On Mon, Jul 21, 2003 at 11:10:50PM +0000, Bob Crandell wrote:
> Hi,
>
> The computer they are complaining about [216.239.175.40] is not
> running sendmail or qmail, yet spammers are using it somehow. Please
> tell me there is enough information here to determine that they are
> spoofing. This computer is not supposed to be handling email at all.
>
> I'm trying to help this guy but I don't know enough to be very good at
> it.
>
> Thanks.
> > Received: from mail by f21.mail.ru with local
> >         id 19MDlt-000PpF-00
> >         for [EMAIL PROTECTED]; Sun, 01 Jun 2003 01:20:13 +0400
> > Received: from [216.239.175.40] by koi.mail.ru with HTTP;
> >         Sun, 01 Jun 2003 01:20:13 +0400
> > From: "ipxsn_ln19umzu3 ipxsn_ln19umzu3" <[EMAIL PROTECTED]>
> > To: [EMAIL PROTECTED]
> > Subject:

These are interesting lines. Assuming we can trust what koi.mail.ru is
saying, it was received with HTTP. Looking at other mail headers I see
these: local, smtp or esmtp. Local would be something like what kbob
talked about:

$ cat spamfile | sendmail [EMAIL PROTECTED]

smtp/esmtp would be if one MTA connects to another. Notice that
f21.mail.ru gets mail locally from "mail" right after koi.mail.ru
receives it. It is not an smtp/esmtp transfer. I suspect then that they
may be the same machine and the mail is being passed around outside of
an MTA (i.e. procmail or some script or webmail). Looking up the IP
addresses, they are different machines. HTTP would probably be for
webmail.

> > X-Mailer: mPOP Web-Mail 2.19
> > X-Originating-IP: 127.0.0.1 via proxy [216.239.175.40]

These are more interesting lines found in the mail header. If
koi.mail.ru is running webmail, specifically mPOP Web-Mail, then the
originating IP makes sense. I don't get the "via proxy" though, unless
they add that to systems that connect to them and send mail. This should
be the originating IP though.

Looking at koi.mail.ru, one sees it is a search engine, with maybe some
other features such as mailing out. I can't tell because it is all in
Russian.

I think kbob's suggestion is right on. I would look for zombies and
worms on the box found at 216.239.175.40.

Cory
--
Cory Petkovsek                                    Adapting Information
Adaptable IT Consulting                           Technology to your
(541) 914-8417                                    business
[EMAIL PROTECTED]                                 www.AdaptableIT.com
_______________________________________________
EuG-LUG mailing list
[EMAIL PROTECTED]
http://mailman.efn.org/cgi-bin/listinfo/eug-lug
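The reasoning in the reply above (read the Received: chain from the bottom up, note the "with" clause of each hop, and treat the "from" of the earliest hop as where the message entered the mail system) can be mechanised. The following is an added example written for this thread, not code from the original post or from any mail.ru software. It parses the header fragment quoted in the thread, with the archive's "[EMAIL PROTECTED]" redactions left in place as the sample input, classifies each hop as an SMTP relay, a local injection or a webmail submission over HTTP, and reports the client address of the earliest hop, which is the address an abuse report should be about. The classification table and the helper names are the example's own choices.

```python
"""Trace the Received: chain of a mail header to find where a message
entered the mail system and how (SMTP/ESMTP relay, local injection,
or webmail over HTTP).  Added example for the EuG-LUG thread; not code
from the original post."""
import re

# Header fragment as quoted in the thread.  Continuation lines are
# folded with leading whitespace as in RFC 2822.  "[EMAIL PROTECTED]"
# is the archive's redaction, not a real address.
SAMPLE_HEADERS = """\
Received: from mail by f21.mail.ru with local
\tid 19MDlt-000PpF-00
\tfor [EMAIL PROTECTED]; Sun, 01 Jun 2003 01:20:13 +0400
Received: from [216.239.175.40] by koi.mail.ru with HTTP;
\tSun, 01 Jun 2003 01:20:13 +0400
From: "ipxsn_ln19umzu3 ipxsn_ln19umzu3" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject:
X-Mailer: mPOP Web-Mail 2.19
X-Originating-IP: 127.0.0.1 via proxy [216.239.175.40]
"""

# Clauses RFC 2822 allows in a Received: field, in the order they appear.
CLAUSES = ("from", "by", "via", "with", "id", "for")


def unfold(raw):
    """Return (name, value) pairs with folded continuation lines joined."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and fields:          # continuation of previous field
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def parse_received(value):
    """Split one Received: value into its clauses and the trailing date."""
    clauses, _, date = value.partition(";")
    clauses = clauses.strip()
    hop = {"date": date.strip()}
    for key in CLAUSES:
        # Each clause runs until the next clause keyword or end of text.
        m = re.search(
            rf"(?:^|\s){key}\s+(.+?)(?=\s+(?:from|by|via|with|id|for)\s|$)",
            clauses, re.IGNORECASE)
        hop[key] = m.group(1).strip() if m else None
    return hop


def classify(hop):
    """Name the kind of transfer a hop represents from its 'with' clause."""
    proto = (hop.get("with") or "").lower()
    if proto in ("smtp", "esmtp", "smtps", "esmtps"):
        return "relay"      # one MTA spoke SMTP to another
    if proto == "local":
        return "local"      # injected on the host itself (sendmail, procmail, script)
    if proto == "http":
        return "webmail"    # submitted through a web interface; 'from' is the browser's IP
    return "unknown"


def trace(raw):
    """Hops oldest-first.  Each MTA prepends its Received: line, so the
    last one in the header is the earliest hop."""
    hops = [parse_received(v) for n, v in unfold(raw) if n.lower() == "received"]
    hops.reverse()
    for hop in hops:
        hop["kind"] = classify(hop)
    return hops


def entry_point(raw):
    """Where the message entered the mail system: the 'from' of the
    earliest hop, how it got in, and the X-Originating-IP if present."""
    first = trace(raw)[0]
    xorig = next((v for n, v in unfold(raw) if n.lower() == "x-originating-ip"), None)
    return {
        "client": (first["from"] or "").strip("[]"),
        "kind": first["kind"],
        "by": first["by"],
        "x_originating_ip": xorig,
    }


if __name__ == "__main__":
    for i, hop in enumerate(trace(SAMPLE_HEADERS)):
        print(f"hop {i}: {hop['from']} -> {hop['by']} ({hop['kind']})")
    print(entry_point(SAMPLE_HEADERS))
```

Run against the quoted header, this reports hop 0 as a webmail submission from [216.239.175.40] to koi.mail.ru and hop 1 as a local hand-off into f21.mail.ru, i.e. no SMTP transfer between the two mail.ru hosts, which is the observation the reply makes by eye. The X-Originating-IP value is returned verbatim so the "via proxy" wording can be judged by the reader rather than parsed away.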
