Atomic Secure Linux

All times are UTC - 5 hours [ DST ]




 Post subject: Spam through my server
Unread postPosted: Fri Jul 01, 2011 7:55 am 
Forum User

Joined: Fri Dec 14, 2007 11:35 am
Posts: 49
Hi guys,

In the last few days I've noticed this in the qmail log:

Code:
Jul  1 12:48:45 zeus qmail: 1309520925.236292 starting delivery 2040: msg 4044760451 to remote dowjarrett@verizon.net
Jul  1 12:48:45 zeus qmail: 1309520925.236372 status: local 0/1000 remote 1/1000
Jul  1 12:48:45 zeus qmail-remote-handlers[5996]: Handlers Filter before-remote for qmail started ...
Jul  1 12:48:45 zeus qmail-remote-handlers[5996]: from=residualgroup@yahoo.com
Jul  1 12:48:45 zeus qmail-remote-handlers[5996]: to=dowjarrett@verizon.net
Jul  1 12:48:45 zeus qmail-remote-handlers[5996]: hook_dir = '/usr/local/psa/handlers/before-remote'
Jul  1 12:48:45 zeus qmail-remote-handlers[5996]: recipient[3] = 'dowjarrett@verizon.net'
Jul  1 12:48:45 zeus qmail-remote-handlers[5996]: handlers dir = '/usr/local/psa/handlers/before-remote/recipient/dowjarrett@verizon.net'


How can I find out and block this? 5062 emails from "residualgroup@yahoo.com" have been sent out so far...

Thanks for your help!


 Post subject: Re: Spam through my server
Unread postPosted: Fri Jul 01, 2011 11:42 am 
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3600
Location: Chantilly, VA
https://www.atomicorp.com/wiki/index.php/Spam

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 Post subject: Re: Spam through my server
Unread postPosted: Fri Jul 01, 2011 1:10 pm 
Forum User

Joined: Fri Dec 14, 2007 11:35 am
Posts: 49
Hi Michael,

Thanks for that!

That's what I'm getting:

Code:
 --------------
MESSAGE NUMBER 4044760497
 --------------
Received: (qmail 13900 invoked by uid 10071); 30 Jun 2011 23:53:44 +0100
Received: from  by zeus.serverpro.biz (envelope-from <residualgroup@yahoo.com>, uid 10047) with qmail-scanner-2.08st
 (clamdscan: 0.97.1/13253. spamassassin: 3.3.1. perlscan: 2.08st. 
 Clear:RC:1(127.0.0.1):.
 Processed in 0.899356 secs); 30 Jun 2011 22:53:44 -0000
Date: 30 Jun 2011 23:53:43 +0100
To: dnymease@verizon.net
Subject: Produs recomandat de Marlen Smith
MIME-Version: 1.0
From: Marlen Smith <orders@albinuta.co.uk>
X-Mailer: CubeCart Mailer
Reply-To: residualgroup@yahoo.com
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Message-ID: <lnmkxj.4g0uni@>

Draga dave measer,


We Already Calculated You Commission...


Click Link Below for The Details:


http://infiniteresidual.co.cc/1mw/page.php?un=dap1&e=dnymease@verizon.net



To your success,
 
Wealth Group
IM Wealth Builders Ltd.
25 Texas,USA




Code:
[root@zeus ~]# grep 10071 /etc/passwd
qscand:x:10071:121:Qmail-Scanner Account:/var/spool/qscan:/bin/false
[root@zeus ~]#


What do you make of it?

I believe it's being done through this page:

Code:
http://www.albinuta.co.uk/tellafriend/tell_969.html

according to the message headers:

Code:
X-Mailer: CubeCart Mailer

Thanks!


 Post subject: Re: Spam through my server
Unread postPosted: Fri Jul 01, 2011 2:20 pm 
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7861
Location: earth
Do you have CubeCart installed on the system? It could be coming from something in that.


 Post subject: Re: Spam through my server
Unread postPosted: Fri Jul 01, 2011 2:26 pm 
Forum User

Joined: Fri Dec 14, 2007 11:35 am
Posts: 49
Hi Scot,

Yes, that is one of the websites / businesses I own. It will be upgraded this month to a different (read: safer/better) system.

Found more details here:

http://www.cubecartforums.org/index.php?showtopic=9430

Thanks,
Adrian


 Post subject: Re: Spam through my server
Unread postPosted: Sat Jul 02, 2011 2:23 am 
Forum User

Joined: Fri Dec 14, 2007 11:35 am
Posts: 49
Identified the IP as below:

Code:
112.201.206.16 - - [02/Jul/2011:07:20:14 +0100] "GET /skins/albinuta-v1/php/ajaxCart.php?nocache=0.8260422461591068 HTTP/1.1" 200 528 "http://www.albinuta.co.uk/index.php?_a=tellafriend&productId=720" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"
112.201.206.16 - - [02/Jul/2011:07:20:15 +0100] "GET /index.php?_a=tellafriend&productId=720&catId=0 HTTP/1.1" 200 11485 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"
112.201.206.16 - - [02/Jul/2011:07:20:17 +0100] "GET /magicslideshow/magicslideshow.css HTTP/1.1" 200 2312 "http://www.albinuta.co.uk/index.php?_a=tellafriend&productId=720&catId=0" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"
112.201.206.16 - - [02/Jul/2011:07:20:17 +0100] "GET /skins/albinuta-v1/styleSheets/style.css HTTP/1.1" 200 28175 "http://www.albinuta.co.uk/index.php?_a=tellafriend&productId=720&catId=0" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"
112.201.206.16 - - [02/Jul/2011:07:20:24 +0100] "GET /skins/albinuta-v1/styleSheets/fancy.css HTTP/1.1" 200 6228 "http://www.albinuta.co.uk/index.php?_a=tellafriend&productId=720&catId=0" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"
112.201.206.16 - - [02/Jul/2011:07:20:25 +0100] "GET /skins/albinuta-v1/styleSheets/style-ro.css HTTP/1.1" 200 273 "http://www.albinuta.co.uk/index.php?_a=tellafriend&productId=720&catId=0" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"


Banned! iptables loves him!


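Added example, not code from the thread or from Atomicorp: a small script that does what the two log excerpts in this thread were read by hand for, counting outbound deliveries per envelope sender in qmail-remote-handlers lines and counting hits on the CubeCart tellafriend action per client IP, then flagging anything at or above a threshold. All log lines, addresses and IPs are constructed, and the threshold of 2 is an assumption chosen to fit the sample.

```python
# Added example, not from the thread: count outbound qmail deliveries per envelope
# sender and hits on the CubeCart "tellafriend" action per client IP, then flag
# anything over a threshold. All log lines, addresses and IPs here are constructed.
import re
from collections import Counter

# "from=<address>" lines written by the Plesk qmail-remote-handlers hook.
QMAIL_FROM = re.compile(r"qmail-remote-handlers\[\d+\]: from=(\S+)")
# Apache combined-log line: capture client IP and the request target.
ACCESS = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')

QMAIL_LOG = [  # constructed sample lines
    "Jul  1 12:48:45 zeus qmail-remote-handlers[5996]: from=spammer@example.com",
    "Jul  1 12:48:45 zeus qmail-remote-handlers[5996]: to=victim1@example.net",
    "Jul  1 12:48:46 zeus qmail-remote-handlers[6001]: from=spammer@example.com",
    "Jul  1 12:49:02 zeus qmail-remote-handlers[6010]: from=owner@example.org",
]
ACCESS_LOG = [  # constructed sample lines; 203.0.113.7 hammers tellafriend
    '203.0.113.7 - - [02/Jul/2011:07:20:15 +0100] "GET /index.php?_a=tellafriend&productId=720&catId=0 HTTP/1.1" 200 11485 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [02/Jul/2011:07:20:17 +0100] "GET /magicslideshow/magicslideshow.css HTTP/1.1" 200 2312 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [02/Jul/2011:07:20:31 +0100] "GET /index.php?_a=tellafriend&productId=721 HTTP/1.1" 200 11485 "-" "Mozilla/4.0"',
    '198.51.100.2 - - [02/Jul/2011:07:21:00 +0100] "GET /index.php?_a=tellafriend&productId=720 HTTP/1.1" 200 11485 "-" "Mozilla/4.0"',
]

def outbound_senders(lines):
    """Deliveries per envelope sender, from qmail-remote-handlers from= lines."""
    counts = Counter()
    for line in lines:
        m = QMAIL_FROM.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def tellafriend_hits(lines):
    """Requests per client IP that invoke the CubeCart tellafriend action."""
    counts = Counter()
    for line in lines:
        m = ACCESS.match(line)
        if m and "_a=tellafriend" in m.group(2):
            counts[m.group(1)] += 1
    return counts

def flag_abusers(counts, threshold):
    """Keys at or above the threshold, busiest first (threshold is a local choice)."""
    return [key for key, n in counts.most_common() if n >= threshold]

if __name__ == "__main__":
    print("senders:", flag_abusers(outbound_senders(QMAIL_LOG), 2))
    print("tellafriend abusers:", flag_abusers(tellafriend_hits(ACCESS_LOG), 2))
```

On a real host, feed it the qmail log and the vhost access log and raise the threshold to something well above normal tell-a-friend use before acting on the result.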