How do spammers spoof my internal domain?

Red Squirrel

I was going through my spam folder and noticed something interesting. Some of them are actually spoofing my INTERNAL domain. That domain is not valid on the internet and is not part of the email addresses being sent to. How are they doing this? I also saw some where the spoofed email is a mix of the internal server name and other email account names. Basically randomized based on info on the server. Interestingly a lot of these seem to also have two from emails and not just one; one of them will be the host name of my online mail server.

The way my setup works is that I have an online mail server, and my internal mail server uses fetchmail to get the mail from the online one. So all my mail resides locally on my network and is accessed via imap. When I send mail it just relays to the online mail server.

The local mail server is a very old server that is running Fedora Core 9, so it probably has tons of exploits, but that server is sitting behind a firewall on my internal network and has no services port forwarded to it. Is there somehow a way it could still have been compromised, through a specially formatted email or something? I do have plans to decommission this server but still have services to migrate off it such as mail, just have not gotten around to it. I'm kinda curious to rename the server just to see if I start getting spam spoofing the new name too.

I checked the mail logs for some of these emails, but there's not really much details, just basic stuff, showing that it got delivered etc.

Should I be worried about this? One thing I can think of is that the server hostname is on the internet in the form of forum posts etc where I may have previously posted logs or other info when seeking help for something else. Spam bots could theoretically pick that up, but how would they associate it with me?
 
you can make emails look like they're being sent from whoever you want... valid or invalid... it's your mail server's responsibility to check the validity of those emails... there are technologies in place to aid with this... look up "SPF"

one of the many many reasons it's not worth it to run your own mail servers anymore... it's a ton of work...

a ton...
 
Agreed. Mail service is non-trivial, but rewarding if you do it right.
 

Your internal domain name is still there in the e-mail's headers. If you click 'show original' on one of your mails like in gmail or your e-mail client you'll see something like:

Received: from 10.0.0.5 (localhost [IPv6:::1]) by groupofficevm.localdomain (Postfix)(blah blah) even though I'm routing this mail through a relay with a FQDN.
 
Yeah I understand it will be in the headers, but the part that kinda baffles me is that they are spoofing the internal domain, so that means that somehow someone or an automated process on the internet knows that onlinedomain.com actually goes to internaldomain.com, how do they know? What I'm wondering is if somehow these are originating from inside the network and that I'm somehow compromised. Here is an example header:


Code:
Received: from localhost by [internaldomain].loc
   with SpamAssassin (version 3.2.5);
   Tue, 06 Dec 2016 09:49:06 -0500
From: From@[internaldomain].loc:"cron, sherri" <[email protected]>
To: services@[onlinedomain].com
Subject: (16.9) [SPAM] Inv# 7192437 for PO# A447130
Date: Tue, 06 Dec 2016 21:44:34 +0700
Message-Id: <[email protected]>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on [internaldomain].loc
X-Spam-Level: ****************
X-Spam-Status: Yes, score=16.9 required=4.5 tests=AGEN_fake_order4766458,
   AGEN_lines7051021665,DNS_FROM_AHBL_RHSBL,MISSING_MIMEOLE,RCVD_IN_PBL,
   RCVD_IN_XBL,RDNS_NONE autolearn=failed version=3.2.5
X-Spam-Report:
   *  1.5 AGEN_lines7051021665 BODY: AGEN_lines7051021665
   *  1.2 AGEN_fake_order4766458 BODY: possible pharmacy or fake order number
   *  2.0 DNS_FROM_AHBL_RHSBL RBL: Envelope sender listed in dnsbl.ahbl.org
   *  4.0 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
   *      [123.25.33.187 listed in zen.spamhaus.org]
   *  4.8 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
   *  3.4 RDNS_NONE Delivered to trusted network by a host with no rDNS
   *  0.0 MISSING_MIMEOLE Message has X-MSMail-Priority, but no X-MimeOLE
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_5846CFE2.6A442B25"

This is a multi-part message in MIME format.

------------=_5846CFE2.6A442B25
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Spam detection software, running on the system "[internaldomain].loc", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.

Content preview:  Please do not respond to this email address. For questions/inquires,
   please contact our Accounts Receivable Department. This email has been scanned
   by the MessageLabs outbound Email Security System for CIRCOR International
   Inc. For more information please visit http://www.symanteccloud.com [...]
   

Content analysis details:   (16.9 points, 4.5 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.5 AGEN_lines7051021665   BODY: AGEN_lines7051021665
 1.2 AGEN_fake_order4766458 BODY: possible pharmacy or fake order number
 2.0 DNS_FROM_AHBL_RHSBL    RBL: Envelope sender listed in dnsbl.ahbl.org
 4.0 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [123.25.33.187 listed in zen.spamhaus.org]
 4.8 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
 3.4 RDNS_NONE              Delivered to trusted network by a host with no rDNS
 0.0 MISSING_MIMEOLE        Message has X-MSMail-Priority, but no X-MimeOLE

***This message scanned by the [internaldomain] local server***

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.


------------=_5846CFE2.6A442B25
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: attachment
Content-Transfer-Encoding: 8bit

Return-Path: <[email protected]>
X-Original-To: email_ryan@localhost
Delivered-To: email_ryan@localhost.[internaldomain].loc
Received: from [internaldomain].loc ([internaldomain].loc [127.0.0.1])
   by [internaldomain].loc (Postfix) with ESMTP id 321DF73804C
   for <email_ryan@localhost>; Tue,  6 Dec 2016 09:49:02 -0500 (EST)
X-Original-To: services@[onlinedomain].com
Delivered-To: ryan@[onlinedomain].com
Received: from mail.[onlinedomain].ca [192.95.14.96]
   by [internaldomain].loc with POP3 (fetchmail-6.3.8)
   for <email_ryan@localhost> (single-drop); Tue, 06 Dec 2016 09:49:02 -0500 (EST)
Received: from static.vdc.vn (unknown [123.25.33.187])
   by mail.[onlinedomain].ca (Postfix) with ESMTP id 0DA1936BC12F
   for <services@[onlinedomain].com>; Tue,  6 Dec 2016 09:44:27 -0500 (EST)
Date: Tue, 06 Dec 2016 21:44:34 +0700
From: From@[internaldomain].loc:"cron, sherri" <[email protected]>
Subject: Inv# 7192437 for PO# A447130
To: services@[onlinedomain].com
Message-ID: <[email protected]>
X-Priority: 3
X-MSMail-Priority: Normal
X-Sensitivity: Normal
X-Mailer: KeyesMail 7.0
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--=_61E7932.."

This is a multipart message in MIME format.

----=_61E7932..
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit



I replaced my internal domain with [internaldomain] and my online domain (where the mail is actually being sent to) with [onlinedomain].

What is interesting about this particular email is the word cron that is part of the from. Suppose that may be a coincidence but I have a local email account with the word cron in it which is where cron jobs end up. It's just interesting that it somehow got used as a spoofed email. But the fact that the local domain is used is even more baffling. A lot of these spoofed emails have cron in it in one way or the other so I presume they might all be coming from same source as they all have the same basic info such as my internal domain and name of an internal account. There's not that many of these though, maybe a dozen in the past years. A lot of them are spoofing my external domain but that's normal and typical.
 
* 2.0 DNS_FROM_AHBL_RHSBL RBL: Envelope sender listed in dnsbl.ahbl.org
* 4.0 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
* [123.25.33.187 listed in zen.spamhaus.org]
* 4.8 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
* 3.4 RDNS_NONE Delivered to trusted network by a host with no rDNS

looks like your spam filtering is doing its job...

the question is not "how did it work being sent to my internal domain" because that's not how emails work... again... you can make an email look like it's coming from whoever you want...

the question is how did they even know what your internal domain was... my guess is it's somewhere in the headers you're sending out for regular emails...
 
SMTP is just text, you can put whatever you want there. Literally everything before the line that your own server puts there can be complete total bullshit.

Things I learned at work ages ago: Email really WANTS to get delivered, you can actually do it wrong and break lots of SMTP RFCs but lots of mail server software will still try to send it somewhere, often successfully. SMTP in a nutshell: shove text at port 25, see what happens!
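The point made in the last few replies, as an added defender-side example that is not code from this thread: walk the Received: chain of the header posted above from the newest stamp (our own server's) down to the first hop that arrived from outside, and compare that with what the From: line claims. The host names are placeholders standing in for the thread's bracketed ones, the entry relay IP is the one SpamAssassin flagged in the posted header, and our own relay's IP is a documentation-range stand-in.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Our hosts (placeholders): a Received: stamped "by" one of them is trusted; From: is just text.
OUR_HOSTS = {"internaldomain.loc", "mail.onlinedomain.ca"}
INTERNAL = "internaldomain.loc"          # domain that is never valid on the internet
RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+)(?P<rest>.*?)\bby\s+(?P<by>\S+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_received(value):
    """(helo_name, ip_or_None, receiving_host) for one Received: header."""
    m = RECEIVED_RE.search(value)
    if not m: return None
    ip = IP_RE.search(m.group("rest"))
    return m.group("helo"), (ip.group(1) if ip else None), m.group("by")

def entry_point(raw):
    """Walk Received: newest-first to the hop where the mail entered our hosts."""
    msg = message_from_string(raw)
    origin = None
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if hop is None or hop[2] not in OUR_HOSTS:
            break                       # stamped by a foreign host: untrusted
        origin = hop
        if hop[0] not in OUR_HOSTS:
            break                       # first hop from outside: lines below are forgeable
    domain = lambda h: parseaddr(msg.get(h, ""))[1].rpartition("@")[2].lower()
    return {"origin_helo": origin[0] if origin else None,
            "origin_ip": origin[1] if origin else None,
            "from_domain": domain("From"), "envelope_domain": domain("Return-Path")}

def spoof_findings(info):
    out = []
    if info["from_domain"] == INTERNAL and info["origin_helo"] not in OUR_HOSTS:
        out.append("From: uses internal-only domain but mail entered from outside")
    if info["envelope_domain"] != info["from_domain"]:
        out.append("envelope sender domain differs from header From: domain")
    return out

# Constructed sample modelled on the header posted above (our relay IP swapped for a doc-range one).
SAMPLE = """\
Return-Path: <bounce@sender.invalid>
Received: from mail.onlinedomain.ca [192.0.2.10]
   by internaldomain.loc with POP3 (fetchmail-6.3.8); Tue, 06 Dec 2016 09:49:02 -0500
Received: from static.vdc.vn (unknown [123.25.33.187])
   by mail.onlinedomain.ca (Postfix) with ESMTP id 0DA1936BC12F; Tue, 6 Dec 2016 09:44:27 -0500
From: "cron, sherri" <cron@internaldomain.loc>
"""
```

Running `spoof_findings(entry_point(SAMPLE))` reports both mismatches: the From: domain is the internal-only one, yet the first trusted stamp shows the mail arriving at the online relay from an outside host.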
 
Ok maybe I was not clear. What I'm asking is how does the spammer, bot etc even know what my local domain is when it is sending mail to my external one? That local domain is well, local. How are they spoofing THAT domain, instead of my online domain? The internal domain is only for the internal mailboxes which Fetchmail drops the mail into from the online mail server. It should not be known to the sender, but somehow it is, that's what I'm trying to find out how.
 
There are dozens of ways...
When someone cc's an internal address it goes out to external sources is one way.
Spammer infects a computer that got that email and bingo they have both the internal and external domain.
 
Are there known infections for Linux that could do this? That's kinda what I'm starting to wonder, if I've been compromised somehow. At one point I had OpenVPN port wide open to the whole internet, instead of only specific IPs, and that was in the Heartbleed days. (I quickly turned it off and patched and redid all the keys when I found out about the exploit.) So I'm wondering if I may have gotten exploited through Heartbleed or another 0-day at some point and it spread to the rest of the network. I don't have SSH brute force protection set up internally, nor do I patch stuff as quickly on non internet facing servers, so it would be nothing to get into the rest of the servers if something made it on the inside. Suppose I should consider tightening the internal security as well...

There are only a handful of spam emails that have spoofed that domain though, so maybe those are just oddball incidents. The existing one is on the internet in various forms (mostly forum posts where I may have posted a config for something) so in theory a spam bot could have picked it up. Still odd it would know to associate it with my real email though. I'm not so worried about it being known, more worried about how it got known and how said process was able to associate it with my real email. It would almost require the server to be compromised for those details to be known, but hopefully I'm just missing some kind of detail. I will rename that server and keep that name private to see if the new one starts to show up in spam and go from there I guess. If it does then I know I have a real problem to worry about.
 