What is this and where is it coming from?
Question asked by Francis Gibbons - 3/18/2016 at 1:54 PM
Hello All,
I don't get it lately with my mail on my server. I am running SM 9.x on a Windows 2008. I have noticed a ton of email in my spool from two domains now. It started with one; now it's two domains.
I had the client scan their one system with Malwarebytes to see if they have a virus/malware. She said she would get back to me on the other, still waiting to hear. But more or less I am getting like 20,000 emails from them in my system and I can't tell if they are sending it out or if someone is just sending random emails to this domain. Below is an example of the two domains in my spool. I also changed the user name password to a 20-character password for the Salon domain but that didn't seem to stop it either. My server isn't an open relay either so I don't know what else to do. Can someone please help me figure out where this is coming from and how I can stop it?
Header for Domain salonbotaniqueecochic
None of these users exist; they are all made up!
Return-Path: <faye_gomez@salonbotaniqueecochic.com>
Received: from 369473-www2 (369473-www2 []) by 369473-www2.gdisinc. with SMTP;
   Fri, 18 Mar 2016 16:45:18 -0400
Subject: For stone-stiff hard-ons
To: nksica@yahoo.com
X-PHP-Originating-Script: 0:code.php(1953) : eval()'d code
Date: Fri, 18 Mar 2016 16:45:18 -0400
From: Faye Gomez <faye_gomez@salonbotaniqueecochic.com>
Message-ID: <85a7ed7b84b87c546c0558910b2ad850@salonbotaniqueecochic.com>
X-Priority: 3
X-Mailer: PHPMailer 5.2.9
MIME-Version: 1.0
Content-Type: multipart/alternative;
Content-Transfer-Encoding: 8bit
Here is the Delivery Log Report for the above fake user:
16:45:21 [56847] Delivery started for faye_gomez@salonbotaniqueecochic.com at 4:45:21 PM
16:45:21 [56848] Delivery started for faye_gomez@salonbotaniqueecochic.com at 4:45:21 PM
16:45:21 [56860] Delivery started for faye_gomez@salonbotaniqueecochic.com at 4:45:21 PM
16:45:21 [56854] Delivery started for faye_gomez@salonbotaniqueecochic.com at 4:45:21 PM
16:45:21 [56845] Delivery started for faye_gomez@salonbotaniqueecochic.com at 4:45:21 PM
16:45:21 [56856] Delivery started for faye_gomez@salonbotaniqueecochic.com at 4:45:21 PM
16:45:21 [56857] Delivery started for faye_gomez@salonbotaniqueecochic.com at 4:45:21 PM
16:45:21 [56862] Delivery started for faye_gomez@salonbotaniqueecochic.com at 4:45:21 PM
16:45:21 [56863] Delivery started for faye_gomez@salonbotaniqueecochic.com at 4:45:21 PM
16:45:21 [56855] Delivery started for faye_gomez@salonbotaniqueecochic.com at 4:45:21 PM
16:45:48 [56863] Skipping spam checks: No local recipients
16:45:48 [56855] Skipping spam checks: No local recipients
16:45:48 [56862] Skipping spam checks: No local recipients
16:45:48 [56857] Skipping spam checks: No local recipients
16:45:48 [56856] Skipping spam checks: No local recipients
16:45:48 [56845] Skipping spam checks: No local recipients
16:45:48 [56854] Skipping spam checks: No local recipients
