Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Spam from dwDOMAINm@DOMAIN.com

Status
Not open for further replies.
holleyism

holleyism

Programmer
Mar 8, 2007
3
US
I have a qmail server running for sometime now that hasn't had any problems. I recently started seeing spam bounces, with the format of the email being dwDOMAINm@DOMAIN.com. Looking at the headers, it appears to be coming from my server. I tested for relay and there appear to be no holes. I have logging turned on for sending email but haven't seen any login attempts for smtp (I don't send that much email through here). I even turned on snort to trace all traffic for the host for days and didn't see any attempts to send email out, but yet I still seem to get the bounced spam. I also checked my trash for filtered spam and have seen other spam attempts using the format referenced above but different domain names.

Is anyone else seeing this and is there any way to stop it?
Thanks.
 
Sort by date Sort by votes
In all likelihood someone external to your server is using "From:" and "Reply to:" header information for one of your users in their spam. When the recipient receives the spam they are bouncing back to your server which is probably then squashing the message.

Happens all the time. Ignore it.

D.E.R. Management - IT Project Management Consulting
 
Upvote 0 Downvote
If it was just the "From:" header I could see ignoring it, but since my IP address shows up in the Receieved header, I think there's something wrong.

Here's a sample from a bounced message:
Received: from xx.xx.xx.xx (HELO a.mx.DOMAIN.com)
by pietercil.com with esmtp (0;L)K8-.7 .,1/+>)
id )0F239-=L>5JZ-.Q
for someuser@random.domain.com; Sat, 10 Mar 2007 08:27:08 +0500

Where the xx.xx.xx.xx is my ipaddress and DOMAIN is my real domain.

The example shown was sent during a period where I had qmail-send service shutdown which I thought should still allow my system to receive mail but no mail could be sent out. What's odd is that I've seen headers that I've sent and I thought qmail uses "smtp" not "esmtp" in the Received header.

I'm still trying to see if there is some other rogue program running that's sending mail. Any suggestions?
 
Upvote 0 Downvote
Ok, I guess I didn't realize that Received: headers could be forged and inserted after the fact. After doing some more research, I noticed that the next Received: header has usually been a dynamic IP from an ISP, which doesn't seem like it would be a real mail server that I could send to. Thanks.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Menon181
  • Locked
  • Question
Upgrading Micros 3700 from 5.2 to 5.5
Replies
0
Views
5K
Menon181
Menon181
Soopa
  • Locked
  • Question
migrating from Netscape Enterprise to postfix
Replies
0
Views
207
Soopa
Soopa
nikanjyl25
  • Locked
  • Question
Spam Mail
Replies
0
Views
62
nikanjyl25
nikanjyl25
nstratton25
  • Locked
  • Question
prohibit spooling of internal mail from the public Internet
Replies
0
Views
178
nstratton25
nstratton25
Rnimb
  • Locked
  • Question
Problem receiving appointment from Outlook Clients
Replies
13
Views
209
Rnimb
Rnimb

Part and Inventory Search

Sponsor

Back
Top