ThomasK
Verified User
Hi,
I have detected abuse from my directadmin servers. (multiple)
Somehow it seems possible to send emails from an account, but I'm unable to detect how they are doing this. I can find the sent mails in the email usage statistics, but it doesn't show me any details.
From the abuse messages I get I can see that they use the HELO domain name to authenticate:
Would this mean the spammers somehow got my userlist from my servers? Because it looks like they are able to authenticate successfully on the domain.
The only way they could have gotten this is by an exploit in directadmin, but I'm unaware of any.
Thomas.
Code:
Return-Path: <[email protected]>
Received: from srv03.b-c-s.nl (srv03.b-c-s.nl [88.198.65.175])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by mtaig-mac06.mx.aol.com (Internet Inbound) with ESMTPS id 23F537000008F;
    Wed, 12 Mar 2014 06:24:19 -0400 (EDT)
Received: from 225.222.broadband13.iol.cz ([90.180.222.225] helo=directadminuserdomain)
    by srv03.b-c-s.nl with esmtpa (Exim 4.69)
    (envelope-from <[email protected]>)
    id 1WNgKc-0005Uk-4N; Wed, 12 Mar 2014 11:24:17 +0100
From: "Mr. Judson" <[email protected]>
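The inner Received header quoted above is the part to read: the protocol token after "with" records whether the client passed SMTP AUTH on the Exim server. The script below is an added example, not code from the post or from DirectAdmin, that parses Exim Received headers of that shape and lists authenticated submissions (esmtpa, esmtpsa, asmtp) arriving from outside a trusted network, noting whether the HELO name matches the client's reverse DNS; TRUSTED_NETS, the example hostnames and the sample headers are constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Exim protocol tokens meaning the client authenticated (assumption: standard Exim
# names; esmtpa = ESMTP+auth, esmtpsa = ESMTP+TLS+auth, asmtp = SMTP+auth).
AUTHENTICATED = {"esmtpa", "esmtpsa", "asmtp"}

# Constructed: networks from which authenticated submission is expected.
TRUSTED_NETS = [ip_network("192.0.2.0/24")]

RECEIVED_RE = re.compile(
    r"Received:\s+from\s+(?P<rdns>\S+)\s+\(\[(?P<ip>[^\]]+)\]\s+helo=(?P<helo>[^)\s]+)\)"
    r"\s+by\s+(?P<by>\S+)\s+with\s+(?P<proto>\S+)"
)

def parse_received(header):
    """Extract client rDNS, IP, HELO, receiving host and protocol from an Exim Received: header."""
    flat = " ".join(header.split())  # fold continuation lines into one line
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    d = m.groupdict()
    d["authenticated"] = d["proto"].lower() in AUTHENTICATED
    return d

def suspicious_submissions(headers, trusted=TRUSTED_NETS):
    """Return parsed headers for authenticated submissions from outside the trusted networks."""
    out = []
    for h in headers:
        p = parse_received(h)
        if p and p["authenticated"] and not any(ip_address(p["ip"]) in n for n in trusted):
            p["helo_matches_rdns"] = p["helo"].lower() == p["rdns"].lower()
            out.append(p)
    return out

# Constructed samples in the same shape as the header quoted in the post.
SAMPLE_HEADERS = [
    "Received: from 225.222.broadband13.iol.cz ([90.180.222.225] helo=directadminuserdomain)\n"
    "\tby srv03.example.nl with esmtpa (Exim 4.69)\n"
    "\t(envelope-from <user@example.net>)\n"
    "\tid 1WNgKc-0005Uk-4N; Wed, 12 Mar 2014 11:24:17 +0100",
    "Received: from mail.example.org ([192.0.2.10] helo=mail.example.org)\n"
    "\tby srv03.example.nl with esmtpa (Exim 4.69)\n"
    "\tid 1WNgKd-0005Ul-5P; Wed, 12 Mar 2014 11:30:00 +0100",
    "Received: from mx.example.com ([198.51.100.7] helo=mx.example.com)\n"
    "\tby srv03.example.nl with esmtp (Exim 4.69)\n"
    "\tid 1WNgKe-0005Um-6Q; Wed, 12 Mar 2014 11:31:00 +0100",
]

if __name__ == "__main__":
    for s in suspicious_submissions(SAMPLE_HEADERS):
        print(f"{s['ip']} ({s['rdns']}) helo={s['helo']} proto={s['proto']} helo_matches_rdns={s['helo_matches_rdns']}")
```

Only the first sample is reported: it authenticated (esmtpa) from an untrusted broadband address with a HELO that does not match its reverse DNS, the same pattern as the abuse report.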