KieferSkunk Site Owner
Joined: 09 May 2001 Posts: 455 Location: Covington, WA
Posted: Thu Apr 10, 2008 2:30 pm Post subject: Email server may have been compromised!
It seems someone's found a way to send messages as me, because all of a sudden I received a veritable flood of "Undeliverable Message" emails in my inbox. They were all attempts to send spam, and the message headers seemed to indicate that they were either sent from my account or were forged to make it look like they came from me.
Please check to make sure the email server hasn't been compromised. Thank you. _________________ > KieferSkunk
KieferSkunk Site Owner
Joined: 09 May 2001 Posts: 455 Location: Covington, WA
Posted: Thu Apr 10, 2008 2:36 pm
Okay, a little more info: It looks like the spam messages are going out with my email address on them, but they're coming from all sorts of other servers. I don't see any evidence that they're being sent from PlanetFurry.
Still, I'm receiving something like 2-3 "spam rejected" messages a minute. Is there any way we can stop this other than disabling the address these messages are being sent to? (I can do that, but it's going to mean a very painful several days of changing the email address on virtually every website I do business with.) _________________ > KieferSkunk
Asalis Registered User
Joined: 08 Oct 2004 Posts: 2020 Location: Fort Worth, Tx
Posted: Thu Apr 10, 2008 3:04 pm
Something similar along those lines is happening to me, though instead of sending, I'm receiving spam from myself. _________________ Asalis: (uh*sah*lis)
We, dig, giant robots!
http://www.youtube.com/watch?v=x7PjQnw_E0U
I hate the DMV
Kelvin Registered User
Joined: 08 Apr 2008 Posts: 1022 Location: That is not important. Just don't turn around.
Posted: Thu Apr 10, 2008 3:34 pm
Wait, are you guys talking about, like, a PF-hosted email? I didn't know this place did that. _________________ Telegram: kelvinshadewing
Discord: kelvin#0465
KieferSkunk Site Owner
Joined: 09 May 2001 Posts: 455 Location: Covington, WA
Posted: Thu Apr 10, 2008 4:00 pm
You'd have to talk to the admins about that. _________________ > KieferSkunk
KieferSkunk Site Owner
Joined: 09 May 2001 Posts: 455 Location: Covington, WA
Posted: Thu Apr 10, 2008 4:37 pm
(nods) I know how it works - I'm just dismayed that all of a sudden, I'm getting tons of "Your message was not delivered" bounce-backs for emails I didn't send. I had 120 of them show up in about half an hour. It seems to have slowed down now, but now that it's happening, I don't doubt it'll keep on happening unless something is being done to cut it down. _________________ > KieferSkunk
mwalimu Registered User
Joined: 08 Nov 2002 Posts: 782 Location: Normal, IL
Posted: Thu Apr 10, 2008 6:27 pm
At a guess, what may be happening is that spam filtering programs have gotten too good at detecting and discarding spam that has fabricated, non-existent From: and Reply-to: addresses, so the spammers have responded by farming for more real addresses to stuff into these fields, even though many of them are outdated or seldom-used addresses that still work. Measures and countermeasures. _________________ mwalimu
My webpage -*-*- My LiveJournal
Badgers and mushrooms and snakes, oh my!
ScottyDM Registered User
Joined: 12 Feb 2005 Posts: 1142 Location: Colorado Springs, Colorado, USA
Posted: Thu Apr 10, 2008 6:45 pm
Sounds like e-mail backscatter, which is similar to a Joe Job except backscatter is not the result of a malicious attack against PF. The problem exists because it's too easy to forge e-mail headers. Spammers do it all the time.
One possible solution to the problem is Sender Policy Framework (SPF), which works on the e-mail servers (the MTAs or mail transfer agents). It's normally invisible to users.
Here's the concept:
When you want to send an e-mail to a domain, your server (your MTA) does a DNS lookup for the MX record. This tells your MTA the IP addresses of all the machines that are authorized to receive e-mail for that domain. But what happens when your MTA receives e-mail from a domain? How does your MTA know that the server (sending MTA) it's talking to is authorized to send e-mail for that domain?
SPF attempts to address the issue.
SPF comes in two parts: The first is a record in your DNS zone that lists all the machines (the outgoing MTAs) that are authorized to send e-mail for your domain. The second part is in the receiving MTA, special code that checks the domains of all incoming e-mail for SPF records and then applies the information it finds to determine if the e-mail is a forgery--which is an excellent indicator that it's spam. Or to put it another way: if you knew for a fact that the e-mail you just received had forged headers, what would you do with it? MTAs which check SPF records usually do this check first, and if the incoming e-mail fails they immediately drop it on the floor. In fact some will drop the connection with the sending MTA before they even see the body of the e-mail.
The first part of SPF costs nothing to implement. Simply put a TXT record in your DNS zone. I've done this with all my zones. The record I use is: What that means is: I'm using SPF version 1, that any machines authorized to accept mail for my domain are also authorized to send it (check the MX records), and all other machines are specifically forbidden to send mail for the domain (- means forbidden).
If your MTA software is fairly new it may have SPF checking, so all you'd need to do is turn it on to eliminate some spam.
Besides reducing spam at the initial server connection, the real purpose of SPF is to eliminate the Joe Job. It does this by proving that you could not possibly be the originator of all those nasty e-mails. This can keep your MTA off the RBL blacklists and gives you leverage when dealing with irate admins: "We have an SPF record. If you had properly configured your e-mail server we wouldn't even be having this conversation, and you'd have a lot less spam to deal with." And it can also be leverage when dealing with your connection provider who might be investigating why they are suddenly getting a bunch of complaints about spam from your domain.
The one massive weak spot with SPF is that real, authorized users cannot send out e-mail using your domain unless they send it through one of the MTAs named by your SPF record. The simplest solution is for PF members with e-mail to use the PF e-mail box only for receiving e-mail. Another solution is for them to set up a "reply to" in their e-mail client as well as the "from" ("from" is the e-mail address their ISP gave them and "reply to" will be their PF e-mail). The third solution is to allow users to remotely log in to the PF e-mail server and use it for sending e-mail--a solution fraught with several possible security problems.
Anyway, look into SPF.
Scotty _________________
Kantaro wrote: Almost real enough to be considered non-fiction, if it weren't made up.
anthony Site Owner
Joined: 12 Nov 2001 Posts: 1304 Location: Norway
Posted: Fri Apr 11, 2008 6:23 am
Don't all messages sent through the webmail solution (Squirrelmail) here on PF go through the correct server? _________________ "My name's Lion, Anthony Lion"
A fur with a license to purr...
---
Like my Avatar?
Why not surf over to www.micecomics.com and tell Mary what a stellar job she did...
KieferSkunk Site Owner
Joined: 09 May 2001 Posts: 455 Location: Covington, WA
Posted: Fri Apr 11, 2008 11:34 am
Yes, as do messages sent through properly-configured POP mail clients, such as Outlook and Eudora. It's a matter of specifying the correct SMTP server and any configuration settings needed to authenticate.
The bounce-back spam seems to have stopped now. Perhaps this was just an email bomb that I happened to get hit with. Or maybe the servers in question have just started ignoring me. I'll keep an eye on it.
Speaking of Squirrelmail, though: Is there any chance we can get a more advanced web mail reader on our servers? Squirrelmail makes it nearly impossible to read any messages that weren't sent in straight text, and it doesn't forward messages properly either. _________________ > KieferSkunk
ScottyDM Registered User
Joined: 12 Feb 2005 Posts: 1142 Location: Colorado Springs, Colorado, USA
Posted: Fri Apr 11, 2008 11:44 pm
Forgive me. My fingers got ahead of my brain....
DIG planetfurry.com wrote:
    v=spf1 a mx include:gmail.com -all
Under the circumstances, that's about all you can do.
The "a" says "planetfurry.com" (209.153.126.3) may send mail, the "mx" says "mail.planetfurry.com" (209.153.126.3) may send mail, and the "include:gmail.com" says that "gmail.com" (72.14.253.83; 64.233.171.83; and 64.233.161.83) may send mail.
Scotty _________________
Kantaro wrote: Almost real enough to be considered non-fiction, if it weren't made up.
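Scotty's two posts above describe how a receiving MTA evaluates an SPF record (the TXT record, the a, mx and include mechanisms, and -all). The following is an added Python example, not code from this thread or from PlanetFurry: it evaluates the quoted planetfurry.com record against a constructed in-memory DNS table, where the gmail.com policy it includes is a made-up placeholder rather than Google's real record, and the names DNS, lookup, check_host and mta_action are this example's own.

```python
import ipaddress
# Constructed, offline stand-in for DNS; a real checker queries TXT, A and MX.
# The planetfurry.com record and addresses are the ones quoted in the thread;
# the gmail.com record is a made-up placeholder, not Google's real policy.
DNS = {
    "planetfurry.com": {"TXT": "v=spf1 a mx include:gmail.com -all",
                        "A": ["209.153.126.3"], "MX": ["mail.planetfurry.com"]},
    "mail.planetfurry.com": {"A": ["209.153.126.3"]},
    "gmail.com": {"TXT": "v=spf1 ip4:72.14.253.83 ip4:64.233.171.83 "
                         "ip4:64.233.161.83 -all"},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rrtype):
    return DNS.get(name, {}).get(rrtype, [])

def check_host(ip, domain, depth=0):
    """Simplified RFC 4408 check_host: result for sender `ip` claiming `domain`."""
    if depth > 10:            # include: recursion limit guards against loops
        return "permerror"
    record = DNS.get(domain, {}).get("TXT")
    if not record or not record.startswith("v=spf1"):
        return "none"         # no SPF policy published for this domain
    sender = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"       # a mechanism yields "pass" unless prefixed
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = sender in ipaddress.ip_network(arg, strict=False)
        elif name == "a":     # A record(s) of the domain (or of arg)
            matched = str(sender) in lookup(arg or domain, "A")
        elif name == "mx":    # A record(s) of every MX host of the domain
            matched = any(str(sender) in lookup(mx, "A")
                          for mx in lookup(arg or domain, "MX"))
        elif name == "include":  # matches only if the included policy passes
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"   # mechanism this toy does not implement
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"          # ran off the end with no "all" term

def mta_action(result):
    """Receiving-MTA action as the thread describes it: hard fail is rejected."""
    return {"fail": "reject", "softfail": "accept-and-flag"}.get(result, "accept")
```

A sender at 209.153.126.3 passes via "a", one of the placeholder gmail.com addresses passes via "include", and any other address hits "-all" and is rejected at SMTP time.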