Spam and SMTP Relay question
17 years 9 months ago #20264
by psiclonius
Spam and SMTP Relay question was created by psiclonius
Hi Everyone,
I'm getting random e-mails from addresses that appear to be coming from my domain. None of the addresses are real, but I would like to know what's going on and how to prevent it. Here is the internet header for one of the messages:
Received: from host253-36.pool8291.interbusiness.it [82.91.36.253] by AmSher.com
(SMTPD-8.22) id A670169604; Thu, 15 Mar 2007 16:11:12 -0500
Return-path: <dgbwjp@amsher.com> (...Fake address)
X-Original-To: rrutdge@amsher.com
Delivered-To: rrutdge@amsher.com
Received: from [82.91.36.253] (port=4431 helo=host253-36.pool8291.interbusiness.it)
by mail.amsher.com with esmtp
id 278563-278563-05
for rrutdge@amsher.com; Thu, 15 Mar 2007 22:11:06 +0100 (EET)
Message-ID: <063201c7674e$01c7674e$fd245b52@amsher.com>
From: "Marcelino" <dgbwjp@amsher.com> (...Fake address)
To: "Clay" rrutdge@amsher.com
Subject: registrant than enumerate
Date: Thu, 15 Mar 2007 22:11:06 +0100 (EET)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_0630_01C76746.72370AD0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-RCPT-TO:
Status: U
X-UIDL: 460676837
X-IMail-ThreadID:
17 years 9 months ago #20268
by FiercePowahs
Replied by FiercePowahs on topic Re: Spam and SMTP Relay question
This is generally called Email Forging/Spoofing.
Do a search on email spoofing. Here are some resources:
www.cert.org/tech_tips/email_spoofing.html
en.wikipedia.org/wiki/Email_spoofing
17 years 9 months ago #20270
by Smurf
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Replied by Smurf on topic Re: Spam and SMTP Relay question
It is very easy to spoof the sender/from address due to deficiencies within the SMTP/ESMTP protocol. Some malware will do this to make it look like it's come from your own domain, to try and trick people into opening the e-mail thinking that it's a legitimate e-mail from the company.
It is however very difficult to spoof the address of where it has come from in the first place. As you can see from your output,
Received: from host253-36.pool8291.interbusiness.it [82.91.36.253]
is the address where the e-mail originated. If you do some digging, though, it's probably some sort of ISP, so it would probably be a waste of time trying to track it through the company who owns that address space. You will see it's coming from Italy.
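As an added example (not part of any post in this thread), the following Python script reads the header block quoted in the first post and walks the Received chain the way the reply describes: the From: address is taken at face value by nobody, while the IP recorded by the recipient's own mail server is what actually identifies the sending host. The script stops at the last Received line written by one of the recipient's own servers, because anything below that line was supplied by the remote client and could be fabricated. The set of own server names and the list of legitimate outbound IPs (192.0.2.10) are assumed placeholders; the "(...Fake address)" annotations from the post are omitted and the header folding has been restored.

```python
import re
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

# Header block of the message quoted in the original post, with RFC 5322
# folding (leading whitespace on continuation lines) restored. Trailing X-*
# client headers are omitted; they play no part in tracing the origin.
RAW_HEADERS = """\
Received: from host253-36.pool8291.interbusiness.it [82.91.36.253] by AmSher.com
  (SMTPD-8.22) id A670169604; Thu, 15 Mar 2007 16:11:12 -0500
Return-path: <dgbwjp@amsher.com>
X-Original-To: rrutdge@amsher.com
Delivered-To: rrutdge@amsher.com
Received: from [82.91.36.253] (port=4431 helo=host253-36.pool8291.interbusiness.it)
  by mail.amsher.com with esmtp
  id 278563-278563-05
  for rrutdge@amsher.com; Thu, 15 Mar 2007 22:11:06 +0100 (EET)
Message-ID: <063201c7674e$01c7674e$fd245b52@amsher.com>
From: "Marcelino" <dgbwjp@amsher.com>
To: "Clay" rrutdge@amsher.com
Subject: registrant than enumerate
Date: Thu, 15 Mar 2007 22:11:06 +0100 (EET)
MIME-Version: 1.0
"""

# Assumed placeholders: the recipient's own mail servers (names that appear
# after "by" in Received lines they write) and the IPs its legitimate
# outbound mail actually comes from. Replace with real values in practice.
OWN_SERVERS = {"amsher.com", "mail.amsher.com"}
OWN_SENDER_IPS = {"192.0.2.10"}


@dataclass
class Hop:
    from_clause: str      # text between "from" and "by", as the receiving server wrote it
    ip: Optional[str]     # IPv4 literal the receiving server recorded in [...]
    name: Optional[str]   # name recorded for the client (HELO string or reverse DNS)
    by: str               # the server that wrote this Received line
    date: Optional[str]   # timestamp after the final ';'


IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO_RE = re.compile(r"helo=([^\s)]+)")
FROM_BY_RE = re.compile(r"\bfrom\s+(.*?)\s+by\s+(\S+)", re.IGNORECASE)


def parse_received(value: str) -> Optional[Hop]:
    """Parse one Received: header value into a Hop; None if it has no from/by."""
    text = " ".join(value.split())  # unfold and collapse whitespace
    m = FROM_BY_RE.search(text)
    if not m:
        return None
    from_clause, by_host = m.group(1), m.group(2)
    ip_m = IP_RE.search(from_clause)
    helo_m = HELO_RE.search(from_clause)
    name = helo_m.group(1) if helo_m else None
    if name is None:
        first = from_clause.split()[0]
        if not first.startswith("["):
            name = first
    date = text.rsplit(";", 1)[1].strip() if ";" in text else None
    return Hop(from_clause, ip_m.group(1) if ip_m else None, name, by_host, date)


def received_hops(raw_headers: str) -> List[Hop]:
    """All Received: lines, newest (topmost) first, as the headers list them."""
    msg = message_from_string(raw_headers)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    return [h for h in hops if h is not None]


def trusted_origin(hops: List[Hop], own_servers: set) -> Optional[Hop]:
    """Walk top-down and stop at the last hop written by one of our own servers.
    Lines below it were handed to us by the remote client and may be forged."""
    last_trusted = None
    for hop in hops:
        if hop.by.lower() not in own_servers:
            break
        last_trusted = hop
    return last_trusted


def analyse(raw_headers: str, own_servers: set, own_sender_ips: set, own_domain: str) -> dict:
    """Compare the domain claimed in From: with the host our servers actually saw."""
    msg = message_from_string(raw_headers)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    origin = trusted_origin(received_hops(raw_headers), own_servers)
    origin_ip = origin.ip if origin else None
    # From: claims our own domain, yet the connecting host is not one of ours.
    likely_forged = from_domain == own_domain and origin_ip not in own_sender_ips
    return {
        "from_domain": from_domain,
        "origin_ip": origin_ip,
        "origin_name": origin.name if origin else None,
        "likely_forged": likely_forged,
    }


if __name__ == "__main__":
    for key, val in analyse(RAW_HEADERS, OWN_SERVERS, OWN_SENDER_IPS, "amsher.com").items():
        print(f"{key}: {val}")
```

Run against the quoted headers, the script reports the From: domain as amsher.com, the originating IP as 82.91.36.253 (reverse name host253-36.pool8291.interbusiness.it, as the reply points out), and flags the message as likely forged because that IP is not one of the domain's own senders. The same walk is what a mail server performs when it checks SPF: it evaluates the connecting IP, never the From: header, which is why publishing an SPF record for the domain is the usual first mitigation for this kind of spoofing.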