SPAM PROBLEM

Hello,
We have a spam problem: someone is using our server to send spam mail. We have blocked localhost from sending at this point (but Webmail in the meantime will not be able to send emails). Here is an example of spam trying to use the server:
#Software: MailEnable SMTP Server Version 1.0a
#Version: 1.0
#Date: 12/05/12 23:49:37
#Fields: date time c-ip agent account s-ip s-port cs-method cs-uristem cs-uriquery s-computername sc-bytes cs-bytes cs-username
2012-12-05 23:49:38 127.0.0.1 SMTP-IN 127.0.0.1 644 HELO HELO+VPSxxxx 250+Requested+mail+action+okay,+completed VPSxxxx 43 14
2012-12-05 23:49:38 127.0.0.1 SMTP-IN 127.0.0.1 644 MAIL MAIL+FROM:<[email protected]> 250+Requested+mail+action+okay,+completed VPSxxxx 43 40
2012-12-05 23:49:38 127.0.0.1 SMTP-IN 127.0.0.1 644 RCPT RCPT+TO:<[email protected]> 503+This+mail+server+requires+authentication+when+attempting+to+send+to+a+non-local+e-mail+address.+Please+check+your+mail+client+settings+or+contact+your+administrator+to+verify+that+the+domain+or+address+is+defined+for+this+server. VPSxxxx 235 37
2012-12-05 23:49:38 127.0.0.1 SMTP-IN 127.0.0.1 644 QUIT QUIT 221+Service+closing+transmission+channel VPSxxxx 42 6
2012-12-05 23:49:38 127.0.0.1 SMTP-IN 127.0.0.1 660 HELO HELO+VPSxxxx 250+Requested+mail+action+okay,+completed VPSxxxx 43 14
2012-12-05 23:49:38 127.0.0.1 SMTP-IN 127.0.0.1 660 MAIL MAIL+FROM:<[email protected]> 250+Requested+mail+action+okay,+completed VPSxxxx 43 36
2012-12-05 23:49:38 127.0.0.1 SMTP-IN 127.0.0.1 660 RCPT RCPT+TO:<[email protected]> 503+This+mail+server+requires+authentication+when+attempting+to+send+to+a+non-local+e-mail+address.+Please+check+your+mail+client+settings+or+contact+your+administrator+to+verify+that+the+domain+or+address+is+defined+for+this+server. VPSxxxx 235 43
2012-12-05 23:49:38 127.0.0.1 SMTP-IN 127.0.0.1 660 QUIT QUIT 221+Service+closing+transmission+channel VPSxxxx 42 6

Any help, please, to identify the source?

BR,
Hassan
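One way to triage a log like the one above, as an added example that is not from the thread or from MailEnable: a small Python parser for the SMTP-IN activity format (the #Fields header plus '+'-encoded values) that groups lines per session and reports which client IPs keep getting 503 on RCPT, i.e. unauthenticated relay attempts. It assumes the posted 12-token layout, in which the empty account and cs-username columns are simply dropped, and the sample lines and addresses are constructed.

```python
"""Summarise MailEnable SMTP-IN activity logs to spot refused relay attempts.
Added example, not from the thread. In the posted lines the empty 'account' and
'cs-username' columns are omitted, so zip() against '#Fields:' would misalign."""
from collections import Counter, defaultdict
# Column layout actually observed in the thread: 12 tokens, account/cs-username dropped.
OBSERVED_12 = ["date", "time", "c-ip", "agent", "s-ip", "s-port", "cs-method",
               "cs-uristem", "cs-uriquery", "s-computername", "sc-bytes", "cs-bytes"]

# Constructed sample modelled on the posted excerpt; addresses are placeholders.
SAMPLE_LOG = """\
#Fields: date time c-ip agent account s-ip s-port cs-method cs-uristem cs-uriquery s-computername sc-bytes cs-bytes cs-username
2012-12-05 23:49:38 127.0.0.1 SMTP-IN 127.0.0.1 644 HELO HELO+VPSxxxx 250+Requested+mail+action+okay,+completed VPSxxxx 43 14
2012-12-05 23:49:38 127.0.0.1 SMTP-IN 127.0.0.1 644 MAIL MAIL+FROM:<spammer@example.com> 250+Requested+mail+action+okay,+completed VPSxxxx 43 40
2012-12-05 23:49:38 127.0.0.1 SMTP-IN 127.0.0.1 644 RCPT RCPT+TO:<victim@example.net> 503+This+mail+server+requires+authentication VPSxxxx 235 37
2012-12-05 23:49:38 127.0.0.1 SMTP-IN 127.0.0.1 660 MAIL MAIL+FROM:<spammer@example.com> 250+Requested+mail+action+okay,+completed VPSxxxx 43 36
2012-12-05 23:49:38 127.0.0.1 SMTP-IN 127.0.0.1 660 RCPT RCPT+TO:<other@example.net> 503+This+mail+server+requires+authentication VPSxxxx 235 43
2012-12-05 23:50:01 10.0.0.5 SMTP-IN 127.0.0.1 700 RCPT RCPT+TO:<me@hosted-domain.example> 250+Requested+mail+action+okay,+completed VPSxxxx 43 43
"""

def parse_log(text):
    """Yield one dict per event line, tolerating the column-count mismatch."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        tokens = line.split()
        names = {len(fields): fields, len(OBSERVED_12): OBSERVED_12}.get(len(tokens))
        if names is None:
            continue  # unknown layout: skip rather than misattribute columns
        yield {k: v.replace("+", " ") for k, v in zip(names, tokens)}

def relay_attempts(text):
    """Per (client IP, port) session, keep those whose RCPT drew a 503 (unauthenticated relay)."""
    sessions = defaultdict(dict)
    for ev in parse_log(text):
        s = sessions[(ev["c-ip"], ev["s-port"])]
        if ev["cs-method"] == "MAIL":
            s["from"] = ev["cs-uristem"].split(":", 1)[1]
        elif ev["cs-method"] == "RCPT":
            s["to"] = ev["cs-uristem"].split(":", 1)[1]
            s["rcpt_code"] = ev["cs-uriquery"].split()[0]
    return {k: v for k, v in sessions.items() if v.get("rcpt_code") == "503"}

def sources(text):
    """Refused sessions per client IP; 127.0.0.1 means a process on the host itself (web form or uploaded script) is sending, so check web/FTP logs next."""
    return Counter(ip for ip, _ in relay_attempts(text))
```

Running sources(SAMPLE_LOG) on the constructed sample reports two refused sessions, both from 127.0.0.1, which is exactly the pattern that points at a local script rather than a remote client.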
 
This looks to be using either a compromised mail form or a hijacked FTP user/password combo that has uploaded a now rather common PHP mail bounce tool. I just had to stop and clean up several thousand such on a web server today for the same type of deal.
 
Thanks Stephen for the input. I have detected the hosted domain which is infected: as soon as I deactivate the domain, the spam stops; as soon as I activate it again, the spam starts trying to use the mail server (but localhost is deactivated so far).
Could you please help in locating and removing the infecting file(s)?
 
I am currently working (waiting for a long time) to delete the items you removed from the queue, which you ticketed... it is taking a long time due to so many files.

I will check the other part as soon as this is done. Just as a future note for you or anyone: you can skip the recycle bin by selecting the files you wish to delete and then holding SHIFT and pressing Delete; this will do a direct delete with no recycle bin.
 