LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 01-29-2007, 12:28 AM   #1
jantman
Member
 
Registered: Nov 2005
Location: New Jersey, USA
Distribution: SuSE
Posts: 492

Rep: Reputation: 31
SPAM spoofed from my domain


Lately I've been getting a lot of mail Returned To Sender at my postmaster account.

It's all obviously spam, and not sent from my domain - the sender addresses are all random strings.

The headers spit out in the Postfix return message are something like:

Code:
Subject: Unlike computer-based simulations, real attacks will be played out against real equipment.
From: Chase K.Joan <qxbcww@jasonantman.com>
Date: Thu, 25 Jan 2007 04:27:05 +0100
To: eydi@tasc.de
Received: from 83.138.47.29.AtlasInternet.net (83.138.47.29.AtlasInternet.net [83.138.47.29]) by venus.tasc.de (Postfix) with SMTP id BD95A804E for <eydi@tasc.de>; Thu, 25 Jan 2007 04:33:26 +0100 (CET)
Received: from [73.171.232.155] (helo=uiac) by 83.138.47.29.AtlasInternet.net with smtp (Exim 4.62 (FreeBSD)) id 1H9vI6-0008Qk-Oi; Thu, 25 Jan 2007 04:28:46 +0100
Message-ID: <45B82389.1080904@jasonantman.com>
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)

Any idea on how I can prevent this, or at least not look like an @$$?
 
Old 01-29-2007, 01:58 AM   #2
raskin
Senior Member
 
Registered: Sep 2005
Location: Russia
Distribution: NixOS (http://nixos.org)
Posts: 1,893

Rep: Reputation: 68
Sorry, you can do nearly nothing. Technically there is nothing you can do to prevent anyone from putting your domain in From: if the relay allows it (it is out of your control). Legally... well, Microsoft fails to do it, and it's not that companies like that kind of mention.
 
Old 01-29-2007, 02:01 AM   #3
JimBass
Senior Member
 
Registered: Oct 2003
Location: New York City
Distribution: Debian Sid 2.6.32
Posts: 2,100

Rep: Reputation: 48
You can try to add an SPF record to your DNS. It looks like this:

example.com. IN TXT "v=spf1 mx -all"

What that says is that the only valid IP addresses for mail from example.com to come from are the mail exchangers (MX). Google for spf1, as just spf will get hits for shortest path first, the routing protocol. There are many options for what to put; the example I used was for a setup with just one mail server.

Peace,
JimBass
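To show what a receiving server actually does with a record like the one JimBass quotes, here is an added example (not code from the thread, and not from any real SPF library): a small Python evaluator for v=spf1 records that handles the mx, a, ip4, include and all mechanisms with their qualifiers, resolved against a constructed in-memory DNS table so it runs offline. The domains, addresses and records in that table are made up (example.com, partner.example, multi.example, RFC 5737 ranges); a production checker such as the one in a receiving MTA also implements macros, ip6, exists:, redirect= and the DNS lookup limit, all of which are left out here.

```python
"""Minimal SPF (v=spf1) evaluator over a constructed in-memory DNS table.

Added example for this thread; it is not the code of any real SPF library.
Only the mechanisms mx, a, ip4, include and all are implemented.
"""
import ipaddress

# Constructed DNS data standing in for real lookups (hypothetical names/addresses).
DNS = {
    "example.com": {
        "TXT": ["v=spf1 mx -all"],        # the record JimBass suggests
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["192.0.2.25"]},
    "partner.example": {
        "TXT": ["v=spf1 ip4:198.51.100.0/24 a -all"],
        "A": ["198.51.100.200"],
    },
    "multi.example": {
        "TXT": ["v=spf1 include:partner.example ~all"],
    },
}

# SPF qualifier prefix -> result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rrtype):
    """Stand-in for a DNS query: return the records of one type for a name."""
    return DNS.get(name, {}).get(rrtype, [])


def get_spf_record(domain):
    """Return the single v=spf1 TXT record for domain, or None if absent/ambiguous."""
    records = [t for t in lookup(domain, "TXT")
               if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    return records[0] if len(records) == 1 else None


def ip_in_hosts(ip, names):
    """True if ip is an A record of any of the given host names."""
    return any(ip == ipaddress.ip_address(a) for n in names for a in lookup(n, "A"))


def check_host(ip, domain, depth=0):
    """Evaluate SPF for a connecting ip claiming to send for domain.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:                         # guard against include: loops
        return "permerror"
    record = get_spf_record(domain)
    if record is None:
        return "none"                      # domain publishes no SPF: nothing to enforce
    ip = ipaddress.ip_address(ip)
    for term in record.split()[1:]:        # skip the "v=spf1" version token
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip_in_hosts(ip, [arg or domain])
        elif name == "mx":
            matched = ip_in_hosts(ip, lookup(arg or domain, "MX"))
        elif name == "include":
            # include: matches only if the referenced domain's policy yields "pass"
            matched = check_host(str(ip), arg, depth + 1) == "pass"
        else:
            return "permerror"             # mechanism not implemented in this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                       # nothing matched and no "all" term present


if __name__ == "__main__":
    # The relay seen in the original post's headers is not example.com's MX.
    print(check_host("83.138.47.29", "example.com"))   # fail
    print(check_host("192.0.2.25", "example.com"))     # pass
```

With "v=spf1 mx -all", mail from the real MX (192.0.2.25 in the constructed table) gets "pass" and mail from the relay in the original post's headers gets "fail"; what the receiver does with "fail" (reject, quarantine, or nothing) is entirely up to the receiver, which is the limitation raskin raises in the next post.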
 
Old 01-29-2007, 02:07 AM   #4
raskin
Senior Member
 
Registered: Sep 2005
Location: Russia
Distribution: NixOS (http://nixos.org)
Posts: 1,893

Rep: Reputation: 68
It will only work to protect well-configured domains from receiving spam marked as coming from you. Or am I wrong, and most mail servers do check this record by default?
 
Old 01-29-2007, 04:07 AM   #5
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Click here and then click on "Joe Job" for the explanation. Basically as has already been stated, all you can do is post an SPF record and hope that the domains who are receiving the spoofed spam will do an SPF lookup and reject it.
 
Old 01-30-2007, 05:32 AM   #6
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Interestingly enough, it looks like someone read this thread and decided to try it on me. Only a few hours after I posted this I started receiving bounces from a Joe Job attack. Too bad, whoever you are. The mail server is doing fine.
 
Old 02-07-2007, 11:19 AM   #7
jantman
Member
 
Registered: Nov 2005
Location: New Jersey, USA
Distribution: SuSE
Posts: 492

Original Poster
Rep: Reputation: 31
If the From: header is spoofed, how accurate are the rest of the headers?

Specifically, what is the likelihood that I can trace it back to a machine (or ISP) and complain to the admin?
 
Old 02-07-2007, 11:28 AM   #8
JimBass
Senior Member
 
Registered: Oct 2003
Location: New York City
Distribution: Debian Sid 2.6.32
Posts: 2,100

Rep: Reputation: 48
The received header is much more difficult to mess with. All the big anti-spam services (http://spamcop.net) use the from line in conjunction with other techniques to trace the spam.

You won't have much luck going to the IP address itself, as most IT people won't bother investigating a report that you received spam from them. The thing to do is to forward the entire email message with headers included to the ISP of that address. They can then threaten to disconnect the person/company that is generating the spam.

This page from spamcop is great for doing just that, and it is free and automated. It does have the option of a pay service, which I use just to support them, but the results are no different between the pay and free service: http://www.spamcop.net/anonsignup.shtml

Peace,
JimBass
 
Old 02-07-2007, 12:20 PM   #9
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 52
I'm no expert, but you don't receive spam, as you said? And these headers are real (probably)? What IP would you use, and what would you tell them?

We have had some like this; sending a polite, detailed email to the remote admin, giving the email ID, did it.

Contact tasc?

They even have an "IT-Security" part on the website.


Tracking header forgery:
http://www.google.com/search?q=tracking+spam+headers
In theory, from bottom to top, people have to check their IDs. You can always look for incoherency, but some spammers are better than average.
 
Old 02-07-2007, 01:18 PM   #10
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Quote:
Originally Posted by JimBass
The received header is much more difficult to mess with.
I wouldn't say "much" more difficult. The recent Joe Job attack directed at my domain used spoofed Received: headers. Basically they inserted a Received: header from my hostname & IP address at the bottom of the list saying that the message had been received from me, by the destination domain. Then the next Received: header was the real one that the actual destination mail server put on the message indicating what the real IP address was that connected to them. To anyone other than an expert, it looked like my mail server sent the mail. You have to know exactly what to look for to spot that fake.

Check out the front page of www.SMTPS.net for an example. I put bold text and arrows indicating the real Received: header, the line below that is the fake one that spoofed my domain name.
 
Old 02-07-2007, 01:29 PM   #11
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 52
2nd link in Google:
http://www.rahul.net/falk/mailtrack.html

Quote:
They are completely unforgeable after the point where it was injected. Up to that point, they may be forgeries.
Hmm, in my previous post I was wrong; it's from top to bottom (until you find the "injection").
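chort's post above and nx5000's correction describe the same check: Received: headers are trustworthy only from the top (the header your own receiving server wrote) down to the first hop whose "by" does not name the relay the hop above says it received from; everything below that point may have been inserted by the sender. Here is an added example (not code from any of the posters, and not from spamcop or the rahul.net page) in Python that performs that walk. It runs on the two Received: headers from the original post, which chain consistently, and on a constructed pair modelled on chort's description, where a forged bottom header names the victim's MX; the hostnames and addresses in the constructed pair are placeholders (mail.victim.example, mx.destination.example, RFC 5737 ranges).

```python
"""Walk Received: headers newest-first and find where the verifiable chain ends.

Added example for this thread; not code from any poster or tool mentioned.
The parser covers the common "from <host> (<helo> [<ip>]) by <host>" shape only.
"""
import re

RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)"             # host or [ip] this hop says it received from
    r"(?:\s+\((?P<comment>[^)]*)\))?"   # optional "(helo [ip])" comment
    r"\s+by\s+(?P<by>\S+)",             # the server that wrote this header
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# The two Received: headers quoted in the original post (message order: newest first).
OP_HEADERS = [
    "from 83.138.47.29.AtlasInternet.net (83.138.47.29.AtlasInternet.net [83.138.47.29]) "
    "by venus.tasc.de (Postfix) with SMTP id BD95A804E for <eydi@tasc.de>; "
    "Thu, 25 Jan 2007 04:33:26 +0100 (CET)",
    "from [73.171.232.155] (helo=uiac) by 83.138.47.29.AtlasInternet.net with smtp "
    "(Exim 4.62 (FreeBSD)) id 1H9vI6-0008Qk-Oi; Thu, 25 Jan 2007 04:28:46 +0100",
]

# Constructed headers modelled on chort's description (placeholder names/addresses).
# The top header is the real one written by the destination; the bottom one was
# supplied by the sender and pretends the destination received the mail from the
# victim's mail server.
FORGED_HEADERS = [
    "from [198.51.100.77] (helo=uiac) by mx.destination.example with smtp "
    "id 1ABCDE-000123-XY; Thu, 08 Feb 2007 01:02:03 +0000",
    "from mail.victim.example (mail.victim.example [192.0.2.10]) by mx.destination.example "
    "(Postfix) with ESMTP id 0000000 for <user@destination.example>; Thu, 08 Feb 2007 01:02:00 +0000",
]


def parse_received(header):
    """Return {'from', 'ip', 'by'} for one Received: header, or None if it does not parse."""
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    ip = IP_RE.search(m.group("from") + " " + (m.group("comment") or ""))
    return {
        "from": m.group("from").strip("[]").lower(),
        "ip": ip.group(1) if ip else None,
        "by": m.group("by").rstrip(";,").lower(),
    }


def trace(headers):
    """Return (trusted_hops, injecting_ip, note).

    Hop 0 was written by the receiving server, so it is trusted. Each later hop
    is trusted only if its 'by' names the relay the hop above says it received
    from; the first mismatch is the injection point, and that header and all
    below it are treated as forged. injecting_ip is the 'from' address of the
    last trusted hop: the address worth reporting, as the thread discusses.
    """
    hops = [parse_received(h) for h in headers]
    trusted, note = 0, "chain is consistent down to the last header"
    for i, hop in enumerate(hops):
        if hop is None:
            note = f"header {i} could not be parsed; stopping there"
            break
        if i > 0:
            prev = hops[i - 1]
            if hop["by"] not in (prev["from"], prev["ip"]):
                note = (f"header {i} claims 'by {hop['by']}' but the hop above was received "
                        f"from {prev['from']}; header {i} and everything below are untrusted")
                break
        trusted += 1
    last = hops[trusted - 1] if trusted else None
    injecting_ip = (last["ip"] or last["from"]) if last else None
    return trusted, injecting_ip, note


if __name__ == "__main__":
    print(trace(OP_HEADERS))       # (2, '73.171.232.155', 'chain is consistent ...')
    print(trace(FORGED_HEADERS))   # (1, '198.51.100.77', "header 1 claims 'by ...")
```

On the original post's headers the chain holds all the way down, so the reportable address is the one the AtlasInternet relay says it received from. On the constructed pair the walk stops at header 1, because the destination server cannot have received the same message twice, so the "mail.victim.example" line is discarded and the address to report is the one in the destination's own header. Expect false positives on legitimate mail where a server's "by" name differs from the name the previous hop used for it (internal hostnames, load balancers), so treat a break as a reason to look closer, not as proof by itself.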
 