Total Mail Newbie but potentially serious problem

HLFusion

Member
Apr 21, 2006
Lately, my root account has had a lot of emails bounced back to it because of some sort of error. This has gotten really out of control, as now I get about 200-300 new emails a day that I do not recognize as being sent from this server. Here are some examples:

Code:
Your message

  To:      [email protected]
  Subject: Hello from Russia.
  Sent:    Fri, 5 Jan 2007 01:41:01 +0100

did not reach the following recipient(s):

[email protected] on Thu, 4 Jan 2007 21:44:22 +0100
    The recipient name is not recognized
	The MTS-ID of the original message is: c=us;a=
;p=aashima;l=NL-010701042044C2AM3SB9
    MSEXCH:IMS:Aashima:NL:NL-01 0 (000C05A6) Unknown Recipient





Subject:
Hello from Russia.
From:
Ekaterina <[email protected]>
Date:
Fri, 5 Jan 2007 01:41:01 +0100
To:
[email protected]

Hello!!!

How are you? My name is Ekaterina. I am 26 years old. I live in Russia,
city Youshkar-Ola. I am cheerful woman, and like to do many things as
sport, camping, go to the cinema, theatre etc. In a word I like to do
all what like all people. I work in marketing structure on sale of
cosmetics. My dream this travel abroad. I know the english language
well enough.. I began to study english language approximately one year
ago. I wish tell to you history which have pushed me write to you. 8
months ago I have got acquainted with the man from other country by
name Justin. During this time we had good relations. We have
understood that our relations become serious and we have decided to
meet in his country. I wrote the application for reception the visa. I
waited reception of the visa approximately half of year. All time I
kept in touch with Justin through the internet and often called to
each other. I and Justin waited reception of the visa to our meeting.
I have received the invitation from the ambassador for reception of
the visa. My director has given me long-term holiday from work and I
have gone to Moscow to receive the visa. I informed good news to
Patrick, but he has answered, that does not want our meeting. He
played with me. He has informed that has the wife with two children
and at all has no plans to meet me. I was not ready to such turn of
events. I could not think what even after 8 months of acquaintance he
can so unscrupulously act with me. Now I am in Moscow trip to Moscow
and reception of visa. I do not want that all was gone for nothing and
will be glad if my visa will be useful to our meeting. I could arrive
already through 4-5 days, but a problem in that that now I have no man
which would like my arrival. Probable it will silly sound but if you
will be interested in a meeting with the good woman I shall like to
meet you sometime soon! As Justin was dishonest with me I have
decided to find the man which is interested to meet the woman from
Russia. I do not know your ideas about my letter, but it would be fine
if we could meet and have some weeks or months together. On my trip I
want to receive rest from my work and a life in Russia. Also the basic
purpose for the future it is search good men for serious attitudes
which go to a marriage. I have no children, but I want to have
children in the future. I am the mature woman and ready to creation of
family with good man. I do not know what you really search in the
future but if we could meet I shall be happy to discuss with you more
about our meeting. What are you going to do this time? It would be
fine if we could meet, do friendship or more than simply friendship. I
shall be happy if you also have a free time and we could meet soon. I
do not know your interests, but anyhow write to me back and I shall
tell to you more about myself. Write to me all that you want. Maybe we
have similar plans and it will be interesting to us together.

You can write all that you want. Ask any questions which interest you.
Write to me back and I shall tell more about myself and send more my
photos.

Please, write to me back on my regular e-mail: [email protected]
Have a good day,

Ekaterina.
That definitely seems like it's mass spam or a virus.

Here's another:

Code:
This report relates to a message you sent with the following header fields:

  Return-path: <[email protected]>
  Received: from tcpinami-daemon.mailrelaypr.smals-mvm.be by
   mailrelaypr.smals-mvm.be (Thiziz_a_mailserver)
   id <[email protected]>
   (original mail from [email protected]); Thu,
   4 Jan 2007 21:38:45 +0100 (CET)
  Received: from mailgateabis.smals-mvm.be (localhost [127.0.0.1])
   by mailrelaypr.smals-mvm.be (Thiziz_a_mailserver)
   with ESMTP id <[email protected]> for [email protected];
   Thu, 04 Jan 2007 21:38:45 +0100 (CET)
  Received: from mailgateabis.smals-mvm.be (localhost.localdomain [127.0.0.1])
   by localhost (Postfix) with SMTP id AD9A377DC676	for <[email protected]>; Thu,
   04 Jan 2007 21:38:50 +0100 (CET)
  Received: from dowragv (unknown [88.241.9.163])	by mailgateabis.smals-mvm.be
   (Postfix) with SMTP id 5287D77DC660	for <[email protected]>; Thu,
   04 Jan 2007 21:38:46 +0100 (CET)
  Received: from ndoe ([138.132.151.80]) by dowragv with Microsoft
   SMTPSVC(5.0.2195.6713); Thu, 04 Jan 2007 22:38:35 +0200
  Date: Thu, 04 Jan 2007 22:38:35 +0200
  From: either <[email protected]>
  Subject: [Scanned by Extranet - SPAM] BLOWING SNOW ADVISORY HAS BEEN CANCELED
   FOR THOMPSON PASS.
  To: [email protected]
  Message-id: <[email protected]>
  MIME-version: 1.0
  Content-type: multipart/related; boundary=------------070505000604010208000408
  User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
  X-PMX-Spam: Probability=96%

Your message cannot be delivered to the following recipients:

  Recipient address: [email protected]
  Reason: Remote SMTP server has rejected address
  Diagnostic code: smtp;550 No such recipient
  Remote system: dns;mail.inami.be (mail.riziv.be GroupWise Internet Agent 7.0.1  Copyright [c] 1993-2006 Novell, Inc.  All rights reserved. Ready)




Reporting-MTA: dns;mailrelaypr.smals-mvm.be (tcpinami-daemon)

Original-recipient: rfc822;[email protected]
Final-recipient: rfc822;[email protected]
Action: failed
Status: 5.0.0 (Remote SMTP server has rejected address)
Remote-MTA: dns;mail.inami.be
 (mail.riziv.be GroupWise Internet Agent 7.0.1  Copyright [c] 1993-2006 Novell,
 Inc.  All rights reserved. Ready)
Diagnostic-code: smtp;550 No such recipient



Return-path: <[email protected]>
Received: from tcpinami-daemon.mailrelaypr.smals-mvm.be by
 mailrelaypr.smals-mvm.be (Thiziz_a_mailserver)
 id <[email protected]>
 (original mail from [email protected]); Thu,
 4 Jan 2007 21:38:45 +0100 (CET)
Received: from mailgateabis.smals-mvm.be (localhost [127.0.0.1])
 by mailrelaypr.smals-mvm.be (Thiziz_a_mailserver)
 with ESMTP id <[email protected]> for [email protected];
 Thu, 04 Jan 2007 21:38:45 +0100 (CET)
Received: from mailgateabis.smals-mvm.be (localhost.localdomain [127.0.0.1])
 by localhost (Postfix) with SMTP id AD9A377DC676	for <[email protected]>; Thu,
 04 Jan 2007 21:38:50 +0100 (CET)
Received: from dowragv (unknown [88.241.9.163])	by mailgateabis.smals-mvm.be
 (Postfix) with SMTP id 5287D77DC660	for <[email protected]>; Thu,
 04 Jan 2007 21:38:46 +0100 (CET)
Received: from ndoe ([138.132.151.80]) by dowragv with Microsoft
 SMTPSVC(5.0.2195.6713); Thu, 04 Jan 2007 22:38:35 +0200
Date: Thu, 04 Jan 2007 22:38:35 +0200
From: either <[email protected]>
Subject: [Scanned by Extranet - SPAM] BLOWING SNOW ADVISORY HAS BEEN CANCELED
 FOR THOMPSON PASS.
To: [email protected]
Message-id: <[email protected]>
MIME-version: 1.0
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
X-PMX-Spam: Probability=96%
I think almost all of these are just spam, but how do I stop this from happening? Thanks.
 

adept2003

Well-Known Member
Aug 11, 2003
Since your server hostname/IP address doesn't appear in the message headers, it seems safe to assume that the spammer is simply spoofing your email address.

If you have a "catchall" account, disable it and set messages to bounce. The only emails you should be receiving should be to real email addresses you have set up on your server.

If you know how to (search the forums), set up an SPF record in your DNS entries. This will help to reduce bounces from organisations that use SPF.

Incidentally, as a separate issue, your nameservers will do recursive lookups (http://www.dnsreport.com/tools/dnsreport.ch?domain=core-fusion.net) - you should disable this (search the forum for how to do that). :)
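The two checks in the reply above (does our own server appear anywhere in the Received: chain of the returned message, and what would an SPF record for our domain have told the receiving site) can be scripted so that each bounce is triaged in seconds rather than read by hand. The following is an added example written for this thread, not code from cPanel or from any poster. OUR_HOSTNAME, OUR_IPS, OUR_SPF and the addresses in the sample headers are constructed placeholders; the two relay IPs in the sample are the ones quoted in the second bounce above. The SPF evaluator is deliberately minimal (ip4: and all only) and not a full RFC 7208 implementation.

```python
"""Triage a bounced message: backscatter from a spoofed sender, or a real bounce?

Added example, not code from the thread or from cPanel. Check 1: our own
hostname/IP in the Received: chain means the mail really left our server;
otherwise the envelope sender was spoofed elsewhere. Check 2: evaluate a
minimal SPF record against the IP the receiving site actually saw connect.
"""
import ipaddress
import re
from email import message_from_string
from typing import List, Optional, Set

OUR_HOSTNAME = "mail.example.com"           # constructed placeholder
OUR_IPS = {"203.0.113.10"}                  # constructed placeholder
OUR_SPF = "v=spf1 ip4:203.0.113.10 -all"    # constructed placeholder record

# Constructed sample, modelled on the Received: lines quoted in the thread's second bounce.
SAMPLE_RETURNED_HEADERS = """\
Return-path: <spoofed@example.com>
Received: from mailgateabis.smals-mvm.be (localhost [127.0.0.1])
 by mailrelaypr.smals-mvm.be (Thiziz_a_mailserver)
 with ESMTP id <id1@mailrelaypr.smals-mvm.be> for victim@inami.be;
 Thu, 04 Jan 2007 21:38:45 +0100 (CET)
Received: from dowragv (unknown [88.241.9.163])\tby mailgateabis.smals-mvm.be
 (Postfix) with SMTP id 5287D77DC660\tfor <victim@inami.be>; Thu,
 04 Jan 2007 21:38:46 +0100 (CET)
Received: from ndoe ([138.132.151.80]) by dowragv with Microsoft
 SMTPSVC(5.0.2195.6713); Thu, 04 Jan 2007 22:38:35 +0200
From: either <spoofed@example.com>
Subject: BLOWING SNOW ADVISORY HAS BEEN CANCELED FOR THOMPSON PASS.
To: victim@inami.be

"""

# Dotted quad not embedded in a longer dotted number (so "SMTPSVC(5.0.2195.6713)" is skipped).
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def received_hops(raw: str) -> List[str]:
    """Unfolded Received: headers, oldest hop first (each MTA prepends its own)."""
    msg = message_from_string(raw)
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    return list(reversed(hops))


def hop_ips(hop: str) -> Set[str]:
    """Valid, non-loopback IPv4 literals found in one Received: header."""
    found = set()
    for candidate in IP_RE.findall(hop):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:
            continue
        if not addr.is_loopback:
            found.add(candidate)
    return found


def relayed_through_us(raw: str, hostname: str = OUR_HOSTNAME, ips=OUR_IPS) -> bool:
    """True only if some hop names our host or IP, i.e. the mail really passed through our server."""
    return any(hostname.lower() in hop.lower() or hop_ips(hop) & set(ips)
               for hop in received_hops(raw))


def originating_ip(raw: str) -> Optional[str]:
    """IP in the oldest hop that carries one: where the message entered the mail system."""
    for hop in received_hops(raw):
        ips = hop_ips(hop)
        if ips:
            return min(ips)
    return None


def border_ip(raw: str) -> Optional[str]:
    """IP in the newest hop that carries one: the client the receiving site's SPF check saw."""
    for hop in reversed(received_hops(raw)):
        ips = hop_ips(hop)
        if ips:
            return min(ips)
    return None


_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(client_ip: str, record: str) -> str:
    """Toy SPF evaluator: ip4: and all mechanisms only (assumption: not full RFC 7208)."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in _RESULT:
            qualifier, term = term[0], term[1:]
        if term.lower().startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return _RESULT[qualifier]
        if term.lower() == "all":
            return _RESULT[qualifier]
    return "neutral"


def triage(raw: str, spf_record: str = OUR_SPF) -> dict:
    """Summarise one bounce: did it really come from us, and what would SPF have said?"""
    border = border_ip(raw)
    ours = relayed_through_us(raw)
    return {
        "relayed_through_us": ours,
        "originating_ip": originating_ip(raw),
        "border_ip": border,
        "spf_at_receiver": spf_check(border, spf_record) if border else "none",
        "verdict": ("genuine bounce: check the sending account on this server" if ours
                    else "backscatter: our address was spoofed by a third party"),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_RETURNED_HEADERS).items():
        print(f"{key:20} {value}")
```

For the sample above the script reports no hop through our server, an originating IP of 138.132.151.80, a border IP of 88.241.9.163 and an SPF result of "fail" for that border IP, which is exactly why a published SPF record helps: a receiving site that checks it can reject at SMTP time instead of accepting the mail and bouncing it back to the forged sender. Note that the border IP, not the originating one, is what SPF is evaluated against; the oldest hop is only useful for reporting.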
 

dlennon

Member
PartnerNOC
May 17, 2006
Better to set the messages to :fail: so that the server simply drops the connection instead of wasting your resources sending out a bounce.
Is there a way for a cPanel system admin to prevent users from modifying the default user to anything other than :fail:? If not, I guess this would be a feature request.