Author Topic: Could I be spamming without knowing it ??? (Read 3257 times)

atjurhs · « **on:** May 19, 2003, 11:36:21 AM »

Hi all,

Like you I HATE spam

yes even the edible kind

And I've been getting a bunch of emails (hate mail) that appears to indicate that I am spamming folks, which I don't want to do!

These emails could either be genuine (meaning that somehow my OSX machine IS being used as a spam server, which I don't want that to be the casse), or they could be just clever (or maybe not so clever) attempts to get me to reply to their hate mail (in which case they've confirmed my email address is alive and active, and I don't want spammers to know that either).

Is there some way that I can verify that my OSX machne is not acting as some sort of "spam server" or "spam repeated" or whatever the correct computer jargon is?

cdub1988 · « **Reply #1 on:** May 19, 2003, 02:15:59 PM »

Just so I don't stick my foot in my mouth so far as to choke myself,

, I guess I'd ask first if you are in fact running your OS X box as a mail server.

If you ARE, then you might want to check your IP on ordb.org to verify that you're not marked as an Open Relay.

A little more detail about your setup might help.

1. What mail client are you using?
2. Are you running Sendmail or some other MTA?
3. What services are running at startup?

If you're not running a mail server, then you might check to see what services are loading up at startup by getting into Terminal and typing ps -aux at the command line for a process listing.

You'd be looking for any odd processes running (outside of the normal for boot, i.e., cron, httpd (if hosting), sendmail (if hosting mail), smbd (if running Samba) and so on).

Just a couple of thoughts.

Tacit or Diana will come and clarify, I'm sure.

They know the drill better than me.

Take care.

Chris

Paddy · « **Reply #2 on:** May 19, 2003, 02:42:23 PM »

Atjurhs, if you post the headers (you can xxxx out your own email addy if you wish) then maybe we can help you figure out where these emails are coming from. Just copy and paste them into your post - or you can email me directly through the board.

I suspect that it is yet another spammer-scam!

atjurhs · « **Reply #3 on:** May 19, 2003, 05:14:41 PM »

I'm not sure how to determine if I'm runnng it as a mail server or not.

I'm using Apple's Mail app.

As to Sendmail or MTA, I have no idea, or know how to determine.

The current jobs (ps -U username) I'm running include:

System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ATS.framework/
System/Library/CoreServices/WindowServer -daemon
System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow console
System/Library/CoreServices/pbs
System/Library/CoreServices/Dock.app/Contents/MacOS/Dock -psn_0_393217
System/Library/CoreServices/SystemUIServer.app/Contents/MacOS/SystemUIServer -psn_0_524289
System/Library/CoreServices/Finder.app/Contents/MacOS/Finder -psn_0_655361
Applications/iCal.app/Contents/MacOS/iCal -psn_0_1048577
Applications/_More_Apps/Launcher/Launcher.app/Contents/MacOS/Launcher -psn_0_1179649
System/Library/Services/AppleSpell.service/Contents/MacOS/AppleSpell -psn_0_1310721
Applications/Utilities/TextEdit.app/Contents/MacOS/TextEdit -psn_0_2359297
Applications/iTunes.app/Contents/MacOS/iTunes -psn_0_2883585
Applications/Address Book.app/Contents/MacOS/Address Book -psn_0_3145729
Applications/Safari.app/Contents/MacOS/Safari -psn_0_3276801
Applications/System Preferences.app/Contents/MacOS/System Preferences -psn_0_3407873
Applications/Utilities/Terminal.app/Contents/MacOS/Terminal -psn_0_3538945
tcsh

tacit · « **Reply #4 on:** May 19, 2003, 08:53:18 PM »

Please post one of the bounce messages, with full headers.

Unless you deliberately changed your OS X configuration, by means of a series of Terminal commands, you are not running a mail server--OS X does not come with the mail server turned on, and you need to type a set of Terminal commands in order to turn it on.

More likely, your email address is being spoofed.

"Spoofing" is the process of changing the From: address. It's easy to do; anyone anywhere can send any email with any From: address that you want. I can send you email that will say From: bill.gates@admin.microsoft.com if I like.

