  1. #1
    Join Date
    Jun 2002

    Spam to all my legitimate accounts... Umm?

    So I fired up mutt tonight to check my mail, and got the same message about ten times. I'm looking, and it was sent to most of the legitimate accounts/aliases on my domain. (All of which get to my mailbox.)

    What I'm concerned about isn't that I'm getting spam, but how they got my account. Some are very limited-use. ([email protected] -- given for my student loan.... [email protected] -- an unpublished forwarder to my mom's cell phone.)

    How exactly do the spammers know to target these? I'm thinking 1 of 2 things:

    1.) Someone (my mom?) to whom I've forwarded various e-mails using various mailboxes has gotten a virus, that has harvested these and sent them off to spammers?

    2.) Someone has somehow obtained a listing of all my cPanel mail accounts.

    Not to sound like a snob (?), but I haven't had to deal with viruses in a couple years (if you're careful, it's really not that hard?). Is #1 going on a lot these days? (And if so, has anyone made a link between the virus and the spammer themselves and filed massive criminal charges?) Is there a known exploit that allows #2?

    Someone tell me I can stop freaking out.

  2. #2
    Join Date
    Oct 2003

  3. #3
    Set up new aliases for all those accounts and then forward those aliases getting spammed to spamcop, at least that's what I do

  4. #4
    Join Date
    Dec 2003
    Sunny So. Calif.
    You mention 'various accounts', but would your mom's computer have *all* those names/aliases on her computer? If not *all*, then another possibility is that a malicious script is on your server harvesting info directly. Something to check in any case...

    And the mom.cell forwarder, that would show up on her phone, but would it show up in her regular mail as well? (I suppose if you had put it into a CC: or something it could).

    It's not a bad idea to check mom's computer for trojan/worm/virus/spyware in any case...

  5. #5
    Join Date
    Jun 2002
    Let me guess - included in the e-mail was a zip file?
    Actually, it was just spam, no attachments. (It's for deeply-discounted software.)

    would your mom's computer have *all* those names/aliases on her computer?
    Possibly. What's making me wonder about things is that not all of my aliases/accounts got spammed, just most of them. A lot of them are just distinctive names so I can tell where they got my address (i.e., spam to [email protected] couldn't have come anywhere but from What I'm thinking happened is that she got hit with some form of virus, which harvested mail from the headers of various messages I'd forwarded her over the years.

    The e-mails originated on a RoadRunner IP, apparently out of Philadelphia based on the names at the end of a traceroute. We don't have RoadRunner, and don't live anywhere near Philly. Do most address-harvesting viruses send mail directly, or do they send it off somewhere for spamming?

  6. #6
    Join Date
    Dec 2003
    Sunny So. Calif.
    Most of today's infectious mass mailers usually have their own SMTP engine built in, so who do you or your mom know that lives in the Philly area??

    It is possible that all those addresses made it onto a spam mailing list and as such are now receiving additional spam.

    Email addresses can also be harvested directly from internet packets as they travel around the world.

    If not *all* server mail accounts got hit, then it lowers the probability that your server was compromised, but it's always good to do routine security checks anyways. (check your /tmp folder, run RKHunter and Chkrootkit regularly, and keep them updated!)

    You could contact Road Runner and ask for their help in tracking down their user who may be infected. They won't tell you any specifics, but they could certainly contact their user in the best interests of all parties involved.

  7. #7
    Join Date
    Jun 2005

    Re: Spam to all my legitimate accounts... Umm?


    * I have taken this post from This post was originally posted by the GREAT JONATHAN (chirpy)
    * if you have a cpanel id please have a look at this thread


    A few important considerations if you haven't already done so:

    1. Make sure all the /etc/valiases/ are using :fail: and not :blackhole:

    2. Where possible, make sure that all the valiases domains have the catchall disabled and set to :fail:

    3. Install a dictionary attack ACL:

    4. Make sure that you have not set split_spool_directory to no (i.e. use the default yes)

    5. Make sure you're running exim v4.50:

    exim -bV

    If it's not:


    6. Make sure that you don't have the queue processing running too frequently, i.e. leave WHM > Tweak Settings > Number of minutes between mail server queue runs > 60

    7. Make sure that you have both of the following selected in WHM > Exim Configuration Editor:

    Verify the existence of email senders
    Discard emails for users who have exceeded their quota

    8. In conjunction with sender verification, make sure that you're running bind on your server locally and that it is working and that your server's main IP address appears as the top nameserver in /etc/resolv.conf

    9. Limit the length of time that you keep bounce emails in the queue by adding the following into the first textarea of the advanced exim editor:

    timeout_frozen_after = 2d
    ignore_bounce_errors_after = 12h

    All the above can often make a huge difference to the exim load.
    I hope it will help you to solve this problem

    Let me know the status
    With regards,
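
Items 1 and 2 of the checklist above can be audited with a short script. This is an added example, not part of the original post or of cPanel; it assumes each file under the valiases directory is named after a domain and holds lines of the form `<address or *>: <destination>`, and the sample domains and aliases are constructed.

```shell
#!/bin/sh
# audit_valiases DIR
# Prints one finding per line: "<domain> <BLACKHOLE|CATCHALL> <alias>"
#   BLACKHOLE: an alias whose destination is :blackhole: (checklist item 1)
#   CATCHALL : a "*" entry that is not set to :fail:     (checklist item 2)
audit_valiases() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        domain=$(basename "$f")
        awk -v d="$domain" '
            /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
            {
                i = index($0, ":")             # first colon ends the alias name
                if (i == 0) next
                alias = substr($0, 1, i - 1)
                dest  = substr($0, i + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", alias)
                gsub(/^[ \t]+|[ \t]+$/, "", dest)
                if (dest ~ /^:blackhole:/)
                    print d, "BLACKHOLE", alias
                else if (alias == "*" && dest !~ /^:fail:/)
                    print d, "CATCHALL", alias
            }' "$f"
    done
}

# Constructed sample data (not from a real server). On a cPanel host the
# directory to audit would be /etc/valiases.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' 'loans@example.com: localuser' \
                  '*: :fail: No such user here' > "$d/example.com"
    printf '%s\n' 'old@example.net: :blackhole:' \
                  '*: localuser' > "$d/example.net"
    echo "$d"
}

sample=$(make_sample)
audit_valiases "$sample"
rm -rf "$sample"
```

An empty result means every alias file already follows items 1 and 2; each reported line names the domain file and alias to change.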

  8. #8
    fog, I was wondering if you are getting spams like mine:

    all incoming emails are virus infected and they send to unpublished forwarder as if they know my address inside CPanel

  9. #9
    There are programs that log into email servers and pretend they just want to send an email but in fact they scan for valid email addresses...
