Hello, I usually try to check logs quite often, and I also have several options to trace email abuse; however, today I got some kind of attack on an account. I tried to change the password of this account (motoco21), however it keeps sending spam. Also it didn't have any x-trace flag in order to look for any script.
exim_main_log has entries like this:
2013-05-17 12:55:05 1UdPo1-0005gA-0k <= [email protected]***.com U=motoco21 P=local S=453 T="Test mail 1771488919" for [email protected]***.com
2013-05-17 12:55:05 cwd=/home/motoco21 2 args: /usr/sbin/sendmail -t
The content of the mail is this:
Mail Control Data:
motoco21 596 32007
<[email protected]***.com>
1368817023 0
-ident motoco21
-received_protocol local
-body_linecount 3916
-max_received_linelength 382
-auth_id motoco21
-auth_sender [email protected]***.com
-allow_unqualified_recipient
-allow_unqualified_sender
-local
NN >[email protected]:[email protected]
1
[email protected]
Date:
Fri, 17 May 2013 12:57:03 -0600
From:
Bonus Chips <[email protected]>
To:
[email protected]
Subject:
Open an account at Platinum Play Casino and we'll give you 1,500 free bets!
Content-Type:
multipart/mixed; boundary="PHP-mixed-7dd96a9ef3d7332cc72cbb99d7c952da"
Message-Id:
<[email protected]***.com>
--PHP-mixed-7dd96a9ef3d7332cc72cbb99d7c952da
Content-Type: multipart/alternative; boundary="PHP-alt-7dd96a9ef3d7332cc72cbb99d7c952da"
--PHP-alt-7dd96a9ef3d7332cc72cbb99d7c952da
Content-Type: text/plain; charset="utf-8""
Content-Transfer-Encoding: 7bit
EUROPALACE
--PHP-alt-7dd96a9ef3d7332cc72cbb99d7c952da
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7bit
....
....
.....
Most of the time when I have found a site sending spam, it is usually a PHP script or something like that that got uploaded, but never something like this; I haven't been able to trace or prevent it. Any help on this will be appreciated.
Thanks in advance.
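The two exim_mainlog lines quoted above already carry the lead a defender needs: the `<=` line gives `U=motoco21 P=local` (a message injected by a local process running as that Unix user, not an SMTP login), and the `cwd=/home/motoco21 ... /usr/sbin/sendmail -t` line, which Exim writes when `log_selector` includes `+arguments`, records the working directory of the process that invoked sendmail. The following script is an added example, not code from the original post: it parses both line types, counts local submissions per user and sendmail invocations per directory, and flags users whose local submissions pass a threshold. The log lines it runs on are constructed to match the shapes in the post (addresses, ids and subjects are invented), and the mapping of `/home/<user>` directories to users is an assumption based on the cPanel-style paths shown.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log, modelled on the two exim_mainlog lines quoted in the post.
# Addresses, message ids and subjects are made up; only the line shapes match the original.
SAMPLE_LOG = """\
2013-05-17 12:55:05 cwd=/home/motoco21 2 args: /usr/sbin/sendmail -t
2013-05-17 12:55:05 1UdPo1-0005gA-0k <= motoco21@example.invalid U=motoco21 P=local S=453 T="Test mail 1771488919" for victim1@example.invalid
2013-05-17 12:55:06 cwd=/home/motoco21 2 args: /usr/sbin/sendmail -t
2013-05-17 12:55:06 1UdPo2-0005gB-1A <= motoco21@example.invalid U=motoco21 P=local S=9911 T="Open an account at Platinum Play Casino" for victim2@example.invalid
2013-05-17 12:55:06 cwd=/home/motoco21 2 args: /usr/sbin/sendmail -t
2013-05-17 12:55:06 1UdPo3-0005gC-2B <= motoco21@example.invalid U=motoco21 P=local S=9911 T="Open an account at Platinum Play Casino" for victim3@example.invalid
2013-05-17 12:56:10 1UdPpC-0005h0-3C <= alice@example.invalid H=(mail.example.invalid) [192.0.2.10] P=esmtpa A=dovecot_login:alice S=1200 T="Invoice" for bob@example.invalid
"""

# "<=" lines record an accepted message. Single-letter fields: U= local Unix user,
# P= protocol (local means injected via the sendmail interface), S= size,
# T= subject (quoted), A= authenticator, H= remote host.
ACCEPT_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+) (?P<fields>.*) for (?P<rcpts>.+)$')
FIELD_RE = re.compile(r'\b([A-Z])=("[^"]*"|\S+)')
# "cwd=" lines appear when log_selector includes +arguments: the working directory
# and command line of the local process that invoked exim/sendmail.
CWD_RE = re.compile(r'^(?P<ts>\S+ \S+) cwd=(?P<cwd>\S+) (?P<argc>\d+) args: (?P<args>.*)$')


def parse_mainlog(text):
    """Return a list of records (kind 'accept' or 'invoke') parsed from exim_mainlog text."""
    records = []
    for line in text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
            records.append({
                'kind': 'accept', 'ts': m.group('ts'), 'id': m.group('id'),
                'sender': m.group('sender'), 'user': fields.get('U'),
                'proto': fields.get('P'), 'subject': fields.get('T', ''),
                'size': int(fields.get('S', 0)), 'rcpts': m.group('rcpts').split(),
            })
            continue
        m = CWD_RE.match(line)
        if m:
            records.append({'kind': 'invoke', 'ts': m.group('ts'),
                            'cwd': m.group('cwd'), 'args': m.group('args')})
    return records


def local_submission_report(records):
    """Count P=local accepts per Unix user (U=) and cwd= invocations per directory."""
    per_user = defaultdict(lambda: {'count': 0, 'subjects': Counter(), 'ids': []})
    per_cwd = Counter()
    for r in records:
        if r['kind'] == 'invoke':
            per_cwd[r['cwd']] += 1
        elif r['proto'] == 'local' and r['user']:
            u = per_user[r['user']]
            u['count'] += 1
            u['subjects'][r['subject']] += 1
            u['ids'].append(r['id'])
    return dict(per_user), per_cwd


def flag_local_senders(records, threshold=2):
    """Users whose local (sendmail/pipe) submissions reach the threshold, together with
    the directories that invoked sendmail. Assumption: directories belong to a user when
    they sit under /home/<user>, the cPanel-style layout seen in the post."""
    per_user, per_cwd = local_submission_report(records)
    flagged = {}
    for user, info in per_user.items():
        if info['count'] < threshold:
            continue
        home = f'/home/{user}'
        dirs = {d: n for d, n in per_cwd.items() if d == home or d.startswith(home + '/')}
        flagged[user] = {'count': info['count'], 'subjects': dict(info['subjects']),
                         'ids': info['ids'], 'cwds': dirs}
    return flagged


if __name__ == '__main__':
    for user, info in flag_local_senders(parse_mainlog(SAMPLE_LOG)).items():
        print(f"{user}: {info['count']} local submissions, cwds={info['cwds']}")
        for subj, n in info['subjects'].most_common():
            print(f"  {n}x {subj!r}")
        print("  message ids:", " ".join(info['ids']))
```

On a live server, feed the real log (`parse_mainlog(open('/var/log/exim_mainlog').read())`) and use the flagged message ids with `exim -Mvh <id>` to dump a message's spool header file, which is the same "Mail Control Data" block the post reproduces. The `cwd=` directory is the place to look for the script, since `P=local` with `sendmail -t` means the mail was handed in by a process running under that account rather than through an authenticated SMTP session, which is why changing the account's mail password did not stop it.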