Old 09-22-2003
Mojo B. Nichols
Default qmail relay AND Re: Watch this critical update from the M$

>>>>> "Phil" == Phil Weldon <pweldon@mindspring.com> writes:

> This post is from the worm. Worm.Automat.AGH has an SMTP engine and
> is going after usenet newsgroups. This is a bad one. It only takes
> about 90 of these infected e-mails to fill up a 10 MByte
> mailbox... if you start getting these infected e-mails you'll have
> to empty your mailbox hourly or even more often just to keep
> legitimate e-mail from bouncing.


I recently set up a qmail server and am very much a newbie to qmail as
well as running a mail server in general. I'm trying to get a handle
on what is happening and why. Here is what I've been seeing: I got
everything (qmail-smtp (open), qmail-send, qmail-popd (blocked))
working, then started to get mysterious messages to the effect
of:

MQ == Mail Quoted
MQ> X-From-Line: emailroutine@aol.net Mon Sep 22 15:44:49 2003
MQ> Return-Path: <wingatesigns@btinternet.com>
MQ> Delivered-To: mnichols@mojosoft.org
MQ> Received: (qmail 5932 invoked from network); 22 Sep 2003 15:45:37 -0000
MQ> Received: from unknown (HELO zinc.btinternet.com) (194.73.73.148)
MQ> by 192.168.1.4 with SMTP; 22 Sep 2003 15:45:37 -0000
MQ> Received: from host213-122-212-48.in-addr.btopenworld.com ([213.122.212.48] helo=kvkmp)
MQ> by zinc.btinternet.com with smtp (Exim 3.22 #23)
MQ> id 1A1Rvj-0003xf-00; Mon, 22 Sep 2003 15:44:49 +0100
MQ> FROM: "Net Message Storage System" <emailroutine@aol.net>
MQ> TO: "Net Recipient" <recipient@smtpdomain.net>
MQ> SUBJECT: undeliverable mail: user unknown
MQ> Mime-Version: 1.0
MQ> Content-Type: multipart/alternative; boundary="nxgoheqoeh"
MQ> X-Gnus-Mail-Source: pop:mnichols@192.168.1.4
MQ> Message-Id: <E1A1Rvj-0003xf-00@zinc.btinternet.com>
MQ> Date: Mon, 22 Sep 2003 15:44:49 +0100
MQ> X-Content-Length: 144308
MQ> Lines: 1892
MQ> Xref: mymachine spam:429
MQ>
MQ>
MQ>
MQ> Hi.
MQ>
MQ>
MQ> Undeliverable mail to azdateb@aol.net
MQ>
MQ>
MQ> Message follows:


Then I started getting a lot of the messages referenced in here. MS
patch etc. My first concern was that I had an open relay that
spammers were using, and hence the reason for the above message
showing up on my doorstep. I looked into it and it doesn't appear
that it is an open relay; rcpthosts includes my host and my laptop's
IP. (Although wouldn't it be possible to spoof this? I'll leave that
for another thread.)

My conclusion is that my email address was picked up and is now being
used as a reply-to for the spam. Likewise I'm receiving the spam as
well. Is this close to correct? I appreciate any help or wisdom in
this. Is this normal when a M$ worm/virus surfaces? I don't run M$
anywhere.


Thanks in advance
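One way to answer the open-relay question from the headers quoted above, as an added example that is not part of the original post: unfold the Received: chain and check whether the poster's own host (192.168.1.4 / mojosoft.org, as they appear in the quoted headers) shows up as a relaying hop rather than only as the final delivery point. The header text is copied from the quoted message; the local host set is an assumption drawn from it.

```python
import re

# Headers copied from the message quoted in the post (folded lines kept as-is).
SAMPLE_HEADERS = """\
Return-Path: <wingatesigns@btinternet.com>
Delivered-To: mnichols@mojosoft.org
Received: (qmail 5932 invoked from network); 22 Sep 2003 15:45:37 -0000
Received: from unknown (HELO zinc.btinternet.com) (194.73.73.148)
  by 192.168.1.4 with SMTP; 22 Sep 2003 15:45:37 -0000
Received: from host213-122-212-48.in-addr.btopenworld.com ([213.122.212.48] helo=kvkmp)
  by zinc.btinternet.com with smtp (Exim 3.22 #23)
  id 1A1Rvj-0003xf-00; Mon, 22 Sep 2003 15:44:49 +0100
FROM: "Net Message Storage System" <emailroutine@aol.net>
SUBJECT: undeliverable mail: user unknown
"""

# Assumed: the names/addresses the poster's own qmail box answers to.
LOCAL_HOSTS = {"192.168.1.4", "mojosoft.org"}

def unfold(raw):
    """Join RFC 2822 folded header lines (continuations start with whitespace)."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def received_hops(raw):
    """Return (from_name, from_ip, by_host) per Received: header, newest first.
    Headers without a 'from ... by ...' clause (e.g. qmail's local stamp) are skipped."""
    hops = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        m = re.search(r"from\s+(\S+)(.*?)\s+by\s+(\S+)", line)
        if m:
            ip = re.search(r"\d{1,3}(?:\.\d{1,3}){3}", m.group(2))
            hops.append((m.group(1), ip.group(0) if ip else None, m.group(3)))
    return hops

def relayed_by(raw, local_hosts):
    """True only if one of our hosts forwarded the mail onward, i.e. it appears
    as 'by' on a hop other than the newest (final delivery) one."""
    return any(by in local_hosts for (_, _, by) in received_hops(raw)[1:])

def entry_point(raw):
    """IP on the oldest hop: where the message first entered the mail system."""
    hops = received_hops(raw)
    return hops[-1][1] if hops else None
```

For the quoted message, relayed_by() is False and entry_point() is 213.122.212.48: the poster's box only appears as the last receiver, which matches their conclusion that the mail was not relayed through it.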
