
[cobalt-security] spoofed spam slipping through pop before relay?



I think someone is relaying spam through our servers, by spoofing
their originating IP, so the spam appears to come from one of my
legitimate hosting customers' home IP addresses.

I've noticed a repeating pattern of short bursts, similar to the events
listed below... which seem to last from 2 - 5 minutes each. Since my
up-to-date RaQ4 includes pop-before-relay (with a 5 minute window),
I'm wondering if the spoofer is randomly catching my customer's
relay window, then exploiting it, by spoofing my customer's IP. (?)

I'd be very grateful if anyone with relevant expertise or experience
would share some information with me (and the rest of the list).
Thank you all very much, for your valuable time and knowledge.
I'd be lost without you :·)

Sincerely,
--
David Black
Houston, TX

suspicious maillog events follow...

Feb 25 14:03:11 www sendmail[18401]: h1PK3Ab18401:
from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA,
relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]


 ('size=0' repeats 77 times between 14:03:11 and 14:04:09)


Feb 25 14:04:09 www sendmail[18874]: h1PK48b18874:
from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA,
relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]

Feb 25 14:04:14 www sendmail[18876]: h1PK4Db18876:
from=<>, size=2649, class=0, nrcpts=1,
msgid=<200302251503.HTW7030@xxxxxxxxxxx>,
proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]

Feb 25 14:04:14 www sendmail[18879]: h1PK4Eb18879:
from=<>, size=2571, class=0, nrcpts=1,
msgid=<200302251503.XQZ4704@xxxxxxxxxxx>,
proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]

Feb 25 14:04:15 www sendmail[18882]: h1PK4Fb18882:
from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA,
relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]

Feb 25 14:04:15 www sendmail[18883]: h1PK4Fb18883:
from=<>, size=2901, class=0, nrcpts=1,
msgid=<200302251503.VWE11193@xxxxxxxxxxx>,
proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]


 (119 lines - snipped - similar pattern: 1 or 2 'size=0', then 1 or 2
successful relays)


Feb 25 14:05:13 www sendmail[19525]: h1PK5Cb19525:
from=<>, size=2842, class=0, nrcpts=1,
msgid=<200302251503.QRH781@xxxxxxxxxxx>,
proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]


 (108 more successful relays - snipped - )


Feb 25 14:06:47 www sendmail[20347]: h1PK6lb20347:
from=<>, size=2790, class=0, nrcpts=1,
msgid=<200302251503.RVA7016@xxxxxxxxxxxx>,
proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]

(this (above) was the last related event, for several hours)
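A way to pull the burst pattern above out of a sendmail maillog automatically, added here as an example and not part of the original post or of the RaQ4's own tooling. It groups the "from=" envelope lines by the address in the relay field, slides a window the length of the pop-before-relay grace period (the 5 minutes the post mentions; an assumption for other setups) over each address's activity, and flags windows with a run of null-sender "size=0" entries followed by accepted (size > 0) messages. The sample log lines are constructed in the shape of the post's entries, with RFC 5737 documentation addresses in place of the masked ones; the year is assumed to be 2003 from the Message-IDs, and the min_probes threshold is a tuning choice, not a value from the post.

```python
"""Flag bursts of null-sender 'size=0' sendmail entries followed by accepted
relays from the same source address (the pattern described in the post)."""

import re
from collections import defaultdict
from datetime import datetime, timedelta

# One sendmail 'from=' envelope line per maillog entry (the post's copies are
# wrapped for mail; a real /var/log/maillog keeps each entry on one line).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: "
    r"(?P<qid>\w+): from=<(?P<sender>[^>]*)>, size=(?P<size>\d+),.*?"
    r"relay=(?P<relay>\S+) \[(?P<ip>[\d.]+)\]$"
)


def parse_maillog(lines, year=2003):
    """Return parsed envelope records; other lines ('to=' etc.) are skipped.
    sendmail logs no year, so one is assumed purely for ordering (2003 matches
    the Message-IDs quoted in the post)."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        records.append({
            "time": when,
            "qid": m["qid"],
            "ip": m["ip"],
            "relay": m["relay"],
            "size": int(m["size"]),
            "null_sender": m["sender"] == "",
        })
    return records


def find_probe_bursts(records, window=timedelta(minutes=5), min_probes=5):
    """Per source address, slide a window of the pop-before-relay grace period
    (assumed 5 minutes, as in the post) and flag windows holding at least
    min_probes null-sender size=0 entries plus at least one accepted message.
    Returns {ip: finding} for flagged sources only."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        best, start = None, 0
        for end in range(len(recs)):
            while recs[end]["time"] - recs[start]["time"] > window:
                start += 1
            span = recs[start:end + 1]
            probes = sum(1 for r in span if r["size"] == 0 and r["null_sender"])
            accepted = sum(1 for r in span if r["size"] > 0)
            if probes >= min_probes and accepted >= 1:
                if best is None or probes + accepted > best["probes"] + best["accepted"]:
                    best = {"relay": span[0]["relay"], "first": span[0]["time"],
                            "last": span[-1]["time"], "probes": probes,
                            "accepted": accepted}
        if best:
            findings[ip] = best
    return findings


def report(findings):
    """One summary line per flagged source, suitable for a cron mail."""
    return [
        f"{ip} ({f['relay']}): {f['probes']} null-sender size=0 entries and "
        f"{f['accepted']} accepted messages between "
        f"{f['first']:%b %d %H:%M:%S} and {f['last']:%H:%M:%S}"
        for ip, f in sorted(findings.items())
    ]


# Constructed sample in the shape of the post's entries (addresses are
# RFC 5737 documentation ranges, not the poster's customer).
SAMPLE_LOG = [
    "Feb 25 14:03:11 www sendmail[18401]: h1PK3Ab18401: from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=adsl-customer.dsl.example.net [192.0.2.10]",
    "Feb 25 14:03:12 www sendmail[18402]: h1PK3Cb18402: from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=adsl-customer.dsl.example.net [192.0.2.10]",
    "Feb 25 14:03:20 www sendmail[18410]: h1PK3Kb18410: from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=adsl-customer.dsl.example.net [192.0.2.10]",
    "Feb 25 14:03:41 www sendmail[18430]: h1PK3fb18430: from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=adsl-customer.dsl.example.net [192.0.2.10]",
    "Feb 25 14:04:09 www sendmail[18874]: h1PK48b18874: from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=adsl-customer.dsl.example.net [192.0.2.10]",
    "Feb 25 14:04:14 www sendmail[18876]: h1PK4Db18876: from=<>, size=2649, class=0, nrcpts=1, msgid=<200302251503.HTW7030@example.invalid>, proto=SMTP, daemon=MTA, relay=adsl-customer.dsl.example.net [192.0.2.10]",
    "Feb 25 14:04:14 www sendmail[18876]: h1PK4Db18876: to=<victim@example.org>, delay=00:00:01, mailer=esmtp, stat=Sent",
    "Feb 25 14:04:15 www sendmail[18882]: h1PK4Fb18882: from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=adsl-customer.dsl.example.net [192.0.2.10]",
    "Feb 25 14:04:15 www sendmail[18883]: h1PK4Fb18883: from=<>, size=2901, class=0, nrcpts=1, msgid=<200302251503.VWE11193@example.invalid>, proto=SMTP, daemon=MTA, relay=adsl-customer.dsl.example.net [192.0.2.10]",
    # A normal submission from another customer: one message, no size=0 run.
    "Feb 25 14:05:02 www sendmail[19001]: h1PK52b19001: from=<alice@example.com>, size=1480, class=0, nrcpts=1, msgid=<abc@example.com>, proto=ESMTP, daemon=MTA, relay=host2.example.net [198.51.100.5]",
]

if __name__ == "__main__":
    for line in report(find_probe_bursts(parse_maillog(SAMPLE_LOG))):
        print(line)
```

Run it against a copy of /var/log/maillog by replacing SAMPLE_LOG with the file's lines; the window and min_probes values should be tuned to the server's actual pop-before-relay grace period and normal traffic. The script keys everything on the address sendmail recorded in the relay field, which is the peer of the TCP connection it accepted, so a completed session with a message transferred is attributed to the host that actually completed that handshake; that address, and whatever is behind it, is where to look first.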