trusted Ip address spoofed?

  • Dimitrios Karapiperis
    Message 1 of 3 , Jan 31, 2010
      Hi there

      I have a Postfix installation (postfix-2.6.5-1.rhel5) and I relay a
      couple of remote ip addresses
      (static adsl) of remote sites.

      I cannot figure out how a spam originator fired some e-mails through my
      mail server
      using a specific remote IP, which was relayed

      Return-Path: <oqoxlcfs@...>
      Received: from hhyllw (smtp.domain.tld[111.222.333.444])
      by smtp.thessaloniki.gr (Postfix) with ESMTP id 8DB72180C1
      for <jrochez@...>; Mon, 1 Feb 2010 08:49:00 +0200 (EET)
      Received: from beoeb ([xxx.yyy.zzz.ccc])
      by EADYCSRY (8.13.4/8.13.4) with SMTP id u4231584378453i6Ib016100
      for <jrochez@...>; Mon, 01 Feb 2010 08:48:56 +0200 (CDT)

      The 111.222.333.444 is the relayed trusted ip and xxx.yyy.zzz.ccc is the
      malicious one.


      How can I prevent such things?????


      Thanks in advance
      Dimitrios
    • Daniel V. Reinhardt
      Message 2 of 3 , Feb 1 3:16 AM
        ----- Original Message ----
        > From: Dimitrios Karapiperis <dimkar@...>
        > To: postfix-users@...
        > Sent: Mon, February 1, 2010 7:57:36 AM
        > Subject: trusted Ip address spoofed?
        >
        > Hi there
        >
        > I have a Postfix installation (postfix-2.6.5-1.rhel5) and I relay a couple of
        > remote ip addresses
        > (static adsl) of remote sites.
        >
        > I cannot figure out how a spam originator fired some e-mails through my mail
        > server
        > using a specific remote IP, which was relayed
        >
        > Return-Path:
        > Received: from hhyllw (smtp.domain.tld[111.222.333.444])
        > by smtp.thessaloniki.gr (Postfix) with ESMTP id 8DB72180C1
        > for ; Mon, 1 Feb 2010 08:49:00 +0200 (EET)
        > Received: from beoeb ([xxx.yyy.zzz.ccc])
        > by EADYCSRY (8.13.4/8.13.4) with SMTP id u4231584378453i6Ib016100
        > for ; Mon, 01 Feb 2010 08:48:56 +0200 (CDT)
        >
        > The 111.222.333.444 is the relayed trusted ip and xxx.yyy.zzz.ccc is the
        > malicious one.
        >
        >
        > How can I prevent such things?????
        >
        >
        > Thanks in advance
        > Dimitrios

        Dimitrios,

        Can you not hide the IP addresses? They are needed to help you out.

        Thanks,

        Daniel Reinhardt
        Website: www.cryptodan.com
        Email: cryptodan@...
      • Noel Jones
        Message 3 of 3 , Feb 1 9:13 AM
          On 2/1/2010 1:57 AM, Dimitrios Karapiperis wrote:
          > Hi there
          >
          > I have a Postfix installation (postfix-2.6.5-1.rhel5) and I relay a
          > couple of remote ip addresses
          > (static adsl) of remote sites.
          >
          > I cannot figure out how a spam originator fired some e-mails through my
          > mail server
          > using a specific remote IP, which was relayed
          >
          > Return-Path: <oqoxlcfs@...>
          > Received: from hhyllw (smtp.domain.tld[111.222.333.444])
          > by smtp.thessaloniki.gr (Postfix) with ESMTP id 8DB72180C1
          > for <jrochez@...>; Mon, 1 Feb 2010 08:49:00 +0200 (EET)
          > Received: from beoeb ([xxx.yyy.zzz.ccc])
          > by EADYCSRY (8.13.4/8.13.4) with SMTP id u4231584378453i6Ib016100
          > for <jrochez@...>; Mon, 01 Feb 2010 08:48:56 +0200 (CDT)
          >
          > The 111.222.333.444 is the relayed trusted ip and xxx.yyy.zzz.ccc is the
          > malicious one.
          >
          >
          > How can I prevent such things?????
          >
          >
          > Thanks in advance
          > Dimitrios
          >
          >

          It is extremely difficult to spoof the source IP of a full
          SMTP transaction; no spammer would ever bother trying. Be
          assured that the mail really did come from your trusted IP.

          The likely possibilities are:
          - Trusted IP is running a mail server and accepted the spam,
          which was then forwarded to you. (maybe an infected LAN client?)
          - Trusted IP is infected with a virus.

          This will need to be fixed on the Trusted IP end.

          If you need further help with this, we'll need full details of
          both your postfix config and the Trusted IP.

          -- Noel Jones
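The reasoning in this reply can be checked mechanically against the headers the original poster quoted: the only hop that carries evidence about your own server is the `Received:` line your server wrote, and what sits below it was written by the trusted relay and describes what *that* host accepted. The script below is an added example (not part of the thread, and not Postfix or Sendmail code) that unfolds the headers, parses each hop's `from ... [ip]` / `by host` pair and reports whether a trusted relay forwarded mail it received from an unknown address. The sample header block is constructed from the thread, with the masked IPs kept as posted and the sender/recipient addresses replaced by placeholders; `OUR_HOSTNAME` and `TRUSTED_RELAY_IPS` are assumed values standing in for the poster's relay configuration.

```python
import re

# Constructed sample that reproduces the header chain posted in the thread. The masked
# addresses (111.222.333.444, xxx.yyy.zzz.ccc) are kept exactly as the poster wrote them;
# the sender and recipient addresses are placeholders, not the elided originals.
SAMPLE_HEADERS = """\
Return-Path: <sender@example.invalid>
Received: from hhyllw (smtp.domain.tld[111.222.333.444])
    by smtp.thessaloniki.gr (Postfix) with ESMTP id 8DB72180C1
    for <recipient@example.invalid>; Mon, 1 Feb 2010 08:49:00 +0200 (EET)
Received: from beoeb ([xxx.yyy.zzz.ccc])
    by EADYCSRY (8.13.4/8.13.4) with SMTP id u4231584378453i6Ib016100
    for <recipient@example.invalid>; Mon, 01 Feb 2010 08:48:56 +0200 (CDT)
"""

# Assumed local policy: the hostname our Postfix writes into "by", and the remote
# addresses it is configured to relay for (the poster's static ADSL sites).
OUR_HOSTNAME = "smtp.thessaloniki.gr"
TRUSTED_RELAY_IPS = {"111.222.333.444"}

# "from <helo> (<rdns> [<ip>])" as Postfix and Sendmail write it; rdns may be absent
# and the space before "[" may be missing, as in the posted headers.
FROM_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\)")
BY_RE = re.compile(r"\bby\s+(?P<by>\S+)")


def unfold_headers(raw):
    """Join RFC 5322 folded continuation lines (leading whitespace) back onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_received(raw):
    """Return the Received hops, most recent (topmost) first, as dicts."""
    hops = []
    for line in unfold_headers(raw):
        if not line.lower().startswith("received:"):
            continue
        m_from, m_by = FROM_RE.search(line), BY_RE.search(line)
        if not (m_from and m_by):
            continue  # unparseable hop; a real tool would record it rather than drop it
        hops.append({
            "helo": m_from.group("helo"),
            "rdns": m_from.group("rdns") or None,
            "ip": m_from.group("ip"),
            "by": m_by.group("by"),
        })
    return hops


def classify(hops, our_hostname, trusted_ips):
    """Explain how the message reached us.

    Only the hop written by our own server is evidence we can trust: the source IP of a
    completed TCP/SMTP session is not realistically spoofable. Hops below it were written
    by the remote relay, so they describe what that relay accepted, not what we did.
    """
    if not hops or hops[0]["by"] != our_hostname:
        return ("no-hop-written-by-us", None)
    top_ip = hops[0]["ip"]
    if top_ip not in trusted_ips:
        return ("accepted-from-untrusted-ip", top_ip)
    for hop in hops[1:]:
        if hop["ip"] not in trusted_ips:
            # The trusted relay itself accepted the mail from an unknown source and
            # forwarded it to us: the problem is on the relay's side, as the reply says.
            return ("trusted-relay-forwarded", hop["ip"])
    return ("originated-on-trusted-relay", top_ip)


if __name__ == "__main__":
    hops = parse_received(SAMPLE_HEADERS)
    for n, hop in enumerate(hops):
        print(f"hop {n}: {hop['by']} accepted from {hop['ip']} "
              f"(helo {hop['helo']}, rdns {hop['rdns']})")
    print(classify(hops, OUR_HOSTNAME, TRUSTED_RELAY_IPS))
```

On the posted headers this reports `trusted-relay-forwarded` with the `xxx.yyy.zzz.ccc` address: the trusted site's own host (`EADYCSRY`) accepted the message from that address and handed it on, which is the first of the two possibilities above. Note that the verdict rests only on the hop your server wrote; the lower hop is taken at face value because it is the relay's account of itself, and a compromised relay could write anything there, so the fix still has to happen on the trusted IP's end.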