

Phanerothyme
28-06-2005, 12:34
I'm getting deluged with I-Worm/Mytob.IF - typically the header looks like this (ignore spampal stuff at the bottom).

None of the mailboxes @netheredge exist (obviously it has a list of generated names for sender and recipient), but my question is:

Can it also spoof the HELO message, or does the worm need to actually change the machine ID to do this?

Not an email expert...


X-POP3-From: webmaster@netheredge.com
Return-path: <webmaster@netheredge.com>
Envelope-to: claudia@netheredge.com
Delivery-date: Tue, 28 Jun 2005 07:25:49 +0100
Received: from host81-136-203-198.in-addr.btopenworld.com ([81.136.203.198] helo=netheredge.com)
by rubidium.webfusion.co.uk with esmtp (Exim 3.36 #1)
id 1Dn9XX-0004zw-00
for claudia@netheredge.com; Tue, 28 Jun 2005 07:25:47 +0100
From: webmaster@netheredge.com
To: claudia@netheredge.com
Subject: **SPAM** **SPAM BLIST 81.136.203.198** Your password has been updated
Date: Tue, 28 Jun 2005 07:25:54 +0100
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <E1Dn9XX-0004zw-00@rubidium.webfusion.co.uk>
X-Antivirus: AVG for E-mail 7.0.323 [267.8.5]
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0008_4F116EF4.3B015EA0"
X-Bayesian-Result: Clean (0)
X-Bayesian-Words: 7.0.323 13 account 15 antivirus 16 avg 14 file 5 files 4 found 12 netheredge 15 password 1
X-SpamPal: SPAM BLIST 81.136.203.198
X-Blist-Pattern: 81.136.203.198

Joelc
28-06-2005, 13:12
Yes, it's easy for worms and other malicious crap to spoof most of the mail header, including the HELO message. Most decent mailservers with decent AV/spam filtering should pick these up before they even get as far as you.

Joel
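To make Joelc's point concrete from the defender's side: the `helo=` value in the Received line is whatever the connecting client said, so a mail server or filter should compare it against the things the client cannot choose, namely the connecting IP and its reverse DNS. The following is an added example (not code from the thread or from SpamPal/Exim) that unfolds the Received header quoted in the first post, extracts those three fields, and flags the combinations that made this message suspicious: a HELO that claims one of your own domains from a host that is not yours, a HELO that does not match the reverse DNS at all, and a reverse DNS name that just encodes the IP address (typical of consumer address pools). The "our domains" set, the clean comparison header and the dynamic-pool heuristic are assumptions for illustration.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample: the Received/From/To lines quoted in the thread, with the
# folded continuation lines indented as a mail client would store them.
SAMPLE_HEADERS = """\
Received: from host81-136-203-198.in-addr.btopenworld.com ([81.136.203.198] helo=netheredge.com)
\tby rubidium.webfusion.co.uk with esmtp (Exim 3.36 #1)
\tid 1Dn9XX-0004zw-00
\tfor claudia@netheredge.com; Tue, 28 Jun 2005 07:25:47 +0100
From: webmaster@netheredge.com
To: claudia@netheredge.com
"""

# Constructed comparison: a relay whose HELO and reverse DNS agree (192.0.2.0/24 is
# a documentation range, so this is not a real host).
CLEAN_HEADERS = """\
Received: from mail.example.net ([192.0.2.10] helo=mail.example.net)
\tby rubidium.webfusion.co.uk with esmtp (Exim 3.36 #1)
\tfor claudia@netheredge.com; Tue, 28 Jun 2005 08:00:00 +0100
From: someone@example.net
To: claudia@netheredge.com
"""

# Matches Exim's "from <rdns> ([<ip>] helo=<name>)" form of the Received header.
RECEIVED_RE = re.compile(
    r"Received:\s*from\s+(?P<rdns>\S+)\s+"
    r"\(\[(?P<ip>\d+\.\d+\.\d+\.\d+)\]\s+helo=(?P<helo>[^)\s]+)\)",
    re.IGNORECASE,
)


def unfold(headers: str) -> str:
    """Join RFC 2822 folded header lines (continuation lines start with whitespace)."""
    return re.sub(r"\r?\n[ \t]+", " ", headers)


def parse_received(headers: str) -> Optional[Dict[str, str]]:
    """Return {'rdns', 'ip', 'helo'} from the first Exim-style Received line, or None."""
    match = RECEIVED_RE.search(unfold(headers))
    return match.groupdict() if match else None


def under_domain(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it (case-insensitive)."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def helo_findings(headers: str, our_domains: Set[str]) -> List[str]:
    """Heuristic checks on the HELO name versus the facts the client cannot forge.

    our_domains: domains this server accepts mail for (assumed input). A legitimate
    sender never needs to HELO as one of them from a host that is not ours.
    """
    rec = parse_received(headers)
    if rec is None:
        return ["no_parseable_received_line"]
    findings: List[str] = []
    helo, rdns, ip = rec["helo"], rec["rdns"], rec["ip"]

    # 1. HELO claims to be us, but the connecting host's reverse DNS is not under our domain.
    if any(under_domain(helo, d) for d in our_domains) and not any(
        under_domain(rdns, d) for d in our_domains
    ):
        findings.append("helo_claims_our_domain")

    # 2. HELO bears no relation to the reverse DNS name. On its own this is weak
    #    evidence (plenty of badly configured but legitimate relays do it), so it is
    #    reported separately rather than treated as spam by itself.
    if helo.lower().rstrip(".") != rdns.lower().rstrip("."):
        findings.append("helo_rdns_mismatch")

    # 3. Reverse DNS that merely spells out the IP (host81-136-203-198...) is the
    #    pattern of a generic consumer pool rather than a named mail server.
    #    Heuristic: every octet of the IP appears in the hostname.
    if all(octet in rdns for octet in ip.split(".")):
        findings.append("dynamic_looking_rdns")

    return findings


if __name__ == "__main__":
    print(parse_received(SAMPLE_HEADERS))
    print("worm sample:", helo_findings(SAMPLE_HEADERS, {"netheredge.com"}))
    print("clean sample:", helo_findings(CLEAN_HEADERS, {"netheredge.com"}))
```

Run against the thread's header this reports all three findings, while the constructed clean relay reports none. The first finding is the one worth acting on in a filter: nobody outside your own infrastructure has a reason to HELO as your domain, so a rule on it catches this class of worm before the sending IP appears on any DNSBL, which was exactly the gap SpamPal left here. The reverse-DNS checks are supporting evidence only and should score, not reject, on their own.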

Phanerothyme
28-06-2005, 13:30
They're not getting to me, but this looks like it's a compromised dial-up/ADSL/home machine. I just wanted to make sure I wasn't spamming myself (although ob mail protection should spot that too).

SpamPal isn't tagging it automatically as the machine is not yet on any of the DNSBL lists, so I've had to blacklist it manually, but it's the second machine to start spamming me with btopenworld-originating worm-infected messages.

I'm wondering if it is someone I know....it seems likely.

Thing is my dad is away, and I bet he has left his box connected :rolleyes:

Phanerothyme
28-06-2005, 13:31
> Originally posted by Joelc
> Most decent mailservers with decent AV/spamfiltering should pickup these before even getting as far as you.


Yes, you'd think Pipex would have that one sorted doncha...

Joelc
28-06-2005, 13:36
It could well be. If it has you@netheredge.com in the address book, and you're getting lots of $name@netheredge.com, chances are it's generating its own usernames, or using usernames from elsewhere on the infected machine to spread itself to as many mailboxes as possible.

I very rarely get problems like that; SpamAssassin and ClamAV pick it up before it gets to me, and if it does, I just feed the message back through the system marked as spam and it adds it to its Bayesian filters, and it's sorted, and very effective: 9000 spams blocked today on my server \o/

Joel

sccsux
28-06-2005, 13:38
Are you using a catch all email address on the domain?

If you are, try turning it off/disabling it;).