Boat Drinks  

Old 02-01-2007, 20:57   #1
Richard Slater
Long Island Iced Tea
 
Join Date: Sep 2006
Location: Brighton, UK
Posts: 285
Is it spam?

Someone has suggested that signing up to the website I run has resulted in his e-mail receiving spam. I have asked the Administrator Team to change their passwords and check their machines (the only way I can think of that you could "use" phpBB to get e-mail addresses). I have checked the hosting and removed everything that isn't used at the moment, and checked the login log for my web host in case something was in there.

I asked the person in question to send me the "spam" and this is what I got back:

Quote:
Return-Path: <chlfirm@server7.jiffynet-hosting.net>
X-Envelope-To: Thor@TheAsgard
X-Spam-Status: No, hits=1.2 required=5.0
tests=AWL: 1.046,NO_REAL_NAME: 0.124
X-Spam-Level: *
Return-Path: <chlfirm@server7.jiffynet-hosting.net>
Received: from punt3.mail.demon.net by mailstore
for hhh@<USER IN QUESTIONS ISP DOMAIN> id 1H1muE-2VcGPo-06-G65;
Tue, 02 Jan 2007 16:54:30 +0000
Received: from [194.217.242.210] (lhlo=lon1-hub.mail.demon.net)
by punt3.mail.demon.net with lmtp id 1H1muE-2VcGPo-06
for hhh@<USER IN QUESTIONS ISP DOMAIN>; Tue, 02 Jan 2007 16:54:30 +0000
Received: from [216.67.224.66] (helo=server7.jiffynet-hosting.net)
by lon1-hub.mail.demon.net with esmtp id 1H1muE-0000PG-Id
for hhh@<USER IN QUESTIONS ISP DOMAIN>; Tue, 02 Jan 2007 16:54:30 +0000
Received: from chlfirm by server7.jiffynet-hosting.net with local (Exim 4.63)
(envelope-from <chlfirm@server7.jiffynet-hosting.net>)
id 1H1muT-0001iR-MP
for hhh@<USER IN QUESTIONS ISP DOMAIN>; Tue, 02 Jan 2007 11:54:45 -0500
X-Boxtrapper: EDfHOJm2sPPcn3ODICrbMxuKw_vM6qPU
From: r.choueiri@chlfirm.com
To: hhh@<USER IN QUESTIONS ISP DOMAIN>
Subject: Your email requires verification verify#D5paaQrSsvuQCwmmT80fUFcjxgylc6JY
Message-Id: <E1H1muT-0001iR-MP@server7.jiffynet-hosting.net>
Date: Tue, 02 Jan 2007 11:54:45 -0500
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server7.jiffynet-hosting.net
X-AntiAbuse: Original Domain - <USER IN QUESTIONS ISP DOMAIN>
X-AntiAbuse: Originator/Caller UID/GID - [32035 12] / [47 12]
X-AntiAbuse: Sender Address Domain - server7.jiffynet-hosting.net
X-Source: /usr/local/cpanel/bin/boxtrapper
X-Source-Args: /usr/local/cpanel/bin/boxtrapper r.choueiri@chlfirm.com
X-Source-Dir: /tmp

The message you sent requires that you verify that you
are a real live human being and not a spam source.

To complete this verification, simply reply to this message and leave
the subject line intact.

The headers of the message sent from your address are show below:

>From hhh@<USER IN QUESTIONS ISP DOMAIN> Tue Jan 02 11:54:45 2007
Received: from [196.206.91.227] (helo=adsl196-227-91-206-196.adsl196-3.iam.net.ma)
by server7.jiffynet-hosting.net with smtp (Exim 4.63)
(envelope-from <hhh@<USER IN QUESTIONS ISP DOMAIN>>)
id 1H1muN-0001hJ-Bt
for r.choueiri@chlfirm.com; Tue, 02 Jan 2007 11:54:45 -0500
Received: from hvrk ([227.235.166.74])
by adsl196-227-91-206-196.adsl196-3.iam.net.ma (8.13.1/8.13.1) with SMTP id l02GtX2B059306;
Tue, 2 Jan 2007 16:55:33 +0000
Message-ID: <001f01c72e8e$947640c0$4aa6ebe3@hvrk>
From: "Joy" <hhh@<USER IN QUESTIONS ISP DOMAIN>>
To: <r.choueiri@chlfirm.com>
Subject: multiply
Date: Tue, 2 Jan 2007 16:49:29 +0000
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="----=_NextPart_000_001B_01C72E8E.94729740"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1409
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409


__________ NOD32 1952 (20070102) Information __________

This message was checked by NOD32 antivirus system.

http://www.eset.com
Quote:
Return-Path: <>
X-Envelope-To: Thor@TheAsgard
X-Spam-Status: No, hits=0.3 required=5.0
tests=NO_REAL_NAME: 0.124,VIRUS_WARNING268B: 0.2
X-Spam-Level:
Return-Path: <>
Received: from punt3.mail.demon.net by mailstore
for qumhfx@<USER IN QUESTIONS ISP DOMAIN> id 1H1lkQ-4cIknw-06-8jN;
Tue, 02 Jan 2007 15:40:18 +0000
Received: from [194.217.242.223] (lhlo=lon1-hub.mail.demon.net)
by punt3.mail.demon.net with lmtp id 1H1lkQ-4cIknw-06
for qumhfx@<USER IN QUESTIONS ISP DOMAIN>; Tue, 02 Jan 2007 15:40:18 +0000
Received: from [195.238.4.117] (helo=outmx018.isp.belgacom.be)
by lon1-hub.mail.demon.net with esmtp id 1H1lkQ-0000m4-Ct
for qumhfx@<USER IN QUESTIONS ISP DOMAIN>; Tue, 02 Jan 2007 15:40:18 +0000
Received: from outmx018.isp.belgacom.be (localhost [127.0.0.1])
by outmx018.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-OUT-2.22) with ESMTP id l02FeABx009841
for <qumhfx@<USER IN QUESTIONS ISP DOMAIN>>; Tue, 2 Jan 2007 16:40:10 +0100
(envelope-from <>)
Received: from hvhp.be (34.103-240-81.adsl-dyn.isp.belgacom.be [81.240.103.34])
by outmx018.isp.belgacom.be (8.12.11.20060308/8.12.11/Skynet-OUT-2.22) with ESMTP id l02FeA1A009835
for <qumhfx@<USER IN QUESTIONS ISP DOMAIN>>; Tue, 2 Jan 2007 16:40:10 +0100
(envelope-from <>)
Message-Id: <200701021540.l02FeA1A009835@outmx018.isp.belgacom.be>
Reply-To: No-one@hvhp.be
From: Mailer_Daemon@hvhp.be
To: qumhfx@<USER IN QUESTIONS ISP DOMAIN>
Subject: Mail Delivery Failure
Date: Tue, 2 Jan 2007 16:45:13 +0100

Delivery Failure Report.
The following message was incorrectly addressed.
Recipient: "gorissenrudi@hvhp.be" is unrecognised.

Please contact "postmaster@hvhp.be" for further assistance


---------------------------------------
Received: from mail.hvhp.be by hvhp.be (VPOP3) with POP3 (Tue, 2 Jan 2007 16:45:13 +0100); Tue, 02 Jan 2007 16:03:57 +0100
Return-path: <qumhfx@<USER IN QUESTIONS ISP DOMAIN>>
Envelope-to: gorissenrudi@hvhp.be
Delivery-date: Tue, 02 Jan 2007 16:03:57 +0100
Received: from mail by host01.tela.be with spam-scanned (Exim 4.42)
id 1H1lBF-0003X3-CI
for gorissenrudi@hvhp.be; Tue, 02 Jan 2007 16:03:57 +0100
Received: from in.dishatech.com ([220.225.70.109])
by host01.tela.be with smtp (Exim 4.42)
id 1H1lBB-0003Wy-KE
for gorissenrudi@hvhp.be; di, 02 jan 2007 16:03:57 +0100
Received: (qmail 15941 invoked from network); Tue, 2 Jan 2007 20:42:18 +0530
Received: from unknown (HELO nlhtoa) (207.127.228.141)
by in.dishatech.com with SMTP; Tue, 2 Jan 2007 20:42:18 +0530
Message-ID: <459A7652.1000009@<USER IN QUESTIONS ISP DOMAIN>>
Date: Tue, 2 Jan 2007 20:42:18 +0530
From: Kelly I. Essie <qumhfx@<USER IN QUESTIONS ISP DOMAIN>>
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
MIME-Version: 1.0
To: gorissenrudi@hvhp.be
Subject: luscious Hindu
Content-Type: multipart/related;
boundary="------------080707000701010106080101"
X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on host01.tela.be
X-Spam-Level: **
X-Spam-Status: No, score=2.9 required=5.0 tests=HTML_20_30,HTML_IMAGE_ONLY_16,
HTML_MESSAGE,MIME_HTML_ONLY autolearn=no version=3.0.1

__________ NOD32 1949 (20061230) Information __________

This message was checked by NOD32 antivirus system.

http://www.eset.com
Quote:
Return-Path: <chlfirm@server7.jiffynet-hosting.net>
X-Envelope-To: Thor@TheAsgard
X-Spam-Status: No, hits=2.2 required=5.0
tests=MISSING_SUBJECT: 1.109,NO_REAL_NAME: 0.124,SARE_FROM_NONAME: 0.983
X-Spam-Level: **
Return-Path: <chlfirm@server7.jiffynet-hosting.net>
Received: from punt3.mail.demon.net by mailstore
for hhh@<USER IN QUESTIONS ISP DOMAIN> id 1H1muB-2xLGPo-05-G68;
Tue, 02 Jan 2007 16:54:27 +0000
Received: from [194.217.242.223] (lhlo=lon1-hub.mail.demon.net)
by punt3.mail.demon.net with lmtp id 1H1muB-2xLGPo-05
for hhh@<USER IN QUESTIONS ISP DOMAIN>; Tue, 02 Jan 2007 16:54:27 +0000
Received: from [216.67.224.66] (helo=server7.jiffynet-hosting.net)
by lon1-hub.mail.demon.net with esmtp id 1H1muB-0002h8-HD
for hhh@<USER IN QUESTIONS ISP DOMAIN>; Tue, 02 Jan 2007 16:54:27 +0000
Received: from chlfirm by server7.jiffynet-hosting.net with local (Exim 4.63)
(envelope-from <chlfirm@server7.jiffynet-hosting.net>)
id 1H1muT-0001iW-NP
for hhh@<USER IN QUESTIONS ISP DOMAIN>; Tue, 02 Jan 2007 11:54:45 -0500
To: "Joy" <hhh@<USER IN QUESTIONS ISP DOMAIN>>
X-Autorespond: multiply
X-Loop: "Joy" <hhh@<USER IN QUESTIONS ISP DOMAIN>>
From: "" <r.choueiri@chlfirm.com>
Content-type: text/plain; charset=us-ascii
Subject:
Message-Id: <E1H1muT-0001iW-NP@server7.jiffynet-hosting.net>
Date: Tue, 02 Jan 2007 11:54:45 -0500
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server7.jiffynet-hosting.net
X-AntiAbuse: Original Domain - <USER IN QUESTIONS ISP DOMAIN>
X-AntiAbuse: Originator/Caller UID/GID - [32035 32002] / [47 12]
X-AntiAbuse: Sender Address Domain - server7.jiffynet-hosting.net
X-Source: /usr/local/cpanel/bin/autorespond
X-Source-Args: /usr/local/cpanel/bin/autorespond r.choueiri@chlfirm.com /home/chlfirm/.autorespond
X-Source-Dir: /
__________ NOD32 1952 (20070102) Information __________

This message was checked by NOD32 antivirus system.
http://www.eset.com
There are more of them, however they are all similar to the second e-mail posted above.

Does anyone know enough about this stuff to explain how this could happen?
Old 02-01-2007, 21:40   #2
Garp
Preparing more tumbleweed
 
Join Date: Jun 2006
Location: Hawaii
Posts: 6,038

If I'm reading those right, what's happened is someone is spoofing his address as a source of spam. What he's seeing are the bouncebacks from other e-mail servers rejecting the e-mails.

The first one is where someone has it set up to only allow e-mails from people that will click on the link first to confirm they are a valid user (that beats most bots that get used to send spam, as they ignore any replies). In this case the e-mail has attempted to go to r.choueiri@chlfirm.com.

The second one is another bounceback as a consequence of trying to be sent to an invalid address.

The third one is possibly tied in with the first, I'm not quite certain what the implications are there.

I'm going to make a fair stab at the domain being one like my freeserve one, where you've got an infinite number of e-mail addresses theoretically, taking the form:

whatever-you-chose@username.isp.co.uk

This is a huge flaw and well known about in the ISP (and thus these services are not offered to new users): as soon as a spammer trawls your domain from anywhere, they'll send it as if coming from anything before the @ symbol.
Currently on my home's freeserve account we're getting between 600 - 800 e-mails all sent from addresses we don't use. Hence I've stopped using it too, as it's too much hassle trawling through the spam.

There is nothing that can be done, and I'd argue it's highly unlikely it's come from having signed up to your server; it's something completely unavoidable for him.

Spoofing an address for e-mails is simple. I can very easily connect to any mail server and send a message purporting to be from any e-mail address under the sun, even using basic command line instructions:

telnet mail.domainname.co.uk 25
HELO anotherdomainname.co.uk
MAIL FROM: <madeupaddress@domainname.co.uk>
RCPT TO: <destinationaddress@domainname.co.uk>
DATA

It's really that simple. No checking is done (unless the ISP uses Sender Mail Verification, something more and more prevalent).
__________________
Mal: Define "interesting"?
Wash: "Oh, God, oh, God, we're all gonna die"?
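Added example (my own Python, not code from the thread): it reads the Received: chain the way Garp does above, reporting the hop where a message actually entered the mail system, checking whether any relay belongs to the claimed From: domain, and labelling the three kinds of backscatter quoted in the first post (a null-return-path bounce, an autoresponder reply and a challenge-response request). The samples are constructed from the quoted headers with the victim's ISP domain replaced by the placeholder victim.example; the X-Autorespond and X-Source header names are taken from the quoted messages.

```python
import email
import email.utils
import re

def parse_received(raw_message):
    """Received: hops in transit order (origin first), as from/ip/by dicts."""
    hops = []
    for value in email.message_from_string(raw_message).get_all("Received", []):
        unfolded = " ".join(value.split())            # join continuation lines
        sender = unfolded.split(" by ", 1)[0]         # "from host (helo=..) [ip]"
        m_from = re.match(r"from\s+(\S+)", sender)    # None for local injections
        m_ip = re.search(r"\d{1,3}(?:\.\d{1,3}){3}", sender)  # IP the relay saw
        m_by = re.search(r"\sby\s+(\S+)", unfolded)
        hops.append({"from": m_from and m_from.group(1), "ip": m_ip and m_ip.group(0),
                     "by": m_by and m_by.group(1)})
    return hops[::-1]   # each relay prepends its header, so the last one is hop one

def sender_domain_in_chain(raw_message):
    """Did any relay belong to the From: domain? Mail forged in an ISP
    customer's name, as in this thread, never passes through that ISP."""
    from_hdr = email.message_from_string(raw_message).get("From", "")
    domain = email.utils.parseaddr(from_hdr)[1].rpartition("@")[2].lower()
    return bool(domain) and any(
        domain in ((h["from"] or "") + " " + (h["by"] or "")).lower()
        for h in parse_received(raw_message))

def backscatter_reason(raw_message):
    """Why a message is backscatter (a reply to mail the victim never sent), or None."""
    msg = email.message_from_string(raw_message)
    if msg.get("Return-Path", "").strip() == "<>":
        return "bounce: null return path"
    if "X-Autorespond" in msg:
        return "autoresponder reply"
    return "challenge-response verification request" if "boxtrapper" in msg.get("X-Source", "").lower() else None

# Constructed samples cut down from the headers quoted in the thread (victim domain is a placeholder).
BOUNCE = """\
Return-Path: <>
Received: from [195.238.4.117] (helo=outmx018.isp.belgacom.be)
\tby lon1-hub.mail.demon.net with esmtp id 1H1lkQ-0000m4-Ct
From: Mailer_Daemon@hvhp.be
Subject: Mail Delivery Failure
"""
FORGED = """\
Received: from in.dishatech.com ([220.225.70.109])
\tby host01.tela.be with smtp (Exim 4.42) id 1H1lBB-0003Wy-KE
Received: from unknown (HELO nlhtoa) (207.127.228.141)
\tby in.dishatech.com with SMTP; Tue, 2 Jan 2007 20:42:18 +0530
From: Kelly I. Essie <qumhfx@victim.example>
"""
```

Run against the forged message, `parse_received` puts the dial-up host that gave `HELO nlhtoa` as hop one and `sender_domain_in_chain` is False, which is the evidence that the From: address was borrowed rather than used.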
Old 02-01-2007, 21:47   #3
Richard Slater
Long Island Iced Tea
 
Join Date: Sep 2006
Location: Brighton, UK
Posts: 285

Quote:
Originally Posted by Garp View Post
I'm going to make a fair stab at the domain being one like my freeserve one, where you've got an infinite number of e-mail addresses theoretically, taking the form:

whatever-you-chose@username.isp.co.uk
You would be correct

My main problem now is that he claims that the account was spam free before he signed up. And there is no way that I can prove that it wasn't.

Thanks Garp
Old 02-01-2007, 23:07   #4
Mark
Screaming Orgasm
 
Join Date: Jul 2006
Location: Newbury
Posts: 15,194

Quote:
Originally Posted by Richard Slater View Post
You would be correct

My main problem now is that he claims that the account was spam free before he signed up. And there is no way that I can prove that it wasn't.
Unhappy coincidence - unless, that is, your phpBB installation isn't fully patched and/or the user in question included their email address in a signature (both of which are well known issues).

Some ISPs do still give out anything@your-domain email addresses. The problem isn't that spammers can use these as fake From: addresses (they can do that anyway - just pick any old domain and use info@, sales@, webmaster@, admin@ and so forth), the problem is that ISPs that offer these set up the default email account as a catch-all (so anything unrecognised goes there), and don't provide a means of stopping such emails. My PlusNet account has this problem. Fortunately spammers have (so far) confined themselves to two addresses and I've had them both black holed (set up so that anything sent there just goes directly into the bin without ever touching the real email account).

Last edited by Mark; 02-01-2007 at 23:09.
Old 03-01-2007, 08:39   #5
Richard Slater
Long Island Iced Tea
 
Join Date: Sep 2006
Location: Brighton, UK
Posts: 285

Quote:
Originally Posted by Bumhug View Post
Unhappy coincidence - unless, that is, your phpBB installation isn't fully patched and/or the user in question included their email address in a signature (both of which are well known issues).
It is fully patched up, unmodded other than templates. I have combed through the installs on there and compared them to the default installs; it all matches up.

If it was in his signature he has removed it since. He doesn't seem to be pushing the matter.