Why am I getting so much spam from/to my domain all of a sudden?

on 18.12.2007 01:00:30 by Ohmster

For some reason, I am getting hundreds of bounced emails that seem to be
hammering my domain all of a sudden, lettermanstationery.com. I have
gotten almost 300 emails every time I check my mail, several times a
day. Is it that some spammer has picked my domain and has just started
hammering me or do you think that something more insidious is going on
like my server is compromised? I run Fedora Core 6 with
sendmail-8.13.8-2 installed.

*********************
Here are some of the maillogs that show the domain:
*********************
Dec 16 18:50:44 ohmster sendmail[6268]: lBGNogp3006268:
from=, size=0, class=0, nrcpts=0, proto=SM
TP, daemon=MTA, relay=mail.myshakti.com [203.199.114.172] (may be
forged)
Dec 16 18:50:50 ohmster sendmail[6273]: lBGNonBo006273:
ruleset=check_rcpt, arg1=, re
lay=mail.grs-s.com [63.174.37.124], reject=550 5.7.1
... Relaying denied
Dec 16 18:50:50 ohmster sendmail[6273]: lBGNonBo006273:
from=, size=0, class=0, nrcpt
s=0, proto=SMTP, daemon=MTA, relay=mail.grs-s.com [63.174.37.124]
Dec 16 18:50:50 ohmster sendmail[6274]: lBGNooeO006274:
ruleset=check_rcpt, arg1=, re
lay=mail.grs-s.com [63.174.37.124], reject=550 5.7.1
... Relaying denied
Dec 16 18:50:51 ohmster sendmail[6274]: lBGNooeO006274:
from=, size=0, class=0, nrcpt
s=0, proto=SMTP, daemon=MTA, relay=mail.grs-s.com [63.174.37.124]
Dec 16 19:06:48 ohmster sendmail[6945]: lBH06mT5006945:
ruleset=check_rcpt, arg1=,
relay=[64.80.3.156], reject=550 5.7.1
... Relaying denied. IP name
lookup failed
[64.80.3.156]
Dec 16 19:06:48 ohmster sendmail[6945]: lBH06mT5006945: from=<>, size=0,
class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[
64.80.3.156]
Dec 16 19:28:27 ohmster sendmail[8217]: ruleset=check_relay,
arg1=pD957ED4B.dip.t-dialin.net, arg2=127.0.0.2, relay=pD957ED
4B.dip.t-dialin.net [217.87.237.75], reject=553 5.3.0 Spam blocked see:
http://spamcop.net/bl.shtml?217.87.237.75
Dec 16 19:38:32 ohmster sendmail[8569]: lBH0cW4N008569:
ruleset=check_rcpt, arg1=, re
lay=72-48-175-130.ip.grandenetworks.net [72.48.175.130], reject=550
5.7.1 ... Relayin
g denied

*********************
And here are a couple of the spams:
**********************

Received: from imta15.westchester.pa.mail.comcast.net ([76.96.62.54])
by sccrmxc12.comcast.net (sccrmxc12) with ESMTP
id <20071217191114s120000il5e>; Mon, 17 Dec 2007 19:11:14
+0000
X-Originating-IP: [76.96.62.54]
Received: from mail3.zoneedit.com ([209.190.25.90])
by IMTA15.westchester.pa.mail.comcast.net with comcast
id RvAz1Y03H1weK4p0F00a00; Mon, 17 Dec 2007 19:11:07 +0000
X-Authority-Analysis: v=1.0 c=1 a=cb4V60z6X88A:15
a=Gfx/U0q3QyvNeBfOd+zkGg==:17 a=kSYKaphPH2VT8s2dBvMA:9
a=sGX9D4S6t8yykxC6jTB2UrAIHnIA:4 a=kBgy3V-7g20A:10 a=nWtov_rQAZcA:10
a=XF7b4UCPwd8A:10 a=GHe0LqhuNuBKNgNWfVoA:9
a=gdAhpdfyLBjlBV2BAYAt66RJajYA:4 a=D68rLpO3hrMA:10 a=eZLSmJVMEtUA:10
a=Tf4fDoeziwT-J4q4FQ8A:9 a=ZXf5PxFc_TZniI8Th2jSQNfU2cAA:4
Received: from inbound.sys.gtei.net
(ce23000.f10t8-10.Broomfield1.Level3.net [209.245.18.30])
by mail3.zoneedit.com (Postfix) with ESMTP id 36B5012169E9
for ; Sun, 16 Dec 2007
15:56:21 -0500 (EST)
Received: by inbound.sys.gtei.net (Postfix)
id 4736443E85; Sun, 16 Dec 2007 20:56:20 +0000 (GMT)
Date: Sun, 16 Dec 2007 20:56:20 +0000 (GMT)
From: MAILER-DAEMON@inbound.sys.gtei.net (Mail Delivery System)
Subject: **SPAM** Delayed Mail (still being retried)
To: LaurenceMackey@lettermanstationery.com
Auto-Submitted: auto-replied
Message-Id: <20071216205620.4736443E85@inbound.sys.gtei.net>
X-Antivirus: AVG for E-mail 7.5.503 [269.17.4/1187]
Mime-Version: 1.0
Content-Type: multipart/mixed;
boundary="=======AVGMAIL-4766EB865B2F======="
X-Bayesian-Result: Spam (99)
X-Bayesian-Words: 7.5.503 94 assistance 24 attached 19 back 76 checked
23 database 22 delayed 85 delete 29 delivered 71 edition 23 found 23
free 93 further 55 host 93 include 16 incoming 23 more 63 myself 20 need
82 only 78 please 16 postmaster 55 problem 12 release 23 report 48
resend 50 retried 50 returned 96 send 99 still 17 system 37 until 19
version 25 virus 23 warning 80
X-HTMLM-Score: 0
X-P2P: PASS
--=======AVGMAIL-4766EB865B2F=======
Content-Type: multipart/report; report-type=delivery-status;
boundary="0462441ACA.1197838580/inbound.sys.gtei.net"

--0462441ACA.1197838580/inbound.sys.gtei.net
Content-Description: Notification
Content-Type: text/plain; charset=us-ascii

This is the mail system at host inbound.sys.gtei.net.

####################################################################
# THIS IS A WARNING ONLY. YOU DO NOT NEED TO RESEND YOUR MESSAGE. #
####################################################################

Your message could not be delivered for more than 4 hour(s).
It will be retried until it is 3 day(s) old.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

The mail system

: mail for gellerco.com loops back to myself

--0462441ACA.1197838580/inbound.sys.gtei.net
Content-Description: Delivery report
Content-Type: message/delivery-status

Reporting-MTA: dns; inbound.sys.gtei.net
X-Postfix-Queue-ID: 0462441ACA
X-Postfix-Sender: rfc822; LaurenceMackey@lettermanstationery.com
Arrival-Date: Sun, 16 Dec 2007 15:44:17 +0000 (GMT)
Content-Type: text/plain

Final-Recipient: rfc822; jhecht@gellerco.com
Original-Recipient: rfc822;jhecht@gellerco.com
Action: delayed
Status: 4.4.6
Diagnostic-Code: X-Postfix; mail for gellerco.com loops back to myself
Will-Retry-Until: Wed, 19 Dec 2007 15:44:17 +0000 (GMT)

--0462441ACA.1197838580/inbound.sys.gtei.net
Content-Description: Undelivered Message Headers
Content-Type: text/rfc822-headers

Received: from pc (unknown [200.103.177.151])
by inbound.sys.gtei.net (Postfix) with SMTP id 0462441ACA
for ; Sun, 16 Dec 2007 15:44:17 +0000 (GMT)
Message-ID: 0f0901c83ffa$859b23d0$0401010a@pc
From: "Dr. Laurence Mackey"
To:
Subject: Stop feel shy of your male machine size.
Date: Sun, 16 Dec 2007 13:43:21 +0300
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="iso-8859-1";
reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.2663
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2757

--0462441ACA.1197838580/inbound.sys.gtei.net--
--=======AVGMAIL-4766EB865B2F=======
Content-Type: text/plain; x-avg=cert; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Content-Description: "AVG certification"

No virus found in this incoming message.
Checked by AVG Free Edition.=20
Version: 7.5.503 / Virus Database: 269.17.4/1187 - Release Date:
12/16/2007 =
11:36 AM

--=======AVGMAIL-4766EB865B2F=======--

*********************
One more spam
*********************

Received: from imta15.westchester.pa.mail.comcast.net
([76.96.62.54])
by sccrmxc12.comcast.net (sccrmxc12) with ESMTP
id <20071217191108s1200t90n6e>; Mon, 17 Dec 2007 19:11:08
+0000
X-Originating-IP: [76.96.62.54]
Received: from mail3.zoneedit.com ([209.190.25.90])
by IMTA15.westchester.pa.mail.comcast.net with comcast
id RvAz1Y03H1weK4p0F00700; Mon, 17 Dec 2007 19:11:01 +0000
X-Authority-Analysis: v=1.0 c=1 a=hOWMagi78i0A:15 a=nr5V2evGoywA:10
a=jkyVhh3uODFDoWNZwojeTw==:17 a=AcBYG2Y37zXmzC5CfNMA:9
a=WIaBUGuucDAe1wnisVP-FWwDcqwA:4 a=5WAHwiJ6TZMA:10 a=7mayv77iRtYA:10
a=LMZ9X7U6KCICgFRDYV4A:9 a=v_85FyKm0MAr-O0ZbbRudxIQotsA:4
a=D68rLpO3hrMA:10 a=72oxJoRhc8oA:10
Received: from vulcanoil.com (unknown [66.42.138.66])
by mail3.zoneedit.com (Postfix) with ESMTP id ADB3C1214DB0
for ; Sat, 15 Dec 2007
20:03:06 -0500 (EST)
Received: from 192.168.1.10 [192.168.1.10]
by vulcanoil.com
with XWall v3.40 ;
Sat, 15 Dec 2007 20:02:47 -0500
Received: by VULCANS1 with Internet Mail Service (5.5.2650.21)
id ; Sat, 15 Dec 2007 20:04:46 -0500
Message-ID:
From: System Administrator
To: SonjaHerrera@lettermanstationery.com
Date: Sat, 15 Dec 2007 20:04:46 -0500
X-Mailer: Internet Mail Service (5.5.2650.21)
X-MS-Embedded-Report:
Subject: **SPAM** Undeliverable: Dreaming about enlarging your
instrument size
X-Antivirus: AVG for E-mail 7.5.503 [269.17.4/1187]
Mime-Version: 1.0
Content-Type: multipart/mixed;
boundary="----_=_NextPart_000_01C83F7F.A62336C2"
X-Bayesian-Result: Spam (100)
X-Bayesian-Words: 2007 96 7.5.503 94 about 9 checked 23 chemical 8
database 22 dreaming 99 edition 23 enlarging 99 following 25 found 23
free 93 incoming 23 instrument 89 internet 42 lettermanstationery 99
master 5 mime-version 96 mts-id 50 original 37 products 32 reach 23
recipient 92 recognized 32 release 22 sent 95 service 48 sonja 50
sonjaherrera 50 surbl 99 undeliverable 99 unknown 98 version 25 virus 23
x-mailer 97
X-HTMLM-Score: 0
X-P2P: PASS
------_=_NextPart_000_01C83F7F.A62336C2
Content-Type: text/plain; charset=iso-8859-1

Your message

To: gecho@vulcanoil.com
Subject: Dreaming about enlarging your instrument size
[mx][surbl]
Sent: Sat, 15 Dec 2007 10:06:27 -0500

did not reach the following recipient(s):

gecho@vulcanoil.com on Sat, 15 Dec 2007 20:04:44 -0500
The recipient name is not recognized
The MTS-ID of the original message is: c=US;a= ;p=Vulcan Oil ?
Che;l=VULCANS10712160104YFVFY2R1
MSEXCH:IMS:Vulcan Oil & Chemical Products:VULCANOIL:VULCANS1 0
(000C05A6) Unknown Recipient



------_=_NextPart_000_01C83F7F.A62336C2
Content-Type: message/rfc822

Message-ID: 620601c83f80$0efec300$6401a8c0@master
From: "Dr. Sonja Herrera"
To: gecho@vulcanoil.com
Subject: Dreaming about enlarging your instrument size [mx][surbl]
Date: Sat, 15 Dec 2007 10:06:27 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
X-MS-Embedded-Report:
Content-Type: text/plain

------_=_NextPart_000_01C83F7F.A62336C2
Content-Type: text/plain; x-avg=cert; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Content-Description: "AVG certification"

No virus found in this incoming message.
Checked by AVG Free Edition.=20
Version: 7.5.503 / Virus Database: 269.17.4/1187 - Release Date:
12/16/2007 =
11:36 AM

------_=_NextPart_000_01C83F7F.A62336C2--


Does anybody have any idea of what is going on here or how I can figure
this out? Something to worry about or just a lousy spammer hammering my
box? I can see no programs running that are not accounted for or eating
up the CPU.



--
~Ohmster | ohmster /a/t/ ohmster dot com
Put "messageforohmster" in message body
(That is Message Body, not Subject!)
to pass my spam filter.
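
One way to check the question raised in the post, whether a bounced message ever passed through your own mail server, added here as an example that is not part of the original post: it parses a bounce (DSN) and reads the Received lines of the returned message. The names `triage_bounce` and `OWN_IPS` and the address `192.0.2.10` are assumptions made for this example; the sample is constructed from the first bounce quoted above.

```python
import re
from email import message_from_string

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
OWN_IPS = {"192.0.2.10"}  # assumption: placeholder, replace with your server's IPs

# Constructed sample, trimmed from the first bounce quoted in the post.
SAMPLE_DSN = """\
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; inbound.sys.gtei.net

Final-Recipient: rfc822; jhecht@gellerco.com
Status: 4.4.6

--b1
Content-Type: text/rfc822-headers

Received: from pc (unknown [200.103.177.151])
 by inbound.sys.gtei.net (Postfix) with SMTP id 0462441ACA

--b1--
"""

def triage_bounce(raw, own_ips=OWN_IPS):
    """Summarise a DSN and report whether the bounced mail passed through own_ips."""
    out, hops = {"reporting_mta": None, "status": None}, []
    for part in message_from_string(raw).walk():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            for block in part.get_payload():  # per-message, then per-recipient headers
                if block.get("Reporting-MTA"):
                    out["reporting_mta"] = block["Reporting-MTA"].split(";")[-1].strip()
                if block.get("Status"):
                    out["status"] = block["Status"].strip()
        elif ctype == "text/rfc822-headers":   # only the headers were returned
            hops = message_from_string(part.get_payload()).get_all("Received", [])
        elif ctype == "message/rfc822":        # the whole message was returned
            hops = part.get_payload(0).get_all("Received", [])
    # Topmost Received was written by the bouncing MTA; lower hops may be forged.
    top = IP_RE.search(hops[0]) if hops else None
    out["handoff_ip"] = top.group(1) if top else None
    seen = [ip for h in hops for ip in IP_RE.findall(h)]
    out["via_own_server"] = any(ip in own_ips for ip in seen) if seen else None
    return out
```

A result of `via_own_server: False` means none of the Received hops in the returned message names your server, so that message was injected elsewhere with your domain as the sender address; `None` means the bounce carried no usable Received lines.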