[BlueOnyx:14259] Re: Stopping User at localhost.localdomain Spam
bob richards
bob at blacklab.com
Mon Jan 13 00:28:22 -05 2014
another thing that I have seen is that it's coming from a script on the
server.
I'm not sure how it got there but there was a php program that was
forwarding mail from remote places through my local mail server. It took me
a while to figure that one out.
Once I deleted the program and changed all the users passwords on the
infected site everything was fine.
On Sun, Jan 12, 2014 at 11:16 PM, David Hahn <blueonyx at sb9.com> wrote:
> That is not a actual User on the system except as admin file owner right?
> and it appears to be coming from outside the server...
> I have no accounts with 'User' as the user name.
> I don't believe I have a open relay. They use different IP's so blocking
> is not really a option sine they use it once then use another..
> Using localhost.localdomain as a forged header i assume to fool
> spamassassin..
>
> Below is header from me to a test account on the same server.
>
> Received: from [192.168.0.11] (cpe-666-688-111-203.austin.res.com[666.688.111.203])
> (authenticated bits=0) by fs.mailserver.com (8.13.8/8.13.8) with ESMTP id
> s0D56s3B013948 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256
> verify=NO) for <x at xxx.com> <x at xxx.com>; Sun, 12 Jan 2014 23:06:56 -0600
> Message-ID: <52D37472.5000709 at xxx.com> <52D37472.5000709 at xxx.com>
> i've never seen localhost.localdomain using local mail...
>
> Thanks to all.. i'll look further..
>
>
>
> On 1/12/2014 12:38 PM, Chuck Tetlow wrote:
>
> It appears that someone has a valid username/password on your server, and
> is using the SMTP-Auth to relay e-mail.
>
> So, first and easiest thing to do to stop it is firewall out that
> address. At the command line, enter:
> iptables -I acctin 1 -s 200.111.101.0/24 -j DROP
> That will stop the scumbag from relaying any e-mail through you, even if
> he changes his IP to another in his network.
>
> Then you've got to figure out which account on your server is being used.
> That's a little harder - and takes time sorting through the logs to find.
> Although sometimes you can spot it by going through the management GUI and
> looking at USAGE reports on which domain/user is sending the most
> e-mail/using the network the heaviest.
>
> Once you've figured out which account is being used, simply change the
> password. That should stop it. Worse case, delete that account. I had
> one just like it two weeks ago, and even suspending the account didn't
> prevent him from relaying through the server. So I just deleted the
> account which put a end to it.
>
>
>
> Chuck
>
>
> *---------- Original Message -----------*
> From: David Hahn <blueonyx at sb9.com> <blueonyx at sb9.com>
> To: BlueOnyx General Mailing List <blueonyx at mail.blueonyx.it><blueonyx at mail.blueonyx.it>
> Sent: Sun, 12 Jan 2014 11:51:22 -0600
> Subject: [BlueOnyx:14253] Stopping User at localhost.localdomain Spam
>
> > I Hi all hope all is well,
> > I can't seem to stop some spam. I have the from address (*@icicibank.com)
>
> > Blacklisted in the GUI but it always gets through.
> >
> > Here are the headers:
> >
> > Return-Path: <customer.care at icicibank.com> <customer.care at icicibank.com>
> > Received: from localhost.localdomain ([200.111.101.6])
> > by fs.xxx.com (8.13.8/8.13.8) with ESMTP id s0CFCENu001942
> > (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
> > for <x at xxx.com> <x at xxx.com>; Sun, 12 Jan 2014 09:12:16 -0600
> > Received: from User (localhost.localdomain [127.0.0.1])
> > by localhost.localdomain (8.13.8/8.13.8) with SMTP id
> s07GUSDv031525;
> > Tue, 7 Jan 2014 13:30:30 -0300
> > Message-Id: <201401071630.s07GUSDv031525 at localhost.localdomain><201401071630.s07GUSDv031525 at localhost.localdomain>
> > From: "ICICI Bank"<customer.care at icicibank.com><customer.care at icicibank.com>
> > Subject: ICICI ALERT: Important Security Message
> >
> > Logs:
> > Jan 12 09:12:15 fs sendmail[1942]: STARTTLS=server,
> relay=[200.111.101.6], version=TLSv1/SSLv3, verify=NO,
> cipher=DHE-RSA-AES256-SHA, bits=256/256
> > Jan 12 09:12:16 fs milter-greylist: s0CFCENu001942: addr 200.111.101.6
> from <customer.care at icicibank.com> <customer.care at icicibank.com> rcpt
> <xt at xxx.com> <xt at xxx.com>: autowhitelisted for 72:00:00
> > Jan 12 09:12:19 fs sendmail[1942]: s0CFCENu001942: from=
> <customer.care at icicibank.com> <customer.care at icicibank.com>,
> size=1195619, class=0, nrcpts=1, msgid=
> <201401071630.s07GUSDv031525 at localhost.localdomain><201401071630.s07GUSDv031525 at localhost.localdomain>,
> proto=ESMTP, daemon=MTA, relay=[200.111.101.6]
> > Jan 12 09:12:19 fs sendmail[1956]: s0CFCENu001942: to=<x at xxx.com><x at xxx.com>,
> delay=00:00:03, xdelay=00:00:00, mailer=local, pri=1226110, dsn=2.0.0,
> stat=Sent
> >
> > It looks like the 'Received: from User (localhost.localdomain
> [127.0.0.1])' might be the reason it bypasses the spam a/v and
> spamassassin.
> >
> > Any suggestions would be helpful.
> >
> > --
> > Thank you
> > David Hahn
> > ----
> > Hey Super Users! - su
> > Get E Mail Alerts when sites or services are up or down.
> > Remotely Monitor Website and/or Service Absolutely Free in seconds.
> > http://mon.pagekeeperservice.com
> >
> > _______________________________________________
> > Blueonyx mailing list
> > Blueonyx at mail.blueonyx.it
> > http://mail.blueonyx.it/mailman/listinfo/blueonyx
> *------- End of Original Message -------*
>
>
> --
> Thank you
> David Hahn
> ----
> Hey Super Users! - su
> Get E Mail Alerts when sites or services are up or down.
> Remotely Monitor Website and/or Service Absolutely Free in seconds.http://mon.pagekeeperservice.com
>
>
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.blueonyx.it/pipermail/blueonyx/attachments/20140112/bf9fd5e6/attachment.html>
More information about the Blueonyx
mailing list