
oscargim 06-19-2012 02:31 PM

Is someone sending emails through my sendmail server??
Hi, I'm receiving some spam emails from my account in my Hotmail inbox, and when I check the email source code I guess that the emails are being sent from my server, but I'm not sure.

The worst of this is that the email passes the sender ID auth.

This is my server IP

This is my server hostname:

And here is the emails source code:


Authentication-Results:; sender-id=pass (sender IP is; dkim=none; x-hmca=pass
X-DKIM-Result: None
X-Message-Status: n:0:n
X-SID-Result: Pass
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MTtHRD0yO1NDTD0w
X-Message-Info: HY0JcSSCx0qdcQieKQEEJ96icece/ADXeT+EdM20O3KXArKunQxIslQa4axE6/ABqzrKJLr6CVjKCyeAYKRhvgrIq0AxaM4tlqpOvvJpMwhd/aQF8JxxI4Pvgu/bYTz0UlRssJn9E0RRCgCPM/7uOA==
Received: from ([]) by with Microsoft SMTPSVC(6.0.3790.4900);
        Tue, 19 Jun 2012 12:09:05 -0700
Received: from ( [])
        by (8.13.8/8.13.8) with ESMTP id q5JHAJk1003683
        for <>; Tue, 19 Jun 2012 14:10:21 -0300
Received: from apache by with local (Exim 4.67)
        (envelope-from <<>>)
        id 4XFUJR-IP13VN-SY
        for <>; Tue, 19 Jun 2012 20:09:03 +0100
To: <>
Subject: Learn how people in your profession can earn a 30% increase!
X-PHP-Script: for
From: <>
X-Sender: <>
X-Mailer: PHP
X-Priority: 1
Content-Type: text/plain; charset="us-ascii"
Message-Id: <>
Date: Tue, 19 Jun 2012 20:09:03 +0100
X-OriginalArrivalTime: 19 Jun 2012 19:09:05.0517 (UTC) FILETIME=[FEF001D0:01CD4E4E]

We invite you to work in the remote assistant position.

This work takes 2-3 hours per week and requires absolutely no investment.
The essence of this work for incoming client requests in your city.
The starting salary is about 2500 EUR per month + bonuses.

You get paid your salary every 2 weeks and your bonuses after fulfilling each task!

We guarantee work for everyone. But we accept applications this week only!
Therefore, you should write a request right now. And you will start earning money, starting from next week.

Please indicate in the request:
Your name:
Your email address:
City of residence:

Please send the request to my email,and I will answer you personally as soon as possible

Mel Tyler

Any help please, thanks!

Kustom42 06-19-2012 03:20 PM

All of the email headers with the x- prefix are cPanel/Exim config specific, and in all honesty I never paid any attention to them. The real gritty stuff is the received by headers. These look to indicate the email IS being generated from the server itself and looks to be coming from Apache.

The first thing you should do is disable any contact or mail forms on your website to see if that resolves the issue. If it does, you know where your problem lies and can start looking at sanitizing the form inputs to prevent people from compromising the site.

You can compare the timestamp of Tue, 19 Jun 2012 20:09:03 +0100 with your Apache access logs, /var/log/httpd/access.log.

Once you find the IP of the guy who is abusing the form, add an iptables drop rule to drop his IP's connection.
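
The timestamp comparison described above, as an added example that is not part of the original post: it converts the header time and each access-log time to timezone-aware values before comparing, since the header is stamped +0100 and the log may be written in another zone. The log lines, IP addresses and the /contact.php path are constructed, and the Combined Log Format with a server logging at -0300 is an assumption.

```python
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime
import re

# Combined Log Format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def requests_near(header_date, log_lines, window_s=30, methods=("POST",)):
    """Return (ip, time, method, path) for requests made within window_s
    seconds of the mail's timestamp. Both times carry their UTC offset, so
    a log in a different zone than the header still lines up correctly."""
    sent = parsedate_to_datetime(header_date)
    window = timedelta(seconds=window_s)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines
        ip, ts, method, path, _status = m.groups()
        try:
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue
        if method in methods and abs(when - sent) <= window:
            hits.append((ip, when.isoformat(), method, path))
    return hits

# Constructed sample log: documentation IPs, hypothetical paths, server at -0300.
# The last request has the same wall-clock time as the header but is a
# different instant, which a plain text search for "20:09:03" would confuse.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Jun/2012:16:08:40 -0300] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [19/Jun/2012:16:09:02 -0300] "POST /contact.php HTTP/1.1" 200 312 "-" "-"',
    '203.0.113.7 - - [19/Jun/2012:16:09:03 -0300] "POST /contact.php HTTP/1.1" 200 312 "-" "-"',
    'truncated line without a timestamp',
    '198.51.100.4 - - [19/Jun/2012:20:09:03 -0300] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "-"',
]

if __name__ == "__main__":
    # Timestamp taken from the Date: header of the spam message on this page.
    for hit in requests_near("Tue, 19 Jun 2012 20:09:03 +0100", SAMPLE_LOG):
        print(*hit)
```

If the web server and mail server clocks disagree, widen `window_s` rather than trusting an exact match.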

Kustom42 06-19-2012 03:22 PM

After looking at your site, it's WordPress... Very notorious for compromise of this fashion. Take a look at, customers of mine at the web host company I worked for have used it and have reported a lot of success in protecting their contact forms.
