Relay for spam?
Tony Pursell
ajp at princeswalk.fsnet.co.uk
Wed May 18 17:29:48 UTC 2011
On Wed, 2011-05-18 at 11:13 -0400, Bill Stanley wrote:
> I just got a notification from my ISP that I am sending spam. I am
> somewhat doubtful but I would like to check my computer anyways. In the
> last week and a half, I have used Linux exclusively but the only thing
> that I have doubts about is the spam email on this list entitled "An
> Invitation ....", which I didn't open up.
>
> Now my ISP is complaining about being a relay for spam. Their email is
> as follows...
>
> **************************************************
> Your email account was used to send a huge amount of spam messages
> during this week. Most likely your computer had been infected by a
> recent virus and now contains a hidden proxy server.
> *************************************************
>
> Where should I look for hidden email proxies? They go on about an
> attachment on what to do but there is no attachment and if there was one
> would probably only contain information relevant to Windows systems. I
> am suspicious about that email as well.
>
> Bill Stanley
>
Who is your ISP? Do they supply you with a fixed IP address or a dynamic
one?
Are they basing this just on your email address being used for spam? Or
is it your IP address? This is important because email addresses can be
spoofed, so almost anyone can send an email 'From' you. If you use
Evolution, go into Edit > Preferences > select your default account >
Edit, then put ajp at princeswalk.fsnet.co.uk in the Email address box and
you will be sending all your mail 'From' me. It's as easy as that! I
know because I have one of the most comprehensively spoofed email
addresses around, if the non-delivery notices I've been getting lately
from various Russian email servers are anything to go on.
I don't believe that your ISP would be so naive as to think your
email address alone indicates you as the spam source, so if the email
from your ISP is not a hoax, then they must be identifying the spam from
the IP address they have given you. So you either have an open proxy or
a SMTP mail server (which sends mail) set up as an open relay.
A proxy server usually is set up so that people on the internal IP
addresses of a network can access the internet. An open proxy allows
anyone on the world wide web who happens to know your IP address to use
that proxy server. (I talk from bitter experience!) Unfortunately, they
don't just use it to browse the web (although it would be a way to
access illegal pornographic content) but use various http commands to
relay mail.
By default, SMTP mail servers should not be set up to relay mail. So
the mail server I administered only sent out mail originating from our
internal IP addresses and not 'relay' mail from other external IP
addresses. But SMTP mail servers are very easy to set up. Most Windows
viruses that send spam have their own built-in SMTP mail servers. Even
OpenOffice.org/LibreOffice has a built-in SMTP server to send its
mail-merge emails.
You can go to a site like SORBS (http://www.au.sorbs.net/lookup.shtml)
to check if your IP address has been identified as an open proxy or an
open relay. Sites like Spamcop collect spam emails from people to
identify IP addresses sending spam and inform ISPs of them. They also
have a black-list lookup at http://www.spamcop.net/bl.shtml.
So have a word with your ISP and ask them on what basis they are saying
you are a spammer. They should know if you are an open proxy or open
relay. Let us know what they say so we can help you further.
Tony
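
Added example, not part of the original message: one way to check a Linux machine for an SMTP server or proxy that accepts connections from other hosts is to read the kernel's table of listening TCP sockets. The port list, the function names and the sample table are assumptions made for this illustration, and the address decoding assumes a little-endian machine (x86, most ARM).

```python
import socket
import struct

# Ports commonly used by mail servers and proxies (assumed list; extend as needed).
WATCH_PORTS = {25: "SMTP", 587: "SMTP submission", 1080: "SOCKS proxy",
               3128: "HTTP proxy", 8080: "HTTP proxy"}

# Constructed sample in /proc/net/tcp format (not taken from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11001 1
   1: 00000000:0C38 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 11002 1
   2: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11003 1
   3: 0A00A8C0:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11004 1
   4: 0A00A8C0:C350 2D00A8C0:0050 01 00000000:00000000 00:00000000 00000000  1000        0 11005 1
"""

def parse_listeners(table_text):
    """Return (ip, port) for every socket in LISTEN state (st == 0A)."""
    listeners = []
    for line in table_text.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != "0A":  # 0A = TCP_LISTEN
            continue
        hex_ip, hex_port = fields[1].split(":")
        # The address is a 32-bit value printed in host byte order.
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        listeners.append((ip, int(hex_port, 16)))
    return listeners

def exposed_services(listeners):
    """Keep mail/proxy listeners that are not bound to loopback only."""
    return [(ip, port, WATCH_PORTS[port]) for ip, port in listeners
            if not ip.startswith("127.") and port in WATCH_PORTS]

if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:         # IPv4 sockets on Linux
            text = fh.read()
    except OSError:
        text = SAMPLE                             # fall back to the sample
    for ip, port, label in exposed_services(parse_listeners(text)):
        print(f"{ip}:{port} is listening ({label}) and reachable from other hosts")
```

A listener bound to 127.0.0.1 only serves the local machine; one bound to 0.0.0.0 or a LAN address is the kind to investigate. IPv6 sockets are listed separately in /proc/net/tcp6 and are not covered here.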