OF EMail spoofs - undeliverable / returned now genuine messages being bounced

Matthew Millichap, 10-09-2006, 08:44 AM

Hi all,

Sorry if this is OT but I have 3 customers who are all having
15-20 messages a day starting off "Undeliverable Mail returned to
Sender" or "Delivery status failure" etc. and these are messages that
APPEAR to have been sent from these PCs but in fact weren't. If for
example the user's domain is 'anything'@abcdef.com then the returned
message will be from (E-Mail Removed) or something equally odd.

This at first was an inconvenience and messages were just put in the bin -
but now they cannot send a lot of genuine messages as they are being
rejected by other servers as spam - which is obviously a problem!

What can I do? Is there something I can do to block unknown
prefixes to the domain, are the machines infected with a worm etc.?

Help! TIA
 

Colin Wilson, 10-09-2006, 09:58 PM

> Sorry if this is OT but i have 3 customers who are all having
> 15-20messages a day starting off "Undeliverable Mail returned to
> Sender" or "Delivery status failure"


That's a pretty common spam tactic and nothing to worry about as long as
their other security arrangements are in place and up to date - scan
with another anti-virus product and/or rootkit detector just to add a
little confidence to the assertion that their machines are not the
source.

Sysclean from Trend isn't bad, and you have a choice of two rootkit
detectors I can name at present - Blacklight Beta from F-Secure, and
RootkitRevealer (Sysinternals) which is a little harder to interpret.

I link to Sysclean from the second link down from my site at
http://www.coreutilities.co.uk and I think I added a link to Blacklight
there as well a few days ago...

Ahh sod it, the links are here:

Rootkits:
http://www.f-secure.com/blacklight
http://www.sysinternals.com/Utilitie...tRevealer.html

Sysclean:
http://www.trendmicro.com/download/dcs.asp (download "Sysclean.com")
http://www.trendmicro.com/download/viruspattern.asp (the top one)

Make a directory (desktop will do nicely) and unzip the LPTxxx.ZIP file
to it and put the sysclean.com file in there too. Run by clicking
Sysclean and telling it to do a scan. Several windows will pop open as
it does its stuff (DOS style windows) - this is normal.

You may need to disable any existing AV software prior to using Sysclean
as it may cause a false positive.

> What can I do? Is there something I can do to block un-known
> prefix's to the domain, are the machines infected with a worm etc.


Not sure how you can go about getting removed from blacklists, but the
first step will be to make sure the machines are definitely clean.

Do you know which lists they've been added to ? (i.e. ORDB / SORBS)

Try checking their IP / hostname on the SORBS site here:

http://www.de.sorbs.net/
 

John Naismith, 10-10-2006, 06:16 AM

On Mon, 9 Oct 2006 22:58:40 +0100, Colin Wilson <(E-Mail Removed)>
wrote:

>Not sure how you can go about getting removed from blacklists, but the
>first step will be to make sure the machines are definitely clean.
>
>Do you know which lists they've been added to ? (i.e. ORDB / SORBS)
>
>Try checking their IP / hostname on the SORBS site here:
>
>http://www.de.sorbs.net/


Doesn't sound like they've been added to any lists to me. What it does
sound like is a joe-job and there is bugger all you can practically do
about it (surprisingly SPF does actually help a bit).

Basically, for those who don't understand what a joe-job is:

A spammer is using your email address/domain as the FROM address.
Clueless fuckwits that shouldn't be running mailservers then
erroneously bounce the emails back rather than rejecting at the smtp
envelope stage. This means that the domain being joe-jobbed gets all
the rejected mail rather than the machine that actually sent it.
It results in MASSIVE increases in pointless traffic and any
postmaster doing this should be INSTANTLY sacked and escorted from the
premises.

Hope that helps.
--
John Naismith
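
The failure mode John describes above, as an added example that is not code from the thread or from any of the posters: a toy model of a receiving mail server that either rejects an unknown recipient at the SMTP envelope stage (the reply to RCPT TO) or accepts everything and generates a bounce afterwards. The domain names, mailbox names and message counts are constructed for the demonstration (abcdef.com is the placeholder domain from the first post; example.net and its mailboxes are assumed). With envelope-stage rejection the spammer's own connection absorbs every 5xx and nothing is ever mailed anywhere; with accept-then-bounce every forged MAIL FROM turns into a delivery-status notification addressed to the joe-jobbed domain. The model also applies the RFC 5321 rule that a message with a null return path (<>) is never bounced, so a bounce cannot itself generate another bounce.

```python
"""Why a joe-job lands in the forged domain's inbox: accept-then-bounce
versus rejecting at the SMTP envelope stage.

Added example, not code from the thread.  Domains, mailboxes and message
counts are constructed; abcdef.com is the placeholder domain from the
first post.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import FrozenSet, List, Tuple


@dataclass
class ReceivingMTA:
    """A minimal model of a destination mail server.

    reject_at_envelope=True  : an unknown recipient gets a 5xx reply to
                               RCPT TO, so the *connecting client* owns
                               the failure and no bounce is ever created.
    reject_at_envelope=False : the server says 250 to everything, finds out
                               later that the mailbox does not exist, and
                               mails a DSN to whatever MAIL FROM claimed.
    """
    domain: str
    mailboxes: FrozenSet[str]
    reject_at_envelope: bool
    bounces_sent: List[Tuple[str, str]] = field(default_factory=list)

    def session(self, mail_from: str, rcpt_to: str) -> str:
        """Return the SMTP reply the sending client sees for RCPT TO."""
        local, _, dom = rcpt_to.partition("@")
        if dom != self.domain:
            return "554 5.7.1 Relay access denied"
        known = local in self.mailboxes
        if self.reject_at_envelope:
            return "250 2.1.5 Ok" if known else "550 5.1.1 User unknown"
        # Accept-then-bounce: the client is told 250 regardless ...
        if not known and mail_from != "":
            # ... and a DSN goes to the (possibly forged) return path.
            # A null return path (<>) is never bounced, per RFC 5321, so a
            # bounce of a bounce cannot start a loop.
            self.bounces_sent.append((mail_from, "User unknown: " + rcpt_to))
        return "250 2.1.5 Ok"


def joe_job(mta: ReceivingMTA, forged_domain: str, count: int) -> Counter:
    """Model a spammer forging MAIL FROM as <something>@forged_domain and
    guessing recipients at mta.domain (one guess in five is a real mailbox).

    Returns a Counter of who ended up holding each failure:
      client    - the spammer's own connection got a 5xx
      victim    - forged_domain received backscatter
      delivered - the spam reached a real mailbox
    """
    outcome: Counter = Counter()
    for i in range(count):
        forged = "user%d@%s" % (i, forged_domain)
        local = "alice" if i % 5 == 0 else "guess%d" % i
        before = len(mta.bounces_sent)
        reply = mta.session(forged, local + "@" + mta.domain)
        if reply.startswith("5"):
            outcome["client"] += 1
        elif len(mta.bounces_sent) > before:
            outcome["victim"] += 1
        else:
            outcome["delivered"] += 1
    return outcome


if __name__ == "__main__":
    real = frozenset({"alice", "bob"})
    strict = ReceivingMTA("example.net", real, reject_at_envelope=True)
    sloppy = ReceivingMTA("example.net", real, reject_at_envelope=False)
    print("reject at envelope :", dict(joe_job(strict, "abcdef.com", 1000)))
    print("accept then bounce :", dict(joe_job(sloppy, "abcdef.com", 1000)))
    print("DSNs now sitting at abcdef.com:", len(sloppy.bounces_sent))
```

Run it as a script to see the two tallies side by side; the bounces_sent list on the accept-then-bounce instance is exactly the backscatter the customers in this thread are finding in their inboxes, and it exists only because the rejecting server waited until after the 250 to decide.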
 

Colin Wilson, 10-10-2006, 07:57 AM

> Doesn't sound like they've been added to any lists to me. What it does
> sound like is a joe-job and there is bugger all you can practically do
> about it


Oh, and if it's of any use, I've been joe-jobbed in the past - I was
getting 2-3 emails every 2 seconds for 2 weeks solid, then tapering off
over the next month (just so you know what you're up against)

Mailwasher helped a *lot*
 

Colin Wilson, 10-10-2006, 07:59 AM

> What it does sound like is a joe-job

That didn't occur to me due to the low volume of mail being received
 

John Naismith, 10-10-2006, 08:30 AM

On Tue, 10 Oct 2006 08:59:13 +0100, Colin Wilson <(E-Mail Removed)>
wrote:

>> What it does sound like is a joe-job
>
>That didn't occur to me due to the low volume of mail being received


What we tend to find is that the spammers cycle through our domains
much quicker than they used to - we're currently getting a couple of
hundred bounces a day on one domain but by the weekend it'll be
another domain being joe-jobbed.

Jorgen Mash's drbcheck should be everyone's first port of call when
they are assigned a new IP address/block :

http://www.moensted.dk/spam/

It is slow due to the number of DNSBLs it checks so be patient.
--
John Naismith
 

Matthew Millichap, 10-10-2006, 09:34 AM

On Tue, 10 Oct 2006 09:30:36 +0100, John Naismith
<(E-Mail Removed)> wrote:

>On Tue, 10 Oct 2006 08:59:13 +0100, Colin Wilson <(E-Mail Removed)>
>wrote:
>
>>> What it does sound like is a joe-job
>>
>>That didn't occur to me due to the low volume of mail being received
>
>What we tend to find is that the spammers cycle through our domains
>much quicker than they used to - we're currently getting a couple of
>hundred bounces a day on one domain but by the weekend it'll be
>another domain being joe-jobbed.
>
>Jorgen Mash's drbcheck should be everyone's first port of call when
>they are assigned a new IP address/block :
>
>http://www.moensted.dk/spam/
>
>It is slow due to the number of DNSBLs it checks so be patient.


Thanks all - I have been re-assessing this and there are certainly
mentions of SORBS in some of these mails. I certainly believe it is
unlikely that the machines themselves are infected with anything and
am therefore equally sure that it isn't the machines themselves sending
the mails. However what is causing the BIGGER problem is the fact that
some genuine mails are being bounced now due to the fact that the
domain is listed on SORBS. Am I right in presuming then that when this
drops off - and I'm sure that it will - then the lists will get updated
and back to normal we go?

Who are the fuckwits in this case - is it the guys we've registered the
domains with, is it the person who's arranged the mail-forwarding, the
ISP for not requiring secure SMTP?

I (we) are just concerned that it doesn't happen again.

TIA, and if any of these questions have obvious answers then I'm SIA
as well
 

John Naismith, 10-10-2006, 11:17 AM

On Tue, 10 Oct 2006 09:34:44 GMT, Matthew Millichap
<(E-Mail Removed)> wrote:

>Thanks all - I have been re-assessing this and there is certainly
>mentions of SORBS in some of these mails. I certainly believe it is
>unlikely that the machines themselves are infected with anything and
>am therefore equally sure that it isnt the machines themselves sending
>the mails. However what is causing the BIGGER problem is the fact that
>some genuine mails are being bounced now due to the fact that the
>domain is listed on SORBS. Am I right in presuming then that when this
>drops off - and I'm sure that it will then the lists will get updated
>and back to normal we go?


It depends why you are on SORBS and in particular which SORBS list. E.g.
your client may be using address space that WAS used by a spammer, in
which case then yes, it should come off the list. Alternatively your
clients could be blacklisted because of the practices of their hosting
supplier/ISP, in which case you are right out of luck.

>Who are the fuckwits in this case - is the guys we've registered the
>domains with, is it the person who's arranged the mail-forwarding, the
>ISP for not needing secure SMTP?
>
>I (we) are just concerned that it doesnt happen again.
>
>TIA, and if any of these questions have obvious answers then I'm SIA
>as well


It would be helpful if you gave an example of the SORBS listing and/or
an IP address in question. Until then nobody can answer you with any
degree of accuracy.
--
John Naismith
 

Matthew Millichap, 10-10-2006, 11:25 AM

On Tue, 10 Oct 2006 12:17:42 +0100, John Naismith
<(E-Mail Removed)> wrote:

>On Tue, 10 Oct 2006 09:34:44 GMT, Matthew Millichap
><(E-Mail Removed)> wrote:
>
>>Thanks all - I have been re-assessing this and there is certainly
>>mentions of SORBS in some of these mails. I certainly believe it is
>>unlikely that the machines themselves are infected with anything and
>>am therefore equally sure that it isnt the machines themselves sending
>>the mails. However what is causing the BIGGER problem is the fact that
>>some genuine mails are being bounced now due to the fact that the
>>domain is listed on SORBS. Am I right in presuming then that when this
>>drops off - and I'm sure that it will then the lists will get updated
>>and back to normal we go?
>
>It depends why you are on SORBS and in particular which SORBS list. Eg
>- your client may be using address space that WAS used by a spammer in
>which case then yes it should come off the list. Alternatively your
>clients could be blacklisted because of the practices of their hosting
>supplier/ISP in which case you are right out of luck.
>
>>Who are the fuckwits in this case - is the guys we've registered the
>>domains with, is it the person who's arranged the mail-forwarding, the
>>ISP for not needing secure SMTP?
>>
>>I (we) are just concerned that it doesnt happen again.
>>
>>TIA, and if any of these questions have obvious answers then I'm SIA
>>as well
>
>It would be helpful if you gave an example of the SORBS listing and/or
>an IP address in question. Until then nobody can answer you with any
>degree of accuracy.


Does this help.....just one of many. I'm really grateful BTW for the
assistance!

The SMTP Server program

<(E-Mail Removed)>: host mx1.ukservers.net[217.10.138.227] said: 554
5.7.1 Service unavailable; Client host [193.252.22.157] blocked using
dnsbl.sorbs.net; Currently Sending Spam See:
http://www.sorbs.net/lookup.shtml?193.252.22.157 / Spam Received Recently
See: http://www.sorbs.net/lookup.shtml?193.252.22.157 / Spam Received
withing last 12 months See:
http://www.sorbs.net/lookup.shtml?193.252.22.157 (in reply to RCPT TO
command)

Reporting-MTA: dns; me.freeserve.com
X-SMTP-Server-Queue-ID: AAE9F2400088
X-SMTP-Server-Sender: rfc822; (E-Mail Removed)
Arrival-Date: Thu, 5 Oct 2006 00:47:39 +0200 (CEST)

Final-Recipient: rfc822; (E-Mail Removed)
Action: failed
Status: 5.0.0
Diagnostic-Code: X-SMTP-Server; host mx1.ukservers.net[217.10.138.227] said:
    554 5.7.1 Service unavailable; Client host [193.252.22.157] blocked using
    dnsbl.sorbs.net; Currently Sending Spam See:
    http://www.sorbs.net/lookup.shtml?193.252.22.157 / Spam Received Recently
    See: http://www.sorbs.net/lookup.shtml?193.252.22.157 / Spam Received
    withing last 12 months See:
    http://www.sorbs.net/lookup.shtml?193.252.22.157 (in reply to RCPT TO
    command)
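
Colin's suggestion to check the IP on SORBS, John's recommendation to run every address through drbcheck, and the bounce Matthew has just posted all come down to the same check, so here is one added example covering all three (not code from the thread, from SORBS or from drbcheck): parse the delivery-status part of a bounce, pull out the rejecting MX, the SMTP reply it gave, and the DNSBL zone and client address named in that reply, then build the reversed-octet query a DNSBL lookup actually sends. The SAMPLE_DSN is constructed after the one above; the Final-Recipient address, which was removed from the post, is replaced by a placeholder at example.co.uk. One thing the parse makes obvious: the listing is keyed on the connecting client's IP address (193.252.22.157, the same value in the lookup URL), not on the domain in the From line, and the generic Status: 5.0.0 field says far less than the 554 5.7.1 reply buried in Diagnostic-Code. The live lookup in main() needs DNS; everything else runs offline.

```python
"""Read a DNSBL rejection out of a delivery-status notification (RFC 3464)
and reproduce the lookup the rejecting MX performed.

Added example, not code from the thread.  SAMPLE_DSN is constructed after
the bounce quoted in the post; the Final-Recipient address is a placeholder.
"""
import re
import socket
from typing import Dict, Optional

SAMPLE_DSN = """\
Reporting-MTA: dns; me.freeserve.com
Arrival-Date: Thu, 5 Oct 2006 00:47:39 +0200 (CEST)

Final-Recipient: rfc822; someone@example.co.uk
Action: failed
Status: 5.0.0
Diagnostic-Code: X-SMTP-Server; host mx1.ukservers.net[217.10.138.227]
    said: 554 5.7.1 Service unavailable; Client host [193.252.22.157]
    blocked using dnsbl.sorbs.net; Currently Sending Spam See:
    http://www.sorbs.net/lookup.shtml?193.252.22.157 (in reply to RCPT TO
    command)
"""

# "host <mx>[<ip>] said: <smtp code> <enhanced code>" is how Postfix-style
# MTAs relay the remote server's reply inside Diagnostic-Code.
_REMOTE_REPLY = re.compile(
    r"host (?P<mx>[\w.\-]+)\[(?P<mx_ip>\d{1,3}(?:\.\d{1,3}){3})\] said: "
    r"(?P<code>\d{3}) (?P<enhanced>\d\.\d{1,3}\.\d{1,3})"
)
# The DNSBL verdict itself: which client address, which zone.
_DNSBL_BLOCK = re.compile(
    r"Client host \[(?P<client_ip>\d{1,3}(?:\.\d{1,3}){3})\] "
    r"blocked using (?P<zone>[\w.\-]+)"
)


def parse_dsn(text: str) -> Dict[str, str]:
    """Unfold continuation lines and return DSN fields keyed by lower-case name.

    The per-message group (Reporting-MTA ...) and the per-recipient group
    (Final-Recipient ...) land in one dict, which is enough for the single
    recipient a bounce to a human normally carries.
    """
    unfolded = re.sub(r"\r?\n[ \t]+", " ", text)
    fields: Dict[str, str] = {}
    for line in unfolded.splitlines():
        if not line.strip():
            continue                      # blank line separates the groups
        name, _, value = line.partition(":")
        fields[name.strip().lower()] = value.strip()
    return fields


def extract_dnsbl_block(diagnostic: str) -> Optional[Dict[str, str]]:
    """Pull the rejecting MX, its reply and the DNSBL verdict out of a
    Diagnostic-Code value.  Returns None if the rejection was not a DNSBL hit."""
    block = _DNSBL_BLOCK.search(diagnostic)
    if block is None:
        return None
    result = dict(block.groupdict())
    reply = _REMOTE_REPLY.search(diagnostic)
    if reply:
        result.update(rejecting_mx=reply["mx"], rejecting_ip=reply["mx_ip"],
                      smtp_code=reply["code"], enhanced=reply["enhanced"])
    return result


def dnsbl_query_name(ip: str, zone: str) -> str:
    """DNSBLs are queried by reversing the dotted quad under the zone:
    193.252.22.157 in dnsbl.sorbs.net -> 157.22.252.193.dnsbl.sorbs.net"""
    return ".".join(reversed(ip.split("."))) + "." + zone


def is_listed(ip: str, zone: str) -> Optional[str]:
    """Live check: the A record (127.0.0.x) if listed, None on NXDOMAIN.
    What each 127.0.0.x value means is zone-specific; read the list's own
    documentation rather than guessing."""
    try:
        return socket.gethostbyname(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return None


if __name__ == "__main__":
    fields = parse_dsn(SAMPLE_DSN)
    verdict = extract_dnsbl_block(fields.get("diagnostic-code", ""))
    print("reporting MTA   :", fields["reporting-mta"])
    print("generic status  :", fields["status"])
    if verdict:
        print("reply from MX   :", verdict["smtp_code"], verdict["enhanced"],
              "via", verdict["rejecting_mx"], verdict["rejecting_ip"])
        print("listed client   :", verdict["client_ip"], "in", verdict["zone"])
        print("query sent      :", dnsbl_query_name(verdict["client_ip"],
                                                     verdict["zone"]))
        print("listed right now:", is_listed(verdict["client_ip"],
                                             verdict["zone"]))
```

To do what drbcheck does, loop is_listed over a list of zones for the one client address; a 127.0.0.x answer means listed, NXDOMAIN means clear, and any other answer (such as a wildcard from a zone that has shut down) is a broken list, not a verdict.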
 

John Naismith, 10-10-2006, 11:28 AM

On Tue, 10 Oct 2006 12:17:42 +0100, John Naismith
<(E-Mail Removed)> wrote:

>On Tue, 10 Oct 2006 09:34:44 GMT, Matthew Millichap
><(E-Mail Removed)> wrote:
>
>>Thanks all - I have been re-assessing this and there is certainly
>>mentions of SORBS in some of these mails. I certainly believe it is
>>unlikely that the machines themselves are infected with anything and
>>am therefore equally sure that it isnt the machines themselves sending
>>the mails. However what is causing the BIGGER problem is the fact that
>>some genuine mails are being bounced now due to the fact that the
>>domain is listed on SORBS. Am I right in presuming then that when this
>>drops off - and I'm sure that it will then the lists will get updated
>>and back to normal we go?

>
>It depends why you are on SORBS and in particular which SORBS list. Eg
>- your client may be using address space that WAS used by a spammer in
>which case then yes it should come off the list.


Replying to myself but meh

When I say "should come off the list" then that is only going to
happen if SORBS have been given proof/assurances by the hosting
company/ISP concerned. Frequently (assuming a US hosting company/ISP
here) they simply don't give a damn if their address space is listed
or not (UUNet spring to mind here) and in that case the listing will
probably remain forever.
--
John Naismith
 