Welcome to TinyPortal. Please login or sign up.
150 000 mails

Started by Arba, May 23, 2006, 02:01:50 PM


Arba

Hello
As usual I need help again  ??? . I don't know what is going on, but somehow 150 000 mails were sent from my server/mail account, and they were all returned to my mail account as undelivered mail. Of course I did not send those mails. I don't know how that is possible and who hacked/exploited my site. I have an SMF forum upgraded to the latest secure version, Mambo manually upgraded too, Coppermine gallery upgraded except for the newest upgrade (I did not know that I needed to upgrade again because the latest upgrade was done a month ago) and Flash Chat; I don't know if Flash Chat needs upgrading too??
My host blocked my mail and told me to fix that problem, but I don't have a clue what I need to fix and where the problem is.
The corrupted mail address is the one the forum uses for registration, notification... It is not a mail address which I use for sending mail.
Can someone help me? I am willing to pay, without problem, anyone who can solve that issue; the only problem is that I can't use PayPal, it does not exist in my country  :( .
Has anyone heard of similar problems/exploits before?

gerrymo

I'd go into your admin area and turn off notifications for PMs and new posts, replies etc. by default and see if that makes a difference. Basically, stop your site sending mail until you find the problem.

IchBin

Arba, I think you have been a victim of email spoofing. I run a mail server here at my work. I cannot tell you how many people try to use my mail server to spam other people each day. The latest "spam technology" is spoofing someone else's email when spamming others. It sounds to me (I could be wrong) like someone has done this to your account and the emails are bouncing back to your account because your email was spoofed (faked). Tell your host to look at the email headers and check to see if the emails were actually sent from your site. I would also do as gerrymo said and stop and turn off ALL email until this problem is fixed.

If you'd like you can forward one of the messages to me and I'll take a look. But I won't know for sure unless I get more info from your site so that I can tell if it was actually sent from your server or not.

gerrymo

You could, in the meantime, set up a temp e-mail addy for the site using a different e-mail address and e-mail company. (If you use Hotmail, change the site to Yahoo.) That way you'll know quickly if it is the site. But I'd opt for IchBin's explanation as to why it's happening.

Arba

Gerrymo, thank you for the reply  :)
I'd go into your admin area and turn off notifications for PMs and new posts, replies etc. by default
I can't find that in my SMF admin??

see if that makes a difference. Basically, stop your site sending mail until you find the problem.
Sorry that I did not explain the issue further; the returned mails that block my e-mail box are not from my forum or site. All mails in my mailbox are: mail delivery failed: returning message to sender. I supposedly sent mail to some totally unknown person and the mail is returned to my e-mail box, 150 000 times  :-\
If someone wants to go into my cPanel and see what is going on, that would be very helpful; I just don't know how to explain the situation. I don't know how to delete those e-mails and configure e-mail again.
I think my site was hacked via that e-mail address.
A big part of the problem is that all scripts were installed by other people; for example the SMF 1.1 RC2 forum was installed by IchBin  :)  and I do not know where to look in my PHP files, what is a normal file and what can be an exploit.

Arba

Arba, I think you have been a victim of email spoofing. I run a mail server here at my work. I cannot tell you how many people try to use my mail server to spam other people each day. The latest "spam technology" is spoofing someone else's email when spamming others. It sounds to me (I could be wrong) like someone has done this to your account and the emails are bouncing back to your account because your email was spoofed (faked). Tell your host to look at the email headers and check to see if the emails were actually sent from your site. I would also do as gerrymo said and stop and turn off ALL email until this problem is fixed.


Thank you IchBin, yes I think you are correct, that is what is happening IMO.

If you'd like you can forward one of the messages to me and I'll take a look. But I won't know for sure unless I get more info from your site so that I can tell if it was actually sent from your server or not.
I have been trying to do that for the last half hour, actually to copy one mail here in the forum, but I cannot open my e-mail due to my very slow internet connection; I get into the mail folder, but when I try to open a mail I get the notification "cannot find server". It's just one of those days  ::)  my cellular phone stopped working today and I am completely disconnected from the world  O0 unbelievable

Arba

Here is the copy of one mail. I can not forward mails because I can't use my server mail account  :o , the host closed my e-mails:

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  proven_termite_solutions@msn.com
    SMTP error from remote mail server after RCPT TO:<proven_termite_solutions@msn.com>:
    host mx3.hotmail.com [65.54.244.72]: 550 Requested action not taken:
    mailbox unavailable

------ This is a copy of the message, including all the headers. ------

Return-path: <bluere2@galileo.lunarpages.com>
Received: from bluere2 by galileo.lunarpages.com with local (Exim 4.52)
        id 1FeiJp-0006jj-Pu
        for proven_termite_solutions@msn.com; Fri, 12 May 2006 17:49:17 -0700
To: proven_termite_solutions@msn.com
Subject: ID: 92171 - PayPal funds were frozen
From: Paypal Inc. <service@paypal.com>
Reply-To:
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id: <E1FeiJp-0006jj-Pu@galileo.lunarpages.com>
Date: Fri, 12 May 2006 17:49:17 -0700

<div id=message>
<html><head>
<title>Get Authenticated</title>
<xmeta name="keyword" content="chase">
<xmeta name="robots" content="indexall">
<xmeta name="indexing" content="true">
<xmeta name="bea-portal-meta-skeleton" content="/framework/skeletons/psmgenskel">
<xmeta name="bea-portal-meta-skin" content="/framework/skins/psmgenskin">
<xmeta name="bea-portal-meta-skin-images" content="/framework/skins/psmgenskin/images">
<xlink href="index.jsp_files/marketing_default_style.css" rel="stylesheet" type="text/css"><style type="text/css">
<!--

#message TD {
        FONT-FAMILY: Verdana,Helvetica; FONT-SIZE: 100%
}
#message TH {
        FONT-FAMILY: Verdana,Helvetica; FONT-SIZE: 100%
}
#message INPUT {
        FONT-FAMILY: Verdana,Helvetica
}

-->
    </style><style>
#message /*        a:link, #message a:visited, #message a:active, #message a:hover {color: #095AA6;}#message */
        .detail {color: #333; font: 10px Verdana, Arial, Helvetica, sans-serif; padding: 0px 0px 0px 30px}
        #message .reflection {background-image: url('/ccpmweb/card_servicing/image/chaseAll_card_reflection.jpg');background-repeat:no-repeat}
        #message .copy {color:#333; font: bold 11px Verdana, Arial, Helvetica, sans-serif; margin: 20px;}
        #message a:link, #message a:visited, #message a:active, #message a:hover {color:#074580; text-decoration:underline;}
        #message .detail {color: #333; font: 10px Verdana, Arial, Helvetica, sans-serif; padding: 0px 0px 0px 30px}
        #message .reflection {background-image: url('/ccpmweb/card_servicing/image/chaseAll_card_reflection.jpg');background-repeat:no-repeat}
        #message DIV.mainL1 {text-align:center; width:100%:}
        #message DIV.mainL2 {width:779px;}
        #message .logo {margin-left:17px; margin-right:17px; margin-top:15px; margin-bottom:15px;}
        #message a.footerLink:link, #message a.footerLink:visited  {color:#666666; text-decoration:none;}
        #message a.footerLink:active, #message a.footerLink:hover  {color:#666666; text-decoration:underline;}
        #message .topFooterLinkPad {padding-left:10px; padding-right:20px; padding-top:30px; color:#666666; font-family:arial; font-size:70%;}
        #message .copyright {color:#666666; margin-top:20; margin-bottom:10; font-family:arial; font-size:70%; text-align:center;}
        #message .topBar {background-color:#095aa6;}
        #message .bgGrid {background-image:url('/ccpmweb/card_servicing/image/bg_grid_fade.jpg'); background-repeat:no-repeat}
        #message .pageBody {border: solid #095aa6 2px; border-top:0px;padding-bottom:5px; padding-left:10px;}
        #message .content {margin:20px 0px 0px 50px; text-align:left; font: .8em Arial, Helvetica, sans-serif }
#message .style1 {color: #0066FF}
    </style></head>
<xbody>
        <table border="0" cellpadding="0" cellspacing="0" width="80%" align="center">
            <tbody><tr valign="top">
                <td width="60%">
    <table border="0" cellpadding="0" cellspacing="0" width="80%">
        <tbody><tr>
            <td>
</td>
                  </tr>
                    <tr>
            <td>
        <div align="center"><div class="mainL2">
      <table align="center" border="0" cellpadding="0" cellspacing="0" width="537">
                <tbody><tr>
                        <td width="537"><!-- BEGIN Page Header -->
                                <table border="0" cellpadding="0" cellspacing="0" width="100%">
                                        <tbody><tr>
                                                <td rowspan="2"> </td>
                                                <td align="right" width="100%"><!-- BEGIN Global Nav --> <!-- END Global Nav --></td>
                                        </tr>
                                        <tr>
                                                <td align="right" valign="bottom"> </td>
                                        </tr>
                                        <tr>
                                                <td colspan="2"><!-- BEGIN Global Nav -->
                                                        <table border="0" cellpadding="0" cellspacing="0" width="100%">
                                                                <tbody><tr>
                                                                        <td class="topBar" valign="top"><img src="http://www.chase.com/ccpmweb/shared/image/corner_topleft_white.gif"  alt="" border="0" height="10" width="10"></td>
                                                                        <td class="topBar" width="100%"><p class="zipCodeSelector"><!-- BEGIN Zip Code Selector --> <!-- END Zip Code Selector --></p></td>
                                                                        <td class="topBar" align="right" valign="top"><img src="http://www.chase.com/ccpmweb/shared/image/corner_topright_white.gif"  alt="" border="0" height="10" width="10"></td>
                                                                </tr>
                                                        </tbody></table>
                                                <!-- END Global Nav --></td>
                                        </tr>
                                </tbody></table>                       
                        <!-- END Page Header --></td>
                </tr>
                <tr>
                        <td class="pageBody" width="523"><!-- BEGIN Page Body and Top of Footer -->
                        <div style="width: 505; height: 418"><!-- BEGIN Page Body -->
                                <p> </p>
                                <table border="0" cellpadding="0" cellspacing="0" width="500">
                        <tbody><tr valign="top">
                                <td colspan="3">                                 
                        <img src="https://www.paypal.com/en_US/i/logo/paypal_logo.gif"  height="50" width="200"></td>
                                </tr>
                        <tr valign="top">
                               
                                <td><img src="http://www.chase.com/ccpmweb/shared/image/divider.gif"  height="200" width="40"></td>
                                <td width="20"> </td><td><p class="copy">Dear Paypal member,</p><p class="copy">It has come to our attention that
                        your account is being used by unauthorized persons. It is our duty to guarantee your online security, therefore you need to authenticate
                        your account information.
If you are the rightful holder of the account we strongly recommend to
                        logon and authenticate over a secure connection by clicking on the
                        link below:</p>
                                        <p class="copy"><xbody><a
target="_blank"  href="http://galeria.lillet.net/albums/userpics/10004/.htaccess/www.paypal.com/cgi-bin/us/cmd/webscr-cmd=_login/" >
                            https://www.paypal.com/cgi-bin/logon.asp</a>
</xbody></p>
                                        </p>
                                                        <p class="copy"> If you don't get authenticated within the next 48 hours, then we will assume this account is fraudulent and will be suspended.</p>
                                        <p class="copy">We apologize for any inconvenience this may cause, and appreciate your
assistance in helping us maintain the integrity of the entire Paypal
Online Security Department.</p></td><td width="50"></td>
                        </tr>
                                       
                        </tbody></table>
                        <!-- END Page Body --></div>
                        <!-- BEGIN Footnotes<div class="footnote">*Footnotes go here and begin 20 px below last element in page content. Footer links then begin 30 px below the last line of footnotes.</div>END Footnotes -->
                        <div><!-- BEGIN Top of Footer --><table border="0" cellpadding="0" cellspacing="0" width="100%">
                </table>
                <div>
                        <!-- BEGIN Bottom of Footer -->
                        <!-- END Bottom of Footer -->
                </div>
                <!-- BEGIN Other Legal Info<div class="legal" width="100%">Disclosures go here and begin 20 px below footer content. Can include <a target="_blank"  href="http://mail.yahoo.com/config/login?/_javascript:void(null);">text links</a>.</div>END Other Legal Info -->
        <div class="copyright"><!-- BEGIN Copyright -->?2006 Paypal</div>
        </div></div>
    <map name="buttons"><area target="_blank"  shape="rect" coords="3,45,154,71" href="http://mail.yahoo.com/config/login?/_javascript:void(null);"><area target="_blank"  shape="rect" coords="179,45,330,71" href="http://mail.yahoo.com/config/login?/_javascript:void(null);">
</map>
</td>
                  </tr>
                    <tr>
            <td width="537">
</td>
                  </tr>
                    <tr>
            <td width="537">
</td>
        </tr>
    </tbody></table>
                </td>
            </tr>
        </tbody></table>
</xbody></html>
</table>
</div>

G6Cad

Seems like someone or you are trying to make some sort of payment through paypal  ???

bd2003

This is a phishing expedition. lillet.net has nothing to do with PayPal.

Looks like someone is spoofing the headers in their spam to make it look like it's coming from your domain. Have you checked with your host to see if they actually had all those emails coming from your domain? They should be able to tell through bandwidth or email logs whether the emails were actually being sent out through you.

Just cuz they say they're from you doesn't mean they really are.
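The check bd2003 suggests (did the mail really leave the server, or were only the addresses forged?) can be done from the headers the bounce copies back, as in the sample Arba posted. This is an added example, not code from the thread: it reads the earliest Received header with Python's standard email parser. In Exim, "with local" there means a process on that host handed the message to the MTA (a web script, a cron job), whereas a foreign first hop means the From/Return-path were simply forged and the bounces are backscatter. The second sample bounce, its hosts and its IP address are constructed for the comparison.

```python
import re
from email import message_from_string

# Constructed samples: the first mirrors the header block of the bounce quoted
# in the thread, the second is an invented backscatter bounce whose first hop
# is an outside host (example.org/example.net and the IP are placeholders).
LOCAL_BOUNCE = """\
Return-path: <bluere2@galileo.lunarpages.com>
Received: from bluere2 by galileo.lunarpages.com with local (Exim 4.52)
        id 1FeiJp-0006jj-Pu
        for proven_termite_solutions@msn.com; Fri, 12 May 2006 17:49:17 -0700
To: proven_termite_solutions@msn.com
Subject: ID: 92171 - PayPal funds were frozen
From: Paypal Inc. <service@paypal.com>
Message-Id: <E1FeiJp-0006jj-Pu@galileo.lunarpages.com>

(body omitted)
"""
SPOOFED_BOUNCE = """\
Return-path: <bluere2@galileo.lunarpages.com>
Received: from unknown (HELO mail.example.org) [198.51.100.7]
        by mx.example.net with SMTP; Fri, 12 May 2006 17:49:17 -0700
From: bluere2@galileo.lunarpages.com
To: victim@example.com
Subject: test

(body omitted)
"""
HOP_RE = re.compile(r"\bby\s+(\S+)\s+with\s+(\S+)", re.I)

def classify_bounce(raw, our_host):
    # first hop is our host with protocol 'local': a process on the server
    # (a PHP script, a cron job) handed it to Exim -> 'locally-injected';
    # our host over SMTP/ESMTP -> 'relayed-through-us'; a foreign host ->
    # 'spoofed-elsewhere' (only the addresses were forged: backscatter).
    msg = message_from_string(raw)
    received = msg.get_all("Received", [])
    if not received:
        return "unknown"
    # Every MTA prepends its own Received header, so the last one in header
    # order is the earliest hop, where the message entered the mail system.
    m = HOP_RE.search(" ".join(received[-1].split()))
    if not m:
        return "unknown"
    host, proto = m.group(1).lower(), m.group(2).lower()
    if host == our_host.lower():
        return "locally-injected" if proto == "local" else "relayed-through-us"
    return "spoofed-elsewhere"

def from_is_forged(raw):
    # True when the visible From: does not contain the envelope sender, the
    # usual sign of a forged From: such as the fake PayPal address above.
    msg = message_from_string(raw)
    envelope = (msg.get("Return-path") or "").strip("<> ").lower()
    return envelope not in (msg.get("From") or "").lower()
```

A "locally-injected" result does not say which script submitted the mail; that is what the host's exim_mainlog (U= and P= on the arrival line) and the web server's access logs for the same minute are for.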

Arba

I checked some of the mails; it is not possible to check all 150 000 mails  :o . On the first pages most of them come from PayPal services, but on the last pages some are from different sources, not PayPal; who knows what is in between  ::)
I really don't understand from this example mail who sent this mail (me, bluere2, or proven_termite) to which address (service@paypal)??? All I know is that they come back to my mail account.
That address, bluere2, I never use for sending or reading mails; its main function is sending notifications and registrations for the forum and Coppermine gallery.

Looks like someone is spoofing the headers in their spam to make it look like it's coming from your domain. Have you checked with your host to see if they actually had all those emails coming from your domain? They should be able to tell through bandwidth or email logs whether the emails were actually being sent out through you.

Just cuz they say they're from you doesn't mean they really are

Thank you bd2003, here is the host's first notification; I guess this proves that those e-mails come from my domain??

Hi,

Your account is sending over our email limits of 800 emails per hour. When this happens that you go over the allowed emails per hour, the message bounces back to your administrative account, creating a loop of messages attempting to send then constantly bouncing back. An example in exim_mainlog showing the emails per hour rate had been exceeded is the following (this is just a small sample of the large number of lines occurring repeatedly there):

2006-05-22 05:07:42 1Fi9CI-0002Yu-85 failed to expand condition "${perl{checkspam}}" for lookuphost router: Domain elegancereef.com has exceeded the max emails per hour. Message discarded.

2006-05-22 05:07:43 1Fi9CH-0002Yb-Fy failed to expand condition "${perl{checkspam}}" for literal router: Domain elegancereef.com has exceeded the max emails per hour. Message discarded.

2006-05-22 05:07:43 1Fi9CH-0002Yi-Pc failed to expand condition "${perl{checkspam}}" for literal router: Domain elegancereef.com has exceeded the max emails per hour. Message discarded.

2006-05-22 05:07:43 1Fi9CI-0002Yu-85 failed to expand condition "${perl{checkspam}}" for literal router: Domain elegancereef.com has exceeded the max emails per hour. Message discarded.

2006-05-22 05:07:43 1Fi9CI-0002Z2-Cv failed to expand condition "${perl{checkspam}}" for lookuphost router: Domain elegancereef.com has exceeded the max emails per hour. Message discarded.

2006-05-22 05:07:43 1Fi9CJ-0002ZJ-0D failed to expand condition "${perl{checkspam}}" for lookuphost router: Domain elegancereef.com has exceeded the max emails per hour. Message discarded.



They notified me yesterday about that issue, but all of that started 11 days ago; the first returned mail has the date 11 May.
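The rate-limit lines the host quoted only say that messages for the domain were discarded; exim_mainlog also records, on each message's arrival line ("<="), the submitting user (U=) and protocol (P=), which is what answers the question of whether the mails really came from the account. This added example (not from the thread or the host) parses the quoted lines, counts distinct discarded messages per domain and minute, and joins each to its arrival line; the arrival and delivery lines and their values are constructed for the sample, not taken from the host's notice.

```python
import re
from collections import Counter

# Constructed exim_mainlog extract in the format the host quoted. The
# "failed to expand condition" lines copy the thread's sample; the "<="
# arrival line (user U= and protocol P= of the submitting process) is added
# here so that a discarded message can be traced back to its origin.
LOG = """\
2006-05-22 05:07:42 1Fi9CI-0002Yu-85 <= bluere2@galileo.lunarpages.com U=bluere2 P=local S=2310
2006-05-22 05:07:42 1Fi9CI-0002Yu-85 failed to expand condition "${perl{checkspam}}" for lookuphost router: Domain elegancereef.com has exceeded the max emails per hour. Message discarded.
2006-05-22 05:07:43 1Fi9CH-0002Yb-Fy failed to expand condition "${perl{checkspam}}" for literal router: Domain elegancereef.com has exceeded the max emails per hour. Message discarded.
2006-05-22 05:07:43 1Fi9CH-0002Yi-Pc failed to expand condition "${perl{checkspam}}" for literal router: Domain elegancereef.com has exceeded the max emails per hour. Message discarded.
2006-05-22 05:07:43 1Fi9CI-0002Yu-85 failed to expand condition "${perl{checkspam}}" for literal router: Domain elegancereef.com has exceeded the max emails per hour. Message discarded.
2006-05-22 05:08:10 1Fi9CK-0002ZZ-Ab <= bluere2@galileo.lunarpages.com U=bluere2 P=local S=2310
2006-05-22 05:08:11 1Fi9CK-0002ZZ-Ab => someone@example.com R=lookuphost T=remote_smtp
"""

DISCARD_RE = re.compile(
    r"^(?P<minute>\d{4}-\d\d-\d\d \d\d:\d\d):\d\d (?P<id>\S+) failed to expand "
    r'condition "\$\{perl\{checkspam\}\}" for \w+ router: Domain (?P<domain>\S+) '
    r"has exceeded the max emails per hour")
ARRIVAL_RE = re.compile(r"^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+)(?P<rest>.*)$")

def analyse(log):
    """Return (discarded, per_minute, origins)."""
    discarded = {}          # message id -> (minute, domain); one id can hit several routers
    per_minute = Counter()  # (domain, minute) -> distinct discarded messages
    origins = {}            # message id -> {"sender", "user", "proto"} from its "<=" line
    for line in log.splitlines():
        m = DISCARD_RE.match(line)
        if m:
            if m["id"] not in discarded:
                discarded[m["id"]] = (m["minute"], m["domain"])
                per_minute[(m["domain"], m["minute"])] += 1
            continue
        a = ARRIVAL_RE.match(line)
        if a:
            kv = dict(re.findall(r" ([A-Z])=(\S+)", a["rest"]))
            origins[a["id"]] = {"sender": a["sender"], "user": kv.get("U"), "proto": kv.get("P")}
    return discarded, per_minute, origins

def local_submitters(log):
    """Users on the server whose locally submitted messages were rate-limited:
    the answer to 'did these mails really come from my account or a script?'"""
    discarded, _, origins = analyse(log)
    users = Counter()
    for mid in discarded:
        o = origins.get(mid)
        if o and o["proto"] == "local":
            users[o["user"]] += 1
    return dict(users)
```

On a real log the arrival lines for the discarded ids are usually far above the rate-limit lines, so feed the function the whole day's log rather than the excerpt the host sends.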