
Some nice person has kindly spoofed my e-mail and sent everyone a virus file from "me".

I think I can see the originating IP address of the server the spoofed mail was sent from by looking at some of the bounce back mail log messages.

My postfix is configured to bounce any messages from non-real e-mail addresses at my domain.

Here is an example of some of the mail log entries:-

Jun  6 05:44:09 server3 postfix/smtpd[5567]: NOQUEUE: filter: RCPT from unknown[37.139.21.195]: <>: Sender address triggers FILTER amavis:[127.0.0.1]:10026; from=<> to=<salas@xxxxxxxxx.com> proto=ESMTP helo=<sconline.com>

Jun  6 05:44:09 server3 postfix/smtpd[5567]: NOQUEUE: filter: RCPT from unknown[37.139.21.195]: <>: Sender address triggers FILTER amavis:[127.0.0.1]:10024; from=<> to=<salas@xxxxxxxxx.com> proto=ESMTP helo=<sconline.com>

Jun  6 05:44:09 server3 postfix/smtpd[5567]: NOQUEUE: reject: RCPT from unknown[37.139.21.195]: 550 5.1.1 <salas@xxxxxxxxx.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<salas@xxxxxxxxx.com> proto=ESMTP helo=<sconline.com>

Jun  6 05:44:09 server3 postfix/smtpd[5567]: NOQUEUE: filter: RCPT from unknown[37.139.21.195]: <>: Sender address triggers FILTER amavis:[127.0.0.1]:10026; from=<> to=<salas@xxxxxxxxx.com> proto=ESMTP helo=<sconline.com>

Jun  6 05:44:09 server3 postfix/smtpd[5567]: NOQUEUE: filter: RCPT from unknown[37.139.21.195]: <>: Sender address triggers FILTER amavis:[127.0.0.1]:10024; from=<> to=<salas@xxxxxxxxx.com> proto=ESMTP helo=<sconline.com>

Jun  6 05:44:09 server3 postfix/smtpd[5567]: NOQUEUE: reject: RCPT from unknown[37.139.21.195]: 550 5.1.1 <salas@xxxxxxxxx.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<salas@xxxxxxxxx.com> proto=ESMTP helo=<sconline.com>

What I think the above messages show is the following:-

  1. The blank address of the sender triggers my amavis to check the incoming message.
  2. Seeing as I don't have an e-mail address "Salas@", the message is rejected.
  3. The original mail that was spoofed was sent out from the IP address 37.139.21.195, which has a helo = .

I am pretty sure what I am saying above in point 3 is correct, but can anyone tell me why?

iainpb
    Please see https://security.stackexchange.com/editing-help for help on formatting your question in a way where others might be inclined to have a look at what you are asking instead of moving away disgusted because it is pretty much unreadable what you've asked. – Steffen Ullrich Jun 07 '17 at 11:10
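One way to pull the usable facts out of smtpd lines like the ones above, added here as an example and not part of the question or the answer: it parses the postfix/smtpd NOQUEUE entries, groups them by the IP that actually connected, and lists clients that deliver null-sender (from=<>, the envelope bounces are sent with) mail to non-existent local recipients without having reverse DNS. The first two sample lines follow the question's entries; the third (mail.example.net / 192.0.2.10) is constructed for contrast. The helo value is copied verbatim from what the client announced and postfix does not verify it, so the only thing such a line establishes is the IP of the client that connected, not where the forged mail was originally injected.

```python
import re

# Constructed sample: the first two lines follow the postfix/smtpd entries in
# the question; the third (mail.example.net / 192.0.2.10) is invented for contrast.
SAMPLE_LOG = """\
Jun  6 05:44:09 server3 postfix/smtpd[5567]: NOQUEUE: filter: RCPT from unknown[37.139.21.195]: <>: Sender address triggers FILTER amavis:[127.0.0.1]:10026; from=<> to=<salas@xxxxxxxxx.com> proto=ESMTP helo=<sconline.com>
Jun  6 05:44:09 server3 postfix/smtpd[5567]: NOQUEUE: reject: RCPT from unknown[37.139.21.195]: 550 5.1.1 <salas@xxxxxxxxx.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<salas@xxxxxxxxx.com> proto=ESMTP helo=<sconline.com>
Jun  6 05:45:10 server3 postfix/smtpd[5570]: NOQUEUE: reject: RCPT from mail.example.net[192.0.2.10]: 550 5.1.1 <nobody@xxxxxxxxx.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<alice@example.net> to=<nobody@xxxxxxxxx.com> proto=ESMTP helo=<mail.example.net>
"""

# One smtpd NOQUEUE line: the action, the client name and IP, then the
# envelope fields that postfix appends at the end of the line.
LINE_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: (?P<action>\w+): RCPT from "
    r"(?P<client>[^\[\s]+)\[(?P<ip>[^\]]+)\]:.*?"
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> proto=(?P<proto>\S+) helo=<(?P<helo>[^>]*)>"
)


def parse_line(line):
    """Return the fields of one smtpd NOQUEUE line, or None if it is not one."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    # postfix writes "unknown" as the client name when the reverse DNS lookup fails
    rec["has_rdns"] = rec["client"] != "unknown"
    # from=<> is the null sender, the envelope sender bounces (DSNs) are sent with
    rec["null_sender"] = rec["sender"] == ""
    return rec


def summarize(log_text):
    """Group parsed entries by the IP that actually connected to smtpd."""
    per_ip = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_ip.setdefault(rec["ip"], {
            "client": rec["client"], "has_rdns": rec["has_rdns"],
            "rejects": 0, "filters": 0, "null_sender": 0,
            "helos": set(), "recipients": set(),
        })
        if rec["action"] == "reject":
            s["rejects"] += 1
        elif rec["action"] == "filter":
            s["filters"] += 1
        if rec["null_sender"]:
            s["null_sender"] += 1
        # helo is whatever the client announced; postfix records it, it does not check it
        s["helos"].add(rec["helo"])
        s["recipients"].add(rec["rcpt"])
    return per_ip


def backscatter_suspects(per_ip):
    """IPs delivering null-sender mail to unknown local users without reverse DNS.

    That pattern fits bounces of mail that forged one of our addresses as the
    sender; it says nothing about where the forged mail was first injected.
    """
    return sorted(
        ip for ip, s in per_ip.items()
        if s["null_sender"] and s["rejects"] and not s["has_rdns"]
    )


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip, s in summary.items():
        print(f"{ip:16} client={s['client']:18} rejects={s['rejects']} "
              f"null_sender={s['null_sender']} helo={sorted(s['helos'])}")
    print("backscatter suspects:", backscatter_suspects(summary))
```

Run it against a real mail.log by reading the file into `summarize()` instead of `SAMPLE_LOG`; the grouping key is deliberately the connecting IP rather than the helo name, because the former is the one field in these lines the server observed itself.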

1 Answer


EDIT: Adding TLDR:

Point 3 is probably not correct. It's correct that it states HELO to the server, and it is spam, but there is no guarantee it originated at the IP you have. 37.139.21.195 is Digital Ocean, a well-known VPS host. This is probably relayed through all kinds of trash. Mail servers do not care who you identify (HELO) as or what the contents of the message are; there is no verification of this information.

Also scroll to the bottom and follow the link to a hilarious dramatization of a mail server to get a better idea of how exactly this happens. It's worth it.

ORIGINAL:

There isn't really a reliable way to do this; the transactions between mail servers are completely indicative. But why not, let's take a look to see what we can find out from the information. Sometimes people mess up so hard by giving correct information, but most of the time all of the info is either useless or fake. But what the hell, it's always fun to practice tracking :)

sconline.com: if we look at this we find a lot of relations to Russia. But then we get a whois, find the IP and nslookup that:

Domain Name: sconline.com
Registry Domain ID: 131697708_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.ename.com
Registrar URL: http://www.ename.net
Updated Date: 2016-03-10T07:28:28Z
Creation Date: 2004-10-03T18:23:32Z
Registrar Registration Expiration Date: 2017-10-03T18:23:32Z
Registrar: 1331
Domain Status: clientDeleteProhibited
Domain Status: clientTransferProhibited
Registry Registrant ID:Not Available From Registry
Registrant Name: li wei
Registrant Organization: li wei
Registrant Street: hu nan chang sha fu rong qu jie fang dong lu
Registrant City: chang sha shi
Registrant State/Province: hu nan
Registrant Postal Code: 410000
Registrant Country: CN
Registrant Phone: +86.73188888888
Registrant Phone Ext:
Registrant Fax: +86.73188888888
Registrant Fax Ext:
Registrant Email: walktv@126.com
...
all other details for admin and tech the same
...
Name Server:ns1.sedoparking.com
Name Server:ns2.sedoparking.com
DNSSEC: unsigned

So the search engine sees it as Russia, but the nslookup shows a name and address from China. Cool, but these are all fake details.

Taking this line from the above:

hu nan chang sha fu rong qu jie fang dong lu

in Google Maps we find:

Jiefang E Rd, HuoCheZhan ShangQuan, Furong Qu, Changsha Shi, Hunan Sheng, China, 410001

which is an auto-service shop. OK, but we're not certain about the exact address. Let's get the other IP in that mail.

WHOIS result for 37.139.21.195

inetnum: 37.139.16.0 - 37.139.23.255
netname: DIGITALOCEAN-AMS-3
descr: Digital Ocean, Inc.
country: NL
admin-c: BU332-RIPE
tech-c: BU332-RIPE
status: ASSIGNED PA
mnt-by: digitalocean
mnt-lower: digitalocean
mnt-routes: digitalocean
created: 2013-08-05T17:05:20Z
last-modified: 2013-08-21T16:15:42Z
source: RIPE

person: Ben Uretsky
address: 101 Ave of the Americas, 10th Floor
address: New York, NY 10013
phone: +16463978051
nic-hdl: BU332-RIPE
mnt-by: digitalocean
created: 2012-12-21T18:34:57Z
last-modified: 2014-09-03T16:32:57Z
source: RIPE # Filtered

We see entries here that look quite valid, for Digital Ocean, a well-known VPS host.

From this evidence what probably happened (not at all sure, just a theory):

  • Spammer in Russia finds a way into a computer in China. He probably uses it as a relay; not necessary, but a good step for anonymity, especially China, which doesn't like to cooperate with anyone regarding this sort of thing.
  • Spammer also buys a VPS server, probably to act as that place's VPS, or his own. (We don't know the network he has behind this at all; only Digital Ocean would have the next bounce if there are any.)
  • Spammer issues mail to various people with the HELO statement coming from his server on some compromised system somewhere, going through a VPS or VPN and probably other places.
  • You receive this mail.

Like I said before, the mail server doesn't care who you identify as; mail was never all that secure. That's why spammers still exist.

There was an excellent answer on this site a while ago on how the mail process works; it still makes me laugh to this day. Give it a read, if for nothing else than a smile for the day:

How can PayPal spoof emails so easily to say it comes from someone else?

Anyway hope that helps!

Nalaurien