
Re: [cobalt-security] spoofed spam slipping through pop before relay?



David,

Read this page (http://www.solarspeed.net/kb/659.php) and pay attention to
the mention of Formmail.pl.  I think this may solve your problem, it did it
for me.

-Rashid
----- Original Message -----
From: "David Black" <DavidBlack@xxxxxxxxxxxxxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: Tuesday, February 25, 2003 2:38 PM
Subject: [cobalt-security] spoofed spam slipping through pop before relay?


> I think someone is relaying spam through our servers, by spoofing
> their originating IP, so the spam appears to come from one of my
> legitimate hosting customers' home IP addresses.
>
> I've noticed a repeating pattern of short bursts, similar to the events
> listed below... which seem to last from 2 - 5 minutes each. Since my
> up-to-date RaQ4 includes pop-before-relay (with a 5 minute window),
> I'm wondering if the spoofer is randomly catching my customer's
> relay window, then exploiting it, by spoofing my customer's IP. (?)
>
> I'd be very grateful if anyone with relevant expertise or experience
> would share some information with me (and the rest of the list).
> Thank you all very much, for your valuable time and knowledge.
> I'd be lost without you :·)
>
> Sincerely,
> --
> David Black
> Houston, TX
>
> suspicious maillog events follow...
>
> Feb 25 14:03:11 www sendmail[18401]: h1PK3Ab18401:
> from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA,
> relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]
>
>
>  ('size=0' repeats 77 times between 14:03:11 and 14:04:09)
>
>
> Feb 25 14:04:09 www sendmail[18874]: h1PK48b18874:
> from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA,
> relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]
>
> Feb 25 14:04:14 www sendmail[18876]: h1PK4Db18876:
> from=<>, size=2649, class=0, nrcpts=1,
> msgid=<200302251503.HTW7030@xxxxxxxxxxx>,
> proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]
>
> Feb 25 14:04:14 www sendmail[18879]: h1PK4Eb18879:
> from=<>, size=2571, class=0, nrcpts=1,
> msgid=<200302251503.XQZ4704@xxxxxxxxxxx>,
> proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]
>
> Feb 25 14:04:15 www sendmail[18882]: h1PK4Fb18882:
> from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA,
> relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]
>
> Feb 25 14:04:15 www sendmail[18883]: h1PK4Fb18883:
> from=<>, size=2901, class=0, nrcpts=1,
> msgid=<200302251503.VWE11193@xxxxxxxxxxx>,
> proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]
>
>
>  (119 lines - snipped - similar pattern: 1 or 2 'size=0', then 1 or 2
> successful relays)
>
>
> Feb 25 14:05:13 www sendmail[19525]: h1PK5Cb19525:
> from=<>, size=2842, class=0, nrcpts=1,
> msgid=<200302251503.QRH781@xxxxxxxxxxx>,
> proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]
>
>
>  (108 more successful relays - snipped - )
>
>
> Feb 25 14:06:47 www sendmail[20347]: h1PK6lb20347:
> from=<>, size=2790, class=0, nrcpts=1,
> msgid=<200302251503.RVA7016@xxxxxxxxxxxx>,
> proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]
>
> (this (above) was the last related event, for several hours)
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>
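Editor's added example, not code from either message above: a short Python script that parses sendmail "from=" records of the shape quoted in David's maillog and reports, per connecting address, bursts of null-sender (from=<>) submissions spaced closer than the 5-minute pop-before-relay window he mentions, counting the empty size=0 probes separately from the messages that were actually accepted. The log lines embedded in it are constructed to mimic the quoted pattern, with invented hostnames, addresses and queue IDs; the year is assumed because syslog timestamps carry none. One check worth keeping in mind when reading the output: the address in sendmail's relay= field is the TCP peer that completed the SMTP session, so a burst like this identifies the host actually talking to the MTA, which is where to look for the source (the reply above points at Formmail.pl).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Syslog lines carry no year; assume the year of the thread (2003) so that
# timestamps can be subtracted. This is an assumption, not something the log states.
ASSUMED_YEAR = 2003

# Matches the sendmail "from=" envelope record shown in the post. Fields that are
# absent on the empty probe lines (msgid=) are skipped by the non-greedy ".*?".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: "
    r"(?P<qid>\w+): from=<(?P<sender>[^>]*)>, size=(?P<size>\d+), "
    r".*?relay=(?P<relay>\S+) \[(?P<ip>[^\]]+)\]"
)

# Constructed sample lines modelled on the pattern in the post, not the real log
# (hostnames, addresses and queue IDs are invented).
SAMPLE_LOG = """\
Feb 25 14:03:11 www sendmail[18401]: h1PK3Ab18401: from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=adsl-1-2-3-4.dsl.example.net [10.1.2.3]
Feb 25 14:03:12 www sendmail[18402]: h1PK3Bb18402: from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=adsl-1-2-3-4.dsl.example.net [10.1.2.3]
Feb 25 14:04:14 www sendmail[18876]: h1PK4Db18876: from=<>, size=2649, class=0, nrcpts=1, msgid=<200302251503.HTW7030@example.com>, proto=SMTP, daemon=MTA, relay=adsl-1-2-3-4.dsl.example.net [10.1.2.3]
Feb 25 14:04:15 www sendmail[18883]: h1PK4Fb18883: from=<>, size=2901, class=0, nrcpts=1, msgid=<200302251503.VWE11193@example.com>, proto=SMTP, daemon=MTA, relay=adsl-1-2-3-4.dsl.example.net [10.1.2.3]
Feb 25 14:30:00 www sendmail[19000]: h1PKU0b19000: from=<alice@example.org>, size=812, class=0, nrcpts=1, msgid=<200302252030.A1@example.org>, proto=ESMTP, daemon=MTA, relay=mail.example.org [10.9.9.9]
Feb 25 14:31:00 www sendmail[19001]: h1PKV0b19001: from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=mail.example.org [10.9.9.9]
"""


def parse_log(text):
    """Return one dict per envelope record; lines that are not 'from=' records are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse "Feb  5" to "Feb 5" for strptime
        records.append({
            "ts": datetime.strptime(f"{ASSUMED_YEAR} {stamp}", "%Y %b %d %H:%M:%S"),
            "qid": m["qid"],
            "sender": m["sender"],
            "size": int(m["size"]),
            "relay": m["relay"],
            "ip": m["ip"],
        })
    return records


def find_bursts(records, max_gap=timedelta(minutes=5), min_count=3):
    """Cluster null-sender (from=<>) submissions per connecting IP.

    Consecutive records from one IP spaced no more than max_gap apart form a
    burst; bursts of at least min_count messages are reported, together with
    how many were empty size=0 probes and how many carried a real message."""
    by_ip = defaultdict(list)
    for r in records:
        if r["sender"] == "":
            by_ip[r["ip"]].append(r)

    bursts = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        cluster = [recs[0]]
        for r in recs[1:]:
            if r["ts"] - cluster[-1]["ts"] <= max_gap:
                cluster.append(r)
            else:
                if len(cluster) >= min_count:
                    bursts.append(_summarise(ip, cluster))
                cluster = [r]
        if len(cluster) >= min_count:
            bursts.append(_summarise(ip, cluster))
    return bursts


def _summarise(ip, cluster):
    return {
        "ip": ip,
        "relay": cluster[0]["relay"],
        "start": cluster[0]["ts"],
        "end": cluster[-1]["ts"],
        "count": len(cluster),
        "probes": sum(1 for r in cluster if r["size"] == 0),
        "delivered": sum(1 for r in cluster if r["size"] > 0),
    }


if __name__ == "__main__":
    for b in find_bursts(parse_log(SAMPLE_LOG)):
        seconds = int((b["end"] - b["start"]).total_seconds())
        print(f"{b['ip']} ({b['relay']}): {b['count']} null-sender messages in "
              f"{seconds}s, {b['probes']} empty probes, {b['delivered']} delivered")
```

On a RaQ the same parser can be pointed at /var/log/maillog (feed the file contents to parse_log); the thresholds are deliberately parameters, since a legitimate mail server also sends occasional null-sender bounces and a single one from a customer's address is not evidence of anything.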