Re: Receiving spam from my own server

[Chris Largret <largret () gmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 1 Dec 2006 16:38:14 -0600
"Dave Moore" <dave.j.moore () gmail com> wrote:

> Hello all-
>
> I run a webserver, let's call it foobar.net
>
> I am receiving spam e-mails from addresses such as info () foobar net,
> admin () foobar net, etc. I ran the open relay tests at ordb.org, and
> they report that my server is not an open relay.
>
> I'd appreciate any suggestions as to where I should go next.
>
> Here are some headers that i've attempted to sanitize (i.e. remove my
> hostname and ip)
>
> Delivered-To: dave.j.moore () gmail com
> Received: by 10.82.163.14 with SMTP id l14cs33696bue;
>         Fri, 1 Dec 2006 13:26:41 -0800 (PST)
> Received: by 10.90.103.2 with SMTP id a2mr5744854agc.1165008401102;
>         Fri, 01 Dec 2006 13:26:41 -0800 (PST)
> Return-Path: <info () avitas net>
> Received: from www.foobar.net (www.foobar.net [66.xx.xx.xx])
>         by mx.google.com with ESMTP id 12si654066wrl.2006.12.01.13.26.40;
>         Fri, 01 Dec 2006 13:26:41 -0800 (PST)
> Received-SPF: pass (google.com: best guess record for domain of
> info () foobar net designates 66.xx.xx.xx as permitted sender)
> Received: from e180234232.adsl.alicedsl.de
> (e180234232.adsl.alicedsl.de [85.180.234.232])
>       by www.foobar.net (8.13.1/8.13.1) with SMTP id kB1LQbEt016235
>       for <info () foobar net>; Fri, 1 Dec 2006 15:26:39 -0600
> Date: Fri, 1 Dec 2006 15:26:37 -0600
> From: info () foobar net
> Message-Id: <200612012126.kB1LQbEt016235 () www foobar net>
> To: info () foobar net

The bottom "Received" header is normally the first (except in the case
of a few mailers that try to hide the originating IP by making bogus
entries), so look to that one. I'm thinking your mail is coming from
Germany (.de).

So why does it say it is coming from your server? Well, that's what
spammers do. They spoof the "From:" (and often "To:") field(s). I see
this on my mail server too, where mail will often say it is from my
address and to my address. I'd bet the same thing is going on here.

Oh, I get about 2000 spam messages a week on one account (eventually,
I'd like to make use of this by submitting them to one of the anti-spam
projects...). Just doing a search before deleting most of them reveals
that most don't contain my address in the "To:" field. They're variants
of my username on that server (ie: ones that don't exist), but the
"for" part of the Received header indicates my address.

Hth

- -- 
Chris Largret <http://www.largret.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFdxGpyBrDZUqad5ERAoPJAJ0ZWJFgxaodqgqQjztm+oDSXSKLIACePDPi
LDUBqkmeCTzaxfL71Depw9Q=
=zqrN
-----END PGP SIGNATURE-----