The Community Forums


Is This A Case Of Zombie M/c?

Discussion in 'General Discussion' started by anup123, May 29, 2005.

  1. anup123

    anup123 Well-Known Member

    Joined:
    Mar 29, 2004
    Messages:
    897
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    This Planet
    I have a corporate client using account primarily for mails, though there is a site (no php/pl/cgi ... just plain html content)

    I know they are not spammers. But I get this often:

    2005-05-29 15:35:11 1DcKaT-0006x8-UD H=(srvinet) [xxx.xxx.xx.xxx] F=<wojtek@seznam.cz> rejected after DATA: This message scored 21.6 spam points. Sorry we do not allow such mails.
    Envelope-from: <wojtek@seznam.cz>
    Envelope-to: <rvlb8a0eup4j9j@se.net>
    P Received: from [xxx.xxx.xx.xxx] (helo=srvinet)
    by ourserverhostname.tld with esmtp (Exim 4.50)
    id 1DcKaT-0006x8-UD
    for rvlb8a0eup4j9j@se.net; Sun, 29 May 2005 15:30:06 +0530
    P Received: from 127.0.0.1 by srvinet ([127.0.0.1] running VPOP3) with SMTP for <rvlb8a0eup4j9j@se.net>; Sun, 29 May 2005 15:29:10 +0530
    Date: Mon, 23 May 2005 17:18:34 +0000
    F From: Wojtek <wojtek@seznam.cz>
    Subject: Rvlb8a0eup4j9j, OEM Šŏftware!!!!! – Instant download – ŠŬPĔŔ ÐÎSC0ÜNTs..
    T To: Rvlb8a0eup4j9j <rvlb8a0eup4j9j@se.net>
    References: <8886AJ2G5BI4EJB3@se.net>
    In-Reply-To: <8886AJ2G5BI4EJB3@se.net>
    I Message-ID: <8CL21C7F82691JA7@seznam.cz>
    R Reply-To: Calendarspske <calendarspske@ftknowledge.com>
    S Sender: K6j32 <k6j32@dth.com>
    MIME-Version: 1.0
    Content-Type: text/html
    Content-Transfer-Encoding: 8bit
    X-Server: VPOP3 V1.4.0e - Registered to: Manoj


    POP before SMTP.
    POP'ing from fixed IP xxx.xxx.xx.xxx
    srvinet is one of the m/c on the client's network.
    I am aware that Manoj (as in X-Server) is their CEO's First Name.

    Being a corporate house, I am dead sure they are not spammers. They are manufacturers of electrical and telecom panels and equipment.

    Is this a case of hijacked/zombie machine on their network? Nothing is able to go through so far.

    Any Clue?

    TIA
     
    #1 anup123, May 29, 2005
    Last edited: May 29, 2005
  2. Trigger

    Trigger Well-Known Member

    Joined:
    May 17, 2003
    Messages:
    87
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Brisbane
    Is this line their IP address?
    If not then you just have someone phishing email and using their name to send emails out. Because the email identifies itself using their email address the bounce back comes back to them.

    If that's the case then there is not a lot you can do about it. SPF records will help, but not everyone has them implemented or is using them to make sure that the email is from who it says it is from.
     
  3. anup123

    anup123 Well-Known Member

    Joined:
    Mar 29, 2004
    Messages:
    897
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    This Planet
    Yes, that's their fixed IP address.
    Oh yes, I have SPF records for all our clients published.

    Anup
     
    #3 anup123, May 29, 2005
    Last edited: May 29, 2005
  4. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    As Trigger says, the important part is the first Received header record, and if that is their fixed IP address then more than likely they have a virus on one of their local PCs.
     
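    The check Trigger and chirpy describe, as an added example that is not part of the thread: unfold a message's headers, read the Received chain newest-first, and report whether the hop into our Exim server came from the client's fixed IP, plus which client-side relays the message crossed before that. The sample headers are constructed from the quoted reject; the 192.0.2.45 address and the CLIENT_FIXED_IPS set are assumptions.

```python
import re
# Constructed sample modelled on the rejected message's headers quoted in the
# thread; 192.0.2.45 stands in for the client's masked fixed IP xxx.xxx.xx.xxx.
CLIENT_SAMPLE = """\
Received: from [192.0.2.45] (helo=srvinet)
\tby ourserverhostname.tld with esmtp (Exim 4.50)
\tid 1DcKaT-0006x8-UD
\tfor rvlb8a0eup4j9j@se.net; Sun, 29 May 2005 15:30:06 +0530
Received: from 127.0.0.1 by srvinet ([127.0.0.1] running VPOP3) with SMTP for <rvlb8a0eup4j9j@se.net>; Sun, 29 May 2005 15:29:10 +0530
From: Wojtek <wojtek@seznam.cz>
"""
# Addresses the client's POP-before-SMTP relay permission is tied to (assumed).
CLIENT_FIXED_IPS = {"192.0.2.45"}
RECEIVED_RE = re.compile(
    r"from\s+\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?"  # connecting address
    r"(?:\s*\(helo=(?P<helo>[^)]*)\))?"              # HELO name, if logged
    r".*?\bby\s+(?P<by>\S+)")                        # host that accepted it

def unfold(raw):
    """Join folded continuation lines; return (name, value) header pairs."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1][1] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append([name.strip(), value.strip()])
    return fields

def received_hops(raw):
    """Parse Received headers newest-first (top of message = hop into our MX)."""
    hops = []
    for name, value in unfold(raw):
        m = RECEIVED_RE.search(value) if name.lower() == "received" else None
        if m:
            hops.append(m.groupdict())
    return hops

def classify(raw, trusted=CLIENT_FIXED_IPS):
    """Apply chirpy's test: did the message enter our MX from the client's IP?"""
    hops = received_hops(raw)
    if not hops:
        return {"verdict": "no-received-header"}
    entry = hops[0]
    verdict = ("relayed-from-client-network" if entry["ip"] in trusted
               else "sender-spoofed-external-origin")
    # Inner hops name the client-side relays the message crossed before ours.
    return {"verdict": verdict, "entry_ip": entry["ip"], "entry_helo": entry["helo"],
            "inner_relays": [h["by"] for h in hops[1:]]}
```

    A "relayed-from-client-network" verdict with an inner relay such as srvinet points at a machine inside the client's LAN submitting mail through their own server, which is the pattern a hijacked PC produces.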
  5. anup123

    anup123 Well-Known Member

    Joined:
    Mar 29, 2004
    Messages:
    897
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    This Planet
    At noon I got a mail from them saying they urgently wanted to shift another domain of theirs to us. Around the same time all this started (though nothing of it could get through), and we alerted them with the details and asked them to check "srvinet", and we got a reply that they had seen a few virus mails.

    Their "other domain" is on a Windows Server with someone else on the serverbeach network. (We are M$ free.) Then all this subsided. So apparently it is a case of virus infection, though we are still waiting for feedback from them on our request to let us have the complete header of the infected mail.

    Thanks
    Anup
     