LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 10-08-2012, 01:53 AM   #1
linuxStudent11
Member
 
Registered: Jun 2007
Posts: 103

Rep: Reputation: 16
Got returned email from "MAILER-DAEMON@clamav02.foreshore.net"


I don't think I want to open it even though I have HTML turned off in my Evolution (w/bogofilter) system. I'm NOT running clamav but maybe I should start.
I've been getting a bunch of similar bounced email stuff in the last ~3 days. On about 50% of them Evolution crashes the moment I try to display the text (that's WITHOUT showing html!!). The dmesg | tail shows only a single segfault line like:
[14812.289392] evolution[7173]: segfault at 7f99303eefc8 ip 00007f9955a39a1a sp 00007f99303eefd0 error 6 in libc-2.13.so[7f99559f3000+18d000]
and
Oct 6 07:55:57 UrsaMajor kernel: [ 5818.526895] evolution[3742]: segfault at 7f77d0c13fc8 ip 00007f77eec58a1a sp 00007f77d0c13fd0 error 6 in libc-2.13.so[7f77eec12000+18d000]
and
Oct 6 07:58:21 UrsaMajor kernel: [ 5961.850039] evolution[3792]: segfault at 7f86bc6c0fc8 ip 00007f86dc3f9a1a sp 00007f86bc6c0fd0 error 6 in libc-2.13.so[7f86dc3b3000+18d000]
These weren't returned from clamav-something. They were returned from addresses like:
MAILER-DAEMON@oproxy6-pub.bluehost.com
or " @cluster1.bresnan.net
The other 50% of the time, Evolution does NOT segfault/crash.

At first, Evolution started coming up pointing at the evil email, which meant it always immediately crashed. I finally had to emacs into the Evolution inbox to manually delete the text. I saved what I deleted into a separate file. Then Evolution came up, bitched loudly about the missing emails to which it had pointers then segfaulted. The next time I launched Evolution, it was happy.

rkhunter found NOTHING of course. Some sites are available to try >40 malware detectors. Word has it that trying all 40 only detects malware about 45% of the time when evil trojans are known to be present. (Clamav works only 10% of the time by the latest graph I saw.)

At the moment, I'm hoping that all this is happening because someone is spoofing my email as the sender/reply-to address...which means I can't stop getting sprayed. Otherwise I'm a worm victim.

Should I worry? Does anyone want to see my inbox incision? Is this even the correct forum to ask these questions? If not, where should I go?

Are other Linux users seeing this stuff? A quick google showed that others are seeing these addresses. But nobody mentioned using Evolution.

All comments are welcome.
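The three kernel lines quoted above carry more information than "Evolution crashed". As an added example (not code from the poster or from Evolution), here is a small Python parser for Linux "segfault at ..." messages. The meaning of the error-code bits is the x86 page-fault error code the kernel prints (bit 0: protection violation vs. page not present, bit 1: write vs. read, bit 2: user vs. kernel mode, bit 4: instruction fetch); the regex, the "fault address relative to sp" calculation and the classification heuristic are this example's own. The sample input is the poster's three lines, copied here as constructed test data.

```python
import re

# The three kernel lines quoted in the post, copied here as constructed input.
SAMPLE_LINES = [
    "[14812.289392] evolution[7173]: segfault at 7f99303eefc8 ip 00007f9955a39a1a "
    "sp 00007f99303eefd0 error 6 in libc-2.13.so[7f99559f3000+18d000]",
    "Oct 6 07:55:57 UrsaMajor kernel: [ 5818.526895] evolution[3742]: segfault at "
    "7f77d0c13fc8 ip 00007f77eec58a1a sp 00007f77d0c13fd0 error 6 in libc-2.13.so[7f77eec12000+18d000]",
    "Oct 6 07:58:21 UrsaMajor kernel: [ 5961.850039] evolution[3792]: segfault at "
    "7f86bc6c0fc8 ip 00007f86dc3f9a1a sp 00007f86bc6c0fd0 error 6 in libc-2.13.so[7f86dc3b3000+18d000]",
]

# Matches the format of the kernel's user-space segfault report (x86, 64-bit here).
SEGFAULT_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+)"
    r"(?: in (?P<obj>\S+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)


def decode_error_code(err):
    """Decode the x86 page-fault error code bits the kernel prints after 'error'."""
    return {
        "protection_violation": bool(err & 1),  # False = page not present at all
        "write": bool(err & 2),                 # False = read access
        "user_mode": bool(err & 4),             # False = fault taken in kernel mode
        "instruction_fetch": bool(err & 16),
    }


def parse_segfault(line):
    """Return a dict describing one segfault line, or None if it is not one."""
    m = SEGFAULT_RE.search(line)
    if not m:
        return None
    addr, ip, sp = (int(m[k], 16) for k in ("addr", "ip", "sp"))
    info = {
        "comm": m["comm"],
        "pid": int(m["pid"]),
        "fault_addr": addr,
        "ip": ip,
        "sp": sp,
        "error": decode_error_code(int(m["err"])),
        # Where the faulting address sits relative to the stack pointer.
        "fault_minus_sp": addr - sp,
        "object": m["obj"],
        # Offset of ip inside the named mapping: the value to feed to addr2line
        # or objdump against the same libc build, independent of ASLR.
        "ip_offset_in_object": None,
    }
    if m["obj"]:
        base, size = int(m["base"], 16), int(m["size"], 16)
        if base <= ip < base + size:
            info["ip_offset_in_object"] = ip - base
    return info


def classify(info):
    """Heuristic reading of the fault (this example's own rule of thumb)."""
    e = info["error"]
    if e["write"] and not e["protection_violation"] and -64 <= info["fault_minus_sp"] < 0:
        # A write just below sp into an unmapped page is what pushing past the
        # bottom of a (thread) stack looks like, e.g. runaway recursion.
        return "stack-exhaustion-like write just below sp"
    if e["instruction_fetch"]:
        return "instruction fetch from a bad address (control-flow corruption suspect)"
    return "generic access violation"


def same_crash_site(infos):
    """True when every parsed line faults at the same offset in the same object."""
    sites = {(i["object"], i["ip_offset_in_object"]) for i in infos}
    return len(sites) == 1 and None not in next(iter(sites))


if __name__ == "__main__":
    parsed = [parse_segfault(l) for l in SAMPLE_LINES]
    for p in parsed:
        print(f"{p['comm']}[{p['pid']}]: {classify(p)}; "
              f"fault at sp{p['fault_minus_sp']:+d}, ip offset 0x{p['ip_offset_in_object']:x}")
    print("same crash site in all lines:", same_crash_site(parsed))
```

On the poster's three lines the parser reports a user-mode write to a not-present page exactly 8 bytes below sp, at the same libc offset (0x46a1a) every time. Three identical sites across different processes point at one deterministic crash path in the client rather than at three different exploits; the offset is what you would hand to addr2line against the matching libc-2.13 debug symbols, and a core dump or running under gdb would confirm whether it is a deep-recursion stack overflow triggered by the malformed message.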
 
Old 10-08-2012, 02:19 AM   #2
Thor_2.0
Senior Member
 
Registered: Nov 2007
Location: Somewhere on my hard drive...
Distribution: Manjaro
Posts: 2,204
Blog Entries: 23

Rep: Reputation: 279
Hi,

From the first look of your mail, I see similarities. I've had a wave of these once (a while ago) and yes, you're right: it's spam/possibly infected/phishing/whatever/junk and rightfully not to be opened.
There are some easy ways to determine this, and you've figured out one way already: if you don't use some product/service and get "service mails" from just that stuff. Just had one the other day that my Internet banking account was blocked...but I don't do Internet banking...
Next, expand if possible, the mail address and look at the server it came from. If you get a mail from, say, your bank, but it says something like your_bank@gmail.com that's off. Your bank (a respected institution I suspect) using Gmail? hmm...

Quote:
Should I worry? Does anyone want to see my inbox incision? Is this even the correct forum to ask these questions? If not, where should I go?
In short: no, no, YES, you have arrived.

Don't worry, everyone gets stuff like that. Hey, toons do that all the time: backing up to go forward, it's a bit like a cyber moonwalk in reverse...nobody can see in your inbox. If you use Linux, apply security updates whenever possible, and you'll be safe.
This forum/site is always the right place. Even to ask a question that may not fit in this section, there are friendly mods around that will move the question if appropriate...
By the way, if possible, consider something other than evolution, but...that's a suggestion.

Be well!

Thor
 
1 members found this post helpful.
Old 10-08-2012, 02:42 AM   #3
linuxStudent11
Member
 
Registered: Jun 2007
Posts: 103

Original Poster
Rep: Reputation: 16
LOL!
I just excised this clamav rejected email from my inbox using emacs.
The excision had segfaulted with:
Oct 8 03:08:39 UrsaMajor kernel: [24485.488769] evolution[8841]: segfault at 7f923cdc2fc8 ip 00007f925a606a1a sp 00007f923cdc2fd0 error 6 in libc-2.13.so[7f925a5c0000+18d000]

Then I looked at the Interesting stuff.
(1) It does the old trick of <sexy comment> click on <href="http://www.potoloc1.ru/number> friendly-looking http:/www.youtube.com/watch</a>
so you think you're gonna see a babe on youtube but get hustled at www.nastysite.ru/gotcha .
(2) It has my email address all over it.
(3) X-Virus-Status: Clean (lmao)
(4) The supposed reason that clamav rejected it was
----- Transcript of session follows -----
... while talking to smtp.jerseymail.co.uk.:
>>> RCPT To:<d.gilmore@jerseymail.co.uk>
<<< 553 5.7.1 Exceeded maximum inbound message size
550 5.1.1 <d.gilmore@jerseymail.co.uk>... User unknown
>>> DATA
<<< 503 5.5.1 Bad sequence of commands.

So, I supposedly sent this abortion to some poor guy in the UK and it got bounced back to me.
If I'm reading this right.
Cheers and thanks MUCH for the comment
 
Old 10-08-2012, 02:47 AM   #4
Thor_2.0
Senior Member
 
Registered: Nov 2007
Location: Somewhere on my hard drive...
Distribution: Manjaro
Posts: 2,204
Blog Entries: 23

Rep: Reputation: 279
...hmm, yeah, well, I guess
Quote:
Exceeded maximum inbound message size
"someone" should read his mail some more...however...this

Quote:
It has my email address all over it.
worries me more. This means that either someone is spoofing mail with your address, or you're sending out these mails, which could mean you've got a rootkit...in the latter case, clean your system. Using chkrootkit as a means, to name one, there will be others/better. If so, I invite the gang to help you out...

Now, I am following this thread with more attention...

Thor
 
Old 10-08-2012, 04:04 AM   #5
linuxStudent11
Member
 
Registered: Jun 2007
Posts: 103

Original Poster
Rep: Reputation: 16
There is no MIME/binary in what got bounced.
I have read that anytime there is a segfault, there's an exploit lurking somewhere near, possibly undiscovered as yet.
I got another one just 40 minutes ago while right here at my machine...roughly when I posted the last (above) response.
That one does NOT segfault Evolution.
The "Received: from ..." chain looks spoofed.
It looks very different from the ones that segfault evolution.
 
Old 10-08-2012, 04:16 AM   #6
linuxStudent11
Member
 
Registered: Jun 2007
Posts: 103

Original Poster
Rep: Reputation: 16
Nothing found from chkrootkit except the suspicious files that seem mostly typical. I attached the output.
I had guessed my email address was merely being spoofed.
I changed the password about 8 hours ago.
rkhunter output is similarly benign-looking.
Attached Files
File Type: txt chkrootkit.out.txt (8.9 KB, 0 views)
 
Old 10-08-2012, 04:22 AM   #7
linuxStudent11
Member
 
Registered: Jun 2007
Posts: 103

Original Poster
Rep: Reputation: 16
One more thing...
The named X-EN-OrigIP: 113.160.3.30
is NOT my IP.
also
X-EN-OrigOutIP: 10.1.18.1
looks kinda generic.
So I'm thinking that if *I* had sent this from MY machine, the bounced email would have MY ip on it, right??
Instead, it only has my email address.
Also, my name does not appear.
However,
...you HAVE succeeded in making me worry! lol!
 
Old 10-08-2012, 04:26 AM   #8
Thor_2.0
Senior Member
 
Registered: Nov 2007
Location: Somewhere on my hard drive...
Distribution: Manjaro
Posts: 2,204
Blog Entries: 23

Rep: Reputation: 279
Quote:
I changed the password about 8 hours ago.
Good thinking. Then the threat (if any) will at least not affect this part...
I read that chkrootkit (or rkhunter? don't remember) can give false alerts...
If the segfault does not always originate from evolution, then it could be a lib that needs updating. Software depends on libs on the system (as you know), if there's a fault in one of those, bamm!

I think you're being spoofed, and someone is using your mailaddress to do that...that's out of your hands...
One more thing to check (it's a long shot) is the IP address of the mails...if at all possible. Try to find out your public address and compare that. Chances are they differ...you'll need to look at the message source for that, but, you know this...

Thor
 
1 members found this post helpful.
Old 10-08-2012, 04:28 AM   #9
Thor_2.0
Senior Member
 
Registered: Nov 2007
Location: Somewhere on my hard drive...
Distribution: Manjaro
Posts: 2,204
Blog Entries: 23

Rep: Reputation: 279
Umm, wow, what do they say about great minds? You've beaten me to it...hehe

Yup, you're right, if the IP addresses differ, it's a fake.

You're in the clear....but it was educational.

Thor
Edit

Quote:
you HAVE succeeded in making me worry! lol!
Good, an admin (and anyone owning a PC is one) has to worry, in a healthy manner. Worry is good, it keeps you on your toes...

Last edited by Thor_2.0; 10-08-2012 at 04:29 AM.
 
1 members found this post helpful.
Old 10-08-2012, 04:46 AM   #10
linuxStudent11
Member
 
Registered: Jun 2007
Posts: 103

Original Poster
Rep: Reputation: 16
Also: None of the other dozen Evolution-crashing emails have my ip address anywhere within.
Also: My human name and/or loginID (as on this machine) do not appear.
Also: My email address is transcribed in a way that I've NEVER used. In other words, in normal emails I appear as
"My Human Name" <emailName@ISP.net>
Big however, ALL these email transcriptions have me listed as
"emailName" <emailName@ISP.net>
...i.e. BOTH kinds of bounced failure messages use this same pattern.
This similarity leads me to suspect that TWO different groups are spoofing my email address.

Sorry about the textual diarrhea. I'm just suddenly a bit paranoid.

Also: All the entire MTA chains seem thoroughly spoofed. It DID NOT go through my ISP's MTA.

I guess I'm calming down. This stuff could not have come from me else my ISP would have bounced it back to me right up front.
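The checks Thor suggests in post #8 (compare the message's originating IP with your own public IP) and the ones the poster applies in post #10 (the display-name pattern you never use, a Received chain that never touched your ISP's MTA, an RFC1918 "generic" X-EN-OrigOutIP) can be scripted. The following is an added example using Python's standard `email` module, not code from the thread; the bounce it parses is constructed from documentation-range hosts and addresses, with the X-EN-OrigIP / X-EN-OrigOutIP header names taken from the thread. Treat the result as a consistency check only: the earliest Received hop is written by whoever submitted the message and can be forged, which is exactly the point the poster makes about spoofed MTA chains.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample bounce (not a real message from the thread). Hosts and IPs
# come from documentation ranges; "emailName@ISP.net" stands in for the
# poster's address, as in post #10.
SAMPLE_BOUNCE = """\
Return-Path: <>
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.isp.example for <emailName@ISP.net>; Mon, 8 Oct 2012 03:08:00 -0500
Received: from relay.example.org ([198.51.100.7])
\tby mx.example.net with ESMTP; Mon, 8 Oct 2012 03:07:50 -0500
Received: from [203.0.113.45] (helo=home-pc)
\tby relay.example.org with smtp; Mon, 8 Oct 2012 03:07:40 -0500
From: MAILER-DAEMON@mx.example.net
To: emailName@ISP.net
Subject: Returned mail: see transcript for details
X-EN-OrigIP: 203.0.113.45
X-EN-OrigOutIP: 10.1.18.1

   ----- Transcript of session follows -----
<<< 553 5.7.1 Exceeded maximum inbound message size
... headers of the bounced message follow:
From: "emailName" <emailName@ISP.net>
To: someone@example.co.uk
"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True for private (RFC1918) addresses, which never identify an internet sender."""
    a = ipaddress.ip_address(ip)
    return any(a in net for net in RFC1918)


def received_chain(msg):
    """Bracketed IPs per Received header, top (nearest you) to bottom (origin)."""
    return [IPV4_IN_BRACKETS.findall(h) for h in msg.get_all("Received", [])]


def origin_ips(msg):
    """Candidate originating IPs: the earliest Received hop plus X-EN-OrigIP if set."""
    found = set()
    chain = received_chain(msg)
    if chain and chain[-1]:
        found.add(chain[-1][0])
    if msg.get("X-EN-OrigIP"):
        found.add(msg["X-EN-OrigIP"].strip())
    return sorted(found)


def private_ips(msg):
    """Every RFC1918 address mentioned in the trace headers (e.g. X-EN-OrigOutIP)."""
    ips = [ip for hop in received_chain(msg) for ip in hop]
    for h in ("X-EN-OrigIP", "X-EN-OrigOutIP"):
        if msg.get(h):
            ips.append(msg[h].strip())
    return sorted({ip for ip in ips if is_rfc1918(ip)})


def embedded_from(msg):
    """(display_name, address) of the quoted original From: line in the bounce body."""
    for line in msg.get_payload().splitlines():
        if line.lower().startswith("from:"):
            return parseaddr(line[5:].strip())
    return ("", "")


def check_bounce(raw, my_public_ip, my_isp_mta=None):
    """Triage one bounce against what you know about your own outbound mail."""
    msg = message_from_string(raw)
    origins = origin_ips(msg)
    name, addr = embedded_from(msg)
    local_part = addr.split("@")[0]
    all_received = " ".join(msg.get_all("Received", []))
    result = {
        "origin_ips": origins,
        "origin_matches_my_ip": my_public_ip in origins,
        "private_ips": private_ips(msg),
        # Post #10's observation: the spoofer used "emailName" as display name.
        "display_name_is_bare_localpart": bool(name) and name == local_part,
        "passed_through_my_isp": bool(my_isp_mta) and my_isp_mta in all_received,
    }
    if origins and not result["origin_matches_my_ip"]:
        result["verdict"] = "backscatter: original was not submitted from your IP"
    else:
        result["verdict"] = "inconclusive: check further"
    return result


if __name__ == "__main__":
    for k, v in check_bounce(SAMPLE_BOUNCE, "192.0.2.200", "mail.myisp.example").items():
        print(f"{k}: {v}")
```

Replace "192.0.2.200" with your real public address (what `curl` to an IP-echo service or your router reports) and "mail.myisp.example" with the hostname of the MTA your mail client actually submits through. A bounce whose origin IP is not yours, whose Received chain never mentions your ISP's relay, and whose quoted From uses a display name you never send with is backscatter from a spoofed sender, which is the conclusion this thread reaches; the 90-minute unplugged test in the last post is the non-technical version of the same check.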
 
Old 10-08-2012, 04:50 AM   #11
linuxStudent11
Member
 
Registered: Jun 2007
Posts: 103

Original Poster
Rep: Reputation: 16
Quote:
Originally Posted by Thor_2.0
Umm, wow, what do they say about great minds? You've beaten me to it...hehe

Yup, you're right, if the IP addresses differ, it's a fake.

You're in the clear....but it was educational.
Thor
WHEW!

and still...MANY thanks
 
Old 10-08-2012, 05:13 AM   #12
Thor_2.0
Senior Member
 
Registered: Nov 2007
Location: Somewhere on my hard drive...
Distribution: Manjaro
Posts: 2,204
Blog Entries: 23

Rep: Reputation: 279
Quote:
and still...MANY thanks
Hey, that's what we're here for! I for one enjoyed this.

See ya!

Thor
 
Old 10-10-2012, 11:04 AM   #13
linuxStudent11
Member
 
Registered: Jun 2007
Posts: 103

Original Poster
Rep: Reputation: 16
I made one final test just to satisfy myself beyond any doubt.

There were many bounced messages this morning. So I suspended my computer and unplugged my network cable. I powered it back up just to use it for work, but without any internet connectivity. I left it that way for ~90 minutes.

Then I re-suspended it and re-attached my network cable....and powered it back up.
While my computer was disconnected from the internet, there were SEVEN messages purportedly sent and bounced back to my computer, roughly one every 18 minutes.

Thus, it wasn't my computer!

This is what Thor and I had already decided.

Cheers, to all you who might have a species of this same problem.
 
Tags
clamav, evolution, spoofing
All times are GMT -5.