Spam relay?

on 24.04.2008 13:16:50 by Joe Makowiec

I received the following email this morning; .com and .org changed to
.invalid:

/// Start copied message ///
From ???@??? Thu Apr 24 06:23:52 2008
X-Persona:
Return-Path:
Received: from spamfilter1.connetik.com ([142.166.135.76])
by makowiec.com (8.14.1/8.13.8) with ESMTP id m3O985v8013761
for ; Thu, 24 Apr 2008 05:08:16 -0400
MIME-Version: 1.0
From: Connetik Spam Firewall 1
Message-Id: <20080424073804.3040.qmail@orient>
Subject: **Message you sent blocked by our bulk email filter**
Content-Type: multipart/report; report-type=delivery-status;
charset=utf-8;
boundary="----------=_1209028080-22933-63"
To:
Date: Thu, 24 Apr 2008 06:08:00 -0300 (ADT)

Your message to: antigonish@coastalinns.invalid
was blocked by our Spam Firewall. The email you sent with the following subject has NOT BEEN DELIVERED:
Subject: 60% Off All Luxury Designer Shoes & Boots Men & Women Gucci Prada Chanel
Reporting-MTA: dns; spamfilter1.connetik.com
Received-From-MTA: smtp; spamfilter1.connetik.com ([127.0.0.1])
Arrival-Date: Thu, 24 Apr 2008 06:08:00 -0300 (ADT)

Final-Recipient: rfc822; antigonish@coastalinns.invalid
Action: failed
Status: 5.7.1
Diagnostic-Code: smtp; 550 5.7.1 Message content rejected, UBE, id=22933-01-43
Last-Attempt-Date: Thu, 24 Apr 2008 06:08:00 -0300 (ADT)

Received: from orient (localhost [127.0.0.1])
by spamfilter1.connetik.com (Spam Firewall) with SMTP id EC0931B84D3
for ; Thu, 24 Apr 2008 06:07:58 -0300 (ADT)
Received: from orient ([123.236.157.84]) by spamfilter1.connetik.com with SMTP id 7bRoZVvCgMJntF9P for ; Thu, 24 Apr 2008 06:07:58 -0300 (ADT)
X-Originating-IP: [35.15.2.3]
X-Originating-Email: [antigonish@coastalinns.invalid]
X-Sender: antigonish@coastalinns.invalid
Message-Id: <20080424073804.3040.qmail@orient>
To:
Subject: 60% Off All Luxury Designer Shoes & Boots Men & Women Gucci Prada Chanel
From:
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Date: Thu, 24 Apr 2008 06:07:58 -0300 (ADT)
/// End copied message ///

The relevant entries from maillog:

Apr 24 05:08:07 makowiec sendmail[13762]: ruleset=check_relay, arg1=[123.236.157.84], arg2=127.0.0.11, relay=[123.236.157.84], reject=550 5.7.1 Denied RBL 123.236.157.84 by zen.spamhaus.org
Apr 24 05:08:16 makowiec sendmail[13761]: m3O985v8013761: from=<>, size=2481, class=0, nrcpts=1, msgid=<20080424073804.3040.qmail@orient>, proto=ESMTP, daemon=MTA, relay=[142.166.135.76]
Apr 24 05:08:16 makowiec sendmail[13763]: m3O985v8013761: to=, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=32675, dsn=2.0.0, stat=Sent

My home IP is 72.231.x.x; my mailserver is at 64.33.x.x.

I didn't receive the original spam; however, the following lines lead
me to wonder whether I have an open relay.

--
Joe Makowiec
http://makowiec.org/
Email: http://makowiec.org/contact/?Joe
Usenet Improvement Project: http://improve-usenet.org/

Re: Spam relay?

on 25.04.2008 00:06:40 by John Thompson

On 2008-04-24, Joe Makowiec wrote:

> I received the following email this morning; .com and .org changed to
> .invalid:
>
> /// Start copied message ///
> From ???@??? Thu Apr 24 06:23:52 2008
> X-Persona:
> Return-Path:
> Received: from spamfilter1.connetik.com ([142.166.135.76])
> by makowiec.com (8.14.1/8.13.8) with ESMTP id m3O985v8013761
> for ; Thu, 24 Apr 2008 05:08:16 -0400
> MIME-Version: 1.0
> From: Connetik Spam Firewall 1
> Message-Id: <20080424073804.3040.qmail@orient>
> Subject: **Message you sent blocked by our bulk email filter**
> Content-Type: multipart/report; report-type=delivery-status;
> charset=utf-8;
> boundary="----------=_1209028080-22933-63"
> To:
> Date: Thu, 24 Apr 2008 06:08:00 -0300 (ADT)
>
> Your message to: antigonish@coastalinns.invalid
> was blocked by our Spam Firewall. The email you sent with the following subject has NOT BEEN DELIVERED:
> Subject: 60% Off All Luxury Designer Shoes & Boots Men & Women Gucci Prada Chanel
> Reporting-MTA: dns; spamfilter1.connetik.com
> Received-From-MTA: smtp; spamfilter1.connetik.com ([127.0.0.1])
> Arrival-Date: Thu, 24 Apr 2008 06:08:00 -0300 (ADT)
>
> Final-Recipient: rfc822; antigonish@coastalinns.invalid
> Action: failed
> Status: 5.7.1
> Diagnostic-Code: smtp; 550 5.7.1 Message content rejected, UBE, id=22933-01-43
> Last-Attempt-Date: Thu, 24 Apr 2008 06:08:00 -0300 (ADT)
>
> Received: from orient (localhost [127.0.0.1])
> by spamfilter1.connetik.com (Spam Firewall) with SMTP id EC0931B84D3
> for ; Thu, 24 Apr 2008 06:07:58 -0300 (ADT)
> Received: from orient ([123.236.157.84]) by spamfilter1.connetik.com with SMTP id 7bRoZVvCgMJntF9P for ; Thu, 24 Apr 2008 06:07:58 -0300 (ADT)
> X-Originating-IP: [35.15.2.3]
> X-Originating-Email: [antigonish@coastalinns.invalid]
> X-Sender: antigonish@coastalinns.invalid
> Message-Id: <20080424073804.3040.qmail@orient>
> To:
> Subject: 60% Off All Luxury Designer Shoes & Boots Men & Women Gucci Prada Chanel
> From:
> MIME-Version: 1.0
> Content-Type: text/plain; charset="ISO-8859-1"
> Content-Transfer-Encoding: 7bit
> Date: Thu, 24 Apr 2008 06:07:58 -0300 (ADT)
> /// End copied message ///
>
> The relevant entries from maillog:
>
> Apr 24 05:08:07 makowiec sendmail[13762]: ruleset=check_relay, arg1=[123.236.157.84], arg2=127.0.0.11, relay=[123.236.157.84], reject=550 5.7.1 Denied RBL 123.236.157.84 by zen.spamhaus.org
> Apr 24 05:08:16 makowiec sendmail[13761]: m3O985v8013761: from=<>, size=2481, class=0, nrcpts=1, msgid=<20080424073804.3040.qmail@orient>, proto=ESMTP, daemon=MTA, relay=[142.166.135.76]
> Apr 24 05:08:16 makowiec sendmail[13763]: m3O985v8013761: to=, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=32675, dsn=2.0.0, stat=Sent
>
> My home IP is 72.231.x.x; my mailserver is at 64.33.x.x.
>
> I didn't receive the original spam; however, the following lines lead
> me to wonder whether I have an open relay.

I don't see your IP in any of the Received: lines. Looks like it's just
backscatter from a joe-job operation.

There are a number of places that can check your IP for an open relay,
just google "Mail relay testing" if you want to check.

--

John (john@os2.dhs.org)
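
The check described in the reply above, as an added example that is not part of either post: it looks for the poster's own addresses in the bounced message's Received: lines and classifies the sendmail queue entries. The header and log lines are copied from the thread; treating the masked addresses 72.231.x.x and 64.33.x.x as /16 networks is an assumption, and the function names are hypothetical.

```python
import ipaddress
import re

# Sample input: Received: lines of the bounced spam and maillog lines from the thread.
BOUNCED_HEADERS = """\
Received: from orient (localhost [127.0.0.1])
 by spamfilter1.connetik.com (Spam Firewall) with SMTP id EC0931B84D3
Received: from orient ([123.236.157.84]) by spamfilter1.connetik.com with SMTP id 7bRoZVvCgMJntF9P
X-Originating-IP: [35.15.2.3]
"""
MAILLOG = """\
Apr 24 05:08:07 makowiec sendmail[13762]: ruleset=check_relay, arg1=[123.236.157.84], arg2=127.0.0.11, relay=[123.236.157.84], reject=550 5.7.1 Denied RBL 123.236.157.84 by zen.spamhaus.org
Apr 24 05:08:16 makowiec sendmail[13761]: m3O985v8013761: from=<>, size=2481, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[142.166.135.76]
Apr 24 05:08:16 makowiec sendmail[13763]: m3O985v8013761: to=, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=32675, dsn=2.0.0, stat=Sent
"""
# Assumption: the poster's masked addresses are matched as whole /16 networks.
OWN_NETS = [ipaddress.ip_network("72.231.0.0/16"),
            ipaddress.ip_network("64.33.0.0/16")]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def hops_through_own_hosts(headers, own_nets=OWN_NETS):
    """Return bracketed IPs in Received: headers that fall inside own_nets."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)  # join folded header lines
    hits = []
    for line in unfolded.splitlines():
        if line.lower().startswith("received:"):
            hits += [ip for ip in IP_RE.findall(line)
                     if any(ipaddress.ip_address(ip) in n for n in own_nets)]
    return hits

def classify_queue_ids(maillog):
    """Label each sendmail queue id: 'relayed' if handed to a non-local mailer,
    'inbound-bounce' if a null sender (from=<>) was delivered locally, else 'local'."""
    seen = {}
    for line in maillog.splitlines():
        m = re.search(r"sendmail\[\d+\]: (\w+): (.*)", line)
        if not m:
            continue  # check_relay rejections carry no queue id
        rec = seen.setdefault(m.group(1), {"null": False, "mailers": set()})
        rec["null"] |= "from=<>" in m.group(2)
        rec["mailers"].update(re.findall(r"mailer=(\w+)", m.group(2)))
    out = {}
    for qid, rec in seen.items():
        if rec["mailers"] - {"local"}:
            out[qid] = "relayed"
        else:
            out[qid] = "inbound-bounce" if rec["null"] else "local"
    return out
```

An empty list from the first function together with only `inbound-bounce` or `local` labels from the second matches the backscatter reading; a `relayed` label on mail from an outside relay is what would warrant a closer look at the relay configuration.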