Mailing List Archive: SpamAssassin: users

joe jobbed or hacked?



jp at jpkvideo

May 5, 2008, 9:45 AM

Post #1 of 6 (141 views)
joe jobbed or hacked?

I just received around 2000 bounce messages from various servers
rejecting messages (supposedly) coming from my email address.
This has happened to me before but not on this scale. Any ideas on how
to tell if this is just a joe job or if someone has actually used my
server as a spam sending platform?
I am on a centos5 box.
Any help on this will be greatly appreciated.


rbennett at thatitguy

May 5, 2008, 9:53 AM

Post #2 of 6 (135 views)
Re: joe jobbed or hacked? [In reply to]

Read the headers in the bounce messages; look for the originating IP
address. If it's the address of your server, then you know it's not a
joe job (but it probably is).

Rubin

On Mon, 2008-05-05 at 09:45 -0700, Jon-Paul Kelly wrote:
> I just received around 2000 bounce messages from various servers
> rejecting messages (supposedly) coming from my email address.
> This has happened to me before but not on this scale. Any ideas on how
> to tell if this is just a joe job or if someone has actually used my
> server as a spam sending platform?
> I am on a centos5 box.
> Any help on this will be greatly appreciated.
--
Rubin Bennett
RB Technologies
http://thatitguy.com
rbennett[at]thatitguy.com
(802)223-4448

"They that can give up essential liberty to obtain a little
temporary security deserve neither liberty nor safety"
--Benjamin Franklin, Historical Review of Pennsylvania, 1759


jasone at venturenet

May 5, 2008, 9:57 AM

Post #3 of 6 (122 views)
RE: joe jobbed or hacked? [In reply to]

What are people doing about joe jobs at this point? What custom rules and/or plugins? I use qmail with spamassassin and I'm seeing an increase in these over the last few weeks on some of my domains.

Jason

> -----Original Message-----
> From: Rubin Bennett [mailto:rbennett[at]thatitguy.com]
> Sent: Monday, May 05, 2008 11:53 AM
> To: Jon-Paul Kelly
> Cc: spamassassin-users
> Subject: Re: joe jobbed or hacked?
>
> Read the headers in the bounce messages; look for the originating IP
> address. If it's the address of your server, then you know it's not a
> joe job (but it probably is).
>
> Rubin
>
> On Mon, 2008-05-05 at 09:45 -0700, Jon-Paul Kelly wrote:
> > I just received around 2000 bounce messages from various servers
> > rejecting messages (supposedly) coming from my email address.
> > This has happened to me before but not on this scale. Any ideas on how
> > to tell if this is just a joe job or if someone has actually used my
> > server as a spam sending platform?
> > I am on a centos5 box.
> > Any help on this will be greatly appreciated.
> --
> Rubin Bennett
> RB Technologies
> http://thatitguy.com
> rbennett[at]thatitguy.com
> (802)223-4448
>
> "They that can give up essential liberty to obtain a little
> temporary security deserve neither liberty nor safety"
> --Benjamin Franklin, Historical Review of Pennsylvania, 1759
>


kelson at speed

May 5, 2008, 10:02 AM

Post #4 of 6 (135 views)
Re: joe jobbed or hacked? [In reply to]

Jon-Paul Kelly wrote:
> I just received around 2000 bounce messages from various servers
> rejecting messages (supposedly) coming from my email address.
> This has happened to me before but not on this scale. Any ideas on how
> to tell if this is just a joe job or if someone has actually used my
> server as a spam sending platform?

The first thing to do is look at the bounces to see whether your IP
address is listed anywhere. If none of them mention your server, either
in the original Received headers on the rejected message or in the
bounce notice itself, you can be confident that it was just a forged sender.

If it does list your server, you'll need to look more closely. Is it
the immediate sender (the one that connected to the server issuing the
rejection)? If so, you've got problems. Is it further down in the
Received chain? In that case, it could also be forged, and you'll have
to keep looking.

You can also look at your mail logs, in case they found a hole in your
relay config or something. Though if the system is actually hacked,
they could send using their own SMTP engine, bypassing your mail queue,
and the messages probably wouldn't be logged.

Hope this helps.

--
Kelson Vibber
SpeedGate Communications <www.speed.net>
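The header test Rubin and Kelson describe, as an added example (not code from anyone in the thread): pull the rejected message out of the DSN, then check whether our server's address is the host that connected to the rejecting MX, appears only deeper in the Received chain, or appears nowhere. OUR_IPS, the hostnames and the sample bounce are constructed assumptions.

```python
import email
import ipaddress
import re
from email import policy

# Assumption: the public address of the server being asked about (RFC 5737 documentation range).
OUR_IPS = {ipaddress.ip_address("192.0.2.10")}
_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def _ips_in(text):
    """Every valid IPv4 literal in a header or body fragment (malformed ones are skipped)."""
    found = set()
    for lit in _IPV4.findall(text or ""):
        try:
            found.add(ipaddress.ip_address(lit))
        except ValueError:
            pass
    return found


def classify_bounce(bounce_raw):
    """Kelson's test: 'compromised' if our IP is the host that handed the mail to the rejecting
    server, 'suspect' if it only appears deeper in the Received chain, 'joe-job' if it is nowhere."""
    bounce = email.message_from_bytes(bounce_raw, policy=policy.default)
    # The rejected message, if the DSN carries it as a message/rfc822 part.
    original = next((p.get_payload(0) for p in bounce.walk()
                     if p.get_content_type() == "message/rfc822"), None)
    hops = original.get_all("Received", []) if original is not None else []
    for depth, hop in enumerate(hops):  # depth 0 was stamped by the rejecting server itself
        if _ips_in(hop) & OUR_IPS:
            return "compromised" if depth == 0 else "suspect"
    notice = bounce.get_body(preferencelist=("plain",))  # the DSN's own text, not the original
    if notice is not None and _ips_in(notice.get_content()) & OUR_IPS:
        return "suspect"
    return "joe-job"


def sample_bounce(client_ip, earlier_hop_ip="198.51.100.7"):
    """Constructed DSN for testing: the rejecting MX logged `client_ip` as the connecting host."""
    return (b"From: MAILER-DAEMON@mx.example.org\r\nTo: jp@example.com\r\nSubject: Undelivered\r\n"
            b"Content-Type: multipart/report; report-type=delivery-status; boundary=B\r\n\r\n"
            b"--B\r\nContent-Type: text/plain\r\n\r\nYour message was rejected as spam.\r\n"
            b"--B\r\nContent-Type: message/rfc822\r\n\r\n"
            b"Received: from spammer.example.net [" + client_ip.encode() + b"]\r\n"
            b"\tby mx.example.org with ESMTP; Mon, 5 May 2008 09:40:00 -0700\r\n"
            b"Received: from [" + earlier_hop_ip.encode() + b"] by spammer.example.net\r\n"
            b"From: jp@example.com\r\nSubject: buy now\r\n\r\nspam body\r\n"
            b"--B--\r\n")
```

A "suspect" result is not proof either way: as Kelson notes, anything below the rejecting server's own Received line can be forged by the sender.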


larsi at gnus

May 5, 2008, 12:25 PM

Post #5 of 6 (132 views)
Re: joe jobbed or hacked? [In reply to]

Jon-Paul Kelly <jp[at]jpkvideo.com> writes:

> I just received around 2000 bounce messages from various servers
> rejecting messages (supposedly) coming from my email address.

It's most likely just a joe-job thing. While backscatter is nothing
new, I haven't seen backscatter on the current scale before. (It's been
going on for about three weeks now.) It's starting to get some press:

http://www.computerworld.com.au/index.php/id;1698505531;fp;16;fpid;1

Other web sites claim that the spam network that sends out these forged
messages is connected to the Storm Worm network...

I've gotten on the order of 40K messages per week since it started.
Most of it is tagged as spam, but the "out of office" and
challenge-response messages slip through.

--
(domestic pets only, the antidote for overdose, milk.)
larsi[at]gnus.org * Lars Magne Ingebrigtsen


jonas_lists at frukt

May 7, 2008, 2:45 AM

Post #6 of 6 (113 views)
Re: joe jobbed or hacked? [In reply to]

Jason Esman wrote:
> What are people doing about joe jobs at this point? What custom rules and/or plugins?

We:
1) Use VBounce
2) For any message hitting ANY_BOUNCE_MESSAGE our MD filter tries
to extract the original message from the bounce and run that
through SpamAssassin and then use the higher of the two scores
for filtering.

/Jonas
--
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/
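Jonas's second step as an added example (not his MD filter's code): extract the original message from the bounce, score both the bounce and the original through `spamc -c`, and filter on the higher score. The spamd wrapper assumes a local spamd reachable by `spamc`; the sample bounce and the offline keyword scorer are constructed stand-ins, not SpamAssassin.

```python
import email
import subprocess
from email import policy


def extract_original(bounce_raw):
    """The rejected message carried inside a DSN as a message/rfc822 part, or None if absent."""
    bounce = email.message_from_bytes(bounce_raw, policy=policy.default)
    return next((p.get_payload(0) for p in bounce.walk()
                 if p.get_content_type() == "message/rfc822"), None)


def spamc_score(raw):
    """Score raw message bytes through the local spamd: 'spamc -c' prints 'score/threshold'
    and exits 1 for spam, so the exit status is deliberately not treated as an error."""
    out = subprocess.run(["spamc", "-c"], input=raw, capture_output=True, check=False)
    return float(out.stdout.decode().split("/")[0])


def bounce_filter_score(bounce_raw, score_fn=spamc_score):
    """Jonas's rule: score the bounce and, when present, the extracted original; filter on
    the higher of the two so a forged spam does not hide behind a clean-looking DSN."""
    scores = [score_fn(bounce_raw)]
    original = extract_original(bounce_raw)
    if original is not None:
        scores.append(score_fn(original.as_bytes()))
    return max(scores)


# Constructed DSN for testing: a bland bounce wrapping a spammy original.
SAMPLE_BOUNCE = (b"From: MAILER-DAEMON@mx.example.org\r\nTo: jp@example.com\r\n"
                 b"Content-Type: multipart/report; report-type=delivery-status; boundary=B\r\n\r\n"
                 b"--B\r\nContent-Type: text/plain\r\n\r\nYour message was rejected.\r\n"
                 b"--B\r\nContent-Type: message/rfc822\r\n\r\n"
                 b"From: jp@example.com\r\nSubject: buy now\r\n\r\nCHEAP PILLS click here\r\n"
                 b"--B--\r\n")


def keyword_score(raw):
    """Offline stand-in for spamc (constructed, not SpamAssassin): looks only at the Subject and
    the main text body, which is why a spam wrapped inside a DSN scores low on its own."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = ((msg["Subject"] or "") + " " + (body.get_content() if body else "")).lower()
    return float(sum(text.count(w) for w in ("cheap pills", "click here")))
```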
