SPAM PROBLEM

Discussion in 'Virtuozzo Windows VPS Hosting' started by Blek, Dec 6, 2012.

  1. Blek

    Blek Guppy

    Hello,
    We have a spam problem, someone is using our server to send spam mail. We blocked the localhost from sending at this point (but Webmail in the meantime will not be able to send emails). Here is an example of spam trying to use the server:
    #Software: MailEnable SMTP Server Version 1.0a
    #Version: 1.0
    #Date: 12/05/12 23:49:37
    #Fields: date time c-ip agent account s-ip s-port cs-method cs-uristem cs-uriquery s-computername sc-bytes cs-bytes cs-username
    2012-12-05 23:49:38 127.0.0.1 SMTP-IN 127.0.0.1 644 HELO HELO+VPSxxxx 250+Requested+mail+action+okay,+completed VPSxxxx 43 14
    2012-12-05 23:49:38 127.0.0.1 SMTP-IN 127.0.0.1 644 MAIL MAIL+FROM:<ahlmeier@caddoelectric.com> 250+Requested+mail+action+okay,+completed VPSxxxx 43 40
    2012-12-05 23:49:38 127.0.0.1 SMTP-IN 127.0.0.1 644 RCPT RCPT+TO:<hjames@growth-capital.com> 503+This+mail+server+requires+authentication+when+attempting+to+send+to+a+non-local+e-mail+address.+Please+check+your+mail+client+settings+or+contact+your+administrator+to+verify+that+the+domain+or+address+is+defined+for+this+server. VPSxxxx 235 37
    2012-12-05 23:49:38 127.0.0.1 SMTP-IN 127.0.0.1 644 QUIT QUIT 221+Service+closing+transmission+channel VPSxxxx 42 6
    2012-12-05 23:49:38 127.0.0.1 SMTP-IN 127.0.0.1 660 HELO HELO+VPSxxxx 250+Requested+mail+action+okay,+completed VPSxxxx 43 14
    2012-12-05 23:49:38 127.0.0.1 SMTP-IN 127.0.0.1 660 MAIL MAIL+FROM:<jdecker1@fms.treas.gov> 250+Requested+mail+action+okay,+completed VPSxxxx 43 36
    2012-12-05 23:49:38 127.0.0.1 SMTP-IN 127.0.0.1 660 RCPT RCPT+TO:<supreme-entd@carbotrade-spa.com> 503+This+mail+server+requires+authentication+when+attempting+to+send+to+a+non-local+e-mail+address.+Please+check+your+mail+client+settings+or+contact+your+administrator+to+verify+that+the+domain+or+address+is+defined+for+this+server. VPSxxxx 235 43
    2012-12-05 23:49:38 127.0.0.1 SMTP-IN 127.0.0.1 660 QUIT QUIT 221+Service+closing+transmission+channel VPSxxxx 42 6

    Any help to identify the source, please?

    BR,
    Hassan
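    The log quoted above can be triaged mechanically: group the SMTP-IN lines into sessions, pair each refused RCPT with the MAIL FROM from the same session, and count where the connections come from. The script below is an added example written for this thread, not MailEnable's own tooling; it assumes the field positions seen in the quoted lines (12 whitespace-separated tokens per line, even though the `#Fields` header lists 14 names) and that the `c-ip`/`s-port` pair identifies one SMTP connection. The sample log is constructed with placeholder addresses.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the layout of the MailEnable SMTP-IN log quoted in the
# post. Addresses and the third (remote, accepted) session are placeholders.
SAMPLE_LOG = """\
#Software: MailEnable SMTP Server Version 1.0a
#Version: 1.0
#Date: 12/05/12 23:49:37
#Fields: date time c-ip agent account s-ip s-port cs-method cs-uristem cs-uriquery s-computername sc-bytes cs-bytes cs-username
2012-12-05 23:49:38 127.0.0.1 SMTP-IN 127.0.0.1 644 HELO HELO+VPSxxxx 250+Requested+mail+action+okay,+completed VPSxxxx 43 14
2012-12-05 23:49:38 127.0.0.1 SMTP-IN 127.0.0.1 644 MAIL MAIL+FROM:<sender1@example.com> 250+Requested+mail+action+okay,+completed VPSxxxx 43 40
2012-12-05 23:49:38 127.0.0.1 SMTP-IN 127.0.0.1 644 RCPT RCPT+TO:<victim@example.net> 503+This+mail+server+requires+authentication+when+attempting+to+send+to+a+non-local+e-mail+address. VPSxxxx 235 37
2012-12-05 23:49:38 127.0.0.1 SMTP-IN 127.0.0.1 644 QUIT QUIT 221+Service+closing+transmission+channel VPSxxxx 42 6
2012-12-05 23:49:38 127.0.0.1 SMTP-IN 127.0.0.1 660 HELO HELO+VPSxxxx 250+Requested+mail+action+okay,+completed VPSxxxx 43 14
2012-12-05 23:49:38 127.0.0.1 SMTP-IN 127.0.0.1 660 MAIL MAIL+FROM:<sender2@example.org> 250+Requested+mail+action+okay,+completed VPSxxxx 43 36
2012-12-05 23:49:38 127.0.0.1 SMTP-IN 127.0.0.1 660 RCPT RCPT+TO:<victim2@example.net> 503+This+mail+server+requires+authentication+when+attempting+to+send+to+a+non-local+e-mail+address. VPSxxxx 235 43
2012-12-05 23:49:38 127.0.0.1 SMTP-IN 127.0.0.1 660 QUIT QUIT 221+Service+closing+transmission+channel VPSxxxx 42 6
2012-12-05 23:50:01 198.51.100.7 SMTP-IN 203.0.113.5 712 HELO HELO+mx.example.net 250+Requested+mail+action+okay,+completed VPSxxxx 43 20
2012-12-05 23:50:01 198.51.100.7 SMTP-IN 203.0.113.5 712 MAIL MAIL+FROM:<ok@example.net> 250+Requested+mail+action+okay,+completed VPSxxxx 43 30
2012-12-05 23:50:01 198.51.100.7 SMTP-IN 203.0.113.5 712 RCPT RCPT+TO:<user@hosted.example> 250+Requested+mail+action+okay,+completed VPSxxxx 43 40
"""

# Field names assumed per position from the quoted lines (12 tokens each);
# the #Fields header lists 14 names, so it is not used for parsing.
FIELDS = ("date", "time", "c_ip", "agent", "s_ip", "s_port", "method",
          "command", "response", "server", "sc_bytes", "cs_bytes")

ADDR_RE = re.compile(r"<([^>]*)>")


def parse_line(line):
    """Split one data line into a dict; return None for comments/short lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def address_in(command):
    """Pull the <address> out of a '+'-encoded MAIL/RCPT command."""
    m = ADDR_RE.search(command.replace("+", " "))
    return m.group(1) if m else ""


def find_refused_relays(log_text):
    """Return one record per RCPT the server refused with a 503 reply.

    Lines are grouped into sessions by (c-ip, s-port), assumed here to identify
    one SMTP connection, so each refused recipient can be paired with the
    MAIL FROM seen earlier in the same session.
    """
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            sessions[(rec["c_ip"], rec["s_port"])].append(rec)

    refused = []
    for (c_ip, port), recs in sessions.items():
        sender = None
        for r in recs:
            if r["method"] == "MAIL":
                sender = address_in(r["command"])
            elif r["method"] == "RCPT" and r["response"].startswith("503"):
                refused.append({
                    "time": r["date"] + " " + r["time"],
                    "client": c_ip,
                    "session": port,
                    "from": sender,
                    "to": address_in(r["command"]),
                    # A loopback client means a process on the box itself
                    # (a web script, in this thread) opened the connection.
                    "local_origin": c_ip in ("127.0.0.1", "::1"),
                })
    return refused


def summarise(refused):
    """Counts that point at the origin: per client IP and how many were local."""
    return {
        "refused": len(refused),
        "by_client": dict(Counter(a["client"] for a in refused)),
        "local_origin": sum(1 for a in refused if a["local_origin"]),
        "senders": sorted({a["from"] for a in refused if a["from"]}),
    }


if __name__ == "__main__":
    hits = find_refused_relays(SAMPLE_LOG)
    for h in hits:
        print(h)
    print(summarise(hits))
```

    Run it against the real SMTP-IN log instead of `SAMPLE_LOG` and the `by_client`/`local_origin` counts tell you whether the traffic is a script on the server (every refused attempt from 127.0.0.1) or an outside client; the per-session timestamps can then be matched against the web server's access log for the same second to find the script that opened the connection.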
  2. Stephen

    Stephen US Operations Staff Member

    This looks to be using either a compromised mail form or a hijacked FTP user/password combo that has uploaded a now rather common PHP mail bounce tool; I just had to stop and clean up several thousand such files on a web server today for the same type of deal.
  3. Blek

    Blek Guppy

    Thanks Stephen for the input. I have detected the hosted domain which is infected: as soon as I deactivate the domain, the spam stops; as soon as it is activated again, the spam starts trying to use the mail server (but localhost is deactivated so far).
    Could you please help in locating and removing the infecting file(s)?
  4. Stephen

    Stephen US Operations Staff Member

    I am currently working (waiting for a long time) to delete the items you removed from the queue, which you ticketed...it is taking a long time due to so many files.

    I will check the other part as soon as this is done. Just as a future note for you or anyone: you can skip the recycle bin by selecting the files you wish to delete, then holding SHIFT and pressing Delete; this does a direct delete with no recycle bin.
