Spoofed??

Question

Spoofed??

Have been having issues for a few days... apparently someone is spoofing my ip address/server name to send scads of spam out over the net.

See attached (finesse is me)

The Helo server name and ip address is correct (for me) but I am pretty positive that this did NOT originate from our server.

Questions:-
A) Can they spoof ip addresses? - I assume so
B) HOW do I stop this???

I am bombarded with all the bouncebacks/ bad email addresses etc!! very frustrating.

Any advise would be appreciated - Rohin

From: Mailer-Daemon@jeffmackler.com
Subject: Mail delivery failed: returning message to sender
Date: January 31, 2007 11:54:58 AM EST
To: bfinessexmbroideriese@finessexmbroideries.com

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

james@martula.com

------ This is a copy of the message, including all the headers. ------

Return-path: <bfinesseembroideriese@finesseembroideries.com>
Received: from mail by jeffmackler.com with spam-scanned (Exim 4.24)
id 1HCIjW-0007Iv-PA
for james@martula.com; Wed, 31 Jan 2007 11:54:57 -0500
Received: from [88.230.41.24] (helo=mx.richardbenson.it)
by jeffmackler.com with esmtp (Exim 4.24)
id 1HCIjV-0007Hk-Hg
for james@martula.com; Wed, 31 Jan 2007 11:54:53 -0500
Received: from 66.88.193.247 (HELO mail.finesseembroideries.com)
by martula.com with esmtp ((7<P1J0=S+ 91@5)
id U4I2YQ-,FQAH@-@E
for james@martula.com; Tue, 30 Jan 2007 16:54:35 -0120
From: "Ines Neff" <bfinesseembroideriese@finesseembroideries.com>
To: <james@martula.com>
Subject: fwd:Special discounts.
Date: Tue, 30 Jan 2007 16:54:35 -0120
Message-ID: <01c7448f$5237cff0$6c822ecf@bfinesseembroideriese>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----= NextPart_000_000601C744A0.15C09FF0"
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2527
Thread-Index: Aca6QC7X/6JKR4(?)1=5=74?6LM)44==

This is a multi-part message in MIME format.

------= NextPart_000_000601C744A0.15C09FF0
Content-Type: text/plain;
charset="windows-1250"
Content-Transfer-Encoding: 7bit

Dear Customer,80% of the people in the USA admit that their or their relatives' bad health is the thing that gets them down the most. This is a serious problem that needs a really serious solution - LegalRXmedications!The meds offered at our pharmacy are as qualitative as those offered at leading USA drug stores - and the prices are up to 30% lower! Besides, you get a chance to shop for drugs without having to leave your PC!Hardly anyone will refuse to make his/her life that much simpler
Sincerely yours, LegalRXmedications!

------= NextPart_000_000601C744A0.15C09FF0
Content-Type: text/html;
charset="windows-1250"
Content-Transfer-Encoding: quoted-printable

<html xmlns:o=3D"urn:schemas-microsoft-com:office:office" xmlns:w=3D"urn:sc=
hemas-microsoft-com:office:word" xmlns=3D"http://www.w3.org/TR/REC-html40">

<head>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; charset=3Dwindows-1250">
<meta name=3DGenerator content=3D"Microsoft Word 11 (filtered medium)">
</head>
<body>
<html>
<body bgcolor=3D"#FFFFFF" link=3D"#507E1A">

Dear Customer,</b=

80% of the people in the U=
SA admit that their or their relatives' bad health is the thing that gets t=
hem down the most. This is a serious problem that needs a really serious so=
lution - LegalRXmedications!

=

The meds offered at our pharmacy are as qualitative as those offered at leadi=
ng USA drug stores - and the prices are up to 30% lower! Besides, you get a=
chance to shop for drugs without having to leave your PC!

<fo=
nt face=3D"Verdana" size=3D"2">Hardly anyone will refuse to make his/her li=
fe that much simpler=85

Sincerely yours,
LegalRXmedications!

</body></html>
</body>
</html>

------= NextPart_000_000601C744A0.15C09FF0--

PowerMac G5, xserve, Mac OS X (10.4.8)

Posted on Jan 31, 2007 6:51 PM

Reply

Answer 1

Jan 31, 2007 7:15 PM in response to Rohin Hattiangadi

Here's another... NO OUTBOUND logs to this server... in either mail.log or even ipfw.log??
See the received from 68-118-93.88.dhcp.... does this mean these are the people originating this junk?? 66.88.193.247 is my ip.

