So I fired up mutt tonight to check my mail, and got the same message about ten times. I'm looking, and it was sent to most of the legitimate accounts/aliases on my domain. (All of which get to my mailbox.)
What I'm concerned about isn't that I'm getting spam, but how they got my account. Some are very limited-use. ([email protected] -- given for my student loan.... [email protected] -- an unpublished forwarder to my mom's cell phone.)
How exactly do the spammers know to target these? I'm thinking 1 of 2 things:
1.) Someone (my mom?) to whom I've forwarded various e-mails using various mailboxes has gotten a virus that has harvested these and sent them off to spammers?
2.) Someone has somehow obtained a listing of all my cPanel mail accounts.
Not to sound like a snob (?), but I haven't had to deal with viruses in a couple years (if you're careful, it's really not that hard?). Is #1 going on a lot these days? (And if so, has anyone made a link between the virus and the spammer themselves and filed massive criminal charges?) Is there a known exploit that allows #2?
You mention 'various accounts', but would your mom's computer have *all* those names/aliases on her computer? If not *all*, then another possibility is that a malicious script is on your server harvesting info directly. Something to check in any case...
And the mom.cell forwarder, that would show up on her phone, but would it show up in her regular mail as well? (I suppose if you had put it into a CC: or something it could).
It's not a bad idea to check mom's computer for trojan/worm/virus/spyware in any case...
Let me guess - included in the e-mail was a zip file?
Actually, it was just spam, no attachments. (It's for deeply-discounted software.)
would your mom's computer have *all* those names/aliases on her computer?
Possibly. What's making me wonder about things is that not all of my aliases/accounts got spammed, just most of them. A lot of them are just distinctive names so I can tell where they got my address (i.e., spam to [email protected] couldn't have come anywhere but from Amazon.com). What I'm thinking happened is that she got hit with some form of virus, which harvested mail from the headers of various messages I'd forwarded her over the years.
The e-mails originated on a RoadRunner IP, apparently out of Philadelphia based on the names at the end of a traceroute. We don't have RoadRunner, and don't live anywhere near Philly. Do most address-harvesting viruses send mail directly, or do they send it off somewhere for spamming?
Most of today's infectious mass mailers usually have their own SMTP engine built in, so who do you or your mom know that lives in the Philly area??
It is possible that all those addresses made it onto a spam mailing list and as such are now receiving additional spam.
Email addresses can also be harvested directly from internet packets as they travel around the world.
If not *all* server mail accounts got hit, then it lowers the probability that your server was compromised, but it's always good to do routine security checks anyway. (Check your /tmp folder, run RKHunter and Chkrootkit regularly, and keep them updated!)
You could contact Road Runner and ask for their help in tracking down their user who may be infected. They won't tell you any specifics, but they could certainly contact their user in the best interests of all parties involved.
4. Make sure that you have not set split_spool_directory to no (i.e. use the default yes)
5. Make sure you're running exim v4.50:
If it's not:
6. Make sure that you don't have the queue processing running too frequently, i.e. leave WHM > Tweak Settings > Number of minutes between mail server queue runs > 60
7. Make sure that you have both of the following selected in WHM > Exim Configuration Editor:
Verify the existence of email senders
Discard emails for users who have exceeded their quota
8. In conjunction with sender verification, make sure that you're running bind on your server locally and that it is working and that your server's main IP address appears as the top nameserver in /etc/resolv.conf
9. Limit the length of time that you keep bounce emails in the queue by adding the following into the first textarea of the advanced exim editor:
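An added example (my own script, not from the thread or from cPanel) that audits items 4, 5, 7 and 8 of the checklist above against copies of the relevant files, so it can be run against saved configs before touching a live box. It assumes the WHM sender-verification option shows up as a `verify = sender` ACL statement in exim.conf, and uses constructed sample files in place of /etc/exim.conf, /etc/resolv.conf and the output of `exim -bV`.

```shell
#!/bin/sh
# Audit a few exim/cPanel hardening items against copies of the config files.
# Every path is a parameter, so the constructed samples below stand in for the
# real /etc/exim.conf, /etc/resolv.conf and saved `exim -bV` output.

# Item 4: pass unless split_spool_directory is explicitly forced to "no".
check_split_spool() {
    ! grep -Eq '^[[:space:]]*split_spool_directory[[:space:]]*=[[:space:]]*no' "$1"
}

# Item 5: pass when the "Exim version X.Y" line reports 4.50 or newer.
check_exim_version() {
    ver=$(sed -n 's/^Exim version \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    [ -n "$ver" ] || return 1
    major=${ver%%.*}; minor=${ver#*.}
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 50 ]; }
}

# Item 7 (sender verification): assumption - the WHM option emits a
# "verify = sender" ACL statement; pass when one is present in the config.
check_sender_verify() {
    grep -Eq 'verify[[:space:]]*=[[:space:]]*sender' "$1"
}

# Item 8: pass when the first nameserver listed is the server's own main IP ($2).
check_local_resolver() {
    first=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
    [ "$first" = "$2" ]
}

report() {  # report LABEL CMD ARGS...: print PASS/FAIL, return the check's status
    label=$1; shift
    if "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; return 1; fi
}

# Constructed sample inputs; 192.0.2.10 plays the server's main IP.
tmp=$(mktemp -d)
printf 'split_spool_directory = yes\nacl_check_recipient:\n  require verify = sender\n' > "$tmp/exim.conf"
printf 'Exim version 4.50 #1 built 25-Jun-2005 10:00:00\n' > "$tmp/exim-bV.txt"
printf 'nameserver 192.0.2.10\nnameserver 192.0.2.53\n' > "$tmp/resolv.conf"

audit() {  # run every check against the directory in $1; return the failure count
    fails=0
    report "split_spool_directory not forced to no" check_split_spool "$1/exim.conf" || fails=$((fails + 1))
    report "exim is 4.50 or newer" check_exim_version "$1/exim-bV.txt" || fails=$((fails + 1))
    report "sender verification enabled" check_sender_verify "$1/exim.conf" || fails=$((fails + 1))
    report "local bind is the first resolver" check_local_resolver "$1/resolv.conf" 192.0.2.10 || fails=$((fails + 1))
    return "$fails"
}
audit "$tmp" || echo "some checks failed"
```

Against a real server, point the checks at /etc/exim.conf, /etc/resolv.conf and a file holding `exim -bV` output, and substitute the box's main IP for 192.0.2.10.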