Spammers never use real From: addresses. They either use From: addresses that are totally bogus (like From: rfhghdfughdhg@fghfgfgfgfdhg.dfiigfg) or From: addresses that are stolen from Web sites or other email sources. (Right now, there is a spammer in Russia who is sending out spam for "penis enlargement" that says From: tacitr@aol.com, which is my email address).

If you post the bounce message with full headers, we can tell you if the message came from your computer or some other computer.

atjurhs · « **Reply #5 on:** May 20, 2003, 09:36:36 AM »

Well I've been trying to pull off the email's headers by using Show All Headers in Mail, but when I do a copy and paste of the header info nothing showed in TechSurvivor's window, so I tried to first paste it into TexEdit, TexEdit wants to save the pasted text as an .rtfd file which I've never heard of. When I try to paste that into Techsurvivors, same thing, nothing shows. So I tried opening the .rtfd file with BBEdit, again nothing showed. So using a terminal, I stripped off the "d" from the .rtfd. That turned the supposed text file into a directory containing a bunch of .TIFFs. This was all a bit too weird for me, so I opened the email again using Show Raw Source. And the html code below is what I got. I did a search and replace on the html of my actual email address and replaced it with atjurhs@bozo_the_clown, so any spamming bozos who might be lurking about in Techsurvivor land won't get my actual email address. Hopefully this won't cause any problems in determining if I am actually spammng or spoofing others.

What's an .rtfd file anyway?

From info@evocash.com Mon May 19 10:02:07 2003
Return-Path: <info@evocash.com>
Received: from servidor1.tecnoimagenes.com ([200.74.146.203])
 by filter.bozo_the_clown (8.11.6/8.11.2) with ESMTP id h4JEv8g05019
 for <atjurhs@bozo_the_clown>; Mon, 19 May 2003 09:57:09 -0500
Message-Id: <200305191457.h4JEv8g05019@filter.bozo_the_clown>
Received: from smtp0210.mail.yahoo.com (200-207-168-9.speedyterra.com.br [200.207.168.9]) by servidor1.tecnoimagenes.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
 id HJ9WTBVW; Mon, 19 May 2003 09:50:34 -0500
Date: Mon, 19 May 2003 14:39:58 GMT
From: info@evocash.com
X-Priority: 3
To: atjurhs@bozo_the_clown
Subject: ***Potential SPAM*** >>>>> FUCK OFF ARSEHOLE <<<<<<<
Mime-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-MailScanner: Found to be clean
X-Spam-Status: Yes, hits=18.3 required=10.0
 tests=NO_REAL_NAME,DOUBLE_CAPSWORD,LINES_OF_YELLING,
 UPPERCASE_25_50,FRONTPAGE,BIG_FONT,CTYPE_JUST_HTML,
 MSG_ID_ADDED_BY_MTA_2,RCVD_IN_DSBL,RCVD_IN_OSIRUSOFT_COM
 version=2.31
X-Spam-Flag: YES
X-Spam-Level: ******************
X-Spam-Checker-Version: SpamAssassin 2.31 (devel $Id: SpamAssassin.pm,v 1.94.2.2 2002/06/20 17:20:29 hughescr Exp $)
X-Spam-Report: Detailed Report
SPAM: ----
SPAM: This message was determined to contain certain SPAM traits.
SPAM: This message had 18.3 and only 10 were required.
SPAM: ----
Status:

<html>

<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 4.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>New Page 1</title>
</head>

<body>

DON'T SEND US ANY MORE OF YOUR  
SHIT SPAM YOU ARSEHOLE !!! 
 
 

<img border="0" src="http://www.super-mens.de/Galerie/Fun%20Pic/index_img/bum.gif" width="170" height="177">
 
Your email address is being added to 500
Spamlists! 
Enjoy all the extra emails !!<a href="http://www.e-forexgold.com"> 
</a>
<a href="http://www.evocash.com">www.evocash.com
 
</a>

 
 
<img border="0" src="http://hitscan.freeyellow.com/wanker.gif" width="162" height="159">
 
 
 
 

</body>

</html>

kelly · « **Reply #6 on:** May 20, 2003, 09:46:56 AM »

Found this.

