Hey,
I have gotten a couple of false reports of spam originating from my system over
the last few months. These reports are coming from my ISP. I contend that what
they have sent me is not proof, because email headers can be forged. I also
present a logical argument for why this mail could not have originated from our
system, as well as speculation as to what might have happened. Does this make
sense to anyone else? My ISP is acting like they don't believe me, and saying
they will cite this as evidence if they ever want to terminate my access.
Here is the header they sent me:
Received: from vsmtp15.tin.it (192.168.70.119) by ims5b.cp.tin.it (7.0.027)
    id 4200083A00DEF78F for [EMAIL PROTECTED]; Thu, 21 Apr 2005 10:18:41 +0200
Received: from cpe-68-203-199-222.satx.res.rr.com (68.203.199.222) by
    vsmtp15.tin.it (7.0.027)
    id 4227B8750499C924 for [EMAIL PROTECTED]; Thu, 21 Apr 2005 10:18:41 +0200
Received: from grouppowellone.com (mail1.bullhorn.com [209.202.131.100])
    by cpe-68-203-199-222.satx.res.rr.com with esmtp
    id 9B89474B31 for <[EMAIL PROTECTED]>; Thu, 21 Apr 2005 01:18:56 -0700
Here is my argument. We don't send mail from 209.202.131.100. That's our
incoming mail server. We have a separate cluster for outgoing mail, which
communicates on a separate IP to the external world (209.202.131.98). In fact,
our firewall does not ALLOW outgoing port 25 traffic from any IP except
209.202.131.98.
Here is what I think happened:
1. Some RoadRunner (rr.com) home PC has been trojaned by a virus.
2. The virus either looks in the local Outlook address book or does a search online
and finds a random contact/DNS record with the domain grouppowellone.com. We
happen to host this domain.
3. The virus does an MX lookup on the domain it wishes to forge mail from, and gets
mail1.bullhorn.com, 209.202.131.100, as the primary MX record.
4. The virus sends a spam message through the local RoadRunner open SMTP relay
server, but forges both the sender (which is a common tactic) AND the first hop
of the header (which I am seeing more and more). This has the effect of making
it look like the message came from a legitimate email server.
The hole in their plan, with respect to us, is that email does not originate
from that IP address in our system. We route all outgoing mail through another
IP.
Just to be sure, I tested our servers. They are not an open relay:
>telnet mail1.bullhorn.com 25
220 INBOUND4.BULLHORN.COM (IMail 8.05 139897-7) NT-ESMTP Server X1e
>ehlo
250-INBOUND4.BULLHORN.COM says hello
250-SIZE 0
250-8BITMIME
250-DSN
250-ETRN
250-AUTH LOGIN CRAM-MD5
250-AUTH=LOGIN
250 EXPN
>mail from: [email protected]
250 ok
>rcpt to: [EMAIL PROTECTED]
550 not local host virgilio.it, not a gateway
Am I in the right here? This is fairly low volume, we get about 1 report a
month. Also, we are on no blacklists except SPEWS, which we have been on for
more than a year due to some casino website sharing our IP block.
-Chase
Chase Seibert | Network and Systems Engineer | Bullhorn Inc. | 617.464.2440
x119 | www.bullhorn.com
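The header-chain reasoning in the post above, turned into an added worked example (my code, not Chase's or Bullhorn's): parse the three Received headers and walk them from the recipient's side, trusting a hop only while the stamping ("by") host is one the reader's own organisation runs. Each trusted stamp records the IP that actually connected, so that IP is verified; the first hop stamped by a foreign host, and everything below it, is text supplied by the last verified client. The trusted host set is an assumption made for the example, and the sample headers are a copy of the ones quoted above, refolded as RFC 5322 continuation lines.

```python
import re

# Constructed sample: the three Received headers quoted in the post,
# refolded as RFC 5322 continuation lines (leading whitespace). Nothing else changed.
SAMPLE_HEADERS = """\
Received: from vsmtp15.tin.it (192.168.70.119) by ims5b.cp.tin.it (7.0.027)
 id 4200083A00DEF78F for [EMAIL PROTECTED]; Thu, 21 Apr 2005 10:18:41
 +0200
Received: from cpe-68-203-199-222.satx.res.rr.com (68.203.199.222) by
 vsmtp15.tin.it (7.0.027)
 id 4227B8750499C924 for [EMAIL PROTECTED]; Thu, 21 Apr 2005 10:18:41
 +0200
Received: from grouppowellone.com (mail1.bullhorn.com [209.202.131.100])
 by cpe-68-203-199-222.satx.res.rr.com with esmtp
 id 9B89474B31 for <[EMAIL PROTECTED]>; Thu, 21 Apr 2005 01:18:56 -0700
"""

# Assumption for this example: the hosts the recipient's ISP (tin.it) operates itself.
# These are the only "by" stamps the ISP can vouch for; a real analyst takes this
# list from their own server inventory.
ISP_TRUSTED_HOSTS = {"ims5b.cp.tin.it", "vsmtp15.tin.it"}

# "from <helo> (<comment>) by <host>"; the comment normally carries rDNS and/or the peer IP.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+(?:\((?P<comment>[^)]*)\)\s+)?by\s+(?P<by>\S+)", re.I
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def unfold(raw):
    """Join RFC 5322 folded continuation lines onto the header line they belong to."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_received(raw):
    """Return Received hops in header order: top = most recent stamp, bottom = earliest claim.

    Each hop is {"helo", "from_ip", "by"}; from_ip is None when the comment has no IP."""
    hops = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        m = HOP_RE.search(line)
        if not m:
            continue
        ip = IP_RE.search(m.group("comment") or "")
        hops.append({
            "helo": m.group("helo"),
            "from_ip": ip.group(1) if ip else None,
            "by": m.group("by").lower(),
        })
    return hops


def trace_origin(hops, trusted_hosts):
    """Walk downward from the most recent hop while the stamping host is one we run.

    Returns (last_verified_ip, unverifiable_hops). A trusted stamp's "from" IP is the
    peer that really connected; once a hop is stamped by a host we do not control, that
    hop and every hop below it are just text the last verified peer handed over."""
    trusted = {h.lower() for h in trusted_hosts}
    verified_ip = None
    for i, hop in enumerate(hops):
        if hop["by"] not in trusted:
            return verified_ip, hops[i:]
        verified_ip = hop["from_ip"]
    return verified_ip, []


if __name__ == "__main__":
    hops = parse_received(SAMPLE_HEADERS)
    origin, unverified = trace_origin(hops, ISP_TRUSTED_HOSTS)
    print("last verifiable source IP:", origin)
    for hop in unverified:
        print("unverifiable claim: from", hop["helo"], hop["from_ip"], "by", hop["by"])
```

With tin.it's two servers trusted, the walk stops at the hop stamped by the RoadRunner cable-modem host: 68.203.199.222 is the last address the ISP's own logs can vouch for, and the bottom header, the only one naming 209.202.131.100, falls in the unverifiable tail. Run the same trace with only Bullhorn's own hosts trusted and no hop in the chain is verifiable at all, since none of the "by" stamps were made by a Bullhorn server.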