Re: [exim] exim exploit or configuration problem

Author: W B Hacker
Date:
To: exim users
Subject: Re: [exim] exim exploit or configuration problem
Peter Bowyer wrote:
> On 10/07/06, Bridgit Griffin (Withers) <bridgit@???> wrote:
>
>>Received: from [220.70.206.152] (port=4460 helo=67.19.170.34)
>>       by mustang.websitewelcome.com with smtp (Exim 4.52)
>>       id 1Fv3uo-0006yP-G2 for postmaster@???; Mon,
>> 26 Jun 2006 22:07:03 -0500
>>Date: Mon, 26 Jun 2006 23:07:10 -0400 (EDT)
>>Date-warning: Date header was inserted by ms-mta-04.nyroc.rr.com
>>From: postmaster@???
>>Subject: Re: hi
>>To: postmaster@???
>>Message-id: <548bgr$18nuf4m@???>
>>X-AntiAbuse: This header was added to track abuse,
>> please include it with any abuse report
>>X-AntiAbuse: Primary Hostname - mustang.websitewelcome.com
>>X-AntiAbuse: Original Domain - colonichealth.net
>>X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
>>X-AntiAbuse: Sender Address Domain - colonichealth.net

>
>
> Is 'colonichealth.net' your domain?


Apparently so, as WHOIS lists the OP as technical contact..

> If so, you're seeing very simple
> forged-header spam. Your provider could soup up their exim config to
> do extra checking before accepting incoming mail which forges its own
> domains.
>
> Note that this is spam forged as coming from you - but when the
> spammer connects to the next victim, the spam will be forged as coming
> from that victim - there's no evidence of using your provider's server
> to relay spam in your name.


None so far provided, anyway...

>
> I don't know what box of tricks injects those X-AntiAbuse: headers, it
> isn't vanilla Exim - but whatever it is, it looks like it's being
> fooled by the forged spam. Have you spoken to the owner of the server?
>
> Peter


Similar traffic we have analyzed indicates that headers of that sort are often
applied by the originating spam 'engine'.

One supposes this is an attempt to confuse amateur backtracking, and/or provide
a false sense of security / encourage opening the message & 'payload'.

IF the user's MUA is even set to display 'all headers' (rare, that...)

Bill
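One way to implement the "extra checking" Peter suggests, as an added example that is not from this thread, the OP's provider, or the Exim project: an Exim 4 RCPT ACL fragment that rejects the two forgery patterns visible in the quoted headers (a bare-IP HELO and an envelope sender in the site's own domain from an untrusted, unauthenticated host). It assumes the main configuration sets `acl_smtp_rcpt = acl_check_rcpt` and defines the usual `local_domains` and `relay_from_hosts` lists.

```exim
# Added example (not from the thread). Assumes in the main config:
#   acl_smtp_rcpt = acl_check_rcpt
#   domainlist local_domains    = colonichealth.net : <other hosted domains>
#   hostlist   relay_from_hosts = 127.0.0.1 : ::1

acl_check_rcpt:

  # Authenticated submission and trusted hosts are the only sessions that
  # may legitimately use our own domains as envelope sender.
  accept
    authenticated = *

  accept
    hosts = +relay_from_hosts

  # 1. The quoted session used "helo=67.19.170.34": a bare IP, which is not
  #    a hostname and not an address literal like [67.19.170.34]. Real MTAs
  #    do not do this; reject it before looking at the envelope.
  deny
    message   = HELO/EHLO must be a hostname or a bracketed address literal
    condition = ${if isip{$sender_helo_name}}

  # 2. Envelope sender claims one of our own domains, but the session is not
  #    authenticated and not from a trusted host: the "forged as coming from
  #    you" case. Reject at RCPT time, before the body is accepted.
  deny
    message        = sender domain $sender_address_domain is local; \
                     authenticate to send as it
    sender_domains = +local_domains

  # Remaining mail: sender address must be syntactically verifiable, and we
  # only accept recipients in domains we actually host.
  require
    verify = sender

  accept
    domains = +local_domains
    endpass
    verify  = recipient

  deny
    message = relay not permitted
```

Before enabling either deny outright, run it as a `warn` verb with `add_header` for a week and review the rejected HELO names, since a few misconfigured but legitimate senders also greet with a bare IP.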