Users at my site have been getting spam with mail headers like this:
Return-Path: <sarahuhum@financier.com>
Received: from mx.mysite.com (IDENT:root@mx.mysite.com [192.168.1.212])
	by pop3.mysite.com (8.11.6/8.11.6) with ESMTP id h1DAIWT09833
	for <user@pop3.mysite.com>; Thu, 13 Feb 2003 03:18:32 -0700
Received: from financier.com ([218.75.181.134])
	by mx.mysite.com (8.11.0/8.11.0) with SMTP id h1DAHBR07876
	for <sales@mysite.com>; Thu, 13 Feb 2003 05:17:13 -0500
Message-ID: <000301e8aa71$aed76358$70201162@vcigsmq.ndm>
From: "sarah" <sarahuhum@financier.com>
To: actaeon@mx.mysite.com
Subject: S.a.f.e, Natural, Significant W.e.i.g.h.t L.o.s.s 3988nntj2-191FSNG7753haL-23
Date: Thu, 13 Feb 2003 15:50:04 -0600
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Importance: Normal
Status:
"sales@mysite.com" is a valid alias on mx.mysite.com, and "user@pop3.mysite.com" is on that alias, but "actaeon@mx.mysite.com" doesn't exist anywhere on any of our systems. I tried dumping a message from that address into port 25 on mx.mysite.com, but got a 550 User Unknown error.
/var/log/maillog on mx.mysite.com reports receiving this message and then delivering it to "user", but nothing looks suspicious there:
Feb 13 05:17:17 gate sendmail[7876]: h1DAHBR07876: from=<sarahuhum@financier.com>, size=1395, class=0, nrcpts=1, msgid=<000301e8aa71$aed76358$70201162@vcigsmq.ndm>, proto=SMTP, daemon=MTA, relay=[218.75.181.134]
Feb 13 05:17:18 gate sendmail[7877]: h1DAHBR07876: to=user@pop3.mysite.com, delay=00:00:05, xdelay=00:00:01, mailer=esmtp, pri=60896, relay=pop3.mysite.com. [192.168.3.37], dsn=2.0.0, stat=Sent (h1DAIWT09833 Message accepted for delivery)
How did this message end up in "user"'s mailbox? Is it possible for spammers to fake "to" addresses?
BTW, 218.75.181.134 appears to be an open relay.
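The headers quoted in the post carry two different kinds of recipient that are easy to conflate: the To: line is part of the message text the sender composed, while the address each MTA actually accepted in RCPT TO is what sendmail records in the "for <...>" clause of the Received: header it adds, and in the to= field of its maillog entry. The script below is an added example, not code from the original post or from sendmail; it parses a message and its maillog lines (both constructed here from the samples quoted above, with the log lines unwrapped), joins them on the sendmail queue ID that appears in both, and reports per hop whether the envelope recipient ever matched the To: header. The function names and the regular expressions are my own; the log regex assumes sendmail's from=/to= field layout as shown in the post.

```python
"""Compare a message's To: header with the envelope recipient recorded by each
MTA hop (Received: 'for <...>' clause) and by sendmail's maillog (to= field)."""
import re
import email
from email import policy

# Constructed sample, modelled on the headers quoted in the post. Continuation
# lines are tab-indented as RFC 5322 folding requires.
SAMPLE_MESSAGE = """\
Return-Path: <sarahuhum@financier.com>
Received: from mx.mysite.com (IDENT:root@mx.mysite.com [192.168.1.212])
\tby pop3.mysite.com (8.11.6/8.11.6) with ESMTP id h1DAIWT09833
\tfor <user@pop3.mysite.com>; Thu, 13 Feb 2003 03:18:32 -0700
Received: from financier.com ([218.75.181.134])
\tby mx.mysite.com (8.11.0/8.11.0) with SMTP id h1DAHBR07876
\tfor <sales@mysite.com>; Thu, 13 Feb 2003 05:17:13 -0500
From: "sarah" <sarahuhum@financier.com>
To: actaeon@mx.mysite.com
Subject: constructed sample

(body omitted)
"""

# Constructed sendmail log lines, unwrapped from the ones quoted in the post.
SAMPLE_MAILLOG = [
    "Feb 13 05:17:17 gate sendmail[7876]: h1DAHBR07876: from=<sarahuhum@financier.com>, "
    "size=1395, class=0, nrcpts=1, msgid=<000301e8aa71$aed76358$70201162@vcigsmq.ndm>, "
    "proto=SMTP, daemon=MTA, relay=[218.75.181.134]",
    "Feb 13 05:17:18 gate sendmail[7877]: h1DAHBR07876: to=user@pop3.mysite.com, "
    "delay=00:00:05, xdelay=00:00:01, mailer=esmtp, pri=60896, "
    "relay=pop3.mysite.com. [192.168.3.37], dsn=2.0.0, "
    "stat=Sent (h1DAIWT09833 Message accepted for delivery)",
]

# Receiving host, the queue ID it assigned, and the envelope recipient it accepted.
RECEIVED_RE = re.compile(r"\bby\s+(\S+).*?\bid\s+(\S+).*?\bfor\s+<([^>]+)>", re.I | re.S)
# sendmail's "qid: from=<addr>" / "qid: to=addr" log fields (assumed layout, as in the post).
LOG_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<field>from|to)=<?(?P<addr>[^,>]+)>?")


def received_hops(msg):
    """One (by_host, queue_id, envelope_rcpt) per Received: header, newest hop first."""
    hops = []
    for hdr in msg.get_all("Received", []):
        text = " ".join(str(hdr).split())  # collapse header folding
        m = RECEIVED_RE.search(text)
        if m:
            hops.append((m.group(1), m.group(2), m.group(3).lower()))
    return hops


def maillog_by_queue_id(lines):
    """Map queue ID -> {'from': sender, 'to': delivery target} from sendmail log lines."""
    log = {}
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            log.setdefault(m["qid"], {})[m["field"]] = m["addr"].strip().lower()
    return log


def analyze(raw_message, maillog_lines):
    """Join each Received: hop with its maillog entry and flag a To: header that no hop accepted."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    header_to = sorted({a.addr_spec.lower()
                        for h in msg.get_all("To", []) for a in h.addresses})
    log = maillog_by_queue_id(maillog_lines)
    hops = []
    for by_host, qid, env_rcpt in received_hops(msg):
        hops.append({
            "mta": by_host,
            "queue_id": qid,
            "envelope_rcpt": env_rcpt,               # what this MTA accepted in RCPT TO
            "logged_delivery_to": log.get(qid, {}).get("to"),  # where it then delivered
            "in_to_header": env_rcpt in header_to,
        })
    return {
        "header_to": header_to,
        "hops": hops,
        # True when the To: header names nobody that any hop actually accepted.
        "to_header_never_matched_envelope": bool(hops) and not any(h["in_to_header"] for h in hops),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_MESSAGE, SAMPLE_MAILLOG), indent=2))
```

Run against the constructed sample, the report shows that neither hop accepted actaeon@mx.mysite.com: mx.mysite.com accepted sales@mysite.com and, as the maillog to= field records, delivered it to the alias target user@pop3.mysite.com, which pop3.mysite.com then accepted. The two addresses differ on the mx hop by design (alias expansion happens after acceptance), so the script reports the Received: clause and the log field side by side rather than expecting them to be equal.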