Koozali.org: home of the SME Server

Mail spoofing

Ethan Bonick

Mail spoofing
« on: November 07, 2002, 10:28:34 PM »
Somehow someone spoofed my address and sent two of my users a virus. Below is the maillog portion and then an email header. Is there any way to stop spoofing?

 SMTP HELO from UNKNOWN(211.101.140.97) as "bonick.homelinux.net"
Nov  7 03:31:51 coyote smtpd[4172]: mail from etbonick@bonick.homelinux.net
Nov  7 03:31:51 coyote smtpd[4172]: smtp connection from UNKNOWN@UNKNOWN(211.101.140.97) MAIL FROM: etbonick@bonick.homelinux.net RCPT TO: etbonick@bonick.homelinux.net, allowed by line 30 of /etc/smtpd_check_rules
Nov  7 03:31:51 coyote smtpd[4172]: Recipient etbonick@bonick.homelinux.net
Nov  7 03:31:54 coyote smtpd[4172]: Received 156489 bytes of message body from UNKNOWN(211.101.140.97)
Nov  7 02:32:01 coyote smtpfwdd[4173]: forwarding to recipient etbonick@bonick.homelinux.net
Nov  7 02:32:01 coyote smtpfwdd[4173]: smtpdn4NEs7 forwarded to 1 recipients
Nov  7 03:36:59 coyote smtpd[4185]: No reverse mapping for address 211.101.140.97 (1)
Nov  7 03:36:59 coyote smtpd[4185]: SMTP HELO from UNKNOWN(211.101.140.97) as "bonick.homelinux.net"
Nov  7 03:37:00 coyote smtpd[4185]: mail from null@bonick.homelinux.net
Nov  7 03:37:00 coyote smtpd[4185]: smtp connection from UNKNOWN@UNKNOWN(211.101.140.97) MAIL FROM: null@bonick.homelinux.net RCPT TO: null@bonick.homelinux.net, allowed by line 30 of /etc/smtpd_check_rules
Nov  7 03:37:00 coyote smtpd[4185]: Recipient null@bonick.homelinux.net
Nov  7 03:37:04 coyote smtpd[4185]: Received 156481 bytes of message body from UNKNOWN(211.101.140.97)
Nov  7 02:37:11 coyote smtpfwdd[4186]: forwarding to recipient null@bonick.homelinux.net
Nov  7 02:37:11 coyote smtpfwdd[4186]: smtpd78FzdY forwarded to 1 recipients
Nov  7 03:40:08 coyote smtpd[4204]: EOF on client fd.  At least they could say goodbye!
Nov  7 03:40:08 coyote smtpd[4206]: SMTP HELO from localhost(127.0.0.1) as "localhost"
Nov  7 03:40:08 coyote smtpd[4206]: mail from
Nov  7 03:40:08 coyote smtpd[4206]: smtp connection from UNKNOWN@localhost(127.0.0.1) MAIL FROM: RCPT TO: k@localhost>, allowed by line 22 of /etc/smtpd_check_rules
Nov  7 03:40:08 coyote smtpd[4206]: Recipient
Nov  7 03:40:09 coyote smtpd[4206]: Received 157876 bytes of message body from localhost(127.0.0.1)
Nov  7 02:40:11 coyote smtpfwdd[4208]: forwarding to recipient etbonick@localhost
Nov  7 02:40:11 coyote smtpfwdd[4208]: smtpdXzbRO4 forwarded to 1 recipients
Nov  7 10:20:04 coyote smtpd[4529]: EOF on client fd.  At least they could say goodbye!

email header:
Return-Path:
Delivered-To: etbonick@localhost
Received: (qmail 4210 invoked by uid 8); 7 Nov 2002 08:40:11 -0000
Received: from localhost (127.0.0.1)
   by localhost with SMTP id smtpdXzbRO4; Thu, 07 Nov 2002 03:40:08 EST
Status:  U
Received: from mail.mindspring.com [207.69.200.246]
   by localhost with POP3 (fetchmail-5.7.4)
   for etbonick@localhost (single-drop); Thu, 07 Nov 2002 02:40:08 -0600 (CST)
Received: from smtp6.mindspring.com ([207.69.200.110])
   by strange.mail.mindspring.net (Earthlink Mail Service) with ESMTP id 189Icy6BV3Nl3oW0
   for ; Thu, 7 Nov 2002 03:39:46 -0500 (EST)
Received: from user-11218m7.dsl.mindspring.com ([66.32.162.199] helo=bonick.homelinux.net)
   by smtp6.mindspring.com with smtp (Exim 3.33 #1)
   id 189iCU-0005Ch-00
   for etbonick@mindspring.com; Thu, 07 Nov 2002 03:39:43 -0500
Received: (qmail 4199 invoked by uid 101); 7 Nov 2002 08:37:12 -0000
Delivered-To: admin@coyote.bonick.homelinux.net
Received: (qmail 4197 invoked by alias); 7 Nov 2002 08:37:12 -0000
Delivered-To: alias-localdelivery-admin@bonick.homelinux.net
Received: (qmail 4194 invoked by alias); 7 Nov 2002 08:37:12 -0000
Delivered-To: null@coyote.bonick.homelinux.net
Received: (qmail 4191 invoked by alias); 7 Nov 2002 08:37:11 -0000
Delivered-To: alias-localdelivery-null@bonick.homelinux.net
Received: (qmail 4188 invoked by uid 8); 7 Nov 2002 08:37:11 -0000
Received: from UNKNOWN (211.101.140.97, claiming to be "bonick.homelinux.net")
   by user-11218m7.dsl.mindspring.com with SMTP id smtpd78FzdY; Thu, 07 Nov 2002 03:37:01 EST
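
The log above shows the tell-tale pattern: an outside host with no reverse DNS (211.101.140.97) says HELO as the server's own name and uses an envelope sender in the local domain, and smtpd_check_rules line 30 lets it through. The following added example (not code from the post or from SME Server) scans smtpd log lines in that format and flags connections where a peer outside trusted networks claims the local domain; the local domain comes from the thread, while the trusted networks and the 192.168.1.10 line are assumptions.

```python
"""Flag Obtuse smtpd log lines where an outside host claims our own mail domain.

Added example, not from the original post or SME Server. Log format and the
local domain come from the thread; TRUSTED_NETS (loopback plus a hypothetical
LAN 192.168.1.0/24) is an assumption and the 192.168.1.10 line is constructed.
"""
import ipaddress
import re

LOCAL_DOMAIN = "bonick.homelinux.net"
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                ipaddress.ip_network("192.168.1.0/24")]  # assumed LAN

# smtpd[N]: SMTP HELO from UNKNOWN(1.2.3.4) as "claimed.name"
HELO_RE = re.compile(r'SMTP HELO from [^\s(]+\((?P<ip>[\d.]+)\) as "(?P<helo>[^"]*)"')
# smtpd[N]: smtp connection from X@Y(1.2.3.4) MAIL FROM: a@b RCPT TO: c@d, allowed by line 30 of ...
CONN_RE = re.compile(r'smtp connection from [^\s(]+\((?P<ip>[\d.]+)\) MAIL FROM: (?P<sender>\S*) '
                     r'RCPT TO: (?P<rcpt>.*?), allowed by line (?P<rule>\d+)')

SAMPLE_LOG = """\
Nov  7 03:31:51 coyote smtpd[4172]: SMTP HELO from UNKNOWN(211.101.140.97) as "bonick.homelinux.net"
Nov  7 03:31:51 coyote smtpd[4172]: smtp connection from UNKNOWN@UNKNOWN(211.101.140.97) MAIL FROM: etbonick@bonick.homelinux.net RCPT TO: etbonick@bonick.homelinux.net, allowed by line 30 of /etc/smtpd_check_rules
Nov  7 03:40:08 coyote smtpd[4206]: SMTP HELO from localhost(127.0.0.1) as "localhost"
Nov  7 03:40:08 coyote smtpd[4206]: smtp connection from UNKNOWN@localhost(127.0.0.1) MAIL FROM: RCPT TO: k@localhost>, allowed by line 22 of /etc/smtpd_check_rules
Nov  7 09:00:00 coyote smtpd[4300]: smtp connection from UNKNOWN@UNKNOWN(192.168.1.10) MAIL FROM: etbonick@bonick.homelinux.net RCPT TO: someone@example.com, allowed by line 12 of /etc/smtpd_check_rules
"""

def is_trusted(ip):
    """True when the peer lies inside a network allowed to speak for LOCAL_DOMAIN."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def find_spoofed(lines):
    """Return (ip, reason, rule_line) per outside connection claiming LOCAL_DOMAIN.

    reason is "helo" (HELO name is our domain) or "sender" (envelope MAIL FROM
    is in our domain); rule_line is the smtpd_check_rules line that accepted
    the mail (None for HELO hits), so that rule can be tightened.
    """
    hits = []
    for line in lines:
        m = HELO_RE.search(line)
        if m and m["helo"].lower() == LOCAL_DOMAIN and not is_trusted(m["ip"]):
            hits.append((m["ip"], "helo", None))
            continue
        m = CONN_RE.search(line)
        if m and m["sender"].lower().endswith("@" + LOCAL_DOMAIN) and not is_trusted(m["ip"]):
            hits.append((m["ip"], "sender", int(m["rule"])))
    return hits

if __name__ == "__main__":
    for ip, reason, rule in find_spoofed(SAMPLE_LOG.splitlines()):
        print(f"{ip}: {reason} claims {LOCAL_DOMAIN}", f"(rule line {rule})" if rule else "")
```

The reported rule line points at the entry in /etc/smtpd_check_rules that admitted the forged sender, which is the place to restrict local-domain senders to the networks that legitimately relay through the box.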

Nathan Fowler

Re: Mail spoofing
« Reply #2 on: November 08, 2002, 12:10:16 AM »
Note, the rules I am using are located here:
http://forums.contribs.org/index.php?topic=15561.msg59837#msg59837