Community Forums
Connect with us on LinkedIn
Joe-Jobs all of a sudden
  
+ Reply to Thread
Results 1 to 3 of 3
  1. 11-23-2005 02:24 AM #1
    DavidR
    DavidR is offline
    Member
    Join Date
    Feb 2003
    Posts
    176

    Default Joe-Jobs all of a sudden

    I'd like some advice in identifying just what might be going on here. For the past few days I have been receiving a lot of bounced emails that look like they were sent to 3rd parties with the "from" address spoofed as postmaster@oneofmyserversdomains.com. The only thing these domains have in common is that they are hosted on the same server - Linux/WHM. At first I thought perhaps the contact forms on some osCommerce sites had been used to send spam so I am adding some safeguards to those and new mod security rules found here and around. However, not all of these sites have a contact form. I've had my own address spoofed before but I am curious as to why/how this time it would involve all these domains from my server. Does this sound like a particular attack of some sort? The only two places these addresses are found together are on the server and my own box. I can't find anything active on either. Some of these bounce-backs are carrying W32/Sober.AD-mm and similar, but most are just a failure bounce from an attempt to email dozens of addresses that don't exist. Does this sound familiar to anyone?

    David
    Reply With Quote Reply With Quote
  2. 11-23-2005 04:04 AM #2
    abubin
    abubin is offline
    Member
    Join Date
    Dec 2004
    Posts
    388

    Default

    I hate joe-jobs!! I remember having massive problems when I was attacked by some joe-jobs.

    Anyway, if it involves worms like the sober, perhaps some of your users are infected with this worm which will send out emails automatically from the infected PC.
    Reply With Quote Reply With Quote
  3. 11-24-2005 07:50 AM #3
    brianoz
    brianoz is offline
    Member brianoz's Avatar
    Join Date
    Mar 2004
    Location
    Melbourne, Australia
    Posts
    1,117
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    It's probably bounce messages from the Sober virus, which apparently has rather quickly risen to the top of the active email-worm-virus list.

    If you're getting flooded out of existence, one way to get yourself out of the hole is to redirect postmaster to fail for the next 48 hours or so, this will cause all the bogus bounces to get refused when they connect, which uses an order of magnitude less resources and should in itself return your machine to normal use.

    I'm not sure how to do this through WHM, but you can do it via editing /etc/aliases and /etc/myaliases (I think myaliases is the one that matters) and replacing the target with ":fail: postmaster has been disabled during virus storm" or something similar.
    Reply With Quote Reply With Quote
«   Mass spam attacks / Paris Hilton and Nicole Richie emails | Spam issues »     
Similar Threads & Tags
Similar threads

  1. Joe Job? or,and emails stolen?
    By VirtuaLira in forum E-mail Discussions
    Replies: 0
    Last Post: 10-09-2008, 10:22 AM
  2. Quick question (joe-job?)
    By Wallaby in forum cPanel and WHM Discussions
    Replies: 2
    Last Post: 05-10-2008, 06:43 AM
  3. How can I forward joe@allParkedDomains.com to joe@maindomain.com ?
    By BianchiDude in forum cPanel and WHM Discussions
    Replies: 1
    Last Post: 03-24-2006, 11:37 AM
  4. Receiving email for joe@domain.com and joe@domain.net in one inbox, how to do this?
    By AbeFroman in forum cPanel and WHM Discussions
    Replies: 8
    Last Post: 03-11-2004, 10:50 PM
Linkedin       Facebook       Twitter       RSS       Flickr       YouTube