16:45:48 [56860] Skipping spam checks: No local recipients
16:45:48 [56848] Skipping spam checks: No local recipients
16:45:48 [56847] Skipping spam checks: No local recipients
16:45:51 [56855] Sending remote mail for faye_gomez@salonbotaniqueecochic.com
16:45:51 [56863] Sending remote mail for faye_gomez@salonbotaniqueecochic.com
16:45:51 [56862] Sending remote mail for faye_gomez@salonbotaniqueecochic.com
16:45:51 [56855] Initiating connection to
16:45:51 [56855] Connecting to (Id: 1)
16:45:51 [56855] Binding to local IP (Id: 1)
16:45:51 [56857] Sending remote mail for faye_gomez@salonbotaniqueecochic.com
16:45:51 [56862] Initiating connection to
16:45:51 [56862] Connecting to (Id: 1)
16:45:51 [56862] Binding to local IP (Id: 1)
16:45:51 [56856] Sending remote mail for faye_gomez@salonbotaniqueecochic.com
16:45:51 [56863] Initiating connection to
16:45:51 [56863] Connecting to (Id: 1)
16:45:51 [56863] Binding to local IP (Id: 1)
16:45:51 [56845] Sending remote mail for faye_gomez@salonbotaniqueecochic.com
16:45:51 [56862] Connection to from succeeded (Id: 1)
16:45:51 [56854] Sending remote mail for faye_gomez@salonbotaniqueecochic.com
16:45:51 [56857] Initiating connection to
16:45:51 [56857] Connecting to (Id: 1)
16:45:51 [56857] Binding to local IP (Id: 1)
16:45:51 [56863] Connection to from succeeded (Id: 1)
16:45:51 [56855] Connection to from succeeded (Id: 1)
16:45:52 [56856] Initiating connection to
16:45:52 [56856] Connecting to (Id: 1)
16:45:52 [56856] Binding to local IP (Id: 1)
16:45:52 [56860] Sending remote mail for faye_gomez@salonbotaniqueecochic.com
16:45:52 [56845] Initiating connection to
16:45:52 [56845] Connecting to (Id: 1)
16:45:52 [56845] Binding to local IP (Id: 1)
16:45:52 [56848] Sending remote mail for faye_gomez@salonbotaniqueecochic.com
16:45:52 [56856] Connection to from succeeded (Id: 1)
16:45:52 [56862] RSP: 220 mx.google.com ESMTP v4si3231150oer.61 - gsmtp
16:45:52 [56862] CMD: EHLO 369473-www2.gdisinc.com
16:45:52 [56847] Sending remote mail for faye_gomez@salonbotaniqueecochic.com
16:45:52 [56854] Initiating connection to
16:45:52 [56854] Connecting to (Id: 1)
16:45:52 [56854] Binding to local IP (Id: 1)
16:45:52 [56856] RSP: 220 SNT004-MC1F38.hotmail.com Sending unsolicited commercial or bulk e-mail to Microsoft's computer network is prohibited. Other restrictions are found at http://privacy.microsoft.com/en-us/anti-spam.mspx. Fri, 18 Mar 2016 13:45:51 -0700 
16:45:52 [56856] CMD: EHLO 369473-www2.gdisinc.com
16:45:52 [56854] Connection to from succeeded (Id: 1)
16:45:52 [56857] Connection to from succeeded (Id: 1)
16:45:52 [56855] RSP: 220 mta1544.mail.gq1.yahoo.com ESMTP ready
16:45:52 [56855] CMD: EHLO 369473-www2.gdisinc.com
16:45:52 [56862] RSP: 250-mx.google.com at your service, []
16:45:52 [56862] RSP: 250-SIZE 35882577
16:45:52 [56862] RSP: 250-8BITMIME
16:45:52 [56862] RSP: 250-STARTTLS
16:45:52 [56862] RSP: 250-ENHANCEDSTATUSCODES
