
fake headers ?

Discussion in 'Plesk for Linux - 8.x and Older' started by fishface, Oct 6, 2005.

  1. fishface

    fishface Guest

    0
     
    I'm getting a lot of bounced emails coming back to the server with hundreds of different usernames@mydomain in the headers. These are false usernames, and there are no formmail scripts that I can see have been compromised.

    Any ideas how they are doing this ?
     
  2. jamesyeeoc

    jamesyeeoc Guest

    0
     
    Infected PC with its own SMTP engine sending out emails with randomly generated names @yourdomain. Since your domain is listed as the 'From', the bounces end up being sent to your domain's email server when they are rejected by the recipient mail server.

    Cannot comment further unless you post full header examples to be examined.
     
  3. fishface

    fishface Guest

    0
     
    header

    Hi, here's an example:

    ------ This is a copy of the message, including all the headers. ------

    Return-path: <rheta.Finch@mydomain>
    Received: from [220.113.133.40] (helo=66.179.21.196)
    by elara.cascadia.net with smtp (Exim 4.20)
    id 1ENOOT-00036z-95; Wed, 05 Oct 2005 22:34:14 -0700
    Received: from mx01.noromgt.com (220.113.133.40 [220.113.133.40])
    by 220.113.133.40 (Postfix) with SMTP id A01099CE04
    for <moody@bungee.com>;
    Wed, 05 Oct 2005 22:25:21 -0800
    Message-ID: <829j643h.3847885@noromgt.com>
    Date: Wed, 05 Oct 2005 22:25:21 -0800
    From: "Miss. odele" <rheta.Finch@mydomain>
    User-Agent: Microsoft Mail Corporate v4.1
    X-MS-Has-Attach:
    X-MS-TNEF-Correlator:
    X-Accept-Language: en-us, en
    MIME-Version: 1.0
    To: moody@bungee.com, baird@bungee.com, norman@bungee.com, robertson@bungee.com
    Subject: I tried calling you...
    Content-Type: multipart/related; boundary="------------Next_Part_61147160==.OLA"

    This is a multi-part message in MIME format. --------------Next_Part_61147160==.OLA
    Content-Type: text/html; charset=ISO-8859-1
    Content-Transfer-Encoding: 7bit
    ---------------------------------------------------------------------------------

    And another:

    Hi. This is the qmail-send program at qmail.arpanet.ch.
    I'm afraid I wasn't able to deliver your message to the following addresses. This is a permanent error; I've given up. Sorry it didn't work out.

    <edwin@bobtail.net>:
    Sorry, no mailbox here by that name. (#5.1.1)

    <dorothy@bobtail.net>:
    Sorry, no mailbox here by that name. (#5.1.1)

    <dolphin@bobtail.net>:
    Sorry, no mailbox here by that name. (#5.1.1)

    <dwight@bobtail.net>:
    Sorry, no mailbox here by that name. (#5.1.1)

    <dory@bobtail.net>:
    Sorry, no mailbox here by that name. (#5.1.1)

    <ernie@bobtail.net>:
    Sorry, no mailbox here by that name. (#5.1.1)

    <elena@bobtail.net>:
    Sorry, no mailbox here by that name. (#5.1.1)

    <dj@bobtail.net>:
    Sorry, no mailbox here by that name. (#5.1.1)

    --- Below this line is a copy of the message.

    Return-Path: <chelsy.Naquin@mydomain>
    Received: (qmail-ldap/ctrl 12299 invoked from network); 6 Oct 2005 11:48:24 -0000
    Received: from unknown (HELO 213.158.135.11) ([220.75.119.13])
    (envelope-sender <chelsy.Naquin@mydomain>)
    by qmail.arpanet.ch (qmail-ldap-1.03) with SMTP
    for <edwin@bobtail.net>; 6 Oct 2005 11:48:24 -0000
    Received: from unknown (HELO rubberbanding) (220.75.119.13)
    by ikt.es with SMTP; Thu, 06 Oct 2005 04:56:35 -0800
    Message-ID: <786g158b.9974889@ikt.es>
    Date: Thu, 06 Oct 2005 04:56:35 -0800
    From: "Ms. heidie Boucher" <chelsy.Naquin@mydomain>
    User-Agent: Mozilla Thunderbird 1.0.2 (Windows/20050317)
    X-Antivirus-SCAN-Associates-Sdn-Bhd-Mail-From: chelsy.Naquin@mydomain
    via mail.ikt.es
    X-Antivirus-SCAN-Associates-Sdn-Bhd: SCAN-QMAIL-v1.0
    (Clear:RC:1(220.75.119.13):. Processed in 1.833452 secs
    Process 42796)
    MIME-Version: 1.0
    To: edwin@bobtail.net
    Cc: dorothy@bobtail.net, dolphin@bobtail.net, dwight@bobtail.net, dory@bobtail.net, ernie@bobtail.net, elena@bobtail.net, dj@bobtail.net
    Subject: FW: FJBVCH
     
  4. jamesyeeoc

    jamesyeeoc Guest

    0
     
    Pretty standard-looking for messages which are sent out from an infected PC using forged credentials.

    Unless you can find any trace in your log files (such as /usr/local/psa/var/maillog) of the IP addresses (220.113.133.40 or 220.75.119.13) then your server is not the one sending the messages, and you most likely won't find any entries.

    I am assuming that none of the IPs in the headers are actually yours since you did not remove them from the post.

    There is not much you can do to block bounce messages from coming back to your domain mail server.

    Server admins in this day and age should have any bounce feature turned off IMO, that way instead of sending a bounce message back to the forged 'From' domain, it just drops the message.
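    The check jamesyeeoc describes (trace the connecting IP from the Received headers, then grep the mail log for it and for the forged sender) can be automated. The script below is an added example and is not code from the thread or from Plesk; the header sample is the first bounce fishface posted, trimmed to the relevant headers, while the log lines are constructed stand-ins whose format is illustrative only (a real qmail/Plesk maillog looks different). The key point it encodes: only the topmost Received header was written by the receiving server, so that is the one hop you can trust when deciding where the mail really came from.

```python
import re
from email import message_from_string

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Sample taken from the first bounce quoted in the thread, trimmed to the
# headers that matter. Folded continuation lines are indented as in RFC 822.
BOUNCED_MESSAGE = """\
Return-path: <rheta.Finch@mydomain>
Received: from [220.113.133.40] (helo=66.179.21.196)
\tby elara.cascadia.net with smtp (Exim 4.20)
\tid 1ENOOT-00036z-95; Wed, 05 Oct 2005 22:34:14 -0700
Received: from mx01.noromgt.com (220.113.133.40 [220.113.133.40])
\tby 220.113.133.40 (Postfix) with SMTP id A01099CE04
\tfor <moody@bungee.com>;
\tWed, 05 Oct 2005 22:25:21 -0800
Message-ID: <829j643h.3847885@noromgt.com>
From: "Miss. odele" <rheta.Finch@mydomain>
To: moody@bungee.com
Subject: I tried calling you...

(body omitted)
"""

# Constructed sample log lines (illustrative format, not a real Plesk
# /usr/local/psa/var/maillog). Neither 220.113.133.40 nor the forged
# sender appears here, which is the "we did not send it" case.
MAILLOG = [
    "Oct  5 22:30:01 plesk smtp: connection from 192.0.2.25 accepted",
    "Oct  5 22:30:02 plesk qmail: delivery 811: success: user@mydomain/",
    "Oct  5 22:34:20 plesk smtp: connection from 198.51.100.7 accepted",
]


def received_hops(raw_message):
    """Return the Received headers, topmost first, as (from_ips, by_host).
    The topmost entry was added last, by the server nearest the recipient."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        value = re.sub(r"\s+", " ", value)          # unfold the header
        from_part, _, rest = value.partition(" by ")
        by_host = rest.split()[0] if rest else ""
        hops.append((IPV4.findall(from_part), by_host))
    return hops


def originating_ip(raw_message):
    """IP that handed the message to the receiving mail server.
    Only the topmost Received header is trusted; the ones below it were
    written (or forged) by whoever sent the message."""
    hops = received_hops(raw_message)
    if not hops or not hops[0][0]:
        return None
    return hops[0][0][0]


def forged_sender(raw_message):
    """Envelope sender the spammer put on the message (Return-path, else From)."""
    msg = message_from_string(raw_message)
    m = re.search(r"<([^>]+)>", msg.get("Return-path", "") or msg.get("From", ""))
    return m.group(1) if m else None


def log_evidence(log_lines, needles):
    """Log lines mentioning any of the given IPs or addresses.
    No hits means this server logged neither the connecting IP nor the
    forged sender, i.e. it never relayed the message: classic backscatter."""
    needles = [n for n in needles if n]
    return [line for line in log_lines if any(n in line for n in needles)]


def classify_bounce(raw_message, log_lines):
    ip = originating_ip(raw_message)
    sender = forged_sender(raw_message)
    hits = log_evidence(log_lines, [ip, sender])
    verdict = "relayed by this server, investigate" if hits else "backscatter, not sent by this server"
    return {"origin_ip": ip, "forged_sender": sender, "log_hits": hits, "verdict": verdict}


if __name__ == "__main__":
    for k, v in classify_bounce(BOUNCED_MESSAGE, MAILLOG).items():
        print(f"{k}: {v}")
```

    Run it against a saved bounce and your own maillog lines; if `log_hits` stays empty for every bounce you receive, the messages were injected somewhere else and the only thing on your side is to make sure your own server rejects unknown recipients during the SMTP session instead of accepting and then bouncing, so that you at least do not generate the same kind of backscatter for someone else.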
     