#1

Registered User
Seasoned Poster
Joined in May 2003
Lives in Atlanta, GA
69 posts
Gave thanks: 0
Thanked 1 Time in 1 Post
We have been getting a LOT of email spam...
The problem is, it is stating that it came from us (webmaster rubyforest.com); it is obviously a spam bot that is using a mail server to pretend to be us. What's worse is it is doing this every night, and every email has a virus as an attachment. I am trying to figure out where/how it is being done. Could someone help by breaking apart the headers quoted below? Tell me what mail server it is using (rubyforest.com or rubyforest.net?) and HOW it is doing it. I originally thought it was through our webform, but it does not seem to be that way. How can I find out the source of how/where they are sending these mass emails from? I need to stop it, very soon. Thanks for any help. -Taka
Quote:
__________________
Server: simplemedia.com XX.XX.74.115 (Reseller) DNS: ns770.dizinc.com ns771.dizinc.com Sites: www.simplemedia.com www.southernbloom.com www.torimoto.net www.rubyforest.net
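The question in post #1 is really about reading the Received: chain: each relay prepends its own Received: line, so the bottom-most line written by a server you trust records the IP the message actually came from, while the name after "from" is only what the connecting client claimed in HELO (which is why a spam bot can say "rubyforest.com" without ever touching that server). The script below is an added example written for this thread, not code posted by Taka or any of the repliers; the message it parses is constructed for illustration (the From address and the 68.19.46.172 client IP come from the discussion, the hostnames, ids and dates are placeholders).

```python
import email
import re
from email.utils import parseaddr

# Constructed sample message (not from the thread). Hostnames, ids and dates are placeholders;
# the From address and the client IP 68.19.46.172 are the values discussed in the posts.
RAW_MESSAGE = b"""Received: from mail.example-host.invalid (mail.example-host.invalid [192.0.2.10])
\tby mx.example.invalid with ESMTP id abc123
\tfor <user@example.invalid>; Sat, 01 Jan 2005 03:12:00 -0500
Received: from rubyforest.com (host.placeholder.invalid [68.19.46.172])
\tby mail.example-host.invalid with SMTP id def456; Sat, 01 Jan 2005 03:11:58 -0500
From: webmaster@rubyforest.com
To: user@example.invalid
Subject: constructed sample
Message-ID: <placeholder@rubyforest.com>

(body omitted)
"""

# "from <helo> (<rdns> [<ip>]) ... by <server>": helo is client-controlled,
# rdns/ip are what the receiving server itself observed on the TCP connection.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+"
    r"\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)"
)


def parse_received(value):
    """Split one Received: header into its claimed and observed parts, or None if unparseable."""
    flat = " ".join(str(value).split())  # unfold continuation lines into one string
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    return {k: m.group(k) for k in ("helo", "rdns", "ip", "by")}


def received_chain(raw):
    """All parseable hops, newest first (the order they appear in the header block)."""
    msg = email.message_from_bytes(raw)
    hops = (parse_received(v) for v in msg.get_all("Received", []))
    return [h for h in hops if h]


def origin_hop(raw):
    """The earliest hop: the line added by the first server that accepted the message.
    Only lines added by servers you trust are evidence; anything the sender wrote
    below them can be forged."""
    chain = received_chain(raw)
    return chain[-1] if chain else None


def analyze(raw):
    """Compare what the From: header and HELO claim with the IP the first server saw."""
    msg = email.message_from_bytes(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    origin = origin_hop(raw)
    return {
        "from_domain": from_domain,
        "origin_ip": origin["ip"] if origin else None,
        "origin_helo": origin["helo"] if origin else None,
        # True here proves nothing: HELO is typed by the client, not verified by the server.
        "helo_claims_from_domain": bool(origin) and origin["helo"].lower() == from_domain,
    }


if __name__ == "__main__":
    for hop in received_chain(RAW_MESSAGE):
        print(f"claimed {hop['helo']:<28} observed {hop['ip']:<16} accepted by {hop['by']}")
    print(analyze(RAW_MESSAGE))
```

For the constructed message the script reports that the sender introduced itself as rubyforest.com but connected from 68.19.46.172, which is exactly the split post #2 draws on: the abuse report goes to whoever owns the observed IP, not to the domain named in the From: line.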
#2

Insanely
Super #1
Joined in Jul 2005
Lives in Northwest USA
4,154 posts
Gave thanks: 39
Thanked 78 times
Well, the IP there, 68.19.46.172, is in the BellSouth block of IPs.
So for starters, do you have copies of these spoofed emails? If so, forward them to abuse[at]bellsouth.net and let them know what is going on. They will know more about the header stuff too.
#3

Registered User
Comfy Contributor
Joined in Oct 2004
Lives in Reykjavík/Toronto
Hosted on Pass16/18
168 posts
Gave thanks: 0
Thanked 0 times
Isn't it a common practice of spammers to take a return name that matches the destination? The spam machine does this automatically. I would be more worried if the destination was a different domain and they pretended to be from me. Even worse if they still used my server to send them. But that is much harder to do.

A few things to do:
- Never have a default destination in your mail control. Blackhole any mail that doesn't match a real name.
- Change all common names, i.e. "jerry" is going to be hit with the dictionary attack spams. PITA to do if a user has a lot of legit mail, but an alias placed online for a period of time until senders get used to the new address is a way to wean off the old.
__________________
Pass16 Pass39
#4

Registered User
Comfy Contributor
Joined in Oct 2004
Lives in Reykjavík/Toronto
Hosted on Pass16/18
168 posts
Gave thanks: 0
Thanked 0 times
Speaking of spam: I get very little spam, but moments after I posted this I got one, and it was addressed to an address alias that I use for Surpass. Somewhere they are getting the address, and that is a bad sign. No worries yet; this is the first one, and when it gets bad I simply dump that alias and create a new one.
Point is, I know where the spammer got the address and it is easily corrected.
__________________
Pass16 Pass39
#5

Surpass Fan
Comfy Contributor
Joined in Apr 2004
Lives in South Texas USA
Hosted on ChopChop
183 posts
Gave thanks: 10
Thanked 7 times
One way I stopped a lot of that crap is to go into CPanel > Mail > Email Filtering and add "helo=yourdomain" and also "ehlo=yourdomain", replacing yourdomain in this case with rubyforest.com, and no quotes.

YMMV - I work behind Mercury32 [www.pmail.com] Mail Server locally, so there is absolutely no way I can send mail to myself via "mydomain.com"; if you direct connect this might be an issue.

Also do helo/ehlo for known IPs you have no business with. Example - helo=211. [this is country and our office is a u.s. gov], but be careful of this [using 68.19. from above] as you will kill off a big chunk of BellSouth.

Just my $0.0175
__________________
--wap3 If we removed all of the "Oxygen Thiefs" [tm] from politics, maybe the earth would not have a Greenhouse Gas problem.
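Posts #3 and #5 together describe an inbound acceptance policy: refuse anything addressed to a local part that is not a real mailbox instead of routing it to a default address (post #3), refuse outside connections that introduce themselves with your own domain in HELO/EHLO (post #5), and block a network prefix only where you really have no business with it, because a wide prefix such as 68.19. also shuts out that provider's legitimate customers (post #5's caveat). The code below is an added example modelled on those rules; it is neither the cPanel filter nor the Mercury32 setup the posters used. The mailbox list, the "own" network, and the blocked prefix are constructed assumptions, and it rejects at RCPT time rather than silently blackholing, so that a mistyped address still gets a bounce from the sending server.

```python
import ipaddress

# Constructed policy data (assumptions for this example, not the thread's real settings).
OWN_DOMAIN = "rubyforest.com"
OWN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]  # hosts that may legitimately say our domain
VALID_LOCAL_PARTS = {"webmaster", "sales", "support"}   # real mailboxes; no default destination
# Post #5's "helo=211." rule, kept deliberately narrow: a prefix like "68.19." would also
# refuse a large share of BellSouth's customers, which post #5 warns against.
BLOCKED_HELO_PREFIXES = ("211.",)
BLOCKED_NETWORKS = [ipaddress.ip_network("211.0.0.0/8")]


def in_networks(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def helo_claims_own_domain(helo_name):
    """True if the HELO name is our domain or a host under it."""
    h = helo_name.lower().rstrip(".")
    return h == OWN_DOMAIN or h.endswith("." + OWN_DOMAIN)


def check_helo(client_ip, helo_name):
    """Post #5: outsiders must not introduce themselves as us; known-bad prefixes are refused."""
    if in_networks(client_ip, OWN_NETWORKS):
        return None  # our own servers are allowed to use our name
    if helo_claims_own_domain(helo_name):
        return "helo-own-domain"
    if helo_name.lower().startswith(BLOCKED_HELO_PREFIXES) or in_networks(client_ip, BLOCKED_NETWORKS):
        return "blocked-network"
    return None


def check_recipient(client_ip, rcpt_to):
    """Post #3: no catch-all; only real local parts are accepted for our domain.
    Mail for other domains is relayed only for our own hosts."""
    local, _, domain = rcpt_to.lower().rpartition("@")
    if domain != OWN_DOMAIN:
        return None if in_networks(client_ip, OWN_NETWORKS) else "relay-denied"
    if local not in VALID_LOCAL_PARTS:
        return "unknown-recipient"
    return None


def smtp_policy(client_ip, helo_name, rcpt_to):
    """Decide one SMTP transaction: ("accept", None) or ("reject", reason)."""
    for reason in (check_helo(client_ip, helo_name), check_recipient(client_ip, rcpt_to)):
        if reason:
            return ("reject", reason)
    return ("accept", None)


if __name__ == "__main__":
    # Constructed transactions: the first mirrors the thread's case (outside host saying "rubyforest.com").
    samples = [
        ("68.19.46.172", "rubyforest.com", "webmaster@rubyforest.com"),
        ("68.19.46.173", "mail.somewhere.invalid", "sales@rubyforest.com"),
        ("198.51.100.9", "mail.somewhere.invalid", "jerry@rubyforest.com"),
        ("211.5.6.7", "mail.somewhere.invalid", "webmaster@rubyforest.com"),
    ]
    for ip, helo, rcpt in samples:
        print(ip, helo, rcpt, "->", smtp_policy(ip, helo, rcpt))
```

The second sample shows the caveat from post #5 in practice: a BellSouth-range host that does not pretend to be rubyforest.com and writes to a real mailbox is still accepted, because the block list names a prefix the site has no business with, not the whole 68.19. range.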