16:45:52 [56862] RSP: 250-PIPELINING
16:45:52 [56862] RSP: 250-CHUNKING
16:45:52 [56862] RSP: 250 SMTPUTF8
16:45:52 [56862] CMD: MAIL FROM:<faye_gomez@salonbotaniqueecochic.com> SIZE=1227
16:45:52 [56845] Connection to from succeeded (Id: 1)
16:45:52 [56860] Initiating connection to
16:45:52 [56860] Connecting to (Id: 1)
16:45:52 [56860] Binding to local IP (Id: 1)
16:45:52 [56856] RSP: 250-SNT004-MC1F38.hotmail.com ( Hello []
16:45:52 [56856] RSP: 250-SIZE 36909875
16:45:52 [56856] RSP: 250-PIPELINING
16:45:52 [56856] RSP: 250-8bitmime
16:45:52 [56856] RSP: 250-BINARYMIME
16:45:52 [56856] RSP: 250-CHUNKING
16:45:52 [56856] RSP: 250-STARTTLS
16:45:52 [56856] RSP: 250-AUTH LOGIN
16:45:52 [56856] RSP: 250-AUTH=LOGIN
16:45:52 [56856] RSP: 250 OK
16:45:52 [56856] CMD: MAIL FROM:<faye_gomez@salonbotaniqueecochic.com> SIZE=1243
16:45:52 [56854] RSP: 220 mx.google.com ESMTP g190si10325171oic.82 - gsmtp
16:45:52 [56854] CMD: EHLO 369473-www2.gdisinc.com
16:45:52 [56848] Initiating connection to
16:45:52 [56848] Connecting to (Id: 1)
16:45:52 [56848] Binding to local IP (Id: 1)
16:45:52 [56847] Initiating connection to
16:45:52 [56847] Connecting to (Id: 1)
16:45:52 [56847] Binding to local IP (Id: 1)
16:45:52 [56863] RSP: 421 mtaig-aae02.mx.aol.com Service unavailable - try again later
16:45:52 [56863] CMD: QUIT
16:45:52 [56862] RSP: 250 2.1.0 OK v4si3231150oer.61 - gsmtp
16:45:52 [56862] CMD: RCPT TO:<nkrivena@gmail.com>
16:45:52 [56848] Connection to from succeeded (Id: 1)
16:45:52 [56847] Connection to from succeeded (Id: 1)
16:45:52 [56860] Connection to from succeeded (Id: 1)
16:45:52 [56856] RSP: 421 RP-001 (SNT004-MC1F38) Unfortunately, some messages from weren't sent. Please try again. We have limits for how many messages can be sent per hour and per day. You can also refer to http://mail.live.com/mail/troubleshooting.aspx#errors.
16:45:52 [56856] CMD: QUIT
16:45:52 [56854] RSP: 250-mx.google.com at your service, []
16:45:52 [56854] RSP: 250-SIZE 35882577
16:45:52 [56854] RSP: 250-8BITMIME
16:45:52 [56854] RSP: 250-STARTTLS
16:45:52 [56857] RSP: 220 BAY004-MC4F56.hotmail.com Sending unsolicited commercial or bulk e-mail to Microsoft's computer network is prohibited. Other restrictions are found at http://privacy.microsoft.com/en-us/anti-spam.mspx. Fri, 18 Mar 2016 13:45:52 -0700 
16:45:52 [56854] RSP: 250-ENHANCEDSTATUSCODES
16:45:52 [56854] RSP: 250-PIPELINING
16:45:52 [56854] RSP: 250-CHUNKING
16:45:52 [56857] CMD: EHLO 369473-www2.gdisinc.com
16:45:52 [56854] RSP: 250 SMTPUTF8
16:45:52 [56854] CMD: MAIL FROM:<faye_gomez@salonbotaniqueecochic.com> SIZE=1229
16:45:52 [56848] RSP: 220 mx.google.com ESMTP z85si10302685oia.86 - gsmtp
16:45:52 [56845] RSP: 220 mta1176.mail.gq1.yahoo.com ESMTP ready
16:45:52 [56848] CMD: EHLO 369473-www2.gdisinc.com
16:45:52 [56845] CMD: EHLO 369473-www2.gdisinc.com
16:45:52 [56847] RSP: 220 mx.google.com ESMTP s62si10314589oie.136 - gsmtp
16:45:52 [56847] CMD: EHLO 369473-www2.gdisinc.com
