helpdesk spam/virus problem?

bro

Perch
I've been getting mail delivery failure messages from resellerdesk.jodohost.com and helpdesk.jodohost.com to various unconnected accounts. Most of them use email addresses that exist on the servers in some form, but have never been used publicly.

Here's a full example source of what I've received.
If I recall correctly, the address used has only ever been used in a test mail form by myself and JH support staff:

*****************************************
From - Wed Jun 07 06:37:46 2006
X-Account-Key: account2
X-UIDL: 1149676214.3168.mail3.m****here.biz,S=2006
X-Mozilla-Status: 0001
X-Mozilla-Status2: 10000000
Return-Path: <>
Delivered-To: [email protected]
Received: (qmail 3165 invoked by uid 399); 7 Jun 2006 10:30:14 -0000
Message-ID: <[email protected]****here.biz>
Delivered-To: [email protected]
Received: (qmail 3146 invoked by uid 399); 7 Jun 2006 10:30:14 -0000
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on localhost
X-Spam-Level:
X-Spam-Status: No, score=-0.9 required=4.0 tests=ALL_TRUSTED,NO_REAL_NAME
autolearn=disabled version=3.1.1
X-Virus-Scan: Scanned by clamdmail 0.15 (no viruses);
Wed, 07 Jun 2006 06:30:14 -0400
Received: from mail.m****here.biz (204.14.107.1)
by mail3.m****here.biz with SMTP; 7 Jun 2006 10:30:14 -0000
Received: (qmail 9873 invoked for bounce); 7 Jun 2006 10:30:14 -0000
Date: 7 Jun 2006 10:30:14 -0000
From: [email protected]****here.biz
To: [email protected]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="1149676213mail.m****here.biz228971"
Subject: failure notice

--1149676213mail.m****here.biz228971

Hi. This is the qmail-send program at mail.m****here.biz.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<[email protected]>:
204.14.107.1 does not like recipient.
Remote host said: 550 sorry, no mailbox here by that name (#5.1.1)
Giving up on 204.14.107.1.

--- Enclosed are the original headers of the message.

--1149676213mail.m****here.biz228971
Content-Type: message/rfc822

Return-Path: <[email protected]>
Received: (qmail 9764 invoked by uid 399); 7 Jun 2006 10:30:10 -0000
Received: from unknown (HELO helpdesk.jodohost.com) (203.92.44.82)
by mail.m****here.biz with SMTP; 7 Jun 2006 10:30:10 -0000
From: [email protected]
To: [email protected]
Subject: Re: website
Date: Wed, 7 Jun 2006 16:00:25 +0530
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0016----=_NextPart_000_0016"
X-Priority: 3
X-MSMail-Priority: Normal

(Body suppressed)

--1149676213mail.m****here.biz228971--

*****************************************



More than one appears to originate from 203.92.44.82
//
Received: from unknown (HELO helpdesk.jodohost.com) (203.92.44.82)
by mail.m****here.biz with SMTP; 7 Jun 2006 08:57:40 -0000
//


A client also received one from 203.92.44.82 with a virus 'message.scr' still attached although the virus scanner is set on this account. It was recognised as a virus when they attempted to forward it to me.

Can someone investigate this, please?
 
FYI. The latest one had the Netsky virus attached in a zip file. It was recognised by my local virus checker after download.
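The check Perch did by hand above (locating the 203.92.44.82 hop inside the enclosed headers) as an added example, not code from this thread or from JodoHost: it parses a qmail-style failure notice, pulls out the enclosed message/rfc822 part, and reads that message's earliest SMTP hop to get the injecting IP and its unverified HELO name. The sample bounce, its hostnames and addresses are constructed placeholders (203.0.113.82 is a documentation IP).

```python
import re
import email
from email import policy

# Constructed sample in the shape of the qmail failure notice quoted in the thread:
# an empty Return-Path (so it is a bounce), with the undeliverable message enclosed
# as message/rfc822. Hosts and addresses are placeholders, not the thread's values.
SAMPLE_BOUNCE = """\
Return-Path: <>
Received: (qmail 9873 invoked for bounce); 7 Jun 2006 10:30:14 -0000
Content-Type: multipart/mixed; boundary="b1"
Subject: failure notice

--b1
Content-Type: message/rfc822

Return-Path: <victim@example.biz>
Received: (qmail 9764 invoked by uid 399); 7 Jun 2006 10:30:10 -0000
Received: from unknown (HELO helpdesk.example.com) (203.0.113.82)
  by mail.example.biz with SMTP; 7 Jun 2006 10:30:10 -0000
From: victim@example.biz
Subject: Re: website

--b1--
"""

# qmail-smtpd logs a hop as "from <rDNS> (HELO <name>) (<ip>) by <host>";
# "unknown" means the IP had no reverse DNS, so the HELO name is unverified.
HOP_RE = re.compile(r"from\s+(\S+)\s+\(HELO\s+([^)]+)\)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)")

def enclosed_message(bounce):
    """Return the message/rfc822 part a bounce carries, or None."""
    return next((p.get_payload(0) for p in bounce.walk()
                 if p.get_content_type() == "message/rfc822"), None)

def origin_hop(msg):
    """Earliest SMTP hop of msg: Received headers are prepended, so read bottom-up."""
    for hdr in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(str(hdr))
        if m:
            return {"rdns": m.group(1), "helo": m.group(2), "ip": m.group(3),
                    "rdns_unknown": m.group(1) == "unknown"}
    return None

def triage_bounce(raw):
    """Flag backscatter and name the host that injected the forged original."""
    bounce = email.message_from_string(raw, policy=policy.default)
    inner = enclosed_message(bounce)
    return {"is_bounce": str(bounce.get("Return-Path", "")).strip() in ("", "<>"),
            "claimed_sender": str(inner["From"]) if inner and inner["From"] else None,
            "origin": origin_hop(inner) if inner else None}
```

Running `triage_bounce` over a mailbox of such failure notices and grouping on `origin["ip"]` gives the same answer Perch reached by reading the headers, at scale.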
 
We are actually getting flooded with them AT the support desk; it seems to be returning some funky things. I am not sure if the Cerberus parser is overloaded or what is happening at the moment, but we are checking into it.
 