  1. #1
    Member
    Join Date
    Sep 2001
    Posts
    44

    Default new kind of spammer?

    For the second time in a week my server has been used to send out spam.

    The first time was at the end of last week. Investigating, I found that the spammer seemed to have a password for a client's email account since:
    a) all the spam originated from that account and
    b) analyzing the headers of the spam messages, the mail was sent by an authenticated user, using an email client (I mean, it wasn't sent by "nobody" exploiting a web form or something like that, headers were very clean)

    Anyway, I suspended the account, discussed the problem with the client and we ended up suspecting at that moment that it was an isolated case of a worm, trojan or keylogger on his machine.

    But...

    The second time was yesterday... It was exactly the same method and type of spam:
    * very short message
    * porn type
    * every mail was to exactly 10 recipients
    * short message with an <img> tag to display an external image
    So I suspect it was the same spammer.
    Only this time he was using a completely different mail account. The interesting part is that this email account is from another client that has no relation with the first one whatsoever.

    Taking this into account, now I'm considering the possibility that somehow spammers are getting email passwords at the server end. I'm suspecting packet sniffing at the datacenter.

    Clues anyone?

    Thanks in advance
    Last edited by luis; 07-01-2006 at 10:36 AM.
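
One way to test the "same spammer, two unrelated accounts" theory from the mail log, as an added example that is not part of the original post. It assumes Exim-style mainlog arrival lines with recipients logged (`log_selector = +received_recipients`); the log lines, addresses, IPs and the `fixed_login` authenticator name are constructed sample values.

```python
import re
from collections import defaultdict

# Arrival ("<=") line of an authenticated SMTP submission in Exim mainlog style.
ARRIVAL = re.compile(
    r"^\S+ \S+ (?P<id>\S+) <= \S+ .*?\[(?P<ip>[0-9a-fA-F.:]+)\]"
    r".*? A=(?P<auth>\w+):(?P<user>\S+).*? for (?P<rcpts>.+)$"
)

def _line(n, user, ip, rcpts):
    """Build one constructed log line with `rcpts` recipients."""
    to = " ".join(f"r{i}@dest.example" for i in range(rcpts))
    return (f"2006-06-30 09:{n:02d}:00 1Fw{n:03d}-0000aa-01 <= {user} H=(pc) "
            f"[{ip}] P=esmtpa A=fixed_login:{user} S=812 for {to}")

# Constructed sample: two unrelated accounts sending 10-recipient mail from one
# source IP, plus ordinary traffic from other addresses.
SAMPLE = (
    [_line(n, "bob@client-a.example", "203.0.113.7", 10) for n in range(6)]
    + [_line(n + 10, "ann@client-b.example", "203.0.113.7", 10) for n in range(5)]
    + [_line(20, "ann@client-b.example", "192.0.2.44", 1),
       _line(21, "joe@client-c.example", "198.51.100.9", 3)]
)

def parse(lines):
    """Yield (authenticated user, source IP, recipient count) per arrival line."""
    for line in lines:
        m = ARRIVAL.match(line)
        if m:
            yield m["user"], m["ip"], len(m["rcpts"].split())

def suspicious_accounts(lines, min_msgs=5, min_rcpts=5):
    """Accounts with >= min_msgs authenticated messages sharing one recipient count."""
    counts = defaultdict(lambda: defaultdict(int))  # user -> rcpt count -> messages
    for user, _ip, n in parse(lines):
        counts[user][n] += 1
    return {u: n for u, per in counts.items() for n, c in per.items()
            if n >= min_rcpts and c >= min_msgs}

def shared_source_ips(lines):
    """Source IPs that authenticated as more than one account."""
    users = defaultdict(set)
    for user, ip, _n in parse(lines):
        users[ip].add(user)
    return {ip: sorted(u) for ip, u in users.items() if len(u) > 1}
```

A source IP that shows up under several unrelated accounts ties the incidents to one sender, and comparing it with each client's usual login addresses helps separate a stolen password from normal use.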

  2. #2
    Member bmcpanel's Avatar
    Join Date
    Jun 2002
    Posts
    546

    Default

    Quote Originally Posted by luis
    For the second time in a week my server has been used to send out spam.

    The first time was at the end of last week. Investigating, I found that the spammer seemed to have a password for a client's email account since:
    a) all the spam originated from that account and
    b) analyzing the headers of the spam messages, the mail was sent by an authenticated user, using an email client (I mean, it wasn't sent by "nobody" exploiting a web form or something like that, headers were very clean)

    Anyway, I suspended the account, discussed the problem with the client and we ended up suspecting at that moment that it was an isolated case of a worm, trojan or keylogger on his machine.

    But...

    The second time was yesterday... It was exactly the same method and type of spam:
    * very short message
    * porn type
    * every mail was to exactly 10 recipients
    * short message with an <img> tag to display an external image
    So I suspect it was the same spammer.
    Only this time he was using a completely different mail account. The interesting part is that this email account is from another client that has no relation with the first one whatsoever.

    Taking this into account, now I'm considering the possibility that somehow spammers are getting email passwords at the server end. I'm suspecting packet sniffing at the datacenter.

    Clues anyone?

    Thanks in advance
    Maybe someone has root access to your box. Check for evidence of intrusion.

  3. #3
    Member
    Join Date
    Sep 2001
    Posts
    44

    Default

    Of course that is always a possibility but I don't think the evidence points that way... A user with root access could easily create an email account instead of using an existing one from a web hosting customer... or even find a way to send those without leaving evidence...

    Has anyone had this type of issue?

  4. #4
    Member
    Join Date
    Apr 2005
    Posts
    318

    Default

    Contact Chirpy for this issue... he might help.
    http://www.crohoster.com/
    quality hosting services and managed dedicated servers
