luis

Well-Known Member
Sep 3, 2001
For the second time in a week my server has been used to send out spam.

The first time was at the end of last week. Investigating, I found that the spammer seemed to have the password for a client's email account since:
a) all the spam originated from that account and
b) analyzing the headers of the spam messages, the mail was sent by an authenticated user, using an email client (I mean, it wasn't sent by "nobody" exploiting a web form or something like that, headers were very clean)

Anyway, I suspended the account, discussed the problem with the client and we ended up suspecting at that moment that it was an isolated case of a worm, trojan or keylogger on his machine.

But...

The second time was yesterday... It was exactly the same method and type of spam:
* very short message
* porn type
* every mail was to exactly 10 recipients
* short message with an <img> tag to display an external image
So I suspect it was the same spammer.
Only this time he was using a completely different mail account. The interesting part is that this email account is from another client that has no relation with the first one whatsoever.

Taking this into account, now I'm considering the possibility that somehow spammers are getting email passwords at the server end. I'm suspecting packet sniffing at the datacenter.

Clues anyone?

Thanks in advance
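The pattern described in the post (mail accepted from an authenticated account, in bursts, each message to the same number of recipients) can be hunted for in the MTA log rather than in the spam itself. The script below is an added example, not code from the thread; it runs over constructed log lines whose layout loosely follows an Exim-style "<=" arrival line with an A= authenticator field, so the regex, field names and thresholds are assumptions to adjust to the real log format.

```python
import re
from collections import defaultdict

# Assumed layout (adjust to your MTA): "<ts> <id> <= <sender> H=... [<ip>] P=<proto>
# A=<authenticator>:<user> for <rcpt> <rcpt> ...". P=esmtpa / esmtpsa means SMTP AUTH.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ <= (?P<sender>\S+) .*?\[(?P<ip>[^\]]+)\] "
    r"P=(?P<proto>\S+) A=(?P<authtype>[^:]+):(?P<user>\S+) .*?for (?P<rcpts>.+)$"
)

def parse_line(line):
    """Return the parsed fields of one arrival line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["rcpts"] = d["rcpts"].split()
    return d

def find_abused_accounts(lines, max_msgs=5, min_rcpts=10):
    """Group authenticated submissions per account and flag accounts that sent more
    than max_msgs messages, every one to at least min_rcpts recipients. Returns
    account -> {"messages", "rcpts_per_msg", "source_ips"} for the flagged accounts."""
    per_user = defaultdict(lambda: {"messages": 0, "rcpts_per_msg": set(), "source_ips": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["proto"].endswith("a"):  # only authenticated submissions
            continue
        s = per_user[rec["user"]]
        s["messages"] += 1
        s["rcpts_per_msg"].add(len(rec["rcpts"]))
        s["source_ips"].add(rec["ip"])
    return {u: s for u, s in per_user.items()
            if s["messages"] > max_msgs and min(s["rcpts_per_msg"]) >= min_rcpts}

def _constructed_log():
    # Constructed sample: one account bursting 8 messages to exactly 10 recipients each
    # from a single unfamiliar IP, plus a normal account sending two one-recipient mails.
    lines = []
    for i in range(8):
        rcpts = " ".join(f"r{i}{j}@example.net" for j in range(10))
        lines.append(f"2001-09-10 03:1{i}:05 1B2c3D-000{i}xy-Aa <= victim@clientone.example "
                     f"H=(pc) [203.0.113.5] P=esmtpa A=login:victim@clientone.example for {rcpts}")
    for i in range(2):
        lines.append(f"2001-09-10 09:0{i}:00 1B2c3D-001{i}xy-Bb <= bob@clienttwo.example "
                     f"H=(home) [198.51.100.7] P=esmtpsa A=login:bob@clienttwo.example for alice@example.org")
    return lines

if __name__ == "__main__":
    for user, s in find_abused_accounts(_constructed_log()).items():
        print(user, s["messages"], sorted(s["rcpts_per_msg"]), sorted(s["source_ips"]))
```

A flagged account whose submissions all come from one IP the customer does not recognise is a strong hint that the credential, not the server, is what was compromised.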

bmcpanel

Well-Known Member
Jun 1, 2002
luis said:
For the second time in a week my server has been used to send out spam.

The first time was at the end of last week. Investigating, I found that the spammer seemed to have the password for a client's email account since:
a) all the spam originated from that account and
b) analyzing the headers of the spam messages, the mail was sent by an authenticated user, using an email client (I mean, it wasn't sent by "nobody" exploiting a web form or something like that, headers were very clean)

Anyway, I suspended the account, discussed the problem with the client and we ended up suspecting at that moment that it was an isolated case of a worm, trojan or keylogger on his machine.

But...

The second time was yesterday... It was exactly the same method and type of spam:
* very short message
* porn type
* every mail was to exactly 10 recipients
* short message with an <img> tag to display an external image
So I suspect it was the same spammer.
Only this time he was using a completely different mail account. The interesting part is that this email account is from another client that has no relation with the first one whatsoever.

Taking this into account, now I'm considering the possibility that somehow spammers are getting email passwords at the server end. I'm suspecting packet sniffing at the datacenter.

Clues anyone?

Thanks in advance
Maybe someone has root access to your box. Check for evidence of intrusion.
 

luis

Well-Known Member
Sep 3, 2001
Of course that is always a possibility, but I don't think the evidence points that way... A user with root access could easily create an email account instead of using an existing one from a web hosting customer... or even find a way to send those without leaving evidence...

Has anyone had this type of issue?