Weird Chopin Issue

Status
Not open for further replies.

button_man

I got some junk mail from my own domain today, I have no email set up on my domain. Is there any way to protect my system so that no email can be sent without my permission?

Regards
Darren
 

jtwhite

Do you have a script installed which uses PHP mail?
 

adamparkzer

> I got some junk mail from my own domain today, I have no email set up on my domain. Is there any way to protect my system so that no email can be sent without my permission?
>
> Regards
> Darren

It's possible that you were hacked and someone set up an email system on your account.

Could you check and see if there are any email accounts active on your website, and delete them if you don't plan on using them?

Also, check your cron jobs to make sure only crons that you created are listed.
 

button_man

How do I check CRON jobs? I think Wordpress uses mail at some level, but this email came from takuhii.chopin.x10hosting.com...

odd?
 

galaxyAbstractor

It's also possible that it's address spoofing (they set the From field to your email instead of their own). This would make it look like it comes from your domain, but it's sent from somewhere else.

I see you've got Gmail, and I guess it was there you got it. You could go inside the message, click on the message option button (the down arrow at the side of the reply button). Then choose "Show original". Then it will say which server, IP and domain sent it.

I get a lot of spam emails from my own email account even, this is the SPF record of one of those spam emails:
Received-SPF: softfail (google.com: best guess record for domain of transitioning *my email address* does not designate 200.115.138.188 as permitted sender) client-ip=200.115.138.188;

Here we see that the IP is 200.115.138.188, which traces back to Panama. If the IP in your record were the same as your server's, then it would be something on your account; otherwise it's email forgery.
 

button_man

I thought address spoofing, but how do they know I am on CHOPIN? Also, all my site emails are passed through a secure server, i.e. Hushmail.com
 

wild bill

Hey guys, aren't there some email filtering options in cPanel? I remember seeing some user/acct level filtering. It looks as if you could set up a filter using info from the spam email headers.
 

button_man

I'll look into the filters thing, here's the header the email has:

Return-Path: <takuhi@chopin.x10hosting.com>
Received: from smtp9.hushmail.com (smtp9.hushmail.com [65.39.178.164])
    by imap9.hushmail.com (Cyrus v2.2.12-Invoca-RPM-2.2.12-8.1.RHEL4) with LMTPA;
    Mon, 16 Nov 2009 08:56:02 +0000
X-Sieve: CMU Sieve 2.2
Received: from smtp9.hushmail.com (localhost.localdomain [127.0.0.1])
    by smtp9.hushmail.com (Postfix) with SMTP id 4F29D120055
    for <takuhii_40hushmail_2ecom+Inbox@imap9.hushmail.com>; Mon, 16 Nov 2009 08:56:02 +0000 (UTC)
Received: from chopin.x10hosting.com (unknown [216.245.205.66])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by smtp9.hushmail.com (Postfix) with ESMTP
    for <takuhii@hushmail.com>; Mon, 16 Nov 2009 08:55:57 +0000 (UTC)
Received: from takuhi by chopin.x10hosting.com with local (Exim 4.69)
    (envelope-from <takuhi@chopin.x10hosting.com>)
    id 1N9xNM-0007E8-0k
    for takuhii@hushmail.com; Mon, 16 Nov 2009 02:55:56 -0600
To: takuhii@hushmail.com
Subject: DCBOQeZQFCQYFnhpw
Date: Mon, 16 Nov 2009 03:55:56 -0500
From: lkkufhbjkgx <efhyhr@djsuub.com>
Message-ID: <720f866da58c8c2940c97f9d89e7abfa@www.takuhii.co.cc>
X-Priority: 3
X-Mailer: PHPMailer (phpmailer.sourceforge.net) [version 2.0.4]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="UTF-8"
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - chopin.x10hosting.com
X-AntiAbuse: Original Domain - hushmail.com
X-AntiAbuse: Originator/Caller UID/GID - [31926 32003] / [47 12]
X-AntiAbuse: Sender Address Domain - chopin.x10hosting.com
X-Source: /usr/local/cpanel/cgi-sys/php5
X-Source-Dir: takuhii.x10hosting.com:/public_html/takuhii.co.cc/blog
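
The check galaxyAbstractor describes earlier in the thread (is the sending hop your own server or somewhere else?), applied to the headers posted above. This is an added example, not part of the original thread; the function `triage` and its result keys are hypothetical names chosen for illustration.

```python
import re
from email import message_from_string

# Trimmed copy of the headers from the post above (only the fields used below).
RAW = """\
Received: from chopin.x10hosting.com (unknown [216.245.205.66])
 by smtp9.hushmail.com (Postfix) with ESMTP
 for <takuhii@hushmail.com>; Mon, 16 Nov 2009 08:55:57 +0000 (UTC)
Received: from takuhi by chopin.x10hosting.com with local (Exim 4.69)
 (envelope-from <takuhi@chopin.x10hosting.com>)
 id 1N9xNM-0007E8-0k
 for takuhii@hushmail.com; Mon, 16 Nov 2009 02:55:56 -0600
From: lkkufhbjkgx <efhyhr@djsuub.com>
X-Mailer: PHPMailer (phpmailer.sourceforge.net) [version 2.0.4]
X-Source: /usr/local/cpanel/cgi-sys/php5
X-Source-Dir: takuhii.x10hosting.com:/public_html/takuhii.co.cc/blog

"""

LOCAL_HOP = re.compile(r"from (\S+) by (\S+) with local\b")
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def triage(raw, server_host):
    """Decide whether a message was generated on server_host or only claims to be."""
    msg = message_from_string(raw)
    # Unfold each Received header into a single line.
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    local_user = None
    for hop in hops:
        # Exim logs mail handed over by a local process (e.g. a PHP script)
        # as "from <user> by <host> with local"; no remote client connected.
        m = LOCAL_HOP.match(hop)
        if m and m.group(2).lower() == server_host.lower():
            local_user = m.group(1)
    src_dir = msg.get("X-Source-Dir", "")
    return {
        "origin": "local-script" if local_user else "external-or-spoofed",
        "local_user": local_user,
        # IPs of the relays that connected over SMTP, newest hop first.
        "relay_ips": [ip for hop in hops for ip in BRACKET_IP.findall(hop)],
        "mailer": msg.get("X-Mailer"),
        # The value on the page has the form "<account host>:<path>"; keep the path.
        "script_dir": src_dir.split(":", 1)[1] if ":" in src_dir else None,
    }


if __name__ == "__main__":
    for key, value in triage(RAW, "chopin.x10hosting.com").items():
        print(f"{key}: {value}")
```

Only the Received lines added by your own mail provider can be trusted; anything below them is supplied by the sender, so confirm a "local" verdict against the relay IP your provider recorded.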
 

Smith6612

> I thought address spoofing, but how do they know I am on CHOPIN? Also, all my site emails are passed through a secure server, i.e. Hushmail.com

If you left your e-mail public somewhere or you sent the spammer a message via your site, the person probably went through the trouble and connected the dots to spam you from what appeared to be your server. The e-mail headers do show it all, though.

But finding out what server you're on is easy. I can do it via a trace route/nslookup or with some abilities I have here.
 

button_man

Cheers guys, I've applied a CAPTCHA device for now to see if that cuts down the spam.
 