Fake and annoying e-mails

 
Aprelium Forum Index -> Off Topic Discussions

AbyssUnderground (Joined: 31 Dec 2004, Posts: 3855)
Posted: Fri Sep 23, 2005 7:54 am    Post subject: Fake and annoying e-mails

I keep getting emails sent from various addresses of my own, e.g. something@abyssunderground.co.uk. The most recent one was:

Quote:
Message from ugf@abyssunderground.co.uk (ugf@abyssunderground.co.uk)

Message:

ugf@abyssunderground.co.uk
Content-Type: multipart/mixed; boundary="===============1648391460=="
MIME-Version: 1.0
Subject: e66f0bf1
To: ugf@abyssunderground.co.uk
bcc: bergkoch8@aol.com
From: ugf@abyssunderground.co.uk

This is a multi-part message in MIME format.

--===============1648391460==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

vozsof
--===============1648391460==--


I seem to be getting at least one a day at the moment. My SMTP and POP server both require authentication so I take it this is coming from someone else's server acting as my e-mail or they are wasting time using my contact me form.

What do you think?

P.S. I may put image verification on if this continues.
_________________
Andy (AbyssUnderground) (previously The Inquisitor)
www.abyssunderground.co.uk

Anonymoose (Joined: 09 Sep 2003, Posts: 2192)
Posted: Fri Sep 23, 2005 10:08 am

The from field is no useful indication at all of where the mail came from. You need to look at the headers.

Apart from this, there are so many viruses/worms at the moment that spew out email using the from: field as some random address at the domain it's sending to, it's not worth bothering with. I very much doubt any of it is coming from your contact form.

See my link in a reply to TRUSTpunk for an example:

http://www.aprelium.com/forum/viewtopic.php?t=7166
_________________

"Invent an idiot proof webserver and they'll invent a better idiot..."

AbyssUnderground (Joined: 31 Dec 2004, Posts: 3855)
Posted: Fri Sep 23, 2005 4:53 pm

OK, Thanks. I might put image verification on anyway to be on the safe side.
_________________
Andy (AbyssUnderground) (previously The Inquisitor)
www.abyssunderground.co.uk

AbyssUnderground (Joined: 31 Dec 2004, Posts: 3855)
Posted: Sat Sep 24, 2005 10:53 pm

OK, this is the header info.

Quote:
Return-Path: <ugf@abyssunderground.co.uk>
X-Original-To: webmaster@abyssunderground.co.uk
Delivered-To: abyss@m3ezw.co.uk
Received: from mspool2.st2.lyceu.net (mspool2.st2.lyceu.net [212.78.206.47])
by mdeliver1.st2.lyceu.net (Postfix) with ESMTP id CC9FB2FF6BE
for <webmaster@abyssunderground.co.uk>; Fri, 23 Sep 2005 03:21:35 +0200 (CEST)
Received: from mta07-winn.ispmail.ntl.com (mta07-winn.ispmail.ntl.com [81.103.221.47])
by mspool2.st2.lyceu.net (Postfix) with ESMTP id A4B5D93D410
for <webmaster@abyssunderground.co.uk>; Fri, 23 Sep 2005 03:21:35 +0200 (CEST)
Received: from aamta10-winn.ispmail.ntl.com ([81.103.221.35])
by mta07-winn.ispmail.ntl.com with ESMTP
id <20050923012128.VTDH21883.mta07-winn.ispmail.ntl.com@aamta10-winn.ispmail.ntl.com>
for <webmaster@abyssunderground.co.uk>;
Fri, 23 Sep 2005 02:21:28 +0100
Received: from webserver ([82.9.140.38]) by aamta10-winn.ispmail.ntl.com
with SMTP
id <20050923012128.EINJ6183.aamta10-winn.ispmail.ntl.com@webserver>
for <webmaster@abyssunderground.co.uk>;
Fri, 23 Sep 2005 02:21:28 +0100
Date: Fri, 23 Sep 2005 02:23:41 +0000
From: ugf@abyssunderground.co.uk
Subject: AbyssUnderground.co.uk Feedback Message
To: webmaster@abyssunderground.co.uk
Message-Id: <20050923012128.EINJ6183.aamta10-winn.ispmail.ntl.com@webserver>

_________________
Andy (AbyssUnderground) (previously The Inquisitor)
www.abyssunderground.co.uk

Anonymoose (Joined: 09 Sep 2003, Posts: 2192)
Posted: Sat Sep 24, 2005 11:52 pm

Those are some damn strange headers!

Are you running your own mail server? Is it set up to forward mail in any way?

Could you post the headers (or PM them) from a genuine message received in the same way?

Reason - you read the Received: section of email headers in reverse order. The last Received is actually the first 'hop' of message delivery.

Quote:

Received: from webserver ([82.9.140.38]) by aamta10-winn.ispmail.ntl.com
with SMTP
id <20050923012128.EINJ6183.aamta10-winn.ispmail.ntl.com@webserver>
for <webmaster@abyssunderground.co.uk>;


This is worrying if you do not have some weird mail forwarding system set up, as the IP used in this header resolves to Abyssunderground.co.uk...

Quote:

Non-authoritative answer:
Name: m3ezw.no-ip.com
Address: 82.9.140.38
Aliases: www.abyssunderground.co.uk


If you are running your own mail server, is it definitely set up to prevent relaying?

If you're not running your own mail server, I'd suggest that you check your Abyss logs for abuse of your contact form at this time ( Fri, 23 Sep 2005 02:21:28 +0100 ) - I assume your contact form is using PHP/blat/whatever to send mail out to you?
_________________

"Invent an idiot proof webserver and they'll invent a better idiot..."
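The reverse reading of the Received: chain that Anonymoose describes, as an added example (not code from the thread): a Python script that parses the headers Andy quoted and reports the originating hop. The header text is the thread's own quote, embedded as a string so the script runs offline; the function names are assumptions.

```python
import email
import re

# The Received: chain Andy quoted for the forged message, embedded here as a
# string (constructed from the thread's quote) so the script runs offline.
FORGED_HEADERS = """\
Return-Path: <ugf@abyssunderground.co.uk>
Received: from mspool2.st2.lyceu.net (mspool2.st2.lyceu.net [212.78.206.47])
 by mdeliver1.st2.lyceu.net (Postfix) with ESMTP id CC9FB2FF6BE
 for <webmaster@abyssunderground.co.uk>; Fri, 23 Sep 2005 03:21:35 +0200 (CEST)
Received: from mta07-winn.ispmail.ntl.com (mta07-winn.ispmail.ntl.com [81.103.221.47])
 by mspool2.st2.lyceu.net (Postfix) with ESMTP id A4B5D93D410
 for <webmaster@abyssunderground.co.uk>; Fri, 23 Sep 2005 03:21:35 +0200 (CEST)
Received: from aamta10-winn.ispmail.ntl.com ([81.103.221.35])
 by mta07-winn.ispmail.ntl.com with ESMTP
 id <20050923012128.VTDH21883.mta07-winn.ispmail.ntl.com@aamta10-winn.ispmail.ntl.com>
 for <webmaster@abyssunderground.co.uk>; Fri, 23 Sep 2005 02:21:28 +0100
Received: from webserver ([82.9.140.38]) by aamta10-winn.ispmail.ntl.com
 with SMTP id <20050923012128.EINJ6183.aamta10-winn.ispmail.ntl.com@webserver>
 for <webmaster@abyssunderground.co.uk>; Fri, 23 Sep 2005 02:21:28 +0100
From: ugf@abyssunderground.co.uk

"""

# "from <host> (<comment>) by <host>": the comment carries the connecting IP
# in square brackets, as recorded by the relay that accepted the connection.
HOP_RE = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?\s*by\s+(\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(raw_headers):
    """Return the Received: lines top to bottom as dicts (from, ip, by)."""
    msg = email.message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold the continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue  # a relay wrote a line in a shape this regex does not cover
        ip = IP_RE.search(m.group(2) or "")
        hops.append({"from": m.group(1), "ip": ip.group(1) if ip else None,
                     "by": m.group(3)})
    return hops

def origin_hop(raw_headers):
    """Each relay prepends its own Received: line, so the bottom-most one is
    the first hop: the host that handed the message to the first relay."""
    hops = received_hops(raw_headers)
    return hops[-1] if hops else None
```

For the quoted headers the origin hop is webserver at 82.9.140.38, which is what the reply above points out; the From: header plays no part in that reading.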

AbyssUnderground (Joined: 31 Dec 2004, Posts: 3855)
Posted: Sun Sep 25, 2005 12:00 am

Thanks for the reply. I use my ISP's mailserver (pop.ntlworld.com) to send the e-mails. I don't have any mail server set up because I would hate my server to be down when I receive e-mails (I use my pro hosting SMTP and POP with AUTH enabled).

Here is the header from a genuine e-mail:

Quote:
Return-Path: <niza@filhr.com>
X-Original-To: webmaster@abyssunderground.co.uk
Delivered-To: abyss@m3ezw.co.uk
Received: from mspool1.st2.lyceu.net (mspool1.st2.lyceu.net [212.78.206.46])
by mdeliver1.st2.lyceu.net (Postfix) with ESMTP id D517B2F5523
for <webmaster@abyssunderground.co.uk>; Mon, 29 Aug 2005 03:55:59 +0200 (CEST)
Received: from mta09-winn.ispmail.ntl.com (mta09-winn.ispmail.ntl.com [81.103.221.49])
by mspool1.st2.lyceu.net (Postfix) with ESMTP id AF1063716B2
for <webmaster@abyssunderground.co.uk>; Mon, 29 Aug 2005 03:55:59 +0200 (CEST)
Received: from aamta12-winn.ispmail.ntl.com ([81.103.221.35])
by mta09-winn.ispmail.ntl.com with ESMTP
id <20050829015558.UPRN9239.mta09-winn.ispmail.ntl.com@aamta12-winn.ispmail.ntl.com>
for <webmaster@abyssunderground.co.uk>;
Mon, 29 Aug 2005 02:55:58 +0100
Received: from webserver ([82.9.140.38]) by aamta12-winn.ispmail.ntl.com
with SMTP
id <20050829015558.OYRM29701.aamta12-winn.ispmail.ntl.com@webserver>
for <webmaster@abyssunderground.co.uk>;
Mon, 29 Aug 2005 02:55:58 +0100
Date: Mon, 29 Aug 2005 02:58:31 +0000
From: niza@filhr.com
Subject: AbyssUnderground.co.uk Feedback Message
To: webmaster@abyssunderground.co.uk
Message-Id: <20050829015558.OYRM29701.aamta12-winn.ispmail.ntl.com@webserver>



For some reason Abyss has stopped logging requests on the 29th of August for no apparent reason... I possibly disabled it.

Because of this I have no record of people using the form except for anything logged on my php stats form which gives no real information (just the IP, time, data and referrer url).

See what you can work out from the REAL header info.

EDIT: BTW, 82.9.140.38 IS my IP.
_________________
Andy (AbyssUnderground) (previously The Inquisitor)
www.abyssunderground.co.uk

Anonymoose (Joined: 09 Sep 2003, Posts: 2192)
Posted: Sun Sep 25, 2005 12:40 am

If you're not running a mailserver, it is definitely abuse of your contact form - if you look at the first step of the Received chain, you'll see it is your own server again. This confirms the information from the other set of headers, it is definitely mail being sent from your form to you...

Quote:

Received: from webserver ([82.9.140.38]) by aamta12-winn.ispmail.ntl.com
with SMTP
id <20050829015558.OYRM29701.aamta12-winn.ispmail.ntl.com@webserver>
for <webmaster@abyssunderground.co.uk>;
Mon, 29 Aug 2005 02:55:58 +0100


If you check a period when you were logging, and still have mails from, you should be able to match up the times given in the first Received header very closely with any log of access to the contact page for any other set of dates.

If you programmed your contact form yourself, you could try adding a small piece of code blacklisting @abyssunderground.co.uk as a from address, as an alternative to using a captcha. If it's a free form that already includes a captcha option, switching it on should deal with the problem nicely :)

http://www.uic.edu/depts/accc/newsletter/adn29/headers.html is a great introduction to reading headers, http://www.stopspam.org/email/headers.html provides a much more detailed (and interesting) explanation if you have 5 minutes to kill...

Hope this helps.
_________________

"Invent an idiot proof webserver and they'll invent a better idiot..."

AbyssUnderground (Joined: 31 Dec 2004, Posts: 3855)
Posted: Sun Sep 25, 2005 12:42 am

OK Thanks. It is probably automated so I will add image verification to be sure.
_________________
Andy (AbyssUnderground) (previously The Inquisitor)
www.abyssunderground.co.uk

Anonymoose (Joined: 09 Sep 2003, Posts: 2192)
Posted: Sun Sep 25, 2005 1:01 am

Since it's probably polite to ask beforehand, would you mind if I test something with your contact form? Worst that can happen is you get one more junk mail...
_________________

"Invent an idiot proof webserver and they'll invent a better idiot..."

AbyssUnderground (Joined: 31 Dec 2004, Posts: 3855)
Posted: Sun Sep 25, 2005 1:02 am

Sure, no problem.
_________________
Andy (AbyssUnderground) (previously The Inquisitor)
www.abyssunderground.co.uk

Anonymoose (Joined: 09 Sep 2003, Posts: 2192)
Posted: Sun Sep 25, 2005 1:08 am

Quote:

Warning: mail(): SMTP server response: 550 relaying mail to abyssunderground.co.uk is not allowed in H:\www\post.php on line 32


Doh!
_________________

"Invent an idiot proof webserver and they'll invent a better idiot..."

AbyssUnderground (Joined: 31 Dec 2004, Posts: 3855)
Posted: Sun Sep 25, 2005 1:10 am

What did you try to do?


(BTW this is a custom built script, no fancy stuff in it, it just sends an e-mail, that's all!)
_________________
Andy (AbyssUnderground) (previously The Inquisitor)
www.abyssunderground.co.uk

Anonymoose (Joined: 09 Sep 2003, Posts: 2192)
Posted: Sun Sep 25, 2005 1:14 am

There is a new form of contact form abuse involving automated scripts which attempt to overflow the From: field when certain data is not filtered correctly. It allows the attacker to insert a CC: address and additional data into the mail header and therefore send out a spam to the CC address. I attempted to manually do this to send out a test mail to myself while sending you the original mail using the form...

Looks like it doesn't work, so that's one less thing for you to worry about :)
_________________

"Invent an idiot proof webserver and they'll invent a better idiot..."

AbyssUnderground (Joined: 31 Dec 2004, Posts: 3855)
Posted: Sun Sep 25, 2005 1:16 am

OK, thanks for doing the test. I don't know any other way to prevent it except to add image verification for it. This could be the only other way to do it.

Do you have MSN? If so could you PM me the address so we don't have to use the forums? I find it a little too slow posting and replying to topics.

Thanks in advance.
_________________
Andy (AbyssUnderground) (previously The Inquisitor)
www.abyssunderground.co.uk

Anonymoose (Joined: 09 Sep 2003, Posts: 2192)
Posted: Sun Sep 25, 2005 1:21 am

I'm living in the past - just forums and email for me on this pc... Sorry.

I can't guarantee my test was 100% accurate, but I'd hope that it's a good sign that it didn't work immediately.

You can find a technical discussion of the problem here:

http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/36718

The first post summarises it pretty well, there is a post further down that explains how to test for / filter the attack, if you find it is a problem.

I would suggest hacking a simple logging system into the form that just dumps all input to a plain text file for logging purposes for a week or two and keeping an eye on what happens...
_________________

"Invent an idiot proof webserver and they'll invent a better idiot..."
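Added example, not code from the thread or from Andy's post.php: the From-field check Anonymoose suggests in two earlier replies (refusing @abyssunderground.co.uk senders, and filtering the line-break header injection he tested for) together with the plain-text submission log this reply recommends, written in Python rather than PHP for illustration. OWN_DOMAIN comes from the thread; the function names, the log format and the example.com test addresses are assumptions.

```python
import re
from datetime import datetime, timezone

OWN_DOMAIN = "abyssunderground.co.uk"  # the site's own domain, from the thread

# One plain mailbox: no display name, no spaces, nothing that can end a header.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}")

def check_from_address(value):
    """Return (ok, reason) for a submitted From address.

    Rejects the two things the thread discusses: a line break in the field,
    which would let a submitter append Cc:/Bcc: lines when the value is pasted
    into the mail header, and a sender claiming to be at the site's own domain,
    which every junk submission in the thread used."""
    if "\r" in value or "\n" in value:
        return False, "line break in address (header injection attempt)"
    if not ADDRESS_RE.fullmatch(value):  # fullmatch: '$' alone would allow a trailing newline
        return False, "not a single plain address"
    domain = value.rsplit("@", 1)[1].lower()
    if domain == OWN_DOMAIN or domain.endswith("." + OWN_DOMAIN):
        return False, "sender claims to be @" + OWN_DOMAIN
    return True, "ok"

def build_extra_headers(from_addr):
    """Return the additional headers handed to the mailer, built only from a
    value that passed validation so nothing submitter-controlled is spliced raw."""
    ok, reason = check_from_address(from_addr)
    if not ok:
        raise ValueError(reason)
    return "From: %s\r\nReply-To: %s\r\n" % (from_addr, from_addr)

def format_log_line(remote_ip, fields, when=None):
    """One line per submission for the plain-text log suggested in the thread:
    UTC timestamp (to line up with the Received: headers), client IP and the raw
    fields. repr() escapes CR/LF, so an injection attempt stays on one line and
    is visible when reading the file."""
    when = when or datetime.now(timezone.utc)
    return "%s %s %r" % (when.strftime("%Y-%m-%d %H:%M:%S %z"), remote_ip, fields)
```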

AbyssUnderground (Joined: 31 Dec 2004, Posts: 3855)
Posted: Sun Sep 25, 2005 1:25 am

OK, Thanks very much for your help, greatly appreciated. I don't have time now (off to bed in a few minutes, early start tomorrow) but I will try and see if I can set up a log file for it. I know when they are fake because they are:

random letters/numbers@abyssunderground.co.uk so I just open them, look at them briefly then delete them.

Anyway, thanks again. I hope this stops soon :-(
_________________
Andy (AbyssUnderground) (previously The Inquisitor)
www.abyssunderground.co.uk

Anonymoose (Joined: 09 Sep 2003, Posts: 2192)
Posted: Sun Sep 25, 2005 10:46 am

The main reason for logging at the moment would just be to be 100% sure your form is not being abused in the fashion I described above, since your PC would appear to be the source of the spam to the recipients - which could obviously lead to problems for you down the line...

Good luck!
_________________

"Invent an idiot proof webserver and they'll invent a better idiot..."

All times are GMT + 1 Hour