receiving phishing/spam from known address names and localhost

Joe Mocerino asked:

We are using SmarterMail 11.2 and are receiving spam from senders in our address book (name only, different email). In the header I see “Received: from localhost” and other suspicious things. In the past this would be a compromised email account, but we have changed passwords and don't believe that is the case here.

NOTE: “[NAME FROM MY ADDRESS BOOK]” is a display name I recognize; the email address is not one I recognize.

example:

Return-Path: <jtw1267@vikingcable.net>
Received: from lead.intertech.net (Lead.intertech.net [24.223.0.82]) by dns19.tntsupport.net with SMTP;
   Mon, 13 May 2013 10:09:39 -0500
Received: from localhost (lead.intertech.net [127.0.0.1])
    by lead.intertech.net (interTECH) with ESMTP id 8668663E92B
    for <MY EMAIL ADDRESS>; Mon, 13 May 2013 09:02:18 -0600 (MDT)
X-Virus-Scanned: amavisd-new at lead.intertech.net
Received: from lead.intertech.net ([127.0.0.1])
    by localhost (lead.intertech.net [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id Di0eiZ8JSOQr for <MY EMAIL ADDRESS>;
    Mon, 13 May 2013 09:02:17 -0600 (MDT)
Received: from localhost (unknown [112.208.70.163])
    by lead.intertech.net (interTECH) with ESMTPSA id 835F063E8F6
    for <MY EMAIL ADDRESS>; Mon, 13 May 2013 09:02:14 -0600 (MDT)
From: [NAME FROM MY ADDRESS BOOK] <jtw1267@vikingcable.net>
Reply-To: [NAME FROM MY ADDRESS BOOK] <jtw1267@vikingcable.net>
Subject: Fwd: for [MY FIRST NAME]
To: <MY EMAIL ADDRESS>
MIME-Version: 1.0
Date: Mon, 13 May 2013 08:02:46 -0800 (PST)
Content-Type: text/plain; charset=us-ascii
Message-Id: <20130513150216.835F063E8F6@lead.intertech.net>
X-SmarterMail-Spam: Commtouch 0 [value: Unknown], SPF_Pass, DK_None, DKIM_None, Custom Rules [], HostKarma - Whitelist
X-CTCH-RefId: str=0001.0A010209.5191025B.003C:SCFSTAT14621567,ss=1,re=-4.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
X-SmarterMail-TotalSpamWeight: 0

hey. what do you think about this? http://www.35lezarts.fr/advertisingbunchbriangordon/


Sent from my iPhone

My answer:


You can’t necessarily believe anything in the Received: headers, except the one that corresponds to the mail server that directly spoke to your mail server. These are trivial to fake. However, the one added by your own server is certainly real enough.

Reading this, I would believe that the valid Received: header corresponding to receipt by your mail server is this one:

Received: from lead.intertech.net (Lead.intertech.net [24.223.0.82]) by dns19.tntsupport.net with SMTP;
    Mon, 13 May 2013 10:09:39 -0500

Since the listed abuse contact for 24.223.0.82 is nobody@example.com and it seems to be PI address space, I’d suggest just blackholing them, unless you actually know who this company is. In that case, you should call them and find the right person to yell at.


View the full question and answer on Server Fault.
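As an added example (not part of the original answer), here is a short Python script that applies the rule above: walk the Received: chain from the top and treat only the hop stamped by your own MTA as trustworthy, reading the connecting IP from that hop and counting the unverifiable hops beneath it. The header block is constructed from the question's example with the recipient replaced by a placeholder, and the MTA name dns19.tntsupport.net is taken from the question.

```python
import re
from email import message_from_string

# Constructed sample modeled on the headers quoted in the question
# (recipient replaced by a placeholder address).
RAW_HEADERS = """\
Return-Path: <jtw1267@vikingcable.net>
Received: from lead.intertech.net (Lead.intertech.net [24.223.0.82]) by dns19.tntsupport.net with SMTP;
   Mon, 13 May 2013 10:09:39 -0500
Received: from localhost (lead.intertech.net [127.0.0.1])
    by lead.intertech.net (interTECH) with ESMTP id 8668663E92B
    for <victim@example.com>; Mon, 13 May 2013 09:02:18 -0600 (MDT)
Received: from lead.intertech.net ([127.0.0.1])
    by localhost (lead.intertech.net [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id Di0eiZ8JSOQr for <victim@example.com>;
    Mon, 13 May 2013 09:02:17 -0600 (MDT)
Received: from localhost (unknown [112.208.70.163])
    by lead.intertech.net (interTECH) with ESMTPSA id 835F063E8F6
    for <victim@example.com>; Mon, 13 May 2013 09:02:14 -0600 (MDT)
From: Someone You Know <jtw1267@vikingcable.net>
Subject: Fwd: for you

"""

def split_hop(received):
    """Return (from_clause, by_host, bracketed_ip) for one Received: value, or None."""
    text = " ".join(received.split())          # unfold continuation lines
    m = re.match(r"from\s+(?P<frm>.*?)\s+by\s+(?P<by>\S+)", text)
    if not m:
        return None
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", m.group("frm"))
    return m.group("frm"), m.group("by").lower(), ip.group(1) if ip else None

def trusted_hop(raw, own_mta):
    """Find the topmost hop written by our own MTA; everything below it is untrusted."""
    msg = message_from_string(raw)
    hops = [split_hop(v) for v in msg.get_all("Received", [])]
    for idx, hop in enumerate(hops):
        if hop and hop[1] == own_mta.lower():
            return {"index": idx, "connecting_ip": hop[2], "from": hop[0],
                    "untrusted_below": len(hops) - idx - 1}
    return None

if __name__ == "__main__":
    hop = trusted_hop(RAW_HEADERS, "dns19.tntsupport.net")
    print("Peer that spoke to our MTA:", hop["connecting_ip"])
    print("Received: lines we cannot verify:", hop["untrusted_below"])
```

The IP this reports is the one to look up and, if warranted, block; the "localhost" and 112.208.70.163 entries sit in hops the sender's own servers wrote and cannot be relied on.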

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.