"I won't comment on the security, or lack of it, of the RTFD format, but I can explain how it works. An RTFD "file" isn't a file at all. It's really a NeXT bundle, like a Mac OS X application, font or nib file. It appears as a directory in terminal sessions, and you can get the Finder to display its contents. All the images, PDFs, movies, sounds, applications and other non-text content is stored in this directory, along with an RTF file containing the textual content and links to the embedded content. This is an easy way to create a composite document without resource forks or MIME encoding. I, personally, think RTFD is great. OmniWeb can save web pages as RTFD, complete with images and full formatting information. Soon other applications will be able to export to this format as well. Sure, the only operating systems that recognise it are Mac OS X and OpenStep, but this can only improve."

http://www.macosxhints.com/article.php?sto...010402012633547

Paddy · « **Reply #7 on:** May 20, 2003, 11:06:28 AM »

See the link below for the SpamCop.net report:

SpamCop Report

As you can see from the report, the ISP has already taken action against this creep. If you keep getting the emails though, I'd sign up for SpamCop and send in some more reports - or simply contact the two adminstrators referenced at the bottom of the report. However, having now looked at the EvoCash site, it would appear that the problem is a bit nastier than it first appears. See:

http://www.evocash.com/index.cfm?w=1280

And click on the "Warning" button too - there are a number of items listed, one of which sounds like your threatening email.

Mayo · « **Reply #8 on:** May 20, 2003, 11:47:51 AM »

Here is a related story in The New York Times about how PCs are being used to relay spam http://www.nytimes.com/2003/05/20/technolo...pagewanted=1&th

You will need to register before you can read the article.

atjurhs · « **Reply #9 on:** May 20, 2003, 05:43:23 PM »

I have couple of other emails' raw source that I could also post, but hopefully in all this, your telling me that I'm NOT acting as a spam relay server ? And that this is just part of another spammer's scam?

tacit · « **Reply #10 on:** May 20, 2003, 07:03:38 PM »

The spam came from an open mail relay with the IP address

200.207.168.9

If that's your IP address, then you are an open relay. If that isn't your address, it's not you.

Paddy · « **Reply #11 on:** May 20, 2003, 10:57:58 PM »

The short answer is, yes, you are being spammed!

A couple of things - I looked up that IP - unless you're using a Brazilian ISP (!) then I don't think YOU are providing the open relay. If you read Portuguese, you may make better head or tail of this than I can (not sure who, of the three names I see here, is the responsible person), but the results are shown below. The other thing I did was check to see if the IP was listed on any of the "blackholes" lists - you can view the results (oh, yes!) here:

http://openrbl.org/ip/200/207/168/9.htm

And one of the blackholes sites listed spam associated with the IP, which you can view here:

http://work-rss.mail-abuse.org/cgi-bin/nph...w?200.207.168.9

F
rom the Caribbean & Latin America IP listings (Latnic):

