For the second time in a week my server has been used to send out spam.
The first time was at the end of last week. Investigating, I found that the spammer seemed to have the password for a client's email account, since:
a) all the spam originated from that account, and
b) analyzing the headers of the spam messages showed the mail was sent by an authenticated user, using an email client (I mean, it wasn't sent by "nobody" exploiting a web form or something like that; the headers were very clean)
Anyway, I suspended the account, discussed the problem with the client and we ended up suspecting at that moment that it was an isolated case of a worm, trojan or keylogger on his machine.
But...
The second time was yesterday... It was exactly the same method and type of spam:
* very short message
* porn type
* every mail was to exactly 10 recipients
* short message with an <img> tag to display an external image
So I suspect it was the same spammer.
Only this time he was using a completely different mail account. The interesting part is that this email account belongs to another client that has no relation to the first one whatsoever.
Taking this into account, now I'm considering the possibility that somehow spammers are getting email passwords at the server end. I'm suspecting packet sniffing at the datacenter.
Clues anyone?
Thanks in advance
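The check a practitioner would run next, as an added example that is not part of the original post: correlate the mail server's own submission logs so the two compromised accounts can be compared by source address. If the same connecting IP authenticated as both unrelated accounts, one actor is holding several harvested passwords; if each account was only ever used from its owner's usual address, the problem is more likely on the clients' machines. The code assumes Postfix-style smtpd/qmgr log lines joined by queue ID; the log lines, account names, IPs and the "known IP" map below are all constructed for illustration.

```python
"""Correlate authenticated submissions in Postfix logs by account and source IP.

Added example, not code from the original post. Assumes Postfix-style
smtpd/qmgr log lines; the sample lines, addresses and IPs are constructed.
"""
import re
from collections import defaultdict

# Constructed sample log: two accounts at different clients, both submitting
# 10-recipient messages from the same unknown address, plus one legitimate send.
SAMPLE_LOG = """\
Jun 12 03:14:01 mx postfix/smtpd[1201]: 4F1A2B: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice@client-one.example
Jun 12 03:14:02 mx postfix/qmgr[900]: 4F1A2B: from=<alice@client-one.example>, size=812, nrcpt=10 (queue active)
Jun 12 03:14:05 mx postfix/smtpd[1203]: 4F1A2C: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice@client-one.example
Jun 12 03:14:06 mx postfix/qmgr[900]: 4F1A2C: from=<alice@client-one.example>, size=799, nrcpt=10 (queue active)
Jun 12 09:30:11 mx postfix/smtpd[1250]: 4F1B01: client=office.client-one.example[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@client-one.example
Jun 12 09:30:12 mx postfix/qmgr[900]: 4F1B01: from=<alice@client-one.example>, size=2310, nrcpt=1 (queue active)
Jun 13 02:05:40 mx postfix/smtpd[1301]: 4F2C10: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=bob@client-two.example
Jun 13 02:05:41 mx postfix/qmgr[900]: 4F2C10: from=<bob@client-two.example>, size=805, nrcpt=10 (queue active)
Jun 13 02:05:44 mx postfix/smtpd[1302]: 4F2C11: client=unknown[203.0.113.77], sasl_method=LOGIN, sasl_username=bob@client-two.example
Jun 13 02:05:45 mx postfix/qmgr[900]: 4F2C11: from=<bob@client-two.example>, size=810, nrcpt=10 (queue active)
"""

# smtpd record: which SASL user authenticated from which client IP for a queue ID.
SMTPD_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=[^\[]*\[(?P<ip>[^\]]+)\]"
    r".*?sasl_username=(?P<user>\S+)"
)
# qmgr record: recipient count for the same queue ID.
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<[^>]*>, size=\d+, nrcpt=(?P<nrcpt>\d+)"
)


def parse_submissions(log_text):
    """Join smtpd and qmgr lines by queue ID into one record per authenticated submission."""
    auth = {}   # qid -> (sasl user, client ip)
    rcpts = {}  # qid -> recipient count
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            auth[m["qid"]] = (m["user"], m["ip"])
            continue
        m = QMGR_RE.search(line)
        if m:
            rcpts[m["qid"]] = int(m["nrcpt"])
    return [
        {"qid": qid, "user": user, "ip": ip, "nrcpt": rcpts.get(qid, 0)}
        for qid, (user, ip) in auth.items()
    ]


def summarize_accounts(submissions, burst_rcpt=10, known_ips=None):
    """Per account: source IPs seen, messages at the spam fan-out, and IPs not on the owner's known list."""
    known_ips = known_ips or {}
    out = defaultdict(lambda: {"ips": set(), "burst_messages": 0, "unknown_ips": set()})
    for s in submissions:
        acct = out[s["user"]]
        acct["ips"].add(s["ip"])
        if s["nrcpt"] >= burst_rcpt:
            acct["burst_messages"] += 1
        if s["ip"] not in known_ips.get(s["user"], set()):
            acct["unknown_ips"].add(s["ip"])
    return dict(out)


def shared_submission_ips(submissions):
    """IPs that authenticated as more than one account: one actor holding several passwords."""
    users_by_ip = defaultdict(set)
    for s in submissions:
        users_by_ip[s["ip"]].add(s["user"])
    return {ip: users for ip, users in users_by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    subs = parse_submissions(SAMPLE_LOG)
    # Constructed: the only address the first client normally sends from.
    known = {"alice@client-one.example": {"198.51.100.7"}}
    for user, info in summarize_accounts(subs, known_ips=known).items():
        print(user, sorted(info["ips"]), "burst:", info["burst_messages"],
              "unknown:", sorted(info["unknown_ips"]))
    for ip, users in shared_submission_ips(subs).items():
        print("shared source", ip, "->", sorted(users))
```

Run it against the real mail log (the smtpd and qmgr lines for the days in question) instead of SAMPLE_LOG, and fill the known-IP map from each client's normal addresses. A source address that shows up under both unrelated accounts, with the 10-recipient pattern, points at one actor with a list of stolen credentials rather than two independent infections; then the question becomes where that list came from, and whether the accounts authenticated without TLS.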