Compromised server or spoofed headers? need advice
Posted by webpaladin, 04-11-2012, 05:57 PM |
Am getting HUNDREDS of emails titled "Mail Delivery Failed"
They all contain spam
here is an example of one of them:
-----------------------------------------
*******@bellsouth.net
SMTP error from remote mail server after RCPT TO:<*******@bellsouth.net>:
host gateway-f1.isp.att.net [204.127.217.16]:
551 not our customer
------ This is a copy of the message, including all the headers. ------
Return-path:
Received: from [175.139.148.25] (port=1310 helo=MYSERVER.com)
by host.MYSERVER.COM with esmtpa (Exim 4.77)
(envelope-from )
id 1SI5KC-0003VO-R7
for *******@bellsouth.net; Wed, 11 Apr 2012 17:43:38 -0400
From: "Yakov Semenov"
Subject: Hi, Button! Beauty for four buds, will you escort me?
To: ********@bellsouth.net
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="UTF-8"
Reply-To: "Yakov Semenov"
Date: Thu, 12 Apr 2012 00:43:51 +0300
---------------------------------------------
In the example above I've replaced the intended recipient's address with asterisks, my email address with "MYEMAIL@MYSERVER.COM" and my server address with "MYSERVER.COM"
I guess it's either a hijack, or someone spoofing the headers (I read about backscatter spam etc). How can I tell which case it is? I changed my pwd twice and also checked my system for malware, but the spam still continues. So my questions are:
1) How do I know if this is a spoof or compromised headers?
2) What can I do to stop this?
|
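The bounce quoted above already answers the poster's first question once the Received: header is read field by field: the line "by host.MYSERVER.COM with esmtpa" means the poster's own server accepted the message, and the protocol name esmtpa (as opposed to esmtp/esmtps) means the client passed SMTP AUTH. Pure backscatter from a forged sender never passes through the victim's server at all. The following is an added example, not code from the thread or from Exim; it parses the bounce's Received: header and classifies it. The hostnames, the documentation address 203.0.113.5 (standing in for the poster's redacted IP) and the second, backscatter header are constructed for the example.

```python
import re

# Constructed sample: the Received: header from the bounce quoted above, with
# the redacted sender filled in using the poster's own MYEMAIL@MYSERVER.COM
# placeholder and the recipient replaced by an example.net address.
BOUNCE_RECEIVED = (
    "Received: from [175.139.148.25] (port=1310 helo=MYSERVER.com)\n"
    "\tby host.MYSERVER.COM with esmtpa (Exim 4.77)\n"
    "\t(envelope-from <MYEMAIL@MYSERVER.COM>)\n"
    "\tid 1SI5KC-0003VO-R7\n"
    "\tfor victim@example.net; Wed, 11 Apr 2012 17:43:38 -0400\n"
)

# Constructed counter-example: true backscatter. The envelope sender is forged
# to look like ours, but the message was accepted by someone else's MX and never
# passed through host.MYSERVER.COM at all.
BACKSCATTER_RECEIVED = (
    "Received: from [198.51.100.7] (helo=mail.example.org)\n"
    "\tby mx.example.net with esmtp (Exim 4.77)\n"
    "\t(envelope-from <MYEMAIL@MYSERVER.COM>)\n"
    "\tid 1SI5ZZ-0000AA-00\n"
    "\tfor victim@example.net; Wed, 11 Apr 2012 17:50:00 -0400\n"
)

# Exim's Received: layout. The word after 'with' is the protocol Exim logged:
# smtp/esmtp (plain), esmtps (TLS), esmtpa/esmtpsa (client used SMTP AUTH).
RECEIVED_RE = re.compile(
    r"from \[(?P<ip>[0-9A-Fa-f.:]+)\]\s*"
    r"\((?:port=\d+\s+)?helo=(?P<helo>[^)\s]+)\)\s+"
    r"by\s+(?P<by>\S+)\s+with\s+(?P<proto>\w+)"
    r"(?:.*?\(envelope-from\s+<(?P<env_from>[^>]*)>\))?",
    re.S,
)
AUTHENTICATED = {"esmtpa", "esmtpsa"}


def parse_received(header):
    """Pull source IP, HELO name, receiving host, protocol and envelope sender."""
    m = RECEIVED_RE.search(header)
    if not m:
        raise ValueError("not an Exim-style Received: header")
    d = m.groupdict()
    d["authenticated"] = d["proto"].lower() in AUTHENTICATED
    return d


def classify(received, our_hosts, our_ips):
    """Decide what the bounce says about our server. Returns (verdict, reason).

    backscatter              accepted by a foreign host; sender forged, we were not involved
    local                    submitted from one of our own addresses (webmail, cron, web app)
    authenticated-submission our server accepted it with SMTP AUTH from a foreign IP, so
                             someone holds valid credentials for that account
    unauthenticated-relay    our server accepted it from a foreign IP without AUTH;
                             the relay rules need checking
    """
    r = received
    if r["by"].lower() not in {h.lower() for h in our_hosts}:
        return "backscatter", f"accepted by {r['by']}, not by us; sender {r['env_from']} was forged"
    if r["ip"] in our_ips:
        return "local", f"submitted from our own address {r['ip']}"
    where = f"over {r['proto']} from {r['ip']} (HELO {r['helo']})"
    if r["authenticated"]:
        return "authenticated-submission", f"our host accepted it {where}: valid credentials are in use from that address"
    return "unauthenticated-relay", f"our host accepted it {where} without AUTH: check the relay rules"


if __name__ == "__main__":
    for name, hdr in (("bounce", BOUNCE_RECEIVED), ("backscatter", BACKSCATTER_RECEIVED)):
        verdict, why = classify(parse_received(hdr), ["host.MYSERVER.COM"], {"203.0.113.5"})
        print(f"{name}: {verdict}: {why}")
```

A HELO of MYSERVER.com from an address that is not the server's own is not evidence either way (any client can claim any HELO); the decisive fields are which host accepted the message and whether the protocol word ends in "a".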
Posted by FIAHOST, 04-11-2012, 06:00 PM |
Hi
Tell us more please?
What kind of server is it? Are you using Exim? Which version? Is it a webhosting server? Can you give us more details?
If Exim is installed, run this command from SSH:
exim -bp
|
Posted by Ash, 04-11-2012, 06:01 PM |
Is that your IP? (175.139.148.25) it's from Kuala Lumpur so my first guess is no, in which case .. spoof
|
Posted by webpaladin, 04-11-2012, 06:01 PM |
it's a managed dedicated server
have opened a ticket with host but want to get advice here too
|
Posted by webpaladin, 04-11-2012, 06:02 PM |
no I'm in the USA lol
So does that mean for sure that it's a spoof? How did they know my server name (which actually starts with "host2", and that's how it shows up in the headers)?
And what can I do about this?
|
Posted by Ash, 04-11-2012, 06:05 PM |
It's being received by your server name, not being sent from it.
Last edited by Ash; 04-11-2012 at 06:09 PM.
Reason: confusing edit, removed
|
Posted by rcs, 04-11-2012, 06:16 PM |
it's more likely that someone hacked your mail password and is sending the emails from your account. Replace the password and see if you still receive the bounces.
|
Posted by FIAHOST, 04-11-2012, 06:25 PM |
If you think that your machine is spamming, you can use these commands to see what Exim is doing:
exim -bp | exiqsumm #Print summary of the messages in the queue
exiwhat #show what exim is doing right now
exim -bpc #show number of messages in the queue
exim -bp #print list of messages in the queue
|
Posted by MikeZavatta, 04-11-2012, 06:32 PM |
You can check here to test your server for an open relay. If this test shows you have an open relay you can run the following commands using SSH to fix it if you are using exim:
/scripts/fixrelayd
/etc/rc.d/init.d/antirelayd restart
service exim restart
|
Posted by webpaladin, 04-11-2012, 06:43 PM |
Exim BP with summ gives me:
--------------------------------------
28h 789 1SHgHr-0001SJ-Cb
********@cvtel.net
27h 787 1SHgug-0002eO-6i
********@demo.de
26h 731 1SHi9p-0004lg-Sz
********@edm-mobile.cn
6h 2.0K 1SI0OX-0002N1-Av
********7@vp.pl
4h 721 1SI2WL-0006gS-KW
********@patmedia.net
2h 774 1SI4hd-0002N4-HE
********@picard.sbcc.cc.ca.us
88m 763 1SI4mZ-0002SP-PK
********@pillendienst.at
77m 762 1SI4xW-0002tF-32
********@mailorderservice.com
72m 740 1SI52G-0002yR-LB
********@erizon.net
12m 860 1SI5xs-0004k5-Fg
********@jolasite.com
9m 760 1SI616-0004nw-Vw
********@adtekjobs.com
------------------------------------------
exim -bp | exiqsumm gives me:
1 760 8m 8m adtekjobs.com
1 789 28h 28h cvtel.net
1 787 27h 27h demo.de
1 731 26h 26h edm-mobile.cn
1 740 71m 71m erizon.net
1 860 11m 11m jolasite.com
1 762 76m 76m mailorderservice.com
1 721 4h 4h patmedia.net
1 774 2h 2h picard.sbcc.cc.ca.us
1 763 87m 87m pillendienst.at
1 2048 6h 6h vp.pl
-------------------------------------------------
exiwhat gives me:
19781 handling incoming connection from [41.200.85.245]:4525 I=[MY IP WAS HERE]:25
21609 daemon: -q1h, listening for SMTP on port 25 (IPv6 and IPv4) port 587 (IPv6 and IPv4) and for SMTPS on port 465 (IPv6 and IPv4)
----------------------------------------
what does the above tell me?
Last edited by webpaladin; 04-11-2012 at 06:54 PM.
|
Posted by FIAHOST, 04-11-2012, 06:55 PM |
Exim is handling connections from an IP in Africa. Is that expected?
whois 41.200.85.245
% This is the AfriNIC Whois server.
% Note: this output has been filtered.
% Information related to '41.200.0.0 - 41.200.255.255'
inetnum: 41.200.0.0 - 41.200.255.255
netname: ANIS-ADSL
descr: ADSL ANIS-nouveau produit DJAWEB
country: DZ
admin-c: SD6-AFRINIC
tech-c: SD6-AFRINIC
status: ASSIGNED PA
mnt-by: DJAWEB-MNT
source: AFRINIC # Filtered
parent: 41.200.0.0 - 41.201.255.255
person: Security Departement
address: Alger
phone: +21321922004
fax-no: +21321922004
e-mail: security@djaweb.dz
nic-hdl: SD6-AFRINIC
source: AFRINIC # Filtered
Do you see any suspicious outgoing mails in the above?
Do this please for the IP above:
grep 41.200.85.245 /var/log/exim/mainlog
and see if the IP logged successfully
|
Posted by webpaladin, 04-11-2012, 06:59 PM |
Thanks,
trying to figure out where my logs are; it's not finding it in this directory
also what does the other exim -bp output I posted mean?
|
Posted by FIAHOST, 04-11-2012, 07:04 PM |
exim -bp shows the list of emails waiting to be sent. Typically, when you have a spammer in a server, it shows thousands of emails waiting in this queue. If you see only a few emails there, it's good news.
|
Posted by webpaladin, 04-11-2012, 07:07 PM |
ok thanks, so you are saying the output above means most likely that my server is not spamming?
also assuming it's a spoof, what can I do to stop this? It's annoying because I am getting hundreds of those messages
|
Posted by FIAHOST, 04-11-2012, 07:12 PM |
Yeah, that's the problem. Anyone in the world can send spam and give anyone's email address as return address. The return address is just a parameter they can set in their emailing software. It doesn't have to be a valid email address or an address under their control.
However, for most people, the IP is not something easy to spoof and here clearly the IP is not yours.
You can go ahead and raise a ticket with your provider. It's important to let them know so they can handle any complaint.
Filter out the returned emails you are getting and make sure to answer quickly any abuse complaint you may receive.
You can try to raise a ticket with Telekom Malaysia because their IP is used to spam.
|
Posted by webpaladin, 04-11-2012, 08:13 PM |
found the log, what does this mean when I do the TAIL on it:
SMTP connection from [181.64.112.202]:22903 I=[MY-IP]:25 (TCP/IP connection count = 2)
2012-04-11 20:10:40 [32555] no host name found for IP address 181.64.112.202
2012-04-11 20:10:40 [32555] list matching forced to fail: failed to find host name for 181.64.112.202
2012-04-11 20:10:40 [32555] list matching forced to fail: failed to find host name for 181.64.112.202
is this "smtp connection" entry standard for receiving email or something, or does it mean someone connected to my server?
|
Posted by webpaladin, 04-11-2012, 08:43 PM |
what about this entry from the log:
2012-04-11 20:40:28 [4157] 1SI85K-000153-WC <= MYEMAIL@MYSERVER.COM H=(MYSERVER.COM) [187.141.74.98]:63421 I=[MY-IP]:25 P=esmtpa A=courier_login:MY_USERNAME S=778 T="HI, Honeybunch! Have a Rangers tickets for one more guy, wanna join?" from for ********@extreme-usa.com
does it confirm that my server is being used for spam?
|
Posted by webpaladin, 04-11-2012, 08:50 PM |
the above address ******@extreme-usa.com is also one I saw in exim -bp
|
Posted by foobic, 04-11-2012, 10:26 PM |
It doesn't look good.
The '<=' indicates an incoming message. Try to find the corresponding '=>' entry where your server sends this message out. This should find all log entries related to that certain message.
And
Did you already change the password for MY_USERNAME as suggested earlier?
|
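The mainlog entry quoted two posts up is the decisive one: the "<=" arrival line carries P=esmtpa and A=courier_login:MY_USERNAME, so the server accepted the message because the client authenticated as that account, which is what a stolen password looks like in Exim's log. The following is an added example, not code from the thread or from Exim; it parses mainlog lines, follows one message id from "<=" through "=>" to "Completed" as foobic suggests, and then counts, per authenticated login, how many distinct source IPs submitted mail, which is the quickest way to pick out the account whose password needs resetting. The sample log is constructed: the first two message lines are modelled on the entries quoted in this thread (recipients and the server's own IP replaced by placeholders, 203.0.113.5 standing for the redacted server address), and the remaining lines and the login "alice" are invented to give the parser something to correlate.

```python
import re
from collections import Counter, defaultdict

# Constructed sample mainlog (see lead-in); not a real log excerpt.
SAMPLE_LOG = """\
2012-04-11 20:10:40 [32555] no host name found for IP address 181.64.112.202
2012-04-11 20:40:28 [4157] 1SI85K-000153-WC <= MYEMAIL@MYSERVER.COM H=(MYSERVER.COM) [187.141.74.98]:63421 I=[203.0.113.5]:25 P=esmtpa A=courier_login:MY_USERNAME S=778 T="HI, Honeybunch! Have a Rangers tickets for one more guy, wanna join?" from <MYEMAIL@MYSERVER.COM> for rcpt@extreme-usa.com
2012-04-11 20:40:29 [4160] 1SI85K-000153-WC => rcpt@extreme-usa.com R=lookuphost T=remote_smtp H=mx.extreme-usa.com [203.0.113.10]
2012-04-11 20:40:29 [4160] 1SI85K-000153-WC Completed
2012-04-11 20:41:02 [4171] 1SI85s-0001A3-1x <= MYEMAIL@MYSERVER.COM H=(MYSERVER.COM) [41.200.85.245]:4525 I=[203.0.113.5]:25 P=esmtpa A=courier_login:MY_USERNAME S=802 T="Hi, Button! Beauty for four buds, will you escort me?" from <MYEMAIL@MYSERVER.COM> for rcpt2@example.net
2012-04-11 20:42:10 [4188] 1SI86y-0001B7-Qm <= alice@MYSERVER.COM H=(laptop) [198.51.100.20]:51022 I=[203.0.113.5]:587 P=esmtpsa A=courier_login:alice S=1024 T="Re: invoice" from <alice@MYSERVER.COM> for bob@example.org
"""

# Per-message mainlog lines: timestamp, optional [pid], the 6-6-2 message id,
# then a flag: <= arrival, => delivery, -> extra recipient, ** failure,
# == deferral, or the word Completed. Anything else (connection notices, DNS
# warnings, daemon messages) does not match and is skipped.
HEAD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?:\[\d+\] )?"
    r"(?P<id>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}) (?P<flag>\S+)(?: (?P<rest>.*))?$"
)
FIELD_RES = {
    # H=hostname (helo) [ip]  - hostname and helo are each optional
    "host": re.compile(r"H=(?:(?P<hostname>[^\s(\[]+)\s*)?(?:\((?P<helo>[^)]*)\)\s*)?\[(?P<ip>[^\]]+)\]"),
    "proto": re.compile(r"\bP=(\S+)"),      # smtp / esmtp / esmtps / esmtpa / esmtpsa
    "auth": re.compile(r"\bA=(\S+)"),       # authenticator:login, only when SMTP AUTH succeeded
    "size": re.compile(r"\bS=(\d+)"),
    "subject": re.compile(r'\bT="((?:[^"\\]|\\.)*)"'),
}
ADDRESS_FLAGS = {"<=", "=>", "->", "**", "=="}


def parse_line(line):
    """Return a dict for a per-message log line, or None for everything else."""
    m = HEAD_RE.match(line.rstrip("\n"))
    if not m:
        return None
    e = {"ts": m["ts"], "id": m["id"], "flag": m["flag"]}
    rest = m["rest"] or ""
    e["address"] = rest.split()[0] if e["flag"] in ADDRESS_FLAGS and rest else None
    h = FIELD_RES["host"].search(rest)
    e["helo"], e["ip"] = (h["helo"], h["ip"]) if h else (None, None)
    for key in ("proto", "auth", "size", "subject"):
        f = FIELD_RES[key].search(rest)
        e[key] = f.group(1) if f else None
    # A=authenticator:login; keep just the login for aggregation.
    e["auth_user"] = e["auth"].split(":", 1)[1] if e["auth"] and ":" in e["auth"] else e["auth"]
    return e


def parse_mainlog(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def trace(entries, msgid):
    """Every line for one message id: its <= arrival, => deliveries, Completed."""
    return [e for e in entries if e["id"] == msgid]


def auth_summary(entries):
    """login -> Counter of source IPs that submitted mail with that login."""
    out = defaultdict(Counter)
    for e in entries:
        if e["flag"] == "<=" and e["auth_user"]:
            out[e["auth_user"]][e["ip"]] += 1
    return out


def flag_accounts(summary, max_ips=1):
    """Logins seen authenticating from more distinct IPs than one user plausibly would."""
    return sorted(u for u, ips in summary.items() if len(ips) > max_ips)


if __name__ == "__main__":
    entries = parse_mainlog(SAMPLE_LOG)
    for e in trace(entries, "1SI85K-000153-WC"):
        print(e["ts"], e["flag"], e["address"] or "", e["ip"] or "")
    for user, ips in auth_summary(entries).items():
        print(user, dict(ips))
    print("accounts to reset:", flag_accounts(auth_summary(entries)))
```

On a real server the text would come from /var/log/exim/mainlog (the path used in this thread; the cPanel default is /var/log/exim_mainlog). The max_ips threshold of one is deliberately strict for a single mailbox; raise it for accounts legitimately used from several networks, and treat a sudden jump in distinct IPs for one login as the signal rather than any fixed number.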
Posted by webpaladin, 04-12-2012, 01:30 AM |
thanks, this is resolved now. I had changed the password several times, but turns out I did not change it everywhere. I had changed it for MY_USERNAME@MYSERVER.COM via webmail, but not for the main MY_USERNAME acct. Once I changed it for the MY_USERNAME acct the spam stopped.
thanks for all who helped!
|