my Server is suddenly being used for unauthorised SPAM

Discussion in 'Installation/Configuration' started by pawan, Aug 19, 2010.

  1. pawan

    pawan New Member

    Dear all,
    What steps should I take to stop this, as there are a number of mails like this that I received today all of a sudden? I do not have any such user like ebihoegac2233 on my server, but the returned mail shows X-Postfix-Sender: rfc822; ----@mywebsolutions.co.in.

    How can I stop this? What measures should I take?


    Code:
    Reporting-MTA: dns; dns1s24dcb.secure-24.net
    X-Postfix-Queue-ID: 91A658C9C70
    X-Postfix-Sender: rfc822; ebihoegac2233@mywebsolutions.co.in
    Arrival-Date: Thu, 19 Aug 2010 10:19:07 -0400 (EDT)
    
    Final-Recipient: rfc822; larue@unitedroad.com
    Original-Recipient: rfc822;larue@unitedroad.com
    Action: failed
    Status: 5.1.1
    Remote-MTA: dns; a.mx.secure-24.net
    Diagnostic-Code: smtp; 550 5.1.1 <larue@unitedroad.com>: Recipient address
        rejected: User unknown in relay recipient table
     
  2. HyperAtom

    HyperAtom New Member

    I think it's just spammers spoofing a mailbox which doesn't exist on your domain. I'm not entirely sure, but have you tried setting up an SPF record in your DNS?
     
  3. pawan

    pawan New Member

    Yes I am using SPF.

    Like: v=spf1 mx ~all

    Can I make it more stringent?

    Here are the contents of another returned mail, which even mentions my IP address, i.e. 59.90144.48

    Hi. This is the qmail-send program at mail.bsa-romania.com.
    I'm afraid I wasn't able to deliver your message to the following addresses.
    This is a permanent error; I've given up. Sorry it didn't work out.

    <geeageneral@bsa-romania.com>:
    Sorry, no mailbox here by that name. (#5.1.1)

    --- Below this line is a copy of the message.

    Return-Path: <emisyu4996@mywebsolutions.co.in>
    Received: (qmail 27607 invoked by uid 507); 19 Aug 2010 16:23:00 +0300
    Received: from mywebsolutions.co.in (59.90.144.48)
    by mail.bsa-romania.com with SMTP; 19 Aug 2010 16:23:00 +0300
    From: <emisyu4996@mywebsolutions.co.in>
    To: geeageneral@bsa-romania.com
    Date: Thu, 19 Aug 2010 18:53:02 +0530
    Subject: Don't be a killjoy when the lights go off
    Reply-To: <emisyu4996@mywebsolutions.co.in>
    MIME-Version: 1.0
    Content-Type: text/plain; charset="ISO-8859-1"
    Content-Transfer-Encoding: 8bit

    Check out our latest packages on traditional medical cures
    http://www.hammerlabs.ru/
     
    Last edited: Aug 19, 2010
  4. HyperAtom

    HyperAtom New Member

    I'm pretty sure it's nothing to worry about; the fact your IP is listed in the header is just the recipient's mailserver resolving your domain, which has been spoofed anyway.

    I take it you're receiving these failed delivery reports from the admin account of your mailserver?
     
  5. pawan

    pawan New Member

    I am much worried and need a solution ASAP, as after these mails my IP has also appeared in the PBL & CBL databases as blacklisted, and there it is mentioned that

    Code:
    This IP is infected (or NATting for a computer that is infected) with the rustock spambot.
    So, dear HyperAtom and all senior members, please help me take some measures to resolve it.
     
  6. HyperAtom

    HyperAtom New Member

    This may be more serious than I thought; it seems the mail is really coming from your server. The best thing I can think of temporarily is to use OpenDNS servers, which block botnets, until some of the other members come up with something.

    Check your clamav logs + rkhunter for any warnings.
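The thread turns on one question: did the remote MTA receive this spam from pawan's own IP, or is the sender address merely forged (backscatter)? The address in the `Received: from ... (ip)` clause answers it, because the receiving MTA records the TCP peer it actually talked to, while the HELO name and From: header are attacker-controlled. The following is an added example, not code from the thread: it unfolds the headers of a bounced copy and classifies it against the server's own address. The second sample (203.0.113.77) is a constructed forged-sender case for comparison.

```python
import re
import ipaddress

# Sample 1: the bounce copy quoted in the thread (headers only).
REAL_RELAY = """Return-Path: <emisyu4996@mywebsolutions.co.in>
Received: (qmail 27607 invoked by uid 507); 19 Aug 2010 16:23:00 +0300
Received: from mywebsolutions.co.in (59.90.144.48)
  by mail.bsa-romania.com with SMTP; 19 Aug 2010 16:23:00 +0300
From: <emisyu4996@mywebsolutions.co.in>
To: geeageneral@bsa-romania.com
"""

# Sample 2: constructed forged-sender case; 203.0.113.77 is a documentation address.
SPOOFED = """Return-Path: <ebihoegac2233@mywebsolutions.co.in>
Received: from unknown (HELO mywebsolutions.co.in) (203.0.113.77)
  by a.mx.secure-24.net with SMTP; 19 Aug 2010 10:19:07 -0400
From: <ebihoegac2233@mywebsolutions.co.in>
"""

# Public address of the server under suspicion (from the thread).
OUR_IPS = {ipaddress.ip_address("59.90.144.48")}
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def unfold(raw):
    """Join RFC 5322 continuation lines (leading whitespace) onto their header."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line)
    return headers


def connecting_ips(raw):
    """Peer addresses from each 'Received: from ...' clause, newest hop first."""
    ips = []
    for hdr in unfold(raw):
        if hdr.lower().startswith("received: from"):
            from_clause = hdr.split(" by ", 1)[0]  # drop the receiving side
            for token in IPV4.findall(from_clause):
                try:
                    ips.append(ipaddress.IPv4Address(token))
                except ValueError:
                    pass  # e.g. 999.1.1.1 inside a hostname
    return ips


def classify(raw):
    """'relayed-by-us' means our host handed the mail over: SPF 'mx ~all' passes it,
    so the fix is on the server (compromised host or open relay), not in DNS."""
    return "relayed-by-us" if any(ip in OUR_IPS for ip in connecting_ips(raw)) else "forged-sender"
```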
     
