LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 06-19-2012, 02:31 PM   #1
oscargim
LQ Newbie
 
Registered: Mar 2011
Location: Argentina
Distribution: CentOS 5.8 32 Bits
Posts: 27

Is someone sending emails through my sendmail server??


Hi, I'm receiving some spam emails from my account info@levelagency.com in my Hotmail inbox, and when I check the email source code I guess that the emails are being sent from my server, but I'm not sure.

The worst of this is that the email passes the Sender ID auth.


This is my server IP: 190.120.238.235

This is my server hostname: levelagency.com


And here is the email's source code:

Code:
x-store-info:7YsnRco0gQJ3EyekdHv0zgpxljZUE8Iw3If/ixue86IVYibP1TdXUBhx3cj+qo2yx3Tbc1WJ85e0cYr9zdxUfdSgAUxHy8eqaRPyyqkS9M4RLdoI+Yf7/9yHXoKTWR3cu2Gu6bDWVcDER/hCwjIB7Q==
Authentication-Results: hotmail.com; sender-id=pass (sender IP is 190.120.238.235) header.from=info@levelagency.com; dkim=none header.d=levelagency.com; x-hmca=pass
X-SID-PRA: info@levelagency.com
X-DKIM-Result: None
X-Message-Status: n:0:n
X-SID-Result: Pass
X-AUTH-Result: PASS
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MTtHRD0yO1NDTD0w
X-Message-Info: HY0JcSSCx0qdcQieKQEEJ96icece/ADXeT+EdM20O3KXArKunQxIslQa4axE6/ABqzrKJLr6CVjKCyeAYKRhvgrIq0AxaM4tlqpOvvJpMwhd/aQF8JxxI4Pvgu/bYTz0UlRssJn9E0RRCgCPM/7uOA==
Received: from levelagency.com ([190.120.238.235]) by SNT0-MC3-F30.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
	 Tue, 19 Jun 2012 12:09:05 -0700
Received: from mnhm-4d01b809.pool.mediaWays.net (mnhm-4d01b809.pool.mediaWays.net [77.1.184.9])
	by levelagency.com (8.13.8/8.13.8) with ESMTP id q5JHAJk1003683
	for <info@levelagency.com>; Tue, 19 Jun 2012 14:10:21 -0300
Received: from apache by qbsnsgdafdjsfkab.mthai.com with local (Exim 4.67)
	(envelope-from <<info@levelagency.com>>)
	id 4XFUJR-IP13VN-SY
	for <info@levelagency.com>; Tue, 19 Jun 2012 20:09:03 +0100
To: <info@levelagency.com>
Subject: Learn how people in your profession can earn a 30% increase!
X-PHP-Script: qbsnsgdafdjsfkab.atayatirim.com.tr/sendmail.php for 77.1.184.9
From: <info@levelagency.com>
X-Sender: <info@levelagency.com>
X-Mailer: PHP
X-Priority: 1
Content-Type: text/plain; charset="us-ascii"
Message-Id: <SU0BB6-688W5H-KY@qbsnsgdafdjsfkab.dilos.com>
Date: Tue, 19 Jun 2012 20:09:03 +0100
Return-Path: pompom132@cascade.oostrozebeke.com
X-OriginalArrivalTime: 19 Jun 2012 19:09:05.0517 (UTC) FILETIME=[FEF001D0:01CD4E4E]

We invite you to work in the remote assistant position.

This work takes 2-3 hours per week and requires absolutely no investment.
The essence of this work for incoming client requests in your city.
The starting salary is about 2500 EUR per month + bonuses.

You get paid your salary every 2 weeks and your bonuses after fulfilling each task!

We guarantee work for everyone. But we accept applications this week only!
Therefore, you should write a request right now. And you will start earning money, starting from next week.

Please indicate in the request:
Your name:
Your email address:
City of residence:

Please send the request to my email Mel@workineurop.com,and I will answer you personally as soon as possible

Sincerely,
Mel Tyler

Any help please, thanks!
 
Old 06-19-2012, 03:20 PM   #2
Kustom42
Senior Member
 
Registered: Mar 2012
Distribution: Red Hat
Posts: 1,588

All of the email headers with the x- prefix are cPanel/Exim config specific and, in all honesty, I never paid any attention to them. The real gritty stuff is the Received headers. These look to indicate the email IS being generated from the server itself, and it looks to be coming from Apache.

The first thing you should do is disable any contact or mail forms on your website to see if that resolves the issue. If it does you know where your problem lies and can start looking at sanitizing the form inputs to prevent people from compromising the site.

You can compare the timestamp of Tue, 19 Jun 2012 20:09:03 +0100 with your apache access logs, /var/log/httpd/access.log.

Once you find the IP of the guy who is abusing the form, add an iptables DROP rule to drop his IP's connections.
 
1 members found this post helpful.
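As an added example (not code from the thread or from either poster), here is a small Python script that walks the Received chain quoted above, converts each hop's timestamp to UTC so it can be lined up with the Apache access log, and labels which hops the server's own MTA can vouch for: only the Received line your own MTA wrote is reliable, and everything below it is whatever the connecting client claimed. It assumes the server's MTA identifies itself as `levelagency.com`, as in the headers.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime
from datetime import timezone

# Constructed sample: the three Received lines quoted in the thread above, newest hop first.
RAW_HEADERS = (
    "Received: from levelagency.com ([190.120.238.235]) by SNT0-MC3-F30.Snt0.hotmail.com"
    " with Microsoft SMTPSVC(6.0.3790.4900);\n\t Tue, 19 Jun 2012 12:09:05 -0700\n"
    "Received: from mnhm-4d01b809.pool.mediaWays.net (mnhm-4d01b809.pool.mediaWays.net"
    " [77.1.184.9])\n\tby levelagency.com (8.13.8/8.13.8) with ESMTP id q5JHAJk1003683\n"
    "\tfor <info@levelagency.com>; Tue, 19 Jun 2012 14:10:21 -0300\n"
    "Received: from apache by qbsnsgdafdjsfkab.mthai.com with local (Exim 4.67)\n"
    "\t(envelope-from <<info@levelagency.com>>)\n\tid 4XFUJR-IP13VN-SY\n"
    "\tfor <info@levelagency.com>; Tue, 19 Jun 2012 20:09:03 +0100\n"
    "Subject: Learn how people in your profession can earn a 30% increase!\n\n(body)\n"
)

def parse_hop(value):
    """Extract host, IP, relay, transport and a UTC timestamp from one Received header."""
    flat = " ".join(value.split())            # unfold continuation lines
    clause, _, date = flat.rpartition(";")    # the date always follows the last ';'
    grab = lambda pat: (re.search(pat, clause) or [None, None])[1]   # group 1 or None
    return {
        "from": grab(r"\bfrom (\S+)"),
        "ip": grab(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]"),
        "by": grab(r"\bby (\S+)"),
        "with": grab(r"\bwith (\S+)"),
        "utc": parsedate_to_datetime(date.strip()).astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
    }

def trace(raw_headers, own_host):
    """Hops newest-first, labelled by whether our own MTA vouches for them."""
    hops = [parse_hop(v) for v in message_from_string(raw_headers).get_all("Received", [])]
    ours = next((i for i, h in enumerate(hops) if h["by"] == own_host), None)
    for i, h in enumerate(hops):
        if ours is None:
            h["trust"] = "unknown"      # our MTA never stamped this message
        elif i < ours:
            h["trust"] = "downstream"   # added after the message left our server
        elif i == ours:
            h["trust"] = "ours"         # written by our MTA: 'from'/'ip' is who connected to us
        else:
            h["trust"] = "claimed"      # supplied by that client; unverifiable, may be forged
    return hops

if __name__ == "__main__":
    for h in trace(RAW_HEADERS, "levelagency.com"):
        print(f"{h['trust']:10} {h['utc']} UTC  {h['from']} [{h['ip']}] -> {h['by']} ({h['with']})")
```

The "ours" hop gives the IP that actually connected to the server and the UTC time to grep for in /var/log/maillog and the Apache access log; the "claimed" hop below it is only as trustworthy as that client.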
Old 06-19-2012, 03:22 PM   #3
Kustom42
Senior Member
 
Registered: Mar 2012
Distribution: Red Hat
Posts: 1,588

After looking at your site, it's WordPress... Very notorious for compromises of this fashion. Take a look at wordpress.org/extend/plugins/email-spam-protection/; customers of mine at the web hosting company I worked for have used it and have reported a lot of success in protecting their contact forms.
Tags: email, sendmail