Author Topic: 150 000 mails  (Read 5431 times)


Arba

  • Guest
150 000 mails
« on: May 23, 2006, 07:01:50 AM »
Hello
As usual I need help again ???. I don't know what is going on, but somehow 150 000 mails were sent from my server/mail account and they were all returned to my mail account as undelivered mail. Of course I did not send those mails. I don't know how that is possible and who hacked/exploited my site. I have the SMF forum upgraded to the latest secure version, Mambo manually upgraded too, Coppermine gallery upgraded too except for the newest upgrade (I did not know that I needed to upgrade again because the latest upgrade was done a month ago) and Flash Chat; I don't know if Flash Chat needs upgrading too??
My host blocked my mail and told me to fix that problem, but I don't have a clue what I need to fix and where the problem is.
The corrupted mail address is the one the forum uses for registration, notification... it is not a mail address which I use for sending mail.
Can someone help me? I am willing to pay, without problem, anyone who can solve that issue; the only problem is that I can't use PayPal, it does not exist in my country :(.
Has anyone heard before of similar problems/exploits?

gerrymo

  • Guest
Re: 150 000 mails
« Reply #1 on: May 23, 2006, 07:06:59 AM »
I'd go into your admin area and turn off notifications for PMs and new posts, replies etc by default and see if that makes a difference. Basically, stop your site sending mail until you find the problem.

Offline IchBin™

  • Developer
  • *
  • Posts: 16228
    • My Website
Re: 150 000 mails
« Reply #2 on: May 23, 2006, 07:32:40 AM »
Arba, I think you have been a victim of email spoof. I run a mail server here at my work. I cannot tell you how many people try to use my mail server to spam other people each day. The latest "spam technology" is spoofing someone else's email when spamming others. It sounds to me (I could be wrong) like someone has done this to your account and the emails are bouncing back to your account because your email was spoofed (faked). Tell your host to look at the email headers and check to see if the emails were actually sent from your site. I would also do as gerrymo said and stop and turn off ALL email until this problem is fixed.

If you'd like you can forward one of the messages to me and I'll take a look. But I won't know for sure unless I get more info from your site so that I can tell if it was actually sent from your server or not.

gerrymo

  • Guest
Re: 150 000 mails
« Reply #3 on: May 23, 2006, 07:41:24 AM »
You could in the mean time, set up a temp e-mail addy for the site using a different e-mail address and e-mail company. (If you use hotmail, change the site to yahoo). That way you'll know quickly if it is the site. But I'd opt for Ichbin's explanation as to why it's happening.

Arba

  • Guest
Re: 150 000 mails
« Reply #4 on: May 23, 2006, 07:46:03 AM »
Gerrymo, thank you for the reply :)
Quote from gerrymo: "I'd go into your admin area and turn off notifications for PMs and new posts, replies etc by default"
I can't find that in my SMF admin??

Quote from gerrymo: "see if that makes a difference. Basically, stop your site sending mail until you find the problem."
Sorry that I did not explain the issue further; the returned mails which block my e-mail box are not from my forum or site. All mails in my mailbox are: "Mail delivery failed: returning message to sender". I supposedly sent mail to some totally unknown person and the mails are returned to my e-mail box, 150 000 times :-\
If someone wants to go to my cPanel and see what is going on, that would be very helpful; I just don't know how to explain the situation. I don't know how to delete those e-mails and configure e-mail again.
I think my site is hacked via that e-mail address.
A big part of the problem is that all scripts were installed by other people, for example the SMF 1.1 RC2 forum was installed by IchBin :), and I do not know where to look in my PHP files, what is a normal file and what can be an exploit.

Arba

  • Guest
Re: 150 000 mails
« Reply #5 on: May 23, 2006, 07:50:51 AM »
Quote from IchBin: "Arba, I think you have been a victim of email spoof. I run a mail server here at my work. I cannot tell you how many people try to use my mail server to spam other people each day. The latest "spam technology" is spoofing someone else's email when spamming others. It sounds to me (I could be wrong) like someone has done this to your account and the emails are bouncing back to your account because your email was spoofed (faked). Tell your host to look at the email headers and check to see if the emails were actually sent from your site. I would also do as gerrymo said and stop and turn off ALL email until this problem is fixed."

Thank you IchBin, yes, I think you are correct, that is what is happening IMO.

Quote from IchBin: "If you'd like you can forward one of the messages to me and I'll take a look. But I won't know for sure unless I get more info from your site so that I can tell if it was actually sent from your server or not."
I have been trying to do that for the last half hour, actually to copy one mail here in the forum, but I cannot open my e-mail due to my very slow internet connection; I get into the mail folder, but when I try to open a mail I get the notification "cannot find server". It is just one of those days ::) my cellular phone stopped working today and I am completely disconnected from the world O0 unbelievable

Arba

  • Guest
Re: 150 000 mails
« Reply #6 on: May 23, 2006, 09:33:37 AM »
Here is a copy of one mail; I cannot forward mails because I can't use my server mail account :o, the host closed my e-mails:

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  proven_termite_solutions@msn.com
    SMTP error from remote mail server after RCPT TO:<proven_termite_solutions@msn.com>:
    host mx3.hotmail.com [65.54.244.72]: 550 Requested action not taken:
    mailbox unavailable

------ This is a copy of the message, including all the headers. ------

Return-path: <bluere2@galileo.lunarpages.com>
Received: from bluere2 by galileo.lunarpages.com with local (Exim 4.52)
        id 1FeiJp-0006jj-Pu
        for proven_termite_solutions@msn.com; Fri, 12 May 2006 17:49:17 -0700
To: proven_termite_solutions@msn.com
Subject: ID: 92171 - PayPal funds were frozen
From: Paypal Inc. <service@paypal.com>
Reply-To:
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id: <E1FeiJp-0006jj-Pu@galileo.lunarpages.com>
Date: Fri, 12 May 2006 17:49:17 -0700

<div id=message>
<html><head>
<title>Get Authenticated</title>
<xmeta name="keyword" content="chase">
<xmeta name="robots" content="indexall">
<xmeta name="indexing" content="true">
<xmeta name="bea-portal-meta-skeleton" content="/framework/skeletons/psmgenskel">
<xmeta name="bea-portal-meta-skin" content="/framework/skins/psmgenskin">
<xmeta name="bea-portal-meta-skin-images" content="/framework/skins/psmgenskin/images">
<xlink href="index.jsp_files/marketing_default_style.css" rel="stylesheet" type="text/css"><style type="text/css">
<!--

#message TD {
        FONT-FAMILY: Verdana,Helvetica; FONT-SIZE: 100%
}
#message TH {
        FONT-FAMILY: Verdana,Helvetica; FONT-SIZE: 100%
}
#message INPUT {
        FONT-FAMILY: Verdana,Helvetica
}

-->
    </style><style>
#message /*        a:link, #message a:visited, #message a:active, #message a:hover {color: #095AA6;}#message */
        .detail {color: #333; font: 10px Verdana, Arial, Helvetica, sans-serif; padding: 0px 0px 0px 30px}
        #message .reflection {background-image: url('/ccpmweb/card_servicing/image/chaseAll_card_reflection.jpg');background-repeat:no-repeat}
        #message .copy {color:#333; font: bold 11px Verdana, Arial, Helvetica, sans-serif; margin: 20px;}
        #message a:link, #message a:visited, #message a:active, #message a:hover {color:#074580; text-decoration:underline;}
        #message .detail {color: #333; font: 10px Verdana, Arial, Helvetica, sans-serif; padding: 0px 0px 0px 30px}
        #message .reflection {background-image: url('/ccpmweb/card_servicing/image/chaseAll_card_reflection.jpg');background-repeat:no-repeat}
        #message DIV.mainL1 {text-align:center; width:100%:}
        #message DIV.mainL2 {width:779px;}
        #message .logo {margin-left:17px; margin-right:17px; margin-top:15px; margin-bottom:15px;}
        #message a.footerLink:link, #message a.footerLink:visited  {color:#666666; text-decoration:none;}
        #message a.footerLink:active, #message a.footerLink:hover  {color:#666666; text-decoration:underline;}
        #message .topFooterLinkPad {padding-left:10px; padding-right:20px; padding-top:30px; color:#666666; font-family:arial; font-size:70%;}
        #message .copyright {color:#666666; margin-top:20; margin-bottom:10; font-family:arial; font-size:70%; text-align:center;}
        #message .topBar {background-color:#095aa6;}
        #message .bgGrid {background-image:url('/ccpmweb/card_servicing/image/bg_grid_fade.jpg'); background-repeat:no-repeat}
        #message .pageBody {border: solid #095aa6 2px; border-top:0px;padding-bottom:5px; padding-left:10px;}
        #message .content {margin:20px 0px 0px 50px; text-align:left; font: .8em Arial, Helvetica, sans-serif }
#message .style1 {color: #0066FF}
    </style></head>
<xbody>
        <table border="0" cellpadding="0" cellspacing="0" width="80%" align="center">
            <tbody><tr valign="top">
                <td width="60%">
    <table border="0" cellpadding="0" cellspacing="0" width="80%">
        <tbody><tr>
            <td>
</td>
                  </tr>
                    <tr>
            <td>
        <div align="center"><div class="mainL2">
      <table align="center" border="0" cellpadding="0" cellspacing="0" width="537">
                <tbody><tr>
                        <td width="537"><!-- BEGIN Page Header -->
                                <table border="0" cellpadding="0" cellspacing="0" width="100%">
                                        <tbody><tr>
                                                <td rowspan="2"> </td>
                                                <td align="right" width="100%"><!-- BEGIN Global Nav --> <!-- END Global Nav --></td>
                                        </tr>
                                        <tr>
                                                <td align="right" valign="bottom"> </td>
                                        </tr>
                                        <tr>
                                                <td colspan="2"><!-- BEGIN Global Nav -->
                                                        <table border="0" cellpadding="0" cellspacing="0" width="100%">
                                                                <tbody><tr>
                                                                        <td class="topBar" valign="top"><img src="http://www.chase.com/ccpmweb/shared/image/corner_topleft_white.gif"  alt="" border="0" height="10" width="10"></td>
                                                                        <td class="topBar" width="100%"><p class="zipCodeSelector"><!-- BEGIN Zip Code Selector --> <!-- END Zip Code Selector --></p></td>
                                                                        <td class="topBar" align="right" valign="top"><img src="http://www.chase.com/ccpmweb/shared/image/corner_topright_white.gif"  alt="" border="0" height="10" width="10"></td>
                                                                </tr>
                                                        </tbody></table>
                                                <!-- END Global Nav --></td>
                                        </tr>
                                </tbody></table>                       
                        <!-- END Page Header --></td>
                </tr>
                <tr>
                        <td class="pageBody" width="523"><!-- BEGIN Page Body and Top of Footer -->
                        <div style="width: 505; height: 418"><!-- BEGIN Page Body -->
                                <p> </p>
                                <table border="0" cellpadding="0" cellspacing="0" width="500">
                        <tbody><tr valign="top">
                                <td colspan="3">                                 
                        <img src="https://www.paypal.com/en_US/i/logo/paypal_logo.gif"  height="50" width="200"></td>
                                </tr>
                        <tr valign="top">
                               
                                <td><img src="http://www.chase.com/ccpmweb/shared/image/divider.gif"  height="200" width="40"></td>
                                <td width="20"> </td><td><p class="copy">Dear Paypal member,</p><p class="copy">It has come to our attention that
                        your account is being used by unauthorized persons. It is our duty to guarantee your online security, therefore you need to authenticate
                        your account information.
If you are the rightful holder of the account we strongly recommend to
                        logon and authenticate over a secure connection by clicking on the
                        link below:</p>
                                        <p class="copy"><xbody><a
target="_blank"  href="http://galeria.lillet.net/albums/userpics/10004/.htaccess/www.paypal.com/cgi-bin/us/cmd/webscr-cmd=_login/" >
                            https://www.paypal.com/cgi-bin/logon.asp[/url]
</xbody></p>
                                        </p>
                                                        <p class="copy"> If you don't get authenticated within the next 48 hours, then we will assume this account is fraudulent and will be suspended.</p>
                                        <p class="copy">We apologize for any inconvenience this may cause, and appreciate your
assistance in helping us maintain the integrity of the entire Paypal
Online Security Department.</p></td><td width="50"></td>
                        </tr>
                                       
                        </tbody></table>
                        <!-- END Page Body --></div>
                        <!-- BEGIN Footnotes<div class="footnote">*Footnotes go here and begin 20 px below last element in page content. Footer links then begin 30 px below the last line of footnotes.</div>END Footnotes -->
                        <div><!-- BEGIN Top of Footer --><table border="0" cellpadding="0" cellspacing="0" width="100%">
                </table>
                <div>
                        <!-- BEGIN Bottom of Footer -->
                        <!-- END Bottom of Footer -->
                </div>
                <!-- BEGIN Other Legal Info<div class="legal" width="100%">Disclosures go here and begin 20 px below footer content. Can include <a target="_blank"  href="http://mail.yahoo.com/config/login?/_javascript:void(null);">text links[/url].</div>END Other Legal Info -->
        <div class="copyright"><!-- BEGIN Copyright -->?2006 Paypal</div>
        </div></div>
    <map name="buttons"><area target="_blank"  shape="rect" coords="3,45,154,71" href="http://mail.yahoo.com/config/login?/_javascript:void(null);"><area target="_blank"  shape="rect" coords="179,45,330,71" href="http://mail.yahoo.com/config/login?/_javascript:void(null);">
</map>
</td>
                  </tr>
                    <tr>
            <td width="537">
</td>
                  </tr>
                    <tr>
            <td width="537">
</td>
        </tr>
    </tbody></table>
                </td>
            </tr>
        </tbody></table>
</xbody></html>
</table>
</div>
« Last Edit: May 23, 2006, 09:37:08 AM by Arba »

Offline G6Cad

  • Friends
  • *
  • Posts: 12643
    • FamiljeGodis
Re: 150 000 mails
« Reply #7 on: May 23, 2006, 09:45:42 AM »
Seems like someone or you are trying to make some sort of payment through paypal  ???

bd2003

  • Guest
Re: 150 000 mails
« Reply #8 on: May 23, 2006, 09:54:30 AM »
This is a phishing expedition. lillet.net has nothing to do with paypal.

Looks like someone is spoofing the headers in their spam to look like it's coming from your domain. Have you checked with your host to see if they actually had all those emails coming from your domain? They should be able to tell through bandwidth or email logs if the emails were actually being sent out through you.

Just cuz they say they're from you, doesn't mean they really are.
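
The header check suggested in the replies above, as an added example that is not part of the original thread: it reads the copy of the message embedded in an Exim bounce and reports whether the mail was handed to your own server by a local account (`with local`, as in the header posted earlier) or only carries your address while having passed through someone else's server. All hostnames, addresses and message ids below are constructed; `my_hosts` is assumed to be the list of hostnames your site sends mail from.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Line Exim writes before the returned copy (seen in the bounce quoted in this thread).
COPY_MARKER = "------ This is a copy of the message, including all the headers. ------"
HOP_RE = re.compile(
    r"from\s+(?P<src>\S+).*?\bby\s+(?P<by>\S+)\s+with\s+(?P<proto>\S+)"
    r"(?:.*?\bid\s+(?P<id>\S+))?", re.I | re.S)

# Constructed samples, shaped like the bounce posted above.
HEAD = ("This message was created automatically by mail delivery software.\n\n"
        + COPY_MARKER + "\n\n")
LOCAL_BOUNCE = HEAD + """Return-path: <siteuser@web01.hosting.example>
Received: from siteuser by web01.hosting.example with local (Exim 4.52)
        id 1AbcDe-0000aa-Bc
        for someone@recipient.example; Fri, 12 May 2006 17:49:17 -0700
From: Some Bank <service@bank.example>
Subject: constructed sample

body
"""
SPOOFED_BOUNCE = HEAD + """Return-path: <siteuser@web01.hosting.example>
Received: from [203.0.113.7] (helo=mailer.invalid) by mx.other.example with esmtp (Exim 4.52)
        id 1XyzAb-0000bb-Cd
        for someone@recipient.example; Fri, 12 May 2006 17:49:17 -0700
From: Some Bank <service@bank.example>
Subject: constructed sample

body
"""


def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if it has none."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def classify_bounce(bounce_text, my_hosts):
    """Report where the bounced message entered the mail system."""
    _, marker, copy = bounce_text.partition(COPY_MARKER)
    if not marker:
        raise ValueError("no embedded copy of the original message")
    msg = message_from_string(copy.lstrip("\r\n"))
    mine = {h.lower() for h in my_hosts}
    hops = [m for m in map(HOP_RE.search, msg.get_all("Received") or []) if m]
    on_my_host = [m for m in hops if m.group("by").lower() in mine]
    hop = on_my_host[-1] if on_my_host else None  # earliest hop on your server
    if not hops:
        verdict = "unknown"
    elif hop is None:
        verdict = "spoofed-elsewhere"      # never passed through your server
    elif hop.group("proto").lower() == "local":
        verdict = "local-submission"       # a script or account on your host sent it
    else:
        verdict = "relayed-through-host"   # arrived over SMTP and was passed on
    envelope, shown = domain_of(msg["Return-path"]), domain_of(msg["From"])
    return {
        "verdict": verdict,
        "local_user": hop.group("src") if verdict == "local-submission" else None,
        "exim_id": hop.group("id") if hop else None,  # look this up in exim_mainlog
        "from_mismatch": bool(envelope and shown and envelope != shown),
    }


if __name__ == "__main__":
    print(classify_bounce(LOCAL_BOUNCE, ["web01.hosting.example"]))
    print(classify_bounce(SPOOFED_BOUNCE, ["web01.hosting.example"]))
```

Received lines written before the message reached your own server can be forged by the sender, so the verdict should be confirmed by finding the reported Exim id in the host's mail log.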

Arba

  • Guest
Re: 150 000 mails
« Reply #9 on: May 23, 2006, 10:02:38 AM »
I checked some of the mails; it is not possible to check all 150 000 mails :o. In the first pages most of them come from PayPal services, but in the last pages some are from different sources, not PayPal; who knows what is in between ::)
I really don't understand from this example mail who sent this mail (me - bluere2 or proven_termite) to which address (service@paypal)??? All I know is that they come back to my mail account.
That address, bluere2, I never use for sending or reading mails; its main function is sending notifications and registration mails for the forum and Coppermine gallery.

Quote from bd2003: "Looks like someone is spoofing the headers in their spam to look like it's coming from your domain. Have you checked with your host to see if they actually had all those emails coming from your domain? They should be able to tell through bandwidth or email logs if the emails were actually being sent out through you.

Just cuz they say they're from you, doesn't mean they really are"

Thank you bd2003, here is the host's first notification; I guess they prove that those e-mails come from my domain??

Hi,

Your account is sending over our email limits of 800 emails per hour. When this happens that you go over the allowed emails per hour, the message bounces back to your administrative account, creating a loop of messages attempting to send then constantly bouncing back. An example in exim_mainlog showing the emails per hour rate had been exceeded is the following (this is just a small sample of the large number of lines occurring repeatedly there):

2006-05-22 05:07:42 1Fi9CI-0002Yu-85 failed to expand condition "${perl{checkspam}}" for lookuphost router: Domain elegancereef.com has exceeded the max emails per hour. Message discarded.

2006-05-22 05:07:43 1Fi9CH-0002Yb-Fy failed to expand condition "${perl{checkspam}}" for literal router: Domain elegancereef.com has exceeded the max emails per hour. Message discarded.

2006-05-22 05:07:43 1Fi9CH-0002Yi-Pc failed to expand condition "${perl{checkspam}}" for literal router: Domain elegancereef.com has exceeded the max emails per hour. Message discarded.

2006-05-22 05:07:43 1Fi9CI-0002Yu-85 failed to expand condition "${perl{checkspam}}" for literal router: Domain elegancereef.com has exceeded the max emails per hour. Message discarded.

2006-05-22 05:07:43 1Fi9CI-0002Z2-Cv failed to expand condition "${perl{checkspam}}" for lookuphost router: Domain elegancereef.com has exceeded the max emails per hour. Message discarded.

2006-05-22 05:07:43 1Fi9CJ-0002ZJ-0D failed to expand condition "${perl{checkspam}}" for lookuphost router: Domain elegancereef.com has exceeded the max emails per hour. Message discarded.



They notified me yesterday about that issue, but all that started 11 days ago; the first returned mail has the date 11 May.

Offline G6Cad

  • Friends
  • *
  • Posts: 12643
    • FamiljeGodis
Re: 150 000 mails
« Reply #10 on: May 23, 2006, 10:10:27 AM »
This seems to be more about a host issue than an SMF issue.
The mail handling in the forum is an SMF support question.
But as far as I know and can see, you have to talk to your host and tell them it's them that have to see this through and fix their mail handling on their mail servers.

bd2003

  • Guest
Re: 150 000 mails
« Reply #11 on: May 23, 2006, 10:13:15 AM »
I agree.
You can't really tell whether the email is being routed through an exploit in your stuff, or an exploit in the email software on the server itself.
But I really don't think it's an SMF issue.

gerrymo

  • Guest
Re: 150 000 mails
« Reply #12 on: May 23, 2006, 10:56:07 AM »
It looks very like a paypal phishing email as mentioned above. It has this in it: http:// galeria.lillet.net/albums/userpics/10004/.htaccess/www.paypal.com/cgi-bin/us/cmd/webscr-cmd=_login/ which makes me suspicious of an image on someone's gallery.

gerrymo

  • Guest
Re: 150 000 mails
« Reply #13 on: May 23, 2006, 10:58:58 AM »
In the mean time, I'd suggest using a Yahoo e-mail addy for your site. They have a system to limit the number of e-mails per hour sent for a certain period of time. Use the smtp setting for it, rather than the php way. You can get the required info when you set up the account at Yahoo.

Offline IchBin™

  • Developer
  • *
  • Posts: 16228
    • My Website
Re: 150 000 mails
« Reply #14 on: May 23, 2006, 12:14:13 PM »
I think that maybe your forum is the culprit for your email limit. If you have a few hundred users subscribing to posts/threads/boards and your forum is fairly active, you certainly can reach your email limit if everyone is getting email notifications from them. I would turn email notification off and see if that is your problem. If you want, PM the details and I will turn it off for you for the time being.

Arba

  • Guest
Re: 150 000 mails
« Reply #15 on: May 23, 2006, 03:22:37 PM »
No, my forum is a small community, 10 people daily O0.
I just got mail from the host: my site was hacked through a Coppermine gallery exploit http://coppermine-gallery.net/forum/index.php?topic=31671.0. I do try to upgrade all my scripts when I become aware of a vulnerability and was completely unaware of the new exploit, but even this notification from Coppermine gallery would not have helped, because the notification came out 4 days ago and my gallery was hacked 12 days ago. I hope I will not lose my gallery; it has a lot of pictures uploaded over the last 2 years :'(.

Offline IchBin™

  • Developer
  • *
  • Posts: 16228
    • My Website
Re: 150 000 mails
« Reply #16 on: May 23, 2006, 07:12:17 PM »
I will see if I can look at this tonight Arba.

Arba

  • Guest
Re: 150 000 mails
« Reply #17 on: May 28, 2006, 12:15:12 PM »
Good man IchBin fixed everything :) ....in 20 minutes 8), thank you :up:
I did try to post this reply a few days ago but got some error notification - my time session expired..-( or something like that :coolsmiley:) and was unable to post or send a PM.
Thanks again IchBin, it is really appreciated :)

Offline IchBin™

  • Developer
  • *
  • Posts: 16228
    • My Website
Re: 150 000 mails
« Reply #18 on: May 28, 2006, 08:47:45 PM »
Yeah we had some server issues for TinyPortal.net. The host went pretty far out of his way to fix it. Everything should be good now. I'm glad your site is working as it should. :)