Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Joe-Jobs all of a sudden

Discussion in 'General Discussion' started by DavidR, Nov 23, 2005.

  1. DavidR

    DavidR Well-Known Member

    Feb 25, 2003
    Likes Received:
    Trophy Points:
    I'd like some advice in identifying just what might be going on here. For the past few days I have been receiving a lot of bounced emails that look like they were sent to 3rd parties with the "from" address spoofed as The only thing these domains have in common is that they are hosted on the same server - Linux/WHM. At first I thought perhaps the contact forms on some osCommerce sites had been used to send spam so I am adding some safeguards to those and new mod security rules found here and around. However, not all of these sites have a contact form. I've had my own address spoofed before but I am curious as to why/how this time it would involve all these domains from my server. Does this sound like a particular attack of some sort? The only two places these addresses are found together are on the server and my own box. I can't find anything active on either. Some of these bounce-backs are carrying W32/Sober.AD-mm and similar, but most are just a failure bounce from an attempt to email dozens of addresses that don't exist. Does this sound familiar to anyone?

  2. abubin

    abubin Well-Known Member

    Dec 7, 2004
    Likes Received:
    Trophy Points:
    I hate joe-jobs!! I remember having massive problems when I was attacked by some joe-jobs.

    Anyway, if it involves worms like the sober, perhaps some of your users are infected with this worm which will send out emails automatically from the infected PC.
  3. brianoz

    brianoz Well-Known Member

    Mar 13, 2004
    Likes Received:
    Trophy Points:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    It's probably bounce messages from the Sober virus, which apparently has rather quickly risen to the top of the active email-worm-virus list.

    If you're getting flooded out of existence, one way to get yourself out of the hole is to redirect postmaster to fail for the next 48 hours or so, this will cause all the bogus bounces to get refused when they connect, which uses an order of magnitude less resources and should in itself return your machine to normal use.

    I'm not sure how to do this through WHM, but you can do it via editing /etc/aliases and /etc/myaliases (I think myaliases is the one that matters) and replacing the target with ":fail: postmaster has been disabled during virus storm" or something similar.
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice