Hi, I've been receiving multiple sending failures from the server to numerous random email addresses.
SMES 8 with all updates, used as an email and web server hosting 5 domains. 20 users. POP and IMAP services enabled. SMTP relay enabled with authentication.
I examined the report email and suspected that a user account was compromised.
--- Below this line is a copy of the message.
Return-Path: <john@ber.net.nz>
Received: (qmail 21688 invoked by uid 453); 14 Aug 2014 14:06:45 -0000
Received: from Unknown (HELO ber.net.nz) (77.125.11.69)
(smtp-auth username john@ber.net.nz, mechanism plain)
by ber.net.nz (qpsmtpd/0.84) with ESMTPA; Fri, 15 Aug 2014 02:06:45 +1200
Message-ID: <0a18f91d71c3$74a1da51$32b3df2e$@ber.net.nz>
From: Keith Blackwell <john@ber.net.nz>
To: "Mary Walsh" <mwalsh@accuquote.com>, "mary katherine mkl" <mary.katherine.mkl@gmail.com>, "melissa" <davis@ccbcu.com>, "Micah Rouse" <jonesrou@gmail.com>, "Michael Cohen" <cokeslinger39@yahoo.com>, "Michael Oglesby" <MichaelOglesby@oglesbytaxservice.com>, "michelle cook" <dalefan8cook@aol.com>, "mike" <bell@ccbcu.com>, "mike" <jones@ccbcu.com>, "Nikoles Geraci" <margarita.geraci@gmail.com>, "nutis press" <lrobertson@nutispress.com>, "Parker Chance" <chancetraceyl@johndeere.com>, "phillip" <usry@ccbcu.com>, "randy" <johnson@ccbcu.com>, "riccrawford" <riccrawford@ccbcu.com>, "ROBIN RAWLS" <rrawls5372@aol.com>, "rodney stalls" <r.stalls@comcast.net>, "ron oliver" <ron.oliver@herrs.com>, "russcon" <russcon@hotmail.com>, "rwatford2" <rwatford2@rr.sc.com>
Subject: from Keith Blackwell
Date: Wed, 14 Aug 2014 03:06:32 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_FA5B_38EF1251.7D8BF5D5"
X-Mailer: iPhone Mail (11D201)
X-Virus-Checked: Checked by ClamAV on ber.net.nz
This is a multi-part message in MIME format.
------=_NextPart_000_FA5B_38EF1251.7D8BF5D5
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
Hi!
News: http://om-construction.in/vm/changed.php?bze
Keith Blackwell
------=_NextPart_000_FA5B_38EF1251.7D8BF5D5
Content-Type: text/html;
charset="utf-8"
Content-Transfer-Encoding: quoted-printable
<html>
<head></head>
<body>
Hi!<br>
<br>
News: <a href=3D"http://om-construction.in/vm/changed.php?bze">http://om-construction.in/vm/changed.php?bze</a><br>
<br>
Keith Blackwell<br>
</body>
</html>
------=_NextPart_000_FA5B_38EF1251.7D8BF5D5--
Thread-Index: AUn/t3ITzzhhaThsemwxMmJmMTM1bw==
By my observations the hack is through the IMAP software Horde, and the user account used is john@ber.net.nz (my account), though I'm not certain of this.
The source of the hack is 77.125.11.69 (Israel).
The spam floods out at roughly the same time each night. 3-4am. This has been occurring for the last four nights.
My assumption was that my account was hacked, so I changed my password; I also changed my admin/root password (to a more complex one) just to be sure. The next night there was a new flood of failed sent emails, so my assumption could be wrong.
I've looked into the qmail logs around the time of the spam and there is nothing I can see that identifies the user account issuing the spam. It simply reports emails being processed, with no info on the user.
Is there anywhere else I can check to ascertain which account is compromised, or am I "barking up the wrong tree"?
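One place the authenticating account does show up is the Received header that qpsmtpd stamps on each relayed message: in the copy above it reads "(smtp-auth username john@ber.net.nz, mechanism plain)" together with the client IP and the local timestamp. If the bounce reports are saved as text, those headers can be parsed and aggregated per account and source IP, and any authentication that happens during the 3-4am window can be counted separately. The following script is an added example, not code from the original post or from SME Server/qpsmtpd; it assumes the Received header format shown above, and the three sample headers embedded in it are constructed (the john@ber.net.nz/77.125.11.69 pair comes from the post, the alice@ber.net.nz/192.0.2.10 entry is made up for contrast).

```python
import re
from collections import Counter
from email.utils import parsedate_to_datetime

# Constructed sample: three qpsmtpd "Received:" headers in the folded form seen in the
# bounce copy above. In practice, read these from the saved bounce reports or mail spool.
SAMPLE_HEADERS = """\
Received: from Unknown (HELO ber.net.nz) (77.125.11.69)
    (smtp-auth username john@ber.net.nz, mechanism plain)
    by ber.net.nz (qpsmtpd/0.84) with ESMTPA; Fri, 15 Aug 2014 02:06:45 +1200
Received: from Unknown (HELO ber.net.nz) (77.125.11.69)
    (smtp-auth username john@ber.net.nz, mechanism plain)
    by ber.net.nz (qpsmtpd/0.84) with ESMTPA; Fri, 15 Aug 2014 03:41:10 +1200
Received: from client.example.net (HELO client) (192.0.2.10)
    (smtp-auth username alice@ber.net.nz, mechanism plain)
    by ber.net.nz (qpsmtpd/0.84) with ESMTPA; Fri, 15 Aug 2014 14:12:03 +1200
"""

# Matches one unfolded qpsmtpd Received header carrying an smtp-auth annotation
# (assumed format, taken from the header in the post).
AUTH_RE = re.compile(
    r"Received: from \S+ \(HELO [^)]*\) \((?P<ip>[\d.]+)\)\s*"
    r"\(smtp-auth username (?P<user>[^,]+), mechanism (?P<mech>[^)]+)\)"
    r".*?;\s*(?P<date>.+)$"
)


def unfold(text):
    """Join RFC 5322 continuation lines (leading whitespace) onto the header they belong to."""
    lines = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.rstrip())
    return lines


def parse_auth_received(text):
    """Return one event per authenticated Received header: ip, user, mechanism, timestamp."""
    events = []
    for line in unfold(text):
        m = AUTH_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "user": m["user"].strip(),
            "mech": m["mech"].strip(),
            # parsedate_to_datetime keeps the +1200 offset, so .hour is server-local time
            "when": parsedate_to_datetime(m["date"].strip()),
        })
    return events


def summarize(events, night_start=0, night_end=6):
    """Count authentications per (user, ip) and, separately, per user inside the night window."""
    by_user_ip = Counter((e["user"], e["ip"]) for e in events)
    off_hours = Counter(
        e["user"] for e in events if night_start <= e["when"].hour < night_end
    )
    return by_user_ip, off_hours


if __name__ == "__main__":
    by_user_ip, off_hours = summarize(parse_auth_received(SAMPLE_HEADERS))
    print("authenticated submissions per account and source IP:")
    for (user, ip), n in by_user_ip.most_common():
        print(f"  {user:24} {ip:16} {n}")
    print("submissions between 00:00 and 06:00 local, per account:")
    for user, n in off_hours.most_common():
        print(f"  {user:24} {n}")
```

Run it against the real bounce copies by replacing SAMPLE_HEADERS with the file contents; an account that keeps authenticating from one unfamiliar IP during the night is the one whose credentials are still in use, which also tells you whether the password change on that account actually took effect (a mail client or webmail session that was already logged in may keep its old session until it is terminated).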