visionburst
Guest
Someone seems to have found a way to use webmail on my server as a spam relay. Below is a header from one of many similar messages:
Note: ns1.porpanx.com is my server name; hardequity.biz is one of the domains I host.
Return-Path: <[email protected]>
Received: from rly-yc02.mail.aol.com (rly-yc02.mail.aol.com [172.18.205.145]) by air-yc04.mail.aol.com (v113.6) with ESMTP id MAILINYC44-1ba454c4e28204; Sat, 04 Nov 2006 03:24:27 -0500
Received: from ns1.porpanx.com (ns1.porpanx.com [67.15.88.32]) by rly-yc02.mail.aol.com (v113.6) with ESMTP id MAILRELAYINYC22-1ba454c4e28204; Sat, 04 Nov 2006 03:24:08 -0500
Received: (qmail 10963 invoked from network); 4 Nov 2006 03:24:08 -0500
Received: from localhost (127.0.0.1)
by localhost with SMTP; 4 Nov 2006 03:24:08 -0500
Received: from 196.3.62.3 ([196.3.62.3]) by webmail.hardequity.biz (Horde
MIME library) with HTTP; Sat, 4 Nov 2006 03:24:07 -0500
Message-ID: <[email protected]>
Date: Sat, 4 Nov 2006 03:24:07 -0500
From: "Dr.Haley Bryce" <[email protected]>
Reply-to: [email protected]
To:
Subject: Yours faithfully,
MIME-Version: 1.0
Content-Type: text/plain;
charset=ISO-8859-1;
DelSp="Yes";
format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
User-Agent: Internet Messaging Program (IMP) H3 (4.1.1)
X-AOL-IP: 67.15.88.32
X-Mailer: Unknown (No Version)
I opened a trouble ticket with my host and they said:
At this time I have examined your server and found nothing to indicate that the mail server is insecure; however, it is acting as a relay for spam. The only possibilities that I can suggest are that there is a PHP or Perl script on a domain on your server that is being exploited, or perhaps a remote mail server has been set up to relay mail through your system using a legitimate password for your system. You may want to audit the scripting on your server to verify that this is not a source of the relay, and perhaps also test with denying relaying altogether on the server instead of allowing it with authentication.
Does anyone have any suggestions as to where I might go from here?
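The Received chain quoted above already answers the "where did it enter" question: the oldest hop shows a remote client at 196.3.62.3 submitting the message over HTTP through the Horde/IMP webmail at webmail.hardequity.biz, so this is a webmail login (stolen or guessed password), not an open SMTP relay. The script below is an added example, not part of the original post, that walks a Received chain oldest-first and pulls out that webmail entry hop and client IP so the same check can be run over a mailbox full of bounces. The header text is copied from the post (continuation lines re-indented, since the forum flattened them); the list of hosted domains is an assumed input.

```python
import ipaddress
import re

# Received chain copied from the post above; continuation lines are indented
# here as they would be in the raw message (the forum flattened them).
RAW_HEADERS = """Received: from rly-yc02.mail.aol.com (rly-yc02.mail.aol.com [172.18.205.145]) by air-yc04.mail.aol.com (v113.6) with ESMTP id MAILINYC44-1ba454c4e28204; Sat, 04 Nov 2006 03:24:27 -0500
Received: from ns1.porpanx.com (ns1.porpanx.com [67.15.88.32]) by rly-yc02.mail.aol.com (v113.6) with ESMTP id MAILRELAYINYC22-1ba454c4e28204; Sat, 04 Nov 2006 03:24:08 -0500
Received: (qmail 10963 invoked from network); 4 Nov 2006 03:24:08 -0500
Received: from localhost (127.0.0.1)
    by localhost with SMTP; 4 Nov 2006 03:24:08 -0500
Received: from 196.3.62.3 ([196.3.62.3]) by webmail.hardequity.biz (Horde
    MIME library) with HTTP; Sat, 4 Nov 2006 03:24:07 -0500
User-Agent: Internet Messaging Program (IMP) H3 (4.1.1)
"""

# Assumed input: the domains this server hosts webmail for.
HOSTED_DOMAINS = ["hardequity.biz", "porpanx.com"]

# "from <host> (<helo/ip>) ... by <host> ... with <protocol>"; qmail's
# "(qmail N invoked from network)" lines have no by/with and will not match.
HOP_RE = re.compile(
    r"^Received:\s*(?:from\s+(?P<from>\S+)\s*(?:\((?P<helo>[^)]*)\))?)?"
    r".*?\bby\s+(?P<by>\S+)"
    r".*?\bwith\s+(?P<proto>[A-Za-z0-9]+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def unfold_headers(raw):
    """Join continuation lines (leading whitespace) onto the header they belong to."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_received(raw):
    """Return the Received hops in header order (newest first), one dict per hop."""
    hops = []
    for line in unfold_headers(raw):
        if not line.lower().startswith("received:"):
            continue
        hop = {"raw": line, "from": None, "helo": None, "by": None, "proto": None, "ip": None}
        m = HOP_RE.match(line)
        if m:
            hop.update(m.groupdict())
            ipm = IP_RE.search((hop["helo"] or "") + " " + (hop["from"] or ""))
            hop["ip"] = ipm.group(0) if ipm else None
        hops.append(hop)
    return hops


def _is_hosted(host, hosted_domains):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in hosted_domains)


def find_webmail_entry(raw, hosted_domains):
    """Walk the chain oldest-first and return the hop where a client handed the
    message to one of our webmail hosts over HTTP, i.e. the real injection point."""
    for hop in reversed(parse_received(raw)):
        if (hop["proto"] or "").upper() == "HTTP" and _is_hosted(hop["by"], hosted_domains):
            return hop
    return None


def describe_entry(hop):
    """Human-readable verdict, including whether the submitting client was remote."""
    if hop is None:
        return "no webmail submission hop found; look elsewhere (scripts, SMTP AUTH)"
    remote = hop["ip"] is not None and ipaddress.ip_address(hop["ip"]).is_global
    where = "a remote client" if remote else "a local/private address"
    return (f"message was submitted over HTTP to {hop['by']} from {where} "
            f"{hop['ip']}: check webmail/IMP login logs for that IP and the "
            f"account it authenticated as")


if __name__ == "__main__":
    print(describe_entry(find_webmail_entry(RAW_HEADERS, HOSTED_DOMAINS)))
```

Run against a directory of bounced messages, the client IP and the webmail host it hit are what to grep for in the Horde/IMP and web server logs to learn which mailbox password was used; that account's password is the thing to change, and the webmail login log is the place to look for other addresses using it.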