Odd spam sneeking in.

webweave

Odd spam sneeking in.

« on: March 16, 2006, 09:06:16 PM »

Hi all,

I've started to get a bunch of new spams. The headers look very short compaired to my normal spam and the subject line always contains the name of one of my virtual web sites domain name.

I would apreciate any tips on discovering the source of this spam. I've been looking in the logs (using mc) trying to locate the source but I've yet to find it.

I'm wondering if someone has hacked qmail or webmail to send these.

THANKS,

Return-Path: <anonymous@my-work-domain.com>
Delivered-To: jordan@e-smith.my-work-domain.com
Received: (qmail 26089 invoked by alias); 13 Mar 2006 18:35:43 -0000
Delivered-To: alias-localdelivery-jordan@my-work-domain.com
Received: (qmail 26085 invoked by uid 100); 13 Mar 2006 18:35:43 -0000
Date: 13 Mar 2006 18:35:43 -0000
Message-ID: <20060313183543.26084.qmail@my-work-domain.com>
To: jordan@my-work-domain.com
Subject: one1908@my-virtual-domain.com
From: her@my-work-domain.com
Content-Type: multipart/alternative; boundary=3e3c0be6aba459bb2d364be7defb8b4d
MIME-Version: 1.0
Subject: to depend upon wind and tide for our dinner, suppose...

Return-Path: <anonymous@my-work-domain.com>
Delivered-To: jordan@e-smith.my-work-domain.com
Received: (qmail 25769 invoked by alias); 13 Mar 2006 18:11:24 -0000
Delivered-To: alias-localdelivery-jordan@my-work-domain.com
Received: (qmail 25765 invoked by uid 100); 13 Mar 2006 18:11:24 -0000
Date: 13 Mar 2006 18:11:24 -0000
Message-ID: <20060313181124.25764.qmail@my-work-domain.com>
To: jordan@my-work-domain.com
Subject: alternative2898@my-virtual-domain.com
From: with@my-work-domain.com
Content-Type: multipart/alternative; boundary=bfe08ec306359eac6f1ad129a946a121
MIME-Version: 1.0
Subject: was the foremost in...

Return-Path: <anonymous@my-work-domain.com>
Delivered-To: jordan@e-smith.my-work-domain.com
Received: (qmail 25703 invoked by alias); 13 Mar 2006 17:47:27 -0000
Delivered-To: alias-localdelivery-jordan@my-work-domain.com
Received: (qmail 25699 invoked by uid 100); 13 Mar 2006 17:47:27 -0000
Date: 13 Mar 2006 17:47:27 -0000
Message-ID: <20060313174727.25698.qmail@my-work-domain.com>
To: jordan@my-work-domain.com
Subject: to2275@my-virtual-domain.com
From: my@my-work-domain.com
Content-Type: multipart/alternative; boundary=e61ce82b18950fbf54882282b7e63032
MIME-Version: 1.0
Subject: off with his bull tarryer. e say he...

Return-Path: <anonymous@my-work-domain.com>
Delivered-To: jordan@e-smith.my-work-domain.com
Received: (qmail 25509 invoked by alias); 13 Mar 2006 17:23:54 -0000
Delivered-To: alias-localdelivery-jordan@my-work-domain.com
Received: (qmail 25505 invoked by uid 100); 13 Mar 2006 17:23:54 -0000
Date: 13 Mar 2006 17:23:54 -0000
Message-ID: <20060313172354.25504.qmail@my-work-domain.com>
To: jordan@my-work-domain.com
Subject: race3354@my-virtual-domain.com
From: always@my-work-domain.com
Content-Type: multipart/alternative; boundary=34ced426e99a83b15ca9752f1689c5a5
MIME-Version: 1.0
Subject: are, perhaps, the most...

Logged

webweave

Odd spam sneeking in.

« Reply #1 on: March 23, 2006, 07:31:49 PM »

Does anyone know how to read these headers?

How can I tell from where these emails come from?

Usually the headers include more info on the sending machine, local machines have the local IP number and external machines have a longer header. I'm perplexed, is my e-smith (6.0b3 final) sending spam?

Logged

CharlieBrady

6,918
+3/-0

Re: Odd spam sneeking in.

« Reply #2 on: March 24, 2006, 06:07:29 PM »

Quote from: "webweave"

I've started to get a bunch of new spams. The headers look very short compaired to my normal spam and the subject line always contains the name of one of my virtual web sites domain name.

I would apreciate any tips on discovering the source of this spam.

Those spams are being injected by your web server (uid 100). You have a web application which is being exploited. Do you have a form for sending mail?

Logged