SPAM from my domain


#1

…but it wasn’t me… it was the one armed man…

I keep getting email from postmaster accounts saying ‘Delivery failed notification’.

It seems somebody is spamming email accounts using my domain.

The return/senders email addresses being used seem to be random, for example…

litsl@k33pin.it.fr33.co.uk
rifkl@k33pin.it.fr33.co.uk
lbuth@k33pin.it.fr33.co.uk
liked@k33pin.it.fr33.co.uk

None of these accounts actually exist, seems my domain is being used as well as others I would presume.

Is there anything I can do to prevent this? If this keeps up i can see my domain being blocked and/or even Dreamhost domains as that is where it is hosted.


#2

I’m betting it’s just someone forging return addresses. I get such bounces on occasion from some of my domains.

As long as they’re not actually coming from your account (i.e. here at DreamHost), you’re fine. It’s the IP addresses in the messages that will likely get blocked. Since they most likely aren’t coming through DreamHost servers, your/our IP addresses and mail won’t get blocked.

-Scott


#3

What Scott said… and, “No”, there really isn’t anything you can do to stop them from forging a “from” or a “reply to” address that contains your domain name.

You can avoid receiving all the bounce messages, however: disable your catch-all!

–rlparker


#4

i just got hit by this as well. i got some 370+ bounced spam emails saying they were sent from one of my email addresses (just one, one that i’ve never used but it’s active). first time it’s happened to me and i’ve had domains for nearly 10 years. there’s absolutely nothing you can do about this?

seems weird that people can send email with your domain as the sender and there’s no protection against it.

also, i found this in some of the bounced emails:

“Received: from 208.97.132.58 (HELO mx2.balanced.swarthy.mail.dreamhost.com)”

does this mean the spammer was sending the emails through Dreamhost’s mailserver(s) or what?


#5

Grizzley,

You may have a different problem. The quantity is distressing and, coupled with the fact that the email address that was “forged” is an active address, would give me cause for concern that maybe a script on one of my domains had been compromised and is being used by the spammers.

Not necessarily, but it could be, depending upon where in the headers (and whether in the header of the bounce message or the header of the “bounced” message!)

A careful review of the full headers (especially the headers of the actual messages that bounced) is needed to know more.

If these mails hit in groups, and were sent during identifiable periods of time, I’d dig into my logs to see if there is corresponding activity on one of my domains. If so, you may have a security issue with one of your applications and/or forms.

–rlparker


#6

i don’t know much about checking logs and such, where’d i do that? in the Dreamhost panel?

here’s the full header from one of the bounced emails that seemed to have the most information in it:

------ This is a copy of the message, including all the headers. ------

Return-path: *removedname*@fuelfonts.com
Received: from Debian-exim by igate.dittgen.de with spamscanner (Exim 4.34)
id 1GVtYD-0000Z7-KT
for nassherakle@dittgen.de; Fri, 06 Oct 2006 19:32:04 +0200
Received: from localhost ([127.0.0.1])
by igate.dittgen.de with esmtp (Exim 4.34)
id 1GVtWk-0008Ed-1n; Fri, 06 Oct 2006 19:30:26 +0200
Received: from mx2.saarnet.de ([212.89.129.159])
by igate.dittgen.de with esmtp (Exim 4.34)
id 1GVtWf-0007xe-8o; Fri, 06 Oct 2006 19:30:22 +0200
Received: from aanr153.neoplus.adsl.tpnet.pl ([83.5.99.153] helo=net)
by mx2.saarnet.de with esmtp (Exim 4.34)
id 1GVtW0-0000wB-QW; Fri, 06 Oct 2006 19:29:41 +0200
Received: from 208.97.132.58 (HELO mx2.balanced.swarthy.mail.dreamhost.com)
by dittgen.de with esmtp (YK4QOA9BAGV K3A70)
id PB9B0J-FJ5ZH6-TX
for nilson@dittgen.de; Fri, 6 Nov 2006 17:29:38 -0060
Date: Fri, 6 Nov 2006 17:29:38 -0060
From: “Emil Hickey” *removedname*@fuelfonts.com
X-Mailer: The Bat! (v3.0.1.33) UNREG / CD5BF9353B3B7091
X-Priority: 3 (Normal)
Message-ID: 540819574.13453364943196@thebat.net
To: nilson@dittgen.de
Subject: Achieve picture perfect weight and enjoy life
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----------A213DA0CC513DA21"
X-Spam: Not detected
X-Virus-Scanned: by f-secure at mx1.saarnet.de
X-Virus-Scanned: by amavisd-new at igate.dittgen.de
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on igate.dittgen.de
X-Spam-DCC: :
X-Spam-Report:
    *  5.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
    *      [score: 1.0000]
    *  1.1 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence between 51 and 100
    *      [cf: 100]
    *  0.1 HTML_MESSAGE BODY: HTML included in message
    *  0.3 HTML_FONT_BIG BODY: HTML has a big font
    *  3.0 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
    *  2.6 DATE_IN_FUTURE_96_XX Date: is 96 hours or more after Received: date
X-Spam-Status: Yes, hits=12.6 required=4.0 tests=BAYES_99,
    DATE_IN_FUTURE_96_XX,HTML_FONT_BIG,HTML_MESSAGE,
    RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK autolearn=no version=2.63
X-Spam-Level: ************

------------A213DA0CC513DA21
Content-Type: text/plain; charset=Windows-1252
Content-Transfer-Encoding: 7bit

the only real constant in all spams bounces that contain header info is the swarthy.mail.dreamhost.com address…

any help would be appreciated.


#7

You can find your logs in your “home” user directory in the “logs” directory. Note that this is not within your “mydomain.tld” directory, but one level above that - which is where you should be when you log in via ftp/ssh.

Within that “logs” directory, you will find a directory for each domain your user hosts, and your logs will be in that directory for the respective domain. They are just text files, so they can be read with any shell file listing tool, or downloaded to your computer for viewing/searching/etc.

Reading headers can be as much “art” as science at times. I think this is a good guide to how to read email headers (there are many out there - this is just one that I think is particularly good).

That said, it looks to me as though this mail may have actually originated from a (your?) Dreamhost domain, given the “first” identifiable IP address to have forwarded the message being 208.97.132.58, which is a Dreamhost IP address for a mail server. Granted, it could be forged, but in my experience forgers don’t often match the “name” of the identified server with the “correct” IP address.

If you did not send it, it is possible that a compromised script on your server allowed this to be sent, and if that is what happened you should deal with it immediately.

It certainly warrants inspecting more of the emails for patterns, and times to see if there is a pattern here. I’d also check my logs for suspicious activity, and/or contact support for additional help. I could be wrong about this, but at this point it is starting to look to me like a possible compromise.

–rlparker
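An added example, not from this thread or from DreamHost, that does the header reading described above mechanically: it takes the Received: trail from the bounce quoted in #6 (newest hop first), unfolds it, and walks down the chain checking at each step that the next-older line was stamped by the host the newer line says it received the mail from, and that its timestamp is plausible. Everything below the first hop that fails those checks was written by whoever injected the message, not by a relay, so the code also reports the last hop that can still be trusted and the host it says the mail came in from.

```python
import re
from email.utils import parsedate_to_datetime

# Received: trail of the bounced message quoted above, newest hop first (continuation lines re-indented).
RECEIVED_TRAIL = """\
Received: from Debian-exim by igate.dittgen.de with spamscanner (Exim 4.34)
 id 1GVtYD-0000Z7-KT
 for nassherakle@dittgen.de; Fri, 06 Oct 2006 19:32:04 +0200
Received: from localhost ([127.0.0.1])
 by igate.dittgen.de with esmtp (Exim 4.34)
 id 1GVtWk-0008Ed-1n; Fri, 06 Oct 2006 19:30:26 +0200
Received: from mx2.saarnet.de ([212.89.129.159])
 by igate.dittgen.de with esmtp (Exim 4.34)
 id 1GVtWf-0007xe-8o; Fri, 06 Oct 2006 19:30:22 +0200
Received: from aanr153.neoplus.adsl.tpnet.pl ([83.5.99.153] helo=net)
 by mx2.saarnet.de with esmtp (Exim 4.34)
 id 1GVtW0-0000wB-QW; Fri, 06 Oct 2006 19:29:41 +0200
Received: from 208.97.132.58 (HELO mx2.balanced.swarthy.mail.dreamhost.com)
 by dittgen.de with esmtp (YK4QOA9BAGV K3A70)
 id PB9B0J-FJ5ZH6-TX
 for nilson@dittgen.de; Fri, 6 Nov 2006 17:29:38 -0060
"""

def parse_hops(headers):
    """Unfold the block and return one dict per Received: line, newest first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)
    hops = []
    for value in re.findall(r"^Received: (.*)$", unfolded, re.M):
        sender = re.match(r"from (\S+)", value)
        relay = re.search(r" by (\S+)", value)
        hops.append({"from": sender.group(1) if sender else "",
                     "by": relay.group(1) if relay else "",
                     "date": value.rsplit(";", 1)[1].strip()})
    return hops

def check_trail(hops):
    """Walk newest to oldest; stop at the first hop the hop above it does not corroborate."""
    for newer, older in zip(hops, hops[1:]):
        problems = []
        # older line must be stamped by the host the newer one received from (or the same host re-injecting)
        if older["by"] not in (newer["from"], newer["by"]):
            problems.append(f"{newer['by']} received from {newer['from']}, not {older['by']}")
        tz = re.search(r"[+-]\d\d(\d\d)$", older["date"])
        if tz and int(tz.group(1)) >= 60:
            problems.append(f"impossible timezone offset in {older['date']!r}")
        if parsedate_to_datetime(older["date"]) > parsedate_to_datetime(newer["date"]):
            problems.append("timestamp is later than the hop that received it")
        if problems:  # newer is the last trustworthy hop; its 'from' is the real entry point
            return problems, newer["from"]
    return [], hops[-1]["from"]
```

On this trail the check stops at the bottom line (the one naming 208.97.132.58): mx2.saarnet.de says it took the mail from 83.5.99.153, not from “dittgen.de”, and that line’s date is both a month ahead of the hop above it and carries an offset of -0060, which matches the DATE_IN_FUTURE_96_XX hit SpamAssassin recorded in the same headers.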


#8

not sure if i’m doing this right. when i log into the ftp there are four subdirectories: logs, mail, Maildir and public_html.

under logs i do find my domain, and under it there’s a http subdirectory with access.log files… but these seem to be just for website access, not mail or anything like that… so i must be looking the wrong place…?

what kind of compromised script would do this? i haven’t installed anything… i have a counter, a form for sending in mail. look at fuelfonts.com and you can see for yourself.

well, i guess i should get in touch with support since i’m not able to do this myself.

thanks for all the help, much appreciated!


#9

Actually, it is those website access logs you want to inspect, as they will show you activity of visitors who are using your website. If a spammer has compromised the form on your website, there should be a track there :wink:

I did look at your site (nice, btw!) and noticed the form, counter, etc. As you are using the Dreamhost supplied formmail.cgi, I kinda doubt that was exploited. Remember though, that you are not the only one on your server; another site on your server could have been compromised, and you can’t see logs for those not under your control.

It is possible that the spammer just harvested your email info from your form, and used that to forge the headers before exploiting another site. Also, did you check the headers of many of the other messages?

Understand, as I said before, this may be a “false alarm”, but the first IP address makes me suspicious enough that I would contact support. Good Luck!

–rlparker