inetnum: 200.207/16
asn: AS10429
ID abusos: ABL226
entidade: TELECOMUNICACÕES DE SAO PAULO S/A - TELESP
documento: 002.558.157/0001-62
responsável: Paulo Arthur Juliano
endereço: Av. Paulista, 2300, 19º andar
endereço: 01310-300 - Sao Paulo - SP
telefone: (011) 4689-3599 []
ID entidade: PAJ93
ID técnico: MAP728
inetrev: 200.207.0/17
servidor DNS: DNSQIPBR1.TELESP.NET.BR
status DNS: 20/05/2003 AA
último AA: 20/05/2003
servidor DNS: DNSQIPBR2.TELESP.NET.BR
status DNS: 20/05/2003 UDN
último AA: 08/03/2003
inetrev: 200.207.128/19
servidor DNS: DNSQIPBR1.TELESP.NET.BR
status DNS: 19/05/2003 AA
último AA: 19/05/2003
servidor DNS: DNSQIPBR2.TELESP.NET.BR
status DNS: 19/05/2003 AA
último AA: 19/05/2003
inetrev: 200.207.160/24
inetrev: 200.207.161/24
inetrev: 200.207.162/23
servidor DNS: DNSQIPBR1.TELESP.NET.BR
status DNS: 20/05/2003 AA
último AA: 20/05/2003
servidor DNS: DNSQIPBR2.TELESP.NET.BR
status DNS: 20/05/2003 AA
último AA: 20/05/2003
inetrev: 200.207.164/22
inetrev: 200.207.168/21
servidor DNS: DNSQIPBR1.TELESP.NET.BR
status DNS: 19/05/2003 AA
último AA: 19/05/2003
servidor DNS: DNSQIPBR2.TELESP.NET.BR
status DNS: 19/05/2003 AA
último AA: 19/05/2003
inetrev: 200.207.176/21
servidor DNS: DNSQIPBR1.TELESP.NET.BR
status DNS: 20/05/2003 AA
último AA: 20/05/2003
servidor DNS: DNSQIPBR2.TELESP.NET.BR
status DNS: 20/05/2003 AA
último AA: 20/05/2003
inetrev: 200.207.184/22
servidor DNS: DNSQIPBR1.TELESP.NET.BR
status DNS: 19/05/2003 AA
último AA: 19/05/2003
servidor DNS: DNSQIPBR2.TELESP.NET.BR
status DNS: 19/05/2003 AA
último AA: 19/05/2003
inetrev: 200.207.188/23
servidor DNS: DNSQIPBR1.TELESP.NET.BR
status DNS: 20/05/2003 AA
último AA: 20/05/2003
servidor DNS: DNSQIPBR2.TELESP.NET.BR
status DNS: 20/05/2003 AA
último AA: 20/05/2003
inetrev: 200.207.190/24
inetrev: 200.207.192/24
inetrev: 200.207.193/24
servidor DNS: DNSQIPBR1.TELESP.NET.BR
status DNS: 19/05/2003 AA
último AA: 19/05/2003
servidor DNS: DNSQIPBR2.TELESP.NET.BR
status DNS: 19/05/2003 AA
último AA: 19/05/2003
inetrev: 200.207.194/23
servidor DNS: DNSQIPBR1.TELESP.NET.BR
status DNS: 20/05/2003 AA
último AA: 20/05/2003
servidor DNS: DNSQIPBR2.TELESP.NET.BR
status DNS: 20/05/2003 AA
último AA: 20/05/2003
inetrev: 200.207.197/24
servidor DNS: DNSQIPBR1.TELESP.NET.BR
status DNS: 19/05/2003 AA
último AA: 19/05/2003
servidor DNS: DNSQIPBR2.TELESP.NET.BR
status DNS: 19/05/2003 AA
último AA: 19/05/2003
inetrev: 200.207.198/23
servidor DNS: DNSQIPBR1.TELESP.NET.BR
status DNS: 20/05/2003 AA
último AA: 20/05/2003
servidor DNS: DNSQIPBR2.TELESP.NET.BR
status DNS: 20/05/2003 AA
último AA: 20/05/2003
inetrev: 200.207.200/21
servidor DNS: DNSQIPBR1.TELESP.NET.BR
status DNS: 19/05/2003 AA
último AA: 19/05/2003
servidor DNS: DNSQIPBR2.TELESP.NET.BR
status DNS: 19/05/2003 AA
último AA: 19/05/2003
inetrev: 200.207.208/21
servidor DNS: DNSQIPBR1.TELESP.NET.BR
status DNS: 20/05/2003 AA
último AA: 20/05/2003
servidor DNS: DNSQIPBR2.TELESP.NET.BR
status DNS: 20/05/2003 AA
último AA: 20/05/2003
inetrev: 200.207.216/22
inetrev: 200.207.220/23
servidor DNS: DNSQIPBR1.TELESP.NET.BR
status DNS: 19/05/2003 AA
último AA: 19/05/2003
servidor DNS: DNSQIPBR2.TELESP.NET.BR
status DNS: 19/05/2003 AA
último AA: 19/05/2003
inetrev: 200.207.222/24
servidor DNS: DNSQIPBR1.TELESP.NET.BR
status DNS: 20/05/2003 AA
último AA: 20/05/2003
servidor DNS: DNSQIPBR2.TELESP.NET.BR
status DNS: 20/05/2003 AA
último AA: 20/05/2003
inetrev: 200.207.223/24
servidor DNS: DNSQIPBR1.TELESP.NET.BR
status DNS: 19/05/2003 AA
último AA: 19/05/2003
servidor DNS: DNSQIPBR2.TELESP.NET.BR
status DNS: 19/05/2003 AA
último AA: 19/05/2003
inetrev: 200.207.224/21
servidor DNS: DNSQIPBR1.TELESP.NET.BR
status DNS: 20/05/2003 AA
último AA: 20/05/2003
servidor DNS: DNSQIPBR2.TELESP.NET.BR
status DNS: 20/05/2003 AA
último AA: 20/05/2003
inetrev: 200.207.232/22
inetrev: 200.207.236/24
inetrev: 200.207.239/24
inetrev: 200.207.240/24
servidor DNS: DNSQIPBR1.TELESP.NET.BR
status DNS: 19/05/2003 AA
último AA: 19/05/2003
servidor DNS: DNSQIPBR2.TELESP.NET.BR
status DNS: 19/05/2003 AA
último AA: 19/05/2003
inetrev: 200.207.241/24
servidor DNS: DNSQIPBR3.TELESP.NET.BR
status DNS: 19/05/2003 UH
último AA: 15/04/2002
servidor DNS: SSCNS1.TELESP.NET.BR
status DNS: 19/05/2003 UH
último AA: 15/04/2002
inetrev: 200.207.242/23
inetrev: 200.207.244/23
servidor DNS: DNSQIPBR1.TELESP.NET.BR
status DNS: 19/05/2003 AA
último AA: 19/05/2003
servidor DNS: DNSQIPBR2.TELESP.NET.BR
status DNS: 19/05/2003 AA
último AA: 19/05/2003
inetrev: 200.207.247/24
servidor DNS: DNSQIPBR1.TELESP.NET.BR
status DNS: 20/05/2003 AA
último AA: 20/05/2003
servidor DNS: DNSQIPBR2.TELESP.NET.BR
status DNS: 20/05/2003 AA
último AA: 20/05/2003
inetrev: 200.207.248/22
servidor DNS: DNSQIPBR1.TELESP.NET.BR
status DNS: 19/05/2003 AA
último AA: 19/05/2003
servidor DNS: DNSQIPBR2.TELESP.NET.BR
status DNS: 19/05/2003 AA
último AA: 19/05/2003
inetrev: 200.207.252/23
servidor DNS: DNSQIPBR1.TELESP.NET.BR
status DNS: 20/05/2003 AA
último AA: 20/05/2003
servidor DNS: DNSQIPBR2.TELESP.NET.BR
status DNS: 20/05/2003 AA
último AA: 20/05/2003
inetrev: 200.207.254/23
servidor DNS: DNSQIPBR1.TELESP.NET.BR
status DNS: 19/05/2003 AA
último AA: 19/05/2003
servidor DNS: DNSQIPBR2.TELESP.NET.BR
status DNS: 19/05/2003 AA
último AA: 19/05/2003
criado: 17/11/1999
alterado: 02/07/2001

