how does this spam abuse of Received: header work?
on 02.08.2006 14:22:40 by progressdll
Here are the headers of a spam mail we got (see end of mail). The
moment our mailserver gets the message it adds this "Received" header:
Received: from abc@nol.be by linuxnol2004 by uid 64011 with
qmail-scanner-1.21
(clamscan: 0.87 Clear:RC:0(86.199.245.214):.
But what is wrong is the from "abc@nol.be" because that is my email
address. But I have not sent it so that is wrong.
And then it gets past this procmail recipe?
:0fw
* ! ^From.*@nol.be
| /usr/bin/spamassassin -P
Is this being missed because of the "Received: from abc@nol.be by
linuxnol2004 ..." part?
I thought that ^From means "line must start with From".
Any ideas what is going on?
Return-Path:
Delivered-To: abc@nol.be
>From abc@nol.be Wed Aug 02 11:44:49 2006
Return-Path:
Delivered-To: nol.be-abc@nol.be
Received: (qmail 10275 invoked by uid 1002); 2 Aug 2006 11:44:49 -0000
Received: from abc@nol.be by linuxnol2004 by uid 64011 with
qmail-scanner-1.21
(clamscan: 0.87 Clear:RC:0(86.199.245.214):.
Processed in 4.373077 secs); 02 Aug 2006 11:44:49 -0000
Received: from unknown (HELO
ARouen-251-1-94-214.w86-199.abo.wanadoo.fr) (86.199.245.214)
by 198.9.200.225 with SMTP; Wed, 02 Aug 2006 11:44:44 +0000
Return-path:
Received: from pop.mailprotect.be (pop.mailprotect.be [194.150.224.25])
by ARouen-251-1-94-214.w86-199.abo.wanadoo.fr (Qmailv1) with
ESMTP id M46N0PFRR
for ; Wed, 02 Aug 2006 13:50:15 +0100
Received: from 216.40.201.25 ([artesumisura.com]:15661 "EHLO
[artesumisura.com]"
smtp-auth: "qcspqflul" TLS-CIPHER: TLS-PEER-CN1: )
by pop.mailprotect.be with ESMTP id R0f-2l168mu-4G (ORCPT
); Wed, 02 Aug 2006 11:26:14
-0400
Date: Wed, 02 Aug 2006 11:26:14 -0400
From: "tartavull"
X-Mailer: The Bat! (v2.12.10) Pro
X-Priority: 3
Message-ID: <127675778106.2006080211261417307101@artesumisura.com>
To: abc@nol.be
Subject: Absolute sex? It is promising!
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Re: how does this spam abuse of Received: header work?
on 02.08.2006 19:38:45 by Alan Clifford
On Wed, 2 Aug 2006, progressdll wrote:
p> But what is wrong is the from "abc@nol.be" because that is my email
p> address. But i
p> have not send it so that is wrong.
Looks like it has passed through your mailserver to clamscan and that
utility has put in the received header.
p>
p> And then it gets past this procmail recipe?
p> :0fw
p> * ! ^From.*@nol.be
p> | /usr/bin/spamassassin -P
p>
p> Is this being missed because of the Received: from abc@nol.be by
p> linuxnol2004 ...
p> part?
p> I though that ^From means "line must start with From"
It will pick up the from line:
p> From abc@nol.be Wed Aug 02 11:44:49 2006
--
Alan
( If replying by mail, please note that all "sardines" are canned.
There is also a password autoresponder but, unless this a very
old message, a "tuna" will swim right through. )
Re: how does this spam abuse of Received: header work?
on 03.08.2006 00:48:30 by Sam
progressdll writes:
> Here are the header of a spam mail we got. ( see end if mail ) The
> moment our mailserver gets the message It add this "Received" header
> Received: from abc@nol.be by linuxnol2004 by uid 64011 with
> qmail-scanner-1.21
> (clamscan: 0.87 Clear:RC:0(86.199.245.214):.
> But what is wrong is the from "abc@nol.be" because that is my email
> address. But i
> have not send it so that is wrong.
If this is a web server, your server has been hacked.
>
> And then it gets past this procmail recipe?
> :0fw
> * ! ^From.*@nol.be
> | /usr/bin/spamassassin -P
>
> Is this being missed because of the Received: from abc@nol.be by
> linuxnol2004 ...
> part?
> I though that ^From means "line must start with From"
>
> Any ideas what is going on?
>
> Return-Path:
> Delivered-To: abc@nol.be
>>From abc@nol.be Wed Aug 02 11:44:49 2006
> Return-Path:
> Delivered-To: nol.be-abc@nol.be
> Received: (qmail 10275 invoked by uid 1002); 2 Aug 2006 11:44:49 -0000
> Received: from abc@nol.be by linuxnol2004 by uid 64011 with
> qmail-scanner-1.21
> (clamscan: 0.87 Clear:RC:0(86.199.245.214):.
> Processed in 4.373077 secs); 02 Aug 2006 11:44:49 -0000
> Received: from unknown (HELO
> ARouen-251-1-94-214.w86-199.abo.wanadoo.fr) (86.199.245.214)
> by 198.9.200.225 with SMTP; Wed, 02 Aug 2006 11:44:44 +0000
> Return-path:
> Received: from pop.mailprotect.be (pop.mailprotect.be [194.150.224.25])
> by ARouen-251-1-94-214.w86-199.abo.wanadoo.fr (Qmailv1) with
> ESMTP id M46N0PFRR
> for ; Wed, 02 Aug 2006 13:50:15 +0100
> Received: from 216.40.201.25 ([artesumisura.com]:15661 "EHLO
> [artesumisura.com]"
> smtp-auth: "qcspqflul" TLS-CIPHER: TLS-PEER-CN1: )
> by pop.mailprotect.be with ESMTP id R0f-2l168mu-4G (ORCPT
> ); Wed, 02 Aug 2006 11:26:14
> -0400
> Date: Wed, 02 Aug 2006 11:26:14 -0400
> From: "tartavull"
> X-Mailer: The Bat! (v2.12.10) Pro
> X-Priority: 3
> Message-ID: <127675778106.2006080211261417307101@artesumisura.com>
> To: abc@nol.be
> Subject: Absolute sex? It is promising!
> MIME-Version: 1.0
> Content-Type: text/plain; charset=us-ascii
> Content-Transfer-Encoding: 7bit
>
Re: how does this spam abuse of Received: header work?
on 03.08.2006 02:48:57 by gtaylor
On 08/02/06 07:22, progressdll wrote:
> Here are the header of a spam mail we got. ( see end if mail ) The
> moment our mailserver gets the message It add this "Received" header
> Received: from abc@nol.be by linuxnol2004 by uid 64011 with
> qmail-scanner-1.21
> (clamscan: 0.87 Clear:RC:0(86.199.245.214):.
> But what is wrong is the from "abc@nol.be" because that is my email
> address. But i have not send it so that is wrong.
I'm a Sendmail person myself so I'm not all that familiar with qmail. Can
someone tell me why qmail is saying the message is from the sending email
address rather than the sending host, as it appears to be doing?
> And then it gets past this procmail recipe?
> :0fw
> * ! ^From.*@nol.be
> | /usr/bin/spamassassin -P
Um, maybe it's just me, but I read that recipe as:
Pass any email NOT matching ^From.*@nol.be through the /usr/bin/spamassassin (with
"-P" option) binary.
Thus, seeing as how, for some reason, there is a "From" line that does fit
the match and the condition is inverted, the mail is thus not passed through SA.
> Is this being missed because of the Received: from abc@nol.be by
> linuxnol2004 ...
> part?
I don't think so.
> I though that ^From means "line must start with From"
*nod* It does.
> Any ideas what is going on?
If you look below, you have a line that is ">From abc@nol.be...". I took
the ">" at the start of the line to be your way of indicating the line in
question.
I'll also point out that you are looking for lines that start with "From",
so the following two lines will match.
From abc@nol.be Wed Aug 02 11:44:49 2006
From: "tartavull"
You should probably augment your recipe to look for a line that starts with
"From" followed by a ":" (colon) and one or more white space characters.
I.e. try:
:0fw
* ! ^From: .*@nol.be
| /usr/bin/spamassassin -P
> Return-Path:
> Delivered-To: abc@nol.be
>>From abc@nol.be Wed Aug 02 11:44:49 2006
This is the "^From.*@nol.be" line that you were matching.
> Return-Path:
> Delivered-To: nol.be-abc@nol.be
> Received: (qmail 10275 invoked by uid 1002); 2 Aug 2006 11:44:49 -0000
> Received: from abc@nol.be by linuxnol2004 by uid 64011 with
> qmail-scanner-1.21
> (clamscan: 0.87 Clear:RC:0(86.199.245.214):.
> Processed in 4.373077 secs); 02 Aug 2006 11:44:49 -0000
> Received: from unknown (HELO
> ARouen-251-1-94-214.w86-199.abo.wanadoo.fr) (86.199.245.214)
> by 198.9.200.225 with SMTP; Wed, 02 Aug 2006 11:44:44 +0000
> Return-path:
> Received: from pop.mailprotect.be (pop.mailprotect.be [194.150.224.25])
> by ARouen-251-1-94-214.w86-199.abo.wanadoo.fr (Qmailv1) with
> ESMTP id M46N0PFRR
> for ; Wed, 02 Aug 2006 13:50:15 +0100
ARouen-251-1-94-214.w86-199.abo.wanadoo.fr believes that the message is for
"abc@nol.be", your email address.
> Received: from 216.40.201.25 ([artesumisura.com]:15661 "EHLO
> [artesumisura.com]"
> smtp-auth: "qcspqflul" TLS-CIPHER: TLS-PEER-CN1: )
> by pop.mailprotect.be with ESMTP id R0f-2l168mu-4G (ORCPT
> ); Wed, 02 Aug 2006 11:26:14
> -0400
pop.mailprotect.be believes that the message is for
"qcspqflul@artesumisura.com". Do you know who that address is? Is such an
address one of yours that is forwarded to "abc@nol.be"? Or could this be a
list that someone has set up on their end, that they are sending the message
to, which is then re-sending the message?
> Date: Wed, 02 Aug 2006 11:26:14 -0400
> From: "tartavull"
I would consider this to be the real Unix from header.
> X-Mailer: The Bat! (v2.12.10) Pro
> X-Priority: 3
> Message-ID: <127675778106.2006080211261417307101@artesumisura.com>
> To: abc@nol.be
This "To:" header does not match what the first "Received:" header says the
message is to.
> Subject: Absolute sex? It is promising!
> MIME-Version: 1.0
> Content-Type: text/plain; charset=us-ascii
> Content-Transfer-Encoding: 7bit
Unless you can explain the change in recipient email addresses part way
through I'd agree with you completely that this message is spam.
Grant. . . .
Re: how does this spam abuse of Received: header work?
on 03.08.2006 03:56:52 by AK
Taylor, Grant wrote:
> On 08/02/06 07:22, progressdll wrote:
>
>> Here are the header of a spam mail we got. ( see end if mail ) The
>> moment our mailserver gets the message It add this "Received" header
>> Received: from abc@nol.be by linuxnol2004 by uid 64011 with
>> qmail-scanner-1.21
>> (clamscan: 0.87 Clear:RC:0(86.199.245.214):.
>> But what is wrong is the from "abc@nol.be" because that is my email
>> address. But i have not send it so that is wrong.
>
>
> I'm a Sendmail person my self so I'm not all that familiar with qmail.
> Can someone tell me why qmail is saying the message is from the sending
> email address rather than the sending host, as it appears to be doing.
>
This is not a standard qmail generated/added Received line. I think
that qmail-scanner inadvertently alters the ENV variables to
effect this change. Beyond the application of the qmail-queue patch,
how was qmail altered?
>> And then it gets past this procmail recipe?
>> :0fw
>> * ! ^From.*@nol.be
>> | /usr/bin/spamassassin -P
>
>
> Um, maybe it's just be, but I read that recipe as:
>
> Pass any email NOT ^From.*@nol.be through the /usr/bin/spamassassin
> (with "-P" option) binary.
>
> Thus seeing as how, for some reason, there is a "From" line that does
> fit the match and is inverted and thus not passed through SA.
>
The recipe above is just a filter. This could be a match on multiple
lines, as the prior poster stated.
You have the From and then four lines later the To: line with your address.
One way to know for sure is to enable logging in procmail
and then pipe the message into procmail and see what data is logged.
Using the \/ will get the matched data set in the MATCH variable,
i.e.:
:0fw
* ! ^From\/.*@nol\.be
| /usr/bin/spamassassin -P
A period will match any character; escaping it might help.
[Snip of other comingled comments from the previous three posters]
AK
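As an added illustration (not code from any poster, nor from procmail itself), this Python script emulates procmail's condition matching on a constructed copy of the headers quoted above. It shows that `^From.*@nol.be` hits only the mbox "From " envelope line (not the forged Received: line), that the negated condition therefore skips the spamassassin pipe, that Grant's `^From: .*@nol.be` lets it run, and what AK's `\/` token would leave in MATCH. Case-insensitive matching and per-line anchoring follow procmail's defaults.

```python
import re

# Constructed header block modelled on the headers quoted in this thread
# (abbreviated; addresses the posts elided are left out, not invented).
# The first line is the mbox "From " envelope line, not a "From:" header.
HEADERS = """\
From abc@nol.be Wed Aug 02 11:44:49 2006
Delivered-To: abc@nol.be
Received: from abc@nol.be by linuxnol2004 by uid 64011 with
  qmail-scanner-1.21
Received: from unknown (HELO ARouen-251-1-94-214.w86-199.abo.wanadoo.fr) (86.199.245.214)
  by 198.9.200.225 with SMTP; Wed, 02 Aug 2006 11:44:44 +0000
From: "tartavull"
To: abc@nol.be
Subject: Absolute sex? It is promising!
"""

# procmail conditions are case-insensitive unless the D flag is set, and
# ^ / $ anchor at every header line, which re.MULTILINE reproduces.
FLAGS = re.MULTILINE | re.IGNORECASE


def procmail_condition(pattern: str, headers: str) -> tuple[bool, str]:
    """Evaluate one procmail condition. Returns (matched, MATCH), where MATCH
    is the text matched to the right of a \\/ token, as procmail stores it."""
    head, token, tail = pattern.partition(r"\/")
    rx = re.compile(head + (f"({tail})" if token else ""), FLAGS)
    m = rx.search(headers)
    if not m:
        return False, ""
    return True, (m.group(1) if token else "")


def matching_lines(pattern: str, headers: str) -> list[str]:
    """List every header line the condition hits, to see *which* line fires."""
    rx = re.compile(pattern.replace(r"\/", ""), re.IGNORECASE)
    return [line for line in headers.splitlines() if rx.search(line)]


def spamassassin_runs(pattern: str, headers: str) -> bool:
    """The recipe negates its condition (`* ! pattern`): the pipe to
    spamassassin runs only when the pattern matches nowhere in the headers."""
    matched, _ = procmail_condition(pattern, headers)
    return not matched


if __name__ == "__main__":
    for pat in (r"^From.*@nol.be", r"^From: .*@nol.be", r"^From\/.*@nol\.be"):
        print(pat, matching_lines(pat, HEADERS), "SA runs:",
              spamassassin_runs(pat, HEADERS), "MATCH:", repr(procmail_condition(pat, HEADERS)[1]))
```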
Re: how does this spam abuse of Received: header work?
on 07.08.2006 16:41:24 by progressdll
Alan Clifford wrote:
>
> Looks like it has passed through you mailserver to clamscan and that
> utility has put in the received header.
>
I found the reason.
It is my qmail-scanner-queue software that wrote the header line.
I updated to the latest version, and now the headers look like this:
Received: from 211.109.227.102 by linuxnol2004 (envelope-from
, uid 64011) with qmail-scan (clamdscan: 0.88.2/1638.
perlscan: 2.01st.
Clear:RC:0(211.109.227.102):.
Processed in 4.283812 secs); 07 Aug 2006 11:46:30 -0000
It seems that the spammer is faking the envelope-from, but the new
version of qmail-scanner-queue is now giving me more useful info.