Bloody Vikings
August 7, 2006 3:11 PM Subscribe
How do I find out if a small, volunteer-run freenet is allowing one or more of its email accounts to send out spam (as compared to, say, being Joe-jobbed)?
I'm volunteer webmaster for a small local not-for-profit venture hosted on a local volunteer-run freenet. As webmaster, I inherited the site's old URL and email address, which gets a lot of spam (legit email at that account is probably <5%). That's not the question, though.
Occasionally I'll get Joe-jobbed, getting spam which appears to be from me at that address. This will usually come in a batch with literally hundreds of other spam, quite a lot of them presenting themselves as from that same domain, and many of them with viruses attached.
Is there any easy way to find out if any of the accounts at this domain are actually sending any of these emails, aside from looking through the full headers of each and every one? I'd love to find the source of the problem and bring it to the freenet's attention, if anyone there will be able to do anything about it (like suspending an offending account).
I'm volunteer webmaster for a small local not-for-profit venture hosted on a local volunteer-run freenet. As webmaster, I inherited the site's old URL and email address, which gets a lot of spam (legit email at that account is probably <5%). That's not the question, though.
Occasionally I'll get Joe-jobbed, getting spam which appears to be from me at that address. This will usually come in a batch with literally hundreds of other spam, quite a lot of them presenting themselves as from that same domain, and many of them with viruses attached.
Is there any easy way to find out if any of the accounts at this domain are actually sending any of these emails, aside from looking through the full headers of each and every one? I'd love to find the source of the problem and bring it to the freenet's attention, if anyone there will be able to do anything about it (like suspending an offending account).
Are the email return addresses from legitimate addresses at your domain or crap like absklsdh341@yourdomain.com? Won't tell you for sure, but if they're correct addresses then it's a good lead.
posted by blag at 5:31 PM on August 7, 2006
posted by blag at 5:31 PM on August 7, 2006
Best answer: If you have access to an IMAP server running Maildirs (which is where each individual message is stored separately in a containing directory), you can dump your spam into a particular folder, and then grep for IP addresses of interest. You'd probably start with, say, the class C you use, and then narrow/refine your searches based on what you discovered. That'll let you filter down pretty fast, excluding most of the noise.
As a separate step, if you have the ability to require that all users send mail through a central server, you could publish an SPF record allowing only that server to send mail. This helps some on joe jobs. I was hit with a couple on my vanity domain. After the second, I put up an SPF record, and it hasn't happened since.
This also lets you save the logs off the mail server, so if there's spam happening, you can trace it to a specific ip address and, thus, user.
If the users must be able to send themselves, you can potentially restrict the SPF to just your local netblock. If your users insist on being able to send from anywhere... then you're pretty screwed.
posted by Malor at 5:40 PM on August 7, 2006
As a separate step, if you have the ability to require that all users send mail through a central server, you could publish an SPF record allowing only that server to send mail. This helps some on joe jobs. I was hit with a couple on my vanity domain. After the second, I put up an SPF record, and it hasn't happened since.
This also lets you save the logs off the mail server, so if there's spam happening, you can trace it to a specific ip address and, thus, user.
If the users must be able to send themselves, you can potentially restrict the SPF to just your local netblock. If your users insist on being able to send from anywhere... then you're pretty screwed.
posted by Malor at 5:40 PM on August 7, 2006
Response by poster: orthogonality, that's what I was hoping not to do. :-) Sometimes I'll get a couple hundred spam at once, and I didn't want to bother looking through all of the headers one by one to determine the source. I was hoping for some way to speed up the process, though I wasn't at all sure one existed.
blag, it's a bit of both, really. I haven't tracked percentages on it, but some other accounts at the domain are being joe-jobbed, and then some of the spam presents itself as from gibberish account names with no corresponding account.
Malor, the first paragraph of your post is a good suggestion, thanks. I hadn't considered moving the spam I'm most interested in into a separate spam folder and then searching the "Received" section of the headers. At first it didn't seem a possibility, but I've figured out how to customize the mail client to search that part. It's one of those palm-to-forehead suggestions; and that's what I'll do with the next batch of spam I get.
