The Community Forums


SPAM - Message Being returned

Discussion in 'General Discussion' started by noimad1, Jan 22, 2004.

  1. noimad1

    I have a friend of mine who I have given a hosting account on one of our servers. Everything has been good for about a year, then all of a sudden a couple of days ago his inbox starts to fill up with undeliverable messages.

    I changed his default e-mail address to mine so I could see some of the messages, and sure enough he is getting around 100-150 e-mails a day stating that a message he sent was undeliverable. But he didn't send any of the messages?

    Each message has a different "To" address in the e-mail, such as bob@hisdomain.com and sam@hisdomain.com.

    Here is a sample e-mail that was returned:

    Received: from logs-tp.proxy.aol.com (logs-tp.proxy.aol.com [152.163.246.15]) by rly-ip03.mx.aol.com (v95.1) with ESMTP id RELAYIN2-3400f91bc246; Thu, 22 Jan 2004 04:02:52 1900
    Received: from mail.postmark.net (AC956C46.ipt.aol.com [172.149.108.70]) by logs-tp.proxy.aol.com (8.12.10/8.12.10) with SMTP id i0M9037H496960 for <wijnhoud@postmark.net>; Thu, 22 Jan 2004 09:00:04 GMT
    Message-ID: 89341091724478.14999@10782
    Date: Thu, 22 Jan 200408:58:51 AM
    From: "Cleora NEITO" <NEITO88@hisdomain.com>
    Subject: led them over the crest of some granite hill that was higher than
    To: wijnhoud@postmark.net
    X-Mailer: Mozilla 4.72 [en] (X11; U; Linux 2.2.18 i686)
    Importance: Normal
    MIME-version: 1.0
    Content-type: text/plain; charset=US-ASCII
    X-AOL-IP: 152.163.246.15
    That’s it! No more c.r,ea,ms or e,x,e.rc.i.s.e.s and you don’t h,a.v.e
    to remember to take a p.il,l three times a day

    http://yyqxymvxz.medalive.biz/index.php?refid=P0300

    GET a b,i.gge.r pe,n.i.s t.od.ay ( 1 to 3 i.nc,h.e.s ) 1.00, % m.o,n.ey
    back guaranteed

    I wanna remove
    http://yqngvcsgqn.medalive.biz/ouptout.php?refid=P0300

    depreciation and gold was worth far more than silver. The two young
    surgeons, a,b.o.u.t twenty years of age at the m,os,t, yielded themselves
    up to the poesy of their situation with all the enthusiasm of youth.
    Between Strasburg and

    Is there a way we can tell where this e-mail is coming from? I'm not really sure how to read those headers....
     
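    As an added example (not from the original thread), the following Python script walks the Received: headers quoted above in transit order and reports, for the earliest hop, the IP the receiving server actually saw next to the host name the sender announced, then checks whether the From: domain shows up anywhere in the relay chain. The header block is copied from the post; the function names and the regular expression are my own.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header block copied from the bounced message quoted in the post (body omitted).
BOUNCED_HEADERS = """\
Received: from logs-tp.proxy.aol.com (logs-tp.proxy.aol.com [152.163.246.15]) by rly-ip03.mx.aol.com (v95.1) with ESMTP id RELAYIN2-3400f91bc246; Thu, 22 Jan 2004 04:02:52 1900
Received: from mail.postmark.net (AC956C46.ipt.aol.com [172.149.108.70]) by logs-tp.proxy.aol.com (8.12.10/8.12.10) with SMTP id i0M9037H496960 for <wijnhoud@postmark.net>; Thu, 22 Jan 2004 09:00:04 GMT
From: "Cleora NEITO" <NEITO88@hisdomain.com>
To: wijnhoud@postmark.net

"""

# "from <HELO name> (<reverse DNS> [<IP>]) by <receiving host>": the HELO name is
# whatever the sender claimed; the bracketed IP is what the receiving MTA observed.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)"
)

def parse_hops(raw_headers):
    """Return the Received: hops in transit order (earliest first)."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))
        if m:
            hops.append(m.groupdict())
    # Every MTA prepends its own Received: line, so the bottom-most one is the first hop.
    hops.reverse()
    return hops

def describe_origin(raw_headers):
    """Compare the first hop with the From: header to spot a forged sender."""
    hops = parse_hops(raw_headers)
    first = hops[0]
    from_domain = parseaddr(message_from_string(raw_headers)["From"])[1].split("@")[-1]
    chain = " ".join((h["helo"] or "") + " " + (h["rdns"] or "") + " " + h["by"] for h in hops)
    return {
        "connecting_ip": first["ip"],
        "claimed_helo": first["helo"],
        "reverse_dns": first["rdns"],
        "helo_matches_rdns": first["helo"] == first["rdns"],
        "from_domain": from_domain,
        # A From: domain that never appears in any hop is the signature of a spoofed sender.
        "from_domain_seen_in_hops": from_domain in chain,
    }

if __name__ == "__main__":
    for hop in parse_hops(BOUNCED_HEADERS):
        print(f"{hop['ip']:>16}  {hop['helo']:<24} -> {hop['by']}")
    print(describe_origin(BOUNCED_HEADERS))
```

    Read the hops bottom-up: the first Received: line written (the lowest one) records the machine that handed the message to the first relay, and that bracketed IP is the only part of the chain the sender could not write themselves.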
  2. Website Rob

    Website Rob (Root Administrator, Alberta, Canada)
    Somebody is spoofing your friend's eMail address -- not much can be done about that. It does appear though, as if the eMail is originating from: postmark.net. That you should be able to do something about, by forwarding some/all of the returned eMail (don't change anything though) to either the Domain name or Hoster of the Domain name. I'd send to both actually.
     
  3. kipper3d

    What is causing this email spoofing? It is happening to a bunch of my customers including myself. I first thought it was my desktop windoze box, but I've been running updated anti virus for over a year now.

    Have I been rooted? Is this a Linux virus?? Specific to cPanel? Because none of my Ensim machines are doing this that I know of.

    All Linux 7.3 WHM 8.5.1 cPanel 8.5.3-S3

    Thanks!

    -John
     
  4. Website Rob

    Website Rob (Root Administrator, Alberta, Canada)
    It's probably the MyDoom/Novarg Virus that came out last week. Has various attachments the Exim filter will catch, but because the addresses are invalid it has nowhere to kick them back to.
     