I think someone is relaying spam through our servers, by spoofing
their originating IP, so the spam appears to come from one of my
legitimate hosting customers' home IP addresses.
I've noticed a repeating pattern of short bursts, similar to the events
listed below... which seem to last from 2 - 5 minutes each. Since my
up-to-date RaQ4 includes pop-before-relay (with a 5 minute window),
I'm wondering if the spoofer is randomly catching my customer's
relay window, then exploiting it, by spoofing my customer's IP. (?)
I'd be very grateful if anyone with relevant expertise or experience
would share some information with me (and the rest of the list).
Thank you all very much, for your valuable time and knowledge.
I'd be lost without you :·)
Sincerely,
--
David Black
Houston, TX
suspicious maillog events follow...
Feb 25 14:03:11 www sendmail[18401]: h1PK3Ab18401:
from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA,
relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]
('size=0' repeats 77 times between 14:03:11 and 14:04:09)
Feb 25 14:04:09 www sendmail[18874]: h1PK48b18874:
from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA,
relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]
Feb 25 14:04:14 www sendmail[18876]: h1PK4Db18876:
from=<>, size=2649, class=0, nrcpts=1,
msgid=<[EMAIL PROTECTED]>,
proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]
Feb 25 14:04:14 www sendmail[18879]: h1PK4Eb18879:
from=<>, size=2571, class=0, nrcpts=1,
msgid=<[EMAIL PROTECTED]>,
proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]
Feb 25 14:04:15 www sendmail[18882]: h1PK4Fb18882:
from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA,
relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]
Feb 25 14:04:15 www sendmail[18883]: h1PK4Fb18883:
from=<>, size=2901, class=0, nrcpts=1,
msgid=<[EMAIL PROTECTED]>,
proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]
(119 lines - snipped - similar pattern: 1 or 2 'size=0', then 1 or 2
successful relays)
Feb 25 14:05:13 www sendmail[19525]: h1PK5Cb19525:
from=<>, size=2842, class=0, nrcpts=1,
msgid=<[EMAIL PROTECTED]>,
proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]
(108 more successful relays - snipped - )
Feb 25 14:06:47 www sendmail[20347]: h1PK6lb20347:
from=<>, size=2790, class=0, nrcpts=1,
msgid=<[EMAIL PROTECTED]>,
proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]
(this (above) was the last related event, for several hours)
_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
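The burst pattern in the maillog above can be checked mechanically rather than by eye. The following Python script is an added example, not part of the original post or of the RaQ4 software: it parses sendmail envelope (`from=`) lines into events, groups each relay address's sessions into bursts, and reports bursts that contain several zero-size null-sender sessions next to successful relays, which is the shape the post describes. The log lines embedded in it are constructed to mirror the masked excerpt, one entry per line as in a real maillog and with 192.0.2.x documentation addresses; the 60-second gap, the 3-probe threshold and the year 2003 (syslog timestamps carry no year) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on the post's excerpt. Real maillog entries are
# one line each; addresses are from the 192.0.2.0/24 documentation range.
SAMPLE_LOG = """\
Feb 25 14:03:11 www sendmail[18401]: h1PK3Ab18401: from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [192.0.2.10]
Feb 25 14:03:20 www sendmail[18410]: h1PK3Kb18410: from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [192.0.2.10]
Feb 25 14:03:31 www sendmail[18420]: h1PK3Vb18420: from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [192.0.2.10]
Feb 25 14:04:09 www sendmail[18874]: h1PK48b18874: from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [192.0.2.10]
Feb 25 14:04:14 www sendmail[18876]: h1PK4Db18876: from=<>, size=2649, class=0, nrcpts=1, msgid=<a@example.invalid>, proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [192.0.2.10]
Feb 25 14:04:15 www sendmail[18883]: h1PK4Fb18883: from=<>, size=2901, class=0, nrcpts=1, msgid=<b@example.invalid>, proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [192.0.2.10]
Feb 25 14:05:13 www sendmail[19525]: h1PK5Cb19525: from=<>, size=2842, class=0, nrcpts=1, msgid=<c@example.invalid>, proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [192.0.2.10]
Feb 25 14:30:02 www sendmail[21001]: h1PKU2b21001: from=<user@example.invalid>, size=1200, class=0, nrcpts=1, msgid=<d@example.invalid>, proto=ESMTP, daemon=MTA, relay=mail.example.invalid [192.0.2.20]
Feb 25 18:00:00 www sendmail[25000]: h1Q000b25000: from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [192.0.2.10]
"""

# Matches only the envelope ("from=") line of a sendmail transaction; the
# later "to=" delivery lines are skipped so each session counts once.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sendmail\[\d+\]: "
    r"(?P<qid>\w+): from=<(?P<sender>[^>]*)>, size=(?P<size>\d+), "
    r".*?relay=(?P<relay>\S+) \[(?P<ip>[^\]]+)\]"
)


def parse_maillog(text, year=2003):
    """Turn maillog text into a list of event dicts (year is an assumption:
    syslog timestamps do not carry one, so pass the year the log was written)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
            "qid": m["qid"],
            "ip": m["ip"],
            "relay": m["relay"],
            "size": int(m["size"]),
            "null_sender": m["sender"] == "",
        })
    return events


def find_bursts(events, max_gap=timedelta(seconds=60), min_probes=3):
    """Group each source address's sessions into bursts (consecutive events no
    more than max_gap apart) and return the bursts that contain at least
    min_probes zero-size sessions. Each burst records how many sessions
    carried no message ("probes") and how many relayed a message."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    bursts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        current = None
        for e in evs:
            if current is None or e["ts"] - current["end"] > max_gap:
                if current is not None:
                    bursts.append(current)
                current = {"ip": ip, "relay": e["relay"], "start": e["ts"],
                           "end": e["ts"], "probes": 0, "relayed": 0}
            current["end"] = e["ts"]
            if e["size"] == 0:
                current["probes"] += 1
            else:
                current["relayed"] += 1
        if current is not None:
            bursts.append(current)

    bursts.sort(key=lambda b: b["start"])
    return [b for b in bursts if b["probes"] >= min_probes]


if __name__ == "__main__":
    for b in find_bursts(parse_maillog(SAMPLE_LOG)):
        seconds = int((b["end"] - b["start"]).total_seconds())
        print(f"{b['ip']} ({b['relay']}): {b['probes']} zero-size sessions, "
              f"{b['relayed']} messages relayed, {seconds}s from {b['start']:%H:%M:%S}")
```

To run it on a real log, feed `parse_maillog(open("/var/log/maillog").read())` to `find_bursts`. The burst start times it prints are what to line up against the POP login records that the pop-before-relay mechanism keeps: a burst of relayed mail with no POP login from that address in the preceding five minutes was authorised by something other than the customer's mail client. Note also that every `size>0` entry with a `msgid` is a completed SMTP transaction, which requires a full two-way TCP session with the listed address; a blindly forged source address cannot complete one, so such traffic is more consistent with software running on, or proxied through, the customer's machine than with packet-level spoofing.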