Any way to see internet headers of attached messages?
TheElectricBrewery.com Forum Index -> Forum Feedback

kal (Forum Administrator)
Posted: Fri Aug 17, 2012 2:22 pm    Post subject: Any way to see internet headers of attached messages?

Recently spammers have been sending email pretending to be one of my websites.

Here's an example of one pretending to be sent from my CurtPalme.com home theater website:

Code:
-----Original Message-----
From: Get Vigara-Today [mailto:195A569A7@curtpalme.com]
Sent: August-17-12 5:04 AM
To: dyeite5505@9ravens.com
Subject: SALE!

New sale prices:
----------------

Levtira ... 1.25$

Cilais ... 1.14$

Vigara ... 0.21$

Female Pack ... 1.20$

Family Pack ... 2.12$

Professional Pack ... 3.29$

-----------------

Follow special link:

http://fmHM.doctortach.ru/


I know of this because many of these bounce back so I get a message like this:

Code:
-----Original Message-----
From: Mail Delivery System [mailto:MAILER-DAEMON@vds003.din.or.jp]
Sent: August-17-12 5:04 AM
To: 195A569A7@curtpalme.com
Subject: Undelivered Mail Returned to Sender

This is the mail system at host vds003.din.or.jp.

I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can delete your own text from the attached returned message.

                   The mail system

<dyeite5505@www.9ravens.com> (expanded from <dyeite5505@9ravens.com>): User unknown in virtual alias table


Attached to this bounced message are usually two files:

1. details.txt which in this case contains:

Code:
Reporting-MTA: dns; vds003.din.or.jp
X-Postfix-Queue-ID: 2139E79DD5
X-Postfix-Sender: rfc822; 195A569A7@curtpalme.com
Arrival-Date: Fri, 17 Aug 2012 18:03:43 +0900 (JST)

Final-Recipient: rfc822; dyeite5505@www.9ravens.com
Original-Recipient: rfc822;dyeite5505@9ravens.com
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; User unknown in virtual alias table


2. The original message that I posted above.

I'd like to confirm (just to be sure) that my server is not actually sending out this message, but I can't seem to figure out how I can see the internet headers of an attached email. I'm not sure it's even possible? I'm using Microsoft Outlook.

Normally, to view the internet header of an email message, I just right-click on the message and choose "Message Options". Doing this on this message, however, shows me the internet header of the email sent to me saying that the message bounced. It looks like this:

Code:
Return-Path: <MAILER-DAEMON@lded1.atcihosting.com>
Received: from vds003.din.or.jp (vds003.din.or.jp [210.135.89.102])
   by lded1.atcihosting.com (8.13.8/8.13.8) with ESMTP id q7H93kNR022302
   for <195A569A7@curtpalme.com>; Fri, 17 Aug 2012 04:03:46 -0500
Received: by vds003.din.or.jp (Postfix)
   id CDA2179DEF; Fri, 17 Aug 2012 18:03:44 +0900 (JST)
Date: Fri, 17 Aug 2012 18:03:44 +0900 (JST)
From: MAILER-DAEMON@vds003.din.or.jp (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: 195A569A7@curtpalme.com
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
   boundary="2139E79DD5.1345194224/vds003.din.or.jp"
Content-Transfer-Encoding: 8bit
Message-Id: <20120817090344.CDA2179DEF@vds003.din.or.jp>
X-Antivirus: avast! (VPS 120816-1, 16/08/2012), Inbound message
X-Antivirus-Status: Clean


What I'd want to see in the attached (original) message is if the IP used for sending the message from 195A569A7@curtpalme.com matches my server IP (206.225.20.165).

In the message above I'm only seeing that the vds003.din.or.jp domain resolves to 210.135.89.102, which is the sender in this case, as a new message was generated to bounce back to 195A569A7@curtpalme.com.

If I ping vds003.din.or.jp I see that it is in fact 210.135.89.102, so I know they sent it. I want to see the same for the message *they* received (supposedly) sent from 195A569A7@curtpalme.com.

The other thing to do is to simply wait until I actually get a spam from one of these fake @curtpalme.com addresses but that might take a while.

So before someone asks... why is this even possible? SMTP email is completely insecure. You can "pretend" to be anyone out there, but you can't (easily) spoof an IP address. When the receiving mail server receives mail from 195A569A7@curtpalme.com, the first thing they do is contact the domain to get the IP. In the case of the spammers you'd get an IP other than mine.

Spammers need a good domain for sending out spam so that when the receiving mail server gets the mail and does a lookup, it's valid.

Kal

_________________
Our new shop with over 150 new products: shop.TheElectricBrewery.com
We ship worldwide and support our products and customers for life.
Purchasing through our affiliate links helps support our site at no extra cost to you. We thank you!
My basement/bar/brewery build 2.0
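As an added example (not code from this thread), the check kal describes done in Python on a constructed bounce: it digs the original message out of the message/rfc822 part, keeps only the Received: lines stamped by the bouncing MTA (the host named in Reporting-MTA in details.txt), and compares the IP that connected to that MTA with the server IP. The hosts mx.example.jp and 198.51.100.23 are placeholders; the bottom Received: line is a forged one, to show why the oldest hop cannot simply be trusted.

```python
import email
import re
from email import policy

# Constructed sample bounce (not a real capture): the spoofed original sits in
# a message/rfc822 part. Only curtpalme.com and 206.225.20.165 come from the
# thread; mx.example.jp and 198.51.100.23 are placeholders. The bottom
# Received: line was forged by the spammer to name our server; the two above
# it were stamped by the bouncing MTA and are the only ones to trust.
SAMPLE_BOUNCE = b"""\
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/rfc822

Received: from mx.example.jp (localhost [127.0.0.1]) by mx.example.jp (Postfix) id A1
Received: from mail.curtpalme.com (unknown [198.51.100.23]) by mx.example.jp (Postfix) id B2
Received: from mail.curtpalme.com (mail.curtpalme.com [206.225.20.165]) by mail.curtpalme.com id C3
From: Get Vigara-Today <195A569A7@curtpalme.com>

--B1--
"""
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+([\w.-]+)")

def analyze(raw, reporting_mta):
    """reporting_mta is the host from Reporting-MTA in details.txt."""
    bounce = email.message_from_bytes(raw, policy=policy.default)
    original = next((p.get_payload(0) for p in bounce.walk()
                     if p.get_content_type() == "message/rfc822"), None)
    if original is None:
        return None
    hops = [str(h) for h in original.get_all("Received", [])]  # newest first
    # Only the unbroken run of hops stamped "by <reporting MTA>" at the top
    # can be believed; anything below was already in the message on arrival.
    trusted = None
    for hop in hops:
        m = BY_RE.search(hop)
        if not m or m.group(1).lower() != reporting_mta.lower():
            break
        trusted = hop
    ip = IP_RE.search(trusted or "")
    naive = IP_RE.search(hops[-1]) if hops else None  # bottom hop: forgeable
    return {"connecting_ip": ip.group(1) if ip else None,
            "bottom_hop_ip": naive.group(1) if naive else None}

def sent_by_our_server(raw, reporting_mta, our_ip):
    info = analyze(raw, reporting_mta)
    return info is not None and info["connecting_ip"] == our_ip
```

In Outlook the same bytes are what you get by saving the attached message as a .eml file; the forged bottom hop names our IP, while the hop the bouncing MTA actually saw does not.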
kellzey
Posted: Fri Aug 17, 2012 2:43 pm

Look into SPF records. I believe you can program an SPF record in your Domain Name Server (as a TXT record) in your registrar that specifies only the domains or IP addresses that are allowed to send mail.

If the receiving email account uses SPF verification, they will check to see if the email originated from the authorized domain or IP and, if not, block it altogether.

I just learned about that a month or so ago, so I'm not entirely versed in it, but I was able to clear up some Yahoo delivery issues by having a proper SPF entry in my DNS settings.

Or... I may be totally off track.

_________________
I brew using electrons!
kal (Forum Administrator)
Posted: Fri Aug 17, 2012 2:56 pm

At this time I just want to confirm that someone's doing email spoofing (the sender address and other parts of the email header are altered to appear as though the email originated from a different source - me).

If I'm not mistaken, SPF is an email validation system intended to help those that are victims of email spoofing - those that receive the actual messages (not the website whose domain is being used as the fake sender).

See: http://en.wikipedia.org/wiki/Sender_Policy_Framework

Kal

kellzey
Posted: Fri Aug 17, 2012 3:08 pm

In my case, Yahoo was blocking most of my emails sent from my company's application server since this server didn't have a valid SPF entry. Yahoo was validating before delivering, and it failed and the email was totally blocked.

Adding an SPF record in my DNS server for that particular server (by IP address) allowed my emails to go through.

And you're right, it won't help with preventing spoofing, it will just help reduce delivery of spoofed emails on the recipient side.

kal (Forum Administrator)
Posted: Fri Aug 17, 2012 3:35 pm

SPF is a good point, however. I (supposedly) don't have SPF records on my domains and others are saying I should add them. I'm not sure if there are any downsides (?).

Kal

kellzey
Posted: Fri Aug 17, 2012 4:13 pm

I didn't find any downsides yet. I implemented them about 3 weeks ago and successful mail delivery improved. I had a problem with aol, yahoo, and hotmail accounts not receiving my email. (Not even as SPAM or JUNK)... it would just never get delivered. Everyone else OK.

The downside was that I found the literature confusing to try and figure out how to build the record, but after a couple of attempts it worked.

I'm not saying this will fix the problems, just provide some relief on a related front.

In answer to your original question, I'm not sure how you can detect the IP of the 'original' message unless, like you said, you get spammed a copy directly.

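An added example for the SPF records kellzey describes in this post and the earlier ones (not kellzey's or kal's real DNS): a hypothetical TXT record that would authorise only the server IP given in this thread, a weaker variant beside it, and a small offline evaluator for the ip4/ip6/all mechanisms, showing the result a receiver that checks SPF would get for a spammer's real connecting IP (198.51.100.23 is a placeholder).

```python
import ipaddress

# Hypothetical records for the setup in this thread, not kal's real DNS.
# The strict one authorises only 206.225.20.165 and tells receivers to
# reject everything else; the weak one ends in ?all, which says nothing.
STRICT_RECORD = "v=spf1 ip4:206.225.20.165 -all"
WEAK_RECORD = "v=spf1 ip4:206.225.20.165 ?all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(record, client_ip):
    """Evaluate the DNS-free mechanisms (ip4, ip6, all) of an SPF record.

    Mechanisms that need lookups (a, mx, include, exists, redirect) are
    rejected here; a real receiver resolves them before deciding.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                     # domain publishes no usable policy
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                   # a bare mechanism means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":                 # catch-all: first match wins
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"        # malformed record, treat as broken
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        raise ValueError(f"mechanism {name!r} needs DNS; not supported here")
    return "neutral"                      # ran off the end without an "all"
```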
kal (Forum Administrator)
Posted: Fri Aug 17, 2012 4:27 pm

Thanks kellzey. I do get people from time to time saying they're not getting auto-generated messages from my site(s) so I've asked my service provider to implement SPFs for all of my domains that send out mail.

I also noticed the following and have asked them to fix:

Quote:
SMTP greeting - Checks the SMTP greeting for validity

Malformed greeting or no A records found matching banner text for following servers, and banner is not an address literal. RFC5321 requires one or the other (should not be a CNAME). If this is not set correctly, some mail platforms will reject or delay mail from you, and can cause hard to diagnose issues with deliverability. Mailserver details:

206.225.20.165 | WARNING: The hostname in the SMTP greeting does not match the reverse DNS (PTR) record for your mail server. This probably won't cause any harm, but may be a technical violation of RFC5321


My understanding is that this may also cause some messages to be rejected (and possibly not even bounced, just lost).

Kal

perogi
Posted: Fri Aug 17, 2012 11:50 pm

Hotmail and Yahoo only block legitimate emails - the spam has no problem coming through.

Just hope you don't get blacklisted - that's a real PITA to get removed from.
kal (Forum Administrator)
Posted: Sat Aug 18, 2012 12:55 am

I've been blacklisted before when I used to be on a co-located server with other sites I didn't run (shared IP). 6 customers per box. One had an FTP account compromised and was being used to spam, so our IP got blacklisted. Took weeks for the dust to settle. I moved to my own dedicated box with my own IP.

Kal
