new kind of spammer?

Discussion in 'General Discussion' started by luis, Jul 1, 2006.

  1. luis

    For the second time in a week my server has been used to send out spam.

    The first time was at the end of last week. Investigating, I found that the spammer seemed to have a password for a client's email account, since:
    a) all the spam originated from that account and
    b) analyzing the headers of the spam messages, the mail was sent by an authenticated user, using an email client (I mean, it wasn't sent by "nobody" exploiting a web form or something like that; the headers were very clean)

    Anyway, I suspended the account, discussed the problem with the client and we ended up suspecting at that moment that it was an isolated case of a worm, trojan or keylogger on his machine.

    But...

    The second time was yesterday... It was exactly the same method and type of spam:
    * very short message
    * porn type
    * every mail was to exactly 10 recipients
    * short message with an <img> tag to display an external image
    So I suspect it was the same spammer.
    Only this time he was using a completely different mail account. The interesting part is that this email account is from another client that has no relation with the first one whatsoever.

    Taking this into account, now I'm considering the possibility that somehow spammers are getting email passwords at the server end. I'm suspecting packet sniffing at the datacenter.

    Clues anyone?

    Thanks in advance
     
    #1 luis, Jul 1, 2006
    Last edited: Jul 1, 2006
  2. bmcpanel

    Maybe someone has root access to your box. Check for evidence of intrusion.
     
  3. luis

    Of course that is always a possibility, but I don't think the evidence points that way... A user with root access could easily create an email account instead of using an existing one from a web hosting customer... or even find a way to send those without leaving evidence...

    Has anyone had this type of issue?
     
  4. MMarko

    Contact Chirpy for this issue... he might help.
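
The pattern described in the first post (authenticated submissions, each message to exactly 10 recipients, from unrelated mailboxes) can be looked for in the mail log. The following is an added example, not part of the thread: it assumes an Exim-style main log layout, the sample lines are constructed, and all function names are hypothetical.

```python
import re
from collections import defaultdict

# Assumed Exim-style main log fields: "<=" arrival with [client IP] and
# A=<authenticator>:<login>; "=>" / "->" one line per delivered recipient.
ARRIVAL = re.compile(r"^\S+ \S+ (?P<id>\S+) <= \S+ .*?\[(?P<ip>[^\]]+)\].*? A=\w+:(?P<auth>\S+)")
DELIVERY = re.compile(r"^\S+ \S+ (?P<id>\S+) (?:=>|->) (?P<rcpt>\S+)")

def build_sample():
    """Constructed log, not real data: (login, client IP, recipient count) per message."""
    plan = [("alice@client-one.example", "203.0.113.45", 10)] * 3
    plan += [("bob@client-two.example", "203.0.113.45", 10)] * 2
    plan += [("carol@client-three.example", "198.51.100.20", 3)]
    lines = ["2006-06-30 13:59:00 1Fw000-0000AA-BB <= nobody@host.example U=nobody P=local S=500"]
    for n, (auth, ip, count) in enumerate(plan, start=1):
        mid = f"1Fw{n:03d}-0000AA-BB"
        lines.append(f"2006-06-30 14:{n:02d}:00 {mid} <= {auth} H=(pc) [{ip}] P=esmtpa A=login:{auth} S=812")
        lines += [f"2006-06-30 14:{n:02d}:01 {mid} => r{n}x{i}@example.net R=lookuphost T=remote_smtp"
                  for i in range(count)]
    return "\n".join(lines)

def summarize(log_text):
    """Per authenticated login: message count, ten-recipient messages, client IPs."""
    msgs = {}  # message id -> (login, client IP, recipients seen)
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if m:
            msgs[m["id"]] = (m["auth"], m["ip"], set())
            continue
        m = DELIVERY.match(line)
        if m and m["id"] in msgs:  # deliveries of unauthenticated mail are skipped
            msgs[m["id"]][2].add(m["rcpt"])
    stats = defaultdict(lambda: {"messages": 0, "ten_rcpt": 0, "ips": set()})
    for auth, ip, rcpts in msgs.values():
        stats[auth]["messages"] += 1
        stats[auth]["ten_rcpt"] += int(len(rcpts) == 10)
        stats[auth]["ips"].add(ip)
    return dict(stats)

def suspicious(stats, min_batches=2):
    """Logins that sent at least min_batches messages to exactly 10 recipients."""
    return sorted(a for a, s in stats.items() if s["ten_rcpt"] >= min_batches)

def shared_ips(stats, logins):
    """Client IPs seen on every flagged login: a hint that one sender holds several passwords."""
    sets = [stats[a]["ips"] for a in logins]
    return set.intersection(*sets) if sets else set()

if __name__ == "__main__":
    st = summarize(build_sample())
    print(suspicious(st), shared_ips(st, suspicious(st)))
```

A client IP shared by otherwise unrelated flagged logins supports the "same spammer" reading, but it does not by itself show how the passwords were obtained.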
     
