Being Spammed by myself?

Status
Not open for further replies.

Excelerate2004

Hello to all,

I'm just wondering if anyone has heard anything like this:

Last week I received an email with my exact email address sent to myself with a subject line like RE: Your website
which is very regularly used as a spam subject line. I obviously didn't send it to myself!

What is happening here? Am I being attacked and my email system being used to send SPAM?

What can I do to prevent this?

I'm running Netware 5.1, Groupwise 5.5, BorderManager 3.5

Thanks a bunch for any help I can get! This really has me worried...
 
The first question you have to ask is: Did this email originate on my server? If so, you are being used as a relay.

Generally, the "From" address is simply grabbed from somebody's address book by a virus.
 
It is a typical spam ploy to get around spam filters. Most filters only look at the source address info, not always the source server. So the spam filter will allow you to relay mail through it or get mail from you to you because it thinks you are safe.

Nothing real big to worry about, just requires some reconfig on the SMTP gateway to prevent such a thing.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Brent Schmidt Certified nut case [hippy]
Senior Network Engineer
 
I checked the header file and got the following:

Received: from zaca01ac.eccozac01.local
by SERVERNAME; Tue, 30 Aug 2005 15:48:01 -0230
Received: from localhost.localdomain (HELO localhost.localdomain
[127.0.0.1])
by veldt.keromail.com (Mostfix) with ESMTP id BAD8953BFF
for ; Tue, 30 Aug 2005
14:12:41 -0500
Message-Id: <200309010816.06350.exoskeleton@keromail.com>
Date: Tue, 30 Aug 2005 18:16:41 -0100
From: "firstname.lastname@mydomain.com"
To: firstname.lastname@mydomain.com
Subject: Re: ..you run this web site right?
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailman-Version: 2.0.13
X-Mailer: Ximian Evolution 1.4.3

REGARDING YOUR DOMAIN NAME SHOWN ABOVE:

we email your web site to 3,500,000 opt-in emails for free





What can be learned from this?

How can I prevent this in the future?

Thanks!
 
Excelerate2004 said:
What can be learned from this?
Is this your server? zaca01ac.eccozac01.local
That is where it apparently originated from. Remember that almost every field in the header can be forged.
Excelerate2004 said:
How can I prevent this in the future?
Man, if you can come up with an answer to that, you are rich. It's just typical spammer crap; unless it's flooding your server just delete it and get on with your life.
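
Added example, not part of any post in this thread: a Python sketch that reads the header posted above the way the reply suggests, taking the peer named on the topmost Received line (the only one the receiving server wrote itself) and flagging breaks in the relay chain below it. The function names and the `own_hosts` set are assumptions for illustration; the header text is the one from the post with folded lines re-indented.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Sample input: header from the post above, folded lines re-indented.
RAW = """\
Received: from zaca01ac.eccozac01.local
 by SERVERNAME; Tue, 30 Aug 2005 15:48:01 -0230
Received: from localhost.localdomain (HELO localhost.localdomain
 [127.0.0.1])
 by veldt.keromail.com (Mostfix) with ESMTP id BAD8953BFF
 for ; Tue, 30 Aug 2005
 14:12:41 -0500
From: "firstname.lastname@mydomain.com"
To: firstname.lastname@mydomain.com
"""

ADDR = re.compile(r"[\w.+-]+@[\w.-]+")

def hops(msg):
    """Received lines, oldest first, as (from_host, by_host, timestamp)."""
    out = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # undo header folding
        frm = re.match(r"from\s+(\S+)", flat)
        by = re.search(r"\bby\s+([^\s;]+)", flat)
        when = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
        out.append((frm and frm.group(1), by and by.group(1), when))
    return out

def analyze(raw, own_hosts):
    """own_hosts: names of your own mail hosts (supplied by you, an assumption)."""
    msg = message_from_string(raw)
    chain = hops(msg)
    sender = ADDR.search(msg["From"]).group(0).lower()
    rcpt = ADDR.search(msg["To"]).group(0).lower()
    return {
        "self_addressed": sender == rcpt,
        # Only the newest Received line was written by the receiving server.
        "handed_over_by": chain[-1][0],
        "from_own_host": chain[-1][0] in own_hosts,
        # A hop whose "from" host differs from the previous hop's "by" host.
        "chain_breaks": [(a[1], b[0]) for a, b in zip(chain, chain[1:]) if a[1] != b[0]],
        # A later hop stamped earlier than the hop before it.
        "time_reversals": sum(b[2] < a[2] for a, b in zip(chain, chain[1:])),
    }
```

On this header the chain breaks between veldt.keromail.com and zaca01ac.eccozac01.local, and the newer hop is stamped earlier than the older one, so everything below the topmost Received line is unverified.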
 
Thanks for the info, it's just scary to get email from "myself" especially when I didn't type it.

I guess I'll have to live with it.

Cheers!
 
One of the "solutions" is the MS backed Sender-ID initiative (patent owned by MS).

Not clear on all the specifics but SPF requires that you add SPF records to your DNS so that validation of your e-mail server can be done. It is supposed to prevent folks from using your hostname without being tagged as invalid.

Some links to look at:



I may be totally off but wanted to throw that in the mix. Reading through the links (and doing more searches on Sender-ID) won't give you much confidence though. Doesn't stop Spammers :)
 