Where is this spam coming from?

**cooldude7273** · 08-19-2008 10:56 PM

Which account is being used to send this spam? I'm having thousands and thousands of emails being sent and I can't seem to track it down:

Code:

1KVcv6-0004iF-Tr-H
mailnull 47 12
<prohrdept@gmail.com>
1219197332 0
-helo_name 192.168.1.100
-host_address 65.185.121.96.2210
-host_name cpe-65-185-121-96.woh.res.rr.com
-interface_address 208.43.97.172.25
-received_protocol smtp
-body_linecount 47
-max_received_linelength 250
NN tracyp16@aol.com
2
panther_34654@yahoo.com
tracyp16@aol.com

232P Received: from cpe-65-185-121-96.woh.res.rr.com ([65.185.121.96] helo=192.168.1.100)
	by angela.limitlesshosting.net with smtp (Exim 4.69)
	(envelope-from <prohrdept@gmail.com>)
	id 1KVcv6-0004iF-Tr; Tue, 19 Aug 2008 21:55:10 -0400
045F From: "mary lizzabeth" <prohrdept@gmail.com>
004T To:
094  Subject: EZ twenty now is exploding...$20$20...to many twenties not enough time...hee...hee..
047S Sender: "mary lizzabeth" <prohrdept@gmail.com>
018  Mime-Version: 1.0
081  Content-Type: multipart/alternative;
	boundary="= Multipart Boundary 0819082155"
038  Date: Tue, 19 Aug 2008 21:55:32 -0400
014  X-ACL-Warn: {

**furry** · 08-19-2008 11:07 PM

Are they being sent from you accounts? have you contacted your hosting companies security department to see if they can aid you?

**chirpy** · 08-20-2008 05:00 AM

Read the first Received: header line. This appears to show that email coming from 65.185.121.96. If that's not on your server, then the spam is incoming, not outgoing. If your server is being reported for spam, check whether you have any forwarders in /etc/valiases/* pointing to aol.com, yahoo.com or any other free email service. If you have then most likely your users are tagging email relayed through your server to their forwarder as spam. If so, you need to either:

1. Educate them to not tag as spam email relayed through your server
2. Remove the forwarders and tell them to POP their accounts

**cooldude7273** · 08-21-2008 09:56 PM

Couldn't find anything out of the normal.

Problem is I have thousands of spam emails being sent every few days with identical spam messages with this kind of header, just with different email address. "prohrdept@gmail.com" is always in there though.

**sparek-3** · 08-21-2008 10:21 PM

Is angela.limitlesshosting.net your server?

It looks like someone is relaying mail through your server. Chances are someone from IP address 65.185.121.96 is logging into your POP3 server, which then allows that IP to relay mail through your server.

Check the /var/log/maillog for a mention of that IP address.

cat /var/log/maillog | grep 65.185.121.96

**vinoo** · 08-23-2008 09:08 PM

You can set filters on your account to avoid spam.Mail filters allow you to automatically perform different actions on emails received, based on who sent them, where they were sent to, and what they contain. Some of the possible actions are: discard, redirect, move to a folder or pipe to a program. For example, you could create a filter that automatically discards any email received from prohrdept@gmail.com. Also check spam assassin is configured for the account and the spam score is set to lower value which can reduce the spams.

LinkBack

Thread Tools