Misuse of my domain.

Rick Cooper rcooper at DIMENSION-FLM.COM
Sun Nov 9 12:33:42 GMT 2003


> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> Behalf Of Erik Jakobsen
> Sent: Sunday, November 09, 2003 6:58 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Misuse of my domain.
>
>
> Hi Peter. Here is the header from the culprit:
>
>  From - Sun Nov  9 10:04:43 2003
> X-UIDL: H>*#!]Bd"!:4K!!bf4!!
> X-Mozilla-Status: 0001
> X-Mozilla-Status2: 00000000
> Received: from localhost [127.0.0.1] by lajka2
>         with SpamAssassin (2.55 1.174.2.19-2003-05-19-exp);
>         Sun, 09 Nov 2003 10:04:06 +0100
> From: john at urbakken.dk
> To: Erik <erik at urbakken.dk>

The important thing to note here is that mail from john at yourdomain or
james at yourdomain with an accompanying photos.zip/readnow.zip file is coming
from the Mimail.C/G worm, not someone misusing your domain name. Unless you
actually have users named john/james, you should be blocking mail from both
totally.

> Date: Sun,  9 Nov 2003 09:35:38 +0100 (CET)
> Message-Id: <20031109083538.E8CEFC062 at fupA.post.tele.dk>
> X-Spam-Flag: YES
> X-Spam-Status: Yes, hits=5.2 required=5.0
>         tests=AWL,BAYES_90,NO_REAL_NAME
>         version=2.55
> X-Spam-Level: *****
> X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
> MIME-Version: 1.0
> Content-Type: multipart/mixed; boundary="----------=_3FAE0306.3C6CC969"
> X-UIDL: H>*#!]Bd"!:4K!!bf4!!
>
> This is a multi-part message in MIME format.
>
> ------------=_3FAE0306.3C6CC969
> Content-Type: text/plain
> Content-Disposition: inline
> Content-Transfer-Encoding: 8bit
>
> This mail is probably spam.  The original message has been attached
> along with this report, so you can recognize or block similar unwanted
> mail in future.  See http://spamassassin.org/tag/ for more details.
>
> Content preview:  [...]
>
> Content analysis details:   (5.20 points, 5 required)
> NO_REAL_NAME       (1.1 points)  From: does not include a real name
> BAYES_90           (4.0 points)  BODY: Bayesian classifier says spam
> probability is 90 to 99%
>                     [score: 0.9897]
> AWL                (0.1 points)  AWL: Auto-whitelist adjustment
>
>
>
> ------------=_3FAE0306.3C6CC969
> Content-Type: message/rfc822; x-spam-type=original
> Content-Description: original message before SpamAssassin
> Content-Disposition: inline
> Content-Transfer-Encoding: 8bit
>
> Return-Path: <john at urbakken.dk>
> X-Original-To: erik at localhost
> Delivered-To: erik at localhost.lajka2.local
> Received: from localhost (localhost [127.0.0.1])
>         by lajka2.local (Postfix) with ESMTP id 34954480F5
>         for <erik at localhost>; Sun,  9 Nov 2003 10:03:47 +0100 (CET)
> Delivered-To: erik at urbakken.dk
> Received: from urbakken.dk [192.168.1.1]
>         by localhost with POP3 (fetchmail-6.2.1)
>         for erik at localhost (single-drop); Sun, 09 Nov 2003
> 10:03:47 +0100 (CET)
> Received: from fupA.post.tele.dk (fupA.post.tele.dk [195.41.53.68])
>         by gateway.urbakken.dk (Postfix) with ESMTP id 160D1AAB39
>         for <erik at urbakken.dk>; Sun,  9 Nov 2003 03:35:48 -0500 (EST)
> Received: from localhost (D40A6EA5.rev.stofanet.dk [212.10.110.165])
>         by fupA.post.tele.dk (Postfix) with SMTP id E8CEFC062
>         for <erik at urbakken.dk>; Sun,  9 Nov 2003 09:35:38 +0100 (CET)
> From: john at urbakken.dk
> To: Erik <erik at urbakken.dk>
> Reply-To: john at urbakken.dk
> Message-Id: <20031109083538.E8CEFC062 at fupA.post.tele.dk>
> Date: Sun,  9 Nov 2003 09:35:38 +0100 (CET)
> X-yoursite-MailScanner-Information: Please contact the ISP for more
> information
> X-yoursite-MailScanner: Found to be clean
>
>
>
> ------------=_3FAE0306.3C6CC969--
>
>
> Peter Bonivart wrote:
> > Erik Jakobsen wrote:
> >
> >> This is what I see, but I haven't seen the whole headers. What is the
> >> "envelope from address" ?.
> >
> >
> > Compare it to regular mail, you can write what you want on the paper
> > inside the envelope, it will still be delivered to the address on the
> > envelope. You can find the envelope information in your server logs.
> >
> > This is from a fresh spam of mine (some info edited out with x):
> >
> > Nov  9 12:17:28 kleenex sendmail[23204]: [ID 801593 mail.info]
> > hA9BHR7u023204: from=<bounce-fsd-459798 at blast1.myfree.com>, size=7298,
> > class=0, nrcpts=1,
> > msgid=<LYRIS-459798-1269238-2003.11.09-02.20.05--x at blast1.myfree.com>,
> > bodytype=8BITMIME, proto=ESMTP, daemon=MTA-v4, relay=x.x.x [x.x.x.x]
> >
> > Nov  9 12:17:29 kleenex MailScanner[15265]: Message hA9BHR7u023204 from
> > x.x.x.x (bounce-fsd-459798 at blast1.myfree.com) to x.x is spam,
> > SpamAssassin (score=10.901, required 5, BAYES_99 5.40, CLICK_BELOW 0.10,
> > HTML_60_70 0.11, HTML_FONTCOLOR_BLUE 0.10, HTML_FONTCOLOR_UNKNOWN 0.10,
> > HTML_FONTCOLOR_UNSAFE 0.10, HTML_FONT_BIG 0.27, HTML_IMAGE_ONLY_10 0.02,
> > HTML_IMAGE_RATIO_08 0.36, HTML_LINK_CLICK_HERE 0.10, HTML_MESSAGE 0.10,
> > MIME_HTML_ONLY 0.32, NO_COST 1.67, NO_REAL_NAME 0.16, SUB_FREE_OFFER
> > 1.66, SUPPLIES_LIMITED 0.33)
> >
> > Look at the first line from Sendmail, it says it's from
> > bounce... at blast1.myfree.com, that's the envelope address and the one you
> > should block, note on the second line that MS logs that address too. Now
> > look at this:
> >
> > H??From: <MyFreeStuffDaily at MyFree.com>
> >
> > It's taken from my quarantine and is the header file (qf) for the same
> > message, that's what they want me to see in my mail client. It will not
> > help to block that address since it can be anything and has nothing to
> > do with the actual delivery of the message, it's common for spammers to
> > use the same for from and to.
> >
> > I hope that helps.
> >
> > /Peter Bonivart
> >
> > --Unix lovers do it in the Sun
> >
> > Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.23-11,
> > SpamAssassin 2.60 + DCC 1.2.9, ClamAV 20030829
> >
> >
>
>
> --
> Med venlig hilsen - Best regards.
> Erik Jakobsen - eja at urbakken.dk.
> Licensed radioamateur with the callsign OZ4KK.
> SuSE Linux 8.2 Proff.
> Registered as user #319488 with the Linux Counter, http://counter.li.org.
>

