Misuse of my domain.

Erik Jakobsen eja at URBAKKEN.DK
Sun Nov 9 14:48:49 GMT 2003


Hi Rick. I'm sorry, but I need more detailed information on what I can do.

Rick Cooper wrote:
>>-----Original Message-----
>>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
>>Behalf Of Erik Jakobsen
>>Sent: Sunday, November 09, 2003 6:58 AM
>>To: MAILSCANNER at JISCMAIL.AC.UK
>>Subject: Re: Misuse of my domain.
>>
>>
>>Hi Peter. Here is the header from the culprit:
>>
>> From - Sun Nov  9 10:04:43 2003
>>X-UIDL: H>*#!]Bd"!:4K!!bf4!!
>>X-Mozilla-Status: 0001
>>X-Mozilla-Status2: 00000000
>>Received: from localhost [127.0.0.1] by lajka2
>>        with SpamAssassin (2.55 1.174.2.19-2003-05-19-exp);
>>        Sun, 09 Nov 2003 10:04:06 +0100
>>From: john at urbakken.dk
>>To: Erik <erik at urbakken.dk>
>
>
> The important thing to note here is that mail from john at yourdomain or
> james at yourdomain with an accompanying photos.zip/readnow.zip file is coming
> from the Mimail.C/G worm, not someone misusing your domain name. Unless you
> actually have users named john/james you should be blocking mail from both
> totally.

I do not have either of those names as users. And how do I block the mails?

>
>>Date: Sun,  9 Nov 2003 09:35:38 +0100 (CET)
>>Message-Id: <20031109083538.E8CEFC062 at fupA.post.tele.dk>
>>X-Spam-Flag: YES
>>X-Spam-Status: Yes, hits=5.2 required=5.0
>>        tests=AWL,BAYES_90,NO_REAL_NAME
>>        version=2.55
>>X-Spam-Level: *****
>>X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
>>MIME-Version: 1.0
>>Content-Type: multipart/mixed; boundary="----------=_3FAE0306.3C6CC969"
>>X-UIDL: H>*#!]Bd"!:4K!!bf4!!
>>
>>This is a multi-part message in MIME format.
>>
>>------------=_3FAE0306.3C6CC969
>>Content-Type: text/plain
>>Content-Disposition: inline
>>Content-Transfer-Encoding: 8bit
>>
>>This mail is probably spam.  The original message has been attached
>>along with this report, so you can recognize or block similar unwanted
>>mail in future.  See http://spamassassin.org/tag/ for more details.
>>
>>Content preview:  [...]
>>
>>Content analysis details:   (5.20 points, 5 required)
>>NO_REAL_NAME       (1.1 points)  From: does not include a real name
>>BAYES_90           (4.0 points)  BODY: Bayesian classifier says spam
>>probability is 90 to 99%
>>                    [score: 0.9897]
>>AWL                (0.1 points)  AWL: Auto-whitelist adjustment
>>
>>
>>
>>------------=_3FAE0306.3C6CC969
>>Content-Type: message/rfc822; x-spam-type=original
>>Content-Description: original message before SpamAssassin
>>Content-Disposition: inline
>>Content-Transfer-Encoding: 8bit
>>
>>Return-Path: <john at urbakken.dk>
>>X-Original-To: erik at localhost
>>Delivered-To: erik at localhost.lajka2.local
>>Received: from localhost (localhost [127.0.0.1])
>>        by lajka2.local (Postfix) with ESMTP id 34954480F5
>>        for <erik at localhost>; Sun,  9 Nov 2003 10:03:47 +0100 (CET)
>>Delivered-To: erik at urbakken.dk
>>Received: from urbakken.dk [192.168.1.1]
>>        by localhost with POP3 (fetchmail-6.2.1)
>>        for erik at localhost (single-drop); Sun, 09 Nov 2003
>>10:03:47 +0100 (CET)
>>Received: from fupA.post.tele.dk (fupA.post.tele.dk [195.41.53.68])
>>        by gateway.urbakken.dk (Postfix) with ESMTP id 160D1AAB39
>>        for <erik at urbakken.dk>; Sun,  9 Nov 2003 03:35:48 -0500 (EST)
>>Received: from localhost (D40A6EA5.rev.stofanet.dk [212.10.110.165])
>>        by fupA.post.tele.dk (Postfix) with SMTP id E8CEFC062
>>        for <erik at urbakken.dk>; Sun,  9 Nov 2003 09:35:38 +0100 (CET)
>>From: john at urbakken.dk
>>To: Erik <erik at urbakken.dk>
>>Reply-To: john at urbakken.dk
>>Message-Id: <20031109083538.E8CEFC062 at fupA.post.tele.dk>
>>Date: Sun,  9 Nov 2003 09:35:38 +0100 (CET)
>>X-yoursite-MailScanner-Information: Please contact the ISP for more
>>information
>>X-yoursite-MailScanner: Found to be clean
>>
>>
>>
>>------------=_3FAE0306.3C6CC969--
>>
>>
>>Peter Bonivart wrote:
>>
>>>Erik Jakobsen wrote:
>>>
>>>
>>>>This is what I see, but I haven't seen the whole headers. What is the
>>>>"envelope from address"?
>>>
>>>
>>>Compare it to regular mail, you can write what you want on the paper
>>>inside the envelope, it will still be delivered to the address on the
>>>envelope. You can find the envelope information in your server logs.
>>>
>>>This is from a fresh spam of mine (some info edited out with x):
>>>
>>>Nov  9 12:17:28 kleenex sendmail[23204]: [ID 801593 mail.info]
>>>hA9BHR7u023204: from=<bounce-fsd-459798 at blast1.myfree.com>, size=7298,
>>>class=0, nrcpts=1,
>>>msgid=<LYRIS-459798-1269238-2003.11.09-02.20.05--x at blast1.myfree.com>,
>>>bodytype=8BITMIME, proto=ESMTP, daemon=MTA-v4, relay=x.x.x [x.x.x.x]
>>>
>>>Nov  9 12:17:29 kleenex MailScanner[15265]: Message hA9BHR7u023204 from
>>>x.x.x.x (bounce-fsd-459798 at blast1.myfree.com) to x.x is spam,
>>>SpamAssassin (score=10.901, required 5, BAYES_99 5.40, CLICK_BELOW 0.10,
>>>HTML_60_70 0.11, HTML_FONTCOLOR_BLUE 0.10, HTML_FONTCOLOR_UNKNOWN 0.10,
>>>HTML_FONTCOLOR_UNSAFE 0.10, HTML_FONT_BIG 0.27, HTML_IMAGE_ONLY_10 0.02,
>>>HTML_IMAGE_RATIO_08 0.36, HTML_LINK_CLICK_HERE 0.10, HTML_MESSAGE 0.10,
>>>MIME_HTML_ONLY 0.32, NO_COST 1.67, NO_REAL_NAME 0.16, SUB_FREE_OFFER
>>>1.66, SUPPLIES_LIMITED 0.33)
>>>
>>>Look at the first line from Sendmail, it says it's from
>>>bounce... at blast1.myfree.com, that's the envelope address and the one you
>>>should block, note on the second line that MS logs that address too. Now
>>>look at this:
>>>
>>>H??From: <MyFreeStuffDaily at MyFree.com>
>>>
>>>It's taken from my quarantine and is the header file (qf) for the same
>>>message, that's what they want me to see in my mail client. It will not
>>>help to block that address since it can be anything and has nothing to
>>>do with the actual delivery of the message, it's common for spammers to
>>>use the same for from and to.
>>>
>>>I hope that helps.
>>>
>>>/Peter Bonivart
>>>
>>>--Unix lovers do it in the Sun
>>>
>>>Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.23-11,
>>>SpamAssassin 2.60 + DCC 1.2.9, ClamAV 20030829
>>>
>>>
>>
>>
>>--
>>Med venlig hilsen - Best regards.
>>Erik Jakobsen - eja at urbakken.dk.
>>Licensed radioamateur with the callsign OZ4KK.
>>SuSE Linux 8.2 Proff.
>>Registered as user #319488 with the Linux Counter, http://counter.li.org.
>>
>
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>


--
Med venlig hilsen - Best regards.
Erik Jakobsen - eja at urbakken.dk.
Licensed radioamateur with the callsign OZ4KK.
SuSE Linux 8.2 Proff.
Registered as user #319488 with the Linux Counter, http://counter.li.org.
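The distinction Peter draws (envelope sender in the MTA log versus the From: header the mail client shows) and Rick's point (mail claiming to be john@ or james@ at a domain that has no such users is the Mimail worm, so blocking those senders is safe) can both be turned into a small check. The following is an added example, not code from the thread or from MailScanner; the log line and headers are taken from the messages above with the archive's " at " rewrite restored to "@", and the function names, the `local_users` set and the category labels are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Sendmail log line and qf header line quoted by Peter Bonivart in the thread
# (sample values constructed from the page; "@" restored).
SENDMAIL_LINE = (
    "Nov  9 12:17:28 kleenex sendmail[23204]: [ID 801593 mail.info] "
    "hA9BHR7u023204: from=<bounce-fsd-459798@blast1.myfree.com>, size=7298, "
    "class=0, nrcpts=1, "
    "msgid=<LYRIS-459798-1269238-2003.11.09-02.20.05--x@blast1.myfree.com>, "
    "bodytype=8BITMIME, proto=ESMTP, daemon=MTA-v4, relay=x.x.x [x.x.x.x]"
)
QF_FROM_LINE = "H??From: <MyFreeStuffDaily@MyFree.com>"

# Relevant headers of the worm message Erik posted (trimmed, "@" restored).
WORM_HEADERS = """Return-Path: <john@urbakken.dk>
Received: from fupA.post.tele.dk (fupA.post.tele.dk [195.41.53.68])
        by gateway.urbakken.dk (Postfix) with ESMTP id 160D1AAB39
        for <erik@urbakken.dk>; Sun,  9 Nov 2003 03:35:48 -0500 (EST)
From: john@urbakken.dk
To: Erik <erik@urbakken.dk>
Reply-To: john@urbakken.dk
"""

ENVELOPE_RE = re.compile(r"\bfrom=<([^>]*)>")


def envelope_sender_from_log(line):
    """Envelope (MAIL FROM) sender as Sendmail logged it; '' means null sender."""
    match = ENVELOPE_RE.search(line)
    if match is None:
        raise ValueError("no from=<...> field in log line")
    return match.group(1).lower()


def header_sender(header_line):
    """Address from a From: header; tolerates the qf file's 'H??From:' prefix."""
    value = header_line.split(":", 1)[1]
    return parseaddr(value)[1].lower()


def envelope_sender_from_headers(raw_headers):
    """Return-Path: is the envelope sender the final MTA recorded on delivery."""
    msg = message_from_string(raw_headers)
    return parseaddr(msg.get("Return-Path", ""))[1].lower()


def senders_differ(envelope, header):
    """True when the envelope sender and the displayed From: are different mailboxes.
    A mismatch alone is not proof of forgery (mailing lists do this), but it shows
    why blocking the header From: address is ineffective."""
    return envelope != header


def classify_sender(addr, our_domain, local_users):
    """Classify a sender address against the domain we are responsible for.

    'external'     - some other domain
    'local'        - our domain and a mailbox that really exists
    'forged-local' - our domain but no such user (the john@/james@ worm pattern);
                     mail from such senders can be rejected outright
    """
    local_part, _, domain = addr.rpartition("@")
    if domain != our_domain.lower():
        return "external"
    return "local" if local_part in local_users else "forged-local"


def check_message(raw_headers, our_domain, local_users):
    """Summarise a message the way an admin would read the log and the headers."""
    envelope = envelope_sender_from_headers(raw_headers)
    header = header_sender(
        next(l for l in raw_headers.splitlines() if l.startswith("From:")))
    return {
        "envelope": envelope,
        "header_from": header,
        "mismatch": senders_differ(envelope, header),
        "verdict": classify_sender(envelope, our_domain, local_users),
    }


if __name__ == "__main__":
    print(envelope_sender_from_log(SENDMAIL_LINE), header_sender(QF_FROM_LINE))
    print(check_message(WORM_HEADERS, "urbakken.dk", {"erik"}))
```

The point of `classify_sender` is that the block list Rick recommends should key on the envelope sender (Return-Path / Sendmail's `from=<...>`), since that is the address the MTA actually accepted, while `senders_differ` makes the "spam from MyFree.com" case concrete: the header From: and the envelope sender name unrelated mailboxes, so a rule on the header address would never fire.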


