
Re: Spoofed email



--- Youcef Rabah Rahal <rahal at arabeyes dot org> wrote:
> On Thursday 06 May 2004 19:08, Nadim Shaikli wrote:
> > We have a serious problem with spoofed emails getting in - could the
> > various more experienced people please step forward and tell us what
> > needs to be done (and or do it themselves) to stop this problem
> > once-n-for-all.
> >
> > Anmar/M.Sameer/Youcef ?
> 
> Well, I have _zero_ experience in that. I thought you had some ideas ? What 
> about tweaking the mailing lists settings ? I remember you were looking into 
> that at some point.

What we have now (or at least I think that's what we have) is a means to
reject any email coming into arabeyes with a '@arabeyes.org' email address.
That is noted in our /etc/postfix/main.cf file as part of the
'smtpd_recipient_restrictions'.  I've tested this and can see in the logs
(/var/log/syslog) that it is working fine.

What baffles me is the recent email that was sent to 'cvs' that was clearly
spam.  I really really don't understand how it made its way into our system.

  http://lists.arabeyes.org/archives/general/2004/May/msg00025.html

The logs note that the email came in as Administrator at RESA dot ORG and then
somehow ended-up with an Administrator at arabeyes address.  How did it
switch its address ?  Mailman, our mailing-lists, will only allow posts
from,

 a. subscribed users (in most cases except 'read-only lists')
 b. from anyone with @arabeyes in their domain

The cvs list is a read-only list which is all fine and dandy, but how did
this email come in with one address and then get rewritten to contain our
local one?  So the events as I see them were,

 + mail comes in as @RESA.org destined to 'cvs'
 + postfix looks at it and says, ok, it's allowed since it's not @arabeyes
 + postfix, and I'm guessing here, did something to change the address
   to be @arabeyes (or someone else did or something happened, not sure;
   it's also odd that 'cvs-bounces' is involved)
 + mail now gets handed to mailman's cvs list
 + mailman checks the from header and sees @arabeyes address
 + mailman allows it through -> problem

As for munzir's recent spoof of my email account, I'm not really sure we
can do much here other than to start blocking "open relays" (ie. machines
that bounce mail on behalf of others without checks, etc).  We can easily
get postfix to check for known open-relays and reject 'em,

  http://ordb.org/faq
  http://www.spamhaus.org

but this "could" harm legit users and I'm not 100% certain it'll capture
all future spoofs (not sure there is a method to do that - but I'm a
newbie to all of this).

Thoughts/Comments ?

Salam.

 - Nadim
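The event sequence above describes two checks that look at two different fields: the Postfix restriction sees the SMTP envelope sender (MAIL FROM), while Mailman's poster check reads the From: header of the message body. The following is an added model of that pipeline, not code or configuration from arabeyes.org, Postfix, or Mailman. It assumes exactly the two rules the message states (reject outside mail with an @arabeyes.org envelope sender; accept a post whose From: is a subscriber or an @arabeyes.org address), runs a constructed message with an outside envelope and a local-looking From: header through both, and shows a hardened check that requires the two fields to agree before trusting a local From:.

```python
"""Added model of the two poster checks discussed in the thread.

Constructed example code, not Postfix, Mailman, or arabeyes.org
configuration. Assumptions taken from the message: a Postfix rule that
rejects outside mail whose envelope sender claims @arabeyes.org, and a
Mailman list that accepts a post when the From: header is a subscriber
or an @arabeyes.org address. The two checks inspect different fields, so
one message can satisfy both; the hardened check compares them.
"""
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAIN = "arabeyes.org"


def domain_of(address):
    """Lower-cased domain part of an address ('' if it has none)."""
    _, addr = parseaddr(address)
    addr = addr or address
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def postfix_accepts(envelope_sender, client_is_local=False):
    """Stand-in for the smtpd restriction: an outside client may not use
    a local envelope sender. Only MAIL FROM is visible at this stage."""
    if client_is_local:
        return True
    return domain_of(envelope_sender) != LOCAL_DOMAIN


def mailman_accepts(raw_message, subscribers):
    """Stand-in for the list's poster check, which reads the From: header."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    return from_addr in subscribers or domain_of(from_addr) == LOCAL_DOMAIN


def pipeline(envelope_sender, raw_message, subscribers, client_is_local=False):
    """Run the two checks in the order the message describes them."""
    if not postfix_accepts(envelope_sender, client_is_local):
        return "rejected by postfix"
    if not mailman_accepts(raw_message, subscribers):
        return "held by mailman"
    return "delivered"


def hardened_accepts(envelope_sender, raw_message, subscribers):
    """Defensive variant: a From: header in the local domain is trusted
    only when the envelope sender is local as well; otherwise the poster
    must be a subscriber. This closes the gap between the two fields."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    if from_addr in subscribers:
        return True
    return (domain_of(from_addr) == LOCAL_DOMAIN
            and domain_of(envelope_sender) == LOCAL_DOMAIN)


# Constructed sample: outside envelope sender, local-looking From: header.
SUBSCRIBERS = {"member@example.net"}          # constructed subscriber list
SPOOF_ENVELOPE = "administrator@external.example"  # constructed MAIL FROM
SPOOF_MESSAGE = (
    "From: Administrator <administrator@arabeyes.org>\r\n"
    "To: cvs@arabeyes.org\r\n"
    "Subject: constructed test message\r\n"
    "\r\n"
    "body\r\n"
)

if __name__ == "__main__":
    # The message passes both original checks but fails the hardened one.
    print(pipeline(SPOOF_ENVELOPE, SPOOF_MESSAGE, SUBSCRIBERS))
    print(hardened_accepts(SPOOF_ENVELOPE, SPOOF_MESSAGE, SUBSCRIBERS))
```

The same idea can be applied at the MTA rather than in the list software: Postfix's `header_checks` can inspect the From: header of outside mail, so a local-domain header arriving from an unauthenticated client can be logged or rejected before Mailman ever sees it.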
