPs) is rejected - even to internal users.

Gib Henry

Mar 31, 2010, 8:52:50 AM
On 3/31/10 at 4:00 AM -0700, CommuniGate Pro Discussions wrote:
Date: Tue, 30 Mar 2010 09:56:47 -0500
From: "Robert M. Opalko" <opa...@oxfordms.net>
Subject: Email origin - forged address
Content-Type: text/plain; format=flowed
Content-Transfer-Encoding: 8bit
I had several users today complain of receiving a spam message from their own email address, forged.  However, I cannot tell if this message is being generated from within our network internally from a trojan or if it is coming from an external source that CGPro is letting through as if it were a valid client.  Here are the headers from the message (account name changed to "user"):

Return-Path:<us...@oxfordms.net> ...

I suspect turning on either AUTH to Everybody, Reverse Check, or SPF Checking (if you have SPF records in your DNS setup) at Settings/Mail/SMTP/Receiving would have stopped that message cold, before you even received it.  I use all three, and see a lot of log entries rejecting messages ostensibly from some user at our domain, like these from this morning:

01:57:02.507 1 SMTPI-007416([117.242.28.187]) Return-Path 'g...@realpeople.com' rejected: sender requires authentication
02:43:34.406 1 SMTPI-007440([122.161.247.9]) Return-Path 'g...@gibhenry.com' rejected: sender requires authentication
02:54:22.761 1 SMTPI-007448(host-70-45-173-189.onelinkpr.net) Return-Path 'ag...@realpeople.com' rejected: sender requires authentication
03:24:49.097 1 SMTPI-007454([213.85.230.199]) Return-Path 'mic...@realpeople.com' rejected: sender requires authentication
04:35:52.407 1 SMTPI-007487([109.96.46.2]) Return-Path 'ag...@realpeople.com' rejected: sender requires authentication
06:57:08.169 1 SMTPI-007572([94.232.8.180]) Return-Path 'ag...@realpeople.com' rejected: sender requires authentication

However, I do receive a lot of bounces and complaints from other domains complaining about spam supposedly from some user at our domain, probably because they neglect to use SPF checking.  We only have 5 users, and we've never spammed anyone since 1994!  Cheers,
-- 
Gib Henry
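The three replies above make one combined point: the topmost Received header names the host that actually connected to CGPro (here zorak.unsl.edu.ar, not the Barracuda), and a server that only accepts a local-domain Return-Path from authenticated sessions or from its own gateway/LAN, or that checks SPF on the border hop, would have refused it with a log line like Gib's "sender requires authentication". The script below is an added example written for this thread, not CommuniGate Pro code or anything from the posters. It parses a CGPro-style Received header, classifies the origin, and applies those two checks. The message text is constructed after the headers Robert posted with his placeholder "user"; the gateway host name, the trusted IP ranges, the SPF record, and the assumption that an RFC 3848 "A"-suffixed protocol (ESMTPA/ESMTPSA) marks an authenticated session are all assumptions for the example, not facts from the thread.

```python
"""Where did an inbound message really come from, and should the server
have taken it?  Added example for this thread, not CommuniGate Pro code.
It reads the topmost Received header to find the connecting host, then
applies the two controls the replies suggest: reject a local-domain
Return-Path from a host that is neither authenticated nor on our own
gateway/LAN, and an SPF-style check against a local record table that
stands in for DNS.  All sample data below is constructed."""
import ipaddress
import re
from email import message_from_string

LOCAL_DOMAINS = {"oxfordms.net"}

# Assumed: only the spam gateway and the internal LAN may hand mail to the
# server without SMTP AUTH.  Both addresses are placeholders.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.10/32"),   # placeholder gateway
                ipaddress.ip_network("10.0.0.0/8")]      # placeholder LAN

# Constructed SPF table used instead of a DNS TXT lookup.
SPF_RECORDS = {"oxfordms.net": "v=spf1 ip4:192.0.2.10 ip4:10.0.0.0/8 -all"}

# Constructed after the headers in the thread; "user" is Robert's placeholder.
SPOOFED_MSG = """\
Return-Path: <user@oxfordms.net>
Received: from zorak.unsl.edu.ar ([170.210.174.89] verified)
 by oxfordms.net (CommuniGate Pro SMTP 5.3.4)
 with SMTPS id 1834916 for user@oxfordms.net; Tue, 30 Mar 2010 08:18:39 -0500
From: Approved VIAGRA Store <user@oxfordms.net>
To: <user@oxfordms.net>
Subject: Your Future Order with 73% off retail

"""

# Constructed: the same envelope, but relayed by the (placeholder) gateway.
RELAYED_MSG = SPOOFED_MSG.replace(
    "from zorak.unsl.edu.ar ([170.210.174.89] verified)",
    "from gateway.example.net ([192.0.2.10] verified)")

# Matches the "from HOST ([IP] verified) by SERVER ... with PROTO" form seen
# in the thread; other MTAs fold Received differently.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[(?P<ip>[0-9a-fA-F.:]+)\](?P<verified>\s+verified)?\)"
    r"\s+by\s+(?P<by>\S+).*?\s+with\s+(?P<proto>\S+)", re.S)


def parse_received(value):
    """Connecting host, IP, and protocol token from one Received header."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    return {"helo": m["helo"], "ip": m["ip"], "verified": bool(m["verified"]),
            "by": m["by"], "proto": m["proto"].upper()}


def sender_address(msg):
    return msg.get("Return-Path", "").strip().strip("<>")


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def spf_check(domain, ip):
    """Minimal SPF evaluator: ip4/ip6/all mechanisms with qualifiers only;
    a, mx, include and redirect are deliberately not handled here."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"


def classify(raw):
    """Origin of the connecting hop plus the verdict the checks would give."""
    msg = message_from_string(raw)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    if not hops:
        return {"origin": "unknown", "ip": None, "verdict": "reject",
                "reason": "no parsable Received header"}
    entry = hops[0]            # topmost Received = the hop that reached our server
    sender = sender_address(msg)
    domain = sender.rpartition("@")[2].lower()
    # Assumption (RFC 3848): an "A" suffix on the protocol token (ESMTPA,
    # ESMTPSA) records that the session used SMTP AUTH.
    authenticated = entry["proto"].endswith("A")
    trusted = is_trusted(entry["ip"])
    origin = ("authenticated client" if authenticated
              else "gateway/LAN" if trusted else "external")
    result = {"origin": origin, "ip": entry["ip"], "helo": entry["helo"]}
    if domain in LOCAL_DOMAINS and not (authenticated or trusted):
        # Our own domain may only be claimed by sessions we authenticated or
        # by hosts we relay for, so this is the log line Gib sees.
        result.update(verdict="reject",
                      reason=f"Return-Path '{sender}' rejected: sender requires authentication")
        return result
    if trusted or authenticated:
        # SPF only means something on the border hop; behind the gateway the
        # connecting IP is the gateway's own, so it is not evaluated here.
        result.update(verdict="accept", reason="trusted hop")
        return result
    spf = spf_check(domain, entry["ip"])
    result.update(verdict="reject" if spf == "fail" else "accept", reason=f"spf={spf}")
    return result


if __name__ == "__main__":
    for raw in (SPOOFED_MSG, RELAYED_MSG):
        print(classify(raw))
```

Run on the constructed spoofed message, classify() reports an external origin at 170.210.174.89 and rejects it for requiring authentication; the same envelope relayed from the trusted gateway address is accepted without an SPF lookup. That last branch is the point of Paul's second reply: once the Barracuda has relayed a message, the only IP the server sees is the Barracuda's, so SPF and the authentication rule have to be enforced at whichever host faces the Internet, and everything else must refuse direct connections.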