The Community Forums


Spammer spoofing IP ?

Discussion in 'General Discussion' started by kernow, Jan 29, 2006.

  1. kernow

    kernow Well-Known Member

    We had a complaint saying a client from our IP was spamming their web submission form, but the included copy of the spam mail had a message ID that contained a domain not hosted by us, and we don't allow user nobody to send out mail. Is it possible the spammer spoofed our IP?
     
  2. chirpy

    chirpy Well-Known Member

    Yes, but the only way to be sure would be for you to post the full email header (with obfuscation if you prefer). The only header record of relevance is the Received: header, and of those that appear, only the last added (the first from the top) can be reliably trusted, as all the others could be forged.
     
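Added example, not code from the thread or from cPanel: a small Python script that applies the rule above, treating only the topmost Received: header as the hop our own MTA recorded and everything below it as unverifiable. Both messages and all hosts in it are constructed; the second message has no Received: lines at all, which is the situation a forwarded copy with stripped headers leaves you in.

```python
import re
from email import message_from_string

# Constructed message: the first Received: line was added by our own MTA,
# the two below it arrived inside the message and could have been forged.
SAMPLE_WITH_HOPS = """Received: from mx.example.net ([203.0.113.7]) by mail.ourhost.example
\tfor <abuse@ourhost.example>; Sun, 29 Jan 2006 00:37:01 +0000
Received: from forged-relay.example.org ([192.0.2.55]) by mx.example.net;
\tSun, 29 Jan 2006 00:36:50 +0000
Received: from localhost by forged-relay.example.org; Sun, 29 Jan 2006 00:36:47 +0000
From: "Kirk" <kirk@example.org>
To: <join@example.net>
Message-ID: <constructed-id-0001@mail.example.com>
X-Mailer: cgiemail 1.6(form="http://www.example.net/join.html")

form body
"""

# Constructed copy with the transport headers stripped: no Received: lines.
SAMPLE_NO_HOPS = """From: "Kirk" <kirk@example.org>
Message-ID: <constructed-id-0001@mail.example.com>
X-Mailer: cgiemail 1.6(form="http://www.example.net/join.html")

form body
"""

# "from <host> ... [<ip>]" at the start of a Received: value; the IP is optional.
HOP_RE = re.compile(r"from\s+(\S+)(?:.*?\[([0-9a-fA-F.:]+)\])?", re.S)

def received_chain(raw):
    """Received: values in the order they appear (top = last added)."""
    msg = message_from_string(raw)
    return [" ".join(v.split()) for v in msg.get_all("Received", [])]

def parse_hop(value):
    """Extract the claimed sending host and, if present, its IP literal."""
    m = HOP_RE.match(value)
    return {"from": m.group(1), "ip": m.group(2)} if m else None

def analyze(raw):
    """Separate the one trustworthy hop from the unverifiable ones."""
    chain = received_chain(raw)
    msg = message_from_string(raw)
    mid = msg.get("Message-ID", "").strip("<>")
    return {
        "trusted_hop": parse_hop(chain[0]) if chain else None,
        "unverifiable_hops": [parse_hop(v) for v in chain[1:]],
        "message_id_domain": mid.rsplit("@", 1)[-1] if "@" in mid else None,
        "x_mailer": msg.get("X-Mailer"),
    }
```

With no Received: headers, `trusted_hop` is None: the copy tells you which form script built the mail (X-Mailer) and which host generated the Message-ID, but nothing verifiable about where it came from.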
  3. kernow

    kernow Well-Known Member

    The data centre sent me a copy of the mail, whose headers I was unable to view in Firefox, but opening the file up in a text editor revealed the following:
    ###################
    From: "Kirk" <kirk@whispelna-gatha.com>
    To: <trialwar@trialware.org>
    Subject: Join Trialware Professional Association
    Date: Sun, 29 Jan 2006 00:36:47 -0000
    Message-ID: <E1F30Yh-0000WL-Fn@eta.asmallorange.com>
    MIME-Version: 1.0
    Content-Type: text/plain;
    charset="iso-8859-1"
    Content-Transfer-Encoding: 7bit
    X-Mailer: cgiemail 1.6(form="http://www.trialware.org/join.html")(action="/cgi-bin/cgiemail/join.txt")
    Thread-Index: AcYkbBckD1+y/0aqS/KUzCzeQtyn1w==
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
    X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on eta.asmallorange.com
    X-Spam-Status: No, score=-3.1 required=5.0 tests=ALL_TRUSTED,BAYES_00,INFO_TLD autolearn=ham version=3.1.0
    X-Spam-Level:
    X-PMFLAGS: 33570944 0 1 PLL2A124.CNM

    IP: ( EDITED OUT )

    Update: False

    email: kirk@whispelna-gatha.com

    input_company: Whispelna Gatha

    name: Kirk

    HideEMail: True

    input_website: http://www.smoking-girls.info

    input_desc: What do Women Want? But if I really wanted to impress my girl
    friend, what is something I can try? Like what really get's some of you
    ladies going?
    I read <a
    href='http://www.smoking-girls.info'>http://www.smoking-girls.info
    </a> that sex in a public place is a popular fantasy for females, is this
    true?

    keywords: sex,asshole,boobs,tits,pussy,vagina,booby,cake hole, sex movies,
    porn gallery,smoke boy, smoking girl

    input_linktype: Other
    ###################
     
  4. chirpy

    chirpy Well-Known Member

    Ah, I understand more clearly what the problem is you've had reported. I can only presume that they, the complainer, have the IP address of your server in their web logs and so identified your server as the source of the mail form spam. Unfortunately, with form mail spammers, there's likely very little at all you can do about it whether it's true or not, except to try and ensure that no scripts on your server have been compromised. One thing you can certainly do in the short term is to block the IP address of the complainer's web site (presumably www.trialware.org) in your firewall on the server so that no traffic from your server can get to theirs.
     
  5. kernow

    kernow Well-Known Member

    Good idea, thanks for that. :)
    BTW, I did notice that the email message ID domain (asmallorange.com) is a web hosting company...
     
  6. chirpy

    chirpy Well-Known Member

    The only thing that actually helps you in the email message is where the mail form script is hosted; everything else in it is irrelevant, as it doesn't contain any other useful information.
     