Solved

need help with spam

Posted on 2011-10-11
Last Modified: 2012-05-12
Subject: بٿرٿشٿ ٿرٿشٿ ٿٿٿٿٿٿ
X-PHP-Script: www.------------------------------------------------
From: ٿٿٿٿٿٿٿٿٿاٿ <a@a.com>


Can anyone tell me what the symbols after Subject: and From: mean?
Is this a spoofing attack?

Customer is getting thousands of similar messages per day even after swapping computers. Scanned both machines with different security programs and didn't detect much.
Question by: Brett4567

13 Comments

Expert Comment

by:Paul MacDonald
ID: 36951703
They're almost certainly characters in a non-western character set. In other words, they're probably how your mail reader renders Chinese characters.

Author Comment

by:Brett4567
ID: 36951781
Do you think it's a virus on both of the computers? (Same problem after swapping towers.)

Or could it be spoofing?

Expert Comment

by:Paul MacDonald
ID: 36951838
It could be, but it's not possible to tell without looking at the headers. It's far more likely they're spoofing your return address though.

Author Comment

by:Brett4567
ID: 36952710
Could I send you the headers to have a look at?

Expert Comment

by:mechanicus01
ID: 36953554
E-mail spoofing is e-mail activity in which the sender address and other parts of the e-mail header are altered to appear as though the e-mail originated from a different source. Because core SMTP doesn't provide any authentication, it is easy to impersonate and forge emails.

You should look at the headers and get the Return-Path. Block the return path sender at your security gateway, i.e. Symantec, Barracuda.

Thanks

Expert Comment

by:Paul MacDonald
ID: 36955583
You can post the headers here so we can take a look.  Essentially, you're looking for the first sender in the header:

Received: from mx2.mydomain.com (192.168.48.37) by mx1.mydomain.com
 (192.168.48.36) with Microsoft SMTP Server (TLS) id 14.1.289.1; Wed, 12 Oct
 2011 08:05:21 -0400

Received: from moutng.kundenserver.de (212.227.17.9) by mx2.mydomain.com
 (192.168.48.35) with Microsoft SMTP Server id 14.1.289.1; Wed, 12 Oct 2011
 08:05:20 -0400

Received: from SERVER2 (p578b97d3.dip0.t-ipconnect.de [87.139.151.211]) by
 mrelayeu.kundenserver.de (node=mrbap1) with ESMTP (Nemesis) id
 0MNvyt-1RC3k40kI7-007ZWY; Wed, 12 Oct 2011 14:05:19 +0200

From: Todd Maxwell <todd.maxwell@open-e.com>

In this example, the mail message says it came from open-e.com (the FROM address), but in reality the message was sent from the t-ipconnect.de domain. This doesn't mean the message is spam, but that the return address is different from the server it was sent from. If I were concerned about spam being sent from my domain, this is the first place I would look.

We can see the mail goes from t-ipconnect.de to kundenserver.de, then to mx2.mydomain.com and finally to mx1.mydomain.com for delivery.

Author Comment

by:Brett4567
ID: 36958256
------ This is a copy of the message, including all the headers. ------

Return-path: <sunshin4@cherry.websitewelcome.com>
Received: from sunshin4 by cherry.websitewelcome.com with local (Exim 4.69)
(envelope-from <sunshin4@cherry.websitewelcome.com>)
id 1RDxcT-0007uu-Eg
for drw@hotmail.com; Wed, 12 Oct 2011 07:09:09 -0500
To: drw@hotmail.com
Subject: سٿف تٿٿٿ شرٿة اٿٿٿتٿٿٿ باغٿاٿ حسابٿ ٿرٿباٿ !!
X-PHP-Script: www.sunshinecoastmotorlodge.com.au/TnT.php for 188.49.146.115
From: Windows Live Team <postmaster@windowslivemail.com>
MIME-Version: 1.0
Content-Type: text/html
Message-Id: <E1RDxcT-0007uu-Eg@cherry.websitewelcome.com>
Date: Wed, 12 Oct 2011 07:09:09 -0500

Author Comment

by:Brett4567
ID: 36958268
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  s3odxx@gmail.com
    SMTP error from remote mail server after RCPT TO:<s3odxx@gmail.com>:
    host gmail-smtp-in.l.google.com [74.125.65.26]:
    550 5.2.1 The email account that you tried to reach is disabled. 13si6620605ybn.27

------ This is a copy of the message, including all the headers. ------

Return-path: <sunshin4@cherry.websitewelcome.com>
Received: from sunshin4 by cherry.websitewelcome.com with local (Exim 4.69)
        (envelope-from <sunshin4@cherry.websitewelcome.com>)
        id 1RDxEp-0004zC-BJ
        for s3odxx@gmail.com; Wed, 12 Oct 2011 06:44:43 -0500
To: s3odxx@gmail.com
Subject: Mailer Info
X-PHP-Script: www.sunshinecoastmotorlodge.com.au/TnT.php for 188.49.146.115
From: saudihacker <s3oxx@gmail.com>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id: <E1RDxEp-0004zC-BJ@cherry.websitewelcome.com>
Date: Wed, 12 Oct 2011 06:44:43 -0500
Expert Comment

by:Paul MacDonald
ID: 36958362
The header indicates "cherry.websitewelcome.com" is the machine from where the e-mail originated.

If that's your domain, look at the PHP page here:   www.sunshinecoastmotorlodge.com.au/TnT.php
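The two header-reading steps in the comments above (Paul MacDonald's walk down the Received: chain to the first sender, and his reading of the bounced message's headers as "originated on cherry.websitewelcome.com, sent by the PHP script named in X-PHP-Script") as one runnable script. This is an added example, not code from the thread. The two sample header blocks are quoted verbatim from the comments above; the parsing, the field names and the `analyze` report format are this example's own. It assumes the usual meanings of the fields it reads: every relay prepends its own Received: line, so the bottom-most line is the earliest hop; Exim writes `with local` when it accepted the message from a process on the same host rather than over SMTP; and the `X-PHP-Script: <script> for <ip>` header is the one the hosting stack adds when mail is sent through PHP's mail(), naming the script and the client address that requested it.

```python
"""Unfold a raw header block, walk Received: from first hop to delivery, and
compare where the message entered the mail system with what it claims."""
import re
from email.utils import parseaddr

# Quoted from Paul MacDonald's comment: a message relayed over SMTP.
SAMPLE_RELAYED = """\
Received: from mx2.mydomain.com (192.168.48.37) by mx1.mydomain.com
 (192.168.48.36) with Microsoft SMTP Server (TLS) id 14.1.289.1; Wed, 12 Oct
 2011 08:05:21 -0400
Received: from moutng.kundenserver.de (212.227.17.9) by mx2.mydomain.com
 (192.168.48.35) with Microsoft SMTP Server id 14.1.289.1; Wed, 12 Oct 2011
 08:05:20 -0400
Received: from SERVER2 (p578b97d3.dip0.t-ipconnect.de [87.139.151.211]) by
 mrelayeu.kundenserver.de (node=mrbap1) with ESMTP (Nemesis) id
 0MNvyt-1RC3k40kI7-007ZWY; Wed, 12 Oct 2011 14:05:19 +0200
From: Todd Maxwell <todd.maxwell@open-e.com>
"""

# Quoted from the bounce Brett4567 posted: injected locally by a PHP script.
SAMPLE_PHP = """\
Return-path: <sunshin4@cherry.websitewelcome.com>
Received: from sunshin4 by cherry.websitewelcome.com with local (Exim 4.69)
        (envelope-from <sunshin4@cherry.websitewelcome.com>)
        id 1RDxcT-0007uu-Eg
        for drw@hotmail.com; Wed, 12 Oct 2011 07:09:09 -0500
To: drw@hotmail.com
X-PHP-Script: www.sunshinecoastmotorlodge.com.au/TnT.php for 188.49.146.115
From: Windows Live Team <postmaster@windowslivemail.com>
"""

FOLD = re.compile(r"\r?\n[ \t]+")  # RFC 5322 folded continuation line
RECEIVED = re.compile(r"^from\s+(?P<src>.+?)\s+by\s+(?P<by>\S+)"
                      r"(?:.*?\bwith\s+(?P<proto>\S+))?", re.I | re.S)
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
PHP_SCRIPT = re.compile(r"^(?P<script>\S+)\s+for\s+(?P<ip>\S+)")  # assumed format


def parse_headers(raw):
    """Unfold and return (name, value) pairs in header order, keeping
    duplicates: every relay prepends its own Received: line."""
    pairs = []
    for line in FOLD.sub(" ", raw).splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def hops(pairs):
    """Received: lines in transit order: hops[0] is where the message first
    entered the mail system, hops[-1] the server that delivered it."""
    out = []
    for name, value in reversed(pairs):
        m = RECEIVED.match(value) if name == "received" else None
        if m:
            ip = IPV4.search(m.group("src"))
            out.append({"src": m.group("src"), "by": m.group("by"),
                        "ip": ip.group(1) if ip else None,
                        "proto": (m.group("proto") or "").lower()})
    return out

def domain(addr):
    """Domain of 'Name <user@host>' (or '<user@host>'), else None."""
    _, email = parseaddr(addr)
    return email.rpartition("@")[2].lower() if "@" in email else None

def analyze(raw):
    """Hop chain plus the mismatches a reviewer would flag. These are
    indicators only; a forwarded or list message trips them legitimately."""
    pairs = parse_headers(raw)
    single = dict(reversed(pairs))  # first occurrence of a header wins
    chain = hops(pairs)
    origin = chain[0] if chain else None
    from_dom = domain(single.get("from", ""))
    ret_dom = domain(single.get("return-path", ""))
    php = PHP_SCRIPT.match(single.get("x-php-script", ""))
    findings = []
    if origin and origin["proto"] == "local":
        # Exim "with local": handed in by a process on that host, not via SMTP.
        findings.append("submitted locally on %s by user '%s'"
                        % (origin["by"], origin["src"]))
    if origin and from_dom and from_dom not in (
            origin["src"] + " " + origin["by"]).lower():
        findings.append("From: claims %s but the first hop was %s via %s"
                        % (from_dom, origin["src"], origin["by"]))
    if from_dom and ret_dom and from_dom != ret_dom:
        findings.append("Return-path domain %s differs from From: domain %s"
                        % (ret_dom, from_dom))
    if php:
        findings.append("generated by PHP script %s, requested from %s"
                        % (php.group("script"), php.group("ip")))
    return {"hops": chain, "origin": origin, "from_domain": from_dom,
            "return_path_domain": ret_dom,
            "php_script": php.groupdict() if php else None,
            "findings": findings}
```

`analyze(SAMPLE_RELAYED)` reports the chain mrelayeu.kundenserver.de, mx2.mydomain.com, mx1.mydomain.com with origin IP 87.139.151.211 and a single finding (From: claims open-e.com, first hop was t-ipconnect.de); `analyze(SAMPLE_PHP)` reports one hop, accepted `local` on cherry.websitewelcome.com from user sunshin4, a Return-path that does not match the "Windows Live Team" From:, and the script and requesting address from X-PHP-Script. One caveat when reading real mail this way: only the Received: lines written by servers you control can be trusted; everything below your own MX's line was supplied by the sender and can be fabricated, so start at your server's line and treat what it says it received *from* as the first reliable fact.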
Author Comment

by:Brett4567
ID: 36958538
I clicked on the link and it's asking for a password. The dialog box says something about TNT Hacker.

Could the website be compromised?

We unplugged the computer's network cable last night and there was a burst of spam between 6.44 AM CDT and 7.09 AM CDT, which is night time here.

Our computer was unplugged at this time.

Accepted Solution

by: Paul MacDonald (earned 2000 total points)
ID: 36958549
If that's your web server then yeah, I'd say at a minimum the server has been hacked.  If the server's been compromised, who knows what else has been taken over.  
Author Closing Comment

by:Brett4567
ID: 36958587
superb - thank you
Expert Comment

by:Paul MacDonald
ID: 36958620
No problem and good luck!