Topic: I'm being pharmed! (Page 1 of 1) Pages that link to <a href="https://ozoneasylum.com/backlink?for=27897" title="Pages that link to Topic: I&amp;#039;m being pharmed! (Page 1 of 1)" rel="nofollow" >Topic: I&#039;m being pharmed! <span class="small">(Page 1 of 1)</span>\

 
zavaboy
Bipolar (III) Inmate

From: f(x)
Insane since: Jun 2004

posted posted 05-06-2006 22:49

Today when I checked my email, I found 30+ bounced messages under a domain I manage. I remember reading and article about pharming, it explained that this is a good indication of pharming and it will get worse. I colloected as many IPs as I could, compiled a list of 26 IPs, did a whois on a few (one of them was from Korea).

What can I do about this?
Where do I go to prevent our domain from being blacklisted?

Skaarjj
Maniac (V) Mad Scientist

From: :morF
Insane since: May 2000

posted posted 05-07-2006 00:24

Well, your first piece of knowledge should be that the IPs you colleted will, most likely, not bethe IP addresses of your attacker/pharmer. With so many people around the world having unsecured proxy servers and not knowing it, such things are bound ot happen. Crackers compile lists of them, then route themselves through one, five, ten of these if they so choose, to obfusticate their trail. So their apparent originating IP addresses won't help you. As for where you'd go to prevent yourself being spam blacklisted... that I don't know. Perhaps Pugzly or one of the other webserver admins can help. I've got no experience in dealing with pharming. My suggestion, though, would be to warn your webhost (if you're not hosting yourself) and your domain name providor that it's happened, and provide them with copies of some of the bounced mails.

Also realise that the bounced mails may not in fact be genuine. They might not be evidence at all of pharming, but of spammers trying to be tricky. Did these bounced mails have attachments at all? They could also be evidence that spammers are appending your domain to their spam messages, so they get routed back to you. If the email headers contain IP addresses for the originator (which they sometimes do) does this IP match yours?


Justice 4 Pat Richard

(Edited by Skaarjj on 05-07-2006 08:28)

zavaboy
Bipolar (III) Inmate

From: f(x)
Insane since: Jun 2004

posted posted 05-07-2006 01:38
quote:

If the email headers contain IP addresses for the originator (which they sometimes do) does this IP match yours?


No.

Skaarjj
Maniac (V) Mad Scientist

From: :morF
Insane since: May 2000

posted posted 05-07-2006 08:28

And by originator I mean the headers that would be included as part of the message body of the bounced (or apparently bounced) message. I should have made that clearer earlier. Tell me more, thugh, about what you read of pharming, and what makes you think that these emails are evidence of it? Because fro mthe small amount you've said so far, it sounds to me like the kind of faked messages that spammers send to me on a regular basis.


Justice 4 Pat Richard

zavaboy
Bipolar (III) Inmate

From: f(x)
Insane since: Jun 2004

posted posted 05-07-2006 22:50

I was talking about the headers in the message body.

The headers included in the message body say it was from email addresses that don't exist (eg: JohnDoe@mydomain.com). I have catch all on so everything comes to a single account, I get 50+ spam messages through this account daily, I keep it for this reason (detecting pharming) and redirecting legit emails (sender typos).

Just Googling the word pharming will get you many sites that explain pharming.
google->pharming

Skaarjj
Maniac (V) Mad Scientist

From: :morF
Insane since: May 2000

posted posted 05-08-2006 08:32

I didn't ask for information on pharming, because I know about it already. I'm interested to know what you read that leads you to believe that this is evidence of pharming activity. Because, as I have already pointed out, there are several possible explainations for this type of activity, but you seem to be focussed down on one in particular. So I'd like to know why.


Justice 4 Pat Richard

zavaboy
Bipolar (III) Inmate

From: f(x)
Insane since: Jun 2004

posted posted 05-10-2006 03:02

I forgot where I saw that article, I thought I bookmarked it, but I didn't.

What are the other possible explainations?

Skaarjj
Maniac (V) Mad Scientist

From: :morF
Insane since: May 2000

posted posted 05-11-2006 00:46

That these bounced mails have been faked in some way, as a different kind of spam attack, directed at you, not at someone else. If they've been bounced back at you from another domain, and it's part of a DNS hijack, then it must have taken a long time, because you wouldn't have gotten thme unless the domain had been returned to your control first. It's not that difficult to craft a fake 'bounce' message. Or it's possible that instead of someone hijacking your domain, they have instead faked their originating domain, to make it look as if the email has come from your domain. They don't need to go through the fairly complicated procedure of taking your domain away from you to do that. It's a simple matter of altering part of the SMTP header.


Justice 4 Pat Richard

zavaboy
Bipolar (III) Inmate

From: f(x)
Insane since: Jun 2004

posted posted 05-11-2006 03:35
quote:
Or it's possible that instead of someone hijacking your domain, they have instead faked their originating domain, to make it look as if the email has come from your domain. They don't need to go through the fairly complicated procedure of taking your domain away from you to do that. It's a simple matter of altering part of the SMTP header.


I believe that is what's going on, but I'm not sure. I can forward you one (or more) of the bounced massages if you think it would help.



Post Reply
 
Your User Name:
Your Password:
Login Options:
 
Your Text:
Loading...
Options:


« BackwardsOnwards »

Show Forum Drop Down Menu