Problem with spam

wila

Verified User
Joined
Dec 15, 2017
Messages
18
Hi,

I was going through the junk folder on my company main (mycompany.com) email account.
That email is not hosted by myself, for reasons of having a backup plan in case my email server goes down; instead it is hosted by pcextreme.nl.
What caught my eye was that some spam was being sent to the mycompany.nl account, but somehow it ended up in the mycompany.com account. Those are not the same email servers! (The mycompany.nl account is hosted via directadmin.)
The DNS settings for the mx server are different.
When I checked the headers of the spam, it seemed like the spam got sent via my directadmin server. Huh?

So I went and checked the exim.log file, and it did indeed have an entry for that same email.

Code:
2019-05-23 16:50:07 1hTp2l-0005hm-OH <= annalies12Westrik-info=mycompany.nl@mediadm.xyz H=hungrest.xyz [209.141.52.187] P=esmtp S=5028 DKIM=hungrest.xyz id=456d9a58-4a8f-6386-406e-423efc8e2bc5@mediadm.xyz T="Maak het leven nu makkelijker" from <annalies12Westrik-info=mycompany.nl@mediadm.xyz> for info@mycompany.nl
2019-05-23 16:50:08 1hTp2l-0005hm-OH [185.87.184.60] SSL verify error: certificate name mismatch: DN="/CN=*.route25.eu" H="primary.mail.pcextreme.nl"
2019-05-23 16:50:09 1hTp2l-0005hm-OH ** info@mycompany.com <info@mycompany.nl> F=<annalies12Westrik-info=mycompany.nl@mediadm.xyz> R=lookuphost T=remote_smtp H=primary.mail.pcextreme.nl [185.87.184.60] X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no: SMTP error from remote mail server after end of data: 550 A URL in this email (acter4multi . xyz) is listed on https://spamrl.com/. Please resolve and retry
2019-05-23 16:50:09 1hTp2n-0005hs-Er <= <> R=1hTp2l-0005hm-OH U=mail P=local S=6711 T="Mail delivery failed: returning message to sender" from <> for annalies12Westrik-info=mycompany.nl@mediadm.xyz
2019-05-23 16:50:09 1hTp2l-0005hm-OH Completed
As you can see, they merge "mycompany.nl" and "mycompany.com" into the email addresses in order to bypass some of the filtering.

Those same emails are also in the admin queue.
Code:
1hTp2n-0005hs-Er-H
mail 8 12
<>
1558623009 0
-received_time_usec .460854
-ident mail
-received_protocol local
-body_linecount 136
-max_received_linelength 125
-allow_unqualified_recipient
-allow_unqualified_sender
-localerror
XX
1
annalies12Westrik-info=mycompany.nl@mediadm.xyz

167P Received: from mail by mail.mycompany.nl with local (Exim 4.92)
	id 1hTp2n-0005hs-Er
	for annalies12Westrik-info=mycompany.nl@mediadm.xyz; Thu, 23 May 2019 16:50:09 +0200
038  X-Failed-Recipients: info@mycompany.com
029  Auto-Submitted: auto-replied
059F From: Mail Delivery System <Mailer-Daemon@mail.mycompany.nl>
050T To: annalies12Westrik-info=mycompany.nl@mediadm.xyz
100  Content-Type: multipart/report; report-type=delivery-status; boundary=1558623009-eximdsn-1736375805
018  MIME-Version: 1.0
059  Subject: Mail delivery failed: returning message to sender
048I Message-Id: <E1hTp2n-0005hs-Er@mail.mycompany.nl>
038  Date: Thu, 23 May 2019 16:50:09 +0200
I'm trying to understand what happened here and I admit that I'm not quite getting it.

Somebody else here has an idea?
Is it backscatter somehow?

Sorry, I anonymized my company name with a search & replace and changed them into "mycompany.nl" and "mycompany.com".

Can't reproduce the email headers anymore as I pressed delete on the junk folder and it did end up getting removed. But I'm sure this kind of spam will happen again.

Thanks!
--
Wil
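As an added illustration that is not part of the original thread, the Python below reads Exim mainlog lines like the ones quoted above, links the bounce (sender `<>` with `R=<original id>`) back to the forwarded message that the remote host rejected, and reports bounces that leave the server for a domain it does not host, which is the backscatter pattern being asked about. The sample log is a shortened copy of the entries in the post, and the set of local domains and the field names are assumptions.

```python
import re
# Constructed sample: the Exim mainlog entries quoted in the post above, shortened.
SAMPLE_LOG = """\
2019-05-23 16:50:07 1hTp2l-0005hm-OH <= annalies12Westrik-info=mycompany.nl@mediadm.xyz H=hungrest.xyz [209.141.52.187] P=esmtp S=5028 for info@mycompany.nl
2019-05-23 16:50:09 1hTp2l-0005hm-OH ** info@mycompany.com <info@mycompany.nl> F=<annalies12Westrik-info=mycompany.nl@mediadm.xyz> R=lookuphost T=remote_smtp H=primary.mail.pcextreme.nl [185.87.184.60]: SMTP error from remote mail server after end of data: 550 A URL in this email is listed on https://spamrl.com/
2019-05-23 16:50:09 1hTp2n-0005hs-Er <= <> R=1hTp2l-0005hm-OH U=mail P=local S=6711 T="Mail delivery failed: returning message to sender" for annalies12Westrik-info=mycompany.nl@mediadm.xyz
2019-05-23 16:50:09 1hTp2l-0005hm-OH Completed
"""
# timestamp, Exim message id (6-6-2 chars), log flag, remainder of the line
LINE = re.compile(r"^\S+ \S+ (\w{6}-\w{6}-\w{2}) (<=|\*\*|Completed)(.*)$")

def field(pattern, text, default=None):
    m = re.search(pattern, text)
    return m.group(1) if m else default

def parse_mainlog(text):
    """Collect per-message arrival and delivery-failure facts, keyed by message id."""
    msgs = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m: continue                # TLS warnings etc. are not needed here
        mid, flag, rest = m.groups()
        rec = msgs.setdefault(mid, {"failed": []})
        if flag == "<=":                  # arrival; a sender of "<>" marks a bounce
            rec["sender"] = rest.split()[0]
            rec["rcpt"] = field(r" for (\S+)\s*$", rest, "?")
            rec["host"] = field(r" H=(\S+)", rest, "local")
            rec["bounce_of"] = field(r" R=(\w{6}-\w{6}-\w{2})", rest)  # id being bounced
        elif flag == "**":                # permanent failure: "** final <original> ... H=host: error"
            parts = rest.split()
            rec["failed"].append({
                "final": parts[0],
                "original": parts[1].strip("<>") if parts[1].startswith("<") else parts[0],
                "remote": field(r" H=(\S+)", rest, "?"),
                "error": rest.rsplit(": ", 1)[-1],
            })
    return msgs

def find_backscatter(msgs, local_domains):
    """Bounces this server generated for a message a remote host rejected, addressed to a
    domain it does not host (the forged envelope sender): the backscatter pattern."""
    hits = []
    for mid, rec in msgs.items():
        orig = msgs.get(rec.get("bounce_of"))
        if rec.get("sender") != "<>" or not orig or not orig["failed"] \
                or rec["rcpt"].rsplit("@", 1)[-1] in local_domains:
            continue
        f = orig["failed"][0]
        hits.append({"bounce": mid, "original": rec["bounce_of"], "spam_host": orig["host"],
                     "forged_sender": rec["rcpt"], "forwarded": f["original"] != f["final"],
                     "rejected_by": f["remote"], "reason": f["error"]})
    return hits
```

Running `find_backscatter(parse_mainlog(SAMPLE_LOG), {"mycompany.nl"})` on the sample returns one hit, showing the forward from info@mycompany.nl to info@mycompany.com, the 550 rejection by pcextreme, and the bounce going out to the forged sender at mediadm.xyz.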

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,089
Location
GMT +7.00
Hello Wil,

Check /etc/aliases for root's forwarder. Bounced emails might be delivered to the specified address. Is it an email address at @mycompany.com?

wila

Verified User
Joined
Dec 15, 2017
Messages
18
Hi Alex,

Thanks for your answer.

I'm afraid not.
The root's forwarder is set to admin.
Admin's email address is admin@mail.mycompany.nl

FWIW, I'm not sure it is a bounced email as the email looked normal to me.
It wasn't a typical bounce notification.

What makes it curious to me is that it only ends up in the mycompany.com box, and they also appear to know other .nl accounts I'm hosting and use email addresses from those accounts as well.
--
Wil

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,089
Location
GMT +7.00
Logs and email headers you provided are from a bounce email with the Subject: Mail delivery failed: returning message to sender.

wila

Verified User
Joined
Dec 15, 2017
Messages
18
Thanks Alex,

That makes sense.
As mentioned, I'm not completely grokking this and am easily getting confused when trying to analyze what happened.

The main part I am having trouble with understanding is this:

How did the spammer manage to use the directadmin server that hosts mycompany.nl to get an email sent to mycompany.com?

The email header of the (sadly) deleted email had a DKIM signature for mediadm.xyz.
As my server does not add that, they must have somehow bounced through it?
But that would suggest that my smtp server is an open relay.
However, when I run mxtoolbox.com against my server, it confirms that it is not an open relay (phew).

Did they forge the return address to be mycompany.com?
Am I looking at backscatter?

If so would this article help?
https://help.directadmin.com/item.php?id=357 (How to prevent bounce emails from leaving your server)
Is there a good reason for not applying that patch?

edit: forgot to mention that I worked through https://help.directadmin.com/item.php?id=455 (My server is sending spam, what do I do?) yesterday and everything was fine there. Also note that it is just a few emails that use this spam delivery mechanism. Haven't seen one today yet.

thanks!
--
Wil

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,089
Location
GMT +7.00
Wil,

It's only my guess, but it might still be your case. They might send emails forging the sender address, using domains hosted on your server, to the same domains. I mean if you host
mycompany.com and mycompany.nl, then they can send emails from anything@mycompany.com to anything@mycompany.nl, or anything@mycompany.nl to anything@mycompany.nl, directly connected to your server's port 25. And Exim on the server will accept them.

It was discussed here many times already.

wila

Verified User
Joined
Dec 15, 2017
Messages
18
Thanks Alex,

I'm not hosting the email server for mycompany.com though.
Also checked the customer's accounts (it should have been in the exim.log then, no? or in a php mail log?) and not seeing anything there either.

At the current rate of abuse it is not something major, more piquing my curiosity than anything else.
Just got a new email that uses this technique, and a slightly better understanding of what is happening.

The other day I noticed that I did not have spamassassin enabled on mycompany.nl emails (not using that email account much) so I enabled it.
The email that just arrived in the info@mycompany.com account, which is sent to info@mycompany.nl, now has the "*** SPAM ***" prefix.

Code:
Received: from mail.mycompany.nl ([1.2.3.4]) by se03.route25.eu with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.89) (envelope-from <appi0443-info=mycompany.nl@maicrosp.xyz>) id 1hUT0A-0005ML-Qx for info@mycompany.com; Sat, 25 May 2019 11:30:06 +0200
Received: from mail by mail.mycompany.nl with spam-scanned (Exim 4.92) (envelope-from <appi0443-info=mycompany.nl@maicrosp.xyz>) id 1hUT07-0006Q6-DF for info@mycompany.nl; Sat, 25 May 2019 11:30:05 +0200
Received: from localhost by heracles.mycompany.net with SpamAssassin (version 3.4.2); Sat, 25 May 2019 11:30:05 +0200
From: Martje Riesthuis <appi0443@maicrosp.xyz>
To: info@mycompany.nl
Subject: *****SPAM***** Heb jij al een afspraak
Date: Sat, 25 May 2019 09:14:04 +0000
Message-Id: <44942205-dc8c-5543-afbc-6388d26b4cc6@maicrosp.xyz>
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on heracles.mycompany.net
X-Spam-Flag: YES
X-Spam-Level: *******
X-Spam-Status: Yes, score=7.5 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,FROM_SUSPICIOUS_NTLD,HTML_IMAGE_ONLY_16, HTML_MESSAGE,SPF_HELO_PASS,SPF_PASS,T_DKIMWL_BL,T_FROM_FMBLA_NEWDOM28, URIBL_ABUSE_SURBL,URIBL_BLACK,URIBL_DBL_SPAM autolearn=no autolearn_force=no version=3.4.2
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_5CE90B1D.B3D6EAF4"
Authentication-Results: se03.route25.eu; dmarc=none header.from=maicrosp.xyz
X-Filter-Fingerprint: CY7c4T+o94Cmn+SwAHdAN/6+lPXBrmcFlk/EdjN/Ui82O+ZLD9ryKk1G+8fm0mZ2/4Qq5fQJWt0B YaSPBfLiNrPL7+dBP0YBn8B7uK/PxT5MdG/JpmcqkK4jf504YcqEEYMnm813Kseu8LXdu3i1iQKj t2Pmmj8Frx+T9jbinRh7R+t+OJtRiPZ3Ynukqd0S04/wdE0eEgnsv92HO1/oxTAH6VrVWIHEYE4s LbA4w2/gFO5B6y1Nk74zHuOtaeYwEkXKTCB9mgAH2nNvM1GFDRvpUxCZYm8OheQjcyMzoEH1q3kn fURkWo+Q9/HbVlHZ
X-SpamExperts-Class: spam
X-SpamExperts-Evidence: urlbl/url-02.rbl.spamrl.com untilte4w . top
X-Filter-ID: Mvzo4OR0dZXEDF/gcnlw0fHWENUdqj+4JDN3TQDP3eCpSDasLI4SayDByyq9LIhVBFghj+h9lZo5 GJSd6R1+5fG46Y+vmWr7BrTPxsCBz92BSPjwFyIjooacdHZD9rWAV2mCa/NkoxueImzuCyjTjY5x 1NOxbiOzN2vs2RIH0hhkpVnS1sCuiZacXpIN3RzgXhskteHpsVtJkoQ+hDALyz7wCADLz8wyCorX adDInq8ViA6J/jleeTtBggwlEzlQlcj3cEORYfwVJaal3mzOeHmS7Qi4DDvwnPe/m0ZwJgtkYiCu slWuwPDQLB/C1wFx6cTrAfIBtLJVe62uoyOAUiXPtZab+nXo49wtg90cAru+qtq5idCWBO2XTztG uNfRllUKQcyy5bzaN91ObwcmUTpZJFYntpl2klN/3WSItYEhvtMwSPZa3ly5N/uH+yYIRmWFRsm7 FYRdMU8pLcUp9jVB9JRJWsonkf8RvyVpyvoDEz7g6c9tWupctT84nFW7zQEqz8qmd2C/e+diur9a UNhDlN3ZFexZfYgAG9qTPTrzvgwP9cMw+lye/qXkeuruXNsYo4+X2yRg03TG3qdikGs11zxWvY9m 0yO1wnAVWCQamUdylUIKhf3z2GAHxH7I/fHGpU/7I6nHtDY7mlRm/LKtMr9L0c9k6tqvYOV8BfBh +K+yOdeVyNXxqSIwCmaoqwPiG77RlB1oqlzsN7KI5Nd5qjeiMP0U85C9gvV4H1oLgw5G+XZkz9jm lq3XkaKQuYHYiiyBKJNDouqaliFY8hbFXPDolPGUQFwXTAcE7rcj/GcBRQqU6K4JxUztkKAaG/Hq ZMSwQVY3WDz25TcDGQhcrDk8BXnQKe8ZatjlitLnbvJlZUw2LWGLgUYUOnfYjhy+22vS2YGN4if9 n96a1ZBQxtK/SBxOeifcIvVrvxy1YNrQSEqRoikb7iBX0BF4
X-Report-Abuse-To: spam@semaster01.route25.eu
X-Quarantine-Release-ID: 1hUT0A-0005ML-Qx-se03.route25.eu
and the headers of the actual message:
Code:
------------=_5CE90B1D.B3D6EAF4
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: attachment
Content-Transfer-Encoding: 8bit

Received: from maicrosp.xyz ([209.141.35.96])
 by mail.mycompany.nl with esmtp (Exim 4.92)
 (envelope-from <appi0443-info=mycompany.nl@maicrosp.xyz>)
 id 1hUT07-0006Q1-5C
 for info@mycompany.nl; Sat, 25 May 2019 11:30:03 +0200
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=dkim; d=maicrosp.xyz;
 h=Content-Type:List-ID:From:To:Reply-To:Subject:Message-ID:List-Unsubscribe:Date:MIME-Version;
 bh=cMWsOThNHfde/W4b6IVdYfetiaU=;
 b=GifOGoQgUKL8zgtDOttNzCiDjcdulWDClK709evwNT7FvTy/bvQuMZSqmfY2/9hX9l64uYjRqC4n
 NWuuRToWTAxg4iadF+w+FWDm+VsB+f48o5Xkk4JLY+uChe5/KUYVnlQ8Tj4KyvB2i1rzAadzALTv
 S7H7ZdAC7bFHPRo7nxw=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=dkim; d=maicrosp.xyz;
 b=DEU7cRwGNb1InwdkmJ+u83mjfwghcISibzU8qVwjpNHFoDCxeJ8x0X6oBMAJd4h2GrKsO+Y42gr/
 CdOT577bZeWUsK72JQ+CFWdaP95jRkcBPlLqC2bwEFHLBxvFPoIsyfXdPRzMu3uMRJkdhGh1WDS4
 V7KSg/PFipQfi0lIUwE=;
Content-Type: multipart/alternative; boundary="--_NmP-efabd8096d759eba-Part_1"
X-FBL: emz-A_Q-s.eDiiHG58gu.cjmKDo5yv3
X-Msys-Api: {"campaign_id":"emz-A_Q-s.eDiiHG58gu.cjmKDo5yv3"}
X-SMTPAPI: {"unique_args":{"campaign_id":"emz-A_Q-s.eDiiHG58gu.cjmKDo5yv3"}}
X-Mailgun-Variables: {"campaign_id":"emz-A_Q-s.eDiiHG58gu.cjmKDo5yv3"}
List-ID: o1l1dpmta1to5and11to20 <eDiiHG58gu.this-works.xyz>
From: Martje Riesthuis <appi0443@maicrosp.xyz>
To: info@mycompany.nl
Reply-To: appi0443@maicrosp.xyz
Subject: Heb jij al een afspraak
Message-ID: <44942205-dc8c-5543-afbc-6388d26b4cc6@maicrosp.xyz>
X-Mailer: Mailer (+http://this-works.xyz)
List-Unsubscribe: <http://this-works.xyz/subscription/eDiiHG58gu/unsubscribe/cjmKDo5yv3>
Date: Sat, 25 May 2019 09:14:04 +0000
MIME-Version: 1.0
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
Note: replaced my company name with "mycompany" and my mail server's IP address with 1.2.3.4

--
Wil

wila

Verified User
Joined
Dec 15, 2017
Messages
18
[strike-through]I answered with more details, but it apparently has to be approved by a moderator.[/strike-through]

See above, it has been approved.