The Community Forums


spam to accounting@

Discussion in 'General Discussion' started by rs-freddo, Dec 5, 2005.

  1. rs-freddo

    rs-freddo Well-Known Member

    Joined:
    May 13, 2003
    Messages:
    832
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Australia
    cPanel Access Level:
    Root Administrator
    I'm getting a lot of spam going to root email address, that seems to be originally addressed to accounting@aDomainOnMyServer.com

    I have not set up any rules to have accounting@ redirected to root. I do have postmaster@, abuse@, and ssladmin@ redirecting to root.

    Anyone else seeing this or know why this is happening?
     
  2. webignition

    webignition Well-Known Member

    Joined:
    Jan 22, 2005
    Messages:
    1,880
    Likes Received:
    0
    Trophy Points:
    36
    Try taking a peek in your Exim logs and see what it says regarding the delivery of such messages.

    This won't directly help, but should help you to narrow things down by confirming or denying whether a filter is in place.
     
  3. rs-freddo

    rs-freddo Well-Known Member

    2005-12-06 09:24:09 1EjOkh-00083r-Um <= billpaxton@casino.com H=(221-sonali-1.pacenet-india.com) [203.115.82.221] P=smtp S=6481 id=7huw55um577ya34utl$m863vtr0nrm728$wks27lm19@PC249
    2005-12-06 09:24:09 1EjOkh-00083r-Um == root@hostname.com <postmaster@aDomainOnServer.com> R=central_user_filter defer (-1): bad owner for /etc/vfilters/aDomainOnServer.com
    2005-12-06 09:24:09 1EjOkh-00083r-Um => username <accounting@aDomainOnServer.com> R=localuser T=local_delivery
    2005-12-06 09:24:09 1EjOkh-00083r-Um => mark <info@aDomainOnServer.com> R=virtual_user T=virtual_userdelivery

    owner of /etc/vfilters/aDomainOnServer.com is correct...
    They have a forward setup for info@aDomainOnServer.com to go to mark@aDomainOnServer.com...
    I do require all mail addressed to postmaster@ to go to my root email address (root@hostname.com)...
    But that doesn't explain why the email was addressed to accounting@ as the actual email seems to be addressed to info@

    To me it looks like Exim generated a copy of the email and sent it to postmaster. However vfilters is owned and chmodded correctly. It's an empty file actually.

    This has started to happen on a few accounts just in the last couple of days. Just curious why...? I haven't changed anything on the server...
     
  4. rs-freddo

    rs-freddo Well-Known Member

    I'm on manual update...
     
  5. rs-freddo

    rs-freddo Well-Known Member

    OK, this is getting really strange here...
    I just got two spams addressed to "Accounting"
    the To: address is not even a proper email address.

    Looking thru the logs the emails were delivered without the vfilters error.

    It looks to me that the spam is being bcc'd to postmaster (via the latest bcc spam vulnerability). This would explain why the To: address is ridiculous and the postmaster address doesn't even appear in the email headers...

    I think...

    Anyway, the main point seems to be that this is not a vulnerability on my server, nor is it a problem with cPanel. Just the latest spam trick...
     
  6. rs-freddo

    rs-freddo Well-Known Member

    I have had one of these emails addressed to accounts@ but most have been addressed to accounting@

    Looking thru your logs above I would suppose that you have your RBL's set to allow postmaster@ thru always - this is common RBL procedure. So the others were dropped but postmaster@ was delivered.
    BTW I think you'll soon need to checkout Chirpy's anti-dictionary attack software...

    As I said above I think that the emails are being bcc'd to postmaster@ as well as accounting@, info@ and whatever else.
     
    #6 rs-freddo, Dec 6, 2005
    Last edited: Dec 6, 2005
  7. Snowman30

    Snowman30 Well-Known Member
    PartnerNOC

    Joined:
    Apr 7, 2002
    Messages:
    681
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    DataCenter Provider
    I know this is an old discussion but I'm wondering if anyone has identified how this was happening?

    I've noticed it pop up its ugly spammy head again...
     
  8. WestBend

    WestBend Well-Known Member

    Joined:
    Oct 12, 2003
    Messages:
    173
    Likes Received:
    0
    Trophy Points:
    16
    Same here... Just started happening across every single domain, and all my servers have been locked down by Chirpy so it must be a new trick.
    Haven't started to dig into it yet though.
     
  9. WestBend

    WestBend Well-Known Member

    No sooner said than another one pops in...

    Return-path: <johnpreskot@uk2.net>
    Envelope-to: postmaster@xxxxxxxx.com
    Delivery-date: Thu, 23 Feb 2006 19:17:50 -0600
    Received: from [24.34.191.210] (helo=3FD41D78)
    by talis.xxxxxxxx.com with smtp (Exim 4.52)
    id 1FCQaT-00042T-1B; Thu, 23 Feb 2006 18:13:35 -0600
    Received: from kinki-kids.com (ehlo portsevendomain.biz.info.gamanetwork.com [47.42.24.232])
    by mrg.com with SMTP id 9KCUC1BWRO
    for <accounting@xxxxxxxx.com>; Thu, 23 Feb 2006 19:13:10 -0500
    Received: from melodrama.fcta.com (HELO fcta.com.freeproblem.com [61.52.148.98])
    by qldsugar.com with SMTP id 6BR6K5WX2A
    for <accounting@xxxxxxxx.com>; Fri, 24 Feb 2006 05:08:10 +0500
    From: "Trevor Sullivan" <yutz@dbzmail.com>
    To: "Accounting" <accounting@xxxxxxxx.com>
    Subject: {Definitely Spam?} accounting@xxxxxxxx.com
    X-Accept-Language: en-us, en
    X-Mailer: MIME-tools 5.503 (Entity 5.501)
    X-Priority: 3 (Normal)
    MIME-Version: 1.0
    Content-Type: text/html;
    Content-Transfer-Encoding: quoted-printable
    X-BlogsAbout-MailScanner-Information: Please contact the ISP for more information
    X-BlogsAbout-MailScanner: Found to be clean
    X-BlogsAbout-MailScanner-SpamCheck: spam, SBL+XBL, spamcop.net
    X-BlogsAbout-MailScanner-SpamScore: ssssssssssssssssssss
    X-BlogsAbout-MailScanner-From: johnpreskot@uk2.net



    From Main Log
    2006-02-23 18:13:35 1FCQaT-00042T-1B <= johnpreskot@uk2.net H=(3FD41D78) [24.34.191.210] P=smtp S=6591
    2006-02-23 18:13:40 1FCQaT-00042T-1B == root@talis.xxxxxxxx.com <postmaster@xxxxxxxx.com> R=central_user_filter defer (-1): bad owner for /etc/vfilters/xxxxxxxx.com
    2006-02-23 18:13:40 1FCQaT-00042T-1B => fakehate <accounting@fakehate.com> R=localuser T=local_delivery
    2006-02-23 18:19:24 1FCQaT-00042T-1B == root@talis.xxxxxxxx.com <postmaster@xxxxxxxx.com> routing defer (-51): retry time not reached
    2006-02-23 19:17:50 1FCQaT-00042T-1B => serverinfo <postmaster@xxxxxxxx.com> R=virtual_user T=virtual_userdelivery
    2006-02-23 19:17:50 1FCQaT-00042T-1B Completed
     
    #9 WestBend, Feb 23, 2006
    Last edited: Feb 23, 2006
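The mainlog excerpts in post #3 and post #9 both have the same shape: one `<=` arrival, a `==` defer for the root-aliased postmaster@ recipient (the "bad owner for /etc/vfilters" error), and a `=>` delivery to a guessed address such as accounting@ in the same message, then eventual delivery to postmaster. The script below is an added example, not code from the thread, from cPanel or from Exim: it groups mainlog lines by message ID, recovers each original envelope recipient (the address in angle brackets when the delivery went through an alias or filter), and flags messages where an admin alias was bundled with other recipients in one envelope, which is the "Bcc to postmaster" pattern the thread suspects. The sample log is constructed from the quoted lines with hosts and domains replaced; the set of admin local parts and the "more than one recipient" heuristic are assumptions you should tune for your own aliases.

```python
import re
from dataclasses import dataclass, field

# Constructed sample mainlog, modelled on the lines quoted in this thread
# (hosts and domains replaced with example.* / RFC 5737 addresses).
SAMPLE_MAINLOG = """\
2006-02-23 18:13:35 1FCQaT-00042T-1B <= johnpreskot@example.net H=(3FD41D78) [192.0.2.10] P=smtp S=6591
2006-02-23 18:13:40 1FCQaT-00042T-1B == root@talis.example.com <postmaster@example.com> R=central_user_filter defer (-1): bad owner for /etc/vfilters/example.com
2006-02-23 18:13:40 1FCQaT-00042T-1B => fakehate <accounting@example.com> R=localuser T=local_delivery
2006-02-23 18:19:24 1FCQaT-00042T-1B == root@talis.example.com <postmaster@example.com> routing defer (-51): retry time not reached
2006-02-23 19:17:50 1FCQaT-00042T-1B => serverinfo <postmaster@example.com> R=virtual_user T=virtual_userdelivery
2006-02-23 19:17:50 1FCQaT-00042T-1B Completed
2006-02-23 20:01:02 1FCSEf-00051a-Qx <= alice@example.org H=mail.example.org [198.51.100.5] P=esmtp S=2200
2006-02-23 20:01:02 1FCSEf-00051a-Qx => serverinfo <postmaster@example.com> R=virtual_user T=virtual_userdelivery
2006-02-23 20:01:02 1FCSEf-00051a-Qx Completed
"""

# Exim message IDs are three base-62 groups of 6, 6 and 2 characters.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<id>[A-Za-z0-9]{6}-[A-Za-z0-9]{6}-[A-Za-z0-9]{2}) "
    r"(?P<flag><=|=>|==|->|\*\*|Completed)(?P<rest>.*)$"
)
ANGLE_RE = re.compile(r"<([^>]+)>")
HOST_RE = re.compile(r"H=(\S+(?: \[\S+\])?)")

# Assumption: these local parts are the ones you alias to root in
# /etc/aliases or /etc/myaliases.  Adjust to match your server.
ADMIN_LOCALPARTS = {"postmaster", "abuse"}


@dataclass
class Message:
    id: str
    sender: str = ""
    host: str = ""
    recipients: set = field(default_factory=set)   # original envelope recipients
    vfilter_errors: list = field(default_factory=list)
    completed: bool = False


def original_recipient(rest):
    """Envelope recipient of a =>/==/->/** line.  Exim prints the delivered
    address first and, when it was reached via an alias or filter, the
    original address in <...>; prefer the latter."""
    m = ANGLE_RE.search(rest)
    if m:
        return m.group(1).lower()
    return rest.split()[0].lower()


def parse_mainlog(text):
    """Return {message_id: Message} for every message seen in the log text."""
    msgs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        mid, flag, rest = m.group("id"), m.group("flag"), m.group("rest").strip()
        msg = msgs.setdefault(mid, Message(mid))
        if flag == "<=":
            msg.sender = rest.split()[0]
            h = HOST_RE.search(rest)
            msg.host = h.group(1) if h else ""
        elif flag in ("=>", "==", "->", "**"):
            msg.recipients.add(original_recipient(rest))
            if "bad owner for /etc/vfilters" in rest:
                msg.vfilter_errors.append(rest)
        elif flag == "Completed":
            msg.completed = True
    return msgs


def suspicious_admin_bcc(msg):
    """True when an admin alias (postmaster@, abuse@) was one of several
    recipients in the same envelope, i.e. the spam was addressed to a
    guessed mailbox and Bcc'd to postmaster in the same SMTP transaction."""
    local_parts = {r.split("@")[0] for r in msg.recipients}
    return bool(local_parts & ADMIN_LOCALPARTS) and len(msg.recipients) > 1


def report(text):
    msgs = parse_mainlog(text)
    return {
        "suspicious": sorted(m.id for m in msgs.values() if suspicious_admin_bcc(m)),
        "vfilter_errors": sorted(m.id for m in msgs.values() if m.vfilter_errors),
    }


if __name__ == "__main__":
    for key, ids in report(SAMPLE_MAINLOG).items():
        print(f"{key}: {', '.join(ids) or '-'}")
```

Run it against `/var/log/exim_mainlog` by reading the file instead of the constructed sample. Note that the `<=` line only lists the envelope recipients if `log_selector` includes `+received_recipients`; without that, the per-recipient `=>`/`==` lines are the only record, which is why the script reconstructs the recipient set from them. Messages that legitimately Cc postmaster will also match the heuristic, so treat a hit as a triage signal, not a verdict.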
  10. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    This is probably why you're seeing them, if I read what the problem is correctly:
    You're probably getting the postmaster emails for all domains because of the tweak we implement with /etc/myaliases. If you don't want that, remove the postmaster line from that file.
     
  11. fred123123

    fred123123 Well-Known Member

    Joined:
    Jul 23, 2005
    Messages:
    74
    Likes Received:
    0
    Trophy Points:
    6
    I have the exact same problem...

    The mails come from accounting@mydomain.com and are for accounting@mydomain.com ...
    but I also receive this kind of mail from/for a lot more mail addresses that don't exist!!
    test@mydomain.com is another example...
    I don't have these mail addresses on my domain...

    I haven't had the time to look in my logs... but do you know so far why this is happening?
     
  12. Snowman30

    Snowman30 Well-Known Member
    PartnerNOC

    Chirpy, I'm sure you're right on the postmaster@ issue

    the big issue however is how, who or what is scanning the domains on the server and sending this out...

    it's not a random thing; I have seen domains from a to z on a server hit with this crap....
     
  13. Salman75

    Salman75 Well-Known Member

    Joined:
    Jan 20, 2004
    Messages:
    102
    Likes Received:
    0
    Trophy Points:
    16
    Yes, we are also seeing this across MANY of our servers. I have attached an image of the email, which is always the same on all servers.

    Really, do these guys have a life?
     


  14. WestBend

    WestBend Well-Known Member

    is this if the domain does not have a :fail: in it?
    Because it looks like the emails are sent to accounting but are then getting routed from accounting to postmaster?
     
  15. morfargekko

    morfargekko Member

    Joined:
    Jul 3, 2005
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    1
    The problem is huge on my server as well, I really need a fix for this.
    I have Chirpy's MailScanner installed but it does nothing for this kind of mail abuse. :confused:
     
  16. asmithjr

    asmithjr Well-Known Member

    Joined:
    Jun 13, 2003
    Messages:
    475
    Likes Received:
    1
    Trophy Points:
    18
    yeah, this seems to be spreading. I checked and all the domains have

    *: :fail:

    and the /etc/myalias has


    abuse: root
    postmaster: root
     
  17. Snowman30

    Snowman30 Well-Known Member
    PartnerNOC

    This issue certainly does seem to be getting worse.

    It's like somehow they are able to send to all accounting@ on all domains on each of our servers despite the security we have in place

    and of course I get the bulk of the mail through to me at our abuse and postmaster@ addys.

    I don't however want to remove abuse and postmaster@ from our exim aliases

    surely there must be a solution to stop this?
     
  18. salubrium

    salubrium Member

    Joined:
    Jun 11, 2003
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Sydney
    cPanel Access Level:
    Root Administrator
    Among other issues, I was having this same problem, the accounting one; these were from domains that didn't run :fail: - I had to work through that one manually. What I did notice though was this in my /etc/aliases file

    webmaster: root
    noc: root
    security: root
    hostmaster: root
    info: postmaster
    marketing: postmaster
    sales: postmaster
    support: postmaster


    I have now commented out the info, marketing, sales & support aliases. It took me a while to find where they were coming from though.

    Hope it helps

    Now if anyone can solve the problem:

    "if exists "postmaster@userdomain" then forward there else forward to "postmaster@admindomain.com" condition in the exim conf"

    I'd be most grateful.
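The "forward to the domain's own postmaster if it has one, else to the admin's postmaster" routing asked for above can be done with an Exim redirect router. The fragment below is an added example, not from the thread, from cPanel or from Chirpy's tweaks, and it assumes the cPanel layout of the day: local domains listed one per line in /etc/localdomains, and per-domain aliases in /etc/valiases/<domain> keyed by the full address (e.g. `postmaster@example.com: someone@example.com`). The router name, the admin address and where cPanel lets you keep a custom router across updates are assumptions; check the latter for your version before editing exim.conf.

```exim
# Added example (not from the thread).  Place this in the routers section
# BEFORE the router that expands /etc/valiases and before the system_aliases
# router for /etc/aliases, otherwise it never sees the address.
postmaster_fallback:
  driver = redirect
  # Only local domains, and never the admin domain itself, so the
  # redirect target below cannot route back into this router.
  domains = !admindomain.com : lsearch;/etc/localdomains
  local_parts = postmaster
  # Skip when the domain defines its own postmaster entry; the normal
  # valiases router will then deliver it where the customer chose.
  condition = ${if exists{/etc/valiases/$domain}\
                 {${lookup{postmaster@$domain}lsearch{/etc/valiases/$domain}{no}{yes}}}\
                 {yes}}
  # Assumed admin address; postmaster@admindomain.com must resolve on
  # its own (a real mailbox or a valias entry), or mail will bounce.
  data = postmaster@admindomain.com
```

Two caveats worth knowing before relying on this. A domain whose only entry is a `*:` catch-all still has no postmaster line, so its postmaster mail goes to the admin rather than the catch-all, which is usually what you want for RFC 2142 role addresses. And this fixes only routing: the spam itself still arrives, so pair it with the log check above and your usual RBL or MailScanner policy rather than treating it as a filter.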
     