Linode Forum
Linode Community Forums 		 FAQFAQ    SearchSearch    MembersMembers      Register Register 
 LoginLogin [ Anonymous ] 
Post new topic  Reply to topic

Board index » Linux Community Forums » Email/SMTP Related Forum
  Print view Previous topic | Next topic 
Author Message
mabrams
PostPosted: Fri Jun 16, 2006 3:44 am 
Offline
Senior Newbie

Joined: Tue Feb 22, 2005 12:31 pm
Posts: 9
-------------Full text of email------------
Return-Path: <DPmkV@mailserver.com>
X-Original-To: realuser@mailserver.com
Delivered-To: realuser@mailserver.com
Received: from billgates (unknown [59.44.75.105])
by mail.mailserver.com (Postfix) with SMTP id 842104C55
for <realuser@mailserver.com>; Fri, 16 Jun 2006 03:12:31 -0400 (EDT)
Message-Id: <20060616071231.842104C55@mail.mailserver.com>
Date: Fri, 16 Jun 2006 03:12:31 -0400 (EDT)
From: DPmkV@mailserver.com
To: undisclosed-recipients:;
Status:
---------------End email ------------------

mail.log:
Jun 16 03:12:27 www postfix/smtpd[17493]: connect from unknown[59.44.75.105]
Jun 16 03:12:32 www postfix/smtpd[17493]: 842104C55: client=unknown[59.44.75.105]
Jun 16 03:12:34 www postfix/cleanup[17496]: 842104C55: message-id=<20060616071231.842104C55@mail.mailserver.com>
Jun 16 03:12:34 www postfix/qmgr[24375]: 842104C55: from=<DPmkV@mailserver.com>, size=340, nrcpt=1 (queue active)
Jun 16 03:12:34 www postfix/local[17497]: 842104C55: to=<realuser@mailserver.com>, relay=local, delay=3, status=sent (delivered to command: procmail -a "$EXTENSION")
Jun 16 03:12:34 www postfix/qmgr[24375]: 842104C55: removed
Jun 16 03:12:35 www postfix/smtpd[17493]: disconnect from unknown[59.44.75.105]


We use postfix and pop-before-smtp.

user DPmkV is not a valid user on mailserver.com. User DPmkV should, therefore, not be able to send from mailserver.com. User realuser is a valid user on mailserver.com. If this went through some other mailserver, realuser would necessarily receive it.

I cannot tell if there is a threat at hand or if the From: and Return-Path: are simply spoofed. Any ideas? Obviously if we've got a hole, I want to close it.

TIA
Top
   
Reply with quote  
mkincaid
 Post subject:
PostPosted: Fri Jun 16, 2006 7:42 am 
Offline
Newbie

Joined: Fri Jun 16, 2006 7:23 am
Posts: 2
This looks to me like SPAM. This person took advantage of the fact you must deliver mail to local users or they would never receive any mail. By connecting to your server directly and addressing the user they didn't have to worry about finding a server open to relaying.

So I don't think it's a hole. IMO it wouldn't be worth the overhead to do additional checking such cross checking valid From: to real users. It would solve the problem until the spammer started sending mail with From: and To: as the same address.

It's also possible that this is the realuser who wanted to send an email to themself, had no relay server available to them, was too lazy to type their name in the From: box.
Top
   
Reply with quote  
Display posts from previous:  Sort by  
Post new topic  Reply to topic

Board index » Linux Community Forums » Email/SMTP Related Forum


Who is online

Users browsing this forum: No registered users and 4 guests

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum

Search for:
Jump to:  
RSS

Powered by phpBB® Forum Software © phpBB Group