Skip to main content

Spam and SMTP Relay question

More
17 years 8 months ago #20264 by psiclonius
Hi Everyone,

I'm getting random e-mails from address that appear to be coming from my domain. None of the addresses are real, but I would like to know what's going on and how to prevent it. Here is the internet header for one of the messages:


Received: from host253-36.pool8291.interbusiness.it [82.91.36.253] by AmSher.com
(SMTPD-8.22) id A670169604; Thu, 15 Mar 2007 16:11:12 -0500
Return-path: <dgbwjp@amsher.com> (...Fake address)
X-Original-To: rrutdge@amsher.com
Delivered-To: rrutdge@amsher.com
Received: from [82.91.36.253] (port=4431 helo=host253-36.pool8291.interbusiness.it)
by mail.amsher.com with esmtp
id 278563-278563-05
for rrutdge@amsher.com; Thu, 15 Mar 2007 22:11:06 +0100 (EET)
Message-ID: <063201c7674e$01c7674e$fd245b52@amsher.com>
From: "Marcelino" <dgbwjp@amsher.com> (...Fake address)
To: "Clay" rrutdge@amsher.com
Subject: registrant than enumerate
Date: Thu, 15 Mar 2007 22:11:06 +0100 (EET)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_0630_01C76746.72370AD0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-RCPT-TO:
Status: U
X-UIDL: 460676837
X-IMail-ThreadID:
More
17 years 8 months ago #20268 by FiercePowahs
This is generally called Email Forging/Spoofing.

Do a search on email spoofing. Here are some resources:

www.cert.org/tech_tips/email_spoofing.html

en.wikipedia.org/wiki/Email_spoofing
More
17 years 8 months ago #20270 by Smurf
It is very easy to spoof the sender/from address due to difincies within the SMTP/ESMPT protocol. Some Malware will do this to make it look like its come from your own domain to try and trick people into opening the e-mail thinking that its legitimate e-mails from the company.

It is however very difficult to spoof the address of where it has come from in the first place. As you can see from your output

[code:1]Received: from host253-36.pool8291.interbusiness.it [82.91.36.253] [/code:1]

Is the address of where the e-mail originated. If you do some digging though its probably some sort of ISP so it would probably be a waste of time trying to track it through the company who owns that address space. You will see its coming from Italy.

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Time to create page: 0.122 seconds