
Spammer using server to send? Getting tons of bounces to catch-all

Discussion in 'General Discussion' started by ryno267, Dec 13, 2005.

  1. ryno267

    I got a few hundred emails through our catch-all (I think they all went to hc9w74dm4bq@mydomain.com) and all were random crap like bounced messages from other domains and emails that I THINK were originally sent using our domain as the sender - explaining why all the unknown emails bounced back to us...

    The subjects ranged from:

    Delivery Status Notification (Failure)
    Undelivered Mail Returned to Sender
    Unable to deliver your message
    Returned mail: see transcript for details

    etc etc - the list goes on....


    I noticed most of them included the original message (below) sent from that hc9w74dm4bq@mydomain.com:

    Now when I check out my cPanel mail stats this is what I see....
    Now I've already made our catch-all go to :fail: for now at least, but I want to make sure that nobody is using our server or a webform or anything to send this crap. How do I know how they did this and how do I eliminate this from happening again?
     
  2. AndyReed

    Although this problem was covered hundreds of times in these forums, you need to find out the script used to send out SPAM throughout your server. Clean up, and then you can apply several security patches that can be found in these forums as well.
     
  3. wipl

    I would also suggest you install CHIRPY's Dictionary Attack script from the page: http://www.configserver.com/free/eximdeny.html

    This would blacklist the sender IPs from sending mails to your nonexistent email addresses.
     
  4. bullethost696

    Does it attach the original message? If yes, what is in the headers?
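
The header check asked about in the last reply, as an added example that is not part of the thread or any poster's code: it pulls the original message out of a bounce and looks for our own server in its `Received` hops, which separates backscatter from a forged sender address from mail that really left through our machine. `OUR_HOSTS` and the sample bounce are constructed assumptions.

```python
import email
import re
from email import policy
# Assumption: hostnames/IPs of our own mail server (placeholders, not from the thread).
OUR_HOSTS = {"server.mydomain.com", "192.0.2.10"}
# Constructed sample bounce (multipart/report); all hosts and IPs are made up.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.example.net
To: hc9w74dm4bq@mydomain.com
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="BOUND"

--BOUND
Content-Type: text/plain

Unable to deliver your message.
--BOUND
Content-Type: message/rfc822

Received: from unknown (HELO pc) (203.0.113.77)
 by mx.example.net with SMTP; 13 Dec 2005 10:00:00 -0000
From: hc9w74dm4bq@mydomain.com
Subject: constructed sample

body
--BOUND--
"""

def original_message(bounce_text):
    """Return the original message (or just its headers) attached to a bounce."""
    msg = email.message_from_string(bounce_text, policy=policy.default)
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":           # full original attached
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":      # headers-only attachment
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None

def classify_bounce(bounce_text, our_hosts=OUR_HOSTS):
    """Check the original's Received hops for our own server."""
    orig = original_message(bounce_text)
    if orig is None:
        return "no-original-attached"
    for hop in orig.get_all("Received", []):
        tokens = {t.strip(".").lower() for t in re.findall(r"[\w.-]+", str(hop))}
        if tokens & set(our_hosts):
            return "relayed-by-our-server"   # mail really passed through us
    return "backscatter-forged-sender"      # only our address was forged
```

`Received` lines below the first trusted hop can be forged, so treat a "relayed-by-our-server" result as a prompt to confirm against the server's own mail log rather than as proof.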
     