
sombragris 03-12-2014 06:01 PM

Slightly OT: Spam being sent from my domain or just backscatter?
 
Hi folks,

Bear with me on this OT issue. I share the issue here because I trust most of the regular people here.

THE ISSUE:
Starting this morning, I began to get thousands of bounce messages.
Apparently, spam was being sent from my domain.

I understand that most of these issues are just backscatter, but judging from the headers of the bounce messages I cannot be sure.

Thus, my question: can you tell if this is just backscatter or if my domain account was hijacked? Thanks in advance.

Below there is an anonymized bounce message.
Key: myhosting.com = my hosting provider
mydomain.org = my domain name

Code:

Return-path: <>
Envelope-to: sombrag@myhosting.com
Delivery-date: Wed, 12 Mar 2014 17:44:13 -0500
Received: from mailnull by myhosting.com with local (Exim 4.82)
        id 1WNrsj-00062X-29
        for sombrag@myhosting.com; Wed, 12 Mar 2014 17:44:13 -0500
X-Failed-Recipients: someone@att.net
Auto-Submitted: auto-replied
From: Mail Delivery System <Mailer-Daemon@myhosting.com>
To: sombrag@myhosting.com
Subject: Mail delivery failed: returning message to sender
Message-Id: <E1WNrsj-00062X-29@myhosting.com>
Date: Wed, 12 Mar 2014 17:44:13 -0500

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  someone@att.net
    SMTP error from remote mail server after RCPT TO:<someone@att.net>:
    host scc-mailrelay.att.net [204.127.208.75]: 551 not our customer

------ This is a copy of the message, including all the headers. ------

Return-path: <sombrag@myhosting.com>
Received: from sombrag by myhosting.com with local (Exim 4.82)
        (envelope-from <sombrag@myhosting.com>)
        id 1WNrsY-00061L-S6
        for someone@att.net; Wed, 12 Mar 2014 17:44:02 -0500
To: someone@att.net
Subject: Voice Message Notification
From: "WhatsApp Messaging Service" <service@mydomain.org>
X-Mailer: JustMeCollection
Reply-To: "WhatsApp Messaging Service" <service@mydomain.org>
Mime-Version: 1.0
Content-Type: multipart/alternative;boundary="----------13946642425320E332D02A9"
Message-Id: <E1WNrsY-00061L-S6@myhosting.com>
Date: Wed, 12 Mar 2014 17:44:02 -0500

------------13946642425320E332D02A9
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit

(some spam here)
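
The question the post asks (backscatter, or was the message really sent from my account?) can be answered from the copy of the original message that the bounce carries, so here is an added triage script for that; it is not code from the original post or from the hosting provider. It reads the copy embedded in a bounce (both the RFC 3464 message/rfc822 form and the plain-text form Exim uses above), walks that copy's Received: trail and reports who handed the message to our own MTA. A hop "by OURHOST with local" means a local user or script on the server injected it, "with esmtpa"/"esmtpsa" means an authenticated SMTP login, and if OURHOST never appears as the receiving MTA the message never touched our server and the bounce is backscatter. The first sample is the anonymized bounce from the post, trimmed; the second is a constructed backscatter bounce with documentation addresses (198.51.100.23, mx.example.net) and placeholder queue ids.

```python
"""Triage a bounce (DSN): did our server really send the original, or is it backscatter?"""
import email
import re
from email import policy
from email.message import Message
from typing import Dict, List, Optional, Tuple

# Exim's plain-text bounces put the original message after this marker line.
EXIM_COPY_MARKER = "------ This is a copy of the message, including all the headers. ------"

# Fixed parts of a Received: trace clause once folding whitespace is normalized:
# "from X ... by Y ... with PROTO".
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<proto>[A-Za-z0-9-]+)",
    re.IGNORECASE,
)

# Sample 1: the anonymized bounce quoted in the post above, trimmed to what matters.
SAMPLE_BOUNCE = """\
Return-path: <>
Envelope-to: sombrag@myhosting.com
Received: from mailnull by myhosting.com with local (Exim 4.82)
        id 1WNrsj-00062X-29
        for sombrag@myhosting.com; Wed, 12 Mar 2014 17:44:13 -0500
X-Failed-Recipients: someone@att.net
From: Mail Delivery System <Mailer-Daemon@myhosting.com>
To: sombrag@myhosting.com
Subject: Mail delivery failed: returning message to sender

This message was created automatically by mail delivery software.

------ This is a copy of the message, including all the headers. ------

Return-path: <sombrag@myhosting.com>
Received: from sombrag by myhosting.com with local (Exim 4.82)
        (envelope-from <sombrag@myhosting.com>)
        id 1WNrsY-00061L-S6
        for someone@att.net; Wed, 12 Mar 2014 17:44:02 -0500
To: someone@att.net
Subject: Voice Message Notification
From: "WhatsApp Messaging Service" <service@mydomain.org>
X-Mailer: JustMeCollection

(some spam here)
"""

# Sample 2 (constructed): a real backscatter bounce. The embedded original was
# injected at some unrelated host; myhosting.com only ever received the bounce.
SAMPLE_BACKSCATTER = """\
Return-path: <>
Received: from mx.example.net ([203.0.113.5]) by myhosting.com with esmtp (Exim 4.82)
        id 1XXXXX-XXXXXX-X1
        for service@mydomain.org; Wed, 12 Mar 2014 18:10:00 -0500
From: Mail Delivery System <Mailer-Daemon@mx.example.net>
To: service@mydomain.org
Subject: Mail delivery failed: returning message to sender

This message was created automatically by mail delivery software.

------ This is a copy of the message, including all the headers. ------

Received: from [198.51.100.23] (helo=service.mydomain.org)
        by mx.example.net with esmtp id 1XXXXX-XXXXXX-X2
        for victim@example.net; Wed, 12 Mar 2014 18:09:55 -0500
From: "WhatsApp Messaging Service" <service@mydomain.org>
To: victim@example.net
Subject: Voice Message Notification

(some spam here)
"""


def extract_original(bounce_text: str) -> Optional[Message]:
    """Return the original message embedded in a bounce, or None if there is none."""
    bounce = email.message_from_string(bounce_text, policy=policy.default)
    # RFC 3464 style: multipart/report carrying a message/rfc822 part.
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    # Exim's plain-text style: the copy follows the marker line.
    if EXIM_COPY_MARKER in bounce_text:
        copy = bounce_text.split(EXIM_COPY_MARKER, 1)[1].lstrip("\r\n")
        return email.message_from_string(copy, policy=policy.default)
    return None


def received_hops(msg: Message) -> List[Dict[str, str]]:
    """Parse each Received: header (newest first) into from/by/proto fields."""
    hops = []
    for raw in msg.get_all("Received", []):
        unfolded = " ".join(str(raw).split())
        m = RECEIVED_RE.search(unfolded)
        if m:
            hops.append({k: v.lower() for k, v in m.groupdict().items()})
    return hops


def classify(bounce_text: str, our_host: str) -> Tuple[str, str]:
    """Return (verdict, evidence) for one bounce, judged against our own MTA's name."""
    original = extract_original(bounce_text)
    if original is None:
        return "UNKNOWN", "bounce carries no copy of the original message"
    our_host = our_host.lower()
    for hop in received_hops(original):
        if hop["by"] != our_host:
            continue
        if hop["proto"] == "local":
            return "LOCAL_SUBMISSION", f"injected on {our_host} by local user '{hop['from']}'"
        if hop["proto"] in ("esmtpa", "esmtpsa"):
            return "AUTH_SUBMISSION", f"authenticated SMTP from {hop['from']} to {our_host}"
        return "OUR_MTA_RELAYED", f"{our_host} accepted it from {hop['from']} via {hop['proto']}"
    return "BACKSCATTER", f"{our_host} never appears as receiving MTA; sender was forged"


if __name__ == "__main__":
    for label, sample in (("post", SAMPLE_BOUNCE), ("constructed", SAMPLE_BACKSCATTER)):
        verdict, why = classify(sample, "myhosting.com")
        print(f"{label}: {verdict} ({why})")
```

Run against the bounce from the post this gives LOCAL_SUBMISSION with user `sombrag`: the spam was handed to Exim on the hosting box itself by that account, which is not backscatter and points at something running under the account (a web script, as the final post confirms). Only the embedded copy is examined; the bounce's own outer Received: headers always name our host because the bounce was delivered to us, so they prove nothing.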


ReaperX7 03-12-2014 10:47 PM

Try to pinpoint which IP address they are originating from first.

jtsn 03-13-2014 05:53 AM

Quote:

Originally Posted by sombragris (Post 5133560)
Below there is an anonymized bounce message.

That's not very useful.

General tips:

Set SPF records on your domain to reduce abuse by spammers as a MAIL FROM.
Use DNSBLs like backscatterer.org and reject mails with empty MAIL FROM from these servers.
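
What the two tips look like in practice, as an added example (not from the post or from any provider's configuration): an SPF TXT record for the domain, and an Exim ACL fragment that rejects null-sender mail from hosts listed in backscatterer.org. Host names are placeholders; the `a:` entry stands for whichever MTA really sends for the domain. Note that SPF is checked against the envelope MAIL FROM, and in the bounce above that was sombrag@myhosting.com rather than the mydomain.org address in the From: header, so an SPF record on mydomain.org alone would not have covered that mail; the hosting provider's domain needs its own record. Exim's `senders = :` matches the empty sender, which keeps the DNSBL check to bounces only, as backscatterer.org asks.

```text
; DNS zone fragment: SPF record for the domain. "mx" authorizes the domain's MX
; hosts, "a:" one named host, "-all" tells receivers to reject everything else.
mydomain.org.   IN TXT "v=spf1 mx a:mail.myhosting.com -all"

# Exim ACL fragment, placed in the ACL run at RCPT time (acl_check_rcpt):
# reject mail with an empty MAIL FROM when the connecting host is listed.
  deny    senders  = :
          dnslists = ips.backscatterer.org
          message  = Rejected: $sender_host_address is listed in $dnslist_domain
```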

sombragris 03-17-2014 02:57 PM

Thanks for all the answers. Spam was being sent indeed from my hosting site. The issue: a very old WordPress theme. So, do not only check your WordPress install proper; check also your themes and plugins. Marking thread as solved.

