Re: Spam sent to me from my own mail server ?

2008-08-27 Thread Jason C. Wells
Peter Ulrich Kruppa wrote:
> Hello,
> 
> for some time now I keep receiving spam mails from my own (small) mail
> server, some of them with faked usernames some of them even with my own
> ([EMAIL PROTECTED]).
>   1) How is this possible?
>   2) What can I or do I have to do against it?
> I am running a quite plain sendmail setup from 7.0 -STABLE.

Look to see if you are running an open relay.  You shouldn't be by
default.  There are websites that will test this for you if you simply
provide the IP of the server.

That's a start.

My SPAM policy is something like this.  Spammers win. feh!  It's not the
best policy, but it requires the least effort on my part.

Regards,
Jason
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: Spam sent to me from my own mail server ?

2008-08-27 Thread Steve Bertrand

Peter Ulrich Kruppa wrote:
> Hello,
>
> for some time now I keep receiving spam mails from my own (small) mail
> server, some of them with faked usernames some of them even with my own
> ([EMAIL PROTECTED]).


How have you identified that they are actually being delivered by your 
server itself?


It is my experience that this is likely not the case, and it is only 
your addresses that are being forged.


The only way to tell for certain is to review the headers of the message.

If you wish, send the email headers (privately if you want), and we can 
identify whether or not it is in fact your server delivering these messages.


Steve


Re: Spam sent to me from my own mail server ?

2008-08-27 Thread Wayne Sierke
On Wed, 2008-08-27 at 11:40 -0400, Steve Bertrand wrote:
> Peter Ulrich Kruppa wrote:
> > Hello,
> > 
> > for some time now I keep receiving spam mails from my own (small) mail 
> > server, some of them with faked usernames some of them even with my own 
> > ([EMAIL PROTECTED]).
> 
> How have you identified that they are actually being delivered by your 
> server itself?
> 
> It is my experience that this is likely not the case, and it is only 
> your addresses that are being forged.
> 
Additionally, I see sendmail add the local domain to the From field of
incoming messages where the domain is missing. I've seen this on
numerous spam messages and even the occasional legitimate email. It's
been on my to-do list to look into this and modify it. Had me scratching
my head for a while the first time I saw it.


Wayne




Re: Spam sent to me from my own mail server ?

2008-08-27 Thread Peter Ulrich Kruppa


Steve Bertrand wrote:
> Peter Ulrich Kruppa wrote:
>> Hello,
>>
>> for some time now I keep receiving spam mails from my own (small) mail
>> server, some of them with faked usernames some of them even with my
>> own ([EMAIL PROTECTED]).
>
> How have you identified that they are actually being delivered by your
> server itself?
>
> It is my experience that this is likely not the case, and it is only
> your addresses that are being forged.

Actually I haven't identified anything, probably the address is
forged somehow.

> The only way to tell for certain is to review the headers of the message.

This should be one (I hope)
There is no user called ixd ("Yolanda") on my system:


From [EMAIL PROTECTED] Wed Aug 27 18:48:36 2008
X-Mozilla-Status: 0009
X-Mozilla-Status2: 
Return-Path: <[EMAIL PROTECTED]>
Received: from 18971066005.user.veloxzone.com.br
    (18971066005.user.veloxzone.com.br [189.71.66.5] (may be forged))
    by pukruppa.net (8.14.2/8.14.2) with SMTP id m7RGmXTN038419
    for <[EMAIL PROTECTED]>; Wed, 27 Aug 2008 18:48:34 +0200 (CEST)
    (envelope-from [EMAIL PROTECTED])
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: from [189.71.66.5] (port=22480 helo=18971066005.user.veloxzone.com.br)
    by mail.pukruppa.net with esmtp
    id d3c5a8-e87492-d2
    for [EMAIL PROTECTED]; Wed, 27 Aug 2008 13:45:59 --300
Message-ID: <[EMAIL PROTECTED]>
From: "Yolanda" <[EMAIL PROTECTED]>
To: "Jenifer" <[EMAIL PROTECTED]>
Subject: last chance for Michael
Date: Wed, 27 Aug 2008 13:45:59 --300
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="=_NextPart_001_3171_01C90864.62105880"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3028
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028

--=_NextPart_001_3171_01C90864.62105880
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

hi,



2 days ago I got present from Michael.

He was happy!

Today I found the same and much cheaper!

htp://fangem.com

Take a look

-

BTW.: I sometimes try some relay tester, their machines never 
found anything.


Greetings,

Uli.



> Steve


--



Peter Ulrich Kruppa
Wuppertal
Germany


Re: Spam sent to me from my own mail server ?

2008-08-27 Thread Chuck Swiger

On Aug 27, 2008, at 7:38 AM, Peter Ulrich Kruppa wrote:
> for some time now I keep receiving spam mails from my own (small)
> mail server, some of them with faked usernames some of them even
> with my own ([EMAIL PROTECTED]).
>
>  1) How is this possible?

Forging email headers is trivial.  You can do it with telnet by hand,
although spammers tend to use malware which blasts lots of messages

>  2) What can I or do I have to do against it?
> I am running a quite plain sendmail setup from 7.0 -STABLE.

Configuring anti-spam measures is something that would occupy a book.
For starters, look into greylisting, RBLs, and anti-spam tools which
hook into the milter interface.  There's also some config-level
changes documented here:

  http://www.sendmail.org/m4/anti_spam.html

Regards,
--
-Chuck



Re: Spam sent to me from my own mail server ?

2008-08-27 Thread Matthew Seaman

Peter Ulrich Kruppa wrote:
> Steve Bertrand wrote:
>> Peter Ulrich Kruppa wrote:
>>> for some time now I keep receiving spam mails from my own (small)
>>> mail server, some of them with faked usernames some of them even with
>>> my own ([EMAIL PROTECTED]).
>>
>> The only way to tell for certain is to review the headers of the message.
>
> Received: from 18971066005.user.veloxzone.com.br
>     (18971066005.user.veloxzone.com.br [189.71.66.5] (may be forged))
>     by pukruppa.net (8.14.2/8.14.2) with SMTP id m7RGmXTN038419
>     for <[EMAIL PROTECTED]>; Wed, 27 Aug 2008 18:48:34 +0200 (CEST)
>     (envelope-from [EMAIL PROTECTED])


It's a simple forgery by the spammer.  They just claim to be sending from 
your domain because there are apparently people that run internet connected 
mail systems where doing that makes it easier to inject spam... Either 
that, or the spammers figure they'll get you with the bounce-o-gramme even 
if the first delivery doesn't work.


There are a number of measures you can take against such things.  One thing
that is pretty easy to implement is to set up SPF records in the DNS.  This
won't stop the spammers attacking you this way, but it does mean that 
spamassassin will award them lots of spam points and probably reject the 
mail.


If you're using sendmail as your MTA, then look at implementing the 
following features in your $(hostname).mc:


FEATURE(greet_pause, `5000')dnl ## 5 seconds
FEATURE(block_bad_helo)dnl
FEATURE(badmx)dnl
FEATURE(require_rdns)dnl

These are pretty cheap resource wise and block many of the most egregious 
spammers.  There's a lot more you can do than that in setting up sendmail 
to be spam-resistant -- much more than I can describe in an e-mail like 
this.


Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
 Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
 Kent, CT11 9PW



signature.asc
Description: OpenPGP digital signature
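
Added example (not part of the thread and not any poster's code): reading the Received lines Peter quoted the way Steve and Matthew describe. Only the topmost line was written by the receiving sendmail; anything below it arrived as message data from the peer. The function names and the `my_ips` default are assumptions, and the sample is constructed from the quoted headers, abridged.

```python
import re
from email import message_from_string

# Constructed sample: the two Received lines quoted in the thread, abridged.
SAMPLE = (
    "Received: from 18971066005.user.veloxzone.com.br"
    " (18971066005.user.veloxzone.com.br [189.71.66.5] (may be forged))\n"
    "\tby pukruppa.net (8.14.2/8.14.2) with SMTP id m7RGmXTN038419\n"
    "\tfor <[EMAIL PROTECTED]>; Wed, 27 Aug 2008 18:48:34 +0200 (CEST)\n"
    "Received: from [189.71.66.5] (port=22480"
    " helo=18971066005.user.veloxzone.com.br)\n"
    "\tby mail.pukruppa.net with esmtp id d3c5a8-e87492-d2\n"
    "\tfor [EMAIL PROTECTED]; Wed, 27 Aug 2008 13:45:59 --300\n"
    "Subject: last chance for Michael\n"
    "\n"
    "hi,\n"
)

def received_hops(raw):
    """Parse Received headers top-down into (by_host, peer_ip) pairs."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())              # undo header folding
        by = re.search(r"\bby\s+([\w.-]+)", flat)
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", flat)
        hops.append((by.group(1).lower() if by else None,
                     ip.group(1) if ip else None))
    return hops

def in_domain(host, domain):
    return host is not None and (host == domain or host.endswith("." + domain))

def delivery_origin(raw, my_domain, my_ips=("127.0.0.1",)):
    """Classify the message using the topmost Received line only.

    Assumes the mailbox lives on the server that stamped that line; my_ips
    is a placeholder, the server's own address is not given in the thread.
    """
    hops = received_hops(raw)
    if not hops or not in_domain(hops[0][0], my_domain):
        return ("unknown", None)
    peer = hops[0][1]
    return ("local" if peer in my_ips else "external", peer)

def sender_supplied_claims(raw, my_domain):
    """Lower Received lines naming our domain: text supplied by the peer."""
    return [by for by, _ in received_hops(raw)[1:] if in_domain(by, my_domain)]

if __name__ == "__main__":
    print(delivery_origin(SAMPLE, "pukruppa.net"),
          sender_supplied_claims(SAMPLE, "pukruppa.net"))
```

For the quoted message this reports an external peer, 189.71.66.5, and flags the lower "by mail.pukruppa.net" line as sender-supplied text rather than evidence that the server originated the mail.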


Re: Spam sent to me from my own mail server ?

2008-08-27 Thread Chris Pratt

Peter Ulrich Kruppa wrote:
> Hello,
> for some time now I keep receiving spam mails from my own (small)
> mail server, some of them with faked usernames some of them even
> with my own ([EMAIL PROTECTED]).


Matthew's message beat me to the response but I had typed
one. There are some great tools for this and many are in
ports. SPF and these do work. Here is what has been sitting in
my drafts, it may have some additional value.
...
I don't worry much about what I receive that is forged because
I'm reasonably sure that I didn't send it nor were my servers
leveraged. I monitor heavily. On the other hand,
I do make certain that others aren't receiving spam thinking
it's from my domains. SPF helps with this, information is
available on www.openspf.org. This doesn't stop forgery,
but it does give a tool to the receiver to verify what email
is actually from your domain and email server. It's
implemented very easily in your DNS entries. SPF is you telling
the world that you authorize your domain to send email only
from a specific set of servers (or a specific server). After you
implement SPF, after a few weeks, they will generally
stop using your domain because it's too frequently rejected
by receivers. It becomes less in their interest to forge your
domain so they go pick on someone else.

If you DO want to stop people using your domain in sending to
YOU, there are several tools to use in conjunction with sendmail
to do this. I use MailScanner which is available within ports.
If there are no relays involved in how you receive mail, this
works because SpamAssassin (automatically installed with
MailScanner) will see if the email you are receiving matched SPF.
Yours and everyone else's. There are good docs on the net for
using FreeBSD, sendmail, and MailScanner and its dependencies.
If you can't find them, try this:

http://bio.fsu.edu/~sysalex/freebsd-mail-server.htm

If you are going to run a mail server, it's good to
have spam and virus defenses installed.

There are more direct methods of actually rejecting forged
emails within sendmail. You will find a list of these on the
SPF site under "implementations". These tools may or may not
be in ports. You will have to check on that. They make use of
the milter interface within sendmail.

The spf mail list is extremely helpful and professional if you have
questions on this. You can join this list on their site. I'm not
pushing their site or this draft standard, it's that SPF has
worked pretty well for what it does and its open method of
dealing with the problems.
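
Added example (not part of the thread and not any poster's code): how a receiver evaluates an SPF record against the connecting address, which is the check SpamAssassin or a milter performs for Matthew's and Chris's advice to take effect. The record, the 192.0.2.25 server address, the `DNS` table and the `check_spf` helper are constructed for illustration; 189.71.66.5 is the peer from the quoted headers.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed values: the thread gives neither a record nor the server's address.
RECORD = "v=spf1 mx ip4:192.0.2.25 -all"
DNS = {("mx", "pukruppa.net"): ["192.0.2.25"]}   # MX hosts already resolved

def check_spf(record, client_ip, domain, dns):
    """Return the SPF result for client_ip sending mail as `domain`.

    Handles the a, mx, ip4, ip6 and all mechanisms (no CIDR suffix on a/mx).
    `dns` stands in for real lookups so the example runs offline.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term[1:] if term[0] in QUALIFIERS else term
        if "=" in mech.split(":")[0]:      # modifier (redirect=, exp=): skipped here
            continue
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx"):
            matched = client_ip in dns.get((name, arg or domain), [])
        else:
            raise NotImplementedError(f"{name}: needs DNS beyond this sketch")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                       # nothing matched and no "all" term

if __name__ == "__main__":
    print(check_spf(RECORD, "189.71.66.5", "pukruppa.net", DNS))   # forged sender
    print(check_spf(RECORD, "192.0.2.25", "pukruppa.net", DNS))    # real server
```

A record ending in `-all` yields a hard fail for every unlisted address, while `~all` yields only a softfail that receivers typically score rather than reject.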




Re: Spam sent to me from my own mail server ?

2008-08-27 Thread Peter Ulrich Kruppa

Sorry, I forgot to post to the list!



Matthew Seaman wrote:
> Peter Ulrich Kruppa wrote:
>> Steve Bertrand wrote:
>>> Peter Ulrich Kruppa wrote:
>
>>>> for some time now I keep receiving spam mails from my
>>>> own (small) mail server, some of them with faked
>>>> usernames some of them even with my own ([EMAIL PROTECTED]).
>
>>> The only way to tell for certain is to review the headers
>>> of the message.
>
>> Received: from 18971066005.user.veloxzone.com.br
>> (18971066005.user.veloxzone.com.br [189.71.66.5] (may be
>> forged)) by pukruppa.net (8.14.2/8.14.2) with SMTP id
>> m7RGmXTN038419 for <[EMAIL PROTECTED]>; Wed, 27 Aug 2008
>> 18:48:34 +0200 (CEST) (envelope-from [EMAIL PROTECTED])
>
> It's a simple forgery by the spammer.  They just claim to be
> sending from your domain because there are apparently people
> that run internet connected mail systems where doing that
> makes it easier to inject spam... Either that, or the spammers
> figure they'll get you with the bounce-o-gramme even if the
> first delivery doesn't work.
>
> There are a number of measures you can take against such
> things.  One thing that is pretty easy to implement is to set
> up SPF records in the DNS.  This won't stop the spammers
> attacking you this way, but it does mean that spamassassin
> will award them lots of spam points and probably reject the mail.
>
> If you're using sendmail as your MTA, then look at
> implementing the following features in your $(hostname).mc:
Would that mean a file called
/etc/mail/pukruppa.net.mc
in my case? Since I get
# hostname
pukruppa.net
or do I leave away the .net ?

Thanks,

Uli.

>
> FEATURE(greet_pause, `5000')dnl ## 5 seconds
> FEATURE(block_bad_helo)dnl
> FEATURE(badmx)dnl
> FEATURE(require_rdns)dnl
>
> These are pretty cheap resource wise and block many of the
> most egregious spammers.  There's a lot more you can do than
> that in setting up sendmail to be spam-resistant -- much more
> than I can describe in an e-mail like this.
>
> Cheers,
>
> Matthew
>

--



Peter Ulrich Kruppa
Wuppertal
Germany





Re: Spam sent to me from my own mail server ?

2008-08-27 Thread Matthew Seaman

Peter Ulrich Kruppa wrote:
> Matthew Seaman wrote:
>> If you're using sendmail as your MTA, then look at
>> implementing the following features in your $(hostname).mc:
>
> Would that mean a file called
> /etc/mail/pukruppa.net.mc
> in my case? Since I get
> # hostname
> pukruppa.net
> or do I leave away the .net ?


It's shorthand for 'whatever you call the .mc file you generate your
sendmail.cf from.'  By default on FreeBSD it's named according to
what the hostname(1) command outputs, which should be the fully qualified 
domain name of your machine (ie. pukruppa.net).  You can create the
initial copies of the files by:

  # cd /etc/mail
  # make

which will create files pukruppa.net.mc and pukruppa.net.submit.mc
and then process those respectively into pukruppa.net.cf and 
pukruppa.net.submit.cf

Edit pukruppa.net.mc to make any changes you want, then type 'make'
to rebuild pukruppa.net.cf and then 'make install restart' to
copy pukruppa.net.cf to sendmail.cf (amongst other actions) and restart 
sendmail.  In general, whenever you do anything to sendmail related config 
files including stuff like aliases and access and virtusertable,
just run make to publish it to the running sendmail process -- you only need
'make install restart' when you modify one of the .cf files.

Cheers

Matthew

--
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
 Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
 Kent, CT11 9PW


