Thread: someone using my user to send spam?

  1. #1
    Join Date
    Apr 2007
    Posts
    23
    Rep Power
    8

    Unhappy someone using my server to send spam?

    I got this message sent to a distribution list, which is info@MYDOMAIN.com

    Message and headers below... I'm sooo confused



    Subject: **Message you sent blocked by our bulk email filter**
    From: Barracuda Spam Firewall <postmaster@webtego.com>
    Date: Fri, 18 May 2007 14:11:58 -0400 (EDT)
    To: <info@MYDOMAIN.com>
    Received: from localhost (localhost.localdomain [127.0.0.1]) by mail.MYDOMAIN.com (Postfix) with ESMTP id 073C612081D7; Fri, 18 May 2007 14:11:14 -0400 (EDT)
    X-Virus-Scanned: amavisd-new at
    X-Spam-Score: -2.24
    X-Spam-Status: No, score=-2.24 tagged_above=-10 required=6.6 tests=[BAYES_00=-2.599, FORGED_RCVD_HELO=0.135, MIME_BASE64_NO_NAME=0.224]
    Received: from mail.MYDOMAIN.com ([127.0.0.1]) by localhost (mail.MYDOMAIN.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B7YZOMbvJ0Zb; Fri, 18 May 2007 14:11:12 -0400 (EDT)
    Received: from spamfilter.webtego.com (unknown [66.94.73.4]) by mail.MYDOMAIN.com (Postfix) with ESMTP id 7D440120818E for <info@MYDOMAIN.com>; Fri, 18 May 2007 14:11:12 -0400 (EDT)
    MIME-Version: 1.0
    Message-ID: <20070518-31223.224847.qmail@pc>
    Content-Type: multipart/report; report-type=delivery-status; charset=utf-8; boundary="----------=_1179511918-11923-29"

    Your message to: info@furniturewholesalers.com
    was blocked by our Spam Firewall. The email you sent with the following subject has NOT BEEN DELIVERED:

    Subject: Best OnlineHelp




    Reporting-MTA: dns; spamfilter.webtego.com
    Received-From-MTA: smtp; spamfilter.webtego.com ([127.0.0.1])
    Arrival-Date: Fri, 18 May 2007 14:11:58 -0400 (EDT)

    Final-Recipient: rfc822; info@furniturewholesalers.com
    Action: failed
    Status: 5.7.1
    Diagnostic-Code: smtp; 550 5.7.1 Message content rejected, UBE, id=11923-01-27
    Last-Attempt-Date: Fri, 18 May 2007 14:11:58 -0400 (EDT)



    Received: from pc (unknown [12.206.184.229])
    by spamfilter.webtego.com (Spam Firewall) with SMTP id 5AC841515B
    for <info@furniturewholesalers.com>; Fri, 18 May 2007 14:11:57 -0400 (EDT)
    Delivered-To: <info@furniturewholesalers.com>
    Received: (qmail 224845 by uid 190); Fri, 18 May 2007 02:12:23 -0500
    Date: Fri, 18 May 2007 02:12:23 -0500
    Received: from pc (12.206.184.229)
    by pc with SMTP;
    Received: (qmail 224845 by uid 190); Fri, 18 May 2007 02:12:23 -0500
    Message-Id: <20070518-31223.224847.qmail@pc>
    To: <info@furniturewholesalers.com>
    Subject: Best OnlineHelp
    From: Cherie@viagraonline.com <info@furniturewholesalers.com>
    MIME-Version: 1.0
    Content-Type: text/html; charset="iso-8859-1"
    Content-Transfer-Encoding: 8bit

    Part 1.2

    Content-Description: Delivery error report
    Content-Type: message/delivery-status
    Content-Encoding: 7bit

    Part 1.3

    Content-Description: Undelivered-message headers
    Content-Type: text/rfc822-headers
    Content-Encoding: 7bit
    Last edited by gsilver; 05-18-2007 at 12:24 PM. Reason: incorrect title of post

  2. #2
    Join Date
    Apr 2007
    Posts
    23
    Rep Power
    8

    Default

    zimbra@mail:~$ zmmsgtrace -i 20070518-31223.224847.qmail@pc
    Tracing messages
    ID 20070518-31223.224847.qmail@pc


    Message ID 20070518-31223.224847.qmail@pc
    postmaster -->
    archiveall@mail.MYDOMAIN.com
    gsilver@MYDOMAIN.com
    maraiz@MYDOMAIN.com
    mlowlicht@MYDOMAIN.com
    rvialva@MYDOMAIN.com
    Recipient archiveall@mail.MYDOMAIN.com
    2007-05-18 14:11:12 - unknown (66.94.73.4) --> mail
    2007-05-18 14:11:14 - mail --> 127.0.0.1 (127.0.0.1) status sent
    2007-05-18 14:11:14 Passed by amavisd on mail (CLEAN) HITS: -2.24 in 1409 ms
    2007-05-18 14:11:14 - localhost.localdomain (127.0.0.1) --> mail
    2007-05-18 14:11:14 - mail --> mail.MYDOMAIN.com (MY.IP.ADDRESS) status sent
    Recipient gsilver@MYDOMAIN.com
    2007-05-18 14:11:12 - unknown (66.94.73.4) --> mail
    2007-05-18 14:11:14 - mail --> 127.0.0.1 (127.0.0.1) status sent
    2007-05-18 14:11:14 Passed by amavisd on mail (CLEAN) HITS: -2.24 in 1409 ms
    2007-05-18 14:11:14 - localhost.localdomain (127.0.0.1) --> mail
    2007-05-18 14:11:14 - mail --> mail.MYDOMAIN.com (MY.IP.ADDRESS) status sent
    Recipient maraiz@MYDOMAIN.com
    2007-05-18 14:11:12 - unknown (66.94.73.4) --> mail
    2007-05-18 14:11:14 - mail --> 127.0.0.1 (127.0.0.1) status sent
    2007-05-18 14:11:14 Passed by amavisd on mail (CLEAN) HITS: -2.24 in 1409 ms
    2007-05-18 14:11:14 - localhost.localdomain (127.0.0.1) --> mail
    2007-05-18 14:11:14 - mail --> mail.MYDOMAIN.com (MY.IP.ADDRESS) status sent
    Recipient mlowlicht@MYDOMAIN.com
    2007-05-18 14:11:12 - unknown (66.94.73.4) --> mail
    2007-05-18 14:11:14 - mail --> 127.0.0.1 (127.0.0.1) status sent
    2007-05-18 14:11:14 Passed by amavisd on mail (CLEAN) HITS: -2.24 in 1409 ms
    2007-05-18 14:11:14 - localhost.localdomain (127.0.0.1) --> mail
    2007-05-18 14:11:14 - mail --> mail.MYDOMAIN.com (MY.IP.ADDRESS) status sent
    Recipient rvialva@MYDOMAIN.com
    2007-05-18 14:11:12 - unknown (66.94.73.4) --> mail
    2007-05-18 14:11:14 - mail --> 127.0.0.1 (127.0.0.1) status sent
    2007-05-18 14:11:14 Passed by amavisd on mail (CLEAN) HITS: -2.24 in 1409 ms
    2007-05-18 14:11:14 - localhost.localdomain (127.0.0.1) --> mail
    2007-05-18 14:11:14 - mail --> mail.MYDOMAIN.com (MY.IP.ADDRESS) status sent

    1 messages found

    zimbra@mail:~$
    Last edited by gsilver; 05-18-2007 at 01:01 PM.

  3. #3
    Join Date
    Aug 2006
    Posts
    122
    Rep Power
    9

    Default

    Read some of these results to gain a better understanding.


  4. #4
    Join Date
    Mar 2007
    Posts
    44
    Rep Power
    8

    Default

    The biggest thing to look for in spam, or in a suspected spam message, is the "received by" option in the header.

    Looking at yours, the recipient of the spam received the spam message from:

    12.206.184.229

    Which actually resolves to Mediacom Communications Corp NET-12-206-128-0-1 according to a whois lookup at ARIN.

    So unless you are Mediacom, it would not come from your server.
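
Added example (not part of any post in this thread): the check described in the last reply, written in Python. It reads only the Received line stamped by the Reporting-MTA named in the bounce, since lines below it were supplied by the sender and can be forged, and compares the client IP recorded there with your own server's address. `MY_NETWORKS` is a placeholder and the function names are illustrative.

```python
import email
import ipaddress
import re

# Returned-message headers quoted in the bounce (continuation lines re-indented).
BOUNCED_HEADERS = """\
Received: from pc (unknown [12.206.184.229])
  by spamfilter.webtego.com (Spam Firewall) with SMTP id 5AC841515B
  for <info@furniturewholesalers.com>; Fri, 18 May 2007 14:11:57 -0400 (EDT)
Received: (qmail 224845 by uid 190); Fri, 18 May 2007 02:12:23 -0500
Received: from pc (12.206.184.229)
  by pc with SMTP;
Message-Id: <20070518-31223.224847.qmail@pc>
Subject: Best OnlineHelp
"""
REPORTING_MTA = "spamfilter.webtego.com"  # Reporting-MTA field of the bounce
MY_NETWORKS = ["192.0.2.10/32"]           # placeholder: your server's public IP

BY_RE = re.compile(r"\bby\s+(\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # bracketed IPv4 literal


def handoff_ip(headers_text, trusted_mta):
    """Return the client IP that trusted_mta itself recorded, or None."""
    msg = email.message_from_string(headers_text)
    for received in msg.get_all("Received", []):
        by = BY_RE.search(received)
        if by and by.group(1).lower() == trusted_mta.lower():
            # Only the "from ..." clause before "by" describes the client.
            ip = IP_RE.search(received[:by.start()])
            return ipaddress.ip_address(ip.group(1)) if ip else None
    return None


def came_from_my_server(headers_text, trusted_mta, my_networks):
    """True if the rejected message was handed over from one of my_networks."""
    ip = handoff_ip(headers_text, trusted_mta)
    if ip is None:
        raise ValueError("no Received line stamped by " + trusted_mta)
    return any(ip in ipaddress.ip_network(net) for net in my_networks)


if __name__ == "__main__":
    print("handed over by:", handoff_ip(BOUNCED_HEADERS, REPORTING_MTA))
    print("from my server:",
          came_from_my_server(BOUNCED_HEADERS, REPORTING_MTA, MY_NETWORKS))
```

A `False` result here means the bounce is a reply to mail that only used your address as its forged sender; a `True` result is the case that calls for checking your own server's logs.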
