  1. #1
    Join Date
    Aug 2007
    Posts
    263

    help: spam mail from server with unknown person

    My server keeps sending mail out. I tried to figure out which user it is but can't find any solution. Does anyone have experience with this?

    Below are the logs.

    E-Mail Headers
    1QKTJv-0003FE-7U-H
    mail 8 12
    <>
    1305196839 0
    -ident mail
    -received_protocol local
    -body_linecount 226
    -max_received_linelength 955
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -frozen 1305197706
    -localerror
    XX
    1
    [email protected]

    149P Received: from mail by server15.surpass.com.my with local (Exim 4.69)
    id 1QKTJv-0003FE-7U
    for [email protected]; Thu, 12 May 2011 18:40:45 +0800
    1310 X-Failed-Recipients: [email protected],
    029 Auto-Submitted: auto-replied
    067F From: Mail Delivery System <[email protected]>
    024T To: [email protected]
    059 Subject: Mail delivery failed: returning message to sender
    056I Message-Id: <[email protected]>
    038 Date: Thu, 12 May 2011 18:40:39 +0800
    E-Mail Body Chunk:
    1QKTJv-0003FE-7U-D
    This message was created automatically by mail delivery software.

    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:

    [email protected]
    Unrouteable address

    ------ This is a copy of the message, including all the headers. ------

    Return-path: <noreply@santrex.net>
    Received: from 92-223-63-74.servebyte.net ([74.63.223.92] helo=User)
    by server15.surpass.com.my with esmtpa (Exim 4.69)
    (envelope-from <noreply@santrex.net>)
    id 1QKTJa-0002rK-Og; Thu, 12 May 2011 18:40:21 +0800
    Reply-To: <pauldglas@blumail.org>
    From: "PAUL DOUGLAS"<noreply@santrex.net>
    Subject: PAUL DOUGLAS
    Date: Thu, 12 May 2011 11:36:39 -0700
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_00B6_01C2A9A6.32CF71B6"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

    This is a multi-part message in MIME format.

    ------=_NextPart_000_00B6_01C2A9A6.32CF71B6
    Content-Type: text/plain;
    charset="Windows-1251"
    Content-Transfer-Encoding: 7bit


    CENTRAL BANK OF NIGERIA
    OFFICE OF THE DIRECTOR
    TELEX / COMPUTER DEPARTMENT
    TINUBU SQUARE
    ABUJA - NIGERIA

    CONTACT NUMBER: 234-8160371862
    PRIVATE EMAIL: pauldglas@blumail.org


    DEAR SIR,

    MY NAME IS MR. PAUL DOUGLAS OF TELEX/COMPUTER DEPARTMENT OF CENTRAL BANK OF NIGERIA.

    I AM SENDING THIS PRIVATE EMAIL BASED ON THE CONFIDENTIALITY OF THE TRANSACTION.
    PLEASE, I WILL LIKE TO ADVISE IF AFTER GOING THROUGH MY PROPOSAL AND YOU DO NOT ACCEPT IT, KINDLY KEEP IT TO YOURSELF. AS OF THIS MOMENT,
    I AM STILL IN SERVICE WITH CENTRAL BANK OF NIGERIA (CBN).
    AND I WILL NOT BY ANY MEANS LIKE TO LOSE MY JOB, IF YOU ARE NOT INTERESTED.

    I HAVE PUT IN OVER 23 YEARS IN THIS BANK BUT I DO NOT HAVE ANYTHING TO SHOW FOR IT. THIS IS JUST MY OPPORTUNITY TO MAKE SURE THAT I GIVE MY CHILDREN A DECENT TRAINING SINCE MY GOVERNMENT WHICH IS CORRUPT HAS REFUSED TO TAKE CARE OF ITS RESPONSIBILITY. INFACT I AM SICK AND TIRED OF EVERYTHING HERE I NEED TO GET OUT. I FOUND OUT THAT YOU ALMOST MET ALL THE STATUTORY REQUIREMENTS IN RESPECT OF YOUR PAYMENT. PLEASE BE EQUALLY ADVISED THAT NO SECURITY COMPANY IN AFRICA CAN HANDLE YOUR CONTRACT PAYMENT/INHERITANCE FUND WITH ANY BANK WITHOUT THE INSTRUCTIONS OF THE CENTRAL BANK OF NIGERIA.

    YOUR PROBLEM IS THAT OF INTEREST GROUP IN THE CENTRAL BANK OF NIGERIA THAT IS SUPPOSED TO TRANSFER YOUR FUND WITH THE APPROVAL OF CENTRAL BANK. A LOT OF PEOPLE IS INTERESTED IN YOUR PAYMENT AND THAT EXPLAINS WHY YOU RECEIVE EMAILS AND PHONE CALLS FROM DIFFERENT PEOPLE EVERYDAY. THEIR WHOLE GAME PLAN IS TO FRUSTRATE YOU IN ORDER FOR YOU TO ABANDON THE CONTRACT PAYMENT AND THEN, THEY WILL BE COMFORTABLE AND FREE ENOUGH TO TRANSFER THE CONTRACT FUNDS INTO THEIR OVERSEAS ACCOUNT. THEIR AIM AND TARGET IS NOT THE MONEY YOU ARE GIVING THEM BUT TO FRUSTRATE YOU.HENCE, YOU HAVE LOST TRUST ON WHOM TO BELIEVE TO BE GENUINE. I CAN ASSURE YOU THAT THIS MAY LAST FOR YEARS, YET NOTHING HAPPENS. TO SUM IT UP, I WISH TO ASSURE YOU THAT WITH MY POSITION HERE IN THE TELEX DEPARTMENT, I CAN ACCOMPLISH THIS UNDER FIVE WORKING DAYS. BUT WE HAVE TO REACH AN AGREEMENT. FIRST OF ALL, YOU HAVE TO LET ME KNOW HOW MUCH YOU WILL GIVE ME AT THE CONSUMMATION OF THIS DEAL.

    KINDLY GET BACK TO ME IMMEDIATELY ON MY ABOVE PRIVATE TELEPHONE NUMBER-234-8160371862 OR MY PRIVATE MAIL pauldglas@blumail.org

    REGARDS,

    MR.PAUL DOUGLAS



    ------=_NextPart_000_00B6_01C2A9A6.32CF71B6
    Content-Type: application/octet-stream;
    name="PAUL DOUGLAS.txt"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment;
    filename="PAUL DOUGLAS.txt"

    Log:
    2011-05-12 18:40:48 Received from <> R=1QKTJa-0002rK-Og U=mail P=local S=11076 T="Mail delivery failed: returning message to sender"
    2011-05-12 18:40:51 noreply@santrex.net R=lookuphost T=remote_smtp defer (-53): retry time not reached for any host
    2011-05-12 18:55:06 SMTP error from remote mail server after RCPT TO:<noreply@santrex.net>: host mail.santrex.net [188.72.241.202]: 550 5.1.1 <noreply@santrex.net>: Recipient address rejected: User unknown in virtual mailbox table
    2011-05-12 18:55:06 noreply@santrex.net F=<> R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<noreply@santrex.net>: host mail.santrex.net [188.72.241.202]: 550 5.1.1 <noreply@santrex.net>: Recipient address rejected: User unknown in virtual mailbox table
    *** Frozen (delivery error message)

  2. #2
    Join Date
    Sep 2004
    Location
    Miami, FL
    Posts
    2,762
    From what I could see above (too long and lazy to really read), you have a script or something like that running.

    On the other hand, when I see "Unroutable Address" then I'd think that the domain is not resolving. Is your server resolving its addresses? Considering that you're using a Malaysian line/server, is your DNS resolving correctly?
    Aaron Ong

  3. #3
    It looks like PHP mail header injection. You are using an insecure script. Maybe a contact form?

  4. #4
    One of the things that is a must on shared servers is to extend Exim's logging.
    Follow the guide here: http://www.webhostgear.com/118.html

    After that, Exim will log the directory the emails are coming from, i.e. /home/spaminguser/public_html/funky_folder

    You can also run a grep for cwd and sort the output to see where most mails are coming from.
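
An added example, not part of the original thread: the grep for `cwd` suggested in post #4 as a small shell script, extended to also tally authenticated SMTP logins, since the Received header quoted in post #1 shows the message arriving over `esmtpa`. It assumes Exim's `+arguments` log selector is enabled; the function names, the spool path and every sample log line are constructed for illustration.

```shell
# Added example (not from the thread); the sample log lines are constructed.

# Local submissions: with +arguments in log_selector, Exim logs
# "cwd=<dir> N args: ..." per invocation. Count by directory, skipping
# "/" and the spool directory (daemon and queue runners; assumed path).
top_cwd() {
    awk '{
        o = ($3 ~ /^\[[0-9]+\]$/) ? 1 : 0   # optional [pid] field (+pid)
        f = $(3 + o)
        if (f ~ /^cwd=/) {
            dir = substr(f, 5)
            if (dir != "/" && dir !~ /^\/var\/spool\/exim/) n[dir]++
        }
    }
    END { for (d in n) print n[d], d }' "$1" | sort -rn
}

# Authenticated SMTP submissions: count A=<authenticator>:<login> on
# arrival ("<=") lines. Stop at T=" so logged subject text cannot
# inject a fake A= token.
top_auth() {
    awk '{
        o = ($3 ~ /^\[[0-9]+\]$/) ? 1 : 0
        if ($(4 + o) != "<=") next
        for (i = 5 + o; i <= NF; i++) {
            if ($i ~ /^T="/) break
            if ($i ~ /^A=/) n[substr($i, 3)]++
        }
    }
    END { for (a in n) print n[a], a }' "$1" | sort -rn
}

make_sample_log() {
    cat > "$1" <<'EOF'
2011-05-12 18:40:01 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
2011-05-12 18:40:05 cwd=/home/exampleuser/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2011-05-12 18:40:06 cwd=/home/exampleuser/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2011-05-12 18:40:07 cwd=/home/otheruser/public_html 3 args: /usr/sbin/sendmail -t -i
2011-05-12 18:40:21 1AAAAA-000001-AA <= sender@example.net H=(User) [192.0.2.10] P=esmtpa A=login:box1@example.com S=11000 T="re: A=forged cwd=/tmp"
2011-05-12 18:40:22 1AAAAA-000002-AA <= sender@example.net H=(User) [192.0.2.10] P=esmtpa A=login:box1@example.com S=11000
2011-05-12 18:40:30 1AAAAA-000003-AA <= other@example.org H=mail.example.org [198.51.100.7] P=esmtp S=2000
2011-05-12 18:40:31 1AAAAA-000004-AA <= u2@example.com H=(pc) [203.0.113.5] P=esmtpa A=login:box2@example.com S=900
EOF
}

log=$(mktemp) && make_sample_log "$log"
echo "local submissions by directory:"; top_cwd "$log"
echo "authenticated submissions by login:"; top_auth "$log"
rm -f "$log"
```

A directory at the top of the first list points at a script calling sendmail locally; a login at the top of the second points at a mailbox whose SMTP password should be reset.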
