Huge amount of mail is sent from domains added as domain pointers

dardarlt

There is a huge amount of email messages sent from email accounts which are not on my server; only these domains are added as domain pointers. There were about 3 million messages in the exim spool.

How could this happen?

This is a sample message:

Code:
root@server193:/usr/local/directadmin/scripts# exim -Mvb 1WFrvM-0004hC-K7
1WFrvM-0004hC-K7-D
http://movigi.fr/videos.htm?kiq



------------------------------------------------------------------------------------------------------------------------------------------------------------- 13:39:18
root@server193:/usr/local/directadmin/scripts# exim -Mvh 1WFrvM-0004hC-K7
1WFrvM-0004hC-K7-H
mail 8 12
<[email protected]>
1392757792 0
-helo_name lrfpmgm®ç
-host_address 5.77.172.64.5377
-host_auth login
-interface_address xxx.xxx.xxx..xxx
-received_protocol esmtpa
-body_linecount 4
-max_received_linelength 106
-auth_id [email protected]
-deliver_firsttime
-host_lookup_failed
XX
4
[email protected]
[email protected]
[email protected]
[email protected]

187P Received: from [5.77.172.64] (helo=lrfpmgm)
	by MYSERVER.COM with esmtpa (Exim 4.76)
	(envelope-from <[email protected]>)
	id 1WFrvM-0004hC-K7; Tue, 18 Feb 2014 23:09:53 +0200
107T To: <[email protected]>, <[email protected]>, <[email protected]>, <[email protected]>
038  Date: Tue, 18 Feb 2014 21:54:51 -0700
011  Subject:
042F From: "Pfyra Wcuw" <[email protected]>
018  Mime-Version: 1.0
045  Content-Type: text/plain; charset=iso-8859-3
 
Hello,

Either your user account is compromised and you've got malware there which is sending out spam, or somebody's spoofing your domains.
 
We got this with 2 customers too but discovered it very fast.
-host_auth login
This tells you that there was an authenticated login, so it's no spoofing. In my customers' case it was spy/malware on their computers.

P.S. You should install a firewall like CSF/LFD which would warn you if there were (for example) more than 500 emails from 1 user.
However, these malware guys are smart and don't use email spamming this way. Nowadays they write 1 email with e.g. 100 CC addresses in it or something like that, so they only need 50 emails to reach 500 email addresses.
 
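As an added example (not code from the thread or from the CSF/LFD project), here is a Python script that parses the spool header layout printed by `exim -Mvh` above, keys on `-host_auth` / `-auth_id` to keep only messages submitted with SMTP AUTH, and totals envelope recipients per authenticated login, so that the "1 email with 100 CCs" pattern still trips a 500-recipient threshold that a per-message count would miss. The spool contents, message ids, addresses and IP are constructed placeholders.

```python
from collections import defaultdict

def parse_spool_header(text):
    """Parse one exim spool -H file as printed by `exim -Mvh <id>`: who
    authenticated, from where, and how many envelope recipients it carries."""
    lines = text.splitlines()
    info = {"id": lines[0][:-2], "sender": lines[2].strip("<>"),
            "host_auth": None, "auth_id": None, "host_address": None}
    i = 4                                      # from line 5 on: "-option value"
    while i < len(lines) and lines[i].startswith("-"):
        key, _, value = lines[i][1:].partition(" ")
        if key in ("host_auth", "auth_id", "host_address"):
            info[key] = value
        i += 1
    while not lines[i].isdigit():              # skip the non-recipient tree
        i += 1                                 # ("XX" when it is empty)
    count = int(lines[i])                      # then the recipient count
    info["recipients"] = [lines[i + 1 + n].split()[0] for n in range(count)]
    return info

def flag_authenticated_senders(header_texts, max_recipients=500):
    """Total envelope recipients per authenticated login (auth_id). Counting
    recipients instead of messages catches the one-message-100-CCs pattern."""
    totals = defaultdict(lambda: {"messages": 0, "recipients": 0})
    for text in header_texts:
        info = parse_spool_header(text)
        if info["host_auth"] is None:          # no SMTP AUTH: spoof/relay case
            continue
        totals[info["auth_id"]]["messages"] += 1
        totals[info["auth_id"]]["recipients"] += len(info["recipients"])
    return {u: t for u, t in totals.items() if t["recipients"] > max_recipients}

def make_header(msg_id, auth_id, n_rcpts, authenticated=True):
    """Build a constructed -H file in the thread's layout (placeholder data)."""
    opts = ["-helo_name lrfpmgm", "-host_address 198.51.100.7.5377",
            "-received_protocol " + ("esmtpa" if authenticated else "esmtp")]
    if authenticated:
        opts += ["-host_auth login", "-auth_id " + auth_id]
    rcpts = [f"victim{n}@example.net" for n in range(n_rcpts)]
    return "\n".join([msg_id + "-H", "mail 8 12", f"<{auth_id}>", "1392757792 0",
                      *opts, "-deliver_firsttime", "XX", str(n_rcpts), *rcpts, "",
                      "038  Date: Tue, 18 Feb 2014 21:54:51 -0700"]) + "\n"

# Constructed spool: 6 messages x 100 CCs from one stolen login (600 recipients in
# only 6 messages) plus one unauthenticated message, which is not counted.
SPOOL = [make_header(f"1aaaa{n}-000000-AA", "user@example.com", 100) for n in range(6)]
SPOOL.append(make_header("1aaaaZ-000000-AA", "other@example.com", 4, authenticated=False))
for user, t in flag_authenticated_senders(SPOOL).items():
    print(f"{user}: {t['messages']} messages, {t['recipients']} recipients")
```

Run against the real spool with `for f in /var/spool/exim/input/*-H` (path varies by distribution) and the totals show which login to lock before clearing the queue.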
This tends to work really well for us, simply because most spammers send to a lot of AOL users, and AOL users are very fast to report emails to AOL as spam.

http://postmaster.aol.com/Postmaster.FeedbackLoop.php

Once you create a feedback loop with AOL they'll send you a notice every time one of their clients reports your IP# as sending spam. Many of them are false alarms, but you don't need to read them all.

Just use an email rule to move them all to a special folder, and check the folder once a day or so to see if there are lots of complaints from your server. As a rule, unless we get at least five, we don't even bother, but remember it could take days for AOL users to read and report spam. So you may continue to get them even after you've found and resolved the problem.

And since AOL doesn't show you their customer's email address, you'll need to search your logs by something else; we find a search by subject useful.

Signing up for a feedback loop is simple once you understand how they verify you. You can skip everything they've written on the subject if you control [email protected] when EXAMPLE.com is the domain that's part of your servername. Just use the abuse address for all, and then the only problem you may have is with the sometimes hard-to-use Google captcha they use.

Works well for us.

Jeff
 