Bridgit Griffin (Withers) wrote:
> Hi,
>
> Recently, since late Jun, I have been seeing spam that appears to be
> sent from an email alias I have. However, closer inspection of the spam
> headers shows that someone connected into the smtp server (Exim ver
> 4.52) then sent it out using my alias.
*snip*
>
> Please note I do not have control over the smtp server, my hosting
> provider does.
Then they will have to (help) sort the problem.
> Also there are no email accounts associated with the
> domains.
By default, there will ordinarily be *at least* 'postmaster@' and may also be
'abuse', 'webmaster', and perhaps a 'catchall' if the provider is lazy.
Your 'alias' is also an 'email account' of sorts, even if it has no local mailstore.
> This has happened on 4 different domains that I have. Please
> see a sample of the header below.
>
> Thanks!
>
> Received: from [220.70.206.152] (port=4460 helo=67.19.170.34)
> by mustang.websitewelcome.com with smtp (Exim 4.52)
> id 1Fv3uo-0006yP-G2 for postmaster@???; Mon,
> 26 Jun 2006 22:07:03 -0500
> Date: Mon, 26 Jun 2006 23:07:10 -0400 (EDT)
> Date-warning: Date header was inserted by ms-mta-04.nyroc.rr.com
> From: postmaster@???
> Subject: Re: hi
> To: postmaster@???
> Message-id: <548bgr$18nuf4m@???>
> X-AntiAbuse: This header was added to track abuse,
> please include it with any abuse report
> X-AntiAbuse: Primary Hostname - mustang.websitewelcome.com
> X-AntiAbuse: Original Domain - colonichealth.net
> X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
> X-AntiAbuse: Sender Address Domain - colonichealth.net
>
>
> Received: from [60.179.219.85] (port=1166 helo=85.219.179.60.broad.nb.zj.dynamic.cndata.com)
> by mustang.websitewelcome.com with smtp (Exim 4.52)
> id 1FvZCG-000049-4X for postmaster@???; Wed, 28 Jun 2006 07:31:15 -0500
> Date: Wed, 28 Jun 2006 08:31:22 -0400 (EDT)
> Date-warning: Date header was inserted by ms-mta-04.nyroc.rr.com
> From: postmaster@???
> Subject: Something for your site..
> To: postmaster@???
> Message-id: <53079d$1gs0i10@???>
> X-AntiAbuse: This header was added to track abuse,
> please include it with any abuse report
> X-AntiAbuse: Primary Hostname - mustang.websitewelcome.com
> X-AntiAbuse: Original Domain - nceweb.com
>
>
If this sort of message is reaching only your own MUA via the postmaster or
catchall alias, then a local MUA filter is a quick, albeit temporary, fix.
If it is being relayed or creating collateral-spam bounces to the world at
large, then your provider needs to clean up his config, or you need a more
'aware' provider.
Note the mismatch in the sample you submitted between the actual connection-from
IP and the alleged source IP/domain. Properly configured Exim need not permit
that to come onto the box at all.
Help here is, of necessity, largely available/of value only to those who *DO*
control an MTA, and a current Exim one at that, not one a couple of years old.
HTH,
Bill
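To make the mismatch Bill points at concrete, here is an added example (not from the thread, and not Exim code) that parses the two quoted Received: lines and flags a HELO argument that does not correspond to the connecting IP. The hostname check is a deliberately loose offline approximation (it only looks for the connecting IPv4 address embedded in the name, as generic provider rDNS names do); a real check would do DNS lookups.

```python
import re
import ipaddress
from typing import Optional

# The two Exim "Received:" lines quoted in the thread (the poster redacted parts as ???).
SAMPLE_RECEIVED = [
    "Received: from [220.70.206.152] (port=4460 helo=67.19.170.34) "
    "by mustang.websitewelcome.com with smtp (Exim 4.52)",
    "Received: from [60.179.219.85] (port=1166 "
    "helo=85.219.179.60.broad.nb.zj.dynamic.cndata.com) "
    "by mustang.websitewelcome.com with smtp (Exim 4.52)",
]

# Exim writes the real peer address in [brackets] and the client's HELO after "helo=".
RECEIVED_RE = re.compile(
    r"Received:\s+from\s+\[(?P<ip>[^\]]+)\]\s+\(port=(?P<port>\d+)\s+helo=(?P<helo>[^)\s]+)\)"
)

def parse_received(line: str) -> Optional[dict]:
    """Extract connecting IP, source port and HELO name from one Exim Received: line."""
    m = RECEIVED_RE.search(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "port": int(m.group("port")), "helo": m.group("helo")}

def helo_mismatch(ip: str, helo: str) -> Optional[str]:
    """Return a reason string when HELO does not plausibly name the connecting host, else None."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return f"unparseable connecting address {ip}"
    try:
        helo_addr = ipaddress.ip_address(helo)  # HELO given as a bare IP literal
    except ValueError:
        helo_addr = None
    if helo_addr is not None:
        return None if helo_addr == addr else f"HELO IP {helo} != connecting IP {ip}"
    # Hostname HELO (assumption): accept if it embeds the IPv4 address, forward or reversed.
    if isinstance(addr, ipaddress.IPv4Address):
        if ip in helo or ".".join(reversed(ip.split("."))) in helo:
            return None
    return f"HELO name {helo} does not correspond to connecting IP {ip}"

def audit(lines) -> list:
    """One finding per Received: line whose HELO does not match the connecting IP."""
    recs = [r for r in map(parse_received, lines) if r is not None]
    return [m for m in (helo_mismatch(r["ip"], r["helo"]) for r in recs) if m]
```

Server-side, Exim's `verify = helo` ACL condition performs the equivalent check at SMTP time, so such a message need never be accepted onto the box at all.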