Hammhocks
Posts: 12 Joined: 1/22/2006 Status: offline
e-mail hack?? - 10/14/2006 9:58:02
Hi! I'm not sure if "hack" is the right word to use and I'm not sure if this is the correct forum, but here's what I'm facing... Over the past couple of weeks I have been receiving a bunch of emails saying delivered mail was returned, blocked, etc. Obviously, by my post here, I have NOT sent mail to any of these returned/blocked addresses, so my question is... Could someone be "hacking" me and somehow be using my email address(es) to send out spam? Or are these emails actually spam TO me? Many of these contain attachments. I'm even receiving some mail FROM "postmaster@mysite.com". I have run several virus scans since this started and am showing I'm clean.

I have included a couple of examples, below, hoping that will help. ;) I would be happy to provide headers for the examples below if that would help. My domain is "oldduckracing.com". I do have a "catch-all" assigned to my mail forwarder on my server and I also have 3 assigned email addresses, on my server, with direct forwarders. If I am being "hacked", what do I do? Thanks, in advance, for any and all help! Here come the examples...

**************************************************
FROM: MAILER-DAEMON
TO: kxjdd@oldduckracing.com
DATE: 10/11/2006 11:57:44 PM
SUBJECT: **Message you sent blocked by our bulk email filter**

Your message to: mikeg@avenuea.com was blocked by our Spam Firewall. The email you sent with the following subject has NOT BEEN DELIVERED: Subject: estuary

**************************************************
FROM: MAILER-DAEMON@mail.goo.ne.jp
TO: yuom@oldduckracing.com
DATE: 10/8/2006 8:51:23 PM
SUBJECT: failure notice

Hi. This is the qmail-send program at mail.goo.ne.jp. I'm afraid I wasn't able to deliver your message to the following addresses. This is a permanent error; I've given up. Sorry it didn't work out. <leeward190@mail.goo.ne.jp>: Sorry, no mailbox here by that name. (#5.1.1)

--- Below this line is a copy of the message.
Return-Path: <yuom@oldduckracing.com>
Received: (qmail 98255 invoked from network); 9 Oct 2006 09:51:11 +0900
Received: from unknown (HELO mail.goo.ne.jp) ([210.165.9.51]) (envelope-sender <yuom@oldduckracing.com>) by localhost.mail.goo.ne.jp (qmail-1.03) with SMTP for <leeward190@mail.goo.ne.jp>; 9 Oct 2006 09:51:11 +0900
**************************************************

Thanks again!!!! Hammhocks Hammhocks@oldduckracing.com www.oldduckracing.com
coreybryant
Posts: 2422 Joined: 3/17/2002 From: Castle Rock CO USA Status: offline
RE: e-mail hack?? - 10/14/2006 10:46:48
No, you are not being hacked; your domain name / email address is being spoofed. I get probably 500 of these a day in my deleted folder for one account that has been around for about 10 years. You can create any reply-to email address that you want, and via server side you can also make it look like it came from your domain name / email address.
_____________________________
Corey R. Bryant Merchant Accounts | Toll Free Numbers | My Blog | Expression Web Blog
BobbyDouglas
Posts: 5432 Joined: 5/15/2003 From: Arizona Status: offline
RE: e-mail hack?? - 10/14/2006 11:20:13
You might be able to get something done about receiving so many of these if you contact your host. Tell them you are being spammed with those types of e-mails, and ask them if they can do anything to help.
_____________________________
Arizona Web Design - Mr Bobs Web Design in Arizona The Arizona Web Hosting Challenge
Kitka
Posts: 2507 Joined: 1/31/2002 From: Australia Status: offline
RE: e-mail hack?? - 10/14/2006 18:32:20
quote:
ask them if they can do anything to help

One of our clients is suffering badly from this problem currently, despite the fact that I had set up an SPF record for his domain a few months ago. I did contact the host, but they said nothing could be done. Bobby, are you aware of something specific that I could ask for that works nicely with cPanel?
_____________________________
Kitka **It is impossible to make anything foolproof because fools are so ingenious.**
Kitka
Posts: 2507 Joined: 1/31/2002 From: Australia Status: offline
RE: e-mail hack?? - 10/14/2006 19:24:45
There is one form on his site, and it certainly seems secure - I keep a close eye on it. If there was any strange activity, it would clearly show in the logs.
_____________________________
Kitka **It is impossible to make anything foolproof because fools are so ingenious.**
BobbyDouglas
Posts: 5432 Joined: 5/15/2003 From: Arizona Status: offline
RE: e-mail hack?? - 10/14/2006 22:33:04
quote:
Bobby, are you aware of something specific that I could ask for that works nicely with cPanel?

- Inquire about a "custom SpamAssassin setup". Most of the cheap hosts won't help you with SA, nor will they tell you what to do.

quote:
There is one form on his site, and it certainly seems secure - I keep a close eye on it.

- What makes you believe it is secure? Most likely you won't even know if someone is actually using that form to send spam. The only way to know is to view a server log of the files being sent from the mailserver.

If you don't want any e-mails to be received that contain a subject of:

quote:
**Message you sent blocked by our bulk email filter**

Then enable SpamAssassin in your cPanel under the Mail link, and then have all messages sent with that subject automatically deleted or sent to a spam box.
_____________________________
Arizona Web Design - Mr Bobs Web Design in Arizona The Arizona Web Hosting Challenge
Kitka
Posts: 2507 Joined: 1/31/2002 From: Australia Status: offline
RE: e-mail hack?? - 10/14/2006 22:45:13
quote:
Then enable SpamAssassin in your cPanel under the Mail link, and then have all messages sent with that subject automatically deleted or sent to a spam box.

Thanks for the suggestion - I already have SpamAssassin enabled and various mail filters in place. My concern was more along the lines of preventing remote servers from sending the spam to his domain, rather than dealing with the "Returned mail" once it arrived. I asked our host about DomainKeys, but they said it doesn't play nicely with cPanel. So it looks like I have to be content with the measures we are already using.
_____________________________
Kitka **It is impossible to make anything foolproof because fools are so ingenious.**
Kitka
Posts: 2507 Joined: 1/31/2002 From: Australia Status: offline
RE: e-mail hack?? - 10/14/2006 22:55:17
Sorry - forgot to answer this:

quote:
- What makes you believe it is secure? Most likely you won't even know if someone is actually using that form to send spam. The only way to know is to view a server log of the files being sent from the mailserver.

I assumed that the form handler (a PHP file in this case) would have to be requested - and that those requests would show in the normal raw logs. I don't see how they could use the form without accessing the form handler script - am I wrong? Also, I'm pretty sure that our host would know quite quickly and shut it down. They aren't an el cheapo host; their support is good and security very tight.
_____________________________
Kitka **It is impossible to make anything foolproof because fools are so ingenious.**
BobbyDouglas
Posts: 5432 Joined: 5/15/2003 From: Arizona Status: offline
RE: e-mail hack?? - 10/15/2006 4:11:34
quote:
preventing remote servers from sending the Spam to his domain

- You cannot prevent a remote server from sending any type of e-mail at all. You also cannot prevent anyone from displaying your e-mail address as the from address in an e-mail message. I can even log into Outlook Express and make it so whenever I send an e-mail, it looks like it is coming from you instead of me.

quote:
I assumed that the form handler (a PHP file in this case) would have to be requested - and that those requests would show in the normal raw logs. I don't see how they could use the form, without accessing the form handler script - am I wrong?

- You are 100% correct. That's actually a very good way to see if it is being abused.

quote:
Also, I'm pretty sure that our Host would know quite quickly and shut it down. They aren't an el cheapo host, their support is good and security very tight.

- That's always good to have :) If you have WHM then you can have everything set up to send off an e-mail every time someone uploads a script that can send mail (excluding FP forms). You will have to ask your host to enable the alert for "Recently Uploaded Cgi Script Mail". It is actually a pretty sweet script; here's the output I got for today:

quote:
Note: If this is the first time you recieved this mail, it contains the history for the entire month so far. Below are the recently upload scripts that contain code to send email. You may wish to inspect them to ensure they are not sending out SPAM.
/home/username/public_html/new-site/temp/scripts/error-pages/functions.inc.php:62: // send the email
/home/username/public_html/new-site/temp/scripts/error-pages/functions.inc.php:63: mail( $to, $subject, $message, $headers );
/home/username/public_html/new-site/temp/scripts/error-pages/functions.inc.php:64: }
_____________________________
Arizona Web Design - Mr Bobs Web Design in Arizona The Arizona Web Hosting Challenge
coreybryant
Posts: 2422 Joined: 3/17/2002 From: Castle Rock CO USA Status: offline
RE: e-mail hack?? - 10/15/2006 8:02:48
If you want, I can set up a small script on our site with your email and have it sent to you. The way to see that you actually did not send it is to look at the original headers. We had one person from Sweden actually threaten to sue us the other day. He said he did it before, and my business partner basically freaked. I told him that if he sued and won as he claimed, he knows he would need to produce the original IP headers, which would show at that time it did not come from us or from our servers. And usually the return email address (especially on the one that I have added) is my personal account but always has email addresses like david@example.com, fjreoi@example.com, connie@example.com etc. - when there is basically only one email account set up for this one.
_____________________________
Corey R. Bryant Merchant Accounts | Toll Free Numbers | My Blog | Expression Web Blog
Hammhocks
Posts: 12 Joined: 1/22/2006 Status: offline
RE: e-mail hack?? - 10/15/2006 8:45:38
Until I learn how to make my forms more secure... Can I stop the spoofing simply by removing all forms from my site? That's IF that is where the spoofing is originating. TIA, Hammhocks
coreybryant
Posts: 2422 Joined: 3/17/2002 From: Castle Rock CO USA Status: offline
RE: e-mail hack?? - 10/15/2006 10:51:39
You really cannot stop them from using your email address. I proved this to my business partner by creating a small form on our site and sending it to his business account from his Adelphia account. They are going to spoof your email / domain name and unfortunately there is nothing that can be done. A lot of times they go through proxy server after proxy server, so even tracking them down would be difficult.
_____________________________
Corey R. Bryant Merchant Accounts | Toll Free Numbers | My Blog | Expression Web Blog
BobbyDouglas
Posts: 5432 Joined: 5/15/2003 From: Arizona Status: offline
RE: e-mail hack?? - 10/15/2006 13:54:49
quote:
Can I stop the spoofing simply by removing all forms from my site? That's IF that is where the spoofing is originating.

- E-mail address spoofing isn't really caused by insecure online forms. Ever set up an e-mail account in MS Outlook? Or Outlook Express? Remember when you entered your e-mail address? Try entering someone else's address, and then send yourself an e-mail. The way e-mail is set up allows ANYONE to use any e-mail address when they send an e-mail. It sucks, and there isn't a fix for it.

The only way I could see a fix (not a full solution though) for this is if the mailserver you were connecting to actually generated the e-mail from address in the header during the send process. Then the standard way of e-mailing would be disabled, and all e-mails would need to have their server generate the correct from address before the e-mail gets sent. Since you have a user/pass for e-mails, it is possible for the mailserver to generate this. This isn't going to happen though. E-mail should have been set up like this a long time ago. The solution for spam is going to be anti-spam programs such as SpamAssassin. These programs keep getting better and better.
_____________________________
Arizona Web Design - Mr Bobs Web Design in Arizona The Arizona Web Hosting Challenge
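An added example, not code from any poster in this thread, that does what Corey and Bobby describe above: it ignores the forgeable From address and reads the original headers instead. It parses the Received chain from the bounce copy quoted in the opening post, takes the IP of the host that injected the message, and checks it against an SPF-style allow-list of the domain's own relays (the kind of record Kitka mentions setting up), marking the bounce as backscatter when the injecting host is not authorized. The SPF record and its 192.0.2.25 relay are assumed placeholders, not oldduckracing.com's real configuration.

```python
import re
import ipaddress
from typing import List, Optional

# Constructed sample: the copy of the spoofed message that mail.goo.ne.jp
# returned in the bounce quoted in the opening post (headers only).
BOUNCE_COPY = """\
Return-Path: <yuom@oldduckracing.com>
Received: (qmail 98255 invoked from network); 9 Oct 2006 09:51:11 +0900
Received: from unknown (HELO mail.goo.ne.jp) ([210.165.9.51]) (envelope-sender <yuom@oldduckracing.com>) by localhost.mail.goo.ne.jp (qmail-1.03) with SMTP for <leeward190@mail.goo.ne.jp>; 9 Oct 2006 09:51:11 +0900
"""

# Assumed SPF record for the domain; 192.0.2.25 is a documentation-range
# placeholder standing in for the domain's real outbound relay.
SPF_RECORD = "v=spf1 ip4:192.0.2.25 -all"

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw_headers: str) -> List[str]:
    """Received: lines in header order: newest hop first, oldest hop last."""
    return [ln for ln in raw_headers.splitlines() if ln.lower().startswith("received:")]


def injecting_ip(raw_headers: str) -> Optional[str]:
    """IP that handed the message to the first relay that recorded an address.

    Hops above it were stamped later by the receiving side; the From: header
    is never consulted, since the sender can write anything there.
    """
    for hdr in reversed(received_chain(raw_headers)):
        match = BRACKETED_IP.search(hdr)
        if match:
            return match.group(1)
    return None


def spf_ip4_allows(record: str, ip: str) -> bool:
    """Minimal SPF evaluation: only ip4: terms are honoured; anything else
    falls through to the record's -all, i.e. not authorized."""
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and addr in ipaddress.ip_network(term[4:], strict=False):
            return True
    return False


def classify_bounce(raw_headers: str, record: str) -> str:
    """'backscatter' when the bounced message was injected by an unauthorized host."""
    ip = injecting_ip(raw_headers)
    if ip is None:
        return "undetermined"
    return "legitimate" if spf_ip4_allows(record, ip) else "backscatter"
```

Run over a mailbox of bounces, the same classification separates backscatter from a genuine delivery failure of your own mail, which is the distinction the host cannot make for you.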
Hammhocks
Posts: 12 Joined: 1/22/2006 Status: offline
RE: e-mail hack?? - 10/16/2006 19:16:31
My server seems to think that the reason I'm being spoofed is because I had my "catch-all" account enabled in my cPanel. I disabled it, at their recommendation, but...it seems to me that doing that will only prevent me from seeing the bounces. Am I misunderstanding the whole "catch-all" theory? I realize that spoofing is going to happen...as a matter of fact, I got a spoofed email from "paypal" today....but being one of the "little guys" and being spoofed is depressing. Thanks again for all your feedback! Hammhocks
PBailey
Posts: 907 From: San Antonio, Texas USA Status: offline
RE: e-mail hack?? - 11/29/2006 18:39:35
Hammhocks,

quote:
it seems to me that doing that will only prevent me from seeing the bounces

I'm in here REALLY LATE but, yes, you are correct. The bounces keep coming...you just don't see them. I elected to bounce them into a folder I could see so I would know when they slowed down as well as keep an eye on what was happening. My domain was spoofed about the same time as yours. What a nightmare...but other than getting to know one of the sys admins from my host (he did a great job for what he could do) and having fun tracking the things, there is really nothing you can do. Quite frankly it is theft. Based on some of the other heated conversations on OF over the years on spam.....I can go along with "just delete the spam" but spoofed e-mail addresses cause a lot more problems than just bounces. If the spammer wants to send spam...fine..but don't steal my domain address to do it! $8.95 at Godaddy about a hundred times should do the job..
_____________________________
Paula Thought for the day: Never be afraid to try something new. Remember that a lone amateur built the Ark. A large group of professionals built the Titanic.