Problem with spam

wila

Hi,

I was going through the junk folder on my company's main (mycompany.com) email account.
That email is not hosted by me, so that I have a backup plan in case my own email server goes down; instead it is hosted by pcextreme.nl.
What caught my eye was that some spam was sent to my mycompany.nl account, but somehow it ended up in the mycompany.com account. Those are not the same email servers! (The mycompany.nl account is hosted via DirectAdmin.)
The DNS settings for the MX server are different.
When I checked the headers of the spam, it seemed like the spam got sent via my DirectAdmin server. Huh?

So I went and checked the exim.log file, and it did indeed have an entry for that same email.

Code:
2019-05-23 16:50:07 1hTp2l-0005hm-OH <= [email protected] H=hungrest.xyz [209.141.52.187] P=esmtp S=5028 DKIM=hungrest.xyz [email protected] T="Maak het leven nu makkelijker" from <[email protected]> for [email protected]
2019-05-23 16:50:08 1hTp2l-0005hm-OH [185.87.184.60] SSL verify error: certificate name mismatch: DN="/CN=*.route25.eu" H="primary.mail.pcextreme.nl"
2019-05-23 16:50:09 1hTp2l-0005hm-OH ** [email protected] <[email protected]> F=<[email protected]> R=lookuphost T=remote_smtp H=primary.mail.pcextreme.nl [185.87.184.60] X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no: SMTP error from remote mail server after end of data: 550 A URL in this email (acter4multi . xyz) is listed on https://spamrl.com/. Please resolve and retry
2019-05-23 16:50:09 1hTp2n-0005hs-Er <= <> R=1hTp2l-0005hm-OH U=mail P=local S=6711 T="Mail delivery failed: returning message to sender" from <> for [email protected]
2019-05-23 16:50:09 1hTp2l-0005hm-OH Completed

As you see they merge "mycompany.nl" and "mycompany.com" into the email addresses in order to bypass some of the filtering.

Those same emails are also in the admin queue.
Code:
1hTp2n-0005hs-Er-H
mail 8 12
<>
1558623009 0
-received_time_usec .460854
-ident mail
-received_protocol local
-body_linecount 136
-max_received_linelength 125
-allow_unqualified_recipient
-allow_unqualified_sender
-localerror
XX
1
[email protected]

167P Received: from mail by mail.mycompany.nl with local (Exim 4.92)
	id 1hTp2n-0005hs-Er
	for [email protected]; Thu, 23 May 2019 16:50:09 +0200
038  X-Failed-Recipients: [email protected]
029  Auto-Submitted: auto-replied
059F From: Mail Delivery System <[email protected]>
050T To: [email protected]
100  Content-Type: multipart/report; report-type=delivery-status; boundary=1558623009-eximdsn-1736375805
018  MIME-Version: 1.0
059  Subject: Mail delivery failed: returning message to sender
048I Message-Id: <[email protected]>
038  Date: Thu, 23 May 2019 16:50:09 +0200

I'm trying to understand what happened here and I admit that I'm not quite getting it.

Does somebody else here have an idea?
Is it backscatter somehow?

Sorry I anonymized my company name with a search & replace and changed them into "mycompany.nl" and "mycompany.com"

I can't reproduce the email headers anymore, as I pressed delete on the junk folder and it did end up getting removed. But I'm sure this kind of spam will happen again.

Thanks!
--
Wil
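As an added example (not part of the original post or of DirectAdmin/Exim), here is a small Python script that correlates Exim main-log lines by message id to spot the pattern in the log above: a message accepted from a remote host, rejected after DATA by the forwarding destination, and then a locally generated bounce (`<= <>`) sent back to the envelope sender. The sample log lines are constructed from the ones in the post; the addresses are placeholders and the envelope sender is assumed to be forged as an address at mycompany.com.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the exim main-log lines in the post above; the
# addresses are placeholders (the sender is assumed forged as @mycompany.com).
SAMPLE_LOG = """\
2019-05-23 16:50:07 1hTp2l-0005hm-OH <= forged@mycompany.com H=hungrest.xyz [209.141.52.187] P=esmtp S=5028 T="Maak het leven nu makkelijker" from <forged@mycompany.com> for info@mycompany.nl
2019-05-23 16:50:09 1hTp2l-0005hm-OH ** info@mycompany.com <info@mycompany.nl> F=<forged@mycompany.com> R=lookuphost T=remote_smtp H=primary.mail.pcextreme.nl [185.87.184.60] X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no: SMTP error from remote mail server after end of data: 550 A URL in this email is listed on https://spamrl.com/. Please resolve and retry
2019-05-23 16:50:09 1hTp2n-0005hs-Er <= <> R=1hTp2l-0005hm-OH U=mail P=local S=6711 T="Mail delivery failed: returning message to sender" from <> for forged@mycompany.com
2019-05-23 16:50:09 1hTp2l-0005hm-OH Completed
"""

LINE_RE = re.compile(r"^\S+ \S+ (\S{6}-\S{6}-\S{2}) (.*)$")   # date time msgid rest
HOST_RE = re.compile(r"\bH=(\S+)")                            # H=host [ip]
FOR_RE = re.compile(r" for (\S+)$")                            # envelope recipient
MSGID_RE = re.compile(r"\bR=(\S{6}-\S{6}-\S{2})")             # parent id on bounce lines


def find_backscatter(log_text):
    """Return messages that were accepted from a remote host, rejected after
    DATA by the forwarding destination, and then bounced to the envelope sender."""
    msgs = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        mid, rest = m.groups()
        host, rcpt = HOST_RE.search(rest), FOR_RE.search(rest)
        if rest.startswith("<= <>"):          # bounce generated locally (null sender)
            parent = MSGID_RE.search(rest)
            if parent:
                msgs[parent.group(1)]["bounce"] = (mid, rcpt.group(1) if rcpt else None)
        elif rest.startswith("<= "):          # message accepted; who handed it to us?
            msgs[mid]["sender"] = rest.split()[1]
            msgs[mid]["from_host"] = host.group(1) if host else "local"
            msgs[mid]["rcpt"] = rcpt.group(1) if rcpt else None
        elif rest.startswith("** "):          # permanent delivery failure
            err = re.search(r": (\d{3} .+)$", rest)
            msgs[mid]["failure"] = (host.group(1) if host else None,
                                    "after end of data" in rest,
                                    err.group(1) if err else rest)
    hits = []
    for mid, info in msgs.items():
        fail, bounce = info.get("failure"), info.get("bounce")
        if info.get("from_host", "local") != "local" and fail and fail[1] and bounce:
            hits.append({"id": mid, "sender": info["sender"], "rcpt": info["rcpt"],
                         "rejected_by": fail[0], "reason": fail[2],
                         "bounce_id": bounce[0], "bounce_to": bounce[1]})
    return hits
```

Each hit names the original message, the host that rejected the forwarded copy, and where the resulting bounce went; a steady stream of such hits for one forwarder is the signal that the server is generating backscatter rather than rejecting at SMTP time.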
 
Hello Wil,

Check /etc/aliases for root's forwarder. Bounced emails might be delivered to the specified address. Is it an email address at @mycompany.com?
 
Hi Alex,

Thanks for your answer.

I'm afraid not.
The root's forwarder is set to admin.
Admin's email address is admin @mail.mycompany.nl

FWIW, I'm not sure it is a bounced email as the email looked normal to me.
It wasn't a typical bounce notification.

What makes it curious to me is that it only ends up in the mycompany.com box, and they also appear to know other .nl accounts I'm hosting and use email addresses from those accounts as well.
--
Wil
 
Logs and email headers you provided are from a bounce email with the Subject: Mail delivery failed: returning message to sender.
 
Thanks Alex,

That makes sense.
As mentioned, I'm not completely grokking this and am easily getting confused when trying to analyze what happened.

The main part I am having trouble with understanding is this:

How did the spammer manage to use the DirectAdmin server that hosts mycompany.nl to get an email sent to mycompany.com?

The email header of the (sadly) deleted email had a DKIM signature for mediadm.xyz.
As my server does not add that, they must have somehow bounced through it?
But that would suggest that my smtp server is an open relay.
However, when I run mxtoolbox.com against my server it confirms that it is not an open relay (phew).

Did they forge the return address to be mycompany.com?
Am I looking at backscatter?

If so would this article help?
https://help.directadmin.com/item.php?id=357 (How to prevent bounce emails from leaving your server)
Is there a good reason for not applying that patch?

edit: forgot to mention that I worked through https://help.directadmin.com/item.php?id=455 (My server is sending spam, what do I do?) yesterday and everything was fine there. Also note that it is just a few emails that use this spam delivery mechanism. Haven't seen one today yet.

thanks!
--
Wil
 
Wil,

It's only my guess, but it still might be your case. They might send emails forging the sender address using domains hosted on your server, to those same domains. I mean, if you host mycompany.com and mycompany.nl, then they can send emails from anything@mycompany.com to anything@mycompany.nl, or from anything@mycompany.nl to anything@mycompany.nl, by connecting directly to your server's port 25. And Exim on the server will accept them.

It was discussed here many times already.
 
Thanks Alex,

I'm not hosting the email server for mycompany.com though.
I also checked the customer's accounts (it should have been in exim.log then, no? Or in a PHP mail log?) and I'm not seeing anything there either.

At the current rate of abuse it is not something major; it is piquing my curiosity more than anything else.
I just got a new email that uses this technique, and a slightly better understanding of what is happening.

The other day I noticed that I did not have SpamAssassin enabled on mycompany.nl emails (I'm not using that email account much), so I enabled it.
The email that just arrived in the info @mycompany.com account, which was sent to info @mycompany.nl, now has the "*** SPAM ***" prefix.

Code:
Received: from mail.mycompany.nl ([1.2.3.4]) by se03.route25.eu with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.89) (envelope-from <[email protected]>) id 1hUT0A-0005ML-Qx for [email protected]; Sat, 25 May 2019 11:30:06 +0200
Received: from mail by mail.mycompany.nl with spam-scanned (Exim 4.92) (envelope-from <[email protected]>) id 1hUT07-0006Q6-DF for [email protected]; Sat, 25 May 2019 11:30:05 +0200
Received: from localhost by heracles.mycompany.net with SpamAssassin (version 3.4.2); Sat, 25 May 2019 11:30:05 +0200
From: Martje Riesthuis <[email protected]>
To: [email protected]
Subject: *****SPAM***** Heb jij al een afspraak
Date: Sat, 25 May 2019 09:14:04 +0000
Message-Id: <[email protected]>
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on heracles.mycompany.net
X-Spam-Flag: YES
X-Spam-Level: *******
X-Spam-Status: Yes, score=7.5 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,FROM_SUSPICIOUS_NTLD,HTML_IMAGE_ONLY_16, HTML_MESSAGE,SPF_HELO_PASS,SPF_PASS,T_DKIMWL_BL,T_FROM_FMBLA_NEWDOM28, URIBL_ABUSE_SURBL,URIBL_BLACK,URIBL_DBL_SPAM autolearn=no autolearn_force=no version=3.4.2
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_5CE90B1D.B3D6EAF4"
Authentication-Results: se03.route25.eu; dmarc=none header.from=maicrosp.xyz
X-Filter-Fingerprint: CY7c4T+o94Cmn+SwAHdAN/6+lPXBrmcFlk/EdjN/Ui82O+ZLD9ryKk1G+8fm0mZ2/4Qq5fQJWt0B YaSPBfLiNrPL7+dBP0YBn8B7uK/PxT5MdG/JpmcqkK4jf504YcqEEYMnm813Kseu8LXdu3i1iQKj t2Pmmj8Frx+T9jbinRh7R+t+OJtRiPZ3Ynukqd0S04/wdE0eEgnsv92HO1/oxTAH6VrVWIHEYE4s LbA4w2/gFO5B6y1Nk74zHuOtaeYwEkXKTCB9mgAH2nNvM1GFDRvpUxCZYm8OheQjcyMzoEH1q3kn fURkWo+Q9/HbVlHZ
X-SpamExperts-Class: spam
X-SpamExperts-Evidence: urlbl/url-02.rbl.spamrl.com untilte4w . top
X-Filter-ID: Mvzo4OR0dZXEDF/gcnlw0fHWENUdqj+4JDN3TQDP3eCpSDasLI4SayDByyq9LIhVBFghj+h9lZo5 GJSd6R1+5fG46Y+vmWr7BrTPxsCBz92BSPjwFyIjooacdHZD9rWAV2mCa/NkoxueImzuCyjTjY5x 1NOxbiOzN2vs2RIH0hhkpVnS1sCuiZacXpIN3RzgXhskteHpsVtJkoQ+hDALyz7wCADLz8wyCorX adDInq8ViA6J/jleeTtBggwlEzlQlcj3cEORYfwVJaal3mzOeHmS7Qi4DDvwnPe/m0ZwJgtkYiCu slWuwPDQLB/C1wFx6cTrAfIBtLJVe62uoyOAUiXPtZab+nXo49wtg90cAru+qtq5idCWBO2XTztG uNfRllUKQcyy5bzaN91ObwcmUTpZJFYntpl2klN/3WSItYEhvtMwSPZa3ly5N/uH+yYIRmWFRsm7 FYRdMU8pLcUp9jVB9JRJWsonkf8RvyVpyvoDEz7g6c9tWupctT84nFW7zQEqz8qmd2C/e+diur9a UNhDlN3ZFexZfYgAG9qTPTrzvgwP9cMw+lye/qXkeuruXNsYo4+X2yRg03TG3qdikGs11zxWvY9m 0yO1wnAVWCQamUdylUIKhf3z2GAHxH7I/fHGpU/7I6nHtDY7mlRm/LKtMr9L0c9k6tqvYOV8BfBh +K+yOdeVyNXxqSIwCmaoqwPiG77RlB1oqlzsN7KI5Nd5qjeiMP0U85C9gvV4H1oLgw5G+XZkz9jm lq3XkaKQuYHYiiyBKJNDouqaliFY8hbFXPDolPGUQFwXTAcE7rcj/GcBRQqU6K4JxUztkKAaG/Hq ZMSwQVY3WDz25TcDGQhcrDk8BXnQKe8ZatjlitLnbvJlZUw2LWGLgUYUOnfYjhy+22vS2YGN4if9 n96a1ZBQxtK/SBxOeifcIvVrvxy1YNrQSEqRoikb7iBX0BF4
X-Report-Abuse-To: [email protected]
X-Quarantine-Release-ID: 1hUT0A-0005ML-Qx-se03.route25.eu

and the headers of the actual message:
Code:
------------=_5CE90B1D.B3D6EAF4
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: attachment
Content-Transfer-Encoding: 8bit

Received: from maicrosp.xyz ([209.141.35.96])
 by mail.mycompany.nl with esmtp (Exim 4.92)
 (envelope-from <[email protected]>)
 id 1hUT07-0006Q1-5C
 for [email protected]; Sat, 25 May 2019 11:30:03 +0200
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=dkim; d=maicrosp.xyz;
 h=Content-Type:List-ID:From:To:Reply-To:Subject:Message-ID:List-Unsubscribe:Date:MIME-Version;
 bh=cMWsOThNHfde/W4b6IVdYfetiaU=;
 b=GifOGoQgUKL8zgtDOttNzCiDjcdulWDClK709evwNT7FvTy/bvQuMZSqmfY2/9hX9l64uYjRqC4n
 NWuuRToWTAxg4iadF+w+FWDm+VsB+f48o5Xkk4JLY+uChe5/KUYVnlQ8Tj4KyvB2i1rzAadzALTv
 S7H7ZdAC7bFHPRo7nxw=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=dkim; d=maicrosp.xyz;
 b=DEU7cRwGNb1InwdkmJ+u83mjfwghcISibzU8qVwjpNHFoDCxeJ8x0X6oBMAJd4h2GrKsO+Y42gr/
 CdOT577bZeWUsK72JQ+CFWdaP95jRkcBPlLqC2bwEFHLBxvFPoIsyfXdPRzMu3uMRJkdhGh1WDS4
 V7KSg/PFipQfi0lIUwE=;
Content-Type: multipart/alternative; boundary="--_NmP-efabd8096d759eba-Part_1"
X-FBL: emz-A_Q-s.eDiiHG58gu.cjmKDo5yv3
X-Msys-Api: {"campaign_id":"emz-A_Q-s.eDiiHG58gu.cjmKDo5yv3"}
X-SMTPAPI: {"unique_args":{"campaign_id":"emz-A_Q-s.eDiiHG58gu.cjmKDo5yv3"}}
X-Mailgun-Variables: {"campaign_id":"emz-A_Q-s.eDiiHG58gu.cjmKDo5yv3"}
List-ID: o1l1dpmta1to5and11to20 <eDiiHG58gu.this-works.xyz>
From: Martje Riesthuis <[email protected]>
To: [email protected]
Reply-To: [email protected]
Subject: Heb jij al een afspraak
Message-ID: <[email protected]>
X-Mailer: Mailer (+http://this-works.xyz)
List-Unsubscribe: <http://this-works.xyz/subscription/eDiiHG58gu/unsubscribe/cjmKDo5yv3>
Date: Sat, 25 May 2019 09:14:04 +0000
MIME-Version: 1.0
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus

Note: I replaced my company name with "mycompany" and my mail server's IP address with 1.2.3.4.

--
Wil
 
[strike-through]I answered with more details, but it apparently has to be approved by a moderator.[/strike-through]

See above, it has been approved.
 