Required Linux email help on spam mail
vaishalichitale
post Jun 19 2006, 12:19 AM
Post #1
Group: Members
Posts: 3
Joined: 19-June 06
Member No.: 6,570

Please find below the header of a mail which I have received from a fake user. The email ID used is Hoy@Kbl.co.in.

How can anybody use our domain to create an email ID without our notice? As this mail comes from a trusted source, i.e. KBL.co.in, it does not get restricted by any spam rule.

I am using Linux email, i.e. sendmail, Washington IMAP/POP3, and MailScanner software for spam control.

Can anybody suggest me a solution for this problem?


The headers are:

Received: from dawid-ooj33vq5w (X34216X26.jaskom.pl [195.34.216.26])
by lux.kbl.co.in (8.12.9/8.12.9) with SMTP id k53EkI5O017209
for <avinashpurandare@kbl.co.in>; Sat, 3 Jun 2006 20:16:27 +0530
Received: from [148.113.39.167] (port=4666 helo=[148.113.39.167])
by kbl.co.in with esmtp
id Zvfya8-A9U118-15
for avinashpurandare@kbl.co.in; Sat, 03 Jun 2006 09:57:00 +1100
Reply-To: Patti <HOy@kbl.co.in>
Message-ID: <32265457.20060603095700@kbl.co.in>
From: Patti <HOy@kbl.co.in>
To: <avinashpurandare@kbl.co.in>
Subject: L00king health?
Date: Sat, 03 Jun 2006 09:57:00 +1100
MIME-Version: 1.0
Content-Type: text/html
X-Priority: 1
X-Mailer: The Bat! (v3.71.03) Professional
X-Spam: Not detected
X-KBL-MailScanner-Information: Please contact the ISP for more information
X-KBL-MailScanner: Found to be clean
X-KBL-MailScanner-From: hoy@kbl.co.in
X-Spam-Status: No
Status:
g33k
post Jun 19 2006, 01:51 AM
Post #2
Group: Support Specialist
Posts: 84
Joined: 18-June 06
Member No.: 6,568

QUOTE
Received: from dawid-ooj33vq5w (X34216X26.jaskom.pl [195.34.216.26])

I think that mail was sent from jaskom.pl; that's a different server and the user doesn't belong to your server..

However, one can easily fake an email ID (I've tried once)..it just needs root access on your machine and sendmail or any client..
Just google for more information :)

Here is the header of a faked mail..
QUOTE
Delivered-To: <address removed>
Return-Path: <root@xxx.yyy> # This is the machine from which I sent the mail :)
Received: from xxx.yyy ([218.226.34.161]) # Here is the IP address of the machine I sent my mail from !!
by <server details removed>

From: anything@testing.com
To: SomeOne@SomeThing.com
Subject: test subject
Message-Id: <removed>
Date: <removed>

this is me testing


--------------------
-- a *certified* n00b

"The best is Yet to come !"

My Desktop : OpenSuSE 10.1 | FVWM-Crystal | MPD | Gaim | Opera | Mrxvt
vaishalichitale
post Jun 19 2006, 02:01 AM
Post #3
Group: Members
Posts: 3
Joined: 19-June 06
Member No.: 6,570

QUOTE (g33k @ Jun 19 2006, 12:21 PM)
I think that mail was sent from jaskom.pl; that's a different server and the user doesn't belong to your server..

However, one can easily fake an email ID (I've tried once)..it just needs root access on your machine and sendmail or any client..
Just google for more information :)

Here is the header of a faked mail..

Can you suggest any solution for this problem?
markjr
post Jun 19 2006, 08:39 AM
Post #4
Group: Admin
Posts: 62
Joined: 9-February 06
Member No.: 6,054

This is a very common weakness in the SMTP protocol and you don't need root on any machine to do it, you can simply telnet to a machine's port 25:

CODE
markjr@stuntpope:~$ telnet smtp.easydns.com 25
Trying 205.210.42.52...
Connected to smtp.easydns.com.
Escape character is '^]'.
220 spawn.easydns.com ESMTP spoken here.
helo laptop.stuntpope.com
250 spawn.easydns.com
mail from: president@whitehouse.gov
250 Ok
rcpt to: markjr@shmooze.net
250 Ok
data
354 End data with <CR><LF>.<CR><LF>
Subject: an email from the president

yada yada yada
.
250 Ok: queued as B5B885A18A


Sender Policy Framework (SPF) is an attempt to fix this: http://www.openspf.org

Think of it as a "reverse mx record" (in fact an earlier parallel process to SPF was called "RMX") in which you define in your DNS where legit email can come from for a given domain. Because there is no additional DNS RR to define this, TXT records are used.

So watch the same process with mail forged from a domain with SPF data published:

CODE
markjr@stuntpope:~$ telnet smtp2.easydns.com 25
Trying 205.210.42.53...
Connected to smtp2.easydns.com.
Escape character is '^]'.
220 carnage.easydns.com ESMTP spoken here.
helo laptop.stuntpope.com
250 carnage.easydns.com
mail from: root@dom.org
250 Ok
rcpt to: markjr@shmooze.net
554 <root@dom.org>: Sender address rejected: Please see http://www.openspf.org/why.html?sender=root%40dom.org&ip=216.235.8.110&receiver=carnage.easydns.vpn


dom.org has SPF data published in its zonefile:

CODE
markjr@stuntpope:~$ host -t txt dom.org
dom.org                 TXT     "v=spf1 -all"


Which basically says "no real mail originates from this domain." To see a more complex record:

CODE
markjr@stuntpope:~$ host -t txt easydns.com
easydns.com             TXT     "v=spf1 mx ptr ip4:205.210.42.0/24 ip4:216.220.40.240/29 ip4:66.207.199.35/32 include:myprivacy.ca ptr:opensrs.net ptr:registrarmail.net ptr:internetsecure.com ~all"


SPF is still an emerging protocol, so publishing SPF data for your domain will not magically solve the problem of your domain being forged in spam, but if you run your own mail server you can cut out a lot of it, because spammers typically fake mail as from the recipient's domain.
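The two checks markjr's post implies, written out as an added example (this is not code from the thread or from easydns): first, pick the Received header that your own MTA wrote, because that is the only hop whose client IP you can trust (the lower "by kbl.co.in" line in the first post arrived inside the message and was written by the sender); second, evaluate the From: domain's published SPF record against that IP. The SPF terms handled are the ones that appear in the dom.org and easydns.com records quoted above (ip4, mx, a, ptr, include, all). DNS is replaced by a constructed lookup table so the example runs offline: the two TXT values are the records quoted in the post, while the MX, A and PTR rows and the myprivacy.ca record are assumptions made up for this example, and kbl.co.in is deliberately missing from the table because the thread shows no SPF record for it.

```python
import ipaddress
import re

# Constructed sample input: the two Received hops and the From: line quoted in the
# first post of the thread, with continuation lines folded (indented) as on the wire.
SAMPLE_HEADERS = """\
Received: from dawid-ooj33vq5w (X34216X26.jaskom.pl [195.34.216.26])
 by lux.kbl.co.in (8.12.9/8.12.9) with SMTP id k53EkI5O017209
 for <avinashpurandare@kbl.co.in>; Sat, 3 Jun 2006 20:16:27 +0530
Received: from [148.113.39.167] (port=4666 helo=[148.113.39.167])
 by kbl.co.in with esmtp
 id Zvfya8-A9U118-15
 for avinashpurandare@kbl.co.in; Sat, 03 Jun 2006 09:57:00 +1100
From: Patti <HOy@kbl.co.in>
"""

# Stub resolver so the example runs offline. The two TXT values are the records
# markjr quoted; every other row is an assumption made up for this example.
# kbl.co.in is absent on purpose: no SPF record means the result is "none".
STUB_DNS = {
    ("dom.org", "TXT"): ["v=spf1 -all"],
    ("easydns.com", "TXT"): [
        "v=spf1 mx ptr ip4:205.210.42.0/24 ip4:216.220.40.240/29 "
        "ip4:66.207.199.35/32 include:myprivacy.ca ptr:opensrs.net "
        "ptr:registrarmail.net ptr:internetsecure.com ~all"
    ],
    ("easydns.com", "MX"): ["smtp.easydns.com"],              # assumed
    ("smtp.easydns.com", "A"): ["205.210.42.52"],              # IP from the telnet session
    ("205.210.42.52", "PTR"): ["smtp.easydns.com"],            # assumed
    ("myprivacy.ca", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all"],  # constructed
}

RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+.*?\[(\d+\.\d+\.\d+\.\d+)\].*?\bby\s+(\S+)", re.I)
FROM_RE = re.compile(r"^From:.*?@([\w.-]+)", re.I)
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def unfold(raw):
    """Join folded header continuation lines (leading whitespace) onto their field."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def connecting_ip(raw, own_hosts):
    """Client IP from the first Received header whose 'by' host is one of ours.
    Received lines below that one were written by the sender and prove nothing."""
    for line in unfold(raw):
        m = RECEIVED_RE.match(line)
        if m and m.group(2).lower() in own_hosts:
            return m.group(1)
    return None


def from_domain(raw):
    """Domain part of the From: header (the domain being claimed)."""
    for line in unfold(raw):
        m = FROM_RE.match(line)
        if m:
            return m.group(1).lower()
    return None


def parse_spf(record):
    """Split 'v=spf1 ...' into (qualifier, mechanism, argument) terms; modifiers skipped."""
    terms = []
    for term in record.split()[1:]:
        if "=" in term:                     # redirect=/exp= modifiers: not handled here
            continue
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        terms.append((qual, mech.lower(), arg))
    return terms


def check_spf(domain, ip, dns=STUB_DNS, depth=0):
    """Evaluate domain's SPF policy for a connecting IP; returns the SPF result string."""
    if depth > 10:                          # include: loops are an error in real SPF too
        return "permerror"
    txt = [r for r in dns.get((domain, "TXT"), []) if r.lower().startswith("v=spf1")]
    if not txt:
        return "none"
    addr = ipaddress.ip_address(ip)
    for qual, mech, arg in parse_spf(txt[0]):
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "mx":
            matched = any(ip in dns.get((h, "A"), []) for h in dns.get((arg or domain, "MX"), []))
        elif mech == "a":
            matched = ip in dns.get((arg or domain, "A"), [])
        elif mech == "include":
            matched = check_spf(arg, ip, dns, depth + 1) == "pass"
        elif mech == "ptr":                 # simplified: reverse name only, no forward check
            target = arg or domain
            matched = any(n == target or n.endswith("." + target) for n in dns.get((ip, "PTR"), []))
        else:
            matched = False                 # ip6/exists etc. not modelled here
        if matched:
            return RESULT[qual]
    return "neutral"


def classify(raw, own_hosts, dns=STUB_DNS):
    """Trusted client IP, claimed From: domain, and that domain's SPF verdict for the IP."""
    ip, domain = connecting_ip(raw, own_hosts), from_domain(raw)
    return ip, domain, (check_spf(domain, ip, dns) if ip and domain else "none")


if __name__ == "__main__":
    print(classify(SAMPLE_HEADERS, {"lux.kbl.co.in"}))         # ('195.34.216.26', 'kbl.co.in', 'none')
    print(check_spf("dom.org", "216.235.8.110"))               # fail (the telnet rejection)
    print(check_spf("easydns.com", "205.210.42.52"))            # pass via mx
    print(check_spf("easydns.com", "195.34.216.26"))            # softfail via ~all
```

The "none" verdict for the sample is the point of the thread: with no record published, a receiving MTA has nothing to reject on, so the forged kbl.co.in sender sails through; the dom.org and easydns.com calls reproduce the two outcomes markjr's telnet sessions show.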
g33k
post Jun 19 2006, 09:33 AM
Post #5
Group: Support Specialist
Posts: 84
Joined: 18-June 06
Member No.: 6,568

I remember having sent a fake email using a Perl script which used sendmail on my machine to send out the mail :unsure:
and to run that script I needed to be root..however, it worked flawlessly ;)

Unfortunately I don't remember where exactly I got that script from :( It's quite useful sometimes :D


DS2K3
post Jun 19 2006, 10:37 AM
Post #6
Group: Support Specialist
Posts: 1,284
Joined: 14-November 04
From: Southampton, Hampshire
Member No.: 4,165


It is trivial to forge email headers - which is why a lot of organisations are moving to SenderID to verify that the email they send is actually from the correct server.

There is very little that you can do about it apart from blocking the IP it came from, switching to a SenderID system yourself, or applying spam filters which check the message content itself. It's just one of those things, I'm afraid.

I think it is worth pointing out that faking email headers is illegal in a lot of places.

D


--------------------
Fixed your problem? Let us know!
richard@linuxhelp.net

www.Gathr.co.uk Online Event Management
g33k
post Jun 19 2006, 12:06 PM
Post #7
Group: Support Specialist
Posts: 84
Joined: 18-June 06
Member No.: 6,568

Yeah, it is illegal in most countries..
However, I think this is what the *SPAMMERS* do..
write up a script that reads email IDs of people from a file, then separates out the host name, then adds some random string to the beginning of the email ID and sends the SPAM..so that it would appear as if the mail was sent from a trusted server and won't be filtered out !!