I can't take the rest of your suggestions, though--I have an account at the freenet, the same as anyone else, but no control over the servers (I wish I did; I'd update the help pages, for one, and then look into SPF records as you suggest).
Thanks for the suggestions, everyone.
posted by Tuwa at 6:55 PM on August 7, 2006
blag, it's a bit of both, really. I haven't tracked percentages on it, but some other accounts at the domain are being joe-jobbed, and then some of the spam presents itself as from gibberish account names with no corresponding account.
Malor, the first paragraph of your post is a good suggestion, thanks. I hadn't considered moving the spam I'm most interested in into a separate spam folder and then searching the "Received" section of the headers. At first it didn't seem a possibility, but I've figured out how to customize the mail client to search that part. It's one of those palm-to-forehead suggestions; and that's what I'll do with the next batch of spam I get.
I can't take the rest of your suggestions, though--I have an account at the freenet, the same as anyone else, but no control over the servers (I wish I did; I'd update the help pages, for one, and then look into SPF records as you suggest).
Thanks for the suggestions, everyone.
posted by Tuwa at 6:55 PM on August 7, 2006
Best answer: Tuwa writes "Sometimes I'll get a couple hundred spam at once, and I didn't want to bother looking through all of the headers one by one to determine the source. I was hoping for some way to speed up the process, though I wasn't at all sure one existed."
cat the email (including headers) grep for "Received:", then span for your IP like Malor said.
posted by orthogonality at 9:08 PM on August 7, 2006
cat the email (including headers) grep for "Received:", then span for your IP like Malor said.
posted by orthogonality at 9:08 PM on August 7, 2006
Some other thoughts, briefly:
1) Ensure that you're using some form of SMTP authentication. Sounds stupid but you never know.
2) Change everyone's email passwords to something non-dictionary and strong.
3) Remove all unneeded ftp/shell accounts. Change the passwords on those you need to keep.
4) Check the contact forms on your website; make sure they're not using older versions of formmail or anything you wrote yourself. Swap them for NMS or similar.
These steps should solve 90% of spamming problems. Sure, a spammer could find other ways to abuse your box but most will give up at this point and move on to a less well-secured server. So, if you're still receiving spam after these steps it's likely to be a joe-jobbing (or one of your users) rather than a hack.
posted by blag at 4:00 AM on August 8, 2006
1) Ensure that you're using some form of SMTP authentication. Sounds stupid but you never know.
2) Change everyone's email passwords to something non-dictionary and strong.
3) Remove all unneeded ftp/shell accounts. Change the passwords on those you need to keep.
4) Check the contact forms on your website; make sure they're not using older versions of formmail or anything you wrote yourself. Swap them for NMS or similar.
These steps should solve 90% of spamming problems. Sure, a spammer could find other ways to abuse your box but most will give up at this point and move on to a less well-secured server. So, if you're still receiving spam after these steps it's likely to be a joe-jobbing (or one of your users) rather than a hack.
posted by blag at 4:00 AM on August 8, 2006
Response by poster: blag, I can't do that; I'm just another account on the server and I have no say over what my host does.
Re #3, though, could you elaborate on what dangers the ftp accounts pose? My freenet offers both of those; I remember enough about Unix to know why shell access on an insecure box is a Bad Idea, but what about ftp? What sorts of programs or files would be the ones to look for?
I've just remembered that the site offered a complete list of accounts the last time I was exploring at any depth. That could help me generate a list of URLs to look for suspicious things on peoples' sites, but of course it's also phenomenally helpful to spammers, since the email addresses are all in the same format.
posted by Tuwa at 5:09 AM on August 8, 2006
Re #3, though, could you elaborate on what dangers the ftp accounts pose? My freenet offers both of those; I remember enough about Unix to know why shell access on an insecure box is a Bad Idea, but what about ftp? What sorts of programs or files would be the ones to look for?
