kal Forum Administrator
Joined: 12 Dec 2010 Posts: 11122 Location: Ottawa, Canada
Drinking: Pub Ale, Electric Creamsicle, Mild, Pliny the Younger, Belgian Dark Strong, Weizen, Russian Imperial Stout, Black Butte Porter
Posted: Fri Aug 17, 2012 2:22 pm Post subject: Any way to see internet headers of attached messages?
Recently spammers have been sending email pretending to be one of my websites.
Here's an example of one pretending to be sent from my CurtPalme.com home theater website:
Code:
-----Original Message-----
From: Get Vigara-Today [mailto:195A569A7@curtpalme.com]
Sent: August-17-12 5:04 AM
To: dyeite5505@9ravens.com
Subject: SALE!
New sale prices:
----------------
Levtira ... 1.25$
Cilais ... 1.14$
Vigara ... 0.21$
Female Pack ... 1.20$
Family Pack ... 2.12$
Professional Pack ... 3.29$
-----------------
Follow special link:
http://fmHM.doctortach.ru/
I know of this because many of these bounce back so I get a message like this:
Code:
-----Original Message-----
From: Mail Delivery System [mailto:MAILER-DAEMON@vds003.din.or.jp]
Sent: August-17-12 5:04 AM
To: 195A569A7@curtpalme.com
Subject: Undelivered Mail Returned to Sender
This is the mail system at host vds003.din.or.jp.
I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to postmaster.
If you do so, please include this problem report. You can delete your own text from the attached returned message.
The mail system
<dyeite5505@www.9ravens.com> (expanded from <dyeite5505@9ravens.com>): User unknown in virtual alias table
Attached to this bounced message are usually two files:
1. details.txt which in this case contains:
Code:
Reporting-MTA: dns; vds003.din.or.jp
X-Postfix-Queue-ID: 2139E79DD5
X-Postfix-Sender: rfc822; 195A569A7@curtpalme.com
Arrival-Date: Fri, 17 Aug 2012 18:03:43 +0900 (JST)
Final-Recipient: rfc822; dyeite5505@www.9ravens.com
Original-Recipient: rfc822;dyeite5505@9ravens.com
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; User unknown in virtual alias table
2. The original message that I posted above.
I'd like to confirm (just to be sure) that my server is not actually sending out this message but I can't seem to figure out how I can see the internet headers of an attached email. I'm not sure it's even possible? I'm using Microsoft Outlook.
Normally to view the internet header of an email message I just right click on the message and choose "Message Options". Doing this on this message however shows me the internet header of the email sent to me saying that message bounced. It looks like this:
Code:
Return-Path: <MAILER-DAEMON@lded1.atcihosting.com>
Received: from vds003.din.or.jp (vds003.din.or.jp [210.135.89.102])
by lded1.atcihosting.com (8.13.8/8.13.8) with ESMTP id q7H93kNR022302
for <195A569A7@curtpalme.com>; Fri, 17 Aug 2012 04:03:46 -0500
Received: by vds003.din.or.jp (Postfix)
id CDA2179DEF; Fri, 17 Aug 2012 18:03:44 +0900 (JST)
Date: Fri, 17 Aug 2012 18:03:44 +0900 (JST)
From: MAILER-DAEMON@vds003.din.or.jp (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: 195A569A7@curtpalme.com
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="2139E79DD5.1345194224/vds003.din.or.jp"
Content-Transfer-Encoding: 8bit
Message-Id: <20120817090344.CDA2179DEF@vds003.din.or.jp>
X-Antivirus: avast! (VPS 120816-1, 16/08/2012), Inbound message
X-Antivirus-Status: Clean
What I'd want to see in the attached (original) message is if the IP used for sending the message from 195A569A7@curtpalme.com matches my server IP (206.225.20.165).
In the message above I'm only seeing that the vds003.din.or.jp domain resolves to 210.135.89.102 which is the sender in this case as a new message was generated to bounce back to 195A569A7@curtpalme.com.
If I ping vds003.din.or.jp I see that it is in fact 210.135.89.102, so I know they sent it. I want to see the same for the message *they* received, (supposedly) sent from 195A569A7@curtpalme.com.
The other thing to do is to simply wait until I actually get a spam from one of these fake @curtpalme.com addresses but that might take a while.
So before someone asks... why is this even possible? SMTP email is completely insecure. You can "pretend" to be anyone out there, but you can't (easily) spoof an IP address. When the receiving mail server receives mail from 195A569A7@curtpalme.com, the first thing they do is contact the domain to get the IP. In the case of the spammers you'd get an IP other than mine.
Spammers need a good domain for sending out spam so that when the receiving mail server gets the mail and does a lookup, it's valid.
Kal
_________________ Our new shop with over 150 new products: shop.TheElectricBrewery.com
We ship worldwide and support our products and customers for life.
Purchasing through our affiliate links helps support our site at no extra cost to you. We thank you!
My basement/bar/brewery build 2.0
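The question above is really "which IP handed the spoofed message to the victim's mail server?", and that answer lives in the Received header the victim's MTA stamped on the returned copy, not in the headers of the bounce itself. The script below is an added example (not code from the poster or from any tool named in the thread) that does what Outlook's "Message Options" cannot: it parses a multipart/report bounce, pulls the Reporting-MTA out of the delivery-status part, finds the message/rfc822 attachment, and reads the Received line that MTA added to see which IP connected to it. The bounce is a constructed sample shaped like the one in the post; 203.0.113.7 is a documentation address standing in for the spammer's host, and 206.225.20.165 is the poster's own server IP from the thread.

```python
"""Find the IP that handed a spoofed message to the MTA that bounced it."""
import email
import re
from email import policy
from email.message import Message
from typing import Optional

# Constructed sample bounce modelled on the one in the post. The returned
# (spoofed) message is attached as message/rfc822 and carries the Received
# header that the victim MTA vds003.din.or.jp stamped on it when it arrived.
# 203.0.113.7 is a documentation address standing in for the spammer's host.
SAMPLE_BOUNCE = b"""Return-Path: <MAILER-DAEMON@vds003.din.or.jp>
From: MAILER-DAEMON@vds003.din.or.jp (Mail Delivery System)
To: 195A569A7@curtpalme.com
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
 boundary="DSN-BOUNDARY"

--DSN-BOUNDARY
Content-Type: text/plain; charset=us-ascii

This is the mail system at host vds003.din.or.jp.

--DSN-BOUNDARY
Content-Type: message/delivery-status

Reporting-MTA: dns; vds003.din.or.jp
X-Postfix-Queue-ID: 2139E79DD5

Final-Recipient: rfc822; dyeite5505@www.9ravens.com
Action: failed
Status: 5.0.0

--DSN-BOUNDARY
Content-Type: message/rfc822

Received: from mx.spammer.example (unknown [203.0.113.7])
 by vds003.din.or.jp (Postfix) with ESMTP id 2139E79DD5
 for <dyeite5505@9ravens.com>; Fri, 17 Aug 2012 18:03:43 +0900 (JST)
From: Get Vigara-Today <195A569A7@curtpalme.com>
To: dyeite5505@9ravens.com
Subject: SALE!

New sale prices ... follow special link.

--DSN-BOUNDARY--
"""

MY_SERVER_IP = "206.225.20.165"  # the poster's own mail server, from the thread

# An IPv4 address in square brackets, as MTAs write it in Received headers.
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_bounce(raw: bytes) -> Message:
    """Parse the raw bounce with the modern (RFC 5322-aware) header policy."""
    return email.message_from_bytes(raw, policy=policy.default)


def reporting_mta(bounce: Message) -> Optional[str]:
    """Host named in the DSN's Reporting-MTA field, e.g. 'vds003.din.or.jp'."""
    for part in bounce.walk():
        if part.get_content_type() == "message/delivery-status":
            # The parser splits delivery-status into header blocks; the first
            # block is the per-message one that carries Reporting-MTA.
            blocks = part.get_payload()
            if blocks and blocks[0].get("Reporting-MTA"):
                return blocks[0]["Reporting-MTA"].split(";", 1)[-1].strip()
    return None


def attached_original(bounce: Message) -> Optional[Message]:
    """The message/rfc822 part's embedded message: the mail that was returned."""
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def handoff_ip(original: Message, mta: Optional[str]) -> Optional[str]:
    """IP of the host that delivered the message to `mta`.

    Received headers are prepended by each hop, so only the line written
    "by <mta>" is trustworthy; earlier lines could have been forged by the
    sender. Falls back to any Received line if the MTA is unknown.
    """
    received = [" ".join(v.split()) for v in original.get_all("Received", [])]
    if mta:
        received = [r for r in received if f"by {mta}" in r] or received
    for line in received:
        match = IP_IN_BRACKETS.search(line)
        if match:
            return match.group(1)
    return None


def analyse(raw: bytes, my_ip: str = MY_SERVER_IP) -> dict:
    """Report whether the returned message was actually sent from my_ip."""
    bounce = parse_bounce(raw)
    original = attached_original(bounce)
    if original is None:
        return {"attached": False}
    ip = handoff_ip(original, reporting_mta(bounce))
    return {
        "attached": True,
        "claimed_from": str(original["From"]),
        "sender_ip": ip,
        "sent_by_my_server": ip == my_ip,
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_BOUNCE))
```

To run this on a real bounce, save the bounce from Outlook in .eml (message source) form and pass its bytes to analyse(). A result with sent_by_my_server False and a sender IP outside your network is the confirmation the post is after: the spoofed mail never touched your server.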
kellzey
Joined: 04 Aug 2011 Posts: 580 Location: Orlando, FL
Posted: Fri Aug 17, 2012 2:43 pm
Look into SPF records. I believe you can program an SPF record in your Domain Name Server (as a TXT record) in your registrar that specifies only the domains, or IP addresses that are allowed to send mail.
If the receiving email account uses SPF verification, they will check to see if the email originated from the authorized domain or IP and, if not, block it altogether.
I just learned about that a month or so ago, so I'm not entirely versed in it, but I was able to clear up some Yahoo delivery issues by having a proper SPF entry in my DNS settings.
Or... I may be totally off track.
_________________ I brew using electrons!
kal Forum Administrator
Joined: 12 Dec 2010 Posts: 11122 Location: Ottawa, Canada
Posted: Fri Aug 17, 2012 2:56 pm
At this time I just want to confirm that someone's doing email spoofing (the sender address and other parts of the email header are altered to appear as though the email originated from a different source - me).
If I'm not mistaken, SPF is an email validation system intended to help those that are victims of email spoofing - those that receive the actual messages (not the website whose domain is being used as the fake sender).
See: http://en.wikipedia.org/wiki/Sender_Policy_Framework
Kal
kellzey
Joined: 04 Aug 2011 Posts: 580 Location: Orlando, FL
Posted: Fri Aug 17, 2012 3:08 pm
In my case, Yahoo was blocking most of my emails sent from my company's application server since this server didn't have a valid SPF entry. Yahoo was validating before delivering, and it failed and the email was totally blocked.
Adding an SPF record in my DNS server for that particular server (by IP address) allowed my emails to go through.
And you're right, it won't help with preventing spoofing, it will just help reduce delivery of spoofed emails on the recipient side.
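What the SPF record described above actually does on the receiving side is a small policy evaluation: the receiver takes the IP that connected to it, fetches the sender domain's TXT record, and walks the record's terms until one matches. The evaluator below is an added example (not the posters' code and not a full RFC 7208 implementation): it handles the ip4/ip6 mechanisms and the all terminator, which is all a "by IP address" record like the one kellzey describes needs, and raises for mechanisms that would require DNS (a, mx, include). The record table is constructed; curtpalme.com is the thread's domain and 206.225.20.165 its server IP, the other two domains are placeholders that show a soft-fail record and the useless "+all" record beside the hardened "-all" one.

```python
"""Minimal offline SPF evaluation: ip4/ip6/all terms only (RFC 7208 subset)."""
import ipaddress
from typing import Dict, Optional

# Constructed TXT records standing in for DNS lookups. The curtpalme.com entry
# is the hardened form: only the thread's server IP may send, everyone else
# hard-fails. "open.example" shows the weak "+all" record, which authorises
# every host on the internet and so stops no spoofing at all.
RECORDS: Dict[str, str] = {
    "curtpalme.com": "v=spf1 ip4:206.225.20.165 -all",
    "softfail.example": "v=spf1 ip4:206.225.20.165 ~all",
    "open.example": "v=spf1 +all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
NEEDS_DNS = {"a", "mx", "include", "exists", "ptr", "redirect"}


def check_spf(record: Optional[str], client_ip: str) -> str:
    """Evaluate an SPF record against the IP that connected to the receiver.

    Returns an RFC 7208 result name: pass, fail, softfail, neutral, none or
    permerror. Terms are evaluated left to right and the first match wins,
    which is why "-all" must come last.
    """
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                       # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                     # default qualifier is "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term:                     # modifier such as redirect= / exp=
            name, _, arg = term.partition("=")
        else:
            name, _, arg = term.partition(":")
        name = name.lower()
        if name == "exp":
            continue                        # explanation modifier: no effect on result
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"          # malformed address or prefix
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        if name in NEEDS_DNS:
            raise NotImplementedError(f"'{name}' needs DNS lookups; not handled offline")
        return "permerror"                  # unknown mechanism
    return "neutral"                        # nothing matched and no 'all' term


def check_sender(domain: str, client_ip: str,
                 records: Dict[str, str] = RECORDS) -> str:
    """Look the domain up in the constructed table and evaluate its record."""
    return check_spf(records.get(domain), client_ip)


if __name__ == "__main__":
    for ip in ("206.225.20.165", "203.0.113.7"):
        print(ip, "->", check_sender("curtpalme.com", ip))
```

The difference between "-all" and "~all" matters for the delivery problems discussed later in the thread: a hard fail tells receivers to reject outright, while a soft fail only marks the message as suspect, so "~all" is the safer first step while you are still confirming that every host that legitimately sends for the domain (web server, newsletter tool, forum software) is listed.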
kal Forum Administrator
Joined: 12 Dec 2010 Posts: 11122 Location: Ottawa, Canada
Posted: Fri Aug 17, 2012 3:35 pm
SPF is a good point however. I (supposedly) don't have SPF records on my domains and others are saying I should add them. I'm not sure if there are any downsides (?).
Kal
kellzey
Joined: 04 Aug 2011 Posts: 580 Location: Orlando, FL
Posted: Fri Aug 17, 2012 4:13 pm
I didn't find any downsides yet. I implemented them about 3 weeks ago and successful mail delivery improved. I had a problem with aol, yahoo, and hotmail accounts not receiving my email. (Not even as SPAM or JUNK)... it would just never get delivered. Everyone else OK.
The downside was that I found the literature confusing to try and figure out how to build the record, but after a couple of attempts it worked.
I'm not saying this will fix the problems, just provide some relief on a related front.
In answer to your original question, I'm not sure how you can detect the IP of the 'original' message unless, like you said, you get spammed a copy directly.
kal Forum Administrator
Joined: 12 Dec 2010 Posts: 11122 Location: Ottawa, Canada
Posted: Fri Aug 17, 2012 4:27 pm
Thanks kellzey. I do get people from time to time saying they're not getting auto-generated messages from my site(s) so I've asked my service provider to implement SPFs for all of my domains that send out mail.
I also noticed the following and have asked them to fix:
Quote:
SMTP greeting - Checks the SMTP greeting for validity
Malformed greeting or no A records found matching banner text for following servers, and banner is not an address literal. RFC5321 requires one or the other (should not be a CNAME). If this is not set correctly, some mail platforms will reject or delay mail from you, and can cause hard to diagnose issues with deliverability. Mailserver details:
206.225.20.165 - WARNING: The hostname in the SMTP greeting does not match the reverse DNS (PTR) record for your mail server. This probably won't cause any harm, but may be a technical violation of RFC5321
My understanding is that this may also cause some messages to be rejected (and possibly not even bounced, just lost).
Kal
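The warning quoted above encodes two separate RFC 5321 conditions, and it helps to see them checked one at a time: the name in the 220 greeting must either be an address literal or have an A record, and, as a deliverability matter rather than a hard requirement, that name should agree with the PTR record of the IP the mail arrives from. The function below is an added example (not the diagnostic tool's code, and not the poster's) that applies exactly those rules. The DNS answers are injected as callables so the example runs offline; the FAKE_A and FAKE_PTR tables are constructed, with placeholder hostnames chosen so that the banner name and the PTR name disagree, reproducing the warning in the post, and 206.225.20.165 is the server IP from the thread.

```python
"""Check an SMTP 220 greeting against RFC 5321's hostname rules (offline)."""
import re
from typing import Callable, Dict, List, Optional

# Constructed DNS answers standing in for real lookups. The banner name and
# the PTR name both resolve to the server but do not match each other, which
# is the situation the quoted warning describes.
FAKE_A: Dict[str, List[str]] = {
    "mail.curtpalme.example": ["206.225.20.165"],
    "host.provider.example": ["206.225.20.165"],
}
FAKE_PTR: Dict[str, str] = {"206.225.20.165": "host.provider.example"}

# "220 <domain> ..." or the multi-line form "220-<domain> ..."
GREETING = re.compile(r"^220[ -](\S+)")
# RFC 5321 address literal such as [206.225.20.165] or [IPv6:2001:db8::1]
ADDRESS_LITERAL = re.compile(r"^\[(?:IPv6:)?[0-9A-Fa-f.:]+\]$")


def banner_hostname(greeting: str) -> Optional[str]:
    """Extract the domain a server announces in its 220 greeting line."""
    match = GREETING.match(greeting.strip())
    return match.group(1) if match else None


def check_greeting(greeting: str, server_ip: str,
                   resolve_a: Callable[[str], Optional[List[str]]],
                   resolve_ptr: Callable[[str], Optional[str]]) -> Dict[str, object]:
    """Apply the RFC 5321 greeting rules and report hard failures vs warnings.

    ok=False means receivers may legitimately reject the greeting (malformed,
    or a name with no A record). Warnings cover the PTR mismatch the post
    quotes, which is a deliverability risk rather than a protocol violation.
    """
    host = banner_hostname(greeting)
    if host is None:
        return {"ok": False, "reason": "malformed 220 greeting", "warnings": []}
    if ADDRESS_LITERAL.match(host):
        return {"ok": True, "reason": "address literal", "warnings": []}
    addrs = resolve_a(host) or []
    if not addrs:
        return {"ok": False, "reason": f"no A record for {host}", "warnings": []}
    warnings: List[str] = []
    if server_ip not in addrs:
        warnings.append(f"{host} does not resolve to {server_ip}")
    ptr = resolve_ptr(server_ip)
    if ptr is None:
        warnings.append(f"no PTR record for {server_ip}")
    elif ptr.rstrip(".").lower() != host.rstrip(".").lower():
        warnings.append(f"greeting hostname {host} does not match PTR {ptr}")
    return {"ok": True, "reason": "hostname resolves", "warnings": warnings}


if __name__ == "__main__":
    print(check_greeting("220 mail.curtpalme.example ESMTP Sendmail 8.13.8",
                         "206.225.20.165", FAKE_A.get, FAKE_PTR.get))
```

Against a live server you would replace the two callables with real resolvers (for example wrappers around socket.gethostbyname_ex and socket.gethostbyaddr from the standard library) and read the greeting from the first line the server sends after the TCP connection opens; the fix for the warning is simply to make the banner hostname and the PTR name the same name, pointing at the same IP.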
perogi
Joined: 12 Feb 2012 Posts: 850 Location: NH
Drinking: Perogi Pale, NEIPA, Nutter's Crossing Nut Brown Ale, Edmund Fitzgerald Porter Clone
Working on: Max's Maibock
Posted: Fri Aug 17, 2012 11:50 pm
Hotmail and Yahoo only block legitimate emails - the spam has no problem coming through.
Just hope you don't get blacklisted - that's a real PITA to get removed from.
kal Forum Administrator
Joined: 12 Dec 2010 Posts: 11122 Location: Ottawa, Canada
Posted: Sat Aug 18, 2012 12:55 am
I've been blacklisted before when I used to be a co-located server with other sites I didn't run (shared IP). 6 customers per box. One had an FTP account compromised and was being used to spam so our IP got blacklisted. Took weeks for the dust to settle. I moved to my own dedicated box with my own IP.
Kal