I am so confused and p'd off about this!#@#!#!@!

Please help me!!
Thanks - Rohin

From: postmaster@buzzle.com
Subject: Undeliverable Mail
Date: January 31, 2007 9:52:02 PM EST
To: bfinesseembroideriese@finesseembroideries.com

User mailbox exceeds allowed size: ranger@buzzle.com

Original message follows.

Received: from 68-118-93-88.dhcp.kgpt.tn.charter.com [68.118.93.88] by buzzle.com with ESMTP
(SMTPD32-7.07) id A5D05E600C0; Wed, 31 Jan 2007 21:52:00 -0500
Return-Path: <bfinesseembroideriese@finesseembroideries.com>
Received: from 66.88.193.247 (HELO mail.finesseembroideries.com)
by buzzle.com with esmtp (I 0=2CH J.<U.)
id M*K(7C-4N;,7;-)S
for ranger@buzzle.com; Thu, 1 Feb 2007 02:51:48 +0300
From: "Kendall Goldman" <bfinesseembroideriese@finesseembroideries.com>
To: <ranger@buzzle.com>
Subject: Special offer from our store.
Date: Thu, 1 Feb 2007 02:51:48 +0300
Message-ID: <01c745ab$eb1d0420$6c822ecf@bfinesseembroideriese>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----= NextPart_000_000601C74582.0246FC20"
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Thread-Index: Aca6Q(AL0=-7:>;L9A084/K6L/?X+(==
X-Antivirus: avast! (VPS 0709-1, 01/31/2007), Outbound message
X-Antivirus-Status: Clean

This is a multi-part message in MIME format.

------= NextPart_000_000601C74582.0246FC20
Content-Type: text/plain;
charset="Windows-1252"
Content-Transfer-Encoding: 7bit

Dear,Let me inform you that now you have an excellent opportunity to buy medications avoiding embarrassment and loss of time. Enjoy the convenience of ordering from your own home or office at the time that suits you best!Now you can buy high quality Viagra with USDrugs. It’s a reliable source of pharmaceutical products. USDrugs store is situated in the USA, so the quality of your medications is guaranteed. Excellent service and prompt delivery!Click here to make order. http://www.zazad.hkAbsolute security, strict confidentiality! Good service! Best regards,Kendall Goldman

------= NextPart_000_000601C74582.0246FC20
Content-Type: text/html;
charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

<html xmlns:o=3D"urn:schemas-microsoft-com:office:office" xmlns:w=3D"urn:sc=
hemas-microsoft-com:office:word" xmlns=3D"http://www.w3.org/TR/REC-html40">

[message truncated]

Reply

Answer 2

pterobyte

Level 6

11,098 points

Jan 31, 2007 11:15 PM in response to Rohin Hattiangadi

Rohin,

IP spoofing is possible, but quite tricky to do. Since it is not trivial I have seldom seen IP spoofing used for spamming. HELO is a different issue though. Spoofing the name in the HELO negotiation is a piece of cake, but nothing to be concerned of.

Without more info, the headers you posted look just like some form of backscatter.

In order to be able to help you, I'd need to see the unmodfied output of postconf -n

Also if you haven't done so, I strongly recommend implementing my "Frontline spam defense for Mac OS X Server" tutorial available here:
http://osx.topicdesk.com/downloads/

If you happen to use virtual domains, I'd also consider moving them to postfix style aliases.

Alex

Reply

Answer 3

Feb 1, 2007 5:22 AM in response to pterobyte

Alex,

Here it is.. I just had some additional networks in my networks which I have removed (for obvious reasons- we are not alone on this board!). Thks - Rohin

always_bcc = Tracker@localhost
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug peerlevel = 2
enable serveroptions = yes
html_directory = no
inet_interfaces = all
local recipientmaps =
luser_relay = postmaster
mail_owner = postfix
mailbox sizelimit = 0
mailbox_transport = cyrus
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps rbldomains =
message sizelimit = 10485760
mydestination = $myhostname,localhost.$mydomain,localhost,mail.finesseembroideries.com,smtp.fin esseembroideries.com,finesseembroideries.com,ftp.finesseembroideries.com,66.88.1 93.247
mydomain = localhost.local
mydomain_fallback = localhost
myhostname = mail.finesseembroideries.com
mynetworks = 127.0.0.1/32,192.168.254.200/32,192.168.254.201/32
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd clientrestrictions = permit saslauthenticated permit_mynetworks hash:/etc/postfix/smtpdreject reject rblclient sbl-xbl.spamhaus.org reject rblclient bl.spamcop.net reject rblclient cbl.abuseat.org permit
smtpd pw_server_securityoptions = login,plain
smtpd recipientrestrictions = permit sasl_authenticated,permit_mynetworks,reject_unauthdestination,permit
smtpd sasl_authenable = yes
smtpd tls_keyfile =
smtpd use_pwserver = yes
unknown local_recipient_rejectcode = 550

