
Targeted email spam & Mailnull

Discussion in 'E-mail Discussions' started by slinky, May 14, 2008.

  1. slinky

    slinky Well-Known Member

    One of my clients believes someone is trying to get revenge on him. His email box is being filled with bounced messages (around 6-8 per minute), primarily from one geographic location (Korea). He doesn't really have any Korean clients. Looking at the headers, it's difficult to tell whether there is a script on his site that is being used for mass emailing, but it doesn't seem like it, since a good deal of WHM doesn't show it and many of the return messages are lucy1@domain.com, lucy2@domain.com, etc., so they are autogenerated. But a huge number are all to hisname@hisdomain.com, so there is no mistake that his email address is either the target or on some script that I can't find being triggered.

    What do you check to see which shared account is doing mass sends? This guy insists that no scripts on his domain are doing the sending and that it's routed to his email address, e.g. revenge, but WHM doesn't always specify (it seems) which account is actually doing the sending - mailnull doesn't tell me which account is triggering it (or domain). Any way to separate this better? Also, if he's right, what do you do about it? Right now he's got all the bounces going to his junk mail. I was hoping to either bounce email from certain countries, containing a type of message, etc.
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    In his cPanel, under the Default Address icon, what does he have that set to? It should be:

    Send all unrouted e-mail for: hisdomain.com Current Setting :fail:
     
  3. slinky

    slinky Well-Known Member

    That's not the main problem, although it solves the brute force attack on the domain. His email address is myemail@mydomain.com. He's getting thousands of bounce messages sent just to that specific email address. So that means either he's got a script that notifies him at that email that is used to send spam elsewhere, or someone is sending spam but just using his email as the from (spoofing) and he's getting all the bounces.
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Well, you've got several options as I see it. Dig through these forums for topics on mail spoofing for tips on what to do, kill that email account, or call in a professional for assistance.

    I (as do many others) highly recommend this friendly fella:
    http://www.configserver.com/cp/exploit.html
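
The thread leaves two explanations open: a script on the account is sending the mail, or an outside sender is forging his address and he only receives the bounces. The following is an added example, not code from any poster: it reads the original headers that a bounce returns and checks whether any Received hop names your own server. The sample bounce, host names and IPs are constructed placeholders, and `OURS` is an assumed server name and address.

```python
import email
import re
from email import policy

# Constructed, abbreviated bounce in RFC 3464 layout; all hosts and IPs are placeholders.
BOUNCE_TEMPLATE = """\
From: MAILER-DAEMON@mx.recipient.example
To: hisname@hisdomain.example
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery to lucy1@recipient.example failed.
--b1
Content-Type: message/delivery-status

Final-Recipient: rfc822; lucy1@recipient.example
Status: 5.1.1
--b1
Content-Type: text/rfc822-headers

Received: from {helo} ([{ip}]) by mx.recipient.example; Wed, 14 May 2008 10:00:00 +0900
From: hisname@hisdomain.example
--b1--
"""

def returned_headers(bounce):
    """Headers of the original message carried inside the bounce, or None."""
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
        if part.get_content_type() == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None

def classify_bounce(raw, our_hosts):
    """'local' if the returned message passed through our server, else 'spoofed'."""
    original = returned_headers(email.message_from_string(raw, policy=policy.default))
    if original is None:
        return "unknown"  # bounce did not include the original headers
    hops = " ".join(str(h) for h in original.get_all("Received", [])).lower()
    tokens = {t.strip(".") for t in re.findall(r"[a-z0-9.:-]+", hops)}
    return "local" if tokens & {h.lower() for h in our_hosts} else "spoofed"

OURS = {"server.hisdomain.example", "192.0.2.10"}  # assumed server name and IP
print(classify_bounce(BOUNCE_TEMPLATE.format(helo="unknown", ip="203.0.113.77"), OURS))
print(classify_bounce(BOUNCE_TEMPLATE.format(helo="server.hisdomain.example", ip="192.0.2.10"), OURS))
```

A "local" result should be confirmed against the server's own mail log, since Received lines below the first trusted hop can be forged.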
     