Planetfurry BBS - Forums for Planetfurry Site Members and more
Email server may have been compromised!

Forum: Site Problems
KieferSkunk (Site Owner) | Joined: 09 May 2001 | Posts: 455 | Location: Covington, WA
Posted: Thu Apr 10, 2008 2:30 pm    Post subject: Email server may have been compromised!

It seems someone's found a way to send messages as me, because all of a sudden I received a veritable flood of "Undeliverable Message" emails in my inbox. They were all attempts to send spam, and the message headers seemed to indicate that they were either sent from my account or were forged to make it look like they came from me.

Please check to make sure the email server hasn't been compromised. Thank you.

_________________
> KieferSkunk
KieferSkunk (Site Owner) | Joined: 09 May 2001 | Posts: 455 | Location: Covington, WA
Posted: Thu Apr 10, 2008 2:36 pm

Okay, a little more info: It looks like the spam messages are going out with my email address on them, but they're coming from all sorts of other servers. I don't see any evidence that they're being sent from PlanetFurry.

Still, I'm receiving something like 2-3 "spam rejected" messages a minute. Is there any way we can stop this other than disabling the address these messages are being sent to? (I can do that, but it's going to mean a very painful several days of changing the email address on virtually every website I do business with.)

_________________
> KieferSkunk
Asalis (Registered User) | Joined: 08 Oct 2004 | Posts: 2020 | Location: Fort Worth, Tx
Posted: Thu Apr 10, 2008 3:04 pm

Something similar along those lines is happening to me, though instead of sending, I'm receiving spam from myself.
_________________
Asalis: (uh*sah*lis)

We, dig, giant robots!

http://www.youtube.com/watch?v=x7PjQnw_E0U

I hate the DMV
Kelvin (Registered User) | Joined: 08 Apr 2008 | Posts: 1022 | Location: That is not important. Just don't turn around.
Posted: Thu Apr 10, 2008 3:34 pm

Wait, are you guys talking about, like, a PF-hosted email? I didn't know this place did that.
_________________
Telegram: kelvinshadewing
KieferSkunk (Site Owner) | Joined: 09 May 2001 | Posts: 455 | Location: Covington, WA
Posted: Thu Apr 10, 2008 4:00 pm

You'd have to talk to the admins about that.
_________________
> KieferSkunk
KieferSkunk (Site Owner) | Joined: 09 May 2001 | Posts: 455 | Location: Covington, WA
Posted: Thu Apr 10, 2008 4:37 pm

(nods) I know how it works - I'm just dismayed that all of a sudden, I'm getting tons of "Your message was not delivered" bounce-backs for emails I didn't send. I had 120 of them show up in about half an hour. It seems to have slowed down now, but now that it's happening, I don't doubt it'll keep on happening unless something is being done to cut it down.
_________________
> KieferSkunk
mwalimu (Registered User) | Joined: 08 Nov 2002 | Posts: 782 | Location: Normal, IL
Posted: Thu Apr 10, 2008 6:27 pm

At a guess, what may be happening is that spam filtering programs have gotten too good at detecting and discarding spam that has fabricated, non-existent From: and Reply-to: addresses, so the spammers have responded by farming for more real addresses to stuff into these fields, even though many of them are outdated or seldom-used addresses that still work. Measures and countermeasures.
_________________
mwalimu
My webpage -*-*- My LiveJournal
Badgers and mushrooms and snakes, oh my!
ScottyDM (Registered User) | Joined: 12 Feb 2005 | Posts: 1137 | Location: Colorado Springs, Colorado, USA
Posted: Thu Apr 10, 2008 6:45 pm

Sounds like e-mail backscatter, which is similar to a Joe Job except backscatter is not the result of a malicious attack against PF. The problem exists because it's too easy to forge e-mail headers. Spammers do it all the time.

One possible solution to the problem is Sender Policy Framework (SPF), which works on the e-mail servers (the MTAs or mail transfer agents). It's normally invisible to users.

Here's the concept:

When you want to send an e-mail to a domain, your server (your MTA) does a DNS lookup for the MX record. This tells your MTA the IP addresses of all the machines that are authorized to receive e-mail for that domain. But what happens when your MTA receives e-mail from a domain? How does your MTA know that the server (sending MTA) it's talking to is authorized to send e-mail for that domain?

SPF attempts to address the issue.

SPF comes in two parts: The first is a record in your DNS zone that lists all the machines (the outgoing MTAs) that are authorized to send e-mail for your domain. The second part is in the receiving MTA, special code that checks the domains of all incoming e-mail for SPF records and then applies the information it finds to determine if the e-mail is a forgery--which is an excellent indicator that it's spam. Or to put it another way: if you knew for a fact that the e-mail you just received had forged headers, what would you do with it? MTAs which check SPF records usually do this check first, and if the incoming e-mail fails they immediately drop it on the floor. In fact some will drop the connection with the sending MTA before they even see the body of the e-mail.

The first part of SPF costs nothing to implement. Simply put a TXT record in your DNS zone. I've done this with all my zones. The record I use is:
Code:
TXT    v=spf1 mx -all
What that means is: I'm using SPF version 1, that any machines authorized to accept mail for my domain are also authorized to send it (check the MX records), and all other machines are specifically forbidden to send mail for the domain (- means forbidden).

If your MTA software is fairly new it may have SPF checking, so all you'd need to do is turn it on to eliminate some spam.

Besides reducing spam at the initial server connection, the real purpose of SPF is to eliminate the Joe Job. It does this by proving that you could not possibly be the originator of all those nasty e-mails. This can keep your MTA off the RBL blacklists and gives you leverage when dealing with irate admins: "We have an SPF record. If you had properly configured your e-mail server we wouldn't even be having this conversation, and you'd have a lot less spam to deal with." And it can also be leverage when dealing with your connection provider who might be investigating why they are suddenly getting a bunch of complaints about spam from your domain.

The one massive weak spot with SPF is that real, authorized users cannot send out e-mail using your domain unless they send it through one of the MTAs named by your SPF record. The simplest solution is for PF members with e-mail to use the PF e-mail box only for receiving e-mail. Another solution is for them to set up a "reply to" in their e-mail client as well as the "from" ("from" is the e-mail address their ISP gave them and "reply to" will be their PF e-mail). The third solution is to allow users to remotely login to the PF e-mail server and use it for sending e-mail--a solution fraught with several possible security problems.

Anyway, look into SPF.

Scotty

_________________
Kantaro wrote:
Almost real enough to be considered non-fiction, if it weren't made up.
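The receiving-side half of SPF that ScottyDM describes, worked through as an added example (not code from the thread or from any MTA): a minimal evaluator that walks the a / mx / include / -all mechanisms of a published record against a sending IP. The DNS table is constructed in memory from the addresses quoted later in the thread (a real MTA would query DNS), and the include loop limit and "none" result for a missing record are simplifications.

```python
"""Minimal SPF (v=spf1) evaluator over a constructed, in-memory DNS table."""
import ipaddress

# Constructed zone data (TXT/A/MX records keyed by domain), not live DNS.
DNS = {
    "planetfurry.com": {"txt": "v=spf1 a mx include:gmail.com -all",
                        "a": ["209.153.126.3"],
                        "mx": ["mail.planetfurry.com"]},
    "mail.planetfurry.com": {"a": ["209.153.126.3"]},
    "gmail.com": {"txt": "v=spf1 a -all",   # simplified stand-in record
                  "a": ["72.14.253.83", "64.233.171.83", "64.233.161.83"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _a_records(host):
    return DNS.get(host, {}).get("a", [])


def check_spf(domain, sender_ip, depth=0):
    """Return the SPF result for sender_ip claiming to send for domain."""
    record = DNS.get(domain, {}).get("txt")
    if record is None or depth > 10:      # no record, or runaway include chain
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:       # skip the "v=spf1" version tag
        qual = "+"                        # default qualifier is "pass"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":                 # matches everything not matched above
            matched = True
        elif mech == "a":                 # sender IP is an A record of the domain
            matched = str(ip) in _a_records(arg or domain)
        elif mech == "mx":                # sender IP is an A record of an MX host
            mx_hosts = DNS.get(arg or domain, {}).get("mx", [])
            matched = any(str(ip) in _a_records(mx) for mx in mx_hosts)
        elif mech == "include":           # recurse into the other domain's record
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        elif mech == "ip4":               # explicit address or CIDR block
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            continue                      # unknown mechanism: ignored here
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                      # fell off the end without "all"
```

A bounce-generating MTA that ran this check at connection time would see "fail" for the forged mail that produced the backscatter in this thread, and could reject it instead of bouncing to the forged address.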
anthony (Site Owner) | Joined: 12 Nov 2001 | Posts: 1304 | Location: Norway
Posted: Fri Apr 11, 2008 6:23 am

Don't all messages sent through the webmail solution (Squirrelmail) here on PF go through the correct server?
_________________
"My name's Lion, Anthony Lion"
A fur with a license to purr...
---
Like my Avatar?
Why not surf over to www.micecomics.com and tell Mary what a stellar job she did...
KieferSkunk (Site Owner) | Joined: 09 May 2001 | Posts: 455 | Location: Covington, WA
Posted: Fri Apr 11, 2008 11:34 am

Yes, as do messages sent through properly-configured POP mail clients, such as Outlook and Eudora. It's a matter of specifying the correct SMTP server and any configuration settings needed to authenticate.

The bounce-back spam seems to have stopped now. Perhaps this was just an email bomb that I happened to get hit with. Or maybe the servers in question have just started ignoring me. I'll keep an eye on it.

Speaking of Squirrelmail, though: Is there any chance we can get a more advanced web mail reader on our servers? Squirrelmail makes it nearly impossible to read any messages that weren't sent in straight text, and it doesn't forward messages properly either.

_________________
> KieferSkunk
ScottyDM (Registered User) | Joined: 12 Feb 2005 | Posts: 1137 | Location: Colorado Springs, Colorado, USA
Posted: Fri Apr 11, 2008 11:44 pm

Forgive me. My fingers got ahead of my brain....
DIG planetfurry.com wrote:
v=spf1 a mx include:gmail.com -all

Under the circumstances, that's about all you can do.

The "a" says "planetfurry.com" (209.153.126.3) may send mail, the "mx" says "mail.planetfurry.com" (209.153.126.3) may send mail, and the "include:gmail.com" says that "gmail.com" (72.14.253.83; 64.233.171.83; and 64.233.161.83) may send mail.

Scotty

_________________
Kantaro wrote:
Almost real enough to be considered non-fiction, if it weren't made up.
All times are GMT - 4 Hours