
Re: [cobalt-security] RAQ 3 SPAM - How can they do this and how to prevent it again

Right, I'm no expert on this, but I'll give it a shot...

Chae wrote:
> This header is from a spam mail that arrived in my email this afternoon,
> opened it up to check the header and noticed it had come through one of our
> Cobalt Raq3s and had a customer's domain as a recipient.

This makes sense. It would come into your Raq if it was intended for a
recipient that your Raq was handling mail for. That's how your customers
receive mail! It's not relaying mail for other domains, but it will accept
mail for its own users; how else would they receive it!

> The server's been checked for old versions of formmail and other similar
> scripts - so how can the spammer manage to still filter stuff through this
> server??

It hasn't!

Just to go through the headers:

> Return-Path: <1029843@xxxxxxxxxxx>
This is a fake hotmail address; they don't do addresses with just numbers.

> Delivered-To: me@xxxxxxxxxxxx (my private address omitted)
> X-Envelope-To: me@xxxxxxxxxxxx
It looks like the Raq has used its forwarding list to send this mail onto
you as you are the administrator.

> Received: (qmail 90355 invoked by alias); 9 Nov 2001 04:32:52 -0000
> Received: from unknown (HELO ns.our-raq3.com) (xxx.xxx.xxx.xxx)
>   by debbie.paradise.net.nz with SMTP; 9 Nov 2001 04:32:52 -0000
> Received: from femail19.sdc1.sfba.home.com (femail19.sdc1.sfba.home.com
> [24.0.95.128])
> by ns.our-raq3.com (8.9.3/8.9.3) with ESMTP id VAA03451
> for <postmaster@xxxxxxxxxxxxxxxxxxxxxxxx>; Thu, 8 Nov 2001 21:32:46 -0700

It looks like it was sent from the spammer (femail19.sdc1.sfba.home.com)
(which could be an open relay on someone's DSL connection or something like
that) to your customer's machine (ns.our-raq3.com) which has then
*forwarded* (not relayed) it to you as you are the administrator.

> From: 1029843@xxxxxxxxxxx
Fake email address.

> Received: from [24.5.52.138] by femail19.sdc1.sfba.home.com
>           (InterMail vM.4.01.03.20 201-229-121-120-20010223) with SMTP
>           id
> <20011109043240.YJWP25027.femail19.sdc1.sfba.home.com@[24.5.52.138]>;
>           Thu, 8 Nov 2001 20:32:40 -0800
These lines are most likely fake. All the genuine Received: lines will be
contiguous.

> Date: Thu, 08 Nov 01 19:49:57 EST
> To: Friend@xxxxxxxxxx
> Subject: AD: Tired Of Foul Language?
> Message-ID: <>
The To: line is irrelevant, the envelope (above) sets who this copy of the
mail is intended for.
Was the message ID really blank?

> Now after checking the customer's hosting space and GUI ...
> they have no relaying - the only thing they do have is two
> aliases the catch-all activated and a forward to his ISP mail account which
> happens to be an AOL address.

As the email was sent to the postmaster@xxxxxxxxxxxxxxx, I guess it would
not have been caught by the forward to his AOL account, but instead to the
catch-all address, which I presume is a forward to your private address. Has
the Raq accepted an email for this domain, then forwarded it to you as you
are postmaster / catch-all? Is your Raq in fact working exactly as it
should?

Any corrections gratefully received; this is only a guess :o)

Cheers
Stephen
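As an added illustration of the reading above (example code, not part of the thread): a small Python script that walks the Received: chain from the bottom up, reports the hand-over path and the envelope recipient from the "for <...>" clause, and flags any Received: line that is not contiguous with the trace block at the top. The header sample is a constructed copy of the ones quoted here, with masked addresses replaced by .invalid placeholders, the unknown IP by 192.0.2.10, and the InterMail line abridged.

```python
import re

# Constructed sample modelled on the headers quoted in this thread (abridged).
RAW_HEADERS = """\
Delivered-To: admin@example.invalid
Received: (qmail 90355 invoked by alias); 9 Nov 2001 04:32:52 -0000
Received: from unknown (HELO ns.our-raq3.com) (192.0.2.10)
  by debbie.paradise.net.nz with SMTP; 9 Nov 2001 04:32:52 -0000
Received: from femail19.sdc1.sfba.home.com (femail19.sdc1.sfba.home.com
 [24.0.95.128]) by ns.our-raq3.com (8.9.3/8.9.3) with ESMTP id VAA03451
 for <postmaster@customer.invalid>; Thu, 8 Nov 2001 21:32:46 -0700
From: 1029843@example.invalid
Received: from [24.5.52.138] by femail19.sdc1.sfba.home.com
 (InterMail vM.4.01.03.20) with SMTP; Thu, 8 Nov 2001 20:32:40 -0800
To: Friend@example.invalid
"""

HOP_RE = re.compile(r"^from\s+(\S+)(?:\s+\(HELO\s+([^)]+)\))?.*?\bby\s+(\S+)")
FOR_RE = re.compile(r"\bfor\s+<([^>]+)>")


def unfold(raw):
    # Split a header block into (name, value) pairs, joining folded lines.
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1] = (fields[-1][0], fields[-1][1] + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip(), value.strip()))
    return fields


def analyze(raw):
    """Return (hops, envelope_rcpt, suspect). Each MTA prepends its own
    Received:, so genuine ones form one contiguous run at the top; a
    Received: sitting below From: was already in the message when sent."""
    fields = unfold(raw)
    first = [n.lower() for n, _ in fields].index("received")
    trusted, suspect, contiguous = [], [], True
    for name, value in fields[first:]:
        if name.lower() == "received":
            (trusted if contiguous else suspect).append(value)
        else:
            contiguous = False
    hops, envelope_rcpt = [], None
    # Oldest hand-over first; local entries (qmail alias) carry no "from X by Y".
    for m in filter(None, map(HOP_RE.match, reversed(trusted))):
        hops.append((m.group(2) or m.group(1), m.group(3)))  # (HELO-or-host, by)
        f = FOR_RE.search(m.string)                          # envelope recipient
        envelope_rcpt = envelope_rcpt or (f.group(1) if f else None)
    return hops, envelope_rcpt, suspect
```

On the sample, the path runs femail19 -> ns.our-raq3.com -> debbie, the envelope recipient is the postmaster address (not the To: line), and the lone Received: under From: is reported as suspect.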