Spam Problem on Server30

We got the following spam mail report from our server provider.

Return-Path: info@blossombuilders.com
Received: from reszmta-po-02v.sys.comcast.net (LHLO
reszmta-po-02v.sys.comcast.net) (96.114.154.194) by
resmail-ch2-287v.sys.comcast.net with LMTP; Thu, 20 Nov 2014 07:55:45 +0000
(UTC)
Received: from resimta-po-14v.sys.comcast.net ([96.114.154.142]) by
reszmta-po-02v.sys.comcast.net with comcast id Hjvi1p00r34cKaw01jvln9; Thu,
20 Nov 2014 07:55:45 +0000
Received: from server30.hosthat.com ([67.228.226.102]) by
resimta-po-14v.sys.comcast.net with comcast id Hjvk1p03N2DBQtP01jvloQ; Thu,
20 Nov 2014 07:55:45 +0000
X-CAA-SPAM: 00000
X-Authority-Analysis: v=2.1 cv=CukxcxID c=1 sm=1 tr=0
a=s/av8W7acCFA6q/YwbCSOw==:117 a=s/av8W7acCFA6q/YwbCSOw==:17
a=Abf0ADQjAAAA:8 a=C_IRinGWAAAA:8 a=GGcpBh7Jt_oA:10 a=3odyDY6uAAAA:8
a=5y4faFyK3SkA:10 a=r77TgQKjGQsHNAKrUKIA:9 a=9iDbn-4jx3cA:10
a=cKsnjEOsciEA:10 a=WXto5488AAAA:20 a=cZWJtNJzVU_oY7CqQoIA:9
a=wPNLvfGTeEIA:10 a=P3ty5E8_3doA:10 a=hUVfm6KHxBQA:10 a=ifZI0m6gjFQA:10
a=wnrW-6vP_FgA:10 a=Ahpsf-YbZnIA:10 a=5Zoq-eewZGEA:10 a=RXoOObf_fF8A:10
a=eX_elxXcS04A:10 a=DlAU1eU3ghEA:10 a=oq6hVMENWk0A:10
a=ArAILVVYiOEvffbNCOoA:9 a=_W_S_7VecoQA:10 a=JuEPOEAF6ccA:10
a=UF909vspFEgA:10 a=UBz-Jv_xNXcA:10 a=gjil3rkLKHILPLaKUsAK:22
Received: from ([127.0.0.1]) with MailEnable ESMTP; Thu, 20 Nov 2014 07:55:36
+0000
Message-ID: <405FAD792EDE996AF30EBCA34521EE64@qamymywy>
From: lufyv <info@blossombuilders.com>
Subject: Hello! Sherif Kamal! I'm Info:)
Date: Thu, 20 Nov 2014 09:50:30 -0700
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3505.912
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3505.912
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0048_01CF93CE.780AD820"
To: <0cec113b2c19aa25eab6b74d53a55e63@riverswater.net>

I checked the mail queue and disabled blossombuilders.com's mailbox.

Again we got the same issue with some other domains and fixed it by disabling the mailbox. Before reactivating these accounts I reset the Control Panel, FTP and mail account passwords.

While checking the outbound mail queue (Connection > SMTP > Queues > Outbound) I found a large number of mails.

See example below.

Received: from ([127.0.0.1]) with MailEnable ESMTP; Wed, 3 Dec 2014 07:10:10 +0000
Reply-To: <fd2sl3@admin.in.th>
From: "Mr. Robert Macaulay."<cclinard@ec.rr.com>
Subject: Compensation.
Date: Tue, 2 Dec 2014 23:10:08 -0800
MIME-Version: 1.0
Content-Type: text/plain;
	charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID: <B5590D806EE14D14968DD486379AA362.MAI@server30.hosthat.com>

Dear Sir,

I am Mr. Robert Macaulay, I am a Business Manager of one of the biggest banks in the World with a branch in London, United Kingdom. I have an urgent and very confidential business proposition for you.

On the 20th of august 2008, a very rich Chinese customer of mine died with his wife in a plane crash. (Names withheld). Before his death, he confided in me and made a deposit in the sum of US$33,500,000 (Thirty Three Million, Five Hundred Thousand Dollars) in a suspense account in my bank for transfer to an account abroad. It is now over three years since their death and nobody has come forward to claim this money. The man had disclosed to me that he is the only surviving member of their family.  All my attempts to trace his next of kin were all fruitless.
 
Consequently, my proposal is that I will like you as a foreigner to stand in as the next of kin to this man so that the fruits of this man's labor will not get into the hands of some corrupt directors of the bank. You will not need to come to the bank before this transaction is concluded. I will arrange all the necessary documentations in your name which will prove that you are the next of kin. This is simple, I will like you to provide immediately your full names, address and telephone numbers so that I can prepare the necessary documents and affidavits which will put you in place as the next of kin. Upon the conclusion of this transaction, the money will be shared in the ratio of 60% for me and 40% for you.

There is no risk at all as all the paperwork for this transaction will be done by me and in my capacity as the Business Manager; I guarantee the successful execution of this transaction. If you are interested, please reply immediately via the private email address:(fd2sl3@admin.in.th) or fax no: + 44 20818 16677. Upon your response, I shall provide you with the relevant information to confirm the existence of this US$33,500,000 in our bank.

Awaiting your urgent reply via my contact details.

Thanks and regards.
 
Mr. Robert Macaulay.
Tel: +44 7831 926488

I stopped the SMTP connector, then removed the queues (C:\Program Files\MailEnable\Queues).

I can see that the incoming messages are coming from 127.0.0.1.


I checked the SMTP relay settings and removed 127.0.0.1 from the "Allow privileged IPs to relay" list.

By default MailEnable allows sending out via 127.0.0.1 without any authentication (relay). The most probable cause of this is a compromised script on the hosted account.
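The tell-tale sign in both captured messages above is the `Received: from ([127.0.0.1]) with MailEnable ESMTP` hop, which means the message was handed to MailEnable by something running on the server itself rather than by an authenticated client. The following script is an added example, not part of the original post or of MailEnable: it walks a set of queued messages, flags the ones that entered through that local relay hop, and tallies them by sender domain so the offending mailbox or hosted account can be found quickly. The sample messages are constructed here for the demo; the queue directory path and the `.MAI` file extension (taken from the Message-ID suffix seen in the queue) are assumptions.

```python
"""Triage a MailEnable outbound queue for messages injected via 127.0.0.1.

Added example; not code from the original post or from MailEnable.
Assumptions: queued messages are plain RFC 822 files, and their file
extension is .MAI (the suffix visible in the queued Message-ID above).
"""
import email
import email.utils
import re
from collections import Counter
from pathlib import Path

# The hop MailEnable adds when a message arrives over the loopback relay
# (no SMTP authentication is required for 127.0.0.1 by default).
LOCAL_HOP = re.compile(r"from \(\[127\.0\.0\.1\]\)\s+with MailEnable ESMTP", re.I)


def injected_via_localhost(raw: str) -> bool:
    """True if any Received: hop shows the message came in over 127.0.0.1."""
    msg = email.message_from_string(raw)
    return any(LOCAL_HOP.search(hop) for hop in msg.get_all("Received", []))


def sender_domain(raw: str) -> str:
    """Domain part of the From: address (lower-cased), or '<none>'."""
    msg = email.message_from_string(raw)
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower() or "<none>"


def triage_queue(messages, threshold: int = 2) -> dict:
    """Count localhost-injected messages per sender domain.

    Returns only domains at or above `threshold`; those are the mailboxes
    (or hosted accounts, if the From: domain is not hosted here at all)
    to disable and inspect for a compromised script.
    """
    counts = Counter()
    for raw in messages:
        if injected_via_localhost(raw):
            counts[sender_domain(raw)] += 1
    return {domain: n for domain, n in counts.items() if n >= threshold}


def scan_queue_dir(queue_dir: str, pattern: str = "*.MAI") -> list:
    """Read every queued message file under queue_dir (extension assumed)."""
    return [
        p.read_text(encoding="latin-1", errors="replace")
        for p in Path(queue_dir).rglob(pattern)
    ]


# Constructed sample messages (not real queue contents).
SAMPLES = [
    # injected over loopback, sender is a hosted domain
    "Received: from ([127.0.0.1]) with MailEnable ESMTP; Thu, 20 Nov 2014 07:55:36 +0000\r\n"
    "From: lufyv <info@blossombuilders.com>\r\n"
    "Subject: Hello!\r\n\r\nbody\r\n",
    # second message from the same hosted domain, same loopback hop
    "Received: from ([127.0.0.1]) with MailEnable ESMTP; Thu, 20 Nov 2014 07:56:01 +0000\r\n"
    "From: lufyv <info@blossombuilders.com>\r\n"
    "Subject: Hello again!\r\n\r\nbody\r\n",
    # injected over loopback, but From: is an outside domain (spoofed)
    "Received: from ([127.0.0.1]) with MailEnable ESMTP; Wed, 3 Dec 2014 07:10:10 +0000\r\n"
    'From: "Mr. Robert Macaulay."<cclinard@ec.rr.com>\r\n'
    "Subject: Compensation.\r\n\r\nDear Sir,\r\n",
    # legitimate submission from a remote client IP (constructed 203.0.113.5)
    "Received: from mail.example.net ([203.0.113.5]) by server30.hosthat.com"
    " with MailEnable ESMTP; Wed, 3 Dec 2014 08:00:00 +0000\r\n"
    "From: Some User <user@example.net>\r\n"
    "Subject: Invoice\r\n\r\nbody\r\n",
]

if __name__ == "__main__":
    # Replace SAMPLES with scan_queue_dir(r"C:\Program Files\MailEnable\Queues")
    # to run against a real queue (path assumed from the post).
    for domain, n in sorted(triage_queue(SAMPLES).items()):
        print(f"{domain}: {n} message(s) injected via 127.0.0.1")
```

A domain that is not hosted on the server at all showing up in the tally (ec.rr.com in the sample) points to a script on some account forging the From: header, so the hunt should move from the mailbox to the web content of the hosted accounts.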

The issue seems to be fixed now.


About Annie

I've been working in the technical sector for over 10 years in a wide range of tech jobs, from Tech Support to Software Testing. I started writing this blog for my future reference and to be useful for all.
Posted in Windows