LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 04-15-2013, 04:39 AM   #1
Mikro
Someone is phishing using my domain name


Hi, I received today a spam message apparently sent from a nonexistent account on my virtual server.

The email was sent to some real and some random addresses, all of them belonging to my domain. I've checked a bit (logs, access ...) and there are no clear signs of intrusion (but I am no security expert).

I've edited the personal data. server.vhost.interdominios.com is my vserver and server.es the domain name. The apparent sender is pablo@server.es (nonexistent). The email was sent to my mail group, group@server.es, which points to info@server.es and is redirected to my gmail account at XXXX@gmail.com. That is how I arranged it, so it is perfectly normal.

Partial message header:

Code:
Delivered-To: XXXX@gmail.com
Received: by 10.205.68.3 with SMTP id xw3csp55484bkb;
        Sun, 14 Apr 2013 15:05:27 -0700 (PDT)
X-Received: by 10.194.103.72 with SMTP id fu8mr28247392wjb.42.1365977127748;
        Sun, 14 Apr 2013 15:05:27 -0700 (PDT)
Return-Path: <gentleab91@google.com>
Received: from server.vhost.interdominios.com ([89.248.100.21])
        by mx.google.com with ESMTPS id a4si2230151wic.64.2013.04.14.15.05.27
        (version=TLSv1 cipher=RC4-SHA bits=128/128);
        Sun, 14 Apr 2013 15:05:27 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning gentleab91@google.com does not designate 89.248.100.21 as permitted sender) client-ip=89.248.100.21;
Authentication-Results: mx.google.com;
       spf=softfail (google.com: domain of transitioning gentleab91@google.com does not designate 89.248.100.21 as permitted sender) smtp.mail=gentleab91@google.com
Received: from server.vhost.interdominios.com (localhost.localdomain [127.0.0.1])
	by server.vhost.interdominios.com (Postfix) with ESMTP id 0125023400B9
	for <XXXX@gmail.com>; Sun, 14 Apr 2013 23:52:43 +0200 (CEST)
Received: by server.vhost.interdominios.com (Postfix, from userid 110)
	id E94782340148; Sun, 14 Apr 2013 23:52:42 +0200 (CEST)
X-Original-To: info@server.es
Delivered-To: info@server.es
Received: from server.vhost.interdominios.com (localhost.localdomain [127.0.0.1])
	by server.vhost.interdominios.com (Postfix) with ESMTP id D392A6080A6
	for <info@server.es>; Sun, 14 Apr 2013 23:52:42 +0200 (CEST)
Received: by server.vhost.interdominios.com (Postfix, from userid 110)
	id BE8C56080A5; Sun, 14 Apr 2013 23:52:42 +0200 (CEST)
X-Original-To: group@server.es
Delivered-To: group@server.es
Received: from server.vhost.interdominios.com (localhost.localdomain [127.0.0.1])
	by server.vhost.interdominios.com (Postfix) with ESMTP id 3C5CB23400B9
	for <group@server.es>; Sun, 14 Apr 2013 23:52:42 +0200 (CEST)
Received: from pc-82-137-44-190.cm.vtr.net (pc-82-137-44-190.cm.vtr.net [190.44.137.82])
	by server.vhost.interdominios.com (Postfix) with ESMTP
	for <group@server.es>; Sun, 14 Apr 2013 23:52:42 +0200 (CEST)
Received: from [221.197.51.196] (account expostulationx8@google.com HELO kwyqzwvysh.pnvqsitm.tv)
	by pc-82-137-44-190.cm.vtr.net (CommuniGate Pro SMTP 5.2.3)
	with ESMTPA id 853941885 for pablo@server.es; Sun, 14 Apr 2013 19:05:24 -0300
Date: Sun, 14 Apr 2013 19:05:24 -0300
From: <pablo@server.es>
Cc: <proair@server.es>,
	<admin@server.es>,
	<abernardos@server.es>,
	<arancha@server.es>,
	<jose@server.es>,
	<jairo@server.es>,

X-Mailer: The Bat! (v2.00.0) Educational
X-Priority: 3 (Normal)
Message-ID: <7137911244.NEG05YX0597699@rdtpooyzf.fmpmjje.net>
To: <pablo@server.es>

...
As I understand, the message was faked to look like it had been sent from my server, but the original address is (somehow, probably faked too) expostulationx8@google.com and the "reply address" is gentleab91@google.com

Is this so?

I know it is not very difficult to tailor an email, but is it SOOO easy that you can fake any domain name you want? Or has my server been seriously hacked into?

How can I stop this?

Thanks a lot!

Dån
 
Old 04-15-2013, 05:46 AM   #2
linosaurusroot
Quote:
Received: from pc-82-137-44-190.cm.vtr.net (pc-82-137-44-190.cm.vtr.net [190.44.137.82])
by server.vhost.interdominios.com (Postfix) with ESMTP
for <group@server.es>; Sun, 14 Apr 2013 23:52:42 +0200 (CEST)
Received: from [221.197.51.196] (account expostulationx8@google.com HELO kwyqzwvysh.pnvqsitm.tv)
by pc-82-137-44-190.cm.vtr.net (CommuniGate Pro SMTP 5.2.3)
with ESMTPA id 853941885 for pablo@server.es; Sun, 14 Apr 2013 19:05:24 -0300
Traffic that claims to come from you but actually arrives from elsewhere is a good candidate for deleting.

Also if they are guessing multiple names that don't exist at your server that suggests spam.
Quote:
From: <pablo@server.es>
Cc: <proair@server.es>,
<admin@server.es>,
<abernardos@server.es>,
<arancha@server.es>,
<jose@server.es>,
<jairo@server.es>,
 
Old 04-15-2013, 11:29 AM   #3
Habitual
221.197.51.196 / www196.asd.tj.cn.
 
Old 04-15-2013, 12:53 PM   #4
sundialsvcs
I get messages from "god@heaven.com" all the time ... (Ahh, good ol' Ray Stevens ... "Phone Call From God.")
 
Old 04-15-2013, 06:46 PM   #5
PTrenholme
If you're really concerned about this, ask the moderators to move your thread to the security sub-forum, or just go there and read the various threads about "how to secure ..."
 
Old 04-15-2013, 07:33 PM   #6
Mikro
Quote:
Originally Posted by PTrenholme View Post
If you're really concerned about this, ask the moderators to move your thread to the security sub-forum, or just go there and read the various threads about "how to secure ..."
Thanks. Will do that.

Dån
 
Old 04-21-2013, 05:01 PM   #7
unSpawn
Quote:
Originally Posted by Mikro View Post
I know it is not very difficult to tailor an email, but is it SOOO easy that you can fake any domain name you want?
As you have experienced, yes.


Quote:
Originally Posted by Mikro View Post
Or has my server been seriously hacked into?
If you think your vserver has been compromised you can investigate. Even if it isn't it should be a good exercise should you ever need it for real.


Quote:
Originally Posted by Mikro View Post
How can I stop this?
If you run one, decide if you need to run a (publicly accessible?) MTA, review the standard Postfix documentation, RBL configuration and add greylisting.
 
Old 04-21-2013, 05:18 PM   #8
Mikro
Thank you, unSpawn. The spamming storm has passed.

Quote:
Originally Posted by unSpawn View Post
If you think your vserver has been compromised you can investigate. Even if it isn't it should be a good exercise should you ever need it for real.
I will run some more security checks on the server to sharpen my skills, but looks like everything is in order.

Thanks for your time


Dån
 
Old 04-21-2013, 05:45 PM   #9
unSpawn
Quote:
Originally Posted by Mikro View Post
The spamming storm has passed.
As in famous last words? ;-p


Quote:
Originally Posted by Mikro View Post
I will run some more security checks on the server to sharpen my skills, but looks like everything is in order.
Sharpening skills definitely is cool but I'd rather see you review your Postfix, RBL and greylisting configuration first.
 
Old 04-22-2013, 08:14 AM   #10
Noway2
Look at the email headers. In particular notice this one:
Quote:
Received: from pc-82-137-44-190.cm.vtr.net (pc-82-137-44-190.cm.vtr.net [190.44.137.82])
by server.vhost.interdominios.com (Postfix) with ESMTP
for <group@server.es>; Sun, 14 Apr 2013 23:52:42 +0200 (CEST)
Your machine, server.vhost.interdominios.com, received the message from 190.44.137.82. This IP address is a known spam source. It is currently listed by Sorbs, CASA-CBL, and others. You can have Postfix automatically check these lists and reject the message if it is listed, which this message should have been.
 
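Added example (editor's code, not posted by anyone in this thread): a Python script that does by hand what linosaurusroot and Noway2 do by eye on the headers in post #1. It walks the Received: chain from the top, finds the hop where the OP's own Postfix (server.vhost.interdominios.com) accepted the message from an address outside the box, treats every Received: line below that hop as untrusted, compares the header From: domain with where the mail really entered, and builds the DNSBL query names that Postfix's reject_rbl_client would resolve for the handing-off IP. The header text is an abridged copy of the one posted (Gmail-internal and Postfix local-delivery hops dropped); OUR_HOST, OUR_DOMAIN, DNSBL_ZONES and all function names are this example's own, and the two zone names are assumed for illustration (the thread mentions Sorbs and CASA-CBL instead). No network lookup is performed.

```python
"""Trace a Received: chain and build the DNSBL lookups Postfix would do.

Added example, not code from the thread. Headers below are an abridged
copy of the ones posted (addresses as posted); no DNS query is made.
"""
import ipaddress
import re
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

# Abridged copy of the posted headers (constructed test input for this script).
RAW_HEADERS = """\
Return-Path: <gentleab91@google.com>
Received: from server.vhost.interdominios.com ([89.248.100.21])
        by mx.google.com with ESMTPS id a4si2230151wic.64.2013.04.14.15.05.27
        (version=TLSv1 cipher=RC4-SHA bits=128/128);
        Sun, 14 Apr 2013 15:05:27 -0700 (PDT)
Received: from server.vhost.interdominios.com (localhost.localdomain [127.0.0.1])
\tby server.vhost.interdominios.com (Postfix) with ESMTP id 3C5CB23400B9
\tfor <group@server.es>; Sun, 14 Apr 2013 23:52:42 +0200 (CEST)
Received: from pc-82-137-44-190.cm.vtr.net (pc-82-137-44-190.cm.vtr.net [190.44.137.82])
\tby server.vhost.interdominios.com (Postfix) with ESMTP
\tfor <group@server.es>; Sun, 14 Apr 2013 23:52:42 +0200 (CEST)
Received: from [221.197.51.196] (account expostulationx8@google.com HELO kwyqzwvysh.pnvqsitm.tv)
\tby pc-82-137-44-190.cm.vtr.net (CommuniGate Pro SMTP 5.2.3)
\twith ESMTPA id 853941885 for pablo@server.es; Sun, 14 Apr 2013 19:05:24 -0300
From: <pablo@server.es>
To: <pablo@server.es>

"""

OUR_HOST = "server.vhost.interdominios.com"   # the MTA we trust (the OP's vserver)
OUR_DOMAIN = "server.es"
# Assumed zones for illustration; reject_rbl_client accepts any DNSBL zone.
DNSBL_ZONES = ("zen.spamhaus.org", "bl.spamcop.net")

HOP_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s*(?:\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


@dataclass
class Hop:
    helo: str           # name the client announced (or the MTA wrote for it)
    ip: Optional[str]   # connecting address as recorded by the receiving MTA
    by: str             # MTA that wrote this Received: line


def parse_hops(msg) -> List[Hop]:
    """Received: lines, newest (top of header) first, unfolded and parsed."""
    hops = []
    for raw in msg.get_all("Received", []):
        text = " ".join(str(raw).split())          # unfold continuation lines
        m = HOP_RE.match(text)
        if not m:                                  # e.g. "by 10.x with SMTP" lines
            continue
        ipm = IPV4_RE.search(text[: m.end("by")])  # bracketed IP before "by"
        hops.append(Hop(m["helo"], ipm.group(1) if ipm else None, m["by"]))
    return hops


def entry_hop(hops: List[Hop]) -> Optional[Hop]:
    """First hop (from the top) where OUR_HOST accepted the mail from outside.
    Lines below it were written by machines we do not control: treat as claims."""
    for hop in hops:
        if hop.by.lower() != OUR_HOST or hop.ip is None:
            continue
        if ipaddress.ip_address(hop.ip).is_loopback:
            continue                               # Postfix re-injecting after alias expansion
        return hop
    return None


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Name Postfix's reject_rbl_client looks up: reversed octets + zone."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def analyse(raw: str) -> dict:
    msg = message_from_string(raw)
    hops = parse_hops(msg)
    entry = entry_hop(hops)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()
    return {
        "entry_ip": entry.ip if entry else None,
        "entry_helo": entry.helo if entry else None,
        "from_domain": from_domain,
        "envelope_sender": envelope,
        # Heuristic: From: claims our domain but the mail came in from outside.
        # Legitimate only for SASL-authenticated clients or hosts in mynetworks.
        "spoofed_from": from_domain == OUR_DOMAIN and entry is not None,
        "dnsbl_queries": [dnsbl_query_name(entry.ip, z) for z in DNSBL_ZONES] if entry else [],
        "untrusted_hops": len(hops) - hops.index(entry) - 1 if entry else 0,
    }


if __name__ == "__main__":
    for key, value in analyse(RAW_HEADERS).items():
        print(f"{key}: {value}")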
  

