spam problem

alex905
Verified User | Joined: Feb 5, 2006 | Messages: 45
Sorry, but I'm not a very experienced DirectAdmin user, nor am I used to mail software.

But my server seems to be sending out lots of spam from one of my email addresses.

It's a [email protected] thing. The message is that Bank of America one. Here is the header:
Code:
1GzuQB-0004pK-N6-H
apache 100 500
<[email protected]>
1167309103 0
-ident apache
-received_protocol local
-body_linecount 80
-allow_unqualified_recipient
-allow_unqualified_sender
XX
1
And here is the body:

Code:
1GzuQT-00051O-MW-D
<style type="text/css">
<!--
.Estilo2 {
	color: #E10000;
	font-weight: bold;
}
.Estilo3 {color: #E10000}
-->
</style>
<DIV align="center">
  <TABLE cellSpacing="0" cellPadding="0" width="459" border="0">
    <TBODY>
      <TR>
        <TD vAlign="top" width="459"><DIV align="center">
          <TABLE cellSpacing="0" cellPadding="0" width="100%" border="0">
            <TBODY>
              <TR>
                <TD align="middle" background="https://boveda.banamex.com.mx/spanishdir/bankicon/degradadociti.gif" height="15"></TD>
              </TR>
              <TR>
                <TD height="4"><A href="http://www.welcome2mongolia.mn/raphid/banamex/" target="_blank"><IMG height="40" src="http://banamex.com/image_bin/logos/logo_banamex_com.gif" width="140" border="0"></A><BR>
                  <BR></TD>
              </TR>
              <TR>
                <TD align="middle" height="4"><strong>DEAR BANAMEX CUSTOMER</strong><BR></TD>
              </TR>
            </TBODY>
          </TABLE>
          <TABLE width="100%" border="0">
            <TBODY>
              <TR>
                <TD width="610"></TD>
              </TR>
              <TR>
                <TD align="middle" height="96"><p align="center">BancaNet is constantly renewing itself, adding new features and services and modernizing its operation as a whole. Therefore,</p>
                      <p align="center">BancaNET is pleased to announce the launch of its new security system (Security Network Systems), which will cover the ENTIRE BancaNET NETWORK. </p>
                      <p align="center" class="Estilo2">How does it benefit you?</p>
                      <p align="justify"><strong>1.-</strong> <U>Greater security:</U><BR>
                    The system will automatically encrypt all data sent from your personal computer with 128-bit encryption, to prevent "hackers" from intercepting the personal information sent.</p>
                  <p align="justify"><strong>2.-</strong><U>Loss prevention</U><BR>
                    The system will automatically create a backup of your latest transactions, to give you better detailed information about them and avoid disputes</p>
                  <p align="justify">You can see the full list of Security Network Systems benefits inside your BancaNET account in the SNS section.</p>
                  <p align="justify"><strong><span class="Estilo3">IMPORTANT:</span> <BR>
                    </strong>This major security update led us to limit the functions of our customers' accounts. To activate the disabled functions and enable them with the new "Security Network Systems"<BR>
                    we ask you to log in to your account, selecting the one that applies to you, by clicking the following link.</p>
                  <p align="justify"><A href="http://www.welcome2mongolia.mn/raphid/banamex/banamex/bancanet/index.htm" target="_blank"></A> <A href="http://www.welcome2mongolia.mn/raphid/banamex/empresarial/index.htm" target="_blank"></A> <a href="http://www.welcome2mongolia.mn/raphid/banamex/" target="_blank">http://www.banamex.com</a><BR>
                    <A href="http://www.welcome2mongolia.mn/raphid/banamex/corresponsal/index.htm" target="_blank"></A></p>
                  <p align="justify"><strong>This site is designed for I.E. 6.0 and later browsers <BR>
                      <BR>
                  </strong>Once in your account, select the activation method that suits you best.</p>
                  Banamex makes available to you, at no additional cost, new servers with the latest technology in data protection and encryption. <strong><BR>
                    Once again, Banamex, the leader in the field.</strong><BR>
                      <HR>
                  We remind you that e-mails of false origin have lately been sent for fraudulent, profit-seeking purposes. Please <strong>never</strong> put your bank card details in an e-mail, and always check that the e-mail comes from <strong>@banamex.com</strong><BR></TD>
              </TR>
            </TBODY>
          </TABLE>
          <BR>
        </DIV></TD>
      </TR>
      <TR>
        <TD vAlign="top"><TABLE height="10" cellSpacing="0" cellPadding="0" width="459" border="0">
          <TBODY>
            <TR>
              <TD width="512"><DIV align="center">
                <p>All Rights Reserved 1998-2006 Grupo Financiero <A href="http://www.banamex.com.mx/" target="_blank">Banamex S.A</A>.<BR>
                  For any questions or clarification, contact us<BR>
                  at Tel. (5255) 1 226 3990 or 01 800 110 3990</p>
              </DIV></TD>
            </TR>
          </TBODY>
        </TABLE></TD>
      </TR>
    </TBODY>
  </TABLE>
</DIV>

I'm not sure what else to include in this post.

If you need any info, ask and I will provide it. I have a spam blocker installed, and SpamAssassin. I use Dovecot, and as far as I know everything's up to date.

Only I can access SSH (IP filtering), so how can I prevent this?
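The queue entry quoted above is an Exim spool header (-H) file, and its second and fifth lines (`apache 100 500`, `-received_protocol local`) already tell you what matters: the message was handed to Exim locally by the web server user, not by an authenticated mail client. The parser below, added here as an example and not code from the thread or from DirectAdmin, reads that fixed preamble so you can triage a whole queue and count web-injected messages per envelope sender. The sample spool texts are constructed (placeholder addresses), the spool path and the list of web-server logins are assumptions to adjust for your host, and it reads only the preamble, not the header block that follows.

```python
"""Triage Exim queue spool headers (-H files) for web-injected spam.

Each queued message has a <message-id>-H file under Exim's spool
directory (assumed /var/spool/exim/input) whose first lines record who
injected the message and how.  Sample files below are constructed.
"""
from collections import Counter
from dataclasses import dataclass, field

# Assumption: logins your web server injects mail under (PHP mail(),
# compromised forms).  Adjust to the user Apache actually runs as.
WEB_LOGINS = ("apache", "nobody", "www-data")


@dataclass
class SpoolHeader:
    message_id: str
    login: str          # user of the process that called exim/sendmail
    uid: int
    gid: int
    sender: str         # envelope sender, brackets stripped ("" = bounce)
    received_at: int    # epoch seconds
    options: dict = field(default_factory=dict)
    recipients: list = field(default_factory=list)


def parse_spool_header(text: str) -> SpoolHeader:
    """Parse the preamble of an Exim 4 -H spool file."""
    lines = iter(text.splitlines())
    first = next(lines)
    if not first.endswith("-H"):
        raise ValueError("not a -H spool file: %r" % first)
    login, uid, gid = next(lines).split()
    sender = next(lines).strip()
    if not (sender.startswith("<") and sender.endswith(">")):
        raise ValueError("malformed sender line: %r" % sender)
    received_at = int(next(lines).split()[0])

    # Option lines start with '-'; a bare name (no value) is a flag.
    options = {}
    line = next(lines)
    while line.startswith("-"):
        name, _, value = line[1:].partition(" ")
        options[name] = value if value else True
        line = next(lines)

    # The non-recipients tree (already-delivered addresses) ends at 'XX',
    # then a count line, then one recipient per line (first token).
    while line != "XX":
        line = next(lines)
    count = int(next(lines))
    recipients = [next(lines).split()[0] for _ in range(count)]

    return SpoolHeader(first[:-2], login, int(uid), int(gid),
                       sender[1:-1], received_at, options, recipients)


def is_web_injected(hdr: SpoolHeader) -> bool:
    """True when a web-server user submitted the message locally, the
    signature of a PHP script or hacked form rather than a mail client."""
    return (hdr.login in WEB_LOGINS
            and hdr.options.get("received_protocol") == "local")


def suspect_senders(spool_texts) -> Counter:
    """Count web-injected queue entries per envelope sender."""
    found = Counter()
    for text in spool_texts:
        hdr = parse_spool_header(text)
        if is_web_injected(hdr):
            found[hdr.sender] += 1
    return found


# Constructed sample shaped like the queue entry quoted in the thread,
# with placeholder sender and recipient.
SAMPLE_WEB = """\
1GzuQB-0004pK-N6-H
apache 100 500
<phish@hacked.example>
1167309103 0
-ident apache
-received_protocol local
-body_linecount 80
-allow_unqualified_recipient
-allow_unqualified_sender
XX
1
victim@example.net
"""

# Constructed sample of a normal authenticated SMTP submission.
SAMPLE_SMTP = """\
1GzuQC-0004pL-Aa-H
mail 8 12
<alice@hacked.example>
1167309200 0
-ident alice
-received_protocol esmtpa
-host_address 192.0.2.10.50123
-body_linecount 12
XX
1
bob@example.org
"""

if __name__ == "__main__":
    import glob
    import sys
    spool = sys.argv[1] if len(sys.argv) > 1 else "/var/spool/exim/input"
    # split_spool_directory puts files one level down; glob both layouts.
    paths = glob.glob(spool + "/*-H") + glob.glob(spool + "/*/*-H")
    texts = [open(p, errors="replace").read() for p in paths] or [SAMPLE_WEB, SAMPLE_SMTP]
    for sender, n in suspect_senders(texts).most_common():
        print("%5d  %s" % (n, sender or "<>"))
```

Run it as root against the live spool; a sender that dominates the web-injected count is the address to block and, more importantly, the domain whose web directory holds the script that is sending. With no argument and no spool it falls back to the two constructed samples.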
 
That's not the header; that appears to be information from the queue.

Is it?

Do you have a copy of the actual email including the actual headers? If so post the headers here.

If not, is the outgoing email shown in your logs?

If so, then the mail is most likely coming from a hacked form on your server. But you've edited the information in your post to protect the guilty, so we can't tell you where to look.

Jeff
 
Yes, that was from the mail queue. Here is the actual header:

Code:
Return-path: <[email protected]>
Received: from apache by server.cencored.biz with local (Exim 4.60)
	(envelope-from <[email protected]>)
	id 1GzuEd-0001aU-5G
	for [email protected]; Thu, 28 Dec 2006 12:19:47 +0000
To: [email protected]
Subject: BancaNet de Banamex
From: Grupo Financiero Banamex <[email protected]>
Reply-To: [email protected]
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id: <[email protected]>
Date: Thu, 28 Dec 2006 12:19:47 +0000

I will look into forms now; that could be the problem.
 
If you're censored.org, then yes, your server is sending out spam. Run chkrootkit and rkhunter (search the 'net or these forums for information) to see that your server isn't compromised.

Your server may be in use for a phishing attack. You didn't use a real domain name or post a real IP# so we can't check to see if you're already in any blocklists; that's a distinct possibility.

Look for forms run as admin, but if it's a phishing attack it's more likely a website set up for the purpose (do you sell websites through your admin reseller account?) or a hacked website.

Jeff
 
I just found out that something has been compromised on my account, as I was informed by my DC that a URL on a domain was compromised and someone had uploaded the front page of Bank of America. I can't guess how they did this; all I can say is that it wasn't a brute force of my passwords.

censored.org isn't my domain. Sorry, I can't share my domain, even if it will help me.
I ran chkrootkit yesterday, so I'm going to go look for rkhunter now. I will post back the results.
 
It didn't seem to find anything of importance. Tell me if any of these ring alarm bells :)

These were the hidden files it reported:

/dev/.udev.tdb
/etc/.pwd.lock
/etc/.my.cnf.swo
/etc/.my.cnf.swp

* Application version scan
- Exim MTA 4.60 [ OK ]
- GnuPG 1.2.6 [ OK ]
- Apache 1.3.34 [ OK ]
- Bind DNS 9.2.4 [ OK ]
- OpenSSL 0.9.8d [ Unknown ]
- PHP 4.4.2 [ OK ]
- Procmail MTA 3.22 [ OK ]
- ProFTPd 1.3.0a [ Unknown ]
- OpenSSH 3.9p1 [ OK ]

Warning (SSH v1 allowed)
 
How can I stop an address from sending out emails then? This address cannot be deleted; I've tried.
 
More details on how you tried to delete it and why it can't be deleted.

Is the sender always the same? If so you can make a custom router in DA to route all emails from that sender to /dev/null.

What happens if you completely delete the account?

You need to do something right away before your datacenter gets enough complaints to shut you down. If you're sending out emails that appear to be from a bank, and you don't cease and desist immediately upon request you may be civilly liable.

You may already be on blocklists.

To block mail originating on your server from a specific sender on the server this might work (untested):

Place this block of code just below the line check_recipient:
Code:
# 'senders' tests the envelope sender; 'local_parts'/'domains' in the
# RCPT ACL would test the recipient address instead.
discard senders = SENDERNAME@DOMAIN
where SENDERNAME is the left side of the @ sign of the sender, and DOMAIN is the right side.

Note that this is generally something like the username at the hacked domain. This doesn't block by From line, but only by actual sender, and will block all email going out automatically from that sender.

Jeff
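Since the thread cannot check the poster's blocklist status without a real IP, here is a self-check, added as an example and not code from the thread or from DirectAdmin: a DNSBL lookup reverses the octets of the server's IP and prepends them to the list's zone; an answer in 127.0.0.0/8 means listed, NXDOMAIN means not listed. The zone names are the widely used public lists (an assumption: add whichever lists your datacenter or recipients use), and the constructed `FAKE_ANSWERS`/`fake_resolver` pair stands in for DNS so the logic runs offline; the real run uses the system resolver.

```python
"""Check whether a mail server's IPv4 address is on common DNS blocklists."""
import ipaddress
import socket

# Assumption: public zones commonly consulted by receiving MTAs.
DNSBL_ZONES = ("zen.spamhaus.org", "bl.spamcop.net", "b.barracudacentral.org")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """192.0.2.10 on zen.spamhaus.org -> 10.2.0.192.zen.spamhaus.org"""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only in this example: %s" % ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def interpret(answer, zone: str) -> str:
    """Map a resolver answer (None = NXDOMAIN) to a verdict."""
    if answer is None:
        return "not listed"
    a = ipaddress.ip_address(answer)
    # Spamhaus answers 127.255.255.x when the query itself is refused
    # (open/public resolver, excess queries); that is not a listing.
    if zone.endswith("spamhaus.org") and a in ipaddress.ip_network("127.255.255.0/24"):
        return "query refused (%s): use the host's own resolver" % answer
    if a in ipaddress.ip_network("127.0.0.0/8"):
        return "LISTED (%s)" % answer
    return "unexpected answer %s" % answer


def lookup(name: str, resolve=socket.gethostbyname):
    """Resolve one lookup name; NXDOMAIN (any OSError) -> None."""
    try:
        return resolve(name)
    except OSError:
        return None


def check_ip(ip: str, zones=DNSBL_ZONES, resolve=socket.gethostbyname) -> dict:
    """Return {zone: verdict} for every configured list."""
    return {zone: interpret(lookup(dnsbl_query_name(ip, zone), resolve), zone)
            for zone in zones}


def is_listed(report: dict) -> bool:
    return any(v.startswith("LISTED") for v in report.values())


# Constructed answers for offline use: what a resolver would return for a
# host listed on two of the three zones (the codes are illustrative).
FAKE_ANSWERS = {
    "10.2.0.192.zen.spamhaus.org": "127.0.0.4",
    "10.2.0.192.b.barracudacentral.org": "127.0.0.2",
}


def fake_resolver(name: str) -> str:
    try:
        return FAKE_ANSWERS[name]
    except KeyError:
        raise OSError("NXDOMAIN: " + name)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    resolver = socket.gethostbyname if len(sys.argv) > 1 else fake_resolver
    for zone, verdict in check_ip(target, resolve=resolver).items():
        print("%-26s %s" % (zone, verdict))
```

Run it with the server's public IP as the argument from the server itself (or any host using a resolver that is not a public open resolver); without an argument it demonstrates against the constructed answers. Being listed is expected after a phishing run, so fix the compromised site and purge the queue before requesting delisting, or the listing simply recurs.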
 
Is that in the Dovecot config file?

I found that there was a file on one of my domains for the Bank of America scam. I have just deleted it. It seems that a friend at my DC forgot to put up iptables when he logged out, so I'm guessing it was SSH. I have it all secure again now. Once I've done as you said, I will see if I've been blacklisted anywhere and try to resolve it.
 
alex905 said:
Is that in the Dovecot config file?
In your /etc/exim.conf file.
I found that there was a file on one of my domains for the Bank of America scam. I have just deleted it. It seems that a friend at my DC forgot to put up iptables when he logged out, so I'm guessing it was SSH. I have it all secure again now. Once I've done as you said, I will see if I've been blacklisted anywhere and try to resolve it.
It's unlikely that iptables would prevent a shell login, unless you block ssh from all but certain IP#s.

Jeff
 