
Thread: Problem with spam

  1. #1

    Problem with spam

    Hi,

    I was going through the junk folder on my company's main (mycompany.com) email account.
    That email is not hosted by myself, for reasons of having a backup plan in case my email server goes down; instead it is hosted by pcextreme.nl.
    What caught my eye was that some spam was sending emails to the mycompany.nl account, but somehow it ended up in the mycompany.com account. Those are not the same email servers! (The mycompany.nl account is hosted via DirectAdmin.)
    The DNS settings for the MX server are different.
    When I checked the headers of the spam, it seemed like the spam got sent via my DirectAdmin server. Huh?

    So I go and check the exim.log file and it did indeed have an entry for that same email.

    Code:
    2019-05-23 16:50:07 1hTp2l-0005hm-OH <= annalies12Westrik-info=mycompany.nl@mediadm.xyz H=hungrest.xyz [209.141.52.187] P=esmtp S=5028 DKIM=hungrest.xyz id=456d9a58-4a8f-6386-406e-423efc8e2bc5@mediadm.xyz T="Maak het leven nu makkelijker" from <annalies12Westrik-info=mycompany.nl@mediadm.xyz> for info@mycompany.nl
    2019-05-23 16:50:08 1hTp2l-0005hm-OH [185.87.184.60] SSL verify error: certificate name mismatch: DN="/CN=*.route25.eu" H="primary.mail.pcextreme.nl"
    2019-05-23 16:50:09 1hTp2l-0005hm-OH ** info@mycompany.com <info@mycompany.nl> F=<annalies12Westrik-info=mycompany.nl@mediadm.xyz> R=lookuphost T=remote_smtp H=primary.mail.pcextreme.nl [185.87.184.60] X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no: SMTP error from remote mail server after end of data: 550 A URL in this email (acter4multi . xyz) is listed on https://spamrl.com/. Please resolve and retry
    2019-05-23 16:50:09 1hTp2n-0005hs-Er <= <> R=1hTp2l-0005hm-OH U=mail P=local S=6711 T="Mail delivery failed: returning message to sender" from <> for annalies12Westrik-info=mycompany.nl@mediadm.xyz
    2019-05-23 16:50:09 1hTp2l-0005hm-OH Completed
    As you see they merge "mycompany.nl" and "mycompany.com" into the email addresses in order to bypass some of the filtering.

    Those same emails are also in the admin queue.
    Code:
    1hTp2n-0005hs-Er-H
    mail 8 12
    <>
    1558623009 0
    -received_time_usec .460854
    -ident mail
    -received_protocol local
    -body_linecount 136
    -max_received_linelength 125
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -localerror
    XX
    1
    annalies12Westrik-info=mycompany.nl@mediadm.xyz
    
    167P Received: from mail by mail.mycompany.nl with local (Exim 4.92)
    	id 1hTp2n-0005hs-Er
    	for annalies12Westrik-info=mycompany.nl@mediadm.xyz; Thu, 23 May 2019 16:50:09 +0200
    038  X-Failed-Recipients: info@mycompany.com
    029  Auto-Submitted: auto-replied
    059F From: Mail Delivery System <Mailer-Daemon@mail.mycompany.nl>
    050T To: annalies12Westrik-info=mycompany.nl@mediadm.xyz
    100  Content-Type: multipart/report; report-type=delivery-status; boundary=1558623009-eximdsn-1736375805
    018  MIME-Version: 1.0
    059  Subject: Mail delivery failed: returning message to sender
    048I Message-Id: <E1hTp2n-0005hs-Er@mail.mycompany.nl>
    038  Date: Thu, 23 May 2019 16:50:09 +0200
    I'm trying to understand what happened here and I admit that I'm not quite getting it.

    Does somebody else here have an idea?
    Is it backscatter somehow?

    Sorry, I anonymized my company name with a search & replace and changed it into "mycompany.nl" and "mycompany.com".

    I can't reproduce the email headers anymore, as I pressed delete on the junk folder and it did end up getting removed. But I'm sure this kind of spam will happen again.

    Thanks!
    --
    Wil
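The log lines in this post can be read mechanically. As an added example (not part of the original post or of DirectAdmin), the following Python script groups Exim mainlog entries by message id and reports the pattern visible above: an inbound message whose delivery address was rewritten by a forwarder (the `** final <original>` form), rejected by the remote host, after which the server generated a bounce to an address outside its own domains. The five log lines are embedded as a constructed sample copied from this post; the set of local domains is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample input: the five exim mainlog lines quoted in the post above
# (company name anonymized by the poster as mycompany.nl / mycompany.com).
SAMPLE_LOG = """\
2019-05-23 16:50:07 1hTp2l-0005hm-OH <= annalies12Westrik-info=mycompany.nl@mediadm.xyz H=hungrest.xyz [209.141.52.187] P=esmtp S=5028 DKIM=hungrest.xyz id=456d9a58-4a8f-6386-406e-423efc8e2bc5@mediadm.xyz T="Maak het leven nu makkelijker" from <annalies12Westrik-info=mycompany.nl@mediadm.xyz> for info@mycompany.nl
2019-05-23 16:50:08 1hTp2l-0005hm-OH [185.87.184.60] SSL verify error: certificate name mismatch: DN="/CN=*.route25.eu" H="primary.mail.pcextreme.nl"
2019-05-23 16:50:09 1hTp2l-0005hm-OH ** info@mycompany.com <info@mycompany.nl> F=<annalies12Westrik-info=mycompany.nl@mediadm.xyz> R=lookuphost T=remote_smtp H=primary.mail.pcextreme.nl [185.87.184.60] X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no: SMTP error from remote mail server after end of data: 550 A URL in this email (acter4multi . xyz) is listed on https://spamrl.com/. Please resolve and retry
2019-05-23 16:50:09 1hTp2n-0005hs-Er <= <> R=1hTp2l-0005hm-OH U=mail P=local S=6711 T="Mail delivery failed: returning message to sender" from <> for annalies12Westrik-info=mycompany.nl@mediadm.xyz
2019-05-23 16:50:09 1hTp2l-0005hm-OH Completed
"""

# Assumption: the domains whose mail this Exim instance hosts.
LOCAL_DOMAINS = {"mycompany.nl"}

# "<date> <time> <message-id> <rest>"; Exim ids look like 1hTp2l-0005hm-OH.
LINE_RE = re.compile(r"^(\S+ \S+) (\S{6}-\S{6}-\S{2}) (.*)$")
# "<= <> R=<parent-id> ... for <rcpt>": a locally generated bounce (empty sender).
BOUNCE_RE = re.compile(r"^<= <> R=(\S{6}-\S{6}-\S{2}) .* for (\S+)$")
# "<= <sender> ... for <rcpt>": message arrival.
ARRIVAL_RE = re.compile(r"^<= (\S+) .*? for (\S+)$")
# "** <final> [<original>] F=<sender> ...: <reason>": permanent delivery failure;
# Exim prints <original> only when <final> was derived from it (alias/forwarder).
FAIL_RE = re.compile(r"^\*\* (\S+)(?: <(\S+)>)? F=<([^>]*)> .*?: (.*)$")


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def parse_mainlog(text):
    """Group the interesting events of an Exim mainlog by message id."""
    msgs = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _, mid, rest = m.groups()
        b = BOUNCE_RE.match(rest)
        a = ARRIVAL_RE.match(rest)
        f = FAIL_RE.match(rest)
        if b:
            msgs[mid].update(kind="bounce", parent=b.group(1), rcpt=b.group(2))
        elif a:
            msgs[mid].update(kind="message", sender=a.group(1), rcpt=a.group(2))
        elif f:
            msgs[mid]["failure"] = {
                "final": f.group(1),
                "original": f.group(2) or f.group(1),
                "reason": f.group(4),
            }
    return msgs


def find_forwarder_backscatter(text, local_domains=LOCAL_DOMAINS):
    """Report bounces this server sent to an outside address because a
    forwarded copy of an inbound message was rejected by the remote host."""
    msgs = parse_mainlog(text)
    findings = []
    for mid, rec in msgs.items():
        if rec.get("kind") != "bounce":
            continue
        parent = msgs.get(rec["parent"], {})
        fail = parent.get("failure")
        if not fail:
            continue
        forwarded = fail["final"] != fail["original"]
        bounced_outside = domain_of(rec["rcpt"]) not in local_domains
        if forwarded and bounced_outside:
            status = re.search(r"\b([45]\d\d)\b", fail["reason"])
            findings.append({
                "bounce_id": mid,
                "parent_id": rec["parent"],
                "forwarded_from": fail["original"],
                "forwarded_to": fail["final"],
                "bounced_to": rec["rcpt"],
                "smtp_status": status.group(1) if status else None,
            })
    return findings


if __name__ == "__main__":
    for hit in find_forwarder_backscatter(SAMPLE_LOG):
        print(f"{hit['parent_id']}: {hit['forwarded_from']} -> {hit['forwarded_to']} "
              f"rejected ({hit['smtp_status']}); bounce {hit['bounce_id']} "
              f"sent to {hit['bounced_to']}")
```

Run against a real `/var/log/exim/mainlog`, each finding is one bounce that left the server for an address the server never verified; the forged envelope sender in the parent message is where that bounce went.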

  2. #2
    Hello Wil,

    Check /etc/aliases for root's forwarder. Bounced emails might be delivered to the specified address. Is it an email address at @mycompany.com?
    Regards, Alex G.

    - Get the best commercial DirectAdmin support and hire me on poralix.com
    - Follow and like @Poralix on Facebook

  3. #3
    Hi Alex,

    Thanks for your answer.

    I'm afraid not.
    The root's forwarder is set to admin.
    Admin's email address is admin@mail.mycompany.nl.

    FWIW, I'm not sure it is a bounced email as the email looked normal to me.
    It wasn't a typical bounce notification.

    What makes it curious to me is that it only ends up in the mycompany.com box, and they also appear to know other .nl accounts I'm hosting and use email addresses from those accounts as well.
    --
    Wil

  4. #4
    Logs and email headers you provided are from a bounce email with the Subject: Mail delivery failed: returning message to sender.
    Regards, Alex G.

    - Get the best commercial DirectAdmin support and hire me on poralix.com
    - Follow and like @Poralix on Facebook

  5. #5
    Thanks Alex,

    That makes sense.
    As mentioned, I'm not completely grokking this and easily get confused when trying to analyze what happened.

    The main part I am having trouble with understanding is this:

    How did the spammer manage to use the DirectAdmin server that hosts mycompany.nl to get an email sent to mycompany.com?

    The email header of the (sadly) deleted email had a DKIM signature for mediadm.xyz.
    As my server does not add that, they must have somehow bounced through it?
    But that would suggest that my SMTP server is an open relay.
    However, when I run mxtoolbox.com against my server it confirms that it is not an open relay (phew).

    Did they forge the return address to be mycompany.com?
    Am I looking at backscatter?

    If so would this article help?
    https://help.directadmin.com/item.php?id=357 (How to prevent bounce emails from leaving your server)
    Is there a good reason for not applying that patch?

    edit: forgot to mention that I worked through https://help.directadmin.com/item.php?id=455 (My server is sending spam, what do I do?) yesterday and everything was fine there. Also note that it is just a few emails that use this spam delivery mechanism. Haven't seen one today yet.

    thanks!
    --
    Wil
    Last edited by wila; 05-24-2019 at 09:36 AM.

  6. #6
    Wil,

    It's only my guess, but it might still be your case. They might send emails forging the sender address, using domains hosted on your server, to those same domains. I mean, if you host mycompany.com and mycompany.nl, then they can send emails from anything@mycompany.com to anything@mycompany.nl, or from anything@mycompany.nl to anything@mycompany.nl, by connecting directly to your server's port 25. And Exim on the server will accept them.

    It was discussed here many times already.
    Regards, Alex G.

    - Get the best commercial DirectAdmin support and hire me on poralix.com
    - Follow and like @Poralix on Facebook

  7. #7
    Thanks Alex,

    I'm not hosting the email server for mycompany.com though.
    I also checked the customer's accounts (it should have been in the exim.log then, no, or in a PHP mail log?) and I'm not seeing anything there either.

    At the current rate of abuse it is not something major; it's more piquing my curiosity than anything else.
    Just got a new email that uses this technique and a slight understanding of what is happening.

    The other day I noticed that I did not have SpamAssassin enabled on mycompany.nl emails (not using that email account much), so I enabled it.
    The email that just arrived in the info@mycompany.com account, which was sent to info@mycompany.nl, now has the "*** SPAM ***" prefix.

    Code:
    Received: from mail.mycompany.nl ([1.2.3.4]) by se03.route25.eu with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.89) (envelope-from <appi0443-info=mycompany.nl@maicrosp.xyz>) id 1hUT0A-0005ML-Qx for info@mycompany.com; Sat, 25 May 2019 11:30:06 +0200
    Received: from mail by mail.mycompany.nl with spam-scanned (Exim 4.92) (envelope-from <appi0443-info=mycompany.nl@maicrosp.xyz>) id 1hUT07-0006Q6-DF for info@mycompany.nl; Sat, 25 May 2019 11:30:05 +0200
    Received: from localhost by heracles.mycompany.net with SpamAssassin (version 3.4.2); Sat, 25 May 2019 11:30:05 +0200
    From: Martje Riesthuis <appi0443@maicrosp.xyz>
    To: info@mycompany.nl
    Subject: *****SPAM***** Heb jij al een afspraak
    Date: Sat, 25 May 2019 09:14:04 +0000
    Message-Id: <44942205-dc8c-5543-afbc-6388d26b4cc6@maicrosp.xyz>
    X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on heracles.mycompany.net
    X-Spam-Flag: YES
    X-Spam-Level: *******
    X-Spam-Status: Yes, score=7.5 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,FROM_SUSPICIOUS_NTLD,HTML_IMAGE_ONLY_16, HTML_MESSAGE,SPF_HELO_PASS,SPF_PASS,T_DKIMWL_BL,T_FROM_FMBLA_NEWDOM28, URIBL_ABUSE_SURBL,URIBL_BLACK,URIBL_DBL_SPAM autolearn=no autolearn_force=no version=3.4.2
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="----------=_5CE90B1D.B3D6EAF4"
    Authentication-Results: se03.route25.eu; dmarc=none header.from=maicrosp.xyz
    X-Filter-Fingerprint: CY7c4T+o94Cmn+SwAHdAN/6+lPXBrmcFlk/EdjN/Ui82O+ZLD9ryKk1G+8fm0mZ2/4Qq5fQJWt0B YaSPBfLiNrPL7+dBP0YBn8B7uK/PxT5MdG/JpmcqkK4jf504YcqEEYMnm813Kseu8LXdu3i1iQKj t2Pmmj8Frx+T9jbinRh7R+t+OJtRiPZ3Ynukqd0S04/wdE0eEgnsv92HO1/oxTAH6VrVWIHEYE4s LbA4w2/gFO5B6y1Nk74zHuOtaeYwEkXKTCB9mgAH2nNvM1GFDRvpUxCZYm8OheQjcyMzoEH1q3kn fURkWo+Q9/HbVlHZ
    X-SpamExperts-Class: spam
    X-SpamExperts-Evidence: urlbl/url-02.rbl.spamrl.com untilte4w . top
    X-Filter-ID: Mvzo4OR0dZXEDF/gcnlw0fHWENUdqj+4JDN3TQDP3eCpSDasLI4SayDByyq9LIhVBFghj+h9lZo5 GJSd6R1+5fG46Y+vmWr7BrTPxsCBz92BSPjwFyIjooacdHZD9rWAV2mCa/NkoxueImzuCyjTjY5x 1NOxbiOzN2vs2RIH0hhkpVnS1sCuiZacXpIN3RzgXhskteHpsVtJkoQ+hDALyz7wCADLz8wyCorX adDInq8ViA6J/jleeTtBggwlEzlQlcj3cEORYfwVJaal3mzOeHmS7Qi4DDvwnPe/m0ZwJgtkYiCu slWuwPDQLB/C1wFx6cTrAfIBtLJVe62uoyOAUiXPtZab+nXo49wtg90cAru+qtq5idCWBO2XTztG uNfRllUKQcyy5bzaN91ObwcmUTpZJFYntpl2klN/3WSItYEhvtMwSPZa3ly5N/uH+yYIRmWFRsm7 FYRdMU8pLcUp9jVB9JRJWsonkf8RvyVpyvoDEz7g6c9tWupctT84nFW7zQEqz8qmd2C/e+diur9a UNhDlN3ZFexZfYgAG9qTPTrzvgwP9cMw+lye/qXkeuruXNsYo4+X2yRg03TG3qdikGs11zxWvY9m 0yO1wnAVWCQamUdylUIKhf3z2GAHxH7I/fHGpU/7I6nHtDY7mlRm/LKtMr9L0c9k6tqvYOV8BfBh +K+yOdeVyNXxqSIwCmaoqwPiG77RlB1oqlzsN7KI5Nd5qjeiMP0U85C9gvV4H1oLgw5G+XZkz9jm lq3XkaKQuYHYiiyBKJNDouqaliFY8hbFXPDolPGUQFwXTAcE7rcj/GcBRQqU6K4JxUztkKAaG/Hq ZMSwQVY3WDz25TcDGQhcrDk8BXnQKe8ZatjlitLnbvJlZUw2LWGLgUYUOnfYjhy+22vS2YGN4if9 n96a1ZBQxtK/SBxOeifcIvVrvxy1YNrQSEqRoikb7iBX0BF4
    X-Report-Abuse-To: spam@semaster01.route25.eu
    X-Quarantine-Release-ID: 1hUT0A-0005ML-Qx-se03.route25.eu
    and the headers of the actual message:
    Code:
    ------------=_5CE90B1D.B3D6EAF4
    Content-Type: message/rfc822; x-spam-type=original
    Content-Description: original message before SpamAssassin
    Content-Disposition: attachment
    Content-Transfer-Encoding: 8bit
    
    Received: from maicrosp.xyz ([209.141.35.96])
     by mail.mycompany.nl with esmtp (Exim 4.92)
     (envelope-from <appi0443-info=mycompany.nl@maicrosp.xyz>)
     id 1hUT07-0006Q1-5C
     for info@mycompany.nl; Sat, 25 May 2019 11:30:03 +0200
    DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=dkim; d=maicrosp.xyz;
     h=Content-Type:List-ID:From:To:Reply-To:Subject:Message-ID:List-Unsubscribe:Date:MIME-Version;
     bh=cMWsOThNHfde/W4b6IVdYfetiaU=;
     b=GifOGoQgUKL8zgtDOttNzCiDjcdulWDClK709evwNT7FvTy/bvQuMZSqmfY2/9hX9l64uYjRqC4n
     NWuuRToWTAxg4iadF+w+FWDm+VsB+f48o5Xkk4JLY+uChe5/KUYVnlQ8Tj4KyvB2i1rzAadzALTv
     S7H7ZdAC7bFHPRo7nxw=
    DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=dkim; d=maicrosp.xyz;
     b=DEU7cRwGNb1InwdkmJ+u83mjfwghcISibzU8qVwjpNHFoDCxeJ8x0X6oBMAJd4h2GrKsO+Y42gr/
     CdOT577bZeWUsK72JQ+CFWdaP95jRkcBPlLqC2bwEFHLBxvFPoIsyfXdPRzMu3uMRJkdhGh1WDS4
     V7KSg/PFipQfi0lIUwE=;
    Content-Type: multipart/alternative; boundary="--_NmP-efabd8096d759eba-Part_1"
    X-FBL: emz-A_Q-s.eDiiHG58gu.cjmKDo5yv3
    X-Msys-Api: {"campaign_id":"emz-A_Q-s.eDiiHG58gu.cjmKDo5yv3"}
    X-SMTPAPI: {"unique_args":{"campaign_id":"emz-A_Q-s.eDiiHG58gu.cjmKDo5yv3"}}
    X-Mailgun-Variables: {"campaign_id":"emz-A_Q-s.eDiiHG58gu.cjmKDo5yv3"}
    List-ID: o1l1dpmta1to5and11to20 <eDiiHG58gu.this-works.xyz>
    From: Martje Riesthuis <appi0443@maicrosp.xyz>
    To: info@mycompany.nl
    Reply-To: appi0443@maicrosp.xyz
    Subject: Heb jij al een afspraak
    Message-ID: <44942205-dc8c-5543-afbc-6388d26b4cc6@maicrosp.xyz>
    X-Mailer: Mailer (+http://this-works.xyz)
    List-Unsubscribe: <http://this-works.xyz/subscription/eDiiHG58gu/unsubscribe/cjmKDo5yv3>
    Date: Sat, 25 May 2019 09:14:04 +0000
    MIME-Version: 1.0
    X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
    Note: I replaced my company name with "mycompany" and my mail server's IP address with 1.2.3.4.

    --
    Wil
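The two header dumps in this post show the message's path when the `Received:` lines are read bottom-up. As an added example (not from the original post or from any of the tools named in it), the Python below unfolds and parses a `Received:` chain, lists the hops oldest-first, and flags the hop where the recipient changed while the envelope sender stayed the same, which is exactly how a forwarder hands a message on under the original `envelope-from`. The sample chain is constructed by joining the `Received:` lines from both dumps above in delivered order; everything else is omitted.

```python
import email
import re

# Constructed sample: the Received headers from the two header dumps in the post
# above, joined into one chain as they appear in the delivered message (newest
# hop first), with unrelated headers omitted.
SAMPLE_HEADERS = """\
Received: from mail.mycompany.nl ([1.2.3.4]) by se03.route25.eu with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.89) (envelope-from <appi0443-info=mycompany.nl@maicrosp.xyz>) id 1hUT0A-0005ML-Qx for info@mycompany.com; Sat, 25 May 2019 11:30:06 +0200
Received: from mail by mail.mycompany.nl with spam-scanned (Exim 4.92) (envelope-from <appi0443-info=mycompany.nl@maicrosp.xyz>) id 1hUT07-0006Q6-DF for info@mycompany.nl; Sat, 25 May 2019 11:30:05 +0200
Received: from localhost by heracles.mycompany.net with SpamAssassin (version 3.4.2); Sat, 25 May 2019 11:30:05 +0200
Received: from maicrosp.xyz ([209.141.35.96])
 by mail.mycompany.nl with esmtp (Exim 4.92)
 (envelope-from <appi0443-info=mycompany.nl@maicrosp.xyz>)
 id 1hUT07-0006Q1-5C
 for info@mycompany.nl; Sat, 25 May 2019 11:30:03 +0200
From: Martje Riesthuis <appi0443@maicrosp.xyz>
To: info@mycompany.nl
Subject: Heb jij al een afspraak
"""

# Clauses of a Received header as Exim writes them.
FIELD_RES = {
    "from": re.compile(r"^from (\S+)"),
    "by": re.compile(r"\bby (\S+)"),
    "with": re.compile(r"\bwith (\S+)"),
    "id": re.compile(r"\bid (\S+)"),
    "envelope_from": re.compile(r"envelope-from <([^>]*)>"),
    "for": re.compile(r"\bfor (\S+?);"),
}


def received_hops(raw_headers):
    """Return the Received hops oldest-first, each as a dict of parsed clauses."""
    msg = email.message_from_string(raw_headers)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        unfolded = " ".join(value.split())  # undo RFC 5322 header folding
        hop = {}
        for key, rx in FIELD_RES.items():
            m = rx.search(unfolded)
            hop[key] = m.group(1) if m else None
        hops.append(hop)
    return hops


def find_forwards(hops):
    """Hops where the recipient changed but the envelope sender did not,
    i.e. a forwarder relayed the message under the original envelope-from."""
    forwards = []
    last = None
    for hop in hops:
        if not hop["for"] or not hop["envelope_from"]:
            continue  # local scanner hops (SpamAssassin) carry neither clause
        if last and hop["for"] != last["for"] and hop["envelope_from"] == last["envelope_from"]:
            forwards.append({
                "forwarder": hop["from"],
                "received_by": hop["by"],
                "original_rcpt": last["for"],
                "forwarded_to": hop["for"],
                "envelope_from": hop["envelope_from"],
            })
        last = hop
    return forwards


if __name__ == "__main__":
    hops = received_hops(SAMPLE_HEADERS)
    for i, hop in enumerate(hops, 1):
        print(f"hop {i}: {hop['from']} -> {hop['by']} ({hop['with']}) for {hop['for']}")
    for fw in find_forwards(hops):
        print(f"forward by {fw['forwarder']}: {fw['original_rcpt']} -> {fw['forwarded_to']}, "
              f"envelope-from still {fw['envelope_from']}")
```

The forward detected here is the DirectAdmin host passing the message to pcextreme.nl's MX with the spammer's envelope-from intact; because that sender is outside the forwarder's domains, the receiving side's SPF/DMARC checks, and any later bounce, are evaluated against a sender the forwarder never verified.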

  8. #8
    [strike-through]I answered with more details, but it apparently has to be approved by a moderator.[/strike-through]

    See above, it has been approved.
    Last edited by wila; 05-25-2019 at 09:40 AM.
