-
05-16-2007, 11:37 AM #1 Disabled
- Join Date
- Jan 2007
- Posts
- 78
How to catch this spammer: Some body help me
None of the domains in this email is hosted with us, but there are thousands of emails a day that somebody blasts into our queue. We have failed to detect it. We have enabled phpnobody spam logging but failed to track this user.
Please help us and guide us on how to catch this spammer. There are no clues to catch him. I need experts' help, please advise.
[root@sm4 ~]# /root/qmHandle -m3261696
--------------
MESSAGE NUMBER 3261696
--------------
Received: (qmail 7056 invoked from network); 16 May 2007 05:34:18 -0500
Received: from axicom.net (HELO User) (67.112.176.250)
by 14.32.5446.static.theplanet.com with SMTP; 16 May 2007 05:34:18 -0500
Reply-To: <notice@boamilitary.com>
From: "Bank of America Military Bank"<notice@boamilitary.com>
Subject: Notification from Bank of America Military Bank
Date: Wed, 16 May 2007 04:44:51 -0700
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
<title>Military Bank Online and Bill Payer Deactivation</title>
<FONT face=Arial size=2> </FONT>
<DIV>
<p><font face="Arial" size="2" color="#FFFFFF"> ...<img border="0" src="http://power-web43.net/images/boa.bmp"></font></p>
<p><font face="Arial" size="2"> Dear
Member,</font></p>
<DIV><font face="Arial" size="2"> This is your official notification
from Bank of America Military Bank that the service(s) listed below<BR>
will be deactivated and deleted if not renewed immediately. Previous
notifications have<BR>
been sent to the Billing Contact assigned to this account. As
the Primary Contact, you<BR>
must renew the service(s) listed below or it will be deactivated
and deleted. <BR>
<BR>
<BR>
<b> <a target="_blank" href="http://moremail.epicalliance.com/america.php"><FONT color=#003399>Renew
Now</FONT></a> </b>your <b>Military Bank Online </b>and<b> Bill Payer </b>
services.</font></DIV>
<DIV><font face="Arial" size="2"> </font></DIV>
<DIV><font face="Arial" size="2"><BR>
SERVICE: <b>Military Bank Online </b>and<b> Bill Payer</b>.<BR>
EXPIRATION: <b>May, 18 2007</b></font></DIV>
<DIV><font face="Arial" size="2"> </font></DIV>
<DIV><font face="Arial" size="2"><BR>
Thank you for using Military Bank Online.
<br> We appreciate your business and the opportunity to serve you.</font></DIV>
<DIV><font face="Arial" size="2"> </font></DIV>
<DIV><font face="Arial" size="2"> Bank of America Military Bank
Member Service</font></DIV>
<DIV><font face="Arial" size="2"> </font></DIV>
<DIV><font face="Arial" size="2"><BR>
*****************************************************************************<BR>
IMPORTANT MEMBER SERVICE INFORMATION<BR>
*****************************************************************************</font></DIV>
<DIV><font face="Arial" size="2"> </font></DIV>
<DIV><font face="Arial" size="2"> Please do not reply to this message.
For any inquiries, contact Member Service.</font></DIV>
<DIV><font face="Arial" size="2"> </font></DIV>
<DIV><font face="Arial" size="2"> <BR>
Copyright © 2007 Bank of America Corporation. All rights reserved.</font></DIV>
</DIV>
-
05-16-2007, 05:45 PM #2 Retired Moderator
- Join Date
- Oct 2004
- Location
- Southwest UK
- Posts
- 1,175
It could easily be an open relay problem; ensure you have to log in to your SMTP service before sending emails is allowed.
Do not meddle in the affairs of Dragons, for you are crunchy and taste good.
-
05-17-2007, 01:09 AM #3 Disabled
- Join Date
- Jan 2007
- Posts
- 78
The SMTP authentication is already enabled. Please advise.
-
05-17-2007, 08:01 AM #4 Aspiring Evangelist
- Join Date
- Aug 2004
- Location
- France
- Posts
- 407
phpnobody won't help in this case as the email is sent from Outlook Express.
I'm not familiar with qmail, but did you search for 67.112.176.250 in your mail logs?
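Post #4 makes the point that the sample message came in over SMTP rather than from a web script, and that is visible in the headers: qmail-smtpd stamps "Received: (qmail N invoked from network)" on mail received over SMTP, while qmail-inject stamps "Received: (qmail N invoked by uid U)" on mail handed in by a local process (the path a PHP script takes and the one a sendmail-wrapper logger such as phpnobody can see). The following POSIX shell script is an added example, not code from anyone in this thread: it sorts a dump of queued message headers by that injection path and, for network mail, pulls out the peer IP and HELO string so the busiest source stands out. The input format is assumed to match the qmHandle -m output quoted in post #1; the queue dump below is constructed sample data using documentation addresses (192.0.2.10, example.invalid).

```shell
#!/bin/sh
# Added example: classify queued messages by the path they took into qmail.
# Input on stdin: concatenated `qmHandle -m <id>` header dumps (format assumed
# from the dump in post #1). Output: "<msgid> <path> <remote-ip> <helo>" per message.

triage_queue() {
    awk '
        function flush() { if (msg != "") print msg, path, ip, helo }
        /^MESSAGE NUMBER/ { flush(); msg = $3; path = "unknown"; ip = "-"; helo = "-"; next }
        # qmail-smtpd writes this header for mail received over SMTP
        /^Received: \(qmail [0-9]+ invoked from network\)/ && path == "unknown" { path = "network"; next }
        # qmail-inject writes this header for mail injected by a local process
        /^Received: \(qmail [0-9]+ invoked by uid [0-9]+\)/ && path == "unknown" {
            n = $0; sub(/.*invoked by uid /, "", n); sub(/\).*/, "", n)
            path = "local-uid-" n; next
        }
        # the next Received: line of a network message carries the HELO string and the peer IP
        /^Received: from / && path == "network" && ip == "-" {
            if (match($0, /\(HELO [^)]*\)/)) helo = substr($0, RSTART + 6, RLENGTH - 7)
            if (match($0, /\([0-9][0-9.]*\)/)) ip = substr($0, RSTART + 1, RLENGTH - 2)
            next
        }
        END { flush() }
    '
}

# Count network-injected messages per remote IP, busiest first.
count_by_source() {
    triage_queue | awk '$2 == "network" { c[$3]++ } END { for (k in c) print c[k], k }' | sort -rn
}

# Constructed sample queue dump (three messages; not real traffic).
SAMPLE_QUEUE='--------------
MESSAGE NUMBER 1001
--------------
Received: (qmail 7056 invoked from network); 16 May 2007 05:34:18 -0500
Received: from example.invalid (HELO User) (192.0.2.10)
  by mx.example.invalid with SMTP; 16 May 2007 05:34:18 -0500
From: "Someone" <notice@example.invalid>
Subject: constructed sample one
--------------
MESSAGE NUMBER 1002
--------------
Received: (qmail 7101 invoked by uid 48); 16 May 2007 05:35:02 -0500
From: apache@mx.example.invalid
Subject: constructed sample two (locally injected, e.g. by a web script)
--------------
MESSAGE NUMBER 1003
--------------
Received: (qmail 7210 invoked from network); 16 May 2007 05:36:40 -0500
Received: from example.invalid (HELO User) (192.0.2.10)
  by mx.example.invalid with SMTP; 16 May 2007 05:36:40 -0500
From: "Someone" <notice@example.invalid>
Subject: constructed sample three'

# Usage on the sample: per-message triage, then the per-IP summary.
printf '%s\n' "$SAMPLE_QUEUE" | triage_queue
printf '%s\n' "$SAMPLE_QUEUE" | count_by_source
```

On a live server the stdin would be the -m output for each queued message id, concatenated. A summary that shows thousands of network messages from one IP with one HELO string is the signature of abused SMTP submission (open relay or a guessed mailbox password), and the IP is the value to search for in the SMTP logs; rows tagged local-uid are the only ones a phpnobody-style logger could ever have recorded.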
-
05-17-2007, 08:09 AM #5 Web Hosting Master
- Join Date
- Apr 2002
- Location
- Seattle, WA
- Posts
- 955
My guess is that someone is using your SMTP service to mail out. It's getting more and more common to see brute force SMTP auth using weak passwords. Is this a Plesk server?
I <3 Linux Clusters
-
05-17-2007, 08:15 AM #6 Disabled
- Join Date
- Jan 2007
- Posts
- 78
Could you please advise the location of the mail logs?
The mail logs in /var/log/mail and mail.1.2.3.4... are empty.
Please advise.
-
05-17-2007, 08:34 AM #7 Disabled
- Join Date
- Jan 2007
- Posts
- 78
Yes, it's a Plesk server.
-
05-17-2007, 08:54 AM #8 Junior Guru Wannabe
- Join Date
- Aug 2006
- Location
- India
- Posts
- 86
Do you have the settings below checked in SERVER >> MAIL?
Relaying
- authorization is required: "Checked"
- SMTP: "Checked"
Abee
It is easier to write an incorrect program than understand a correct one.
-
05-17-2007, 08:54 AM #9 Web Hosting Master
- Join Date
- Apr 2002
- Location
- Seattle, WA
- Posts
- 955
You might try this one liner. It will identify all the messages in your mail Q as either valid or invalid users on the system. If they are valid, then it will reveal the weak passwords. I would then suggest those users change their passwords.
# For every From: address in the remote queue, check whether it is a mailbox on this
# Plesk server; if it is, print the stored password for that mailbox.
for faddr in $(qmHandle -R | grep "From:" | sed -e "s/^.*<//g" -e "s/>.*$//g" -e "s/From://g"); do
    domain=$(echo "$faddr" | sed -e "s/^.*@//g")
    user=$(echo "$faddr" | sed -e "s/@.*$//g")
    echo -n "$user@$domain - "
    # a mailbox exists only if both the domain and the mail name directories exist
    if [ -d "/var/qmail/mailnames/$domain/$user" ]; then
        echo -n "VALID USER - "
        mysql -uadmin -p`cat /etc/psa/.psa.shadow` psa -e "select password from domains left join mail on domains.id=mail.dom_id left join accounts on mail.account_id = accounts.id where postbox=\"true\" and mail_name=\"$user\" and domains.name=\"$domain\"\G" | grep "password:" | cut -f2 -d" "
    else
        # unknown domain or mail name: terminate the line so output stays one entry per address
        echo "NOT VALID"
    fi
done
Another possible source of spam is the "backscatter" method. For the gory details, refer to http://spamlinks.net/prevent-secure-backscatter.htm. In short, this method only works if your server sends "bounce" messages in response to an inbound message addressed to a nonexistent user in a valid domain. To prevent this, you can go to Server > Mail > Preferences in Plesk and select "Reject" or "Forward to address" instead of "Bounce with message".
To check this, open mysql:
mysql -u admin -p`cat /etc/psa/.psa.shadow`
select name from domains left join Parameters on domains.id=Parameters.id where value like "%bounce%";
This might show the domains.
Hope this helps!
I <3 Linux Clusters
-
05-17-2007, 08:59 AM #10 Web Hosting Master
- Join Date
- Apr 2002
- Location
- Seattle, WA
- Posts
- 955
In case it isn't using a valid originator, here is a way to show all passwords.
mysql -uadmin -p`cat /etc/psa/.psa.shadow` psa -e 'select concat(mail_name,"@", domains.name) as "e-mail", password from domains left join mail on domains.id=mail.dom_id left join accounts on mail.account_id = accounts.id where postbox="true";'
I <3 Linux Clusters
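Posts #9 and #10 dump mailbox passwords from the psa database so that weak ones can be spotted by eye. The POSIX shell audit below is an added example, not code from either poster: it reads rows in the shape of that mysql batch output (tab-separated, header row first) and reports only which mailboxes have a weak password and why, never echoing the password itself, so the list can be handed straight to the users who need to reset. The weakness rules (password equals the mail name, the domain or its first label; a common word; fewer than 8 characters; no digit) and the sample rows are constructed for this example and are not Plesk's own checks.

```shell
#!/bin/sh
# Added example: flag weak mailbox passwords from rows shaped like the mysql batch
# output in post #10 (e-mail<TAB>password), without printing any password.

# Print a reason if the password is weak for this mailbox, print nothing if it passes.
weak_reason() {
    mailbox=$1
    pw=$2
    user=${mailbox%%@*}      # mail name
    domain=${mailbox#*@}     # full domain
    label=${domain%%.*}      # first domain label
    case "$pw" in
        "$user"|"$domain"|"$label") echo "equals-account-name"; return ;;
        password|123456)            echo "common-password";     return ;;
    esac
    if [ ${#pw} -lt 8 ]; then
        echo "shorter-than-8"; return
    fi
    case "$pw" in
        *[0-9]*) ;;                                   # has a digit: passes
        *)       echo "no-digit"; return ;;
    esac
}

# Read mysql batch rows on stdin, skip the header, report one verdict per mailbox.
audit_creds() {
    tail -n +2 | while IFS="$(printf '\t')" read -r mailbox pw; do
        reason=$(weak_reason "$mailbox" "$pw")
        if [ -n "$reason" ]; then
            echo "$mailbox WEAK ($reason)"
        else
            echo "$mailbox ok"
        fi
    done
}

# Constructed sample rows (invented mailboxes and passwords, documentation domain).
SAMPLE_CREDS=$(printf 'e-mail\tpassword\nalice@example.invalid\talice\nbob@example.invalid\tTr0ub4dor&3x\ncarol@example.invalid\t123456\ndave@example.invalid\texample\nerin@example.invalid\tS3cur3-Pa55-2007\n')

# Usage on the sample; on a Plesk server the stdin would be the output of the
# query in post #10 run with `mysql ... --batch`.
printf '%s\n' "$SAMPLE_CREDS" | audit_creds
```

Of the five sample rows, three are reported as WEAK (alice, carol and dave) and two pass. Run against the real query output, the WEAK list is the set of accounts that an SMTP-auth password guesser would find first, and those are the passwords to force a change on before reopening the queue.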
-
05-17-2007, 02:33 PM #11 Disabled
- Join Date
- Jan 2007
- Posts
- 78