Weird case of spam [qmail]

AxelTerizaki
n00b
Posts: 33
Joined: Sat Apr 12, 2003 11:09 pm

Post by AxelTerizaki » Mon Jul 10, 2006 11:20 am

Hello :)

One of the users of my mail server reported to me this strange case of spamming, apparently coming from his own address, to somewhere else. He noticed it because the message bounced back at him, since the recipient seems not to be valid.

Here is a copy of the headers of the "spam mail". I'll discuss it right after.

Note: myuser@rafal-team.net is obviously a false address I substituted for the real one.
Note 2: I also replaced the spam's subject on purpose.

Code:

Received: from bos-mail-rmail8.bos.lycos.com (rmail8.lycosmail.lycos.com [209.202.208.28])
	by spf7-13.us4.outblaze.com (Postfix) with SMTP id 93F923A33C
	for <fluorescentspear@mailcity.com>; Sun,  9 Jul 2006 23:01:54 +0000 (GMT)
Received: from rmail.lycosmail.lycos.com ([83.198.250.124]) by hermes of bos-mail-rmail8.bos.lycos.com (127.0.0.1) with SMTP id a6970Dr1q139164120 for <fluorescentspear@mailcity.com>; Sun, 09 Jul 2006 19:00:13 -0400 (EDT)
Received: from mail.rafal-team.net
	by --- (8.13.1/8.13.1) with ESMTP id ASQpQXpzcdMdZ
	for <fluorescentspear@mailcity.com>; Jan, 9 Jul 2006 22:58:22 -0300
Received: from [98.25.92.196]
	by mail.rafal-team.net with ESMTP (8.13.1/8.13.1) id RE6oaxpyeeYw0
	for <fluorescentspear@mailcity.com>; Jan, 9 Jul 2006 22:57:08 -0300
Reply-To: "myuser@rafal-team.net" <myuser@rafal-team.net>
From: "myuser@rafal-team.net" <myuser@rafal-team.net>
Date: Jan, 9 Jul 2006 22:46:37 -0300
Message-ID: fPpFlHxYLoX8E.oukmsu2ciXOdt@rafal-team.net
To: fluorescentspear@mailcity.com
Content-type: text/html;
 Charset=Windows-1251
Subject: *insert spammy subject here*
MIME-Version: 1.0
X-Hanmail-Peer-IP: 83.198.250.124
X-Hanmail-Class: X
X-Hanmail-Env-From: myuser@rafal-team.net
X-Hanmail-Checksum: 506-T6ps4o7FoqPsTeiGQXKuh/jxrTY=

My server uses qmail and vpopmail for SMTP-Auth, which allows my users to relay mail once they authenticate.

What I have checked so far:
  • Testing whether the server is an open relay: nope, it isn't.
  • Is my user infected by some kind of spamming trojan? Tested, and not infected.
  • I have not found any mention of a mail to deliver to mailcity.com in the qmail logs (I searched the qmail-send logs).
So basically, my question is: how did this happen? Could it be that the headers are completely forged and false? Could it be a process or a script spamming from my system? What verifications can I make to be sure of all that?

Thanks in advance for your help...
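One way to work through the question raised here, whether the headers could be forged and whether the mail really passed through the server, is to read the Received: chain oldest-first and look for inconsistencies. The Python script below is an added example, not something posted in this thread; it uses the headers quoted above as sample input and assumes the local MTA is qmail, whose qmail-smtpd stamps Received: lines as 'from <name> (HELO <helo>) (<ip>) by <host> with SMTP; <date>' (adjust QMAIL_HOP_RE for another MTA).

```python
import calendar
import re
from email import message_from_string
from email.utils import parsedate_tz

OUR_HOST = "mail.rafal-team.net"   # the server whose involvement is in question
# Assumption: qmail-smtpd stamps 'from <name> (HELO <helo>) (<ip>) by <host> with SMTP; <date>'.
QMAIL_HOP_RE = re.compile(r"^from \S+ \(HELO \S*\) \(\S+\) by \S+ with SMTP; ")
HOP_RE = re.compile(r"^from (?P<frm>\S+).*?\bby (?P<by>\S+).*?;\s*(?P<date>.+)$")
DAYNAMES = {"Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"}
# Sample input: the Received: lines quoted in the first post of the thread.
SAMPLE = """\
Received: from bos-mail-rmail8.bos.lycos.com (rmail8.lycosmail.lycos.com [209.202.208.28])
  by spf7-13.us4.outblaze.com (Postfix) with SMTP id 93F923A33C
  for <fluorescentspear@mailcity.com>; Sun,  9 Jul 2006 23:01:54 +0000 (GMT)
Received: from rmail.lycosmail.lycos.com ([83.198.250.124]) by hermes of bos-mail-rmail8.bos.lycos.com (127.0.0.1) with SMTP id a6970Dr1q139164120 for <fluorescentspear@mailcity.com>; Sun, 09 Jul 2006 19:00:13 -0400 (EDT)
Received: from mail.rafal-team.net
  by --- (8.13.1/8.13.1) with ESMTP id ASQpQXpzcdMdZ
  for <fluorescentspear@mailcity.com>; Jan, 9 Jul 2006 22:58:22 -0300
Received: from [98.25.92.196]
  by mail.rafal-team.net with ESMTP (8.13.1/8.13.1) id RE6oaxpyeeYw0
  for <fluorescentspear@mailcity.com>; Jan, 9 Jul 2006 22:57:08 -0300
"""

def parse_hops(raw_headers):
    """Return hops oldest-first as dicts: raw (unfolded), from, by, day, when (UTC epoch)."""
    hops = []
    for value in reversed(message_from_string(raw_headers).get_all("Received", [])):
        m = HOP_RE.match(" ".join(value.split()))   # unfold continuation lines first
        if not m:
            continue
        date = m.group("date")
        parsed = parsedate_tz(date)                  # None if the date is unparseable
        when = parsed and calendar.timegm(parsed[:9]) - (parsed[9] or 0)  # '-0000' -> UTC
        hops.append({"raw": m.string, "from": m.group("frm"), "by": m.group("by"),
                     "day": date.split(",")[0].strip() if "," in date else None, "when": when})
    return hops

def analyze(raw_headers, our_host=OUR_HOST, skew=300):
    """Flag bad day names, backwards clocks (beyond skew seconds), and a hop 'by' our host not in our MTA's format."""
    findings, prev = [], None
    for i, hop in enumerate(parse_hops(raw_headers), 1):
        if hop["day"] and hop["day"] not in DAYNAMES:
            findings.append(f"hop {i}: invalid day name {hop['day']!r} in date")
        if prev and hop["when"] and prev["when"] and hop["when"] < prev["when"] - skew:
            findings.append(f"hop {i}: timestamp earlier than hop {i - 1} by {prev['when'] - hop['when']} s")
        if hop["by"] == our_host and not QMAIL_HOP_RE.match(hop["raw"]):
            findings.append(f"hop {i}: claims to be stamped by {our_host} but not in qmail-smtpd format")
        prev = hop
    return findings
```

On the quoted headers this reports two hops carrying the non-existent day name "Jan", the lycos hop timestamped almost three hours before the hop that supposedly preceded it, and a line claimed to be stamped by mail.rafal-team.net that does not look like anything qmail writes. Only the Received: lines added by hosts you trust say anything reliable; the lower ones are whatever the connecting client chose to put in the message.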
GordSki
Guru
Posts: 329
Joined: Mon Oct 18, 2004 7:48 pm

Post by GordSki » Mon Jul 10, 2006 11:45 am

Hi,

Have you checked to see if your server will relay mail that appears to come from one of your valid users? This wouldn't be the same as an open relay because the mail looks like it's coming from your domain.

The headers you supplied suggest that the mail went through your server and started at: 98.25.92.196

This would rule out the other option, which would be that your user's address has been hijacked and forged.

G.
AxelTerizaki
n00b
Posts: 33
Joined: Sat Apr 12, 2003 11:09 pm

Post by AxelTerizaki » Mon Jul 10, 2006 12:08 pm

Hmmm. Well, I just asked my user to disable his SMTP auth in Thunderbird, and he then tried to send a mail to another address not hosted on the server (he tried to relay).

But he got rejected by the server, saying the domain wasn't in its list of rcpthosts, so I guess this eliminates the possibility of the server accepting mail from a known address, even without auth.
GordSki
Guru
Posts: 329
Joined: Mon Oct 18, 2004 7:48 pm

Post by GordSki » Mon Jul 10, 2006 12:45 pm

I'm guessing someone has nabbed/guessed your user's password then. The original spam message (or others like it) should appear in your logs and you should be able to tell if they are authenticating properly.

G.