Interesting spam sent via Exim...

Discussion in 'General Discussion' started by ispro, Mar 6, 2006.

  1. ispro

    ispro Well-Known Member Verified Vendor

    Apr 8, 2004
    Chirpy, perhaps you would be able to help? :)

    Yesterday we got a warning from our datacenter about phishing email being sent.

    We have reviewed the logs and found some interesting things (partial logs, of course).

    2006-03-06 03:39:09 SMTP connection from []:3056 I=[OURIP]:25 (TCP/IP connection count = 3)
    2006-03-06 03:39:10 no IP address found for host (during SMTP connection from (COMETTA) []:3056 I=[OURIP]:25)
    2006-03-06 03:39:10 1FG4gn-0000UC-Qq <= H=localhost (OURHOSTNAME) []:53606 I=[]:25 P=smtp S=32232 id=009901c4bb26$7a1b82ef$586ac347@ofkl T="Scanned cheque, $17,051.58 to your e-gold" from <> for
    2006-03-06 03:39:10 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1FG4gn-0000UC-Qq
    2006-03-06 03:39:10 SMTP connection from localhost (OURHOSTNAME) []:53606 I=[]:25 closed by QUIT
    2006-03-06 03:39:11 1FG4gn-0000UC-Qq ** F=<> R=fail_remote_domains: unrouteable mail domain ""
    2006-03-06 03:39:11 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1FG4gn-0000UC-Qq
    It is clear that the email was not delivered (as relay is forbidden, right?) - the emails were also unrouteable, but some were mysteriously sent, as Spamcop got the report...

    We have phpsuexec installed, mails from nobody are blocked, POP before SMTP is not allowed, just plain SMTP authorization, etc. What method has been used to send these emails? I'm really confused...

    EDIT: Looks like we have found something even more interesting... Check the domain and you will see that its A record is (!):
    $ host
    Using domain server:
    Aliases: has address
    The domain is hosted on HostGator. We will contact them for explanations.