The Community Forums


Brazilian SPAM

Discussion in 'General Discussion' started by Doolie, Feb 12, 2006.

  1. Doolie

    Doolie Member

    Joined:
    Apr 22, 2005
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    Since Friday night I have been getting thousands of emails for a domain that is not on my server. Here's what happens:

    1. Mail comes in for domain "zipmail.com.br" and other ".com.br" domains
    2. My server sends email saying "No such domain here"
    3. Their server bounces MY servers email message
    4. nobody@myserver.com sends me an email
    5. My mailbox fills up with bounced messages


    danyalgil1@yahoo.com.br
    SMTP error from remote mail server after end of data:
    host mx4.mail.yahoo.com [216.155.197.60]: 554 delivery error:
    dd This user doesn't have a yahoo.com.br account
    (danyalgil1@yahoo.com.br) [0] - mta216.mail.dcn.yahoo.com


    You can imagine that after a few days of this - it is now Sunday - it's a bit annoying.
    Is this happening to anyone else, and does anyone know how to fix this?

    Craig
     
  2. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    Yes, many of our current and new clients experience this very problem. AOL blacklisted our clients as well as other anti-spam entities. The best way is to find the culprit, stop them, and secure your server.
     
  3. Doolie

    Doolie Member

    Joined:
    Apr 22, 2005
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    The server itself is fine.
    The mail is being blocked and is not coming in to the server.
    The problem is that the Mailer-Daemon messages are bouncing back to me and filling up my mailbox.
    That's the fix I need.
     
  4. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Andy is referring to the fact that the email is coming to you via nobody@myserver.com which suggests that the reason you are getting those bounces is that you have had a PHP script compromised on your server and it is your server that is sending out the spam and that's why you're receiving the bounces. Best way to establish that is to analyse the email headers of the original spam. If you can post those here we can advise further.
     
  5. Doolie

    Doolie Member

    Joined:
    Apr 22, 2005
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    The header is below.

    The Brazilian spam emails coming in to the server are from a completely different IP address.

    My server is blocking those emails and then sending an "undeliverable" message back to the originators.

    The originators are bouncing the mail that we are sending back to them saying that OUR message is now the undeliverable one.

    Those messages are the messages that are coming back to ME saying that the mail I sent back to THEM couldn't be delivered.

    It's not a PHP script. It's the normal mailer daemon that notifies the root or admin when a message bounces. I'm getting thousands of those messages and all I want to know is how to stop them or redirect them so that I don't get a gazillion of them when these people start bombing again.

    I'm sure this is an easy fix. I just don't know how to fix it.

    _______________________________________________


    Return-path: <>
    Envelope-to: admin@myserver.com
    Delivery-date: Sun, 12 Feb 2006 10:49:01 -0500
    Received: from mainuser by adam.myserver.com with local-bsmtp (Exim 4.52)
    id 1F8JTX-0002Qp-DH
    for admin@myserver.com; Sun, 12 Feb 2006 10:49:01 -0500
    X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on
    adam.myserver.com
    X-Spam-Level:
    X-Spam-Status: No, score=0.9 required=5.0 tests=AWL,FRONTPAGE,NO_RELAYS
    autolearn=no version=3.1.0
    Received: from mailnull by adam.myserver.com with local (Exim 4.52)
    id 1F8JTX-0002Qj-B0
    for nobody@adam.myserver.com; Sun, 12 Feb 2006 10:49:01 -0500
    X-Failed-Recipients: garino@yahoo.com.br
    Auto-Submitted: auto-generated
    From: Mail Delivery System <Mailer-Daemon@adam.myserver.com>
    To: nobody@adam.myserver.com
    Subject: Mail delivery failed: returning message to sender
    Message-Id: <E1F8JTX-0002Qj-B0@adam.myserver.com>
    Date: Sun, 12 Feb 2006 10:49:01 -0500
     
  6. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    That's the header from the bounce, not the original email, so doesn't help. It's the email header reported within the bounce that you need.
     
  7. Doolie

    Doolie Member

    Joined:
    Apr 22, 2005
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    That's what I'm trying to tell you.
    The bounced messages are the ones causing a problem.
    I'm getting thousands of those.
     
  8. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    I know that. But you're posting the bounce header, not the information within the bounce which indicates its source.
     
  9. Doolie

    Doolie Member

    Joined:
    Apr 22, 2005
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    Subject: Mail delivery failed: returning message to sender
    From: "Mail Delivery System" <Mailer-Daemon@adam.myserver.com>
    Date: Sun, February 12, 2006 10:49 am
    To: nobody@adam.myserver.com
    Priority: Normal


    This message was created automatically by mail delivery software.

    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:

    garino@yahoo.com.br
    SMTP error from remote mail server after end of data:
    host mx2.mail.yahoo.com [67.28.113.19]: 554 delivery error:
    dd This user doesn't have a yahoo.com.br account (garino@yahoo.com.br) [-5] -
    mta251.mail.re2.yahoo.com

    ------ This is a copy of the message, including all the headers. ------

    Return-path: <nobody@adam.myserver.com>
    Received: from nobody by adam.myserver.com with local (Exim 4.52)
    id 1F8EFK-0004C1-HF
    for garino@yahoo.com.br; Sun, 12 Feb 2006 05:14:00 -0500
    To: garino@yahoo.com.br
    Subject: Windows Live Menssenger 8.0
    MIME-Version: 1.0
    Content-type: text/html; charset=iso-8859-1
    From: <microsoft@privacy.msn.com>
    Message-Id: <E1F8EFK-0004C1-HF@adam.myserver.com>
    Date: Sun, 12 Feb 2006 05:14:00 -0500
     
  10. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Great. So, it's definitely spam coming from your server:
    Check in your exim mainlog for the full transaction of message ID 1F8EFK-0004C1-HF
     
  11. Doolie

    Doolie Member

    Joined:
    Apr 22, 2005
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    Yes, it's the normal mailer daemon thing that lets us know when a mail bounces.
    Since every time we block a message, it sends an undeliverable message - those emails are bouncing to us as if we are in fact spamming ourselves.

    OK, will check the exim mainlog, but I'm pretty sure this is a standard feature of cPanel.
    If we could just have it so that certain IP ranges do not get a bounceback message from our server maybe that would be better?
     
  12. Lyttek

    Lyttek Well-Known Member

    Joined:
    Jan 2, 2004
    Messages:
    770
    Likes Received:
    3
    Trophy Points:
    18
    If I'm reading all the above correctly, "Nobody" is a script on your server. So when you see

    That says adam.myserver.com got a message from a script (nobody) on itself. That's the source of the original email: the one going to a non-existent account, so it is in effect spamming yourself...

    yes?
     
  13. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    It's not a bounceback. The header in the bounce clearly shows that the spam is originating from your server. You're seeing two things. The first is the original spam leaving your server, the second is the bounce from the recipient going back to the nobody user. Since you haven't configured nobody's email to be forwarded anywhere, it's going to the mailer-daemon which is routing to your root account.
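The diagnosis chirpy walks through above (read the Received: header inside the bounce, not the bounce's own header, then pull the transaction for that Exim message ID out of exim_mainlog) can be scripted. The following is an added example written for this thread, not code from cPanel or from anyone in the discussion. The sample bounce and the mainlog lines are constructed from the headers posted in this thread and follow Exim's standard log line shapes (`<=` arrival with `U=` user and `P=` protocol, `**` failed delivery, and a bounce arriving as `<= <>` with `R=` naming the original message); the `1ABCDE-000123-XY` transaction from host `192.0.2.10` is invented to show what a message relayed from a remote host looks like by contrast. The telling sign, as in the thread, is `with local` and `U=nobody`: the message was injected on the server itself by a process running as the web server user.

```python
"""Triage an Exim bounce: find where the bounced message was really injected.
Added example for this thread; the bounce and mainlog samples are CONSTRUCTED from
the headers posted above (the 1ABCDE-000123-XY / 192.0.2.10 case is invented)."""
import re

COPY_MARKER = "------ This is a copy of the message, including all the headers. ------"
EXIM_ID_RE = re.compile(r"\bid ([A-Za-z0-9]{6}-[A-Za-z0-9]{6}-[A-Za-z0-9]{2})\b")
RECEIVED_RE = re.compile(r"^from (\S+)(?: \((.*?)\))? by (\S+) with (\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

SAMPLE_BOUNCE = """\
recipients. This is a permanent error. The following address(es) failed:
  garino@yahoo.com.br
------ This is a copy of the message, including all the headers. ------

Return-path: <nobody@adam.myserver.com>
Received: from nobody by adam.myserver.com with local (Exim 4.52)
\tid 1F8EFK-0004C1-HF
\tfor garino@yahoo.com.br; Sun, 12 Feb 2006 05:14:00 -0500
To: garino@yahoo.com.br
Subject: Windows Live Menssenger 8.0
From: <microsoft@privacy.msn.com>
"""

# Contrasting constructed case: a message accepted over SMTP from another host.
SAMPLE_REMOTE_HEADERS = """\
Received: from mail.example.net ([192.0.2.10] helo=mail.example.net)
\tby adam.myserver.com with esmtp (Exim 4.52)
\tid 1ABCDE-000123-XY
\tfor someone@example.org; Sun, 12 Feb 2006 05:20:00 -0500
"""

# Constructed exim_mainlog excerpt: '<=' arrival (U= user, P= protocol), '**' failed
# delivery; the bounce itself arrives as '<= <>' with R=<original id>.
SAMPLE_MAINLOG = """\
2006-02-12 05:14:00 1F8EFK-0004C1-HF <= nobody@adam.myserver.com U=nobody P=local S=2871
2006-02-12 05:14:01 1F8EFK-0004C1-HF ** garino@yahoo.com.br R=lookuphost T=remote_smtp: SMTP error from remote mail server after end of data: host mx2.mail.yahoo.com [67.28.113.19]: 554 delivery error
2006-02-12 05:14:01 1F8JTX-0002Qj-B0 <= <> R=1F8EFK-0004C1-HF U=mailnull P=local S=3012
2006-02-12 05:14:01 1F8EFK-0004C1-HF Completed
2006-02-12 05:20:00 1ABCDE-000123-XY <= someone@example.net H=mail.example.net [192.0.2.10] P=esmtp S=1024
""".splitlines()

def split_bounce(bounce):
    """Return (failure report, copy of the original message) from an Exim bounce."""
    report, marker, original = bounce.partition(COPY_MARKER)
    if not marker:
        raise ValueError("copy-of-message marker not found; not an Exim bounce")
    return report.strip(), original.strip()

def parse_headers(text):
    """Ordered (name, value) pairs; folded continuation lines are joined back up."""
    headers = []
    for line in text.splitlines():
        if not line.strip():
            break  # blank line ends the header block
        if line[0] in " \t" and headers:
            headers[-1] = (headers[-1][0], headers[-1][1] + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers

def origin_of(headers):
    """Classify the first hop (bottom-most Received:). Exim writes 'with local' when
    a process on this host injected the message, so 'from' is a Unix user, not a host."""
    received = [v for n, v in headers if n.lower() == "received"]
    m = RECEIVED_RE.match(received[-1]) if received else None
    if not m:
        return {"injection": "unknown", "source": None, "ip": None, "exim_id": None}
    source, extra, _mta, proto = m.groups()
    ip, eid = IP_RE.search(extra or ""), EXIM_ID_RE.search(received[-1])
    return {"injection": "local" if proto.startswith("local") else "remote",
            "source": source, "ip": ip.group(1) if ip else None,
            "exim_id": eid.group(1) if eid else None}

def mainlog_transaction(lines, exim_id):
    """All mainlog lines for one message, including the bounce that refers to it (R=)."""
    pat = re.compile(r"(?:\s|R=)" + re.escape(exim_id) + r"(?:\s|$)")
    return [line for line in lines if pat.search(line)]

def injector(lines, exim_id):
    """From the message's '<=' line: U= is the Unix user that ran Exim, P= the protocol."""
    for line in lines:
        parts = line.split()
        if len(parts) > 3 and parts[2] == exim_id and parts[3] == "<=":
            m = re.search(r"(?:U=(\S+)\s+)?P=(\S+)", line)
            return {"user": m.group(1), "protocol": m.group(2)} if m else None
    return None

def triage(bounce, mainlog_lines):
    """Join the origin found inside the bounce with the mainlog transaction."""
    _report, original = split_bounce(bounce)
    result = origin_of(parse_headers(original))
    eid = result["exim_id"]
    result["mainlog"] = mainlog_transaction(mainlog_lines, eid) if eid else []
    result["injector"] = injector(mainlog_lines, eid) if eid else None
    return result

if __name__ == "__main__":
    print(triage(SAMPLE_BOUNCE, SAMPLE_MAINLOG))
```

Run it as-is and `triage()` reports `injection: local`, `source: nobody`, the ID `1F8EFK-0004C1-HF`, and the four mainlog lines for that transaction, the first of which carries `U=nobody P=local`. On a real box the same lookup is the `grep` of the ID against `/var/log/exim_mainlog` that chirpy asked for; a `remote` result with an `H=` host on the arrival line would instead point at relaying rather than at a local script.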
     