
Spam from dwDOMAINm@DOMAIN.com

Status
Not open for further replies.

holleyism (Programmer, US)
Mar 8, 2007
I have a qmail server running for some time now that hasn't had any problems. I recently started seeing spam bounces, with the format of the email being dwDOMAINm@DOMAIN.com. Looking at the headers, it appears to be coming from my server. I tested for relay and there appear to be no holes. I have logging turned on for sending email but haven't seen any login attempts for smtp (I don't send that much email through here). I even turned on snort to trace all traffic for the host for days and didn't see any attempts to send email out, but yet I still seem to get the bounced spam. I also checked my trash for filtered spam and have seen other spam attempts using the format referenced above but different domain names.

Is anyone else seeing this and is there any way to stop it?
Thanks.
 
In all likelihood someone external to your server is using "From:" and "Reply to:" header information for one of your users in their spam. When the recipient receives the spam they are bouncing back to your server which is probably then squashing the message.

Happens all the time. Ignore it.

D.E.R. Management - IT Project Management Consulting
 
If it was just the "From:" header I could see ignoring it, but since my IP address shows up in the Received header, I think there's something wrong.

Here's a sample from a bounced message:
Received: from xx.xx.xx.xx (HELO a.mx.DOMAIN.com)
by pietercil.com with esmtp (0;L)K8-.7 .,1/+>)
id )0F239-=L>5JZ-.Q
for someuser@random.domain.com; Sat, 10 Mar 2007 08:27:08 +0500

Where the xx.xx.xx.xx is my ipaddress and DOMAIN is my real domain.

The example shown was sent during a period where I had qmail-send service shutdown which I thought should still allow my system to receive mail but no mail could be sent out. What's odd is that I've seen headers that I've sent and I thought qmail uses "smtp" not "esmtp" in the Received header.

I'm still trying to see if there is some other rogue program running that's sending mail. Any suggestions?
 
Ok, I guess I didn't realize that Received: headers could be forged and inserted after the fact. After doing some more research, I noticed that the next Received: header has usually been a dynamic IP from an ISP, which doesn't seem like it would be a real mail server that I could send to. Thanks.
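The header-chain reasoning from the last post, as an added example that is not code from this thread: it walks the Received: lines of a constructed message newest-first, trusts only the lines written by your own host (placeholder names mx.mydomain.example, a.mx.mydomain.example and 203.0.113.45 are assumed), and flags lower lines that name your server, use a protocol tag qmail-smtpd never writes, or come from a dynamic-looking ISP source.

```python
"""Walk a message's Received: chain and mark where verifiable provenance ends."""
import re
from email import message_from_string

# Names our own qmail host appears under in Received: lines (assumed placeholders).
OUR_HOSTS = {"mx.mydomain.example", "a.mx.mydomain.example", "203.0.113.45"}
# Heuristic for hostnames that look like dynamic/residential ISP addresses.
DYNAMIC_RE = re.compile(r"\b(dsl|dyn|dynamic|dhcp|ppp|cable|pool)\b|\d+-\d+-\d+-\d+", re.I)
HOP_RE = re.compile(r"from\s+(?P<src>\S+)(?:\s+\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>\S+)(?P<rest>.*)")

# Constructed sample of the headers a bounce quotes back (documentation addresses only).
SAMPLE = """Received: from mail.recipient.example (mail.recipient.example [192.0.2.10])
  by mx.mydomain.example with SMTP; 10 Mar 2007 03:30:12 -0000
Received: from 203.0.113.45 (HELO a.mx.mydomain.example)
  by mail.recipient.example with esmtp id ABC123
  for someuser@recipient.example; Sat, 10 Mar 2007 08:27:08 +0500
Received: from dsl-198-51-100-77.dyn.isp.example (198.51.100.77)
  by 203.0.113.45 with esmtp; Sat, 10 Mar 2007 03:20:00 +0000
From: dwmydomainm@mydomain.example
Subject: test

"""

def parse_hop(value):
    """Extract the 'from', parenthesised comment, 'by' and trailing text of one Received: value."""
    m = HOP_RE.match(" ".join(value.split()))      # unfold continuation lines first
    if not m:
        return None
    hop = m.groupdict()
    hop["paren"] = hop["paren"] or ""
    return hop

def analyse(raw_message):
    """Return hops newest-first, each tagged trusted / unverified / suspect with reasons."""
    hops, trusted_zone = [], True
    for value in message_from_string(raw_message).get_all("Received", []):
        hop = parse_hop(value)
        if hop is None:
            continue
        reasons = []
        if trusted_zone and hop["by"] in OUR_HOSTS:
            hop["verdict"] = "trusted"                # our own server stamped this line
        else:
            trusted_zone = False                      # everything below is someone else's claim
            if hop["by"] in OUR_HOSTS or hop["src"] in OUR_HOSTS or any(h in hop["paren"] for h in OUR_HOSTS):
                reasons.append("names our host in a line we did not write")
            if hop["by"] in OUR_HOSTS and "esmtp" in hop["rest"].lower():
                reasons.append("qmail-smtpd stamps 'with SMTP', not 'esmtp'")
            if DYNAMIC_RE.search(hop["src"]) or DYNAMIC_RE.search(hop["paren"]):
                reasons.append("source looks like a dynamic ISP address")
            hop["verdict"] = "suspect" if reasons else "unverified"
        hop["reasons"] = reasons
        hops.append(hop)
    return hops

if __name__ == "__main__":
    for i, hop in enumerate(analyse(SAMPLE), 1):
        print(f"hop {i}: from={hop['src']} by={hop['by']} -> {hop['verdict']} {hop['reasons']}")
```

Only the topmost hop is something your own server logged; the two below it, including the one that places your IP and HELO name in the chain, were written by other hosts and are exactly the kind of forged lines the thread ends up describing.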
 