Unless Mrblue is on a road trip somewhere accessing his mail... Then yes.
I would do an nslookup 72.189.129.134 and see who it belongs to,
mainly what country it is in.


On 8/26/2014 1:51 PM, Jim Shupert wrote:
Dan,

Thank you for the lesson on mail headers.
I very much need to know more about that sort of thing in order to do the kind of forensics of these sort of problems.

First, let me say that if I look at a "legit" MrBlue email

it says in the header only and always
mrb...@theppjgroup.com

so when we see

(mrb...@theppjgroup.com@72.189.129.134)

that num 72.189.129.134   is alien to me


so would you say that MrBlue has been hacked?

thanks again

Let me see if I have an understanding of your statement.
On 8/26/2014 10:53 AM, Dan McAllister wrote:
On 8/25/2014 11:27 AM, Jim Shupert wrote:
friends,

I have one user [MrBlue] who is a valid user on my domain of theppjgroup.com

It seems MrBlue has been getting overloaded with failure notices..
I *think* that someone is sending mail spoofing MrBlue -- but they do not have the password -- so it fails
and my (actual) MrBlue then gets a failure notice.

well,
my Mr Blue is red with rage.
I wonder what I can do to relieve some of the pain?

below please find one of the failure notices

Thanks



-----Original Message-----
From: mailer-dae...@mailhost.theppjgroup.com
[mailto:mailer-dae...@mailhost.theppjgroup.com]
Sent: Friday, August 22, 2014 6:49 AM
To: mrb...@theppjgroup.com
Subject: failure notice

Hi. This is the qmail-send program at mailhost.theppjgroup.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<ca...@hotmail.com>:
User and password not set, continuing without authentication.
65.54.188.126 does not like recipient.
Remote host said: 550 Requested action not taken: mailbox unavailable Giving
up on 65.54.188.126.

--- Below this line is a copy of the message.

Return-Path: <mrb...@theppjgroup.com>
Received: (qmail 8984 invoked by uid 89); 22 Aug 2014 10:48:53 -0000
Received: by simscan 1.3.1 ppid: 8975, pid: 8980, t: 0.3711s
         scanners: attach: 1.3.1 clamav: 0.95.2/m:
Received: from unknown (HELO ?192.168.249.85?)
(mrb...@theppjgroup.com@72.189.129.134)
  by mailhost.theppjgroup.com with ESMTPA; 22 Aug 2014 10:48:53 -0000
Content-Type: multipart/alternative;
 boundary="===============0847007466868061251=="
MIME-Version: 1.0
Message-ID: <53f7202f.2848...@theppjgroup.com>
Date: Fri, 22 Aug 2014 13:49:19 +0300
From: "K&L Gates international" <mrb...@theppjgroup.com>
Subject: Urgent indebtedness notification
To: ca...@hotmail.com

OK - So I want to take this opportunity to educate on the reading of Mail Headers....

First, new header entries always go to the TOP, so to trace the path of a message, start at the bottom (of the header).
In the above example, the message STARTED with a header of:

    Date: Fri, 22 Aug 2014 13:49:19 +0300
    From: "K&L Gates international" <mrb...@theppjgroup.com>
    Subject: Urgent indebtedness notification
    To: ca...@hotmail.com

At which point, your SMTP server collected it and added:

    Received: from unknown (HELO ?192.168.249.85?)
    (mrb...@theppjgroup.com@72.189.129.134)
      by mailhost.theppjgroup.com with ESMTPA; 22 Aug 2014 10:48:53 -0000
    Content-Type: multipart/alternative;
     boundary="===============0847007466868061251=="
    MIME-Version: 1.0
    Message-ID: <53f7202f.2848...@theppjgroup.com>

And HERE is where you'll find how this message is coming in...
The end-user connected to you with a PC (or other client device) that had a LOCAL (LAN) IP address of *192.168.249.85* - Is this the LAN IP address range of Mr Blue? If not, someone's logging into your server from another LAN.

The Public IP address of this client system is *72.189.129.134* (That is, the public IP address of the source of the SMTP connection) - Is this the WAN IP address of Mr Blue's office? Again, if not, someone's logging into your mail server with falsified credentials.

The _SMTP AUTH credential provided_ was *mrb...@theppjgroup.com* -- so if someone's been hacked, it's Mr. Blue himself!

The remaining headers (moving up) are the internal processing of your QMT:

    Return-Path: <mrb...@theppjgroup.com>
    Received: (qmail 8984 invoked by uid 89); 22 Aug 2014 10:48:53 -0000
    Received: by simscan 1.3.1 ppid: 8975, pid: 8980, t: 0.3711s
             scanners: attach: 1.3.1 clamav: 0.95.2/m:

Now you could argue at which point any of these lines gets added, but the point in reading a mail header is that you work from the bottom up!

So, while others have suggested MrBlue is being spoofed, or that this is back-scatter, I think the proof here is that he may have been HACKED (that is, if the LAN and WAN IPs don't match Mr Blue's environment, someone is impersonating him - so change the password, pronto!), or that he has a MALWARE infection (if those are his addresses). That LAN host -- ending in 249.85 -- likely is the system with the malware, so scan that system (and change the account password as well).

I hope this helps...

Dan
IT4SOHO

--
IT4SOHO, LLC
33 - 4th Street N, Suite 211
St. Petersburg, FL 33701-3806

CALL TOLL FREE:
   877-IT4SOHO

877-484-7646 Phone
727-647-7646 Local
727-490-4394 Fax

We have support plans for QMail!

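The bottom-up header walk Dan describes, as an added example (not code from the thread): it unfolds the quoted failure-notice headers, finds the authenticated submission hop, and compares the HELO and client addresses against a LAN range and WAN address that are assumed placeholders here.

```python
import ipaddress
import re

# Constructed sample, copied from the failure notice quoted in the thread
# (the archive's "..." address masking is kept as-is).
SAMPLE_HEADERS = """\
Return-Path: <mrb...@theppjgroup.com>
Received: (qmail 8984 invoked by uid 89); 22 Aug 2014 10:48:53 -0000
Received: by simscan 1.3.1 ppid: 8975, pid: 8980, t: 0.3711s
         scanners: attach: 1.3.1 clamav: 0.95.2/m:
Received: from unknown (HELO ?192.168.249.85?)
(mrb...@theppjgroup.com@72.189.129.134)
  by mailhost.theppjgroup.com with ESMTPA; 22 Aug 2014 10:48:53 -0000
From: "K&L Gates international" <mrb...@theppjgroup.com>
Subject: Urgent indebtedness notification
"""

# qmail ESMTPA hop: from <host> (HELO <name>) (<auth-user>@<client-ip>) by <us> with <proto>
RECEIVED_RE = re.compile(
    r"from\s+(?P<host>\S+)\s+\(HELO\s+(?P<helo>[^)]*)\)\s*"
    r"\((?P<auth>\S+?)@(?P<ip>\d+\.\d+\.\d+\.\d+)\)\s*"
    r"by\s+(?P<by>\S+)\s+with\s+(?P<proto>\w+)")

def unfold_headers(text):
    """Return [name, value] pairs; a line not shaped like 'Name: ...' is a folded
    continuation (the client wrapped the auth line without leading whitespace)."""
    fields = []
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][\w-]*):\s*(.*)$", line)
        if m:
            fields.append([m.group(1), m.group(2)])
        elif fields:
            fields[-1][1] += " " + line.strip()
    return fields

def analyze_submission(headers_text, lan_net, wan_ip):
    """Walk Received headers bottom-up (oldest hop first) and judge the authenticated
    submission hop against the user's known LAN range and WAN address (assumed inputs)."""
    received = [v for n, v in unfold_headers(headers_text) if n.lower() == "received"]
    for value in reversed(received):           # bottom of the block is the first hop
        m = RECEIVED_RE.search(value)
        if not m:
            continue                            # internal qmail/simscan hops have no client
        helo = m.group("helo").strip("?")
        try:
            helo_ok = ipaddress.ip_address(helo) in ipaddress.ip_network(lan_net)
        except ValueError:
            helo_ok = False                     # HELO was a hostname, not an address
        client_ok = m.group("ip") == wan_ip
        verdict = ("expected client; suspect malware on the LAN host" if helo_ok and client_ok
                   else "unexpected client; credentials likely compromised, reset password")
        return {"auth_user": m.group("auth"), "helo": helo, "client_ip": m.group("ip"),
                "helo_in_lan": helo_ok, "client_is_wan": client_ok, "verdict": verdict}
    return None
```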

