Linux - Security
Firstly, apologies if this is in the wrong thread.
I've been getting a lot of spam through as of late and thought I'd have a look at some headers, and something is bugging me with this one which I thought someone could help with.
The mail header:
Code:
From durbanyur770@google.com Mon Oct 7 10:15:05 2013
Return-Path: <durbanyur770@google.com>
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on myserver.mydomain.com
X-Spam-Level: *
X-Spam-Status: No, score=1.8 required=2.8 tests=BAYES_50,RDNS_DYNAMIC
    autolearn=no version=3.3.2
Received: from telemedia-smb-163.14.182.122.airtelbroadband.in (telemedia-smb-163.14.182.122.airtelbroadband.in [122.182.14.163] (may be forged))
    by myserver.mydomain.com (8.13.7/8.12.10) with ESMTP id r979F33F016740
    for <myemail@mydomain.co.uk>; Mon, 7 Oct 2013 10:15:04 +0100
Received: from apache by tchuldulfulgulfaecg.wonderware.com with local (Exim 4.63)
    (envelope-from <<myemail@mydomain.co.uk>>)
    id Q31H61-FXN4EK-7G
    for <myemail@mydomain.co.uk>; Mon, 7 Oct 2013 14:40:31 +0530
To: <myemail@mydomain.co.uk>
Subject: Employment you've been searching!
Date: Mon, 7 Oct 2013 14:40:31 +0530
From: <myemail@mydomain.co.uk>
Message-ID: <76F08720F6A7A52A737C81AD3C5BDDBE@tchuldulfulgulfaecg.surewest.com>
X-Priority: 3
X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="Windows-1252"
Status: RO
I've changed my server and email address.
The part that confuses me is that there are two "Received: from" lines. The first one, I get, or at least assume, is where the mail has hopped from or came from before hitting my box; the second one, "Received: from apache", I don't understand.
Could someone help me understand more what these lines and entries mean?
It is only a name, probably a user login name where the smtp server is running, because mail can also be transferred on a local machine between applications. Anyway, nearly everything in a mail header can be faked; you can only trust headers added by your trusted mail servers. For example, if "myserver.mydomain.com" is your mail server then IP=122.182.14.163 is true. I don't know why "may be forged" is here; maybe it only applies to the domain name. Assuming that these headers are not false, then "PHPMailer" and "apache" mean that this mail was sent by some unprotected web form, or by a user who has a web account there, or by a hacker who gained access to some web user account.
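The reading rule in the reply above (walk the Received: lines from the top, and trust a hop only while the host that wrote it is your own server) as a small Python script. This is an added example, not code from the thread; the header text is the one posted above with its continuation lines re-indented, and "myserver.mydomain.com" is assumed to be the reader's own mail server.

```python
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# Sample: the header posted in the thread, continuation lines re-indented so the parser folds them.
RAW_HEADERS = """\
Return-Path: <durbanyur770@google.com>
Received: from telemedia-smb-163.14.182.122.airtelbroadband.in (telemedia-smb-163.14.182.122.airtelbroadband.in [122.182.14.163] (may be forged))
\tby myserver.mydomain.com (8.13.7/8.12.10) with ESMTP id r979F33F016740
\tfor <myemail@mydomain.co.uk>; Mon, 7 Oct 2013 10:15:04 +0100
Received: from apache by tchuldulfulgulfaecg.wonderware.com with local (Exim 4.63)
\t(envelope-from <<myemail@mydomain.co.uk>>)
\tid Q31H61-FXN4EK-7G
\tfor <myemail@mydomain.co.uk>; Mon, 7 Oct 2013 14:40:31 +0530
From: <myemail@mydomain.co.uk>
"""

HOP_RE = re.compile(r"\bfrom\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_hop(received):
    """Claimed sender, recording host and literal IP from one Received header."""
    text = " ".join(received.split())  # unfold
    m, ip = HOP_RE.search(text), IP_RE.search(text)
    return {"from": m["from"] if m else None,
            "by": m["by"] if m else None,
            "ip": ip.group(1) if ip else None,
            "may_be_forged": "may be forged" in text,  # rDNS mismatch noted by the MTA
            "trusted": False}

def analyse(raw, trusted_hosts):
    """Read Received headers top-down (newest hop first) and trust a hop only while
    the host that wrote it is ours; all hops below the first foreign one were
    supplied by the sender and may be invented."""
    hops = [parse_hop(r) for r in HeaderParser().parsestr(raw).get_all("Received", [])]
    for hop in hops:
        if hop["by"] not in trusted_hosts:
            break
        hop["trusted"] = True
    return hops

def origin_ip(hops):
    """IP recorded by the last trusted hop: the peer that really connected to us."""
    trusted = [h for h in hops if h["trusted"]]
    return trusted[-1]["ip"] if trusted else None

def sender_mismatch(raw):
    """True when the envelope sender (Return-Path) and the From: header disagree."""
    msg = HeaderParser().parsestr(raw)
    return parseaddr(msg["Return-Path"])[1] != parseaddr(msg["From"])[1]
```

Run with `analyse(RAW_HEADERS, {"myserver.mydomain.com"})`: the airtelbroadband hop is trusted (our server recorded 122.182.14.163), the "from apache" hop is not, and Return-Path and From: name different senders.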
I don't know whether this will help, but, for what it's worth.
Wonderware.com is legit, but I have my doubts about the supposed subdomain, "tchuldulfulgulfaecg.wonderware.com."
It is difficult to spoof headers, but other kinds of shenanigans might be involved, such as botnets, relays (do they still make those?), and the like.
dig turns up nothing on tchuldulfulgulfaecg.wonderware.com.
Code:
$ whois wonderware.com
Whois Server Version 2.0
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: WONDERWARE.COM
Registrar: CSC CORPORATE DOMAINS, INC.
Whois Server: whois.corporatedomains.com
Referral URL: http://www.cscglobal.com
Name Server: NS1.INVS.NET
Name Server: NS2.INVS.NET
Name Server: NS3.INVS.NET
Status: clientTransferProhibited
Updated Date: 04-oct-2012
Creation Date: 18-nov-1993
Expiration Date: 17-nov-2014
>>> Last update of whois database: Wed, 09 Oct 2013 02:12:39 UTC <<<
(snip a bunch of gobbledygook about not much of anything)
Registrant:
Invensys Systems, Inc.
Domain Administrator
33 Commercial Street
Foxboro, MA 02035
US
Email: domain.registrar@invensys.com
Registrar Name....: CORPORATE DOMAINS, INC.
Registrar Whois...: whois.corporatedomains.com
Registrar Homepage: www.cscprotectsbrands.com
Domain Name: wonderware.com
Created on..............: Thu, Nov 18, 1993
Expires on..............: Mon, Nov 17, 2014
Record last updated on..: Thu, Oct 04, 2012
Administrative,Technical Contact:
Invensys Systems, Inc.
Domain Administrator
33 Commercial Street
Foxboro, MA 02035
US
Phone: +1.5085493706
Email: domain.registrar@invensys.com
DNS Servers:
ns2.invs.net
ns1.invs.net
ns3.invs.net
Register your domain name at http://www.cscglobal.com