Forum for getting help with Project Gamera, Spamassassin, Clamav, qmail-scanner and other anti-spam tools.
by octet » Fri Jul 01, 2011 7:55 am
Hi guys,
In the last few days I've noticed this in the qmail log:
Code:
Jul 1 12:48:45 zeus qmail: 1309520925.236292 starting delivery 2040: msg 4044760451 to remote dowjarrett@verizon.net
Jul 1 12:48:45 zeus qmail: 1309520925.236372 status: local 0/1000 remote 1/1000
Jul 1 12:48:45 zeus qmail-remote-handlers[5996]: Handlers Filter before-remote for qmail started ...
Jul 1 12:48:45 zeus qmail-remote-handlers[5996]: from=residualgroup@yahoo.com
Jul 1 12:48:45 zeus qmail-remote-handlers[5996]: to=dowjarrett@verizon.net
Jul 1 12:48:45 zeus qmail-remote-handlers[5996]: hook_dir = '/usr/local/psa/handlers/before-remote'
Jul 1 12:48:45 zeus qmail-remote-handlers[5996]: recipient[3] = 'dowjarrett@verizon.net'
Jul 1 12:48:45 zeus qmail-remote-handlers[5996]: handlers dir = '/usr/local/psa/handlers/before-remote/recipient/dowjarrett@verizon.net'
How can I find out and block this? 5062 emails from "residualgroup@yahoo.com" have been sent out so far...
Thanks for your help!
by octet » Fri Jul 01, 2011 1:10 pm
Hi Michael,
Thanks for that!
That's what I'm getting:
Code:
--------------
MESSAGE NUMBER 4044760497
--------------
Received: (qmail 13900 invoked by uid 10071); 30 Jun 2011 23:53:44 +0100
Received: from by zeus.serverpro.biz (envelope-from <residualgroup@yahoo.com>, uid 10047) with qmail-scanner-2.08st
(clamdscan: 0.97.1/13253. spamassassin: 3.3.1. perlscan: 2.08st.
Clear:RC:1(127.0.0.1):.
Processed in 0.899356 secs); 30 Jun 2011 22:53:44 -0000
Date: 30 Jun 2011 23:53:43 +0100
To: dnymease@verizon.net
Subject: Produs recomandat de Marlen Smith
MIME-Version: 1.0
From: Marlen Smith <orders@albinuta.co.uk>
X-Mailer: CubeCart Mailer
Reply-To: residualgroup@yahoo.com
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Message-ID: <lnmkxj.4g0uni@>
Draga dave measer,
We Already Calculated You Commission...
Click Link Below for The Details:
http://infiniteresidual.co.cc/1mw/page.php?un=dap1&e=dnymease@verizon.net
To your success,
Wealth Group
IM Wealth Builders Ltd.
25 Texas,USA
Code:
[root@zeus ~]# grep 10071 /etc/passwd
qscand:x:10071:121:Qmail-Scanner Account:/var/spool/qscan:/bin/false
[root@zeus ~]#
What do you make of it?
I believe it's being done through this page:
Code:
http://www.albinuta.co.uk/tellafriend/tell_969.html
according to the message headers.
Thanks!
Atomicorp Staff - Site Admin
by scott » Fri Jul 01, 2011 2:20 pm
Do you have CubeCart installed on the system? It could be coming from something in that.
by octet » Sat Jul 02, 2011 2:23 am
Identified the IP as below:
Code:
112.201.206.16 - - [02/Jul/2011:07:20:14 +0100] "GET /skins/albinuta-v1/php/ajaxCart.php?nocache=0.8260422461591068 HTTP/1.1" 200 528 "http://www.albinuta.co.uk/index.php?_a=tellafriend&productId=720" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"
112.201.206.16 - - [02/Jul/2011:07:20:15 +0100] "GET /index.php?_a=tellafriend&productId=720&catId=0 HTTP/1.1" 200 11485 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"
112.201.206.16 - - [02/Jul/2011:07:20:17 +0100] "GET /magicslideshow/magicslideshow.css HTTP/1.1" 200 2312 "http://www.albinuta.co.uk/index.php?_a=tellafriend&productId=720&catId=0" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"
112.201.206.16 - - [02/Jul/2011:07:20:17 +0100] "GET /skins/albinuta-v1/styleSheets/style.css HTTP/1.1" 200 28175 "http://www.albinuta.co.uk/index.php?_a=tellafriend&productId=720&catId=0" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"
112.201.206.16 - - [02/Jul/2011:07:20:24 +0100] "GET /skins/albinuta-v1/styleSheets/fancy.css HTTP/1.1" 200 6228 "http://www.albinuta.co.uk/index.php?_a=tellafriend&productId=720&catId=0" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"
112.201.206.16 - - [02/Jul/2011:07:20:25 +0100] "GET /skins/albinuta-v1/styleSheets/style-ro.css HTTP/1.1" 200 273 "http://www.albinuta.co.uk/index.php?_a=tellafriend&productId=720&catId=0" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"
Banned! iptables loves him!
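As an added example (not code from the thread or from Atomicorp), here are the two correlations octet did by hand, scripted: count outbound deliveries per envelope sender from the qmail-remote-handlers `from=` lines, and count hits on the CubeCart tell-a-friend handler per client IP from the Apache access log. The log lines, addresses, IPs and thresholds below are constructed samples in the formats shown in the thread.

```python
import re
from collections import Counter

# Constructed sample of qmail-remote-handlers lines (one from=/to= pair per outbound delivery).
QMAIL_LOG = """\
Jul  1 12:48:45 zeus qmail-remote-handlers[5996]: from=residualgroup@yahoo.com
Jul  1 12:48:45 zeus qmail-remote-handlers[5996]: to=dowjarrett@verizon.net
Jul  1 12:48:46 zeus qmail-remote-handlers[5997]: from=residualgroup@yahoo.com
Jul  1 12:48:46 zeus qmail-remote-handlers[5997]: to=dnymease@verizon.net
Jul  1 12:49:02 zeus qmail-remote-handlers[6003]: from=alice@example.com
Jul  1 12:49:02 zeus qmail-remote-handlers[6003]: to=bob@example.org
Jul  1 12:49:10 zeus qmail-remote-handlers[6010]: from=residualgroup@yahoo.com
Jul  1 12:49:10 zeus qmail-remote-handlers[6010]: to=carol@example.net
"""

# Constructed Apache combined-log sample: one client hammering the tell-a-friend page.
ACCESS_LOG = """\
203.0.113.7 - - [02/Jul/2011:07:20:15 +0100] "GET /index.php?_a=tellafriend&productId=720&catId=0 HTTP/1.1" 200 11485 "-" "Mozilla/4.0"
203.0.113.7 - - [02/Jul/2011:07:20:17 +0100] "GET /skins/albinuta-v1/styleSheets/style.css HTTP/1.1" 200 28175 "-" "Mozilla/4.0"
203.0.113.7 - - [02/Jul/2011:07:20:20 +0100] "POST /index.php?_a=tellafriend&productId=720 HTTP/1.1" 200 528 "-" "Mozilla/4.0"
198.51.100.9 - - [02/Jul/2011:07:21:01 +0100] "GET /index.php?_a=tellafriend&productId=12 HTTP/1.1" 200 11485 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Jul/2011:07:21:03 +0100] "POST /index.php?_a=tellafriend&productId=721 HTTP/1.1" 200 528 "-" "Mozilla/4.0"
"""

FROM_RE = re.compile(r"qmail-remote-handlers\[\d+\]: from=(\S+)")
TELL_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) /index\.php\?_a=tellafriend')

def count_senders(log_text):
    """Outbound deliveries per envelope sender, taken from the from= line of each delivery."""
    return Counter(m.group(1) for line in log_text.splitlines()
                   if (m := FROM_RE.search(line)))

def count_tellafriend_hits(access_text):
    """Requests to the tell-a-friend handler per client IP (static assets are ignored)."""
    return Counter(m.group(1) for line in access_text.splitlines()
                   if (m := TELL_RE.match(line)))

def flag(counter, threshold):
    """Entries at or above the threshold, busiest first; these are the block candidates."""
    return [(key, n) for key, n in counter.most_common() if n >= threshold]

if __name__ == "__main__":
    print("senders over threshold:", flag(count_senders(QMAIL_LOG), 3))
    print("tell-a-friend clients over threshold:", flag(count_tellafriend_hits(ACCESS_LOG), 2))
```

On a live box, feed the real files instead of the constructed strings (for example `count_senders(open("/var/log/maillog").read())`) and pick thresholds that fit the site's normal traffic.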