If you're fairly certain about your box (and it is possible that it is
relaying mail on some odd port or even generating mail to send out, via
some worm or other nasty), then I'd say to remember that the IP address
is easily claimed on any machine anywhere... maybe close to the next
hop, in Russia??  I'm guessing the IP in question belongs to you or your
client... so I guess you'd call that spoofing; there might be a
machine on a LAN generating this elsewhere, with the same IP.  That part
is hard to find out about though!  
Do you have a log of traffic upstream from the box, like a firewall
interface which could summarize connections (ie, turn on some level of
logging)?
Sorry I was out watching the fabulous movie "Whale Rider", catch it
before it leaves the Bijou if you haven't already -- and also, please
catch me up with this thread... what is the current state of this issue,
Bob?   What an enticing offer, anyway; I hope I'm not too late!  ( =


regards,

   Ben B


PS - If you want a portscan of the IP in question, say so -- I will hold
off until I hear back...


On Tue, 22 Jul 2003 01:18:20 +0000
"Bob Crandell" <[EMAIL PROTECTED]> wrote:

| Ok, Ben and Cory, first one to respond gets a paycheck.
| 
| Cory Petkovsek ([EMAIL PROTECTED]) wrote:
| >
| >On Mon, Jul 21, 2003 at 11:10:50PM +0000, Bob Crandell wrote:
| >> Hi,
| >>
| >> The computer they are complaining about [216.239.175.40] is not
| >> running sendmail or qmail, yet spammers are using it somehow.
| >> Please tell me there is enough information here to determine that
| >> they are spoofing.  This computer is not supposed to be handling
| >> email at all.
| >> I'm trying to help this guy but I don't know enough to be very good
| >> at it.
| >>
| >> Thanks.
| >
| >
| >> > Received: from mail by f21.mail.ru with local
| >> > id 19MDlt-000PpF-00
| >> > for [EMAIL PROTECTED]; Sun, 01 Jun 2003 01:20:13 +0400
| >> > Received: from [216.239.175.40] by koi.mail.ru with HTTP;
| >> > Sun, 01 Jun 2003 01:20:13 +0400
| >> > From: "ipxsn_ln19umzu3 ipxsn_ln19umzu3" <[EMAIL PROTECTED]>
| >> > To: [EMAIL PROTECTED]
| >> > Subject:
| >> >
| >
| >These are interesting lines.  Assuming we can trust what koi.mail.ru
| >is saying, received with HTTP.  Looking at other mail headers I see
| >these: local, smtp or esmtp.  Local would be something like what kbob
| >talked about:
| >$ cat spamfile | sendmail [EMAIL PROTECTED]
| >smtp/esmtp would be if one mta connects to another.  Notice that
| >f21.mail.ru gets mail locally from "mail" right after koi.mail.ru
| >receives it.  It is not an smtp/esmtp transfer.  I suspect then that
| >they may be the same machine and the mail is being passed around
| >outside of an mta (ie procmail or some script or webmail).  Looking
| >up the ip addresses, they are different machines.  HTTP would
| >probably be for webmail.
| >
| >> > X-Mailer: mPOP Web-Mail 2.19
| >> > X-Originating-IP: 127.0.0.1 via proxy [216.239.175.40]
| >
| >These are more interesting lines found in the mail header.  If
| >koi.mail.ru is running webmail, specifically mPOP web-mail, then the
| >originating ip makes sense.  I don't get the via proxy though, unless
| >they add that to systems that connect to them and send mail.  This
| >should be the originating ip though.
| >
| >Looking at koi.mail.ru, one sees it is a search engine, with maybe
| >some other features such as mailing out.  I can't tell because it is
| >all in russian.
| >
| >I think kbob's suggestion is right on.  I would look for zombies and
| >worms on the box found at 216.239.175.40.
| >
| >Cory
| >
| >EuG-LUG mailing list
| >[EMAIL PROTECTED]
| >http://mailman.efn.org/cgi-bin/listinfo/eug-lug
| >
| 
| --
| Bob Crandell
| Assured Computing
| When you need to be sure.
| [EMAIL PROTECTED]
| www.assuredcomp.com
| Voice - 541-689-9159
| FAX - 541-463-1627
| Eugene, Oregon
| 
| 


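Cory's reading of the Received chain above, worked through as an added example (not code from anyone in the thread): a small parser that unfolds the headers, lists the hops oldest-first and classifies each handoff, so the "from [216.239.175.40] ... with HTTP" hop stands out from an MTA-to-MTA transfer. The header sample is reconstructed from the quoted message with placeholder addresses, since the real ones were redacted.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the Received lines quoted in the thread, with folded
# continuation lines and a placeholder recipient address.
SAMPLE_HEADERS = (
    "Received: from mail by f21.mail.ru with local\n"
    "\tid 19MDlt-000PpF-00\n"
    "\tfor victim@example.invalid; Sun, 01 Jun 2003 01:20:13 +0400\n"
    "Received: from [216.239.175.40] by koi.mail.ru with HTTP;\n"
    "\tSun, 01 Jun 2003 01:20:13 +0400\n"
)

RECEIVED_RE = re.compile(
    r"from\s+\[?(?P<from>[^\s\]]+)\]?\s+by\s+(?P<by>\S+)\s+with\s+(?P<with>[\w-]+)",
    re.IGNORECASE)
# Meaning of the "with" clause: only smtp/esmtp is one MTA talking to another.
HANDOFF = {"smtp": "MTA to MTA", "esmtp": "MTA to MTA",
           "local": "same-host handoff (script, procmail, webmail backend)",
           "http": "webmail submission"}

def unfold(raw: str) -> List[str]:
    """Rejoin RFC 822 folded continuation lines onto their header."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def parse_received(raw: str) -> List[Dict[str, str]]:
    """Received hops in transit order (oldest first); headers are prepended,
    so the on-the-wire order is newest first and has to be reversed."""
    hops = []
    for line in unfold(raw):
        name, _, value = line.partition(":")
        m = RECEIVED_RE.search(value) if name.lower() == "received" else None
        if m:
            hop = m.groupdict()
            hop["handoff"] = HANDOFF.get(hop["with"].lower(), "unknown")
            hops.append(hop)
    hops.reverse()
    return hops

def claimed_origin(raw: str) -> Optional[str]:
    """IP the earliest hop *claims* to have received from. Only the server that
    wrote that line vouches for it; anything earlier is sender-supplied."""
    hops = parse_received(raw)
    return hops[0]["from"] if hops else None
```

For this sample the earliest hop is koi.mail.ru receiving over HTTP from 216.239.175.40, which is why the box (or something proxying through it) is what gets blamed.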
