  1. #1

    How to catch this spammer: Somebody help me

    None of the domains in this email is hosted with us, but there are thousands of emails a day that somebody blasts into our queue. We have failed to detect it. We have enabled phpnobody spam logging but have failed to track down this user.

    Please help us and guide us on how to catch this spammer. There are no clues to catch him. I need experts' help; please advise.




    [root@sm4 ~]# /root/qmHandle -m3261696

    --------------
    MESSAGE NUMBER 3261696
    --------------
    Received: (qmail 7056 invoked from network); 16 May 2007 05:34:18 -0500
    Received: from axicom.net (HELO User) (67.112.176.250)
    by 14.32.5446.static.theplanet.com with SMTP; 16 May 2007 05:34:18 -0500
    Reply-To: <notice@boamilitary.com>
    From: "Bank of America Military Bank"<notice@boamilitary.com>
    Subject: Notification from Bank of America Military Bank
    Date: Wed, 16 May 2007 04:44:51 -0700
    MIME-Version: 1.0
    Content-Type: text/html;
    charset="Windows-1251"
    Content-Transfer-Encoding: 7bit
    X-Priority: 1
    X-MSMail-Priority: High
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

    <title>Military Bank Online and Bill Payer Deactivation</title>
    <FONT face=Arial size=2> </FONT>
    <DIV>
    <p><font face="Arial" size="2" color="#FFFFFF"> ...<img border="0" src="http://power-web43.net/images/boa.bmp"></font></p>
    <p><font face="Arial" size="2">&nbsp;&nbsp; Dear
    Member,</font></p>
    <DIV><font face="Arial" size="2">&nbsp;&nbsp; This is your official notification
    from Bank of America Military Bank that the service(s) listed below<BR>
    &nbsp;&nbsp; will be deactivated and deleted if not renewed immediately. Previous
    notifications have<BR>
    &nbsp;&nbsp; been sent to the Billing Contact assigned to this account. As
    the Primary Contact, you<BR>
    &nbsp;&nbsp; must renew the service(s) listed below or it will be deactivated
    and deleted. <BR>
    <BR>
    <BR>
    &nbsp;&nbsp; <b> <a target="_blank" href="http://moremail.epicalliance.com/america.php"><FONT color=#003399>Renew
    Now</FONT></a>&nbsp;</b>your <b>Military Bank Online </b>and<b> Bill Payer </b>
    services.</font></DIV>
    <DIV><font face="Arial" size="2">&nbsp;</font></DIV>
    <DIV><font face="Arial" size="2"><BR>
    &nbsp;&nbsp; SERVICE: <b>Military Bank Online </b>and<b> Bill Payer</b>.<BR>
    &nbsp;&nbsp; EXPIRATION: <b>May,&nbsp;18 2007</b></font></DIV>
    <DIV><font face="Arial" size="2">&nbsp;</font></DIV>
    <DIV><font face="Arial" size="2"><BR>
    &nbsp;&nbsp; Thank you for using Military Bank Online.
    <br> &nbsp;&nbsp; We appreciate your business and the opportunity to serve you.</font></DIV>
    <DIV><font face="Arial" size="2">&nbsp;</font></DIV>
    <DIV><font face="Arial" size="2">&nbsp;&nbsp;&nbsp;Bank of America Military Bank
    Member Service</font></DIV>
    <DIV><font face="Arial" size="2">&nbsp;</font></DIV>
    <DIV><font face="Arial" size="2"><BR>
    &nbsp;&nbsp; *****************************************************************************<BR>
    &nbsp;&nbsp; IMPORTANT MEMBER SERVICE INFORMATION<BR>
    &nbsp;&nbsp; *****************************************************************************</font></DIV>
    <DIV><font face="Arial" size="2">&nbsp;</font></DIV>
    <DIV><font face="Arial" size="2">&nbsp;&nbsp; Please do not reply to this message.
    For any inquiries, contact Member Service.</font></DIV>
    <DIV><font face="Arial" size="2">&nbsp;</font></DIV>
    <DIV><font face="Arial" size="2">&nbsp;&nbsp; <BR>
    &nbsp;&nbsp; Copyright © 2007 &nbsp;Bank of America Corporation. All rights reserved.</font></DIV>
    </DIV>


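    An added example, not part of the original post: a small POSIX sh script that does the first triage pass on a message like the one above, as pulled out of the queue with qmHandle -m. It reads the message on stdin and reports the injecting IP and HELO string from the qmail-smtpd Received line, whether the session carried an SMTP AUTH login, the From/Reply-To domains checked against the per-domain directories under /var/qmail/mailnames (the path post #9 uses), and the URLs in the body. The SAMPLE is a trimmed copy of the message quoted in this post. The "(login@ip)" shape for authenticated sessions is my assumption about the auth-patched qmail-smtpd Plesk ships, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread: first-pass triage of a message pulled out
# of the qmail queue with "qmHandle -m<id>". Functions read the message on stdin.
# SAMPLE is a trimmed copy of the message quoted in post #1.

SAMPLE='Received: (qmail 7056 invoked from network); 16 May 2007 05:34:18 -0500
Received: from axicom.net (HELO User) (67.112.176.250)
  by 14.32.5446.static.theplanet.com with SMTP; 16 May 2007 05:34:18 -0500
Reply-To: <notice@boamilitary.com>
From: "Bank of America Military Bank"<notice@boamilitary.com>
Subject: Notification from Bank of America Military Bank
X-Mailer: Microsoft Outlook Express 6.00.2600.0000

<p><img border="0" src="http://power-web43.net/images/boa.bmp"></p>
<a target="_blank" href="http://moremail.epicalliance.com/america.php">Renew Now</a>'

# The first "Received: from" line is the one this server's own qmail-smtpd wrote.
# Its last parenthesised token is the peer IP, "(1.2.3.4)", or "(login@1.2.3.4)"
# when the session used SMTP AUTH (assumed format of the auth-patched qmail-smtpd).
smtpd_received() { sed -n '/^Received: from /{p;q;}'; }

injecting_ip() { smtpd_received | sed -n 's/.*(\([^()]*\))$/\1/p' | sed 's/.*@//'; }
helo_name()    { smtpd_received | sed -n 's/.*(HELO \([^)]*\)).*/\1/p'; }
auth_login()   { smtpd_received | sed -n 's/.*(\([^()]*@[^()]*\))$/\1/p' | sed 's/@[^@]*$//'; }

# A HELO without a dot ("User", "localhost", a bare hostname) is not a FQDN and is
# typical of mass-mailer software talking straight to port 25, not of a real MTA.
helo_looks_bogus() {
  case "$(helo_name)" in *.*) return 1 ;; *) return 0 ;; esac
}

# Domains named in From:/Reply-To:, to compare with what this server hosts.
sender_domains() {
  sed -n -e 's/^From:.*@\([^>[:space:]]*\).*/\1/p' \
         -e 's/^Reply-To:.*@\([^>[:space:]]*\).*/\1/p' | sort -u
}

# Plesk keeps one directory per hosted mail domain under /var/qmail/mailnames;
# a sender domain with no directory there is not ours.
hosted_domain() { [ -d "${2:-/var/qmail/mailnames}/$1" ]; }

# Every http(s) URL in the body: the phishing landing page and the image host.
body_urls() { grep -o 'https*://[^"<> ]*' | sort -u; }

triage() {
  msg=$(cat)
  ip=$(printf '%s\n' "$msg" | injecting_ip)
  helo=$(printf '%s\n' "$msg" | helo_name)
  login=$(printf '%s\n' "$msg" | auth_login)
  printf 'injected from : %s\n' "$ip"
  printf 'HELO          : %s\n' "$helo"
  printf 'SMTP AUTH user: %s\n' "${login:-(none: relayed or injected without auth)}"
  for d in $(printf '%s\n' "$msg" | sender_domains); do
    if hosted_domain "$d"; then s=hosted; else s="not hosted here"; fi
    printf 'sender domain : %s (%s)\n' "$d" "$s"
  done
  printf '%s\n' "$msg" | body_urls | sed 's/^/URL           : /'
}

printf '%s\n' "$SAMPLE" | triage
```

    On the box itself this is `/root/qmHandle -m3261696 | triage`. For this message it reports 67.112.176.250, a HELO of "User" (not a FQDN), no AUTH login in the Received line, and a sender domain that is not under /var/qmail/mailnames: that combination says to go looking in the log for that IP and for relaying, rather than straight for a compromised mailbox.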

  2. #2
    It could easily be an open relay problem; make sure you have to log in to your SMTP service before sending emails is allowed.
    Do not meddle in the affairs of Dragons, for you are crunchy and taste good.

  3. #3
    SMTP authentication is already enabled. Please advise.

  4. #4
    phpnobody won't help in this case as the email is sent from Outlook Express.
    I'm not familiar with qmail, but did you search for 67.112.176.250 in your mail logs?
    Marie - Co-Owner
    Need Further Assistance ? Here you go !
    English, french and spanish support

  5. #5
    My guess is that someone is using your SMTP service to mail out. It's getting more and more common to see brute-force SMTP auth using weak passwords. Is this a Plesk server?
    I <3 Linux Clusters
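    An added example, not from the thread, for the log search post #4 suggests and the brute-forced-AUTH theory post #5 raises: a few sh functions that read a qmail/Plesk maillog on stdin and pull out failed AUTH attempts per client IP, logins that succeeded from an IP that had just been failing (the fingerprint of a guessed password), and the queue entry behind a message id. LOG is constructed sample data; the line shapes approximate the "smtp_auth:" lines and the qmail-send "info msg" lines a Plesk qmail of that era wrote, which is an assumption to check against your own log before trusting the awk patterns. In my experience Plesk writes this log to /usr/local/psa/var/log/maillog rather than /var/log/mail, which may be why post #6 finds the latter empty.

```shell
#!/bin/sh
# Added example, not from the thread: sift a qmail/Plesk maillog for one IP
# hammering SMTP AUTH, a login that succeeded right after a run of failures,
# and the queue entry behind a message id. Functions read log lines on stdin.
# LOG is constructed sample data whose line shapes approximate Plesk's
# "smtp_auth:" and qmail-send "info msg" lines (an assumption: compare with
# your own maillog before relying on the patterns).

LOG='May 16 05:30:01 sm4 smtp_auth: FAILED: john@example.net - password incorrect from (null)@ [67.112.176.250]
May 16 05:30:02 sm4 smtp_auth: FAILED: john@example.net - password incorrect from (null)@ [67.112.176.250]
May 16 05:30:03 sm4 smtp_auth: FAILED: john@example.net - password incorrect from (null)@ [67.112.176.250]
May 16 05:30:04 sm4 smtp_auth: FAILED: john@example.net - password incorrect from (null)@ [67.112.176.250]
May 16 05:30:05 sm4 smtp_auth: FAILED: john@example.net - password incorrect from (null)@ [67.112.176.250]
May 16 05:30:06 sm4 smtp_auth: SMTP user john@example.net : /var/qmail/mailnames/example.net/john from [67.112.176.250]
May 16 05:31:10 sm4 smtp_auth: FAILED: alice@example.org - password incorrect from (null)@ [198.51.100.7]
May 16 05:33:40 sm4 smtp_auth: SMTP user alice@example.org : /var/qmail/mailnames/example.org/alice from [203.0.113.9]
May 16 05:34:18 sm4 qmail: 1179311658.301 new msg 3261696
May 16 05:34:18 sm4 qmail: 1179311658.302 info msg 3261696: bytes 2843 from <notice@boamilitary.com> qp 7056 uid 2020'

# Failed AUTH attempts per client IP, busiest first ("count ip").
auth_failures_by_ip() {
  awk '/smtp_auth: FAILED:/ { ip = $NF; gsub(/[^0-9.]/, "", ip); n[ip]++ }
       END { for (ip in n) printf "%d %s\n", n[ip], ip }' | sort -rn
}

# IPs with at least $1 failures: the brute-force candidates to block and to
# search the queue for.
bruteforce_suspects() { auth_failures_by_ip | awk -v t="$1" '$1 >= t { print $2 }'; }

# A successful login from an IP that had already failed against this server is
# how a guessed password looks in the log: prints "user ip failures-before-success".
guessed_logins() {
  awk '/smtp_auth: FAILED:/   { ip = $NF; gsub(/[^0-9.]/, "", ip); fail[ip]++ }
       /smtp_auth: SMTP user/ { ip = $NF; gsub(/[^0-9.]/, "", ip)
                                if (fail[ip] > 0) printf "%s %s %d\n", $8, ip, fail[ip] }'
}

# Envelope sender and qmail-queue pid recorded for a queue message id. The pid
# is the number in the message's own "Received: (qmail NNN invoked from network)"
# header, which ties the qmHandle -m output back to this log line.
queue_msg_sender() {
  awk -v id="$1" '$0 ~ ("info msg " id ":") { sub(/.*from </, ""); sub(/>.*/, ""); print }'
}
queue_msg_qp() {
  awk -v id="$1" '$0 ~ ("info msg " id ":") { sub(/.*qp /, ""); print $1 }'
}

# Every line mentioning a client IP: the plain search post #4 asks for.
lines_from_ip() { grep -F "[$1]"; }

printf '%s\n' "$LOG" | auth_failures_by_ip
printf '%s\n' "$LOG" | bruteforce_suspects 3
printf '%s\n' "$LOG" | guessed_logins
printf '%s\n' "$LOG" | queue_msg_sender 3261696
```

    Against the real file it is `bruteforce_suspects 20 < /usr/local/psa/var/log/maillog` and `guessed_logins < /usr/local/psa/var/log/maillog`; any mailbox the second one names needs its password changed before anything else, because blocking the IP alone just moves the sender to the next proxy.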

  6. #6
    Could you please advise the location of the mail logs?

    The mail logs in /var/log/mail and mail.1.2.3.4... are empty.

    Please advise.

  7. #7
    Yes, it's a Plesk server.

  8. #8
    Do you have the settings below checked in SERVER>>MAIL?


    Relaying

    authorization is required: "Checked"

    SMTP "Checked"


    Abee


  9. #9
    You might try this one-liner. It will identify all the messages in your mail queue as coming from either valid or invalid users on the system. If they are valid, then it will reveal the weak passwords. I would then suggest those users change their passwords.

    for faddr in $(qmHandle -R | grep "From:" | sed -e "s/^.*<//g" -e "s/>.*$//g" -e "s/From://g"); do
        domain=$(echo "$faddr" | sed -e "s/^.*@//g")
        user=$(echo "$faddr" | sed -e "s/@.*$//g")
        echo -n "$user@$domain - "
        if [ -d "/var/qmail/mailnames/$domain" ]; then
            if [ -d "/var/qmail/mailnames/$domain/$user" ]; then
                # real mailbox on this server: pull its password out of the psa database
                echo -n "VALID USER - "
                mysql -uadmin -p`cat /etc/psa/.psa.shadow` psa -e "select password from domains left join mail on domains.id=mail.dom_id left join accounts on mail.account_id = accounts.id where postbox=\"true\" and mail_name=\"$user\" and domains.name=\"$domain\"\G" | grep "password:" | cut -f2 -d" "
            else
                echo "NOT VALID"
            fi
        else
            # domain is not hosted here, so there is no mailbox to check
            echo "DOMAIN NOT HOSTED"
        fi
    done

    Another possible source of spam is the "backscatter" method. For the gory details, refer to http://spamlinks.net/prevent-secure-backscatter.htm. In short, this method only works if your server sends "bounce" messages in response to an inbound message addressed to a nonexistent user in a valid domain. To prevent this, you can go to Server > Mail > Preferences in Plesk and select "Reject" or "Forward to address" instead of "Bounce with message".

    To check this, open the mysql client:

    mysql -u admin -p`cat /etc/psa/.psa.shadow`

    select name from domains left join Parameters on domains.id=Parameters.id where value like "%bounce%";

    This might show the domains.

    Hope this helps!

  10. #10
    In case it isn't using an originator that is valid, here is a way to show all passwords.

    mysql -uadmin -p`cat /etc/psa/.psa.shadow` psa -e 'select concat(mail_name,"@", domains.name) as "e-mail", password from domains left join mail on domains.id=mail.dom_id left join accounts on mail.account_id = accounts.id where postbox="true";'
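    An added example, not from the thread: rather than reading the dump that the query above prints by eye (Plesk of that era stored mailbox passwords in clear text, which is why the query can print them at all), pipe it through a weak-password check. The functions read on stdin exactly what `mysql -e` emits, a header row and then tab-separated "e-mail<TAB>password" rows, and print one line per weak account with the reason but never the password itself, so the output can go straight into a ticket. DUMP is constructed sample data with made-up accounts, and the rules (under 8 characters, mailbox or domain name inside the password, a short common-password list, digits only) are my own choice of thresholds.

```shell
#!/bin/sh
# Added example, not from the thread: flag weak mailbox passwords in the
# "e-mail<TAB>password" dump that the mysql query in post #10 prints.
# Functions read the dump on stdin. DUMP is constructed sample data.

DUMP=$(printf '%s\t%s\n' \
  'e-mail'            'password' \
  'john@example.net'  'johnjohn' \
  'alice@example.org' 'C0rr3ct-Horse-Battery' \
  'bob@example.org'   '123456' \
  'carol@example.net' 'example1' \
  'dave@example.net'  'Xk9!pq2Lm' \
  'eve@example.org'   'Password1' \
  'frank@example.net' '20070516')

# A short list of the passwords every SMTP AUTH brute-forcer tries first.
COMMON='password password1 123456 12345678 qwerty abc123 letmein welcome iloveyou changeme'

# Print "e-mail reason" for every weak row. The password is never echoed.
weak_passwords() {
  awk -F'\t' -v common="$COMMON" '
    BEGIN { n = split(common, c, " "); for (i = 1; i <= n; i++) bad[c[i]] = 1 }
    NR == 1 && $1 == "e-mail" { next }                 # header row from mysql -e
    NF < 2 { next }
    {
      email = $1; pw = $2; lpw = tolower(pw)
      split(email, p, "@"); box = tolower(p[1]); dom = tolower(p[2])
      sub(/\..*$/, "", dom)                             # example.org -> example
      reason = ""
      if (length(pw) < 8)                               reason = "shorter than 8 characters"
      else if (length(box) >= 4 && index(lpw, box))     reason = "contains the mailbox name"
      else if (length(dom) >= 4 && index(lpw, dom))     reason = "contains the domain name"
      else if (lpw in bad)                              reason = "common password"
      else if (pw ~ /^[0-9]+$/)                         reason = "digits only"
      if (reason != "") printf "%s %s\n", email, reason
    }'
}

# Just the addresses, for feeding into a forced password reset.
weak_accounts() { weak_passwords | awk '{ print $1 }'; }

printf '%s\n' "$DUMP" | weak_passwords
```

    On the server: `mysql -uadmin -p\`cat /etc/psa/.psa.shadow\` psa -e '<the query above>' | weak_accounts`. Any address it prints that also shows up as a sender in the queue is the account to reset first.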

  11. #11
    Yes, SMTP authorization is checked. Please advise further.


    Quote Originally Posted by Abee:
    Do you have the settings below checked in SERVER>>MAIL?


    Relaying

    authorization is required: "Checked"

    SMTP "Checked"


