
Help! Hackers Using My Domain For E-mail Spam!

#1 ssperte, September 14th, 2003, 6:33 PM
:pleasehelp: Starting today, someone has begun to use my domain to send SPAM and now my mailbox is jammed with returned mail and anti-spam messages, and email from irate recipients. How could someone have done this, how do I stop them, and how do I prevent it from happening again?

HELP! I have over 600 emails in my box in the past 1/2 hour!
#2 patrickb, September 14th, 2003, 6:58 PM
More than likely someone isn't really using your domain, they are just sending out emails from their own mail servers and making it LOOK like you are the one sending it. Quite easy to do really, and a lot of viruses floating around do that same thing. 600 emails in a half hour is not good at all. I would begin looking at the original message headers and finding out where the emails really came from, and then start emailing ISPs with the information so hopefully they can close down the offenders. Not an elegant or easy solution, but I believe it is your only recourse.
__________________
Patrick

Warnings: The program(s) might crash unexpectedly or behave otherwise strangely. (But of course, so do many commercial programs on Windows.) --www.gimp.org
#3 ssperte, September 14th, 2003, 7:33 PM
How, then, can I be getting all the responses to the spam they are sending out, using an email that says it's from my domain? I can't trace who is using an email address from my domain because I didn't get any of the emails. I am only getting emails from the RECIPIENTS. So, how can I trace who sent the original spam?
#4 ssperte, September 14th, 2003, 7:37 PM
Here is an example of one of the message headers. It shows who GOT the spam and the email of who sent it. The send address says bettysperte.com. There is no such person and no such address, but all of the replies to bettysperte.com are coming to ME. I need to know how to stop this and prevent it from happening again.


From: postmastermail.hotmail.com
Date: Sun Sep 14, 2003 1:06:33 PM US/Pacific
To: bettysperte.com
Subject: Delivery Status Notification (Failure)

This is an automatically generated Delivery Status Notification.

Delivery to the following recipients failed.

anthony_dasarohotmail.com



Reporting-MTA: dns;mc9-f12.hotmail.com
Received-From-MTA: dns;mail.bigfoot.com
Arrival-Date: Sun, 14 Sep 2003 13:05:56 -0700

Original-Recipient:
Final-Recipient: rfc822;anthony_dasarohotmail.com
Action: failed
Status: 5.0.0
Diagnostic-Code: smtp;550 Requested action not taken: mailbox unavailable


From: betty <bettysperte.com>
Date: Sun Sep 14, 2003 1:23:25 PM US/Pacific
To: <!endyjo2bigfoot.com>
Subject: Someone Cares About You!
#5 patrickb, September 14th, 2003, 8:13 PM
Well, if there is no bettysperte.com, then I am assuming that your email address is the main account for your webhosting. IE: the username that you log in to Cpanel with.

Accounts are set up with a "catch-all" that automatically grabs any email sent to a user at your domain who can't be found. This can be fixed if you like, and I will elaborate if you want to know how to disable that "catch-all" or send it to another email address in your account.

As for the message example you sent. Yes, it doesn't truly say who sent the email, but hotmail.com received the email from mail.bigfoot.com. You could forward the returned message to the appropriate bigfoot.com reporting address and inform them of the spam and maybe they can track who sent the original message using the recipient fields or another of the few included fields in the returned message (though I doubt it).

As far as stopping the emails from appearing to come from your domain, I am afraid that is impossible.
__________________
Patrick
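An added example, not part of the thread: post #5 reads the Reporting-MTA and Received-From-MTA fields of one bounce by hand, and with hundreds of bounces it helps to tally them. This Python script parses the delivery-status fields (RFC 3464 layout) and counts failed deliveries per relay; the sample reports are constructed, reusing only the two MTA names from the bounce in post #4.

```python
import re
from collections import Counter

# Constructed samples. The first reuses the field layout and MTA names from the
# bounce quoted in post #4; every address and the example.org host are made up.
BOUNCES = [
    "Reporting-MTA: dns;mc9-f12.hotmail.com\n"
    "Received-From-MTA: dns;mail.bigfoot.com\n"
    "Arrival-Date: Sun, 14 Sep 2003 13:05:56 -0700\n\n"
    "Original-Recipient:\n"
    "Final-Recipient: rfc822;user1@example.org\n"
    "Action: failed\nStatus: 5.0.0\n"
    "Diagnostic-Code: smtp;550 Requested action not taken:\n  mailbox unavailable\n",
    "Reporting-MTA: dns;mx.example.org\nReceived-From-MTA: dns;mail.bigfoot.com\n\n"
    "Final-Recipient: rfc822;user2@example.org\nAction: failed\nStatus: 5.1.1\n\n"
    "Final-Recipient: rfc822;user3@example.org\nAction: delayed\nStatus: 4.4.1\n",
    # Received-From-MTA is optional, so a report may not name the relay at all.
    "Reporting-MTA: dns;mx.example.org\n\n"
    "Final-Recipient: rfc822;user4@example.org\nAction: failed\nStatus: 5.7.1\n",
]

def parse_dsn(text):
    """Return (per_message_fields, [per_recipient_fields]) for one report."""
    groups = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        unfolded = re.sub(r"\r?\n[ \t]+", " ", block)  # join folded lines
        fields = {}
        for line in unfolded.splitlines():
            name, sep, value = line.partition(":")
            if sep:
                fields[name.strip().lower()] = value.strip()
        if fields:
            groups.append(fields)
    return (groups[0], groups[1:]) if groups else ({}, [])

def failures_by_relay(bounces):
    """Count failed recipients per relay named in Received-From-MTA."""
    counts = Counter()
    for text in bounces:
        per_message, recipients = parse_dsn(text)
        # Field value looks like 'dns;host'; the field is optional in a DSN.
        relay = per_message.get("received-from-mta", "").partition(";")[2].strip()
        failed = [r for r in recipients if r.get("action", "").lower() == "failed"]
        counts[relay or "unknown"] += len(failed)
    return counts

if __name__ == "__main__":
    print(failures_by_relay(BOUNCES).most_common())
```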
#6 Kayla (Surpass Staff), September 14th, 2003, 8:48 PM
Also, please send a report of this to supportsurpasshosting.com so your account can be fully checked out for anything suspicious. Sounds like you may have received a virus, though.
#7 ssperte, September 14th, 2003, 8:56 PM
I sent an urgent message to support and got a ticket number. I hope someone works this out. I doubt I got a virus because I use a Mac and update my signatures weekly and because these messages are definitely spam. They are selling different products or services, all of which have live phone numbers attached to them, but you can only leave a message. How do I disable the emails bettysperte.com, bettyesperte.com, and bettyannsperte.com, since all of these are being used?

Thanks so much for your help!
#8 patrickb, September 14th, 2003, 11:18 PM
Well, actually disabling the email addresses isn't possible. You could try setting up email filters to drop those incoming emails, or better yet, disable the "catch-all" of your account. Go to your Cpanel > Mail > Default Address. Choose 'Set Default Address' and then change it to ":fail:" (without the quotes) and that will disable the "catch-all" and bounce every msg addressed to an invalid email at your domain back to the sender. Be aware, however, that for every email that comes in to one of those bad addresses, you will send another one out, and this could eat up your bandwidth. The other option, email filtering, would just drop the emails when they come in and not reply back to them. Probably the best choice... Setting them up is fairly easy, just follow the prompts under Cpanel > Mail > E-mail Filtering.
__________________
Patrick
#9 kcuf.us, September 15th, 2003, 2:09 AM
I remember I had this same problem a couple of days ago, just not 600 emails, but rather, 2 emails sent from my primary email on my domain? I then tried emailing a friend on aol and got this error:

SMTP error from remote mailer after initial connection:
host mailin-01.mx.aol.com [64.12.138.57]: 554-(RLY:B1) The information presently available to AOL indicates this
554-server is generating high volumes of member complaints from AOL's
554-member base. Based on AOL's Unsolicited Bulk E-mail policy at
554-http://www.aol.com/info/bulkemail.html AOL may not accept further
554-e-mail transactions from this server or domain. For more information,
554 please visit http://postmaster.info.aol.com.

Umm, I hardly send out emails? Is there a way to track what emails were sent from your domain or anything?