I've just remembered that the site offered a complete list of accounts the last time I was exploring at any depth. That could help me generate a list of URLs to look for suspicious things on peoples' sites, but of course it's also phenomenally helpful to spammers, since the email addresses are all in the same format.
posted by Tuwa at 5:09 AM on August 8, 2006
ftp accounts can be as useful as shell access from a spammer's perspective. A malicious user could easily upload a mass-mailer script to your server which would use, say, php's mail() function to send out spam. It would be executed by visiting the file's address in a web browser. Or it could interface with the server's smtp facility and use that. Could be anything, though is most likely to be a php file.
posted by blag at 8:03 AM on August 8, 2006
posted by blag at 8:03 AM on August 8, 2006
Response by poster: Ah, right. That makes sense. Thanks for the explanation.
posted by Tuwa at 2:04 PM on August 8, 2006
posted by Tuwa at 2:04 PM on August 8, 2006
Response by poster: Oddly enough, I've gotten only two more of these since I posted this.
There is only one received: header in the emails, but the email's IP doesn't match its DNS self-identification. The IP is 211.22.76.251 but the emails present that IP as my local freenet, which it's not. 211.22.76.251 resolves to CNH-49, which as an address doesn't mean a lot to me. My local freenet's IP is not 211.22.76.251; it starts with "128.227."
I've heard of header injection but, as I've said, there's only the one received: header on these last spam. If I've understood the headers right, this other box is presenting itself as my local freenet and my local freenet is just accepting it as such.
I'm wondering if the freenet is running an open relay (and wondering also why the server isn't already in the open relay database if so). I'm not really sure what all this means.
posted by Tuwa at 2:39 AM on August 10, 2006
There is only one received: header in the emails, but the email's IP doesn't match its DNS self-identification. The IP is 211.22.76.251 but the emails present that IP as my local freenet, which it's not. 211.22.76.251 resolves to CNH-49, which as an address doesn't mean a lot to me. My local freenet's IP is not 211.22.76.251; it starts with "128.227."
I've heard of header injection but, as I've said, there's only the one received: header on these last spam. If I've understood the headers right, this other box is presenting itself as my local freenet and my local freenet is just accepting it as such.
I'm wondering if the freenet is running an open relay (and wondering also why the server isn't already in the open relay database if so). I'm not really sure what all this means.
posted by Tuwa at 2:39 AM on August 10, 2006
Response by poster: Some more servers presenting themselves as the local freenet:
222.160.77.96
211.22.76.251
222.133.103.53
218.82.239.139
60.221.123.231
60.2.6.69
These are all taken from headers on spam, but not spam presenting the sender as @ the local freenet. On every one of these there is only one Received: line in the headers.
posted by Tuwa at 3:31 AM on August 10, 2006
222.160.77.96
211.22.76.251
222.133.103.53
218.82.239.139
60.221.123.231
60.2.6.69
These are all taken from headers on spam, but not spam presenting the sender as @ the local freenet. On every one of these there is only one Received: line in the headers.
posted by Tuwa at 3:31 AM on August 10, 2006
Response by poster: Ok, I think I've solved the original problem, and I've marked two best answers, but I'm still not sure what the rest of it means.
An example (with the domain obscured; I'm sure you can figure it out from my profile if you're curious):
from freenet3.domain.gTLD ([60.221.123.231]) by smtp.domain.gTLD (8.13.3/8.13.3) with SMTP id k78IpR9R027641
This is the only "received:" line in the spam header. The IP is not my freenet, and my freenet only offers dialup and only locally. Doing a lookup on this IP shows no records. The same thing happens with all the IPs in the previous comment.
Is this evidence of some sort of spam script being hosted on the site somewhere? I just ask because I'd like to know exactly what to say when I call them. ... Or maybe I can just describe the problem and they'll figure it out?
posted by Tuwa at 12:07 PM on August 11, 2006
An example (with the domain obscured; I'm sure you can figure it out from my profile if you're curious):
from freenet3.domain.gTLD ([60.221.123.231]) by smtp.domain.gTLD (8.13.3/8.13.3) with SMTP id k78IpR9R027641
This is the only "received:" line in the spam header. The IP is not my freenet, and my freenet only offers dialup and only locally. Doing a lookup on this IP shows no records. The same thing happens with all the IPs in the previous comment.
Is this evidence of some sort of spam script being hosted on the site somewhere? I just ask because I'd like to know exactly what to say when I call them. ... Or maybe I can just describe the problem and they'll figure it out?
posted by Tuwa at 12:07 PM on August 11, 2006
This thread is closed to new comments.
posted by orthogonality at 3:32 PM on August 7, 2006