  1. #1
    Member
    Join Date
    Oct 2005
    Posts
    19

    Spamming in different ways?

    Hi,

    Can anyone tell me this? When I check my exim mail logs I found the following:

    2009-08-10 23:56:01 1MajOy-0003Cy-Tx <= service@paypal.fr H=(User) [213.175.204.108] P=esmtpa A=fixed_login:mdsutama@banksinar.co.id S=3344

    banksinar.co.id is my customer's domain, but I wonder how come the "From" address had service@paypal.fr.
    Please tell me how to prevent this type of spamming.

    Regards
    Sunil

  2. #2
    cPanel Partner NOC
    Join Date
    Apr 2008
    Location
    PK
    Posts
    443

    Originally posted by sunil001:
    Hi,

    Can anyone tell me this? When I check my exim mail logs I found the following:

    2009-08-10 23:56:01 1MajOy-0003Cy-Tx <= service@paypal.fr H=(User) [213.175.204.108] P=esmtpa A=fixed_login:mdsutama@banksinar.co.id S=3344

    banksinar.co.id is my customer's domain, but I wonder how come the "From" address had service@paypal.fr.
    Please tell me how to prevent this type of spamming.

    Regards
    Sunil

    1- Ask your customer to audit his/her scripts and remove any bulk mailing scripts, especially those using the PHP mail() function.
    2- Enable SMTP Tweak under "WHM >> Security >> Security Center >> SMTP Tweak". This will help avoid any emails bypassing the mail server and getting logged in exim_mainlog.
    3- If you are running SuPHP/Suexec setup, enable the option "Prevent the user "nobody" from sending out mail to remote addresses (PHP and CGI scripts generally run as nobody if you are not using PHPSuexec and Suexec respectively.)" in "WHM >> Tweak Settings".
    4- Enable extended logging in exim to find the exact script sending email.
    5- Limit emails per domain to avoid any script vulnerability exploiting unlimited mailing facility. Set the maximum email per domain option in tweak settings "The maximum each domain can send out per hour (0 is unlimited)".
    1 solution works for all problems. Trying harder!
    HostMasterTips - Understanding Tech Support

  3. #3
    Member
    Join Date
    Aug 2002
    Posts
    1,120

    SMTP has no authentication element on the from address.

    Anyone can send any message from any e-mail address.

    This is where anti-spoofing methods such as SPF come into play. The message may say it is from paypal.com, but it is not sent out from an IP address that paypal.com has designated as a legitimate sender.

  4. #4
    Member
    Join Date
    Oct 2005
    Posts
    19

    Hi sparek-3,

    Yes, you are right, but how to prevent this?

    Also, we found it is not generated from scripts; it seems like a normal email. If it is PHP mail then it will be shown as nobody@

    Regards
    sunil

  5. #5
    Member
    Join Date
    Aug 2002
    Posts
    1,120

    I would suspend or at the very least write the account owner for the banksinar.co.id domain.

    The mdsutama@banksinar.co.id e-mail account owner is either sending out the spam themselves, or their account has been compromised.

    In either case, suspending the banksinar.co.id account will stop the activity.

    You might also consider blocking the 213.175.204.108 IP address, but I would recommend writing the user, because if their account has been compromised, it's very likely that 213.175.204.108 is not the only IP address that knows the password to the mdsutama@banksinar.co.id account.

    How do you stop this from happening in the future? I don't know if you can. Anyone that signs up for a hosting account will be able to use this method to send out spam. Anyone whose account has been compromised can be used to send out spam. The good thing is, you have logs that show you exactly who is responsible for sending out the messages.
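
The log check discussed in this thread, as an added example that is not part of any post: it scans exim_mainlog arrival lines for authenticated submissions whose envelope sender domain differs from the domain of the login in the `A=` field, and lists the client IPs per login. Function names are hypothetical, and every sample line except the first (quoted in the thread) is constructed.

```python
import re
from collections import defaultdict

# First line is the one quoted in the thread; the rest are constructed samples.
SAMPLE_LOG = """\
2009-08-10 23:56:01 1MajOy-0003Cy-Tx <= service@paypal.fr H=(User) [213.175.204.108] P=esmtpa A=fixed_login:mdsutama@banksinar.co.id S=3344
2009-08-10 23:57:12 1MajPz-0003Dd-AA <= alice@example.org H=(laptop) [192.0.2.10] P=esmtpa A=fixed_login:alice@example.org S=1200
2009-08-10 23:58:40 1MajQq-0003Ee-BB <= news@example.net H=mx.example.net [198.51.100.7] P=esmtp S=5100
2009-08-10 23:59:03 1MajRr-0003Ff-CC <= security@paypal.fr H=(User) [203.0.113.44] P=esmtpa A=fixed_login:mdsutama@banksinar.co.id S=3350
"""

# Exim arrival line ("<=") carrying an A=<authenticator>:<login> field.
ARRIVAL = re.compile(
    r"^\S+ \S+ (?P<msgid>\S+) <= (?P<sender>\S+) "
    r".*? \[(?P<ip>[0-9A-Fa-f.:]+)\]"
    r".*? A=[^:\s]+:(?P<login>\S+)"
)

def domain(addr):
    """Lower-cased domain part, or '' when the address has none (e.g. '<>')."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def find_mismatches(log_text):
    """Authenticated arrivals whose envelope sender domain differs from the login's."""
    hits = []
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if not m:
            continue  # not an authenticated arrival line
        login_dom = domain(m["login"])
        # Logins without a domain part cannot be compared, so skip them.
        if login_dom and domain(m["sender"]) != login_dom:
            hits.append(m.groupdict())
    return hits

def summarize(hits):
    """Per login: number of mismatched messages and the client IPs that used it."""
    summary = defaultdict(lambda: {"count": 0, "ips": set()})
    for h in hits:
        summary[h["login"]]["count"] += 1
        summary[h["login"]]["ips"].add(h["ip"])
    return dict(summary)

if __name__ == "__main__":
    for login, s in summarize(find_mismatches(SAMPLE_LOG)).items():
        print(login, s["count"], sorted(s["ips"]))
```

A mismatch is a lead for review rather than proof of abuse, since a mailbox owner may legitimately send with an address on another domain they control.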