ID: ABL226
nome: Alicia Bernarda Contreras Lamas
e-mail: security@TELESP.NET.BR
endereço: rua martins fontes, 152, 9º
endereço: 01050-000 - São Paulo - Sp
telefone: (11) 31560097 [0098]
criado: 13/03/2003
alterado: 13/03/2003

ID: MAP728
nome: Marilda Amelia Martins de Paula
e-mail: mamartin@TELEFONICAEMPRESAS.NET.BR
endereço: Av. Brig. Faria Lima, 1188, 5 andar
endereço: 01451-001 - São Paulo - SP
telefone: (11) 3038-7198 []
criado: 05/06/2001
alterado: 19/12/2002

ID: PAJ93
nome: Paulo Arthur Juliano
e-mail: gestaoip@TELESP.COM.BR
endereço: Av. Paulista, 2300, 19o. andar
endereço: 01310-300 - São Paulo - SP
telefone: (11) 3329-5132 []
criado: 25/10/2002
alterado: 03/02/2003

remarks: Security issues should also be addressed to
remarks: nbso@nic.br, http://www.nic.br/nbso.html
remarks: Mail abuse issues should also be addressed to
remarks: mail-abuse@nic.br

% whois.registro.br accepts only direct match queries.
% Types of queries are: domains (.BR), BR POCs, CIDR blocks,
% IP and AS numbers.

News:

Author Topic: Could I be spamming without knowing it ??? (Read 3257 times)