Reply

Answer 4

Feb 1, 2007 5:26 AM in response to pterobyte

Alex,

My problem is I am literally getting bombarded with bouncebacks - not enough to cripple the server or anything, but literally 150 or so a day??

I am afraid MY server will get blacklisted!!

It is a serious nuisance, and how do I notify the authorities(?) and hopefully get this stopped? - Rohin

Reply

Answer 5

pterobyte

Level 6

11,098 points

Feb 1, 2007 5:38 AM in response to Rohin Hattiangadi

Rohin,

looking at your configuration, you do not make use of virtual domains. By implementing my aforementioned tutorial, you will significantly reduce rogue mail, backscatter, etc. and furthermore lessen the load on your content-filter.

A few considerations re your configuration:

-mydestination should not contain IP numbers
-unless you need it for any legal reasons, get rid of always_bcc
-sbl-xbl.spamhaus.org into zen.spamhaus.org (sbl-xbl will be replaced soon)
-If you implement my tutorial spamhaus will be enough. Drop spamcop and abuseat and save yourself a couple of network roundtrips.

Alex

Reply

Answer 6

Feb 1, 2007 6:04 AM in response to pterobyte

Alex,

Will implement your tutorial tonight.. thanks for the tips..

ALSO Interesting discovery. I noticed some spurious "undeliverable" msgs in my mail queue. One was to a party called iStick. I then went through my logs and found this. Apparently I am getting hit by a spammer, the message is rejected (due to content?) and then it is bounced back to an unsuspecting target? Is this how they are doing it? :-

Jan 31 22:01:13 dns postfix/qmgr[78]: 7D13E58244: from=<istick_m@greatcoast.com>, size=9479, nrcpt=2 (queue active)
** Note - Inbound message received **
Jan 31 22:01:14 dns postfix/smtpd[26101]: connect from localhost[127.0.0.1]
Jan 31 22:01:14 dns postfix/smtpd[26101]: ACE2358255: client=localhost[127.0.0.1]
Jan 31 22:01:14 dns postfix/cleanup[26092]: ACE2358255: message-id=<5038838419.20070201030100@greatcoast.com>
Jan 31 22:01:14 dns postfix/qmgr[78]: ACE2358255: from=<istick_m@greatcoast.com>, size=10065, nrcpt=2 (queue active)
Jan 31 22:01:14 dns postfix/smtpd[26101]: disconnect from localhost[127.0.0.1]
Jan 31 22:01:15 dns postfix/pipe[26107]: ACE2358255: to=<Tracker@localhost.localhost.local>, relay=cyrus, delay=1, status=sent (mail.finesseembroideries.com)
Jan 31 22:01:15 dns postfix/qmgr[78]: ACE2358255: removed

** Note Msg BOUNCED due to content being rejected? It has some text at the bottom in a foreign language... so the language filters must hv got it **

Jan 31 22:01:15 dns postfix/smtp[26093]: 7D13E58244: to=<tte@finesseembroideries.com>, relay=127.0.0.1[127.0.0.1], delay=33, status=bounced (host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message content rejected, UBE, id=25996-02 (in reply to end of DATA command))
Jan 31 22:01:15 dns postfix/smtp[26093]: 7D13E58244: to=<Tracker@localhost.localhost.local>, relay=127.0.0.1[127.0.0.1], delay=33, status=bounced (host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message content rejected, UBE, id=25996-02 (in reply to end of DATA command))
Jan 31 22:01:15 dns postfix/cleanup[26092]: 2FD9F58263: message-id=<20070201030115.2FD9F58263@mail.finesseembroideries.com>
Jan 31 22:01:15 dns postfix/qmgr[78]: 2FD9F58263: from=, size=11881, nrcpt=1 (queue active)
Jan 31 22:01:15 dns postfix/qmgr[78]: 7D13E58244: removed
Jan 31 22:01:37 dns postfix/smtpd[26091]: 45DE858265: client=pitts-69-72-21-162.dynamic-dialup.coretel.net[69.72.21.162]
Jan 31 22:01:49 dns postfix/smtp[26125]: connect to greatcoast.com[205.178.145.65]: Operation timed out (port 25)
Jan 31 22:01:49 dns postfix/smtp[26125]: 2FD9F58263: to=<istick_m@greatcoast.com>, relay=none, delay=34, status=deferred (connect to greatcoast.com[205.178.145.65]: Operation timed out)
** NOTE This fortunately "timed out" and no Whammy was sent to unsuspecting target**

