tarballed
April 3rd, 2003, 19:12
Quick question on email headers. I wasn't sure where to post this, so I thought I would post it here.
Here are some headers from a user on our network who continually receives viruses from the same place:

Return-Path: <festival@smukfest.dk>
Received: from smtp.mail-hotel.dk (smtpre.mail-hotel.dk [194.239.250.243])
    by courtesymortgage.com (8.10.2/8.10.2) with SMTP id h3156Yl15475
    for <djaureguizar@courtesymortgage.com>; Mon, 31 Mar 2003 21:06:35 -0800
Date: Mon, 31 Mar 2003 21:06:35 -0800
Message-Id: <200304010506.h3156Yl15475@r4-sd010.aspadmin.com>
Received: (qmail 6042 invoked from network); 1 Apr 2003 05:39:41 -0000
Received: from smtp.mail-hotel.dk (195.41.82.245)
    by smtpre.mail-hotel.dk with SMTP; 1 Apr 2003 05:39:41 -0000
Received: from Hqpxnfp (adsl-67-119-224-58.dsl.sndg02.pacbell.net [67.119.224.58]) by smtp.mail-hotel.dk with SMTP (MailShield v2.0 - SOLARIS/INTEL Oct 16 2000 14:33:02); Tue, 01 Apr 2003 06:39:34 +0100
From: sales <sales@burtonjames.com>
To: djaureguizar@courtesymortgage.com
Subject: How are you
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary=UqP0Q3Z27pz6C9d827H2ZyU6g2P7B78br486v
X-SMTP-HELO: Hqpxnfp
X-SMTP-MAIL-FROM: festival@smukfest.dk
X-SMTP-RCPT-TO: djaureguizar@courtesymortgage.com
X-SMTP-PEER-INFO: adsl-67-119-224-58.dsl.sndg02.pacbell.net [67.119.224.58]
X-UIDL: -]i"!Bmk"!>l%"!71["!

Just following the course of the email, you see it go from pacbell to smtpre.mail-hotel.dk. My initial thought, from reading the information, was that it was coming from smtp.mail-hotel.dk.

Do you see anything else in there I may be able to pick apart?

Tarballed

|MiNi0n|
April 3rd, 2003, 19:38
Received: from Hqpxnfp (adsl-67-119-224-58.dsl.sndg02.pacbell.net [67.119.224.58]) by smtp.mail-hotel.dk with SMTP (MailShield v2.0 - SOLARIS/INTEL Oct 16 2000 14:33:02);

Someone with high-speed ADSL at pacbell.net is likely using smtp.mail-hotel.dk as an open relay. I tried to test it as an open relay but it dropped offline :roll:

What exactly are you trying to figure out? What virus is being sent?

tarballed
April 3rd, 2003, 20:00
I have tried to contact the administrator at smtp.mail-hotel.dk to let them know they keep sending my user a ton of viruses.

The viruses being sent are of the klez type.

Any ideas on a way to contact these people so they can address it? They have not responded to my emails for almost 2 weeks now.

Suggestions?

Tarballed

|MiNi0n|
April 3rd, 2003, 20:11
Sounds like the pacbell user is infected with Klez and doesn't know, and you keep getting its crap. You might inform abuse@pacbell; if they log properly they should be able to determine which user was connected at that IP in your headers at the time in question. But chances are they won't care one bit.

My answer:

blackhole the bitch!!! You can either drop them by tweaking your firewall rules or by tweaking your smtp settings.
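An added example, written for this thread rather than posted by anyone in it, that does the header walk from the first two posts and then produces the "drop them at the firewall or in your SMTP settings" rules suggested here. The sample headers are the ones from the opening post, re-folded with leading whitespace on the continuation lines (the board flattened them). Reading the chain bottom-up gives the origin (HELO `Hqpxnfp`, 67.119.224.58 at pacbell.net), and shows that the only host which ever connects to courtesymortgage.com's MX is the last relay, 194.239.250.243, so a firewall rule for the pacbell address on that box would match no packets; the rules below therefore target the connecting peer. The `Connect:` access-map entry assumes sendmail built with `FEATURE(`access_db')` (the header shows 8.10.2, which supports the tag), followed by a `makemap` run; both are assumptions about that server, not facts from the thread.

```python
import re
from email.parser import HeaderParser
from email.utils import parseaddr
from typing import List, NamedTuple, Optional

# Constructed sample: the headers posted at the top of this thread, re-folded
# with leading whitespace on the continuation lines (the board flattened them).
RAW_HEADERS = """\
Return-Path: <festival@smukfest.dk>
Received: from smtp.mail-hotel.dk (smtpre.mail-hotel.dk [194.239.250.243])
    by courtesymortgage.com (8.10.2/8.10.2) with SMTP id h3156Yl15475
    for <djaureguizar@courtesymortgage.com>; Mon, 31 Mar 2003 21:06:35 -0800
Date: Mon, 31 Mar 2003 21:06:35 -0800
Message-Id: <200304010506.h3156Yl15475@r4-sd010.aspadmin.com>
Received: (qmail 6042 invoked from network); 1 Apr 2003 05:39:41 -0000
Received: from smtp.mail-hotel.dk (195.41.82.245)
    by smtpre.mail-hotel.dk with SMTP; 1 Apr 2003 05:39:41 -0000
Received: from Hqpxnfp (adsl-67-119-224-58.dsl.sndg02.pacbell.net [67.119.224.58]) by smtp.mail-hotel.dk with SMTP (MailShield v2.0 - SOLARIS/INTEL Oct 16 2000 14:33:02); Tue, 01 Apr 2003 06:39:34 +0100
From: sales <sales@burtonjames.com>
To: djaureguizar@courtesymortgage.com
Subject: How are you
X-SMTP-HELO: Hqpxnfp
X-SMTP-MAIL-FROM: festival@smukfest.dk
X-SMTP-PEER-INFO: adsl-67-119-224-58.dsl.sndg02.pacbell.net [67.119.224.58]
"""


class Hop(NamedTuple):
    helo: str            # name the client gave in HELO/EHLO: client-controlled, unverified
    rdns: Optional[str]  # reverse DNS the receiving MTA recorded, if any
    ip: Optional[str]    # connecting address the receiving MTA recorded
    by: str              # the MTA that wrote this Received: line


HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"             # "from <helo>"
    r"(?:\s+\((?P<paren>[^)]*)\))?"     # optional "(rdns [ip])" or "(ip)"
    r".*?\s+by\s+(?P<by>\S+)"           # "... by <receiving host>"
)
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def parse_hop(value: str) -> Optional[Hop]:
    """Parse one Received: value; None for lines without 'from ... by' (qmail's, for instance)."""
    m = HOP_RE.match(" ".join(value.split()))
    if not m:
        return None
    paren = m.group("paren") or ""
    ip = IP_RE.search(paren)
    rdns = paren.split("[", 1)[0].strip() if "[" in paren else None
    return Hop(m.group("helo"), rdns or None, ip.group(1) if ip else None, m.group("by"))


def trace(raw: str) -> List[Hop]:
    """Hops in header order: index 0 was written by our own MX, the last by the first relay the sender hit."""
    msg = HeaderParser().parsestr(raw)
    return [h for h in map(parse_hop, msg.get_all("Received", [])) if h]


def chain_breaks(hops: List[Hop]) -> List[int]:
    """Indexes where a hop's 'by' host is not the host the hop above says it received from.
    Everything below a break may have been forged by the sender."""
    return [i for i in range(1, len(hops))
            if hops[i].by not in (hops[i - 1].helo, hops[i - 1].rdns)]


def sender_domains(raw: str, hops: List[Hop]):
    """(From: domain, envelope sender domain, origin reverse DNS). Three names that should agree; here none do."""
    msg = HeaderParser().parsestr(raw)

    def dom(header: str) -> str:
        return parseaddr(msg.get(header, ""))[1].rpartition("@")[2].lower()

    return dom("From"), dom("Return-Path"), (hops[-1].rdns or "").lower()


def block_rules(hops: List[Hop]) -> dict:
    """Rules for the host that actually connects to our MX (hops[0]). The origin IP never does,
    so a firewall rule for it would match nothing. Assumes sendmail with FEATURE(`access_db')."""
    peer = hops[0].ip
    return {
        "iptables": f"iptables -I INPUT -p tcp --dport 25 -s {peer} -j DROP",
        "sendmail_access": f"Connect:{peer}\tREJECT",  # then: makemap hash access < access
    }


if __name__ == "__main__":
    hops = trace(RAW_HEADERS)
    for h in hops:
        print(f"{h.by:24} <- helo={h.helo} rdns={h.rdns} ip={h.ip}")
    print("origin:", hops[-1].ip, "chain breaks:", chain_breaks(hops))
    print("sender domains:", sender_domains(RAW_HEADERS, hops))
    print(block_rules(hops))
```

Two things to keep in mind when applying the output: the chain is only trustworthy down to the first break `chain_breaks` reports (the Received: line your own MX wrote is the only one you know was not forged), and rejecting 194.239.250.243 rejects everything else mail-hotel.dk relays, not just this one infected customer.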

soup4you2
April 4th, 2003, 09:56
If you're running a BSD-based mail server (I recommend Postfix), set up amavis for it so you get nice virus scanning for your mail server. It's rather nice; it supports *nix, Mac and Windows viruses.

|MiNi0n|
April 4th, 2003, 12:25
Judging from the headers and from other posts I've seen from tarballed, I think he's running Linux and qmail. Is that correct tarballed?

Regardless, as soup suggests for BSD, amavis will run in that scenario as well, but if you're continually receiving mail from this source, virus-scanned or not, it's still going to annoy the hell outta you :( So just drop all his packets :lol:

tarballed
April 4th, 2003, 12:37
Hello everyone.

Well, at this time, the mail server is not on our network. (Not Yet...my next project.) The current mail server is being hosted with our ISP. To my knowledge, it is running Linux with sendmail.

Since I started working for this company, I have made leaps and bounds to get this company up and running as efficiently as possible. One of my next priorities is a mail server. (But the suits like to think otherwise, so I battle with them to let them know what is important.)

For instance, a few things that I have implemented since I have been here.

Firewall -- They had no firewall, just a router.
DNS server --
New backup server --
LDAP Addressbook

So I am making some progress here, setting everything up as quickly as I can.

As far as the email, I have tried and contacted pacbell, but I have received no response.

Guess I will just have to start dropping the d00d.
:)

tarballed

tarballed
April 4th, 2003, 15:36
Speaking of setting up a email server, soup4you2 mentioned a virus scanner for the mail server. I believe it was amavis.

I've heard this mentioned before, but I am not really familiar with it.

Do you have some good links/documentation that I can read upon? I may implement this on our email server when I set it up.

Thanks.

Tarballed

|MiNi0n|
April 4th, 2003, 15:55
Integrating amavis with postfix is relatively simple and is quite likely the most recommended solution (at least in this forum). Postfix is absolutely incredible. And amavis integrates nicely. The question that will arise for you is whether to use amavis, amavisd or amavisd-new. Generally, I'd suggest it boils down to either amavis or amavisd-new. This is straight from amavis.org:

* amavis - for low / medium mail volume
* amavisd - for higher mail volume
* amavisd-new - for higher mail volume, Anti-Spam, ISP features et al

I would recommend amavisd-new first. However, be careful if you're using it, because unless you are aware and prepared to configure some extras, the later releases of amavisd-new are integrated with SpamAssassin and Vipul's Razor. This is generally a good thing!!! However, I heavily tweak the way my Razor and SpamAssassin work, so I prefer to keep them separate. Anyway, the last release with optional Razor and SpamAssassin is amavisd-new-20020517.tar.gz.

If you get adventurous and want to tackle Razor and SpamAssassin, there is a good how-to here on SE, which I plan to update soon with some new tweaks I've added:

http://www.screamingelectron.org/phpBB2/viewtopic.php?t=279

Sounds like I should add a how-to for amavis too. Hmmmmm....

soup4you2
April 4th, 2003, 16:03
If you get adventurous and want to tackle razor and spamassassin there is a good how-to here on SE, which I plan to update soon with some new tweaks I've added:

New tweaks.... oh do tell...

That article is great, btw. Minion, thanks for the effort of posting it.

frisco
April 4th, 2003, 16:50
As far as the email, I have tried and contacted pacbell, but I have received no response.

How are you going about contacting them? `whois -h whois.arin.net 67.119.224.58` will get you proper contact information for that IP. For the Danish IP, you'll need to use `whois -h whois.ripe.net 194.239.250.243`.

Other whois servers you may need for resolving IPs:
whois.apnic.net - Asia and Pacific
whois.lacnic.net - Latin America

I believe African IP info is still under whois.arin.net. Anyways, doing a whois on whois.arin.net will point out the proper whois server to use.
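An added example, not from frisco or anyone else in the thread, of the lookup frisco describes: a bare WHOIS client (one query line on TCP/43, read until the server closes, per RFC 3912) that starts at whois.arin.net and follows the referral to the right RIR, then pulls the abuse contacts out of the answer. The `ReferralServer:`, `OrgAbuseEmail:`, `abuse-mailbox:` and `e-mail:` field names are my assumptions about ARIN and RIPE output, not something the thread states, and the two sample responses are constructed so the referral logic can be exercised without network access; `example.dk` is a placeholder, not the real owner of that Danish block.

```python
import re
import socket
from typing import Callable, List, Optional, Tuple

# The RIR servers named in the post; any of them will say when an address belongs to another.
RIR_SERVERS = ("whois.arin.net", "whois.ripe.net", "whois.apnic.net", "whois.lacnic.net")


def whois_query(server: str, query: str, timeout: float = 10.0) -> str:
    """Raw WHOIS (RFC 3912): send one CRLF-terminated line on TCP/43, read until the server closes."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall((query + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


# Field names below are assumptions about ARIN/RIPE output, not taken from the thread.
REFERRAL_RE = re.compile(r"^ReferralServer:\s*(?:whois://)?([\w.-]+)", re.M)
ABUSE_RE = re.compile(r"^(?:abuse-mailbox|OrgAbuseEmail|e-mail):\s*(\S+@\S+)", re.M | re.I)


def find_referral(text: str) -> Optional[str]:
    """Server another registry points us to, or None if this answer is authoritative."""
    m = REFERRAL_RE.search(text)
    return m.group(1).lower() if m else None


def abuse_contacts(text: str) -> List[str]:
    """Abuse/contact mailboxes found in a WHOIS answer, deduplicated."""
    return sorted({a.lower() for a in ABUSE_RE.findall(text)})


def lookup(ip: str, start: str = "whois.arin.net", max_hops: int = 4,
           query: Callable[[str, str], str] = whois_query) -> Tuple[str, str]:
    """Follow ReferralServer: lines until a server answers without one. Returns (server, answer)."""
    server, seen = start, []
    while True:
        seen.append(server)
        text = query(server, ip)
        nxt = find_referral(text)
        if not nxt or nxt in seen or len(seen) >= max_hops:
            return server, text
        server = nxt


# Constructed responses, shaped like ARIN and RIPE answers, so the code runs offline.
SAMPLE_ARIN = """\
NetRange:       194.0.0.0 - 194.255.255.255
NetName:        RIPE-CBLK
Organization:   RIPE Network Coordination Centre (RIPE)
ReferralServer: whois://whois.ripe.net
"""
SAMPLE_RIPE = """\
inetnum:        194.239.250.0 - 194.239.250.255
netname:        EXAMPLE-NET
descr:          constructed example, not the real allocation
country:        DK
abuse-mailbox:  abuse@example.dk
e-mail:         hostmaster@example.dk
"""


def offline_query(server: str, query: str) -> str:
    """Stand-in for whois_query that serves the constructed samples."""
    return {"whois.arin.net": SAMPLE_ARIN, "whois.ripe.net": SAMPLE_RIPE}[server]


if __name__ == "__main__":
    import sys
    # With an address on the command line the real servers are queried; otherwise the samples are used.
    live = len(sys.argv) > 1
    ip = sys.argv[1] if live else "194.239.250.243"
    server, text = lookup(ip, query=whois_query if live else offline_query)
    print(f"authoritative server for {ip}: {server}")
    print("abuse contacts:", abuse_contacts(text) or "(none found)")
```

Run it with an address as the first argument to query the real registries; with no argument it walks the constructed ARIN-to-RIPE referral. The `seen` list and `max_hops` cap stop two registries that point at each other from looping the client.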

tarballed
April 4th, 2003, 17:28
Thanks Frisco. I went ahead and fired off another couple emails to them, letting them know what was going on.

Good stuff to learn.

Thanks.

Tarballed