What is this and where is it coming from?
Question asked by Francis Gibbons - March 18, 2016 at 1:54 PM
Unanswered
Hello All,
 
I don't get it lately with my mail on my server. I am running SM 9.x on a Windows 2008. I have noticed a ton of email in my spool from two domains now. It started with one; now it's two domains.
 
I had the client scan their one system with Malwarebytes to see if they have a virus/malware. She said she would get back to me on the other; still waiting to hear. But more or less I am getting like 20,000 emails from them in my system and I can't tell if they are sending it out or if someone is just sending random emails to this domain. Below is an example of the two domains in my spool. I also changed the user name password to a 20-char password for the Salon domain, but that didn't seem to stop it either. My server isn't an open relay either, so I don't know what else to do. Can someone please help me figure out where this is coming from and how I can stop it?
 
Header for Domain salonbotaniqueecochic
 
None of these users exist; they are all made up!
 
Return-Path: <faye_gomez@salonbotaniqueecochic.com>
Received: from 369473-www2 (369473-www2 [127.0.0.1]) by 369473-www2.gdisinc. with SMTP;
   Fri, 18 Mar 2016 16:45:18 -0400
Subject: For stone-stiff hard-ons
To: nksica@yahoo.com
X-PHP-Originating-Script: 0:code.php(1953) : eval()'d code
Date: Fri, 18 Mar 2016 16:45:18 -0400
From: Faye Gomez <faye_gomez@salonbotaniqueecochic.com>
Message-ID: <85a7ed7b84b87c546c0558910b2ad850@salonbotaniqueecochic.com>
X-Priority: 3
X-Mailer: PHPMailer 5.2.9
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="b1_85a7ed7b84b87c546c0558910b2ad850"
Content-Transfer-Encoding: 8bit
 
Here is the Delivery Log Report for the above fake user:
faye_gomez@salonbotaniqueecochic.com
 
16:45:21 [56847] Delivery started for faye_gomez@salonbotaniqueecochic.com at 4:45:21 PM
16:45:21 [56848] Delivery started for faye_gomez@salonbotaniqueecochic.com at 4:45:21 PM
16:45:21 [56860] Delivery started for faye_gomez@salonbotaniqueecochic.com at 4:45:21 PM
16:45:21 [56854] Delivery started for faye_gomez@salonbotaniqueecochic.com at 4:45:21 PM
16:45:21 [56845] Delivery started for faye_gomez@salonbotaniqueecochic.com at 4:45:21 PM
16:45:21 [56856] Delivery started for faye_gomez@salonbotaniqueecochic.com at 4:45:21 PM
16:45:21 [56857] Delivery started for faye_gomez@salonbotaniqueecochic.com at 4:45:21 PM
16:45:21 [56862] Delivery started for faye_gomez@salonbotaniqueecochic.com at 4:45:21 PM
16:45:21 [56863] Delivery started for faye_gomez@salonbotaniqueecochic.com at 4:45:21 PM
16:45:21 [56855] Delivery started for faye_gomez@salonbotaniqueecochic.com at 4:45:21 PM
16:45:48 [56863] Skipping spam checks: No local recipients
16:45:48 [56855] Skipping spam checks: No local recipients
16:45:48 [56862] Skipping spam checks: No local recipients
16:45:48 [56857] Skipping spam checks: No local recipients
16:45:48 [56856] Skipping spam checks: No local recipients
16:45:48 [56845] Skipping spam checks: No local recipients
16:45:48 [56854] Skipping spam checks: No local recipients
16:45:48 [56860] Skipping spam checks: No local recipients
16:45:48 [56848] Skipping spam checks: No local recipients
16:45:48 [56847] Skipping spam checks: No local recipients
16:45:51 [56855] Sending remote mail for faye_gomez@salonbotaniqueecochic.com
16:45:51 [56863] Sending remote mail for faye_gomez@salonbotaniqueecochic.com
16:45:51 [56862] Sending remote mail for faye_gomez@salonbotaniqueecochic.com
16:45:51 [56855] Initiating connection to 63.250.192.45
16:45:51 [56855] Connecting to 63.250.192.45:25 (Id: 1)
16:45:51 [56855] Binding to local IP 174.143.136.101:0 (Id: 1)
16:45:51 [56857] Sending remote mail for faye_gomez@salonbotaniqueecochic.com
16:45:51 [56862] Initiating connection to 64.233.180.26
16:45:51 [56862] Connecting to 64.233.180.26:25 (Id: 1)
16:45:51 [56862] Binding to local IP 174.143.136.101:0 (Id: 1)
16:45:51 [56856] Sending remote mail for faye_gomez@salonbotaniqueecochic.com
16:45:51 [56863] Initiating connection to 152.163.0.99
16:45:51 [56863] Connecting to 152.163.0.99:25 (Id: 1)
16:45:51 [56863] Binding to local IP 174.143.136.101:0 (Id: 1)
16:45:51 [56845] Sending remote mail for faye_gomez@salonbotaniqueecochic.com
16:45:51 [56862] Connection to 64.233.180.26:25 from 174.143.136.101:50982 succeeded (Id: 1)
16:45:51 [56854] Sending remote mail for faye_gomez@salonbotaniqueecochic.com
16:45:51 [56857] Initiating connection to 65.54.188.126
16:45:51 [56857] Connecting to 65.54.188.126:25 (Id: 1)
16:45:51 [56857] Binding to local IP 174.143.136.101:0 (Id: 1)
16:45:51 [56863] Connection to 152.163.0.99:25 from 174.143.136.101:50983 succeeded (Id: 1)
16:45:51 [56855] Connection to 63.250.192.45:25 from 174.143.136.101:50981 succeeded (Id: 1)
16:45:52 [56856] Initiating connection to 65.55.92.136
16:45:52 [56856] Connecting to 65.55.92.136:25 (Id: 1)
16:45:52 [56856] Binding to local IP 174.143.136.101:0 (Id: 1)
16:45:52 [56860] Sending remote mail for faye_gomez@salonbotaniqueecochic.com
16:45:52 [56845] Initiating connection to 98.136.216.25
16:45:52 [56845] Connecting to 98.136.216.25:25 (Id: 1)
16:45:52 [56845] Binding to local IP 174.143.136.101:0 (Id: 1)
16:45:52 [56848] Sending remote mail for faye_gomez@salonbotaniqueecochic.com
16:45:52 [56856] Connection to 65.55.92.136:25 from 174.143.136.101:50987 succeeded (Id: 1)
16:45:52 [56862] RSP: 220 mx.google.com ESMTP v4si3231150oer.61 - gsmtp
16:45:52 [56862] CMD: EHLO 369473-www2.gdisinc.com
16:45:52 [56847] Sending remote mail for faye_gomez@salonbotaniqueecochic.com
16:45:52 [56854] Initiating connection to 64.233.168.27
16:45:52 [56854] Connecting to 64.233.168.27:25 (Id: 1)
16:45:52 [56854] Binding to local IP 174.143.136.101:0 (Id: 1)
16:45:52 [56856] RSP: 220 SNT004-MC1F38.hotmail.com Sending unsolicited commercial or bulk e-mail to Microsoft's computer network is prohibited. Other restrictions are found at http://privacy.microsoft.com/en-us/anti-spam.mspx. Fri, 18 Mar 2016 13:45:51 -0700 
16:45:52 [56856] CMD: EHLO 369473-www2.gdisinc.com
16:45:52 [56854] Connection to 64.233.168.27:25 from 174.143.136.101:50990 succeeded (Id: 1)
16:45:52 [56857] Connection to 65.54.188.126:25 from 174.143.136.101:50986 succeeded (Id: 1)
16:45:52 [56855] RSP: 220 mta1544.mail.gq1.yahoo.com ESMTP ready
16:45:52 [56855] CMD: EHLO 369473-www2.gdisinc.com
16:45:52 [56862] RSP: 250-mx.google.com at your service, [174.143.136.101]
16:45:52 [56862] RSP: 250-SIZE 35882577
16:45:52 [56862] RSP: 250-8BITMIME
16:45:52 [56862] RSP: 250-STARTTLS
16:45:52 [56862] RSP: 250-ENHANCEDSTATUSCODES
16:45:52 [56862] RSP: 250-PIPELINING
16:45:52 [56862] RSP: 250-CHUNKING
16:45:52 [56862] RSP: 250 SMTPUTF8
16:45:52 [56862] CMD: MAIL FROM:<faye_gomez@salonbotaniqueecochic.com> SIZE=1227
16:45:52 [56845] Connection to 98.136.216.25:25 from 174.143.136.101:50988 succeeded (Id: 1)
16:45:52 [56860] Initiating connection to 152.163.0.100
16:45:52 [56860] Connecting to 152.163.0.100:25 (Id: 1)
16:45:52 [56860] Binding to local IP 174.143.136.101:0 (Id: 1)
16:45:52 [56856] RSP: 250-SNT004-MC1F38.hotmail.com (3.21.0.230) Hello [174.143.136.101]
16:45:52 [56856] RSP: 250-SIZE 36909875
16:45:52 [56856] RSP: 250-PIPELINING
16:45:52 [56856] RSP: 250-8bitmime
16:45:52 [56856] RSP: 250-BINARYMIME
16:45:52 [56856] RSP: 250-CHUNKING
16:45:52 [56856] RSP: 250-STARTTLS
16:45:52 [56856] RSP: 250-AUTH LOGIN
16:45:52 [56856] RSP: 250-AUTH=LOGIN
16:45:52 [56856] RSP: 250 OK
16:45:52 [56856] CMD: MAIL FROM:<faye_gomez@salonbotaniqueecochic.com> SIZE=1243
16:45:52 [56854] RSP: 220 mx.google.com ESMTP g190si10325171oic.82 - gsmtp
16:45:52 [56854] CMD: EHLO 369473-www2.gdisinc.com
16:45:52 [56848] Initiating connection to 64.233.179.26
16:45:52 [56848] Connecting to 64.233.179.26:25 (Id: 1)
16:45:52 [56848] Binding to local IP 174.143.136.101:0 (Id: 1)
16:45:52 [56847] Initiating connection to 173.194.201.27
16:45:52 [56847] Connecting to 173.194.201.27:25 (Id: 1)
16:45:52 [56847] Binding to local IP 174.143.136.101:0 (Id: 1)
16:45:52 [56863] RSP: 421 mtaig-aae02.mx.aol.com Service unavailable - try again later
16:45:52 [56863] CMD: QUIT
16:45:52 [56862] RSP: 250 2.1.0 OK v4si3231150oer.61 - gsmtp
16:45:52 [56862] CMD: RCPT TO:<nkrivena@gmail.com>
16:45:52 [56848] Connection to 64.233.179.26:25 from 174.143.136.101:50995 succeeded (Id: 1)
16:45:52 [56847] Connection to 173.194.201.27:25 from 174.143.136.101:50996 succeeded (Id: 1)
16:45:52 [56860] Connection to 152.163.0.100:25 from 174.143.136.101:50992 succeeded (Id: 1)
16:45:52 [56856] RSP: 421 RP-001 (SNT004-MC1F38) Unfortunately, some messages from 174.143.136.101 weren't sent. Please try again. We have limits for how many messages can be sent per hour and per day. You can also refer to http://mail.live.com/mail/troubleshooting.aspx#errors.
16:45:52 [56856] CMD: QUIT
16:45:52 [56854] RSP: 250-mx.google.com at your service, [174.143.136.101]
16:45:52 [56854] RSP: 250-SIZE 35882577
16:45:52 [56854] RSP: 250-8BITMIME
16:45:52 [56854] RSP: 250-STARTTLS
16:45:52 [56857] RSP: 220 BAY004-MC4F56.hotmail.com Sending unsolicited commercial or bulk e-mail to Microsoft's computer network is prohibited. Other restrictions are found at http://privacy.microsoft.com/en-us/anti-spam.mspx. Fri, 18 Mar 2016 13:45:52 -0700 
16:45:52 [56854] RSP: 250-ENHANCEDSTATUSCODES
16:45:52 [56854] RSP: 250-PIPELINING
16:45:52 [56854] RSP: 250-CHUNKING
16:45:52 [56857] CMD: EHLO 369473-www2.gdisinc.com
16:45:52 [56854] RSP: 250 SMTPUTF8
16:45:52 [56854] CMD: MAIL FROM:<faye_gomez@salonbotaniqueecochic.com> SIZE=1229
16:45:52 [56848] RSP: 220 mx.google.com ESMTP z85si10302685oia.86 - gsmtp
16:45:52 [56845] RSP: 220 mta1176.mail.gq1.yahoo.com ESMTP ready
16:45:52 [56848] CMD: EHLO 369473-www2.gdisinc.com
16:45:52 [56845] CMD: EHLO 369473-www2.gdisinc.com
16:45:52 [56847] RSP: 220 mx.google.com ESMTP s62si10314589oie.136 - gsmtp
16:45:52 [56847] CMD: EHLO 369473-www2.gdisinc.com
16:45:52 [56855] RSP: 250-mta1544.mail.gq1.yahoo.com
16:45:52 [56855] RSP: 250-PIPELINING
16:45:52 [56855] RSP: 250-SIZE 41943040
16:45:52 [56855] RSP: 250-8BITMIME
16:45:52 [56855] RSP: 250 STARTTLS
16:45:52 [56855] CMD: MAIL FROM:<faye_gomez@salonbotaniqueecochic.com> SIZE=1274
16:45:52 [56854] RSP: 250 2.1.0 OK g190si10325171oic.82 - gsmtp
16:45:52 [56854] CMD: RCPT TO:<nksdaniel57@gmail.com>
16:45:52 [56857] RSP: 250-BAY004-MC4F56.hotmail.com (3.21.0.230) Hello [174.143.136.101]
16:45:52 [56857] RSP: 250-SIZE 36909875
16:45:52 [56857] RSP: 250-PIPELINING
16:45:52 [56857] RSP: 250-8bitmime
16:45:52 [56857] RSP: 250-BINARYMIME
16:45:52 [56857] RSP: 250-CHUNKING
16:45:52 [56857] RSP: 250-STARTTLS
16:45:52 [56857] RSP: 250-AUTH LOGIN
16:45:52 [56857] RSP: 250-AUTH=LOGIN
16:45:52 [56857] RSP: 250 OK
16:45:52 [56857] CMD: MAIL FROM:<faye_gomez@salonbotaniqueecochic.com> SIZE=1202
16:45:52 [56845] RSP: 250-mta1176.mail.gq1.yahoo.com
16:45:52 [56845] RSP: 250-PIPELINING
16:45:52 [56845] RSP: 250-SIZE 41943040
16:45:52 [56845] RSP: 250-8BITMIME
16:45:52 [56845] RSP: 250 STARTTLS
16:45:52 [56845] CMD: MAIL FROM:<faye_gomez@salonbotaniqueecochic.com> SIZE=1192
16:45:52 [56847] RSP: 250-mx.google.com at your service, [174.143.136.101]
16:45:52 [56847] RSP: 250-SIZE 35882577
16:45:52 [56847] RSP: 250-8BITMIME
16:45:52 [56847] RSP: 250-STARTTLS
16:45:52 [56847] RSP: 250-ENHANCEDSTATUSCODES
16:45:52 [56847] RSP: 250-PIPELINING
16:45:52 [56847] RSP: 250-CHUNKING
16:45:52 [56847] RSP: 250 SMTPUTF8
16:45:52 [56847] CMD: MAIL FROM:<faye_gomez@salonbotaniqueecochic.com> SIZE=1248
16:45:52 [56848] RSP: 250-mx.google.com at your service, [174.143.136.101]
16:45:52 [56848] RSP: 250-SIZE 35882577
16:45:52 [56848] RSP: 250-8BITMIME
16:45:52 [56848] RSP: 250-STARTTLS
16:45:52 [56848] RSP: 250-ENHANCEDSTATUSCODES
16:45:52 [56848] RSP: 250-PIPELINING
16:45:52 [56848] RSP: 250-CHUNKING
16:45:52 [56848] RSP: 250 SMTPUTF8
16:45:52 [56848] CMD: MAIL FROM:<faye_gomez@salonbotaniqueecochic.com> SIZE=1240
16:45:52 [56855] RSP: 421 4.7.1 [TS03] All messages from 174.143.136.101 will be permanently deferred; Retrying will NOT succeed. See https://help.yahoo.com/kb/postmaster/SLN3436.html
16:45:52 [56855] CMD: QUIT
16:45:52 [56848] RSP: 250 2.1.0 OK z85si10302685oia.86 - gsmtp
16:45:52 [56847] RSP: 250 2.1.0 OK s62si10314589oie.136 - gsmtp
16:45:52 [56848] CMD: RCPT TO:<nkraskoff@gmail.com>
16:45:52 [56847] CMD: RCPT TO:<nkswr1953pgn@gmail.com>
16:45:52 [56857] RSP: 421 RP-001 (BAY004-MC4F56) Unfortunately, some messages from 174.143.136.101 weren't sent. Please try again. We have limits for how many messages can be sent per hour and per day. You can also refer to http://mail.live.com/mail/troubleshooting.aspx#errors.
16:45:52 [56857] CMD: QUIT
16:45:52 [56845] RSP: 421 4.7.1 [TS03] All messages from 174.143.136.101 will be permanently deferred; Retrying will NOT succeed. See https://help.yahoo.com/kb/postmaster/SLN3436.html
16:45:52 [56845] CMD: QUIT
16:45:52 [56862] RSP: 250 2.1.5 OK v4si3231150oer.61 - gsmtp
16:45:52 [56862] CMD: DATA
16:45:52 [56862] RSP: 354  Go ahead v4si3231150oer.61 - gsmtp
16:45:52 [56862] RSP: 250 2.0.0 OK 1458333952 v4si3231150oer.61 - gsmtp
16:45:52 [56862] CMD: QUIT
16:45:52 [56847] RSP: 250 2.1.5 OK s62si10314589oie.136 - gsmtp
16:45:52 [56847] CMD: DATA
16:45:52 [56854] RSP: 250 2.1.5 OK g190si10325171oic.82 - gsmtp
16:45:52 [56854] CMD: DATA
16:45:52 [56847] RSP: 354  Go ahead s62si10314589oie.136 - gsmtp
16:45:52 [56862] RSP: 221 2.0.0 closing connection v4si3231150oer.61 - gsmtp
16:45:52 [56862] Delivery for faye_gomez@salonbotaniqueecochic.com to nkrivena@gmail.com has completed (Delivered)
16:45:52 [56854] RSP: 354  Go ahead g190si10325171oic.82 - gsmtp
16:45:52 [56848] RSP: 250 2.1.5 OK z85si10302685oia.86 - gsmtp
16:45:52 [56848] CMD: DATA
16:45:52 [56848] RSP: 354  Go ahead z85si10302685oia.86 - gsmtp
16:45:52 [56847] RSP: 550-5.7.1 [174.143.136.101      18] Our system has detected that this message is
16:45:52 [56847] RSP: 550-5.7.1 likely suspicious due to the very low reputation of the sending IP
16:45:52 [56847] RSP: 550-5.7.1 address. To best protect our users from spam, the message has been
16:45:52 [56847] RSP: 550-5.7.1 blocked. Please visit
16:45:52 [56847] RSP: 550 5.7.1  https://support.google.com/mail/answer/188131 for more information. s62si10314589oie.136 - gsmtp
16:45:52 [56847] CMD: QUIT
16:45:52 [56854] RSP: 550-5.7.1 [174.143.136.101      18] Our system has detected that this message is
16:45:52 [56854] RSP: 550-5.7.1 likely suspicious due to the very low reputation of the sending IP
16:45:52 [56854] RSP: 550-5.7.1 address. To best protect our users from spam, the message has been
16:45:52 [56854] RSP: 550-5.7.1 blocked. Please visit
16:45:52 [56854] RSP: 550 5.7.1  https://support.google.com/mail/answer/188131 for more information. g190si10325171oic.82 - gsmtp
16:45:52 [56854] CMD: QUIT
16:45:52 [56848] RSP: 250 2.0.0 OK 1458333952 z85si10302685oia.86 - gsmtp
16:45:52 [56848] CMD: QUIT
16:45:52 [56848] RSP: 221 2.0.0 closing connection z85si10302685oia.86 - gsmtp
16:45:52 [56848] Delivery for faye_gomez@salonbotaniqueecochic.com to nkraskoff@gmail.com has completed (Delivered)
16:45:53 [56860] RSP: 421 mtaig-aah01.mx.aol.com Service unavailable - try again later
16:45:53 [56860] CMD: QUIT
16:45:55 [56862] Delivery finished for faye_gomez@salonbotaniqueecochic.com at 4:45:55 PM    [id:139456862]
16:45:55 [56848] Delivery finished for faye_gomez@salonbotaniqueecochic.com at 4:45:55 PM    [id:139456848]
16:45:57 [56847] Bounce email written to 139456868.eml
16:45:57 [56847] Delivery for faye_gomez@salonbotaniqueecochic.com to nkswr1953pgn@gmail.com has completed (Bounced)
16:45:57 [56854] Bounce email written to 139456869.eml
16:45:57 [56854] Delivery for faye_gomez@salonbotaniqueecochic.com to nksdaniel57@gmail.com has completed (Bounced)
16:45:58 [56868] Delivery started for  at 4:45:58 PM
16:45:58 [56869] Delivery started for  at 4:45:58 PM
16:45:58 [56854] Delivery finished for faye_gomez@salonbotaniqueecochic.com at 4:45:58 PM    [id:139456854]
16:45:58 [56847] Delivery finished for faye_gomez@salonbotaniqueecochic.com at 4:45:58 PM    [id:139456847]
16:46:25 [56869] Error checking SPF Record: Spf check failed due to null sender's ip
16:46:25 [56868] Error checking SPF Record: Spf check failed due to null sender's ip
16:46:25 [56868] Spam check results: [_REVERSEDNSLOOKUP: passed], [_DK: None], [_DKIM: None], [BARRACUDA - BRBL: passed], [FIVE-TEN: passed], [HOSTKARMA - BLACKLIST: passed], [HOSTKARMA - BROWNLIST: passed], [HOSTKARMA - WHITELIST: passed], [MAILSPIKE Z: passed], [NOABUSE: passed], [NOPOSTMASTER: passed], [RHSBL: passed], [SORBS - ABUSE: passed], [SORBS - DYNAMIC IP: passed], [SORBS - PROXY: passed], [SORBS - SOCKS: passed], [SORBS 02 - HTTP: passed], [SORBS 03 - SOCKS: passed], [SORBS 04 - MISC: passed], [SORBS 05 - SMTP: passed], [SORBS 06 - RECENT: passed], [SORBS 07 - WEB: passed], [SORBS 09 - BLOCK: passed], [SORBS 09 - ZOMBIE: passed], [SORBS 10 - DYNAMIC IP: passed], [SORBS 11 - BAD CONFIG: passed], [SORBS 12 - NOAAIL: passed], [SORBS 13 - NO SERVER: passed], [SPAMCOP: passed], [SPAMHAUS - PBL 1: passed], [SPAMHAUS - PBL 2: passed], [SPAMHAUS - SBL 1: passed], [SPAMHAUS - SBL 2: passed], [SPAMHAUS - XBL 1: passed], [SPAMHAUS - XBL 2: passed], [SPAMHAUS - XBL 3: passed], [SPAMHAUS - XBL 4: passed], [SPAMHAUS - ZEN: passed], [SPAMRATS: passed], [SURBL ??? ABUSE BUSTER: passed], [SURBL - SEM-URIRED: passed], [UCEPROTECT LEVEL 1: passed], [UCEPROTECT LEVEL 2: passed], [UCEPROTECT LEVEL 3: passed], [URIBL - SEM-URIBL: passed], [VIRUS RBL - MSRBL: passed]
16:46:25 [56869] Spam check results: [_REVERSEDNSLOOKUP: passed], [_DK: None], [_DKIM: None], [BARRACUDA - BRBL: passed], [FIVE-TEN: passed], [HOSTKARMA - BLACKLIST: passed], [HOSTKARMA - BROWNLIST: passed], [HOSTKARMA - WHITELIST: passed], [MAILSPIKE Z: passed], [NOABUSE: passed], [NOPOSTMASTER: passed], [RHSBL: passed], [SORBS - ABUSE: passed], [SORBS - DYNAMIC IP: passed], [SORBS - PROXY: passed], [SORBS - SOCKS: passed], [SORBS 02 - HTTP: passed], [SORBS 03 - SOCKS: passed], [SORBS 04 - MISC: passed], [SORBS 05 - SMTP: passed], [SORBS 06 - RECENT: passed], [SORBS 07 - WEB: passed], [SORBS 09 - BLOCK: passed], [SORBS 09 - ZOMBIE: passed], [SORBS 10 - DYNAMIC IP: passed], [SORBS 11 - BAD CONFIG: passed], [SORBS 12 - NOAAIL: passed], [SORBS 13 - NO SERVER: passed], [SPAMCOP: passed], [SPAMHAUS - PBL 1: passed], [SPAMHAUS - PBL 2: passed], [SPAMHAUS - SBL 1: passed], [SPAMHAUS - SBL 2: passed], [SPAMHAUS - XBL 1: passed], [SPAMHAUS - XBL 2: passed], [SPAMHAUS - XBL 3: passed], [SPAMHAUS - XBL 4: passed], [SPAMHAUS - ZEN: passed], [SPAMRATS: passed], [SURBL ??? ABUSE BUSTER: passed], [SURBL - SEM-URIRED: passed], [UCEPROTECT LEVEL 1: passed], [UCEPROTECT LEVEL 2: passed], [UCEPROTECT LEVEL 3: passed], [URIBL - SEM-URIBL: passed], [VIRUS RBL - MSRBL: passed]
16:46:28 [56869] Starting local delivery to faye_gomez@salonbotaniqueecochic.com
16:46:28 [56869] Delivery for  to faye_gomez@salonbotaniqueecochic.com has completed (Bounced)
16:46:28 [56869] Delivery for  to faye_gomez@salonbotaniqueecochic.com has completed (Bounced)
16:46:28 [56869] Delivery finished for  at 4:46:28 PM    [id:139456869]
16:46:28 [56868] Starting local delivery to faye_gomez@salonbotaniqueecochic.com
16:46:28 [56868] Delivery for  to faye_gomez@salonbotaniqueecochic.com has completed (Bounced)
16:46:28 [56868] Delivery for  to faye_gomez@salonbotaniqueecochic.com has completed (Bounced)
16:46:28 [56868] Delivery finished for  at 4:46:28 PM    [id:139456868]
16:55:27 [56855] Delivery finished for faye_gomez@salonbotaniqueecochic.com at 4:55:27 PM    [id:139456855]
16:55:27 [56863] Delivery finished for faye_gomez@salonbotaniqueecochic.com at 4:55:27 PM    [id:139456863]
16:55:27 [56857] Delivery finished for faye_gomez@salonbotaniqueecochic.com at 4:55:27 PM    [id:139456857]
16:55:27 [56856] Delivery finished for faye_gomez@salonbotaniqueecochic.com at 4:55:27 PM    [id:139456856]
16:55:27 [56845] Delivery finished for faye_gomez@salonbotaniqueecochic.com at 4:55:27 PM    [id:139456845]
16:55:27 [56860] Delivery finished for faye_gomez@salonbotaniqueecochic.com at 4:55:27 PM    [id:139456860]
 
 
 
Other Domain mcgovernlawfirm:
 
Return-Path: <bessie_watson@mcgovernlawfirm.com>
Received: from 369473-www2 (369473-www2 [127.0.0.1]) by 369473-www2.gdisinc.com with SMTP;
   Fri, 18 Mar 2016 16:46:02 -0400
Subject: Chick Next Door Wanna F5ck
To: reallucie@aol.com
X-PHP-Originating-Script: 0:alias.php(1938) : eval()'d code
Date: Fri, 18 Mar 2016 16:46:02 -0400
From: Bessie Watson <bessie_watson@mcgovernlawfirm.com>
Message-ID: <90ba7ab60763ff0993c3571f0adee76f@mcgovernlawfirm.com>
X-Priority: 3
X-Mailer: PHPMailer 5.2.9 
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="b1_90ba7ab60763ff0993c3571f0adee76f"
Content-Transfer-Encoding: 8bit
 
This is starting to really slow down my system and cause me problems. I try to look at the logs, but I'm feeling very confused and overwhelmed now. Can someone give me some guidance as to what this is?
 
If you need anything else please let me know.
 
Thank you,
 
Frank G.
 
 

Scarab Replied
March 18, 2016 at 4:49 PM
The two lines in the header that tell you where it is coming from are as follows:
 
Received: from 369473-www2 (369473-www2 [127.0.0.1]) by 369473-www2.gdisinc. with SMTP;
X-Mailer: PHPMailer 5.2.9
It looks like you set your Web Server as an SMTP Authentication Bypass and multiple sites have been compromised with uploaded php scripts that are sending out email.
 
You can remove the SMTP Authentication Bypass from SECURITY > SMTP AUTHENTICATION BYPASS in SmarterMail. If you have this enabled because you have some websites with forms that do not use SMTP Authentication then you may have to leave it enabled and set the directory permissions on those websites that are having rogue php scripts uploaded to them to no longer have SCRIPT or EXECUTE access in your IIS Handler Mappings (Feature Permissions). Any web directory with IUSR Modify/Write Access should have those Handler Mapping permissions disabled for security, for this exact reason.
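An added example (not from the thread, not SmarterMail code) that turns the two tell-tale header lines into a spool triage: it parses each .eml, flags messages that came in over the loopback address via PHPMailer or carry PHP's X-PHP-Originating-Script header (written when mail.add_x_header is on), and groups them by sending domain and originating script so the uploaded file can be located on the web server. The sample messages are constructed from the two headers quoted in the question plus one normal submission as a control; file names are placeholders.

```python
import re
from collections import Counter
from email import message_from_string

# Constructed samples (not real spool files): the two header blocks quoted in
# the question with subjects and bodies omitted, plus a normal submission from
# a workstation as a control that must not be flagged.
SAMPLES = {
    "sample-1.eml": (
        "Return-Path: <faye_gomez@salonbotaniqueecochic.com>\n"
        "Received: from 369473-www2 (369473-www2 [127.0.0.1]) by 369473-www2.gdisinc.com with SMTP;\n"
        "   Fri, 18 Mar 2016 16:45:18 -0400\n"
        "X-PHP-Originating-Script: 0:code.php(1953) : eval()'d code\n"
        "X-Mailer: PHPMailer 5.2.9\n\n(body omitted)\n"
    ),
    "sample-2.eml": (
        "Return-Path: <bessie_watson@mcgovernlawfirm.com>\n"
        "Received: from 369473-www2 (369473-www2 [127.0.0.1]) by 369473-www2.gdisinc.com with SMTP;\n"
        "   Fri, 18 Mar 2016 16:46:02 -0400\n"
        "X-PHP-Originating-Script: 0:alias.php(1938) : eval()'d code\n"
        "X-Mailer: PHPMailer 5.2.9\n\n(body omitted)\n"
    ),
    "sample-3.eml": (
        "Return-Path: <owner@example.com>\n"
        "Received: from workstation (workstation [192.0.2.10]) by 369473-www2.gdisinc.com with SMTP;\n"
        "   Fri, 18 Mar 2016 16:50:00 -0400\n"
        "X-Mailer: Microsoft Outlook 15.0\n\n(body omitted)\n"
    ),
}

# PHP writes "X-PHP-Originating-Script: <uid>:<file>(<line>) ..." when
# mail.add_x_header is on; "eval()'d code" means mail() was called from eval().
SCRIPT_RE = re.compile(r"^(?P<uid>\d+):(?P<script>[^(]+)\((?P<line>\d+)\)(?P<rest>.*)$")
LOOPBACK_RE = re.compile(r"\[127\.0\.0\.1\]")

def classify(raw):
    """Return details if the message was injected by a web script, else None."""
    msg = message_from_string(raw)
    script_hdr = msg.get("X-PHP-Originating-Script")
    via_loopback = any(LOOPBACK_RE.search(r) for r in msg.get_all("Received") or [])
    php_mailer = "PHPMailer" in msg.get("X-Mailer", "")
    if not script_hdr and not (via_loopback and php_mailer):
        return None  # ordinary submission, e.g. an authenticated mail client
    info = {"script": None, "line": None, "evald": False, "sender_domain": None,
            "via_loopback": via_loopback, "php_mailer": php_mailer}
    m = SCRIPT_RE.match(script_hdr.strip()) if script_hdr else None
    if m:
        info["script"] = m.group("script").strip()   # file to look for on the web server
        info["line"] = int(m.group("line"))
        info["evald"] = "eval()'d code" in m.group("rest")
    dom = re.search(r"@([^>\s]+)", msg.get("Return-Path", ""))
    if dom:
        info["sender_domain"] = dom.group(1).lower()  # which hosted site is affected
    return info

def triage(spool):
    """Count flagged messages per (sending domain, originating script, eval'd)."""
    counts = Counter()
    for raw in spool.values():  # in practice: {name: open(f).read()} over the spool's .eml files
        info = classify(raw)
        if info:
            counts[(info["sender_domain"], info["script"], info["evald"])] += 1
    return counts
```

The (domain, script) pairs with the highest counts point at the site directories to inspect; a script reported as eval()'d code is the uploaded file itself, not an innocent contact form.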
