sm5w2
Premium
join:2004-10-13
St Thomas, ON

Spam email from Cogeco server

Anyone from cogeco read this forum? Might want to look into this:

==============
Return-Path: basement@cogeco.ca
Received: from wmipb01.cogeco.net ([216.221.81.100]) by my-SMTP-server.My-Domain.tld
with ESMTP id AAA202 for sales@My-Domain.tld; Tue, 14 May 2013 04:19:12 -0400
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: (long string of alpha-numeric garbage)
X-IronPort-AV: E=Sophos;i="4.87,667,1363147200"; d="pdf'?scan'208";a="18793861"
X-SBRS: None
Received: from unknown (HELO cgocable.ca) ([192.168.200.207]) by wmipb01.cogeco.net
with ESMTP; 14 May 2013 04:19:06 -0400
Received: from [192.168.201.168] (Forwarded-For: 41.151.52.29) by busywm01.int.cogeco.net
(mshttpd); Tue, 14 May 2013 10:19:06 +0200
From: "Climatic" basement@cogeco.ca
Reply-To: marinkattorneys@live.com
Message-ID: 74e0c9e910842.51920f9a@cgocable.ca
Date: Tue, 14 May 2013 10:19:06 +0200
X-Mailer: Oracle Communications Messenger Express 7u4-23.01(7.0.4.23.0)

--
Read the attached safe our planet

Some pdf file included as attachment, which is really just a form you fill out with various items of personal / identity information.

exseven
Premium,VIP
join:2003-05-23
L8E0G6
kudos:1
What was the TO: email domain?


sm5w2
Premium
join:2004-10-13
St Thomas, ON
> What was the TO: email domain?

There was no "To:" line in the header, but the first Received: line contains the recipient's account address (sales@my-domain.tld) where "my-domain.tld" is a munged form for my company's actual domain.

exseven
Premium,VIP
join:2003-05-23
L8E0G6
kudos:1
Can you PM me the domain?


sm5w2
Premium
join:2004-10-13
St Thomas, ON
> Can you PM me the domain?

Don't you know how to read the header of a spam e-mail?

All the information is there for you to see and know that a cogeco server was used to relay a piece of spam to an external domain.

It's standard practice in spam-decoding circles to mung any personally-identifiable information when posting email headers.

exseven
Premium,VIP
join:2003-05-23
L8E0G6
kudos:1
Fine, I'll pass it on. I was going to look at it ahead of the admins coming in, but I guess I won't.


sm5w2
Premium
join:2004-10-13
St Thomas, ON
I'll give you a lesson in how to read email headers: Look at the chain of Received lines (in reverse order).

First, we have a machine located at IP 41.151.52.29 that connects to an internal (non-routable) IP address 192.168.201.168 which might be busywm01.int.cogeco.net.

Now, that line might be forged, because the next received line is this:

Received: from unknown (HELO cgocable.ca) ([192.168.200.207]) by wmipb01.cogeco.net

So your actual (real) server - wmipb01.cogeco.net - picked up the spam from some unknown internal machine (192.168.200.207). If the first received line is real, then the Ironport spam-checking function happened between the two machines with internal (non-routable) IP addresses.

Lastly, my server picked up the spam from wmipb01.cogeco.net.

You need to look at this internal machine busywm01.int.cogeco.net (192.168.201.168) and see why it was allowed to relay mail from an external domain (41.151.52.29 = 8ta-151-52-29.telkomadsl.co.za).

Most likely a cogeco user's SMTP authentication credentials were hacked / stolen by malware, and the credentials were used to allow the machine in South Africa to relay mail through your server.

A simple rule to have busywm01.int.cogeco.net reject any contact with IP addresses outside of Canada would go a long way to prevent this sort of spam relay technique.
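The header walk described in the post above, as an added example that is not part of the original thread: it parses the Received: chain quoted earlier (the poster's munged values such as My-Domain.tld are kept as posted), walks it sender-side first, marks which hops sit on non-routable addresses, treats only the line stamped by the recipient's own MTA as verifiable, and picks the first routable client IP as the probable origin. The OUR_MTA constant is an assumption matching the munged hostname in the thread.

```python
import email
import ipaddress
import re

# Constructed sample: the Received chain quoted in the thread, with the
# poster's munged values (My-Domain.tld etc.) left exactly as posted.
RAW_HEADERS = """\
Received: from wmipb01.cogeco.net ([216.221.81.100]) by my-SMTP-server.My-Domain.tld
 with ESMTP id AAA202 for sales@My-Domain.tld; Tue, 14 May 2013 04:19:12 -0400
Received: from unknown (HELO cgocable.ca) ([192.168.200.207]) by wmipb01.cogeco.net
 with ESMTP; 14 May 2013 04:19:06 -0400
Received: from [192.168.201.168] (Forwarded-For: 41.151.52.29) by busywm01.int.cogeco.net
 (mshttpd); Tue, 14 May 2013 10:19:06 +0200
Reply-To: marinkattorneys@live.com
Message-ID: 74e0c9e910842.51920f9a@cgocable.ca

"""
OUR_MTA = "my-SMTP-server.My-Domain.tld"  # assumed: the only stamp we can vouch for

IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
FWD_RE = re.compile(r"Forwarded-For:\s*(\d{1,3}(?:\.\d{1,3}){3})")

def parse_hop(value):
    """Split one Received: value into its from-clause and the stamping host."""
    text = " ".join(value.split())            # unfold continuation lines
    from_part, _, rest = text.partition(" by ")
    fwd = FWD_RE.search(from_part)
    ips = IP_RE.findall(from_part)
    return {
        "from": from_part.split()[1].strip("[]") if from_part.startswith("from ") else None,
        "by": rest.split()[0] if rest else None,
        # a webmail (mshttpd) hop records the real browser client in Forwarded-For
        "client_ip": fwd.group(1) if fwd else (ips[0] if ips else None),
    }

def trace(raw):
    """Return hops earliest-first (sender side) through to our own MTA."""
    msg = email.message_from_string(raw)
    hops = [parse_hop(v) for v in reversed(msg.get_all("Received", []))]
    for h in hops:
        ip = h["client_ip"]
        h["private"] = bool(ip) and ipaddress.ip_address(ip).is_private
        h["trusted"] = h["by"] == OUR_MTA   # anything below our own stamp may be forged
    return hops

def likely_origin(hops):
    """First routable client IP walking from the sender side toward us."""
    return next((h["client_ip"] for h in hops if h["client_ip"] and not h["private"]), None)
```

Running `trace(RAW_HEADERS)` on the posted chain yields 41.151.52.29 as the probable origin, handed to busywm01.int.cogeco.net over webmail and relayed out through wmipb01.cogeco.net.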

exseven
Premium,VIP
join:2003-05-23
L8E0G6
kudos:1

1 recommendation

All I wanted to see with the domain is if it was for whatever reason hosted on the Cogeco servers. That is all.

I can actually see how the spam probably got sent through the system (hint: not SMTP), and I'm sure if you think hard about the wm acronym you can too.

Again, I'll bring it up with those that need to know, and I don't need your lessons on how headers are read.


sm5w2
Premium
join:2004-10-13
St Thomas, ON
My SMTP server is running on a Windows NT4 server located at our office. We are connected to the internet through Tek Savvy.

Yes, the spam was probably sent through web-mail, but again it must be using the login credentials of a Cogeco customer. You must disable that user's SMTP login credentials to stop the flow of this spam (which is probably still happening). If you don't stop it, your server will be listed in various DNSBLs (if it isn't already).

cog_biz_user
i ruin threads apparently

join:2011-04-19
Hamilton, ON
reply to exseven
I think the point he was trying to make was that Cogeco shouldn't be routing mail for anyone outside of Cogeco's IP space.


mememe

@cgocable.ca
reply to cog_biz_user

Re: Spam email from Cogeco server

exseven was pointing to the fact that the wm acronym should stand for webmail, so what would be the purpose of preventing out-of-network mails, since webmail is at the moment the way Cogeco allows customers from afar to send mail using their Cogeco mail accounts.

Stolen credentials are a reality and investigations prolly happen on a daily basis regarding this... Running an office server vs. running an ISP server is way different and mitigation techniques are different altogether... And I'm sure sm5w2 understands that.

MrPink

join:2003-08-15
Peterborough, ON

1 recommendation

said by mememe:

And I'm sure sm5w2 understands that.

I wouldn't be so sure about that...

said by sm5w2:

I'll give you a lesson in how to read email headers



DigitalXeron
There is a lack of sanity

join:2003-12-17
Hamilton, ON

1 recommendation

reply to sm5w2
said by sm5w2:

> Can you PM me the domain?

Don't you know how to read the header of a spam e-mail?

All the information is there for you to see and know that a cogeco server was used to relay a piece of spam to an external domain.

It's standard practice in spam-decoding circles to mung any personally-identifiable information when posting email headers.

With due respect, while this may be standard practice in "spam decoding" forums and groups, in network operations (including abuse reporting) it's quite different. With the Internet and operationally, for every source there's a destination and often logs track these source/destination sets. Further, the operator having this "personal information" can check their configuration to ensure that there isn't something domain specific on their end.

The usual reason "spam decoding" groups request to omit this information is because often times these groups are targeting investigating the "source" of the spam where the destination is irrelevant since they are not the originating mail operator and are in fact an unrelated third party. Cogeco in this case does not match that "third party" definition.

Whenever I file abuse reports, I often have in the preface of my message something to the tune of "One or more systems on your network has been cited issuing abusive, malicious or otherwise unwelcome traffic toward our system situated at {$IP} (host {$REVERSE_DNS})". If you feel uncomfortable reporting all information on a forum like this, consider contacting Cogeco's abuse department directly via an off-forum/out-of-the-public-eye method.
--
--Kradorex Xeron
[an error occurred while processing this signature]


sm5w2
Premium
join:2004-10-13
St Thomas, ON
> With due respect, while this may be standard practice in "spam
> decoding" forums and groups, in network operations (including
> abuse reporting) it's quite different. With the Internet and
> operationally, for every source there's a destination and often
> logs track these source/destination sets.

Get off your high horse.

I posted the message ID without munging.

If you can't track the spam/email being emitted by your servers when you're handed the MID on a silver platter, then you don't deserve to run a Nintendo console, let alone an enterprise-level mail system.


Cogeco_Aaron
Premium,VIP
join:2011-07-11
kudos:6

1 recommendation

reply to sm5w2
This has been passed along to network security and they'll investigate it.

Thanks for letting us know about it.