
This is a discussion on Spam relayed through Mercury? in the Shared & Semi-Dedicated forum

  1. #1
    JPC Member
    Join Date
    Oct 2002
    Posts
    18

    Question Spam relayed through Mercury?

    (Posting here because I can't get to the support page for some reason or another...)

    When tracing the path of this recently-received spam, I noticed that it appeared to have been relayed through 66.227.76.132, which is the IP address of my Mercury-hosted website. I didn't see any weird spike in bandwidth usage, but I'm still concerned because none of the other mail (even spam) sent to my email address is routed in such a manner. Is some sleazeball abusing Mercury as an open relay?

    Here are the relevant headers. If anyone really wants to see it, I can post the full set.

    ------
    Received: from [210.82.175.140] (helo=66.227.76.132) by mercury.nocdirect.com with smtp (Exim 4.20) id 19tBOg-0008OT-NF for rydain@rydain.org; Sat, 30 Aug 2003 14:28:32 -0500
    Received: from s6.hyl2ae.com [130.115.63.200] by 66.227.76.132 SMTP id 266r1hF5PAHCln; Sun, 31 Aug 2003 00:18:49 +0400
    ------

  2. #2
    JPC Guru Zhen-Xjell
    Join Date
    Jan 2002
    Posts
    432
    That may not be a good thing, and hopefully it doesn't get sent to SPEWS if it's true.
    Microsoft MVP Windows-Security 2005
    CastleCops | Cuddles 'n Kisses | Just a little poke | Zhen-Xjell

  3. #3
    Community Leader jason
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    6,003
    Without seeing the full headers, it's hard to say what's going on for sure, but it looks like the Mercury reference may be the final point of contact. Is your site on Mercury? If so, then the spam has to go there in order to get to you.

    --Jason
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com

  4. #4
    Just Walking...
    Join Date
    Oct 2002
    Location
    England
    Posts
    436
    Through a recent exchange with support I learnt that they've turned off SMTP authentication on at least one server. Best I could understand (they were vague), it was due to a CP bug that had caused it to stop working correctly. I'm fairly surprised by this, because it allows anyone to send mail, spam or otherwise, through the servers without having an account.

  5. #5
    JPC Member
    Join Date
    Oct 2002
    Posts
    18
    jason: As I mentioned in my original post, this sort of routing doesn't show up in the headers of any other email I receive, which is why I'm concerned.

    G.Bloke: That scares me. I just mentioned it in my reply to the support ticket regarding this issue.

    In general: I got another spam with my IP address in it. Here are its full headers:

    ----------
    From: - Mon Sep 8 14:55:00 2003
    X-UIDL: 9021f107a98f508189315a4f5ca111f2
    X-Mozilla-Status: 0001
    X-Mozilla-Status2: 00000000
    Return-path: <8hfuvxuyk@hotmail.com>
    Envelope-to: rydain@rydain.org
    Delivery-date: Mon, 08 Sep 2003 13:53:37 -0500
    Received: from [61.232.226.25] (helo=66.227.76.132) by mercury.nocdirect.com with smtp (Exim 4.20) id 19wR8q-0005GO-9W for rydain@rydain.org; Mon, 08 Sep 2003 13:53:36 -0500
    Received: from [194.215.248.81] by 66.227.76.132 id 1vQAbQN877pu; Tue, 09 Sep 2003 03:50:03 -0700
    Message-ID: <32u8$8u$510-z-d-28u-w78fhc@skfio.q7.1r.rq>
    From: Ruby Gary <8hfuvxuyk@hotmail.com>
    Reply-To: Ruby Gary <8hfuvxuyk@hotmail.com>
    To: <rydain@rydain.org>
    Subject: Newest Medical Center Online is Now Open qmjsm cxfu d
    Date: Tue, 09 Sep 03 03:50:03 GMT
    X-Mailer: Microsoft Outlook Express 5.00.2919.6700
    MIME-Version: 1.0
    Content-Type: multipart/alternative; boundary="04FE.DBEBDC5_"
    X-Priority: 3
    X-MSMail-Priority: Normal

  6. #6
    JPC Member
    Join Date
    Jan 2002
    Posts
    37
    Is Mercury down for anyone else? My site is down as far as I can see, and I can't get e-mail or log in to the control panel.

    Just curious.


    ...AND I guess I was just kidding...it's back up. Sorry for the false alarm...

  7. #7
    Community Leader jason
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    6,003
    It looks like you are dealing with someone using forged headers. I did a lookup on the IP addresses listed in the "Received" headers, and this is what I found:

    194.215.248.81 - RIPE
    66.227.76.132 - JPC
    61.232.226.25 - APNIC

    RIPE is the body in charge of allocating Internet resources to much of Europe, the Middle East, Asia, and Africa.

    APNIC allocates Internet resources to the Asia-Pacific region.

    I doubt either of these bodies would knowingly be sending you spam...

    One thing that I found particularly interesting is this line:
    Received: from [61.232.226.25] (helo=66.227.76.132) by mercury.nocdirect.com...

    The portion that says helo= is what the server identified itself as. Basically, in the SMTP protocol, a server (or client) identifies itself to a server by saying "Hello, I'm 123.45.67.89." (If you read the comments in the SMTP transmission, the receiving server usually says "Nice to meet you, 123.45.67.89," too.) Anyway, the server doesn't have to identify itself correctly, and in this case, the Mercury SMTP server figured out that it was connected to the IP address in the [] (the one registered to APNIC).

    Exactly what's going on here I don't know. It could be forged headers of some sort, or a compromised box at one or both of the two organizations, or something totally different.

    --Jason
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com
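As an added illustration of the point Jason makes about Received: headers (example code, not from the thread or from JaguarPC): a small Python check that parses Exim-style Received: lines like the ones quoted above and separates what our own server recorded (the bracketed peer IP) from what the sender merely claimed (the helo= name, and any Received: line written before the mail reached us). The host names and sample headers come from this thread; the status labels are my own.

```python
import re

# Identities of the receiving server named in this thread.
OUR_HOSTS = {"mercury.nocdirect.com", "66.227.76.132"}

# Constructed sample: the two Received: lines quoted in the thread, newest hop first.
SAMPLE_RECEIVED = [
    "Received: from [61.232.226.25] (helo=66.227.76.132) by mercury.nocdirect.com "
    "with smtp (Exim 4.20) id 19wR8q-0005GO-9W for rydain@rydain.org; "
    "Mon, 08 Sep 2003 13:53:36 -0500",
    "Received: from [194.215.248.81] by 66.227.76.132 id 1vQAbQN877pu; "
    "Tue, 09 Sep 2003 03:50:03 -0700",
]

# Exim format: "from [peer-ip] (helo=claimed-name) by our-host". The bracketed
# address is the TCP peer the server saw; helo= is only what the peer claimed.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?:[^\s\[(]+\s*)?(?:\[(?P<ip>[^\]]+)\])?"
    r"(?:\s*\(helo=(?P<helo>[^)\s]+)\))?.*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE,
)

def parse_received(line):
    m = RECEIVED_RE.match(line)
    if not m:
        return None
    return {"peer_ip": m.group("ip"), "helo": m.group("helo"), "by": m.group("by")}

def audit_hops(received, our_hosts=OUR_HOSTS):
    """Classify each hop. Only lines stamped by our own server are trustworthy;
    everything below the first such line arrived inside the message and is the
    sender's unverified claim (the "by 66.227.76.132" line in this thread)."""
    findings = []
    past_our_stamp = False
    for line in received:
        hop = parse_received(line)
        if hop is None:
            findings.append({"status": "UNPARSABLE", "raw": line})
            continue
        stamped_by_us = hop["by"] in our_hosts
        if past_our_stamp:
            # Written before the mail reached us: the sender controls this text.
            hop["status"] = "SENDER_CLAIMS_OUR_SERVER" if stamped_by_us else "SENDER_SUPPLIED"
        elif stamped_by_us and hop["helo"] in our_hosts and hop["peer_ip"] not in our_hosts:
            # Our server saw peer_ip connect, yet the peer announced itself with our address.
            hop["status"] = "HELO_FORGED"
        elif stamped_by_us:
            hop["status"] = "RECORDED_BY_US"
        else:
            hop["status"] = "UPSTREAM"  # a hop above us, e.g. a forwarder or secondary MX
        past_our_stamp = past_our_stamp or stamped_by_us
        findings.append(hop)
    return findings
```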

  8. #8
    JPC Member
    Join Date
    Oct 2002
    Posts
    18
    D'oh! I got the helo and the bracketed IP addy mixed up. Thanks for the correction. *breathes a sigh of relief*
