need help with spam

Subject: بٿرٿشٿ ٿرٿشٿ ٿٿٿٿٿٿ
X-PHP-Script: www.------------------------------------------------
From: ٿٿٿٿٿٿٿٿٿاٿ <a@a.com>


Can anyone tell me what the symbols after Subject: and From: mean?
Is this a spoofing attack?

Customer is getting thousands of similar messages per day even after swapping computers. Scanned both machines with different security programs and didn't detect much.
Brett4567 asked:
 
Paul MacDonald, Director, Information Systems, commented:
If that's your web server then yeah, I'd say at a minimum the server has been hacked. If the server's been compromised, who knows what else has been taken over.
0
 
Paul MacDonald, Director, Information Systems, commented:
They're almost certainly characters in a non-western character set. In other words, they're probably how your mail reader renders Chinese characters.
0
 
Brett4567 (Author) commented:
Do you think it's a virus on both of the computers? (Same problem after swapping towers.)

Or could it be spoofing?

0

 
Paul MacDonald, Director, Information Systems, commented:
It could be, but it's not possible to tell without looking at the headers.  It's far more likely they're spoofing your return address though.
0
 
Brett4567 (Author) commented:
Could I send you the headers to have a look at?
0
 
mechanicus01 commented:
"E-mail spoofing is e-mail activity in which the sender address and other parts of the e-mail header are altered to appear as though the e-mail originated from a different source. Because core SMTP doesn't provide any authentication, it is easy to impersonate and forge emails."

You should look at the headers and find the Return-Path (the address in the <> brackets). Block the Return-Path sender at your security gateway, e.g. Symantec, Barracuda.

Thanks
0
 
Paul MacDonald, Director, Information Systems, commented:
You can post the headers here so we can take a look.  Essentially, you're looking for the first sender in the header:

Received: from mx2.mydomain.com (192.168.48.37) by mx1.mydomain.com
 (192.168.48.36) with Microsoft SMTP Server (TLS) id 14.1.289.1; Wed, 12 Oct
 2011 08:05:21 -0400

Received: from moutng.kundenserver.de (212.227.17.9) by mx2.mydomain.com
 (192.168.48.35) with Microsoft SMTP Server id 14.1.289.1; Wed, 12 Oct 2011
 08:05:20 -0400

Received: from SERVER2 (p578b97d3.dip0.t-ipconnect.de [87.139.151.211]) by
 mrelayeu.kundenserver.de (node=mrbap1) with ESMTP (Nemesis) id
 0MNvyt-1RC3k40kI7-007ZWY; Wed, 12 Oct 2011 14:05:19 +0200

From: Todd Maxwell <todd.maxwell@open-e.com>

In this example, the mail message says it came from open-e.com (the From address), but in reality the message was sent from the t-ipconnect.de domain. This doesn't mean the message is spam, but that the return address is different from the server it was sent from. If I were concerned about spam being sent from my domain, this is the first place I would look.

We can see the mail goes from t-ipconnect.de to kundenserver.de, then to mx2.mydomain.com and finally to mx1.mydomain.com for delivery.
0
 
Brett4567 (Author) commented:
------ This is a copy of the message, including all the headers. ------

Return-path: <sunshin4@cherry.websitewelcome.com>
Received: from sunshin4 by cherry.websitewelcome.com with local (Exim 4.69)
(envelope-from <sunshin4@cherry.websitewelcome.com>)
id 1RDxcT-0007uu-Eg
for drw@hotmail.com; Wed, 12 Oct 2011 07:09:09 -0500
To: drw@hotmail.com
Subject: سٿف تٿٿٿ شرٿة اٿٿٿتٿٿٿ باغٿاٿ حسابٿ ٿرٿباٿ !!
X-PHP-Script: www.sunshinecoastmotorlodge.com.au/TnT.php for 188.49.146.115
From: Windows Live Team <postmaster@windowslivemail.com>
MIME-Version: 1.0
Content-Type: text/html
Message-Id: <E1RDxcT-0007uu-Eg@cherry.websitewelcome.com>
Date: Wed, 12 Oct 2011 07:09:09 -0500

0
 
Brett4567 (Author) commented:
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  s3odxx@gmail.com
    SMTP error from remote mail server after RCPT TO:<s3odxx@gmail.com>:
    host gmail-smtp-in.l.google.com [74.125.65.26]:
    550 5.2.1 The email account that you tried to reach is disabled. 13si6620605ybn.27

------ This is a copy of the message, including all the headers. ------

Return-path: <sunshin4@cherry.websitewelcome.com>
Received: from sunshin4 by cherry.websitewelcome.com with local (Exim 4.69)
        (envelope-from <sunshin4@cherry.websitewelcome.com>)
        id 1RDxEp-0004zC-BJ
        for s3odxx@gmail.com; Wed, 12 Oct 2011 06:44:43 -0500
To: s3odxx@gmail.com
Subject: Mailer Info
X-PHP-Script: www.sunshinecoastmotorlodge.com.au/TnT.php for 188.49.146.115
From: saudihacker <s3oxx@gmail.com>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id: <E1RDxEp-0004zC-BJ@cherry.websitewelcome.com>
Date: Wed, 12 Oct 2011 06:44:43 -0500
0
 
Paul MacDonald, Director, Information Systems, commented:
The header indicates "cherry.websitewelcome.com" is the machine from where the e-mail originated.

If that's your domain, look at the PHP page here:   www.sunshinecoastmotorlodge.com.au/TnT.php
0
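The header walk Paul describes above (find the earliest Received: line, compare the host that injected the message with the From: domain) and the X-PHP-Script: check from his later reply, written out as an added example; this is not code from the original thread. It parses the two sets of headers posted in this thread (embedded verbatim as sample input) with Python's standard email module, lists the Received: hops in the order the message actually travelled, and reports the signs discussed: a From: domain that differs from the originating host, a message injected locally on the server (Exim's "with local"), and an X-PHP-Script: header naming the web script that sent it. The hop-parsing regex, the function names and the wording of the findings are my own; the reading of the address after "for" in X-PHP-Script: as the web client that invoked the script is an assumption based on the common PHP mail-header patch, not something the thread states.

```python
"""Walk a message's Received: chain earliest-hop-first and flag the signs
discussed in this thread.  Added example, not code from the original thread."""
import re
from email import message_from_string
from email.utils import parseaddr

# Sample input: the headers posted in this thread (Paul's open-e.com example
# and the bounce the asker pasted), headers only, copied verbatim.
PAUL_EXAMPLE = """\
Received: from mx2.mydomain.com (192.168.48.37) by mx1.mydomain.com
 (192.168.48.36) with Microsoft SMTP Server (TLS) id 14.1.289.1; Wed, 12 Oct
 2011 08:05:21 -0400
Received: from moutng.kundenserver.de (212.227.17.9) by mx2.mydomain.com
 (192.168.48.35) with Microsoft SMTP Server id 14.1.289.1; Wed, 12 Oct 2011
 08:05:20 -0400
Received: from SERVER2 (p578b97d3.dip0.t-ipconnect.de [87.139.151.211]) by
 mrelayeu.kundenserver.de (node=mrbap1) with ESMTP (Nemesis) id
 0MNvyt-1RC3k40kI7-007ZWY; Wed, 12 Oct 2011 14:05:19 +0200
From: Todd Maxwell <todd.maxwell@open-e.com>
"""

BOUNCED_SPAM = """\
Return-path: <sunshin4@cherry.websitewelcome.com>
Received: from sunshin4 by cherry.websitewelcome.com with local (Exim 4.69)
        (envelope-from <sunshin4@cherry.websitewelcome.com>)
        id 1RDxcT-0007uu-Eg
        for drw@hotmail.com; Wed, 12 Oct 2011 07:09:09 -0500
To: drw@hotmail.com
X-PHP-Script: www.sunshinecoastmotorlodge.com.au/TnT.php for 188.49.146.115
From: Windows Live Team <postmaster@windowslivemail.com>
Message-Id: <E1RDxcT-0007uu-Eg@cherry.websitewelcome.com>
Date: Wed, 12 Oct 2011 07:09:09 -0500
"""

# One Received: clause: "from <claimed> (<what the receiver saw>) by <host> with <proto> ..."
RECEIVED_RE = re.compile(
    r"^from\s+(?P<claimed>\S+)"          # name the sender announced (HELO) or local user
    r"(?:\s+\((?P<detail>[^)]*)\))?"     # receiver's view: reverse DNS and/or [IP]
    r".*?\bby\s+(?P<by>\S+)"             # host that wrote this Received: line
    r"(?:.*?\bwith\s+(?P<with>\S+))?",   # protocol: ESMTP, local, ...
    re.IGNORECASE)
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def received_hops(raw: str):
    """Return the Received: hops in transit order, earliest (origin) first."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        text = re.sub(r"\s+", " ", str(value)).strip()   # unfold continuation lines
        m = RECEIVED_RE.match(text)
        if not m:
            continue
        detail = m.group("detail") or ""
        ip = IP_RE.search(detail)
        rdns = next((t for t in detail.split()
                     if not t.startswith("[") and not IP_RE.fullmatch(t)), None)
        hops.append({"claimed": m.group("claimed"), "rdns": rdns,
                     "ip": ip.group(1) if ip else None, "by": m.group("by"),
                     "with": (m.group("with") or "").lower()})
    hops.reverse()   # each relay prepends its line, so the last one is the first hop
    return hops


def analyze(raw: str):
    """Summarise who really injected the message and list the warning signs."""
    msg = message_from_string(raw)
    hops = received_hops(raw)
    origin = hops[0] if hops else None
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return_path = parseaddr(msg.get("Return-Path", ""))[1].lower()   # what a gateway block would key on
    php_script = (msg.get("X-PHP-Script") or "").strip()
    findings = []
    if origin:
        first_host = origin["rdns"] or origin["ip"] or origin["claimed"]
        if origin["with"] == "local":
            # Exim "with local": handed in by a process on the receiving host itself,
            # not over the network, so that host is where the message was generated.
            first_host = origin["by"]
            findings.append(f"generated locally on {origin['by']} by user {origin['claimed']}")
        if from_domain and not first_host.lower().endswith(from_domain):
            findings.append(f"From: domain {from_domain} does not match the first hop {first_host}")
    if php_script:
        # Format "script for IP" (assumption: the PHP mail-header patch used by many
        # shared hosts); the IP is the web client that invoked the script.
        findings.append(f"sent by web script {php_script.split()[0]}")
    return {"origin": origin, "from_domain": from_domain, "return_path": return_path,
            "php_script": php_script, "findings": findings}


if __name__ == "__main__":
    for name, raw in (("Paul's example", PAUL_EXAMPLE), ("bounced spam", BOUNCED_SPAM)):
        result = analyze(raw)
        print(name, "hops:", [h["by"] for h in received_hops(raw)])
        for finding in result["findings"]:
            print("  -", finding)
```

Run against the bounce, the origin hop comes out as a local submission on cherry.websitewelcome.com by the account user sunshin4, with X-PHP-Script: pointing at TnT.php; that is the same conclusion Paul reaches above, and Return-Path gives the envelope sender mechanicus01 suggests blocking at the gateway.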
 
Brett4567 (Author) commented:
I clicked on the link and it's asking for a password. The dialog box says something about TNT Hacker.

Could the website be compromised?


We unplugged the computer's network cable last night and there was a burst of spam between 6:44 AM CDT and 7:09 AM CDT, which is night time here.

Our computer was unplugged at this time.
0
 
Brett4567 (Author) commented:
Superb, thank you.
0
 
Paul MacDonald, Director, Information Systems, commented:
No problem and good luck!
0
Question has a verified solution.
