Spam through my server

Forum for getting help with Project Gamera, Spamassassin, Clamav, qmail-scanner and other anti-spam tools.
octet
Forum User
Posts: 64
Joined: Fri Dec 14, 2007 11:35 am

Spam through my server

Unread post by octet »

Hi guys,

In the last few days I've noticed this in the qmail log:


Jul  1 12:48:45 zeus qmail: 1309520925.236292 starting delivery 2040: msg 4044760451 to remote dowjarrett@verizon.net
Jul  1 12:48:45 zeus qmail: 1309520925.236372 status: local 0/1000 remote 1/1000
Jul  1 12:48:45 zeus qmail-remote-handlers[5996]: Handlers Filter before-remote for qmail started ...
Jul  1 12:48:45 zeus qmail-remote-handlers[5996]: from=residualgroup@yahoo.com
Jul  1 12:48:45 zeus qmail-remote-handlers[5996]: to=dowjarrett@verizon.net
Jul  1 12:48:45 zeus qmail-remote-handlers[5996]: hook_dir = '/usr/local/psa/handlers/before-remote'
Jul  1 12:48:45 zeus qmail-remote-handlers[5996]: recipient[3] = 'dowjarrett@verizon.net'
Jul  1 12:48:45 zeus qmail-remote-handlers[5996]: handlers dir = '/usr/local/psa/handlers/before-remote/recipient/dowjarrett@verizon.net'
How can I find out and block this? 5062 emails from "residualgroup@yahoo.com" have been sent out so far...

Thanks for your help!
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Spam through my server

Unread post by mikeshinn »

octet
Forum User
Posts: 64
Joined: Fri Dec 14, 2007 11:35 am

Re: Spam through my server

Unread post by octet »

Hi Michael,

Thanks for that!

That's what I'm getting:


 --------------
MESSAGE NUMBER 4044760497 
 --------------
Received: (qmail 13900 invoked by uid 10071); 30 Jun 2011 23:53:44 +0100
Received: from  by zeus.serverpro.biz (envelope-from <residualgroup@yahoo.com>, uid 10047) with qmail-scanner-2.08st 
 (clamdscan: 0.97.1/13253. spamassassin: 3.3.1. perlscan: 2.08st.  
 Clear:RC:1(127.0.0.1):. 
 Processed in 0.899356 secs); 30 Jun 2011 22:53:44 -0000
Date: 30 Jun 2011 23:53:43 +0100
To: dnymease@verizon.net
Subject: Produs recomandat de Marlen Smith
MIME-Version: 1.0
From: Marlen Smith <orders@albinuta.co.uk>
X-Mailer: CubeCart Mailer
Reply-To: residualgroup@yahoo.com
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Message-ID: <lnmkxj.4g0uni@>

Draga dave measer,


We Already Calculated You Commission...


Click Link Below for The Details:


http://infiniteresidual.co.cc/1mw/page.php?un=dap1&e=dnymease@verizon.net



To your success,
 
Wealth Group
IM Wealth Builders Ltd.
25 Texas,USA


[root@zeus ~]# grep 10071 /etc/passwd
qscand:x:10071:121:Qmail-Scanner Account:/var/spool/qscan:/bin/false
[root@zeus ~]# 
What do you make of it?

I believe it's being done through this page:


http://www.albinuta.co.uk/tellafriend/tell_969.html
according to the message headers:


X-Mailer: CubeCart Mailer
Thanks!
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: Spam through my server

Unread post by scott »

Do you have cubecart installed on the system? It could be coming from something in that
octet
Forum User
Posts: 64
Joined: Fri Dec 14, 2007 11:35 am

Re: Spam through my server

Unread post by octet »

Hi Scott,

Yes, that is one of the websites/businesses I own. It will be upgraded this month to a different (read: safer/better) system.

Found more details here:

http://www.cubecartforums.org/index.php?showtopic=9430

Thanks,
Adrian
octet
Forum User
Posts: 64
Joined: Fri Dec 14, 2007 11:35 am

Re: Spam through my server

Unread post by octet »

Identified the IP as below:


112.201.206.16 - - [02/Jul/2011:07:20:14 +0100] "GET /skins/albinuta-v1/php/ajaxCart.php?nocache=0.8260422461591068 HTTP/1.1" 200 528 "http://www.albinuta.co.uk/index.php?_a=tellafriend&productId=720" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"
112.201.206.16 - - [02/Jul/2011:07:20:15 +0100] "GET /index.php?_a=tellafriend&productId=720&catId=0 HTTP/1.1" 200 11485 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"
112.201.206.16 - - [02/Jul/2011:07:20:17 +0100] "GET /magicslideshow/magicslideshow.css HTTP/1.1" 200 2312 "http://www.albinuta.co.uk/index.php?_a=tellafriend&productId=720&catId=0" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"
112.201.206.16 - - [02/Jul/2011:07:20:17 +0100] "GET /skins/albinuta-v1/styleSheets/style.css HTTP/1.1" 200 28175 "http://www.albinuta.co.uk/index.php?_a=tellafriend&productId=720&catId=0" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"
112.201.206.16 - - [02/Jul/2011:07:20:24 +0100] "GET /skins/albinuta-v1/styleSheets/fancy.css HTTP/1.1" 200 6228 "http://www.albinuta.co.uk/index.php?_a=tellafriend&productId=720&catId=0" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"
112.201.206.16 - - [02/Jul/2011:07:20:25 +0100] "GET /skins/albinuta-v1/styleSheets/style-ro.css HTTP/1.1" 200 273 "http://www.albinuta.co.uk/index.php?_a=tellafriend&productId=720&catId=0" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"
Banned! iptables loves him!
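To turn the access-log excerpt above into something repeatable, here is an added example (not part of the original post, and not CubeCart, Plesk or Atomicorp code) that parses Apache combined-format lines, counts per client IP every request whose path or Referer carries `_a=tellafriend`, reports how many seconds that activity spanned, lists the IPs at or above a threshold and renders the matching iptables rules as strings instead of running them. The six log lines are the ones posted above; the 203.0.113.7 line is constructed to stand in for a visitor who opened the form once, and the threshold of 3 is an arbitrary choice for this example. Note that the POST that actually submits the form is not in the posted excerpt, so this counts the page loads around it; on a real server, grep the POSTs too.

```python
import re
from datetime import datetime

# Constructed sample input: the six access-log lines posted in this thread
# plus one constructed line for 203.0.113.7 (a single legitimate page load).
SAMPLE_LOG = '''112.201.206.16 - - [02/Jul/2011:07:20:14 +0100] "GET /skins/albinuta-v1/php/ajaxCart.php?nocache=0.8260422461591068 HTTP/1.1" 200 528 "http://www.albinuta.co.uk/index.php?_a=tellafriend&productId=720" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"
112.201.206.16 - - [02/Jul/2011:07:20:15 +0100] "GET /index.php?_a=tellafriend&productId=720&catId=0 HTTP/1.1" 200 11485 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"
112.201.206.16 - - [02/Jul/2011:07:20:17 +0100] "GET /magicslideshow/magicslideshow.css HTTP/1.1" 200 2312 "http://www.albinuta.co.uk/index.php?_a=tellafriend&productId=720&catId=0" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"
112.201.206.16 - - [02/Jul/2011:07:20:17 +0100] "GET /skins/albinuta-v1/styleSheets/style.css HTTP/1.1" 200 28175 "http://www.albinuta.co.uk/index.php?_a=tellafriend&productId=720&catId=0" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"
112.201.206.16 - - [02/Jul/2011:07:20:24 +0100] "GET /skins/albinuta-v1/styleSheets/fancy.css HTTP/1.1" 200 6228 "http://www.albinuta.co.uk/index.php?_a=tellafriend&productId=720&catId=0" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"
112.201.206.16 - - [02/Jul/2011:07:20:25 +0100] "GET /skins/albinuta-v1/styleSheets/style-ro.css HTTP/1.1" 200 273 "http://www.albinuta.co.uk/index.php?_a=tellafriend&productId=720&catId=0" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"
203.0.113.7 - - [02/Jul/2011:09:01:10 +0100] "GET /index.php?_a=tellafriend&productId=12 HTTP/1.1" 200 11400 "http://www.albinuta.co.uk/index.php?_a=viewProd&productId=12" "Mozilla/5.0"
'''

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# The CubeCart action that the spammer was driving (from the thread).
ABUSE_MARKER = "_a=tellafriend"


def parse_line(line):
    """Parse one combined-format line; return None for anything malformed."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_tellafriend(rec):
    """A request is 'on the form' if it loads it or is loaded from it."""
    return ABUSE_MARKER in rec["path"] or ABUSE_MARKER in rec["referer"]


def summarize(log_text):
    """Per IP: number of tell-a-friend requests, first/last timestamp and the
    span in seconds between them."""
    stats = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_tellafriend(rec):
            continue
        s = stats.setdefault(rec["ip"], {"hits": 0, "first": rec["time"], "last": rec["time"]})
        s["hits"] += 1
        s["first"] = min(s["first"], rec["time"])
        s["last"] = max(s["last"], rec["time"])
    for s in stats.values():
        s["seconds"] = (s["last"] - s["first"]).total_seconds()
    return stats


def offenders(log_text, threshold=3):
    """IPs with at least `threshold` form hits, busiest first.  The threshold
    is an arbitrary value chosen for this example."""
    stats = summarize(log_text)
    return sorted((ip for ip, s in stats.items() if s["hits"] >= threshold),
                  key=lambda ip: -stats[ip]["hits"])


def block_rules(ips):
    """Render (not execute) an iptables DROP rule per offending IP."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {s['hits']} form requests in {s['seconds']:.0f}s")
    for rule in block_rules(offenders(SAMPLE_LOG)):
        print(rule)
```

A DROP rule stops one IP; the form itself still accepts anyone's Reply-To and message text, so the fix that actually ends the relaying is on the application side (the CubeCart thread linked above), with the firewall rule as a stopgap.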