Ok, Ben and Cory, first one to respond gets a paycheck.

Cory Petkovsek ([EMAIL PROTECTED]) wrote:
>
>On Mon, Jul 21, 2003 at 11:10:50PM +0000, Bob Crandell wrote:
>> Hi,
>>
>> The computer they are complaining about [216.239.175.40] is not
>> running sendmail or qmail, yet spammers are using it somehow. Please
>> tell me there is enough information here to determine that they are
>> spoofing. This computer is not supposed to be handling email at all.
>>
>> I'm trying to help this guy but I don't know enough to be very good at
>> it.
>>
>> Thanks.
>
>
>> > Received: from mail by f21.mail.ru with local
>> >     id 19MDlt-000PpF-00
>> >     for [EMAIL PROTECTED]; Sun, 01 Jun 2003 01:20:13 +0400
>> > Received: from [216.239.175.40] by koi.mail.ru with HTTP;
>> >     Sun, 01 Jun 2003 01:20:13 +0400
>> > From: "ipxsn_ln19umzu3 ipxsn_ln19umzu3" <[EMAIL PROTECTED]>
>> > To: [EMAIL PROTECTED]
>> > Subject:
>> >
>
>These are interesting lines. Assuming we can trust what koi.mail.ru is
>saying, received with HTTP. Looking at other mail headers I see these:
>local, smtp or esmtp. Local would be something like what kbob talked
>about:
>$ cat spamfile | sendmail [EMAIL PROTECTED]
>smtp/esmtp would be if one mta connects to another. Notice that
>f21.mail.ru gets mail locally from "mail" right after koi.mail.ru
>receives it. It is not an smtp/esmtp transfer. I suspect then that
>they may be the same machine and the mail is being passed around outside
>of an mta (i.e. procmail or some script or webmail). Looking up the ip
>addresses, they are different machines. HTTP would probably be for
>webmail.
>
>> > X-Mailer: mPOP Web-Mail 2.19
>> > X-Originating-IP: 127.0.0.1 via proxy [216.239.175.40]
>
>These are more interesting lines found in the mail header. If
>koi.mail.ru is running webmail, specifically mPOP web-mail, then the
>originating ip makes sense. I don't get the via proxy though, unless
>they add that to systems that connect to them and send mail. This
>should be the originating ip though.
>
>Looking at koi.mail.ru, one sees it is a search engine, with maybe some
>other features such as mailing out. I can't tell because it is all in
>Russian.
>
>I think kbob's suggestion is right on. I would look for zombies and
>worms on the box found at 216.239.175.40.
>
>Cory
>
>EuG-LUG mailing list
>[EMAIL PROTECTED]
>http://mailman.efn.org/cgi-bin/listinfo/eug-lug
>
--
Bob Crandell
Assured Computing
When you need to be sure.
[EMAIL PROTECTED]
www.assuredcomp.com
Voice - 541-689-9159
FAX - 541-463-1627
Eugene, Oregon
_______________________________________________
EuG-LUG mailing list
[EMAIL PROTECTED]
http://mailman.efn.org/cgi-bin/listinfo/eug-lug
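The header reasoning Cory walks through above (read the Received chain bottom-up, note whether each hop was local, HTTP or smtp/esmtp, and check whether the complained-about box ever acted as a mail server) can be automated. The script below is an added example, not code from the thread or from any of its participants; the sample message is constructed from the header fragment quoted above with the archive's [EMAIL PROTECTED] placeholders left in, and the helper names `parse_hops` and `classify` are my own. It reports that 216.239.175.40 appears only as the "from" side of an HTTP (webmail) hop and never as a "by" host, which is what the thread concludes: the box submitted mail through mail.ru's webmail, it did not relay it. As Cory notes, that holds only as far as koi.mail.ru's own Received line is trusted; anything below the line written by a host you control could have been supplied by the sender.

```python
import re
from email import message_from_string

# Constructed sample message, assembled from the header fragment quoted in the
# thread above.  Addresses keep the list archive's [EMAIL PROTECTED] placeholder.
SAMPLE = (
    "Received: from mail by f21.mail.ru with local\n"
    "\tid 19MDlt-000PpF-00\n"
    "\tfor [EMAIL PROTECTED]; Sun, 01 Jun 2003 01:20:13 +0400\n"
    "Received: from [216.239.175.40] by koi.mail.ru with HTTP;\n"
    "\tSun, 01 Jun 2003 01:20:13 +0400\n"
    'From: "ipxsn_ln19umzu3 ipxsn_ln19umzu3" <[EMAIL PROTECTED]>\n'
    "To: [EMAIL PROTECTED]\n"
    "Subject:\n"
    "X-Mailer: mPOP Web-Mail 2.19\n"
    "X-Originating-IP: 127.0.0.1 via proxy [216.239.175.40]\n"
    "\n"
    "(body omitted)\n"
)

# "from <host> by <host> with <protocol>" as most MTAs write it.
HOP_RE = re.compile(
    r"from\s+(?P<from>[^\s;]+)\s+by\s+(?P<by>[^\s;]+)(?:\s+with\s+(?P<with>[^\s;]+))?",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_hops(raw):
    """Return the Received chain as a list of hops, earliest hop first."""
    msg = message_from_string(raw)
    hops = []
    # Each MTA prepends its own Received line, so the last one in the header
    # block is the earliest hop; walking the list in reverse gives delivery order.
    for value in reversed(msg.get_all("Received", [])):
        flat = re.sub(r"\s+", " ", value)  # unfold continuation lines
        m = HOP_RE.search(flat)
        if m is None:
            continue
        hops.append({
            "from": m["from"].strip("[]"),
            "by": m["by"].strip("[]"),
            "with": (m["with"] or "").lower(),
        })
    return hops


def classify(raw, suspect_ip):
    """Summarise what the headers say about suspect_ip's role in the delivery.

    Only the Received line written by a host you trust is reliable; everything
    below it could have been supplied by the sender.  Here, as in the thread,
    koi.mail.ru's line is taken at face value.
    """
    hops = parse_hops(raw)
    msg = message_from_string(raw)
    origin = hops[0] if hops else {"from": "", "by": "", "with": ""}
    return {
        "origin_from": origin["from"],
        "origin_by": origin["by"],
        "origin_protocol": origin["with"],
        # local or HTTP means a client handed the mail to a server; smtp/esmtp
        # means the "from" host spoke SMTP itself, i.e. it ran an MTA.
        "origin_was_smtp": origin["with"] in ("smtp", "esmtp"),
        "suspect_is_origin": origin["from"] == suspect_ip,
        # If the suspect never appears as a "by" host, it relayed nothing.
        "suspect_acted_as_mta": any(h["by"] == suspect_ip for h in hops),
        "x_originating_ips": IP_RE.findall(msg.get("X-Originating-IP", "")),
        "x_mailer": msg.get("X-Mailer", ""),
    }


if __name__ == "__main__":
    for key, val in classify(SAMPLE, "216.239.175.40").items():
        print(f"{key:22} {val}")
```

Run it on the raw message file instead of `SAMPLE` to check a real complaint: a suspect that shows up as the "by" host of an smtp/esmtp hop is running (or being used as) a mail server, while one that appears only as the "from" side of a local or HTTP hop is a client of someone else's server, which points at a compromised user account or malware on that box rather than an open relay.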
