Interesting spam sent via Exim...

ispro

Well-Known Member
Verified Vendor
Apr 8, 2004
Chirpy, perhaps you could help? :)

Yesterday we got a warning from our datacenter about phishing email being sent.

We have reviewed logs and found some interesting things (partial logs of course).

Code:
2006-03-06 03:39:09 SMTP connection from [58.69.8.77]:3056 I=[OURIP]:25 (TCP/IP connection count = 3)
2006-03-06 03:39:10 no IP address found for host 58.69.8.77.pldt.net (during SMTP connection from (COMETTA) [58.69.8.77]:3056 I=[OURIP]:25)
2006-03-06 03:39:10 1FG4gn-0000UC-Qq <= [email protected] H=localhost (OURHOSTNAME) [127.0.0.1]:53606 I=[127.0.0.1]:25 P=smtp S=32232 [email protected] T="Scanned cheque, $17,051.58 to your e-gold" from <[email protected]> for [email protected]
2006-03-06 03:39:10 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1FG4gn-0000UC-Qq
2006-03-06 03:39:10 SMTP connection from localhost (OURHOSTNAME) [127.0.0.1]:53606 I=[127.0.0.1]:25 closed by QUIT
2006-03-06 03:39:11 1FG4gn-0000UC-Qq ** [email protected] F=<[email protected]> R=fail_remote_domains: unrouteable mail domain "ozlinx.com.au"
2006-03-06 03:39:11 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1FG4gn-0000UC-Qq
It is clear that the email was not delivered (as relaying is forbidden, right?) - the emails were unrouteable as well, but some were mysteriously sent, as SpamCop got the report...

We have phpsuexec installed, mail from nobody is blocked, POP before SMTP is not allowed, just plain SMTP authorization, etc. What method was used to send these emails? I'm really confused...

EDIT: Looks like we have found something even more interesting... Check the domain ozlinx.com.au and you will see that its A record is 127.0.0.1 (!):
Code:
$ host ozlinx.com.au ns1.ev1.net
Using domain server:
Name: ns1.ev1.net
Address: 216.88.76.6#53
Aliases:

ozlinx.com.au has address 127.0.0.1
The domain ozlinx.com.au is hosted at HostGator. We will contact them for an explanation.
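As an added example (not part of the original post, and not Exim's own tooling), here is a small Python parser that works through Exim mainlog lines like the ones quoted above. It groups arrival (<=) and failure (**) records by message ID, notes when a message was handed to Exim over the loopback interface (H=... [127.0.0.1]) rather than by the remote peer, pairs that with a later "unrouteable mail domain" failure, and checks whether the failing domain resolves to a loopback address, the combination the post describes. The log lines are constructed placeholders modelled on the post (addresses and host names are made up), and the FAKE_DNS table stands in for the `host` lookup so the script runs offline; on a real system you would swap in a resolver call.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed Exim mainlog lines modelled on the post; addresses and host
# names are placeholders, not data from a live system.
SAMPLE_LOG = """\
2006-03-06 03:39:09 SMTP connection from [58.69.8.77]:3056 I=[192.0.2.10]:25 (TCP/IP connection count = 3)
2006-03-06 03:39:10 1FG4gn-0000UC-Qq <= sender@example.net H=localhost (mail.example.com) [127.0.0.1]:53606 I=[127.0.0.1]:25 P=smtp S=32232 id=abc@example.net T="Scanned cheque, $17,051.58 to your e-gold" from <sender@example.net> for victim@ozlinx.com.au
2006-03-06 03:39:10 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1FG4gn-0000UC-Qq
2006-03-06 03:39:11 1FG4gn-0000UC-Qq ** victim@ozlinx.com.au F=<sender@example.net> R=fail_remote_domains: unrouteable mail domain "ozlinx.com.au"
2006-03-06 03:40:00 1FG4h2-0000UD-Ab <= alice@example.org H=mx.example.org [198.51.100.7]:25 I=[192.0.2.10]:25 P=esmtp S=1200 for bob@example.com
2006-03-06 03:40:01 1FG4h2-0000UD-Ab => bob@example.com R=local_user T=local_delivery
"""

# Stand-in for a DNS lookup (assumption: a real deployment would query a
# resolver here). The ozlinx.com.au entry mirrors the oddity in the post.
FAKE_DNS = {
    "ozlinx.com.au": ["127.0.0.1"],
    "example.com": ["192.0.2.20"],
}

# Arrival record: "<id> <= <sender> H=<host> (<helo>)? [<ip>]:<port> ... for <rcpts>"
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+) "
    r"H=(?P<host>\S+)(?: \([^)]*\))? \[(?P<ip>[^\]]+)\]:\d+ "
    r".*? for (?P<rcpts>.+)$"
)

# Failure record: "<id> ** <rcpt> ... R=<router>: unrouteable mail domain "<domain>""
FAILURE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<id>\S+) \*\* (?P<rcpt>\S+) .*?"
    r"R=(?P<router>\S+): unrouteable mail domain \"(?P<domain>[^\"]+)\""
)


def resolves_to_loopback(domain, resolver=FAKE_DNS):
    """True if the resolver returns addresses for `domain` and all are loopback."""
    addrs = resolver.get(domain.lower(), [])
    return bool(addrs) and all(ipaddress.ip_address(a).is_loopback for a in addrs)


def parse_log(text):
    """Group arrival (<=) and failure (**) records by Exim message ID."""
    msgs = defaultdict(lambda: {
        "host": None,                # H= value from the arrival line
        "loopback_injection": False, # message handed to Exim over 127.0.0.1 / ::1
        "rcpts": [],
        "unrouteable": [],           # domains that failed as unrouteable
    })
    for line in text.splitlines():
        m = ARRIVAL_RE.match(line)
        if m:
            rec = msgs[m["id"]]
            rec["host"] = m["host"]
            rec["loopback_injection"] = ipaddress.ip_address(m["ip"]).is_loopback
            rec["rcpts"] = m["rcpts"].split()
            continue
        m = FAILURE_RE.match(line)
        if m:
            msgs[m["id"]]["unrouteable"].append(m["domain"])
    return dict(msgs)


def suspicious_messages(text, resolver=FAKE_DNS):
    """IDs of messages injected over loopback whose failing recipient domain
    itself resolves to a loopback address."""
    flagged = []
    for mid, rec in parse_log(text).items():
        if rec["loopback_injection"] and any(
            resolves_to_loopback(d, resolver) for d in rec["unrouteable"]
        ):
            flagged.append(mid)
    return sorted(flagged)


if __name__ == "__main__":
    msgs = parse_log(SAMPLE_LOG)
    for mid in suspicious_messages(SAMPLE_LOG):
        print(mid, msgs[mid])
```

One caveat when reading the H= field this way: if a local content scanner or proxy accepts mail and re-injects it into Exim on 127.0.0.1, every message shows H=localhost and the loopback signal alone tells you little; the "SMTP connection from [...]" lines, which carry the real peer address but no message ID, have to be correlated by timestamp and connection count instead.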