Re: [cobalt-users] Spamming my customers -sorry forgot attachment
- Subject: Re: [cobalt-users] Spamming my customers -sorry forgot attachment
- From: Graeme Fowler <graeme.f@xxxxxxxxxxxxxxx>
- Date: Sun Dec 10 23:14:00 2000
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Folks
[Sending this again, the previous copy didn't get through...]
> the question is was this sent to the postmaster@xxxxxxxxxxxxxx address
> or to the smtp.usa.net@xxxxxxxxxxxxx address and am I, somehow,
> broadcasting this email to my customers ?
It is *incredibly* trivial to forge email to look like it has been sent
to, or come from somewhere it has not. I'll endeavour to explain it
here, using the headers from your message.
When your (or whoever's) email client connects to a server to begin an
SMTP transaction, it sends a number of commands in sequence and then
sends the mail data. The sequence is (or should be) as follows:
[Bear in mind some lines may differ using different SMTP servers! I'm
using sendmail 8.9.3 for this demo]
<connection made to port 25>
Server says: 220 server.name.domain ESMTP mailer v1.2.3; Date string
Client says: HELO i.am.client.domain
Server says: 250 server.name.domain Hello i.am.client.domain [ip.ad.dr.ess], pleased to meet you
Client says: MAIL FROM: sender@xxxxxxxxxx
Server says: 250 sender@xxxxxxxxxxxxx Sender OK
Client says: RCPT TO: target@xxxxxxxxxxxxxx
Server says: 250 target@xxxxxxxxxxxxxxxxx Recipient OK
Client says: RCPT TO: target2@xxxxxxxxxxxxxxx
Server says: 250 target2@xxxxxxxxxxxxxxxxxx Recipient OK
[...and so on until list of recipients is finished for that server]
Client says: DATA
Server says: 354 Enter mail, end with "." on a line by itself
Client then inputs the following:
From: sender@xxxxxxxxxx
To: target@xxxxxxxxxxxxxx, target2@xxxxxxxxxxxxxxxxxx (end of list)
Subject: Spamming email is easy!
Date: 45th January 20004
X-Random-Header: blah
This is simple!
.
Server says: 250 ZZA12345 Message accepted for delivery
Client says: QUIT
Server says: 221 server.name.domain closing connection
And that's it.
The headers which the client sees (From:, To:, Subject:, Date:,
X-Random-Header:) are *all* input during the DATA part of the
transaction. A header input here will override any header generated
automagically by the server since that is what the sender wishes the
recipient to see - and that's where the magic art of SMTP forgery
occurs.
To send a spam message and forge it, you do the following:
MAIL FROM: me@xxxxxxxxxxxxxxxxx
RCPT TO: target-address@xxxxxxxxxxxxxxxxxxxxx
DATA
To: a@xxxxx
From: b@xxxxx
Subject: BUY THIS FROM ME!
or in your case...
> Received: from machine01.machinesources.com.tw
> (h65-203-73-206.machinesources.com.tw [203.73.206.65] (may be forged))
> by web.ozdns.net (8.9.3/8.9.3) with ESMTP id MAA09944
> for <postmaster@xxxxxxxxxxxxxx>; Tue, 5 Dec 2000 12:42:43 +1100
Comes from MAIL FROM: unknown-sender@xxxxxxxxxxxxxxx
and RCPT TO: postmaster@xxxxxxxxxxxxxx
> DATE: 04 Dec 00 7:39:45 PM
> Reply-to: markie323@xxxxxxx
> Message-ID: <g53BQ948I9rp5>
> Received: From smtp.usa.net by stmp.mail.net;Mon, 4 Dec 2000 19:39:45 -400 (EDT)
> TO: smtp.usa.net@xxxxxxxxxxxxx
> SUBJECT: Forbidden and Secret Internet Files & Reports 83
Come from the DATA part of the message, and are probably forged.
How do we know this?
The DATE, TO and SUBJECT headers are capitalised; normally only the
first letter is a capital. The message ID contains no server name - this
could indicate a broken mailer (of which there are many...) but more
than likely indicates an injected message-ID header. And lastly, the
Received line has a broken time offset in it - any self-respecting time
offset would say *-0400* and not just -400... plus smtp.mail.net? Going
to a specific server? Highly unlikely - possible, but still unlikely.
Also, the Reply-to: address is probably a generic one - name12334 is
very common these days...
I'd say, looking at the lines from your particular headers, that the
message has been sent by a spammer utilising an open relay in Taiwan.
Almost certainly - as these headers are added *by the mailer, not by the
client*, via an open-relay MS Exchange server. If only they'd applied a
recent service pack, this wouldn't happen:
> Received: from 91TnoeB2d (1cust155.tnt2.waldorf.md.da.uu.net [63.20.80.155])
> by machine01.machinesources.com.tw with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2448.0) id YGT06XTP; Tue, 5 Dec 2000 09:42:26 +0800
Send your spam complaints to abuse@xxxxxx, including all the headers you
sent in this one... then they might TOS (Terms-Of-Service) the person
misusing that account.
To summarise: No, you're not advertising an address that you shouldn't.
Your client has probably posted to Usenet using
postmaster@xxxxxxxxxxxxxx and is now reaping the rewards...
HTH
Graeme
--
Graeme Fowler
WebFusion Internet Solutions
http://www.webfusion.co.uk
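The forgery tells Graeme walks through above (fully capitalised header names, a Message-ID with no server part, a Received line with a malformed zone offset, sendmail's "(may be forged)" annotation, a name-plus-digits Reply-to) can be checked mechanically when triaging a complaint. The checker below is an added example, not code from the list post; the header block it scans is constructed to mirror the indicators discussed, with example.* names in place of the real ones.

```python
import re

# Constructed sample header block modelled on the indicators in the post
# (not the original message's real headers). Lines starting with a tab are
# RFC 822 folded continuations of the preceding header.
SAMPLE_HEADERS = """\
Received: from relay.example.tw (relay.example.tw [192.0.2.10] (may be forged))
\tby mail.example.net (8.9.3/8.9.3) with ESMTP id MAA09944
\tfor <postmaster@example.net>; Tue, 5 Dec 2000 12:42:43 +1100
DATE: 04 Dec 00 7:39:45 PM
Reply-to: name12334@example.com
Message-ID: <g53BQ948I9rp5>
Received: From smtp.example.org by smtp.mail.example;Mon, 4 Dec 2000 19:39:45 -400 (EDT)
TO: smtp.example.org@example.net
SUBJECT: Forbidden and Secret Internet Files
"""

def unfold(raw):
    """Join folded continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def forgery_indicators(raw):
    """Return a list of suspicious traits found in a raw header block."""
    findings = []
    for line in unfold(raw):
        name, _, value = line.partition(":")
        value = value.strip()
        # Headers injected during DATA often come out as DATE:, TO:, SUBJECT:
        if name.isupper() and len(name) > 1:
            findings.append(f"header name fully capitalised: {name}")
        # A real mailer puts its host name after the @ in the Message-ID
        if name.lower() == "message-id" and "@" not in value:
            findings.append("Message-ID has no @domain part")
        if name.lower() == "received":
            # sendmail adds this when the HELO name and reverse DNS disagree
            if "(may be forged)" in value:
                findings.append("Received: HELO name did not match reverse DNS")
            # A genuine zone offset is always four digits, e.g. -0400
            m = re.search(r"\d\d:\d\d:\d\d\s+([+-]\d+)", value)
            if m and len(m.group(1)) != 5:
                findings.append(f"Received: malformed zone offset {m.group(1)}")
        if name.lower() == "reply-to" and re.match(r"^[a-z]+\d{3,}@", value):
            findings.append("Reply-to: looks like a throwaway name+digits account")
    return findings
```

Run it over the full header block of a suspect message; only the Received lines added by your own servers are trustworthy, so read the findings from the top (your relay) downwards.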