Re: Weird message header?

2000-12-28 Thread Peczoli Zoltan
Hi,

> Envelope-to: [EMAIL PROTECTED]
> Received: from [212.108.236.133] (helo=d4t2e9)
>   by mydomain.com with smtp (Exim 3.16 #1 (Debian))
>   id 149C7D-vQ-00
>   for [EMAIL PROTECTED]; Thu, 21 Dec 2000 21:15:04 +0100
> MIME-Version: 1.0
> Content-Type: multipart/mixed; boundary=--VE74123GD23SXEF4TEZW167
> Message-Id: [EMAIL PROTECTED]
> From: Remote Mail Delivery System 
> Bcc:
> Date: Thu, 21 Dec 2000 21:15:04 +0100
> Status:
> X-PMFLAGS: 570949760 0 1 P29A60.CNM
>
> How do you get your mail -- direct to port 25, or from a POP or IMAP
> server someplace?


Yes, exim is listening on port 25, and that's all.

> You haven't defined what your system is, it's hard to give a fix.  Are
> you a single box, a network, an ISP, something else?  How many users?
> What kind of fix, how secure a block?

It's a single box, that is online 24/7/365, it's a debian woody, fixed IP,
with exim running on port 25. It's hosting some virtual web servers, ftp,
ssh, pop3, bind. # of users is around 20, from which only 3 are able to
log in via ssh. As I said, the MTA is exim, so I receive mail directly.

I still don't know how it is possible that the Received line is this
short. Usually it consists of more Received entries (e.g. one saying the
outgoing mail server of the sender's host received the mail from the
sender, and one that says my box received it). The only reason I can think
of is that I'm the outgoing mail server of the sender, though this is
impossible, because exim is told not to relay outgoing mail for other
hosts.

Any clues?

   Pocok



Re: Weird message header?

2000-12-27 Thread kmself
on Wed, Dec 27, 2000 at 11:09:23PM +0100, Peczoli Zoltan ([EMAIL PROTECTED]) 
wrote:
> Hi,
>
> Some of my system users periodically receive a Win95.Hybris.Gen.dr
> infected EXE file. I tried to trace down the sender, but unfortunately I'm
> pretty lame interpreting the mail header. It goes like this:
>
> Envelope-to: [EMAIL PROTECTED]
> Received: from [212.108.236.133] (helo=d4t2e9)
>   by mydomain.com with smtp (Exim 3.16 #1 (Debian))
>   id 149C7D-vQ-00
>   for [EMAIL PROTECTED]; Thu, 21 Dec 2000 21:15:04 +0100
> MIME-Version: 1.0
> Content-Type: multipart/mixed; boundary=--VE74123GD23SXEF4TEZW167
> Message-Id: [EMAIL PROTECTED]
> From: Remote Mail Delivery System 
> Bcc:
> Date: Thu, 21 Dec 2000 21:15:04 +0100
> Status:
> X-PMFLAGS: 570949760 0 1 P29A60.CNM
>
> 1. What is the 'Envelope-to' line?

Bullshit.

> 2. What was the route of this mail? It looks that my system relayed the
> given host's outgoing mail. It's impossible, I've told exim not to do so
> (I think :)

If you're 212.108.236.133, then yes, it appears you're relaying.  It's
the Received: lines you want to trace.  I'm finding this to be near
s0-mezokovesd.elender.hu.  That you?

There are several spam tracing FAQs, here's one:
http://ddi.digital.net/~gandalf/spamfaq.html

> It's very annoying to get this exe file every month, so if I cannot find
> out who the sender is, it would be great to block these letters. How can I
> do this?

Procmail or specific IP blocks in your MTA.

> Thanx:
>   Pocok
>
> PS. Please forgive me if I'm too off-topic, I think other admins may find
> the replies useful if this virus occurs to them.

You might want to try one of the various mail newsgroups.

-- 
Karsten M. Self   kmself@ix.netcom.com   http://kmself.home.netcom.com/
 Evangelist, Zelerate, Inc.   http://www.zelerate.org
  What part of Gestalt don't you understand?   There is no K5 cabal
   http://gestalt-system.sourceforge.net/   http://www.kuro5hin.org




Re: Weird message header?

2000-12-27 Thread Peczoli Zoltan
Hi,

> > Envelope-to: [EMAIL PROTECTED]
> > Received: from [212.108.236.133] (helo=d4t2e9)
> >   by mydomain.com with smtp (Exim 3.16 #1 (Debian))
> >   id 149C7D-vQ-00
> >   for [EMAIL PROTECTED]; Thu, 21 Dec 2000 21:15:04 +0100
> > MIME-Version: 1.0
> > Content-Type: multipart/mixed; boundary=--VE74123GD23SXEF4TEZW167
> > Message-Id: [EMAIL PROTECTED]
> > From: Remote Mail Delivery System 
> > Bcc:
> > Date: Thu, 21 Dec 2000 21:15:04 +0100
> > Status:
> > X-PMFLAGS: 570949760 0 1 P29A60.CNM

> If you're 212.108.236.133, then yes, it appears you're relaying.  It's
> the Received: lines you want to trace.  I'm finding this to be near
> s0-mezokovesd.elender.hu.  That you?

No, it seems like a dial-in user of an ISP. I have no idea who this could
be. What is the (helo=d4t2e9) part?

Anyway, my exim config says:

host_accept_relay = localhost

so it seems Exim does not relay for anyone except localhost (which in this
case means mydomain.com)


> Procmail or specific IP blocks in your MTA.

Specific IP blocks don't work on dial-in spam, while procmail does its job
on a per-user basis, but a system-wide solution would be better. Am I wrong?

Bye:
Pocok
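
Pocok's wish above is for a check that runs once for every mailbox rather than in each user's procmail recipe. The following is an added example, not code posted by anyone in this thread: it models that system-wide stage in Python with the standard `email` library, flagging attachments that are Windows executables by file extension and, independently, by the `MZ` magic bytes of the decoded payload, so a renamed `.exe` is caught as well. The sample message, the extension list and the `quarantine`/`deliver` verdict names are constructed for the example; the thread only mentions an infected EXE.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import List

# Starting set of extensions Windows runs on double-click (assumption; extend to
# local policy). The thread itself only talks about .exe attachments.
EXECUTABLE_EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".bat")
DOS_MZ_MAGIC = b"MZ"  # first two bytes of every DOS/Windows executable


def executable_attachments(raw: bytes) -> List[str]:
    """Names of attachments that are executables, judged by the declared file
    name AND by the payload's magic bytes, so a renamed .exe is still caught."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():          # empty for non-multipart mail
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""   # base64/QP decoded
        if name.lower().endswith(EXECUTABLE_EXTENSIONS) or payload[:2] == DOS_MZ_MAGIC:
            hits.append(name)
    return hits


def system_wide_verdict(raw: bytes) -> str:
    """Decision a global filter stage (the role /etc/procmailrc plays for procmail)
    hands back for every user at once."""
    return "quarantine" if executable_attachments(raw) else "deliver"


def build_sample() -> bytes:
    """Constructed multipart/mixed message shaped like the one in the thread:
    a text body plus attachments. Nothing in it is real content."""
    msg = EmailMessage()
    msg["From"] = "Remote Mail Delivery System <constructed@example.invalid>"
    msg["To"] = "user@mydomain.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("constructed body text")
    msg.add_attachment(DOS_MZ_MAGIC + b"\x00" * 62, maintype="application",
                       subtype="octet-stream", filename="picture.exe")
    msg.add_attachment("plain notes", subtype="plain", filename="notes.txt")
    # Executable bytes hiding behind a harmless-looking name:
    msg.add_attachment(DOS_MZ_MAGIC + b"\x90" * 30, maintype="application",
                       subtype="octet-stream", filename="readme.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample()
    print(executable_attachments(sample))   # ['picture.exe', 'readme.txt']
    print(system_wide_verdict(sample))      # quarantine
```

Because the verdict is computed on the decoded payload, the check does not depend on the sender's `Content-Type` or filename being honest; wiring it in front of local delivery (or having procmail call it from a global rc file) gives the whole box one policy instead of twenty.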



Re: Weird message header?

2000-12-27 Thread kmself
on Wed, Dec 27, 2000 at 11:57:54PM +0100, Peczoli Zoltan ([EMAIL PROTECTED]) 
wrote:
> Hi,
>
> > > Envelope-to: [EMAIL PROTECTED]
> > > Received: from [212.108.236.133] (helo=d4t2e9)
> > >   by mydomain.com with smtp (Exim 3.16 #1 (Debian))
> > >   id 149C7D-vQ-00
> > >   for [EMAIL PROTECTED]; Thu, 21 Dec 2000 21:15:04 +0100
> > > MIME-Version: 1.0
> > > Content-Type: multipart/mixed; boundary=--VE74123GD23SXEF4TEZW167
> > > Message-Id: [EMAIL PROTECTED]
> > > From: Remote Mail Delivery System 
> > > Bcc:
> > > Date: Thu, 21 Dec 2000 21:15:04 +0100
> > > Status:
> > > X-PMFLAGS: 570949760 0 1 P29A60.CNM
>
> > If you're 212.108.236.133, then yes, it appears you're relaying.  It's
> > the Received: lines you want to trace.  I'm finding this to be near
> > s0-mezokovesd.elender.hu.  That you?
>
> No, it seems like a dial-in user of an ISP. I have no idea who this could
> be. What is the (helo=d4t2e9) part?

That's part of the MTA acknowledgement, I think.  I don't know mail
transfer protocols very well.

> Anyway, my exim config says:
>
> host_accept_relay = localhost
>
> so it seems Exim does not relay for anyone except localhost (which in this
> case means mydomain.com)

How do you get your mail -- direct to port 25, or from a POP or IMAP
server someplace?

> > Procmail or specific IP blocks in your MTA.
>
> Specific IP blocks don't work on dial-in spam, while procmail does its job
> on a per-user basis, but a system-wide solution would be better. Am I wrong?

See DUL blocking at RBL.

You haven't defined what your system is, it's hard to give a fix.  Are
you a single box, a network, an ISP, something else?  How many users?
What kind of fix, how secure a block?

-- 
Karsten M. Self   kmself@ix.netcom.com   http://kmself.home.netcom.com/
 Evangelist, Zelerate, Inc.   http://www.zelerate.org
  What part of Gestalt don't you understand?   There is no K5 cabal
   http://gestalt-system.sourceforge.net/   http://www.kuro5hin.org


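
Karsten's "DUL blocking at RBL" is the answer to Pocok's objection that per-IP blocks cannot keep up with dial-in users: a dial-up user list (DUL) publishes whole dynamically assigned ranges, and the MTA consults it over DNS for every connecting address instead of maintaining its own block list. The block below is an added example, not code from the thread or from any list operator: it builds the reversed-octet query name, interprets the answer the way DNSBLs conventionally signal a listing (an A record inside 127.0.0.0/8, NXDOMAIN meaning not listed), and shows the connection-time decision. The zone `dul.dnsbl.example` is a placeholder for whichever list you subscribe to, and `FAKE_DNS` is a constructed stand-in so the demo runs offline.

```python
import ipaddress
import socket
from typing import Callable, List

# Placeholder zone (assumption): substitute the zone name of the DUL/DNSBL you use.
DNSBL_ZONE = "dul.dnsbl.example"
LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")   # DNSBL listing convention


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """A DNSBL is queried by reversing the dotted quad and appending the list's zone,
    e.g. 212.108.236.133 -> 133.236.108.212.<zone>."""
    addr = ipaddress.IPv4Address(ip)   # rejects anything that is not an IPv4 address
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(ip: str, resolve: Callable[[str], List[str]], zone: str = DNSBL_ZONE) -> bool:
    """Listed if any A record lies in 127.0.0.0/8. An empty answer (NXDOMAIN) means
    not listed; any other address is treated as a broken or wildcarded zone and
    ignored, so a misbehaving list cannot make the MTA reject all mail."""
    answers = resolve(dnsbl_query_name(ip, zone))
    return any(ipaddress.IPv4Address(a) in LISTED_RANGE for a in answers)


def live_resolver(name: str) -> List[str]:
    """Real lookup through the system resolver (not exercised by the offline demo)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


# Constructed offline stand-in for the DNS: pretend the thread's dial-in address is
# listed, and give a second address a bogus non-loopback answer to test robustness.
FAKE_DNS = {
    dnsbl_query_name("212.108.236.133"): ["127.0.0.2"],
    dnsbl_query_name("203.0.113.9"): ["198.51.100.1"],
}


def stub_resolver(name: str) -> List[str]:
    return FAKE_DNS.get(name, [])


def smtp_connect_policy(ip: str, resolve: Callable[[str], List[str]] = stub_resolver) -> str:
    """Decision at SMTP connection time: a listed dial-up address is refused before
    any message data is accepted, instead of being filtered per mailbox afterwards."""
    return "reject" if is_listed(ip, resolve) else "accept"


if __name__ == "__main__":
    for ip in ("212.108.236.133", "203.0.113.9", "192.0.2.1"):
        print(ip, dnsbl_query_name(ip), smtp_connect_policy(ip))
```

Refusing at connection time is what makes the approach system-wide: no mailbox on the box ever sees the message, and no per-user recipe is needed. Swap `stub_resolver` for `live_resolver` and the placeholder zone for a real one to use it against a live list.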


Re: Weird message header?

2000-12-27 Thread Bob Bernstein
On Wed, Dec 27, 2000 at 11:09:23PM +0100, Peczoli Zoltan wrote:

> Envelope-to: [EMAIL PROTECTED]
> Received: from [212.108.236.133] (helo=d4t2e9)
>   by mydomain.com with smtp (Exim 3.16 #1 (Debian))
>   id 149C7D-vQ-00
>   for [EMAIL PROTECTED]; Thu, 21 Dec 2000 21:15:04 +0100
> MIME-Version: 1.0
> Content-Type: multipart/mixed; boundary=--VE74123GD23SXEF4TEZW167
> Message-Id: [EMAIL PROTECTED]
> From: Remote Mail Delivery System 
> Bcc:
> Date: Thu, 21 Dec 2000 21:15:04 +0100
> Status:
> X-PMFLAGS: 570949760 0 1 P29A60.CNM

You are being targeted from a probably spoofed IP with this junk. That IP
doesn't resolve, although it is close to that .hu domain that Karsten
mentioned. For my money that doesn't make it any more likely that that is
where it originated.

> 2. What was the route of this mail? It looks that my system relayed the
> given host's outgoing mail.

No. Receiving mail is not relaying mail. 

> It's impossible, I've told exim not to do so

What you've told Exim is not to act as an SMTP host for anyone but your
local users. This mail was addressed to your system. So why shouldn't you
receive it?

> How can I do this?

Just for the heck of it drop the _entire_ message, with ALL headers, into
Spamcop and see what it comes up with. 

http://spamcop.net

Then ask Karsten for help with a procmail recipe! <g>

-- 
Bob Bernstein
at
Esmond, Rhode Island, USA  
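
Bob's point that receiving is not relaying, and Pocok's earlier puzzlement over a Received: chain only one entry long, can both be checked mechanically from the header itself. The following is an added example, not code from anyone in this thread: it parses Exim-style Received: lines (the one quoted above, with the constructed recipient `user@mydomain.com` in place of the redacted address), reports what the chain shows about the origin, and models the relay decision behind `host_accept_relay = localhost` in simplified form. The `LOCAL_DOMAINS` set and the second, relay-attempt sample are assumptions made for the example; only the first Received: line and the single config directive come from the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample: the Received: header quoted in the thread, unfolded into one
# line, with the redacted recipient replaced by the constructed user@mydomain.com.
SAMPLE_RECEIVED = [
    "from [212.108.236.133] (helo=d4t2e9) by mydomain.com with smtp "
    "(Exim 3.16 #1 (Debian)) id 149C7D-vQ-00 for user@mydomain.com; "
    "Thu, 21 Dec 2000 21:15:04 +0100",
]

# Constructed counter-example (entirely made up): a host asking the same box to
# carry mail for a domain it is not responsible for.
SAMPLE_RELAY_ATTEMPT = [
    "from [198.51.100.7] (helo=host.example.net) by mydomain.com with smtp "
    "id 000000-00-00 for someone@elsewhere.example; Thu, 21 Dec 2000 22:00:00 +0100",
]

# Exim records the connecting address in brackets, preceded by its reverse-DNS name
# when one exists (the line in the thread has none), then the HELO the client sent.
RECEIVED_RE = re.compile(
    r"from\s+(?:(?P<rdns>[A-Za-z0-9.-]+)\s+)?"    # reverse-DNS name, absent if no PTR
    r"\(?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)?"   # connecting IP address
    r"(?:\s*\((?P<comment>[^)]*)\))?"             # e.g. (helo=d4t2e9)
    r"\s+by\s+(?P<by>[A-Za-z0-9.-]+)"             # the MTA that wrote this line
    r"(?:.*?\bfor\s+<?(?P<rcpt>[^\s>;]+)>?)?"     # envelope recipient, if recorded
)


@dataclass
class Hop:
    ip: str
    rdns: Optional[str]
    helo: Optional[str]
    by: str
    rcpt: Optional[str]


def parse_received(value: str) -> Hop:
    """Parse one (possibly folded) Received: header value."""
    flat = " ".join(value.split())               # unfold continuation lines
    m = RECEIVED_RE.search(flat)
    if m is None:
        raise ValueError("unrecognised Received: syntax: " + flat)
    helo = None
    if m.group("comment"):
        hm = re.search(r"helo=(\S+)", m.group("comment"))
        helo = hm.group(1) if hm else None
    return Hop(m.group("ip"), m.group("rdns"), helo, m.group("by"), m.group("rcpt"))


# Simplified model of the config in the thread. LOCAL_DOMAINS is an assumption
# (only host_accept_relay = localhost was quoted); Exim 3 calls it local_domains.
LOCAL_DOMAINS: Set[str] = {"mydomain.com"}
HOST_ACCEPT_RELAY: Set[str] = {"127.0.0.1"}      # host_accept_relay = localhost


def relay_decision(hop: Hop, local_domains=LOCAL_DOMAINS, relay_hosts=HOST_ACCEPT_RELAY) -> str:
    """Relaying is only in question when the recipient is NOT local. Mail addressed
    to a local mailbox is ordinary inbound delivery, whoever connected."""
    if hop.rcpt is None:
        return "unknown"
    domain = hop.rcpt.rsplit("@", 1)[-1].lower()
    if domain in local_domains:
        return "local-delivery"
    if hop.ip in relay_hosts:
        return "relay-permitted"
    return "relay-refused"


def trace(received_headers: List[str]) -> dict:
    """Walk the Received: chain (newest first, as it appears in the message) back
    to the origin and collect defender-side observations about it."""
    hops = [parse_received(h) for h in received_headers]
    origin = hops[-1]                            # the oldest line is the first hop
    findings = []
    if len(hops) == 1:
        findings.append("single hop: the sender connected straight to port 25 of "
                        f"{origin.by}; no intermediate mail server was involved")
    if origin.rdns is None:
        findings.append("connecting address has no reverse DNS entry")
    if origin.helo and "." not in origin.helo:
        findings.append(f"HELO name {origin.helo!r} is not a fully qualified host "
                        "name as an MTA would send; it looks like a workstation name")
    return {"origin_ip": origin.ip, "helo": origin.helo, "hops": len(hops),
            "delivery": relay_decision(origin), "findings": findings}


if __name__ == "__main__":
    for finding in trace(SAMPLE_RECEIVED)["findings"]:
        print("-", finding)
    print(trace(SAMPLE_RELAY_ATTEMPT)["delivery"])   # relay-refused
```

Run against the header from the thread, the chain is one hop long because the sending machine spoke SMTP to mydomain.com itself, which is exactly what a mail worm on a dial-up Windows box does; the recipient is local, so nothing was relayed. The one value in that header the receiving admin can trust is the connecting address his own Exim recorded; everything the client announced (the HELO name, the From: line) is under the sender's control.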



Re: Weird message header?

2000-12-27 Thread matthschulz
Take a look at

http://www.spamcop.net

Matth


On Wednesday, 27 December 2000 16:09, Peczoli Zoltan wrote:
> Hi,
>
> Some of my system users periodically receive a Win95.Hybris.Gen.dr
> infected EXE file. I tried to trace down the sender, but unfortunately I'm
> pretty lame interpreting the mail header. It goes like this:
>
> Envelope-to: [EMAIL PROTECTED]
> Received: from [212.108.236.133] (helo=d4t2e9)
>   by mydomain.com with smtp (Exim 3.16 #1 (Debian))
>   id 149C7D-vQ-00
>   for [EMAIL PROTECTED]; Thu, 21 Dec 2000 21:15:04 +0100
> MIME-Version: 1.0
> Content-Type: multipart/mixed; boundary=--VE74123GD23SXEF4TEZW167
> Message-Id: [EMAIL PROTECTED]
> From: Remote Mail Delivery System 
> Bcc:
> Date: Thu, 21 Dec 2000 21:15:04 +0100
> Status:
> X-PMFLAGS: 570949760 0 1 P29A60.CNM
>
> 1. What is the 'Envelope-to' line?
> 2. What was the route of this mail? It looks that my system relayed the
> given host's outgoing mail. It's impossible, I've told exim not to do so
> (I think :)
>
> It's very annoying to get this exe file every month, so if I cannot find
> out who the sender is, it would be great to block these letters. How can I
> do this?
>
> Thanx:
>   Pocok
>
> PS. Please forgive me if I'm too off-topic, I think other admins may find
> the replies useful if this virus occurs to them.