I believe this is what is happening?!?! Now the catch-22 is HOW do I stop this... I do obviously want to filter for foreign nonsense (other than italian/french) but perhaps I should just put it in junkdepot rather than bouncing it.

HOW do I do this, and shouldn't this become standard protocol for OS X language filter configuration?

Your thoughts - Rohin

Reply

Answer 7

Feb 1, 2007 6:08 AM in response to pterobyte

Alex,

Will remove number from -mydestination
bcc I NEED for legal reasons (archive)
I tried zen.spamhaus.org, but it is not allowing me to relay from my verizondsl account 😟 - Hence switched back to sbl-xbl

Tutorial = tonight!

Reply

Answer 8

pterobyte

Level 6

11,098 points

Feb 1, 2007 6:19 AM in response to Rohin Hattiangadi

Rohin,

again, much of this will disappear once you strengthen your postfix configuration. You are mainly seeing backscatter and similar from forged headers.

I tried zen.spamhaus.org, but it is not allowing me to
relay from my verizondsl account 😟 -
Hence switched back to sbl-xbl

You are avoiding a problem, rather than fixing it. Just use authentication and your dynamic IP won't even be checked.

Alex

P.S.
connect from localhost[127.0.0.1] is your content filter reinjecting into the postfix queue. It's not as connection from an outside server. The outside connection took place earlier.

Reply

Answer 9

Feb 1, 2007 6:33 AM in response to pterobyte

Thanks Alex, will implement immediately... and update this thread with results.

Thanks again so much for all your kind help!

Reply

Answer 10

rhwalker

Level 3

589 points

Feb 1, 2007 9:16 AM in response to Rohin Hattiangadi

Have you tested your server to make sure it's not an open relay?
http://www.abuse.net/relay.html

Is it possible that spam is being injected through some web CGI form that you have on a site on the server?

Russ

Xserve G5 2.0 GHz 2 GB RAM Mac OS X (10.4.8) Apple Hardware RAID, ATTO UL4D, Exabyte VXA-2 1x10 1u

Reply

Answer 11

David_x

Level 4

3,011 points

Feb 1, 2007 12:57 PM in response to Rohin Hattiangadi

All of these headers in the returned mail make no sense...

Received: from [88.230.41.24] (helo=mx.richardbenson.it)
by jeffmackler.com with esmtp (Exim 4.24)
id 1HCIjV-0007Hk-Hg
for james@martula.com; Wed, 31 Jan 2007 11:54:53 -0500
Received: from 66.88.193.247 (HELO mail.finesseembroideries.com)
by martula.com with esmtp ((7<P1J0=S+ 91@5)>
id U4I2YQ-,FQAH@-@E

The IP addresses have no reverse DNS and the hostname which does resolve does so to a different IP. They all look spoofed.

It is possible that you have just been 'unlucky' in that your email address has been in someone else's (PC) addressbook which has been infected by a virus and your name/domain has been selected to be the false sender. It will all die down in a week or so as someone elses domain takes over (I've been there myself 😟

Apart from Pterobyte's excellent Frontline Defense, I note you are copying undeliverable mail to 'postmaster'. Do you really need to do this as most incoming spam/bounces will be for non existent users and so would otherwise get rejected?

-david

Server 10.4.8

Reply

Answer 12

Feb 3, 2007 5:53 AM in response to David_x

David,

That is generally the conclusion I am coming to as well... have been going NUTS looking through all the logs etc., and I see no proof at all of these messages leaving from my machine.
All I can verify through logs are the inevitable "bouncebacks" due to my spoofed ip address.

I hope this dies down soon! =)- Rohin

Reply