
Re: Mystery email message...



That message does not mean that you were compromised or that you're
an open relay, though I suppose that it's still possible.

To illustrate how this could happen, here's me telnetting to our mail
server on port 25:

---
bash-2.05$ telnet mail 25
Trying 10.1.1.5...
Connected to www.
Escape character is '^]'.
220 mail.teleologic.net ESMTP Postfix
HELO spamhost
250 mail.teleologic.net
MAIL FROM:"big stupid spammer"<spam@spam.spam>
250 Ok
RCPT TO:Danny<danny@dannysauer.com>
250 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Subject: Make Money Fast!
To: "Fake Reply Addr"<spammer@neverfindme.com>

Hey, this is spam!
.
250 Ok: queued as EDA6E4719F
QUIT
221 Bye
Connection closed by foreign host.
---

and here's the message that those commands would generate:

---
Return-Path: <spam@spam.spam>
Delivered-To: dsauer@teleologic.net
Received: from spamhost (danny-pc.internal.teleologic.net [10.1.1.23])
        by mail.teleologic.net (Postfix) with SMTP id EDA6E4719F
        for <danny@dannysauer.com>; Fri, 15 Mar 2002 10:42:12 -0600 (CST)
Subject: Make Money Fast!
To: "Fake Reply Addr" <spammer@neverfindme.com>
Message-Id: <20020315164212.EDA6E4719F@mail.teleologic.net>
Date: Fri, 15 Mar 2002 10:42:12 -0600 (CST)
From: spam@spam.spam

Hey, this is spam!
---

Notice how Postfix as configured here records the actual recipient and the
address that the message was delivered to, as opposed to your MTA, which
apparently is not configured to do so.  It's really handy to have that
information in your headers, especially if you have several aliases that
forward to a single account.  I'm not sure how to do that on other MTAs,
and Postfix does it out of the box, so I'm not really sure how to do it
there, either. :)

--Danny, including your complete message for unknown reasons...
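The point of the session above is that the envelope recipient (RCPT TO) and the To: header are independent, and only an MTA that writes the envelope into the headers (Postfix's "for <...>" clause and Delivered-To:) lets you see the difference afterwards. As an added example, not code from the thread, here is a small Python script that walks the Received: chain of a message oldest-hop-first and compares the header recipients with whatever envelope recipients the MTAs recorded. The two sample messages are transcribed from the thread (bodies trimmed); the function names and the mismatch/None convention are my own.

```python
"""Trace the Received: chain of an email and compare To:/Cc: with the
envelope recipients the MTAs recorded (Delivered-To: and the "for <...>"
clause of Received:).  Sample messages are transcribed from the thread."""
import email
import re
from email.utils import getaddresses

# Message produced by the Postfix session shown in the thread.
POSTFIX_MSG = """\
Return-Path: <spam@spam.spam>
Delivered-To: dsauer@teleologic.net
Received: from spamhost (danny-pc.internal.teleologic.net [10.1.1.23])
        by mail.teleologic.net (Postfix) with SMTP id EDA6E4719F
        for <danny@dannysauer.com>; Fri, 15 Mar 2002 10:42:12 -0600 (CST)
Subject: Make Money Fast!
To: "Fake Reply Addr" <spammer@neverfindme.com>
Date: Fri, 15 Mar 2002 10:42:12 -0600 (CST)
From: spam@spam.spam

Hey, this is spam!
"""

# Headers of the message the original poster received (body omitted).
SENDMAIL_MSG = """\
Return-Path: <murlene@omanmail.com>
Received: from pdc.LDI-ZA ([196.11.240.91])
\tby kermit.ics-inc.org (8.9.3/8.9.3) with ESMTP id BAA13875;
\tFri, 15 Mar 2002 01:26:49 -0600
Received: from mail.qatarmail.com ([209.253.231.176] RDNS failed) by pdc.LDI-ZA with Microsoft SMTPSVC(5.0.2195.2966);
\t Thu, 14 Mar 2002 16:53:51 +0200
To: <Smart.Property.Holder@kermit.ics-inc.org>
From: "Walter Smith" <murlene@omanmail.com>
Subject: Free - No games - No BS

(body omitted)
"""

HOP_RE = re.compile(r"\bfrom\s+(?P<from>.+?)\s+by\s+(?P<by>\S+)(?P<rest>.*)")
FOR_RE = re.compile(r"\bfor\s+<?(?P<addr>[^\s<>;]+)>?")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received: header into its from / by / for parts."""
    text = " ".join(value.split())  # unfold continuation lines
    m = HOP_RE.search(text)
    if not m:
        return {"from": text, "ip": None, "by": None, "for": None}
    ip_m = IP_RE.search(m.group("from"))
    for_m = FOR_RE.search(m.group("rest"))
    return {
        "from": m.group("from"),
        "ip": ip_m.group(1) if ip_m else None,
        "by": m.group("by"),
        "for": for_m.group("addr").lower() if for_m else None,
    }


def trace_hops(msg):
    """Hops oldest-first: every MTA prepends its Received: header, so the
    last one in the message is the first hop the mail took."""
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def recipient_check(msg):
    """Compare header recipients with recorded envelope recipients.
    mismatch is None when no MTA recorded the envelope at all."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    header_rcpts = {addr.lower() for _, addr in pairs if addr}
    envelope_rcpts = {v.strip().lower() for v in msg.get_all("Delivered-To", [])}
    envelope_rcpts |= {h["for"] for h in trace_hops(msg) if h["for"]}
    if not envelope_rcpts:
        mismatch = None
    else:
        mismatch = not (header_rcpts & envelope_rcpts)
    return {"header": header_rcpts, "envelope": envelope_rcpts, "mismatch": mismatch}


def analyze(raw):
    """Full report for one raw RFC 822 message string."""
    msg = email.message_from_string(raw)
    hops = trace_hops(msg)
    return {
        "hops": hops,
        "origin_ip": hops[0]["ip"] if hops else None,
        "recipients": recipient_check(msg),
    }


if __name__ == "__main__":
    for name, raw in (("postfix", POSTFIX_MSG), ("sendmail", SENDMAIL_MSG)):
        report = analyze(raw)
        print(f"== {name}: origin {report['origin_ip']}")
        for i, hop in enumerate(report["hops"]):
            print(f"  hop {i}: {hop['from']} -> {hop['by']} for {hop['for']}")
        print("  recipients:", report["recipients"])
```

On the Postfix sample the script reports the header recipient as spammer@neverfindme.com while the envelope recipients recorded by the server are danny@dannysauer.com and dsauer@teleologic.net, so mismatch is True; on the headers from the original post there is no Delivered-To: and no "for" clause, so mismatch comes back None: the MTA simply did not record where the mail was actually addressed, which is exactly the gap the reply above describes.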

On Fri, Mar 15, 2002 at 07:15:39AM -0600, aaron@cronkright.com wrote:
> Hello all,
> 
> I received this email on my linux box at work this morning and I have no idea how it got thru.  My main concern is that somebody turned my mail server into a relay.
> 
> I am only sending the headers since the body was an ad for something that is "too good to be true"
> 
> 
> Thanks,
> 
> <message>
> 
> Return-Path: <murlene@omanmail.com>
> Received: from pdc.LDI-ZA ([196.11.240.91])
> 	by kermit.ics-inc.org (8.9.3/8.9.3) with ESMTP id BAA13875;
> 	Fri, 15 Mar 2002 01:26:49 -0600
> Received: from mail.qatarmail.com ([209.253.231.176] RDNS failed) by pdc.LDI-ZA with Microsoft SMTPSVC(5.0.2195.2966);
> 	 Thu, 14 Mar 2002 16:53:51 +0200
> Message-ID: <0000178e34ca$00001af6$000072cd@mail.desertmail.com>
> To: <Smart.Property.Holder@kermit.ics-inc.org>
> From: "Walter Smith" <murlene@omanmail.com>
> Subject: Free - No games - No BS
> Date: Thu, 14 Mar 2002 07:07:45 -2000
> MIME-Version: 1.0
> Content-Type: text/plain;
> 	charset="Windows-1252"
> Content-Transfer-Encoding: 7bit
> Reply-To: murlene@omanmail.com
> X-OriginalArrivalTime: 14 Mar 2002 14:53:52.0437 (UTC) FILETIME=[0E8EEE50:01C1CB68]
> X-AntiVirus: scanned for viruses by AMaViS 0.2.1 (http://amavis.org/)
> Status:   
> 
> </message>
> 

-
To unsubscribe, send email to majordomo@luci.org with
"unsubscribe luci-discuss" in the body.