The Community Forums


Interesting spam sent via Exim...

Discussion in 'General Discussion' started by ispro, Mar 6, 2006.

ispro (Well-Known Member; joined Apr 8, 2004; 628 messages)
    Chirpy, perhaps you could be able to help? :)

    Yesterday we got the warning from our Datacenter about phishing email sent.

    We have reviewed logs and found some interesting things (partial logs of course).

    Code:
    2006-03-06 03:39:09 SMTP connection from [58.69.8.77]:3056 I=[OURIP]:25 (TCP/IP connection count = 3)
    2006-03-06 03:39:10 no IP address found for host 58.69.8.77.pldt.net (during SMTP connection from (COMETTA) [58.69.8.77]:3056 I=[OURIP]:25)
    2006-03-06 03:39:10 1FG4gn-0000UC-Qq <= mquinbiz@bellsouth.net H=localhost (OURHOSTNAME) [127.0.0.1]:53606 I=[127.0.0.1]:25 P=smtp S=32232 id=009901c4bb26$7a1b82ef$586ac347@ofkl T="Scanned cheque, $17,051.58 to your e-gold" from <mquinbiz@bellsouth.net> for jsholmes@ozlinx.com.au
    2006-03-06 03:39:10 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1FG4gn-0000UC-Qq
    2006-03-06 03:39:10 SMTP connection from localhost (OURHOSTNAME) [127.0.0.1]:53606 I=[127.0.0.1]:25 closed by QUIT
    2006-03-06 03:39:11 1FG4gn-0000UC-Qq ** jsholmes@ozlinx.com.au F=<mquinbiz@bellsouth.net> R=fail_remote_domains: unrouteable mail domain "ozlinx.com.au"
    2006-03-06 03:39:11 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1FG4gn-0000UC-Qq
    
    It is clear that the email was not delivered (as relaying is forbidden, right?) - the emails were unrouteable as well, but some were mysteriously sent, as Spamcop got the report...

    We have phpsuexec installed, mails from nobody are blocked, POP before SMTP not allowed, just the plain SMTP Authorization and etc. What way has been used to send these emails? I'm really confused...

    EDIT: Looks like we have found something even more interesting... Check the domain ozlinx.com.au and you will see that its A record is 127.0.0.1 (!):
    Code:
    $ host ozlinx.com.au ns1.ev1.net
    Using domain server:
    Name: ns1.ev1.net
    Address: 216.88.76.6#53
    Aliases:
    
    ozlinx.com.au has address 127.0.0.1
    
    The domain ozlinx.com.au is hosted on HostGator. We will contact them for explanations.
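The two oddities in the post's log excerpt are that the message was accepted from the loopback interface (H=localhost [127.0.0.1]) with an external sender address, and that the recipient domain's A record points at 127.0.0.1. The script below is an added example, not code from the poster or from cPanel/Exim: it parses Exim mainlog arrival lines (the `<=` records) and flags both conditions. The log lines, the local-domain set, and the `FAKE_DNS` table that stands in for a real resolver are all constructed for the example; replace `resolve` with a real DNS lookup (e.g. `socket.gethostbyname_ex`) to run it against live data.

```python
"""Flag Exim mainlog arrivals that match the loopback-routing pattern in the post.

Added example; everything below except the Exim log format is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the post's excerpt. The hostname in
# parentheses and the third (benign) line are invented for the example.
SAMPLE_LOG = """\
2006-03-06 03:39:10 1FG4gn-0000UC-Qq <= mquinbiz@bellsouth.net H=localhost (mail.example.net) [127.0.0.1]:53606 I=[127.0.0.1]:25 P=smtp S=32232 T="Scanned cheque" from <mquinbiz@bellsouth.net> for jsholmes@ozlinx.com.au
2006-03-06 03:39:11 1FG4gn-0000UC-Qq ** jsholmes@ozlinx.com.au F=<mquinbiz@bellsouth.net> R=fail_remote_domains: unrouteable mail domain "ozlinx.com.au"
2006-03-06 04:00:00 1FG5aa-0000ZZ-Ab <= alice@example.org H=smtp.example.org [203.0.113.5]:40000 I=[192.0.2.10]:25 P=esmtp S=512 T="hi" from <alice@example.org> for bob@example.net
"""

# Constructed stand-in for DNS (domain -> A records) so the example runs offline.
FAKE_DNS = {
    "ozlinx.com.au": ["127.0.0.1"],  # the anomaly reported in the post
    "example.net": ["192.0.2.10"],   # documentation address, assumed legitimate
}

# Constructed: domains this server is authoritative for (cPanel "local" domains).
LOCAL_DOMAINS = {"example.net"}

# Exim arrival record: "<timestamp> <msgid> <= <sender> H=<host> [(<name>)] [<ip>]... for <rcpt>"
ARRIVAL = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+) "
    r"H=(?P<host>\S+)(?: \([^)]*\))? \[(?P<ip>[^\]]+)\].* for (?P<rcpt>\S+)$"
)


@dataclass
class Finding:
    message_id: str
    sender: str
    recipient: str
    source_ip: str
    reasons: list = field(default_factory=list)


def is_loopback_or_unroutable(addr: str) -> bool:
    """True for A records that can never be a legitimate remote mail host."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified or ip.is_link_local or ip.is_multicast


def sender_domain(address: str) -> str:
    """Domain part of an envelope sender; '<>' (bounce) yields ''."""
    return address.strip("<>").rsplit("@", 1)[-1].lower() if "@" in address else ""


def scan(log_text: str, resolve=lambda d: FAKE_DNS.get(d, [])) -> list:
    """Return one Finding per suspicious arrival line in log_text."""
    findings = []
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if not m:
            continue  # delivery (=>) and failure (**) records are not arrivals
        reasons = []
        rcpt_domain = m["rcpt"].rsplit("@", 1)[-1].lower()
        bad = [a for a in resolve(rcpt_domain) if is_loopback_or_unroutable(a)]
        if bad:
            reasons.append(f"recipient domain {rcpt_domain} resolves to {', '.join(bad)}")
        # Mail submitted over the loopback interface normally comes from this
        # box's own domains; an external sender there deserves a look.
        if ipaddress.ip_address(m["ip"]).is_loopback and sender_domain(m["sender"]) not in LOCAL_DOMAINS:
            reasons.append(f"accepted from loopback {m['ip']} with external sender {m['sender']}")
        if reasons:
            findings.append(Finding(m["id"], m["sender"], m["rcpt"], m["ip"], reasons))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.message_id}: {f.sender} -> {f.recipient} from [{f.source_ip}]")
        for r in f.reasons:
            print(f"    - {r}")
```

On the constructed sample the first message is reported for both reasons and the benign third line is not reported. The failure (`**`) line is deliberately ignored: it already tells you the router refused the domain, and the point of the scan is to find the arrivals that should not have been accepted in the first place.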