[Declude.JunkMail] How did this Spammer get through?
I've got several held emails from a spammer trying to use our system for relay. I've got the box locked down to only accept relay from authenticated users, but somehow this guy got through. Luckily, I've got hijack on the box, which has blocked all of his emails. Here's an example of the email he's trying to relay through:

    Received: from 208.253.112.160 [169.207.38.237] by richmond.com (SMTPD32-7.07) id A450F9200BE; Wed, 12 Mar 2003 18:35:44 -0500
    Received: from 0e.ygr0.net ([143.95.123.108]) by 208.253.112.160 with SMTP; Wed, 12 Mar 2003 22:30:43 -0100
    Message-ID: [EMAIL PROTECTED]
    From: Mervin Crow [EMAIL PROTECTED]
    To: [EMAIL PROTECTED]
    Cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
    Subject: re: Increase Your Gas Mileage by up to 27% ohvs eex
    Date: Wed, 12 Mar 03 22:30:43 GMT
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: The Bat! (v1.52f) Business
    MIME-Version: 1.0
    Content-Type: multipart/alternative; boundary=15978B3_057.85AE_.850_

    This is a multi-part message in MIME format.

    --15978B3_057.85AE_.850_
    Content-Type: text/html
    Content-Transfer-Encoding: quoted-printable

    <html><body>Paul athwartship,<a href=3Dhttp://[EMAIL PROTECTED] averpro.com><img src=3Dhttp://[EMAIL PROTECTED]/the.jpg width=3D536=
    height=3D505 /></a>salute beacon stumpweapon gap<br>%RA=
    NDOM_WORDhum implantation party dish</body></html>
    --15978B3_057.85AE_.850_--

How is he successfully getting through? Also, how can I block him from coming through again?

Thanks.

Brian

-----Original Message-----
From: R. Scott Perry [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 12, 2003 6:18 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] HELO contains SOO..

> My question is this.. Could I create a wordfilter rule that goes like
>
>     HELO 10 CONTAINS imail.fament.com
>
> or will that shoot myself in the foot for some reason ?

That will work fine, just so long as you don't have any other mailservers that identify themselves as imail.fament.com. If your IMail server is the only one that does, the filter will work fine.
> If it really is the HELO string then I don't see this as a problem, since my understanding is that my mail server does NOT connect to itself and should then never send the HELO imail.fament.com to itself ?!

Correct. There might be odd cases where the IMail server would connect to itself, but if that happens, you've got another problem on your hands (as it would cause a mail loop).

-Scott

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
---
[This E-mail was scanned for Viruses and Spam by Richmond.com]
Re: [Declude.JunkMail] How did this Spammer get through?
> Here's an example of the email he's trying to relay through:

The key information isn't in the headers in this case -- it's in the IMail SMTP log file. Most important are the RCPT TO: lines, which will show who the E-mail was actually addressed to, and whether or not some hack was used to relay the E-mail. If you post the IMail SMTP log file entries, I should be able to let you know what is going on.

-Scott
Re: [Declude.JunkMail] How did this Spammer get through?
Here you go:

    03:12 18:35 SMTPD(0F9200BE) [169.207.38.237] HELO 208.253.112.160
    03:12 18:35 SMTPD(0F9200BE) [169.207.38.237] MAIL FROM: [EMAIL PROTECTED]
    03:12 18:35 SMTPD(0F9200BE) [169.207.38.237] RCPT TO: [EMAIL PROTECTED]
    03:12 18:35 SMTPD(0F9200BE) [169.207.38.237] RCPT TO: [EMAIL PROTECTED]
    03:12 18:35 SMTPD(0F9200BE) [169.207.38.237] ERR richmond.com invalid user [EMAIL PROTECTED]
    03:12 18:35 SMTPD(0F9200BE) [169.207.38.237] RCPT TO: [EMAIL PROTECTED]
    03:12 18:35 SMTPD(0F9200BE) [169.207.38.237] ERR richmond.com invalid user [EMAIL PROTECTED]
    03:12 18:35 SMTPD(0F9200BE) [169.207.38.237] d:\IMail\spool\Dc4500f9200bec554.SMD 1114

So is he authenticating as a real user?

b

-- Original Message --
From: R. Scott Perry [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Wed, 12 Mar 2003 19:11:04 -0500

> Here's an example of the email he's trying to relay through:

The key information isn't in the headers in this case -- it's in the IMail SMTP log file. Most important are the RCPT TO: lines, which will show who the E-mail was actually addressed to, and whether or not some hack was used to relay the E-mail. If you post the IMail SMTP log file entries, I should be able to let you know what is going on.

-Scott
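Scott's point (the RCPT TO: lines in the IMail SMTP log, not the headers, show who the message was really addressed to and whether it was relayed) and the HELO wordfilter idea from the earlier message can both be checked mechanically over the log. The following is an added example, not code from the list, from Declude or from IMail: a small Python parser for the SMTPD log layout shown in Brian's post, run over constructed sample lines (the real addresses are redacted in the archive, so the ones below are made up). The local domain richmond.com is taken from the log; treating 208.253.112.160 as the server's own identity, the `.SMD` spool line as "message accepted", and an ERR line as referring to the RCPT TO just before it are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the IMail SMTPD layout from the thread:
# date time SMTPD(session id) [client IP] command
# Addresses are invented; the archive redacted the real ones.
SAMPLE_LOG = r"""
03:12 18:35 SMTPD(0F9200BE) [169.207.38.237] HELO 208.253.112.160
03:12 18:35 SMTPD(0F9200BE) [169.207.38.237] MAIL FROM: <mervin@example.org>
03:12 18:35 SMTPD(0F9200BE) [169.207.38.237] RCPT TO: <paul@example.net>
03:12 18:35 SMTPD(0F9200BE) [169.207.38.237] RCPT TO: <nobody@richmond.com>
03:12 18:35 SMTPD(0F9200BE) [169.207.38.237] ERR richmond.com invalid user nobody@richmond.com
03:12 18:35 SMTPD(0F9200BE) [169.207.38.237] RCPT TO: <ghost@richmond.com>
03:12 18:35 SMTPD(0F9200BE) [169.207.38.237] ERR richmond.com invalid user ghost@richmond.com
03:12 18:35 SMTPD(0F9200BE) [169.207.38.237] d:\IMail\spool\Dc4500f9200bec554.SMD 1114
03:12 18:40 SMTPD(0F9200C1) [192.0.2.10] HELO mail.example.com
03:12 18:40 SMTPD(0F9200C1) [192.0.2.10] MAIL FROM: <alice@example.com>
03:12 18:40 SMTPD(0F9200C1) [192.0.2.10] RCPT TO: <bob@richmond.com>
03:12 18:40 SMTPD(0F9200C1) [192.0.2.10] d:\IMail\spool\Dc4500f9200c1aaaa.SMD 2048
""".strip()

LOCAL_DOMAINS = {"richmond.com"}                      # from the log ("ERR richmond.com ...")
OWN_IDENTITIES = {"richmond.com", "208.253.112.160"}  # assumed: names/IPs only we should HELO as

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) SMTPD\((?P<sid>[0-9A-Fa-f]+)\) "
    r"\[(?P<ip>[0-9.]+)\] (?P<rest>.*)$"
)
ADDR_RE = re.compile(r"<?([^<>\s]+@[^<>\s]+)>?")


@dataclass
class Session:
    sid: str
    client_ip: str
    helo: str = ""
    mail_from: str = ""
    rcpts: list = field(default_factory=list)  # [address, accepted?] pairs, in order
    spooled: bool = False                      # a .SMD spool line means the message was taken

    def accepted_rcpts(self):
        return [addr for addr, ok in self.rcpts if ok]


def parse_sessions(log_text):
    """Group SMTPD log lines by session id and pull out the SMTP dialogue."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        s = sessions.setdefault(m.group("sid"), Session(m.group("sid"), m.group("ip")))
        rest = m.group("rest")
        upper = rest.upper()
        if upper.startswith(("HELO ", "EHLO ")):
            s.helo = rest.split(None, 1)[1].strip()
        elif upper.startswith("MAIL FROM:"):
            a = ADDR_RE.search(rest[len("MAIL FROM:"):])
            s.mail_from = a.group(1) if a else ""
        elif upper.startswith("RCPT TO:"):
            a = ADDR_RE.search(rest[len("RCPT TO:"):])
            s.rcpts.append([a.group(1) if a else "", True])
        elif upper.startswith("ERR ") and s.rcpts:
            # Assumption: an ERR line applies to the RCPT TO logged just before it
            s.rcpts[-1][1] = False
        elif ".SMD" in upper:
            s.spooled = True
    return sessions


def analyze(log_text, local_domains=LOCAL_DOMAINS, own_identities=OWN_IDENTITIES):
    """Return (session id, client ip, kind, detail) findings for a log excerpt."""
    local = {d.lower() for d in local_domains}
    own = {i.lower() for i in own_identities}
    findings = []
    for s in parse_sessions(log_text).values():
        # A client announcing itself with one of our own names is the wordfilter case
        if s.helo.lower() in own:
            findings.append((s.sid, s.client_ip, "helo-spoof", s.helo))
        # Accepted recipients outside our domains, on a message we spooled, is a relay;
        # the posted log shows no authentication step, so none is assumed here
        relayed = [a for a in s.accepted_rcpts()
                   if a.rsplit("@", 1)[-1].lower() not in local]
        if relayed and s.spooled:
            findings.append((s.sid, s.client_ip, "relay-accepted", ", ".join(relayed)))
        # Repeated "invalid user" rejections in one session look like address guessing
        rejected = [a for a, ok in s.rcpts if not ok]
        if len(rejected) >= 2:
            findings.append((s.sid, s.client_ip, "invalid-user-probe", ", ".join(rejected)))
    return findings


if __name__ == "__main__":
    for sid, ip, kind, detail in analyze(SAMPLE_LOG):
        print(f"{sid} {ip} {kind}: {detail}")
```

Run against the real log, the interesting question is the first RCPT TO in session 0F9200BE: if it is outside richmond.com and the message still hit the spool, the relay happened, and the log (not the headers) is where that shows. The HELO check reproduces Scott's caveat in code: it only makes sense if no legitimate host other than the server itself ever announces those identities.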
Re: [Declude.JunkMail] How did this Spammer get through?
What's strange is that the only thing consistent around all of the spam emails is the IP address 169.207.38.237, which is listed with SpamCop. Should Declude pick that up? I've got SpamCop listed as an automatic hold, but somehow he keeps getting through.

Thanks.

b

-- Original Message --
From: R. Scott Perry [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Wed, 12 Mar 2003 19:11:04 -0500

> Here's an example of the email he's trying to relay through:

The key information isn't in the headers in this case -- it's in the IMail SMTP log file. Most important are the RCPT TO: lines, which will show who the E-mail was actually addressed to, and whether or not some hack was used to relay the E-mail. If you post the IMail SMTP log file entries, I should be able to let you know what is going on.

-Scott