Mailing List CGatePro@mail.stalker.com Message #99822
From: Paul Chauvet <chauvetp@newpaltz.edu>
Subject: Re: Email origin - forged address
Date: Tue, 30 Mar 2010 12:58:06 -0400 (EDT)
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
X-Mailer: Zimbra 6.0.5_GA_2213.RHEL5_64 (ZimbraWebClient - FF3.0 (Linux)/6.0.5_GA_2213.RHEL5_64)
Hi Robert,

Does your CGP server accept mail from outside if it hasn't passed through the Barracuda yet?  Even though the Barracuda may be what is in your MX record, some spammers will still try to send directly to your mail server.

What we do here is basically blacklist all IP addresses on the Internet, excluding our own servers.  This way messages which are sent from users (via SMTP AUTH), from our mail gateway, or other servers on our network go through.  All other mail that tries to send to our CGP server (non-authenticated, and not from our client IPs) is rejected - even to internal users.

------------------------------------------
Paul Chauvet
UNIX/Linux Systems Administrator
State University of New York at New Paltz
845-257-3828
chauvetp@newpaltz.edu
------------------------------------------
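As an added example (not from the thread, and not CommuniGate Pro code), the check below applies the reasoning above to the quoted headers: a From address in a local domain that arrives from an IP outside the trusted ranges without SMTP AUTH is a spoof, not internal mail. The trusted network range and the RFC 3848 "with" keywords used to recognise authenticated submission are assumptions, not CGP-specific values.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Local domain from the thread; the trusted range is a constructed placeholder
# standing in for the Barracuda gateway and the site's own client networks.
LOCAL_DOMAINS = {"oxfordms.net"}
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]  # placeholder, not real
# RFC 3848 "with" keywords that indicate an authenticated (SMTP AUTH) submission.
AUTHENTICATED = {"ESMTPA", "ESMTPSA"}

# Headers as quoted in the thread (account name already changed to "user").
RAW_HEADERS = """Return-Path: <user@oxfordms.net>
Received: from zorak.unsl.edu.ar ([170.210.174.89] verified)
   by oxfordms.net (CommuniGate Pro SMTP 5.3.4)
   with SMTPS id 1834916 for user@oxfordms.net; Tue, 30 Mar 2010 08:18:39 -0500
From: Approved Store <user@oxfordms.net>
To: <user@oxfordms.net>
Message-ID: <auto-000001834916@oxfordms.net>

"""

def first_hop(raw):
    """Parse the topmost Received header (the one our own server added) into
    the connecting host, its IP and the RFC 3848 'with' keyword."""
    received = message_from_string(raw).get_all("Received") or []
    if not received:
        return None
    top = " ".join(received[0].split())  # unfold the header
    host_ip = re.search(r"from (\S+) \(\[([0-9a-fA-F.:]+)\]", top)
    proto = re.search(r"\bwith (\S+)", top)
    if not host_ip:
        return None
    return {"host": host_ip.group(1), "ip": host_ip.group(2),
            "protocol": proto.group(1).upper() if proto else ""}

def classify(raw):
    """Label a message by comparing its From domain with where it really came from."""
    domain = parseaddr(message_from_string(raw)["From"])[1].rpartition("@")[2].lower()
    if domain not in LOCAL_DOMAINS:
        return "external-sender"          # not claiming to be one of ours
    hop = first_hop(raw)
    if hop is None:
        return "no-received-header"
    if hop["protocol"] in AUTHENTICATED:
        return "authenticated-submission" # a real user via SMTP AUTH
    if any(ipaddress.ip_address(hop["ip"]) in net for net in TRUSTED_NETWORKS):
        return "trusted-relay"            # came through the gateway or our LAN
    return "spoofed-local-sender"         # local From, untrusted IP, no AUTH
```

Note that "verified" in the Received line only means the reverse DNS check passed and "SMTPS" only means TLS; neither proves the sender was one of your users.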

----- "Robert M. Opalko" <opalko@oxfordms.net> wrote:
Thanks, the odd thing is the message does not appear in our Barracuda (spam appliance which hands off mail to our CGPro server) log as a message that has been received.  Shouldn't it?  Again, I'm missing the obvious I think.
Cheers,
Robert Opalko

On 2010-03-30 10:07 AM, Paul Chauvet wrote:
Hello Robert,

It looks to me as if zorak.unsl.edu.ar sent the message with the spoofed from address of your user to that same user.  I don't see anything that indicates the message was sent from within your network (and since it's to a local user, there's no improper relaying going on).



------------------------------------------
Paul Chauvet
UNIX/Linux Systems Administrator
State University of New York at New Paltz
845-257-3828
chauvetp@newpaltz.edu
------------------------------------------

----- "Robert M. Opalko" <opalko@oxfordms.net> wrote:
I had several users today complain of receiving a spam message from
their own email address, forged.  However, I cannot tell if this message
is being generated from within our network internally from a trojan or
if it is coming from an external source that CGPro is letting through as
if it were a valid client.  Here are the headers from the message
(account name changed to "user"):

Return-Path:<user@oxfordms.net>
Received: from zorak.unsl.edu.ar ([170.210.174.89] verified)
   by oxfordms.net (CommuniGate Pro SMTP 5.3.4)
   with SMTPS id 1834916 for user@oxfordms.net; Tue, 30 Mar 2010 08:18:39 -0500
From: Approved VIAGRA® Store<user@oxfordms.net>
Subject: Your Future Order with 73% off retail
To:<user@oxfordms.net>
MIME-Version: 1.0
Content-Type: text/html
X-Antivirus: avast! (VPS 100330-0, 30/03/2010), Outbound message
X-Antivirus-Status: Clean
Date: Tue, 30 Mar 2010 08:18:40 -0500
Message-ID:<auto-000001834916@oxfordms.net>

And the relevant log item from CGPro (which I unfortunately have turned
way down):

08:18:40.777 2 SMTPI-004726(zorak.unsl.edu.ar) [1834916] received encrypted, 2781 bytes
08:18:40.777 2 QUEUE([1834916]) from<user@oxfordms.net>, 2781 bytes (<auto-000001834916@oxfordms.net>)
08:18:40.779 2 QUEUE([1834916]) enqueued
08:18:40.781 2 ACCOUNT(user) [1834916] delivered
08:18:40.781 2 DEQUEUER [1834916] LOCAL(user) delivered: Delivered to the user mailbox
08:18:40.781 2 QUEUE([1834916]) deleted

I think I'm missing the forest for the trees here, but I don't know
what.  Any help appreciated.
Cheers,
Robert Opalko
