Getting a lot of emails from "MAILER-DAEMON" showing spam emails.

Discussion in 'Security' started by killaklown, Feb 26, 2014.

  1. #1
    In the last 1-2 weeks, I've suddenly started getting a ton of emails from MAILER-DAEMON with emails sent to random people that I did not send.

    I'm not sure how to stop this. My email has not been compromised, and I'm afraid that with all these emails carrying my server's name, it'll get blacklisted. Any ideas on how to stop this?

    Here's the latest one from this morning. (My server is crossflame.com)

    ----------------------------------------------------------------------------
    This is the mail system at host mail.crossflame.com.

    I'm sorry to have to inform you that your message could not
    be delivered to one or more recipients. It's attached below.

    For further assistance, please send mail to postmaster.

    If you do so, please include this problem report. You can
    delete your own text from the attached returned message.

    The mail system

    <>: Host or domain name not found. Name service error
    for name=nbctv33.com type=A: Host not found

    <>: host aln-mailrelay.att.net[12.102.252.75] said:
    521-23.226.227.202 blocked by sbc:blacklist.mailrelay.att.net. 521 DNSRBL:
    Blocked for abuse. See -removed-link- (in reply to MAIL FROM
    command)

    <>: host mx1.emailsrvr.com[173.203.2.36] said:
    550 5.7.1 <>: Relay access denied. (in
    reply to RCPT TO command)

    Reporting-MTA: dns; mail.crossflame.com
    X-Postfix-Queue-ID: D5F89E600FD
    X-Postfix-Sender: rfc822; justin[at]crossflame.com
    Arrival-Date: Fri, 21 Feb 2014 03:51:59 -0500 (EST)

    Final-Recipient: rfc822;
    Action: failed
    Status: 4.4.4
    Diagnostic-Code: X-Postfix; Host or domain name not found. Name service error
    for name=nbctv33.com type=A: Host not found

    Final-Recipient: rfc822;
    Action: failed
    Status: 4.0.0
    Remote-MTA: dns; aln-mailrelay.att.net
    Diagnostic-Code: smtp; 521-23.226.227.202 blocked by
    sbc:blacklist.mailrelay.att.net. 521 DNSRBL: Blocked for abuse. See
    removed-link

    Final-Recipient: rfc822;
    Action: failed
    Status: 4.7.1
    Remote-MTA: dns; mx1.emailsrvr.com
    Diagnostic-Code: smtp; 550 5.7.1 <>: Relay
    access denied.
    Subject ***SPAM*** Ashley Williford
    From Ashley Williford
    To randy, ray sutley, recrewtr, reginald j saddler, Jen L Repovsch, resumes, resumes, rjones,ronald taylor, ross3875, RST, Cliff Russell, rwoods, Nicola Saub, sbrewer, scheduling,scott thompson, scott thompson, scott thompson, sdpaster
    Date 2014-02-27 02:51
    removed-spam-link

    ----------------------------------------------------------------------------
     
    killaklown, Feb 26, 2014 IP
  2. PoPSiCLe

    PoPSiCLe Illustrious Member

    #2
    Well, do you perhaps host anything with mail-sending capabilities on your server? Something that might have been compromised? And you need to look at the mail headers - that will show the route taken, and see if it at any time originated from your mailserver. (Although all that can be faked, few spammers actually bother to hide everything.)
     
    PoPSiCLe, Feb 26, 2014 IP
  3. killaklown

    killaklown Well-Known Member

    #3
    I don't have anything on my server (VPS) that sends emails out. I had it hosted with another host for around 4 years, and about 3-4 months ago I moved it to another host (ramnode).

    This is the source of one of the MAILER-DAEMON emails. I can't get the source of the spam email; it wasn't sent from my email (it's not in the sent folder).

     
    killaklown, Feb 26, 2014 IP
  4. jeffatrackaid

    jeffatrackaid Active Member

    #4
    There are a few reasons you could be seeing this:
    • compromised email password
    • compromised desktop
    • compromised web application
    It appears your server may already be getting a 521 error from ATT due to the spam, so you will want to get this stopped.

    The only clue I see in your post is that the email injection point appears to be:
    Received: from mycomputer (unknown [115.241.98.204])
    by mail.crossflame.com (Postfix) with ESMTPA id ECBD7E600AC;

    Would need to check the logs for this IP and email ID to see how the email is flowing into the system and then stop it.

    Once you have it cleaned up see http://www.rackaid.com/blog/att-blacklist-removal/ for details on how to get off ATT's blacklist.
     
    jeffatrackaid, Feb 26, 2014 IP
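    As a worked illustration of the pivot described above (take the queue ID and sender out of the bounce, find the matching smtpd/qmgr lines in the maillog, and see which client IP and SASL login injected the mail), here is an added Python example. It is not code from this thread, from Postfix or from ZPanel. The bounce text and maillog lines are constructed samples modelled on the report quoted in the thread (example.test domains, placeholder IPs, queue IDs shaped like the quoted ones); the set of known client IPs, the recipient fan-out threshold and all function names are assumptions made for the example.

```python
# Added example for this thread (not Postfix/ZPanel code): pivot from a bounce to
# the maillog lines that show where the message was injected.  Sample data is
# constructed (example.test domains, placeholder IPs, thread-shaped queue IDs).
import re
from collections import defaultdict

SAMPLE_BOUNCE = """\
X-Postfix-Queue-ID: D5F89E600FD
X-Postfix-Sender: rfc822; justin@example.test

Final-Recipient: rfc822; someone@nbctv33.test
Action: failed
Status: 4.4.4
Diagnostic-Code: X-Postfix; Host or domain name not found. Name service error
    for name=nbctv33.test type=A: Host not found

Final-Recipient: rfc822; other@att.test
Action: failed
Status: 4.0.0
Diagnostic-Code: smtp; 521 DNSRBL: Blocked for abuse.
"""

# Constructed maillog: two authenticated submissions from an unknown client IP,
# one from the owner's home IP, and one unauthenticated inbound message.
SAMPLE_MAILLOG = """\
Feb 21 03:51:59 mail postfix/smtpd[2201]: D5F89E600FD: client=unknown[115.241.98.204], sasl_method=LOGIN, sasl_username=justin@example.test
Feb 21 03:51:59 mail postfix/qmgr[1120]: D5F89E600FD: from=<justin@example.test>, size=2140, nrcpt=20 (queue active)
Feb 21 03:52:03 mail postfix/smtpd[2201]: ECBD7E600AC: client=unknown[115.241.98.204], sasl_method=LOGIN, sasl_username=justin@example.test
Feb 21 03:52:03 mail postfix/qmgr[1120]: ECBD7E600AC: from=<justin@example.test>, size=2140, nrcpt=25 (queue active)
Feb 21 09:14:10 mail postfix/smtpd[2310]: 1A2B3C4D5E: client=home.example.test[203.0.113.7], sasl_method=LOGIN, sasl_username=justin@example.test
Feb 21 09:14:10 mail postfix/qmgr[1120]: 1A2B3C4D5E: from=<justin@example.test>, size=980, nrcpt=1 (queue active)
Feb 21 09:20:44 mail postfix/smtpd[2315]: 9F8E7D6C5B: client=mx.partner.test[198.51.100.9]
Feb 21 09:20:44 mail postfix/qmgr[1120]: 9F8E7D6C5B: from=<alice@partner.test>, size=5120, nrcpt=1 (queue active)
"""

CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=[^\[]+"
                       r"\[(?P<ip>[^\]]+)\](?:, sasl_method=\S+, sasl_username=(?P<user>\S+))?")
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>,"
                     r" size=\d+, nrcpt=(?P<nrcpt>\d+)")

def parse_dsn(text):
    """RFC 3464 fields of a bounce: per-message block, then one block per recipient."""
    blocks = []
    for raw in re.split(r"\n\s*\n", text.strip()):
        fields, last = {}, None
        for line in raw.splitlines():
            if line[:1].isspace() and last:          # folded continuation line
                fields[last] += " " + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                last = key.strip()
                fields[last] = value.strip()
        blocks.append(fields)
    addr = lambda v: v.split(";", 1)[-1].strip()    # "rfc822; user@host" -> address
    return {"queue_id": blocks[0].get("X-Postfix-Queue-ID"),
            "sender": addr(blocks[0].get("X-Postfix-Sender", "")),
            "recipients": [{"recipient": addr(b.get("Final-Recipient", "")), "status": b.get("Status"),
                            "diagnostic": b.get("Diagnostic-Code")} for b in blocks[1:]]}

def parse_submissions(log_lines):
    """Join each smtpd 'client=' line with its qmgr 'from=' line by queue ID."""
    subs = {}
    for line in log_lines:
        if (m := CLIENT_RE.search(line)):
            # sasl_username stays None for mail that arrived without authenticating
            subs[m["qid"]] = {"queue_id": m["qid"], "client_ip": m["ip"],
                              "sasl_username": m["user"], "sender": None, "nrcpt": 0}
        elif (m := QMGR_RE.search(line)) and m["qid"] in subs:
            subs[m["qid"]].update(sender=m["sender"], nrcpt=int(m["nrcpt"]))
    return list(subs.values())

def flag_authenticated_abuse(subs, known_client_ips, max_rcpt_per_msg=10):
    """Per (SASL user, client IP): flag unknown IPs and large recipient fan-out (assumed threshold)."""
    per_source = defaultdict(lambda: {"messages": 0, "recipients": 0})
    for s in subs:
        if s["sasl_username"] is not None:           # unauthenticated inbound mail is not a login
            stats = per_source[(s["sasl_username"], s["client_ip"])]
            stats["messages"] += 1
            stats["recipients"] += s["nrcpt"]
    flagged = []
    for (user, ip), stats in sorted(per_source.items()):
        reasons = [] if ip in known_client_ips else ["unknown client IP"]
        if stats["recipients"] / stats["messages"] > max_rcpt_per_msg:
            reasons.append("large recipient fan-out")
        if reasons:
            flagged.append({"user": user, "client_ip": ip, **stats, "reasons": reasons})
    return flagged

def triage(bounce_text, log_lines, known_client_ips):
    """Return the DSN summary, the submission that produced it, and flagged sources."""
    dsn = parse_dsn(bounce_text)
    subs = parse_submissions(log_lines)
    origin = next((s for s in subs if s["queue_id"] == dsn["queue_id"]), None)
    return {"dsn": dsn, "origin": origin,
            "flagged": flag_authenticated_abuse(subs, known_client_ips)}

if __name__ == "__main__":
    for f in triage(SAMPLE_BOUNCE, SAMPLE_MAILLOG.splitlines(), {"203.0.113.7"})["flagged"]:
        print("FLAG", f)
```

    On the constructed data the bounce's queue ID resolves to a submission that authenticated as the account owner but came from the unknown IP, and that source is flagged both for the unrecognised address and for sending to 20-25 recipients per message; the owner's own session from the known IP is not flagged, and the unauthenticated inbound message is ignored because it is not a login. Against a real server the same grouping over `sasl_username` and client IP is what shows whether a password change actually stopped the submissions, or whether they continue from the same address.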
  5. killaklown

    killaklown Well-Known Member

    #5
    OK, I'll run a scan from home. I changed my password again just now (at work), so I'll see if that stops it.

    Actually, I'm wondering if it could be my phone with the virus. I've never scanned my phone, and I'm not having any issues with any other accounts I log into like my bank, PayPal, email accounts on other servers... but I don't access those on my phone.
     
    killaklown, Feb 26, 2014 IP
  6. PoPSiCLe

    PoPSiCLe Illustrious Member

    #6
    Well - the IP is an Indian IP, and both the previous and next in the sequence have been tagged by Project Honey Pot - http://www.projecthoneypot.org/ip_115.241.99.120 - so I think it's fair to say that you've been hijacked by _something_ - it might be your server that's compromised.
    This is nothing to do (most likely) with an email program - this is sending from the server's IP address (the bounced mails coming back are directed to your server's mailserver) - so unless you're sending mail directly from the server via some login, it probably won't be your client that's compromised. Also, if you have more than one email assigned, you'd assume that the problem would be on all accounts.
    Of course, scan your systems, but also make sure you close down the server properly - and make sure to run a scan on that as well
     
    PoPSiCLe, Feb 26, 2014 IP
  7. jeffatrackaid

    jeffatrackaid Active Member

    #7
    For compromised accounts, there are two methods I usually see when I do spam investigation work.

    1. Compromised Password
    This is simple -- your password is compromised. Changing the password fixes this.

    2. Piggybacking
    Some malware will piggyback on an existing SMTP connection. So even if it does not have your password, it will attempt to inject emails. This is more of a problem with POP-before-SMTP type authentication, but I still see this tactic.
     
    jeffatrackaid, Feb 26, 2014 IP
  8. killaklown

    killaklown Well-Known Member

    #8
    There's only one other email on my server and I had the owner of it check it, and it does not have any of these emails on it.
     
    killaklown, Feb 26, 2014 IP
  9. killaklown

    killaklown Well-Known Member

    #9
    Just noticed something while looking around in ZPanel on my server... I'm hoping I didn't miss a basic thing but...

    SMTP Auth method: tls
    SMTP Pass:
    SMTP Port: 25
    SMTP Server: mail.crossflame.com
    SMTP User:
    Use AUTH: true
    Use SMTP: true

    Looking at that, did I mess up and leave the default SMTP credentials on? (I'm assuming if it's blank, it's using defaults?)

    I'm not sending any emails from that server right now; should I turn SMTP off to stop the spam emails until I figure out and stop these emails? I can't log in to my VPS right now to check logs or other settings; I only have the tools on my home computer.
     
    killaklown, Feb 26, 2014 IP
  10. killaklown

    killaklown Well-Known Member

    #10
    Just checked the maillog on the server and the emails were still being sent after I changed the password at work. I've just shut off SMTP to see if that stops them until I find the issue. If it still doesn't stop it, I'm getting the data I need off the server and re-imaging it.
     
    killaklown, Feb 26, 2014 IP