LinuxQuestions.org

Linux - Server: Is someone sending emails through my sendmail server?? (http://www.linuxquestions.org/questions/linux-server-73/is-someone-sending-emails-through-my-sendmail-server-4175412320/)

oscargim 06-19-2012 02:31 PM

Is someone sending emails through my sendmail server??
 
Hi, I'm receiving some spam emails from my account info@levelagency.com in my Hotmail inbox, and when I check the email source code I guess that the emails are being sent from my server, but I'm not sure.

The worst of this is that the email passes the sender ID auth.


This is my server IP 190.120.238.235

This is my server hostname: levelagency.com


And here is the email's source code:

Code:

x-store-info:7YsnRco0gQJ3EyekdHv0zgpxljZUE8Iw3If/ixue86IVYibP1TdXUBhx3cj+qo2yx3Tbc1WJ85e0cYr9zdxUfdSgAUxHy8eqaRPyyqkS9M4RLdoI+Yf7/9yHXoKTWR3cu2Gu6bDWVcDER/hCwjIB7Q==
Authentication-Results: hotmail.com; sender-id=pass (sender IP is 190.120.238.235) header.from=info@levelagency.com; dkim=none header.d=levelagency.com; x-hmca=pass
X-SID-PRA: info@levelagency.com
X-DKIM-Result: None
X-Message-Status: n:0:n
X-SID-Result: Pass
X-AUTH-Result: PASS
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MTtHRD0yO1NDTD0w
X-Message-Info: HY0JcSSCx0qdcQieKQEEJ96icece/ADXeT+EdM20O3KXArKunQxIslQa4axE6/ABqzrKJLr6CVjKCyeAYKRhvgrIq0AxaM4tlqpOvvJpMwhd/aQF8JxxI4Pvgu/bYTz0UlRssJn9E0RRCgCPM/7uOA==
Received: from levelagency.com ([190.120.238.235]) by SNT0-MC3-F30.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
        Tue, 19 Jun 2012 12:09:05 -0700
Received: from mnhm-4d01b809.pool.mediaWays.net (mnhm-4d01b809.pool.mediaWays.net [77.1.184.9])
        by levelagency.com (8.13.8/8.13.8) with ESMTP id q5JHAJk1003683
        for <info@levelagency.com>; Tue, 19 Jun 2012 14:10:21 -0300
Received: from apache by qbsnsgdafdjsfkab.mthai.com with local (Exim 4.67)
        (envelope-from <<info@levelagency.com>>)
        id 4XFUJR-IP13VN-SY
        for <info@levelagency.com>; Tue, 19 Jun 2012 20:09:03 +0100
To: <info@levelagency.com>
Subject: Learn how people in your profession can earn a 30% increase!
X-PHP-Script: qbsnsgdafdjsfkab.atayatirim.com.tr/sendmail.php for 77.1.184.9
From: <info@levelagency.com>
X-Sender: <info@levelagency.com>
X-Mailer: PHP
X-Priority: 1
Content-Type: text/plain; charset="us-ascii"
Message-Id: <SU0BB6-688W5H-KY@qbsnsgdafdjsfkab.dilos.com>
Date: Tue, 19 Jun 2012 20:09:03 +0100
Return-Path: pompom132@cascade.oostrozebeke.com
X-OriginalArrivalTime: 19 Jun 2012 19:09:05.0517 (UTC) FILETIME=[FEF001D0:01CD4E4E]

We invite you to work in the remote assistant position.

This work takes 2-3 hours per week and requires absolutely no investment.
The essence of this work for incoming client requests in your city.
The starting salary is about 2500 EUR per month + bonuses.

You get paid your salary every 2 weeks and your bonuses after fulfilling each task!

We guarantee work for everyone. But we accept applications this week only!
Therefore, you should write a request right now. And you will start earning money, starting from next week.

Please indicate in the request:
Your name:
Your email address:
City of residence:

Please send the request to my email Mel@workineurop.com,and I will answer you personally as soon as possible

Sincerely,
Mel Tyler


Any help please, thanks!

Kustom42 06-19-2012 03:20 PM

All of the email headers with the X- prefix are cPanel/Exim config specific and, in all honesty, I never paid any attention to them. The real gritty stuff is the Received headers. These look to indicate the email IS being generated from the server itself and looks to be coming from Apache.

The first thing you should do is disable any contact or mail forms on your website to see if that resolves the issue. If it does, you know where your problem lies and can start looking at sanitizing the form inputs to prevent people from compromising the site.

You can compare the timestamp of Tue, 19 Jun 2012 20:09:03 +0100 with your apache access logs, /var/log/httpd/access.log.

Once you find the IP of the guy who is abusing the form, add an iptables drop rule to drop his IP's connections.
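
As an added example (not code from the thread or from either poster), the script below does the Received-header reading described above mechanically. It parses a trimmed copy of the headers quoted in the question, picks out the hop written by your own MTA (the hostname levelagency.com is assumed from the question), reports whether that hop was handed in locally ("with local", typical of a web script or cron job on the box) or accepted over SMTP from a remote client IP, and then searches Apache access-log lines within two minutes of that hop's timestamp. The access-log lines are constructed for the demonstration. Only the hop your own server added is used for the verdict: each MTA prepends its own Received header, so everything below it arrived inside the message and is whatever the sender chose to write.

```python
import re
from datetime import datetime
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the Received chain quoted in the thread, trimmed to what
# this example needs. Topmost header = hop closest to the final recipient.
RAW_MESSAGE = """\
Received: from levelagency.com ([190.120.238.235]) by SNT0-MC3-F30.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
        Tue, 19 Jun 2012 12:09:05 -0700
Received: from mnhm-4d01b809.pool.mediaWays.net (mnhm-4d01b809.pool.mediaWays.net [77.1.184.9])
        by levelagency.com (8.13.8/8.13.8) with ESMTP id q5JHAJk1003683
        for <info@levelagency.com>; Tue, 19 Jun 2012 14:10:21 -0300
Received: from apache by qbsnsgdafdjsfkab.mthai.com with local (Exim 4.67)
        (envelope-from <<info@levelagency.com>>)
        id 4XFUJR-IP13VN-SY
        for <info@levelagency.com>; Tue, 19 Jun 2012 20:09:03 +0100
From: <info@levelagency.com>
To: <info@levelagency.com>
Subject: Learn how people in your profession can earn a 30% increase!

(body omitted)
"""

# Constructed Apache access-log lines (common log format) for the correlation step.
ACCESS_LOG = [
    '203.0.113.7 - - [19/Jun/2012:13:55:02 -0300] "GET /index.php HTTP/1.1" 200 5120',
    '77.1.184.9 - - [19/Jun/2012:14:10:19 -0300] "POST /contact.php HTTP/1.1" 200 312',
    '198.51.100.4 - - [19/Jun/2012:16:40:11 -0300] "GET /wp-login.php HTTP/1.1" 200 2048',
]

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"             # name the client announced; not verified
    r"(?:\s+\((?P<paren>[^)]*)\))?"     # (rdns [ip]) recorded by the receiving MTA
    r"\s+.*?by\s+(?P<by>\S+)"           # MTA that wrote this header
    r"(?:.*?\swith\s+(?P<with>\S+))?",  # transport: ESMTP, SMTP, local, ...
    re.S,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
ID_RE = re.compile(r"\bid\s+(\S+)")
APACHE_TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")


def parse_received(raw):
    """Return the Received hops as dicts, top (newest) first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        text = " ".join(value.split())           # unfold continuation lines
        m, ip, qid = RECEIVED_RE.search(text), IP_RE.search(text), ID_RE.search(text)
        stamp = text.rsplit(";", 1)[1].strip() if ";" in text else None
        hops.append({
            "helo": m.group("helo") if m else None,
            "ip": ip.group(1) if ip else None,
            "by": m.group("by") if m else None,
            "with": m.group("with") if m else None,
            "id": qid.group(1) if qid else None,
            "time": parsedate_to_datetime(stamp) if stamp else None,
        })
    return hops


def entry_hop(hops, my_host):
    """The hop our own MTA wrote. Everything below it came in with the message
    and is only as honest as the sender chose to make it."""
    return next((h for h in hops if h["by"] == my_host), None)


def classify(hop):
    """'local' = handed to the MTA on the box itself (web script, cron, shell);
    'smtp' = accepted over the network from the recorded client IP."""
    return "local" if (hop["with"] or "").lower().startswith("local") else "smtp"


def access_log_near(lines, when, window_seconds=120):
    """Access-log lines stamped within +/- window_seconds of `when`."""
    hits = []
    for line in lines:
        m = APACHE_TS_RE.search(line)
        if m:
            ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
            if abs((ts - when).total_seconds()) <= window_seconds:
                hits.append(line)
    return hits


def report(raw, my_host, access_log):
    """Where did our MTA get this message, and what was the web server doing then?"""
    hops = parse_received(raw)
    hop = entry_hop(hops, my_host)
    if hop is None:
        return {"verdict": "not-ours", "detail": "no Received header written by " + my_host}
    return {
        "verdict": classify(hop),
        "client_ip": hop["ip"],
        "queue_id": hop["id"],                 # grep this in /var/log/maillog
        "when": hop["time"].isoformat(),
        "access_log_hits": access_log_near(access_log, hop["time"]),
        "untrusted_hops_below": len(hops) - hops.index(hop) - 1,
    }


if __name__ == "__main__":
    for key, val in report(RAW_MESSAGE, "levelagency.com", ACCESS_LOG).items():
        print(f"{key}: {val}")
```

To run it against a real message, replace RAW_MESSAGE with the full source saved from the mail client and ACCESS_LOG with the lines read from the access log; the queue id in the report is the string to search for in the sendmail log to see what the MTA itself recorded for that delivery.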

Kustom42 06-19-2012 03:22 PM

After looking at your site, it's WordPress... Very notorious for compromise of this fashion. Take a look at wordpress.org/extend/plugins/email-spam-protection/; customers of mine at the web host company I worked for have used it and have reported a lot of success in protecting their contact forms.
