
Thread: Can anyone help with this?

  1. #1
    lukepreston
    Guest

    Can anyone help with this?

    Hi
    Can anyone advise: via one of my site's emails I am getting loads of 'return to sender' emails from the mailer-daemon and loads of emails to myself from various non-existent email accounts - suggesting to me that there may be some rogue script on my server. Maybe put there via a php/chat/or message page?

    If I am to look through my files for some kind of mail spammer script what kind of file/page should I look for? At the moment I can't see anything there that looks odd, or is not recognisable.

    Just worried in case I am unwittingly sending out someone else's spam!

    Any ideas?

    Luke
    PS. the site email is manswords.com for which there is only one legitimate email address alan@manswords.com the ones I'm getting are from admin/services/memberships@... etc.


  2. #2
    virgin by request ;) Chilihost
    Join Date: Oct 2003
    Posts: 4,496
    Luke, it sounds like you have been having a bugger of a time keeping your server secure. This could be a result of your recent hack; the server can be rooted. Have you reinstalled since getting hacked? Have you locked the server down? Have you changed all your passwords?

    For this problem, I would first look at the header info on one of the original emails that was supposedly sent from your account. It will show the originating IP and other info about the server. Is it correct? If it is not correct, then the spammers are sending out forged emails and you cannot do anything about this. But, if it is correct, this means they are accessing your server and using your account for spam. If this is the case, once again you should be chatting with your webhost and get them to comb through the access logs, error logs, secure logs, mail logs, etc, plus run the usual gamut of tests against your server to ensure it is secure and not rooted.

    cheers,
    Luke


  3. #3
    lukepreston
    Guest

    thanks

    Hi
    thanks for that - I will talk to the hosts again and suggest those things to them, see what they say. Though last time they just suggested I look for scripts that I didn't put there and that was it. Maybe it's time to change servers/hosts?

    The contents of one of the emails are below including all headers (in case you fancy having a look - most of it doesn't mean much to me!) The text at the bottom 'thank you for contacting...etc.' is an automated response from my afh.php script I got from Cluxa.com - that goes out when someone has contacted the bookpuppy site. Could the problem be in this script do you think?

    The email content reads:

    From MAILER-DAEMON Wed Jul 13 13:31:52 2005
    Return-path: <>
    Envelope-to: edjames@chicago.bigwebspace.com
    Delivery-date: Wed, 13 Jul 2005 13:31:52 -0500
    Received: from mailnull by chicago.bigwebspace.com with local (Exim 4.51 (FreeBSD))
    id 1Dsm1Q-000Fhr-NJ
    for edjames@chicago.bigwebspace.com; Wed, 13 Jul 2005 13:31:52 -0500
    X-Failed-Recipients: ralxqknxyhnym@yahoo.com
    Auto-Submitted: auto-generated
    From: Mail Delivery System <Mailer-Daemon@chicago.bigwebspace.com>
    To: edjames@chicago.bigwebspace.com
    Subject: Mail delivery failed: returning message to sender
    Message-Id: <E1Dsm1Q-000Fhr-NJ@chicago.bigwebspace.com>
    Date: Wed, 13 Jul 2005 13:31:52 -0500
    Status: R

    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:

    ralxqknxyhnym@yahoo.com
    SMTP error from remote mail server after end of data:
    host mx2.mail.yahoo.com [4.79.181.13]: 554 delivery error:
    dd This user doesn't have a yahoo.com account (ralxqknxyhnym@yahoo.com) [0] - mta174.mail.mud.yahoo.com

    ------ This is a copy of the message, including all the headers. ------

    Return-path: <edjames@chicago.bigwebspace.com>
    Received: from edjames by chicago.bigwebspace.com with local (Exim 4.51 (FreeBSD))
    id 1Dsm1Q-000Fhj-2A
    for ralxqknxyhnym@yahoo.com; Wed, 13 Jul 2005 13:31:52 -0500
    To: Greg Parrish <ralxqknxyhnym@yahoo.com>
    X-Autorespond: Microcap St0ck Trading Idea For You [Wed, 13 Jul 2005 23:24:17 +0400]
    X-Loop: Greg Parrish <ralxqknxyhnym@yahoo.com>
    From: "Enquiries" <enquiries@bookpuppy.co.uk>
    Content-type: text/plain; charset=us-ascii
    Subject: Thank you for your enquiry
    Message-Id: <E1Dsm1Q-000Fhj-2A@chicago.bigwebspace.com>
    Date: Wed, 13 Jul 2005 13:31:52 -0500

    Thank you for contacting bookpuppy.co.uk
    We have your email and are dealing with your enquiry. We will get back to you shortly.
    bookpuppy


    Luke
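
Added example (not part of the original thread): one way to run the header check suggested in post #2 against the bounce quoted in post #3. It parses the original message embedded in an Exim bounce and reports whether it was submitted locally on the server and whether it carries auto-reply headers; the function name and verdict strings are illustrative, and treating `X-Autorespond`/`X-Loop` as auto-reply markers is an assumption based on the headers shown.

```python
import re
from email import message_from_string

SEPARATOR = "This is a copy of the message, including all the headers."
LOCAL_RE = re.compile(r"from\s+(\S+)\s+by\s+(\S+)\s+with\s+local\b")
AUTO_HEADERS = ("X-Autorespond", "X-Loop", "Auto-Submitted")  # assumed markers

# Sample input: headers trimmed from the bounce in post #3, folded lines re-indented.
SAMPLE_BOUNCE = """\
Return-path: <>
X-Failed-Recipients: ralxqknxyhnym@yahoo.com

------ This is a copy of the message, including all the headers. ------

Return-path: <edjames@chicago.bigwebspace.com>
Received: from edjames by chicago.bigwebspace.com with local (Exim 4.51 (FreeBSD))
    id 1Dsm1Q-000Fhj-2A
    for ralxqknxyhnym@yahoo.com; Wed, 13 Jul 2005 13:31:52 -0500
To: Greg Parrish <ralxqknxyhnym@yahoo.com>
X-Autorespond: Microcap St0ck Trading Idea For You [Wed, 13 Jul 2005 23:24:17 +0400]
X-Loop: Greg Parrish <ralxqknxyhnym@yahoo.com>
From: "Enquiries" <enquiries@bookpuppy.co.uk>
Subject: Thank you for your enquiry
"""

def classify_bounce(bounce_text):
    """Summarise where the bounced message came from and whether it was an auto-reply."""
    head, sep, tail = bounce_text.partition(SEPARATOR)
    if not sep:
        raise ValueError("bounce does not embed the original message")
    outer = message_from_string(head)
    # Drop the rest of the separator line, then parse the embedded original.
    inner = message_from_string(tail.partition("\n")[2].lstrip())
    # Unfold each Received header so the regex sees it as one line.
    received = " ".join(" ".join(v.split()) for v in inner.get_all("Received", []))
    local = LOCAL_RE.search(received)
    auto = [h for h in AUTO_HEADERS if h in inner]
    verdict = ("auto-reply generated on this server" if local and auto
               else "sent by a local account or script" if local
               else "not submitted locally; check the Received chain for the origin")
    return {
        "failed_recipient": outer.get("X-Failed-Recipients"),
        "local_account": local.group(1) if local else None,
        "host": local.group(2) if local else None,
        "auto_reply_headers": auto,
        "verdict": verdict,
    }

if __name__ == "__main__":
    print(classify_bounce(SAMPLE_BOUNCE))
```

For the sample, the result shows a local submission by the `edjames` account with both auto-reply headers present, so the place to look is whatever feeds the autoresponder rather than an outside relay.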

