My webmaster catch-all email address started receiving a lot of "Delivery Status Notification (Failure)" replies from various email systems, on the order of 1 per hour.
It's obviously spam being sent, as the content is about medications. I'm trying to figure out if:
1) It is not being sent by us, but the reply-to field is being set to our site, and therefore we receive the failure notification, or
2) Our system has been compromised and it's being sent by us, hurting our reputation. Also, if this is the case, where do I look to fix the problem?!
Thanks!
Here is an example:
Delivery to the following recipient failed permanently:
grdchurch@mail.calvinseminary.edu
Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 550 550 5.1.1 ... User unknown (state 13).
----- Original message -----
Received: by 10.204.152.70 with SMTP id f6mr6872450bkw.7.1341224023720;
Mon, 02 Jul 2012 03:13:43 -0700 (PDT)
Received: by 10.204.152.70 with SMTP id f6mr6872447bkw.7.1341224023673;
Mon, 02 Jul 2012 03:13:43 -0700 (PDT)
Return-Path:
Received: from 94.98.142.218 ([94.98.142.218])
by mx.google.com with ESMTP id hi9si10538192bkc.151.2012.07.02.03.13.38;
Mon, 02 Jul 2012 03:13:39 -0700 (PDT)
Received-SPF: neutral (google.com: 94.98.142.218 is neither permitted nor denied by best guess record for domain of Ester7CB4674@mysite.com) client-ip=94.98.142.218;
Authentication-Results: mx.google.com; spf=neutral (google.com: 94.98.142.218 is neither permitted nor denied by best guess record for domain of Ester7CB4674@mysite.com) smtp.mail=Ester7CB4674@mysite.com
Date: Mon, 02 Jul 2012 03:13:39 -0700 (PDT)
Message-Id: <20120702131340.6C18454BE719A3A513E9@USER-PC>
From: Leslie Browning
To: grdchurch
Reply-To: Maryanne Whitehead
Subject: For grdchurch
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
best ED meds! Be confident! Buy here http://www.akermedic.ru/
B3B0ED3F2E14A898C2C644020D7E9A8071
30DA492A4CF3EB0A0E3DE1371040BE5C81
4C9CF9C9AC2D7881DACD5D1B0A9A460
Answer
My first quick check would be whether you're from Saudi Arabia, as the "received-from" IP is from a pool of home DSL users in SA. If not, my first instinct would be that no, it's not from you.
Second, you can check your system logs on the mail server and see if it's showing any outgoing mail.
Third, check that your router is only allowing outgoing activity on port 25 from your mail server; compromised workstations can otherwise send email, and it would appear to come from your outgoing IP.
Fourth would be to run a packet sniffer on the mail server if you want to verify that it isn't sending extra email, or insert a system that can run wireshark/tcpdump between the mail server and the router for a "clean catch" of network traffic, as compromised systems can hide what they're doing if rootkitted.
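The answer's first check, done mechanically rather than by eye: walk the Received chain quoted in the bounce, pull out the public IP that handed the message to the first mail exchanger, compare it with the sender's own outbound address(es), and read the SPF verdict the receiver recorded. This is an added example and not code from the original post or its answer; the headers it parses are the ones quoted on this page, and the OUR_OUTBOUND_IPS value is an assumed placeholder.

```python
"""Triage a bounce that quotes the original message's headers.

This is an added example, not code from the original post or its answer.
It does mechanically what the answer's first check does by eye: find the
public IP that handed the message to the first mail exchanger, compare it
with the sender's own outbound IP(s), and read the SPF verdict the
receiver recorded. OUR_OUTBOUND_IPS in the demo is an assumed value.
"""
import ipaddress
import re
from email import message_from_string

# Headers quoted in the bounce on this page (the Return-Path value was
# blank on the page and is left blank here).
BOUNCED_HEADERS = """\
Received: by 10.204.152.70 with SMTP id f6mr6872450bkw.7.1341224023720;
        Mon, 02 Jul 2012 03:13:43 -0700 (PDT)
Received: by 10.204.152.70 with SMTP id f6mr6872447bkw.7.1341224023673;
        Mon, 02 Jul 2012 03:13:43 -0700 (PDT)
Return-Path:
Received: from 94.98.142.218 ([94.98.142.218])
        by mx.google.com with ESMTP id hi9si10538192bkc.151.2012.07.02.03.13.38;
        Mon, 02 Jul 2012 03:13:39 -0700 (PDT)
Received-SPF: neutral (google.com: 94.98.142.218 is neither permitted nor denied by best guess record for domain of Ester7CB4674@mysite.com) client-ip=94.98.142.218;
Authentication-Results: mx.google.com; spf=neutral (google.com: 94.98.142.218 is neither permitted nor denied by best guess record for domain of Ester7CB4674@mysite.com) smtp.mail=Ester7CB4674@mysite.com
Date: Mon, 02 Jul 2012 03:13:39 -0700 (PDT)
Message-Id: <20120702131340.6C18454BE719A3A513E9@USER-PC>
From: Leslie Browning
To: grdchurch
Reply-To: Maryanne Whitehead
Subject: For grdchurch

"""

# The address in square brackets is the one the receiving MTA actually saw
# on the TCP connection; the name before it is only what the client claimed.
_BRACKETED_IPV4 = re.compile(r'^from\s.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]')


def received_chain(headers_text):
    """Return the unfolded Received headers in the order they appear."""
    msg = message_from_string(headers_text)
    return [' '.join(value.split()) for value in msg.get_all('Received', [])]


def originating_ip(headers_text):
    """Public IPv4 address that delivered the message to the first receiving MTA.

    Each hop prepends its own Received header, so the earliest hop is the
    last one; walk from the bottom and take the first bracketed address
    that is globally routable (internal 10.x relays are skipped).
    """
    for hop in reversed(received_chain(headers_text)):
        match = _BRACKETED_IPV4.search(hop)
        if match:
            addr = ipaddress.ip_address(match.group(1))
            if addr.is_global:
                return str(addr)
    return None


def spf_result(headers_text):
    """SPF verdict (pass/fail/softfail/neutral/none) from Authentication-Results."""
    msg = message_from_string(headers_text)
    match = re.search(r'\bspf=(\w+)', msg.get('Authentication-Results', ''))
    return match.group(1) if match else None


def spf_record_missing(headers_text):
    """Google writes 'best guess record' when the sender domain publishes no SPF record."""
    msg = message_from_string(headers_text)
    return 'best guess record' in msg.get('Received-SPF', '')


def triage(headers_text, our_outbound_ips):
    """Classify the bounce: did the original leave from one of our IPs or not?"""
    ours = {str(ipaddress.ip_address(ip)) for ip in our_outbound_ips}
    origin = originating_ip(headers_text)
    if origin is None:
        verdict = 'undetermined'
    elif origin in ours:
        verdict = 'sent-from-our-ip'   # next: mail logs, egress filter, sniffer
    else:
        verdict = 'forged-sender'      # backscatter from spam sent elsewhere
    return verdict, origin, spf_result(headers_text)


if __name__ == '__main__':
    # Assumed value: replace with the public IP(s) your mail server sends from.
    OUR_OUTBOUND_IPS = ['203.0.113.25']
    verdict, origin, spf = triage(BOUNCED_HEADERS, OUR_OUTBOUND_IPS)
    print(f'verdict={verdict} origin={origin} spf={spf} '
          f'spf_record_missing={spf_record_missing(BOUNCED_HEADERS)}')
```

On the page's headers this yields `forged-sender` with origin 94.98.142.218, matching the answer. Only a `sent-from-our-ip` verdict calls for the answer's remaining steps (mail logs, port 25 egress filtering, a sniffer). The "best guess record" wording in Received-SPF is what Google reports when the sender domain publishes no SPF record at all; publishing one (ending in `-all`) lets receivers reject these forgeries outright instead of accepting them and bouncing to your catch-all.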