
How are they doing it? Qmail spammers, but I'm not an open relay!


kcobean

Technical User
May 6, 2010
Hello. I have checked all of my configs and run several open relay tests against my server and all say I'm good. Yet every few days, I get a FLOOD of bounces coming from other mail servers saying that a message sent via my system couldn't be delivered. I can't tell if someone is sending messages from somewhere else with spoofed addresses using my domains so the bounces are coming to me, or if they're actually finding a way to relay through me. I've made at least one block list that I know of and am trying to get off of that.

Where do I start to look? I'm at a loss here.

Here's a standard message from my MAILER-DAEMON:

################################################
Hi. This is the qmail-send program at mail.xxxx.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<213.165.64.102 does not like recipient.
Remote host said: 550 5.1.1 < User is unknown {mx045}
Giving up on 213.165.64.102.

--- Below this line is a copy of the message.

Return-Path: <anonymous@mail.xxxx.com>
Received: (qmail 24759 invoked by uid 48); 6 May 2010 17:07:50 -0400
Date: 6 May 2010 17:07:50 -0400
Message-ID: <20100506210750.24758.qmail@mail.xxxx.com>
To: Subject: Ordered growth?
MIME-Version: 1.0
Content-type: text/html; charset="utf-8"
X-Mailer: eComm Php
From: Babbette@xxxxxx.org


Original Store! Great Election! ›››› <a
href=" size=4 color="orange">Try
IT</font></a><style>QvLGXIcxmxxz.oH ragu[10,25] ragu[2,60]</style>
 
Given that you have run tests against your system to show that it is not an open relay, there are two things to do.

1 - look VERY closely at your logs. You should have receipt of every message that leaves your system.

2 - review the FULL headers of the emails. I would even say post one here. This is a good, reputable forum with a lot of people who are very knowledgeable and helpful.

To the best of my knowledge, it is difficult to fully spoof or conceal the IP addresses in the email chain because the protocols work on bi-directional communications. What is sometimes done is that erroneous information is pre-pended to the start of the headers to make it look like the messages originate from a fake location.

Another possibility, and this is why I say post the FULL header, is that the RCPT TO and FROM fields in the SMTP, which are what show up in the email, ARE easily spoofed. You may be having issues with this.

Here is an example that I sent to myself from hotmail; let's analyze it:
Code:
Return-Path: <no_spam_me2@hotmail.com>
Delivered-To: inbox@noway2.thruhere.net
Received: from localhost (localhost [127.0.0.1])
     by noway2.thruhere.net (Postfix) with ESMTP id BDE568D9
     for <inbox@noway2.thruhere.net>; Thu, 6 May 2010 18:48:17 -0400 (EDT)
X-Virus-Scanned: Debian amavisd-new at noway2.thruhere.net
X-Spam-Flag: NO
X-Spam-Score: 3.548
X-Spam-Level: ***
X-Spam-Status: No, score=3.548 tagged_above=2 required=5.01
     tests=[DNS_FROM_OPENWHOIS=2.431, HTML_MESSAGE=0.001,
     RCVD_IN_SORBS_WEB=1.117, SPF_PASS=-0.001] autolearn=no
Received: from noway2.thruhere.net ([127.0.0.1])
     by localhost (noway2.thruhere.net [127.0.0.1]) (amavisd-new, port 10024)
     with ESMTP id IWu+9XIkdSfr for <inbox@noway2.thruhere.net>;
     Thu, 6 May 2010 18:48:16 -0400 (EDT)
X-Greylist: delayed 60 seconds by postgrey-1.32 at server; Thu, 06 May 2010 18:48:16 EDT
Received: from snt0-omc2-s4.snt0.hotmail.com (snt0-omc2-s4.snt0.hotmail.com [65.55.90.79])
     by noway2.thruhere.net (Postfix) with ESMTP id 7C9FB7F7
     for <inbox@noway2.thruhere.net>; Thu, 6 May 2010 18:48:16 -0400 (EDT)
Received: from SNT127-W51 ([65.55.90.71]) by snt0-omc2-s4.snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
     Thu, 6 May 2010 15:47:16 -0700
Message-ID: <SNT127-W5159AD252B5C187DD70CA1FBF50@phx.gbl>
Content-Type: multipart/alternative;
     boundary="_42918b23-3c56-4baf-960f-430df794c646_"
X-Originating-IP: [208.54.94.43]
From: Matt Flyer <no_spam_me2@hotmail.com>
To: <inbox@noway2.thruhere.net>
Subject: RE: example
Date: Thu, 6 May 2010 18:47:16 -04

1) The originating IP: 208.54.94.43. We can do a lookup on this and see that it is m2b5e36d0.tmodns.net. I am not sure about this one. It is owned by markmonitor.com.
2) Received: from SNT127-W51 ([65.55.90.71]) by snt0-omc2-s4.snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675); From this we see that if we trace the first IP we don't get full resolution, but it is referred to NS4.MSFT.NET.
3) We see that it passed through snt0-omc2-s4.snt0.hotmail.com from the IP 65.55.90.79, which was the last hop before arriving at my server.

From there we can see that it passed through a couple of scans on my server (localhost) before being greylisted and then delivered.

You should be able to use information like this to trace the path. Keep in mind, it may not have originated at the first IP.
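The bottom-up walk through the Received: chain that this answer describes, as an added example that is not from the thread: it parses the Hotmail headers above and the qmail bounce headers from the question. Note that the bounce's only Received: line is qmail's record of a local injection ("invoked by uid 48", alongside "X-Mailer: eComm Php"), which points at a process on the server itself rather than a remote relay; that uid 48 is the web server account on the poster's system is an assumption.

```python
import re
# Constructed samples copied from the headers quoted in this thread (trailing fields dropped).
# The bounced spam: qmail recorded a LOCAL injection, not a network hop.
BOUNCE_HEADERS = """\
Received: (qmail 24759 invoked by uid 48); 6 May 2010 17:07:50 -0400
X-Mailer: eComm Php
"""
# The Hotmail test message: newest Received: header first, folded lines kept.
HOTMAIL_HEADERS = """\
Received: from localhost (localhost [127.0.0.1])
     by noway2.thruhere.net (Postfix) with ESMTP id BDE568D9
Received: from noway2.thruhere.net ([127.0.0.1])
     by localhost (noway2.thruhere.net [127.0.0.1]) (amavisd-new, port 10024)
Received: from snt0-omc2-s4.snt0.hotmail.com (snt0-omc2-s4.snt0.hotmail.com [65.55.90.79])
     by noway2.thruhere.net (Postfix) with ESMTP id 7C9FB7F7
Received: from SNT127-W51 ([65.55.90.71]) by snt0-omc2-s4.snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
X-Originating-IP: [208.54.94.43]
"""

def unfold(raw):
    """Join folded continuation lines (leading whitespace) back onto their header."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)

def received_hops(raw):
    """Parse every Received: header, oldest hop first (MTAs prepend, so the bottom one is oldest)."""
    hops = []
    for line in unfold(raw).splitlines():
        if not line.lower().startswith("received:"):
            continue
        value = line.split(":", 1)[1].strip()
        local = re.match(r"\(qmail \d+ invoked by uid (\d+)\)", value)
        if local:  # qmail-inject run by a local process: no remote peer exists
            hops.append({"kind": "local", "uid": int(local.group(1)), "ip": None, "by": None})
            continue
        frm = re.search(r"from\s+(\S+)\s*\(([^)]*)\)", value)
        by = re.search(r"\bby\s+(\S+)", value)
        ip = re.search(r"\[([\d.]+)\]", frm.group(2)) if frm else None
        hops.append({"kind": "network", "host": frm.group(1) if frm else None,
                     "ip": ip.group(1) if ip else None, "by": by.group(1) if by else None})
    hops.reverse()
    return hops

def entry_point(raw):
    """Where the message entered: the oldest hop's peer IP, or the local uid that injected it."""
    first = received_hops(raw)[0]
    if first["kind"] == "local":
        return "injected locally by uid %d" % first["uid"]
    return "received from %s" % first["ip"]
```

Run against your own logs, a "local" entry point means the spam never came in over SMTP at all, so the relay tests were answering the wrong question; look at what runs under that uid instead.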
 