16:45:52 [56855] RSP: 250-mta1544.mail.gq1.yahoo.com
16:45:52 [56855] RSP: 250-PIPELINING
16:45:52 [56855] RSP: 250-SIZE 41943040
16:45:52 [56855] RSP: 250-8BITMIME
16:45:52 [56855] RSP: 250 STARTTLS
16:45:52 [56855] CMD: MAIL FROM:<faye_gomez@salonbotaniqueecochic.com> SIZE=1274
16:45:52 [56854] RSP: 250 2.1.0 OK g190si10325171oic.82 - gsmtp
16:45:52 [56854] CMD: RCPT TO:<nksdaniel57@gmail.com>
16:45:52 [56857] RSP: 250-BAY004-MC4F56.hotmail.com ( Hello []
16:45:52 [56857] RSP: 250-SIZE 36909875
16:45:52 [56857] RSP: 250-PIPELINING
16:45:52 [56857] RSP: 250-8bitmime
16:45:52 [56857] RSP: 250-BINARYMIME
16:45:52 [56857] RSP: 250-CHUNKING
16:45:52 [56857] RSP: 250-STARTTLS
16:45:52 [56857] RSP: 250-AUTH LOGIN
16:45:52 [56857] RSP: 250-AUTH=LOGIN
16:45:52 [56857] RSP: 250 OK
16:45:52 [56857] CMD: MAIL FROM:<faye_gomez@salonbotaniqueecochic.com> SIZE=1202
16:45:52 [56845] RSP: 250-mta1176.mail.gq1.yahoo.com
16:45:52 [56845] RSP: 250-PIPELINING
16:45:52 [56845] RSP: 250-SIZE 41943040
16:45:52 [56845] RSP: 250-8BITMIME
16:45:52 [56845] RSP: 250 STARTTLS
16:45:52 [56845] CMD: MAIL FROM:<faye_gomez@salonbotaniqueecochic.com> SIZE=1192
16:45:52 [56847] RSP: 250-mx.google.com at your service, []
16:45:52 [56847] RSP: 250-SIZE 35882577
16:45:52 [56847] RSP: 250-8BITMIME
16:45:52 [56847] RSP: 250-STARTTLS
16:45:52 [56847] RSP: 250-ENHANCEDSTATUSCODES
16:45:52 [56847] RSP: 250-PIPELINING
16:45:52 [56847] RSP: 250-CHUNKING
16:45:52 [56847] RSP: 250 SMTPUTF8
16:45:52 [56847] CMD: MAIL FROM:<faye_gomez@salonbotaniqueecochic.com> SIZE=1248
16:45:52 [56848] RSP: 250-mx.google.com at your service, []
16:45:52 [56848] RSP: 250-SIZE 35882577
16:45:52 [56848] RSP: 250-8BITMIME
16:45:52 [56848] RSP: 250-STARTTLS
16:45:52 [56848] RSP: 250-ENHANCEDSTATUSCODES
16:45:52 [56848] RSP: 250-PIPELINING
16:45:52 [56848] RSP: 250-CHUNKING
16:45:52 [56848] RSP: 250 SMTPUTF8
16:45:52 [56848] CMD: MAIL FROM:<faye_gomez@salonbotaniqueecochic.com> SIZE=1240
16:45:52 [56855] RSP: 421 4.7.1 [TS03] All messages from will be permanently deferred; Retrying will NOT succeed. See https://help.yahoo.com/kb/postmaster/SLN3436.html
16:45:52 [56855] CMD: QUIT
16:45:52 [56848] RSP: 250 2.1.0 OK z85si10302685oia.86 - gsmtp
16:45:52 [56847] RSP: 250 2.1.0 OK s62si10314589oie.136 - gsmtp
16:45:52 [56848] CMD: RCPT TO:<nkraskoff@gmail.com>
16:45:52 [56847] CMD: RCPT TO:<nkswr1953pgn@gmail.com>
16:45:52 [56857] RSP: 421 RP-001 (BAY004-MC4F56) Unfortunately, some messages from weren't sent. Please try again. We have limits for how many messages can be sent per hour and per day. You can also refer to http://mail.live.com/mail/troubleshooting.aspx#errors.
16:45:52 [56857] CMD: QUIT
16:45:52 [56845] RSP: 421 4.7.1 [TS03] All messages from will be permanently deferred; Retrying will NOT succeed. See https://help.yahoo.com/kb/postmaster/SLN3436.html
16:45:52 [56845] CMD: QUIT
16:45:52 [56862] RSP: 250 2.1.5 OK v4si3231150oer.61 - gsmtp
16:45:52 [56862] CMD: DATA
16:45:52 [56862] RSP: 354  Go ahead v4si3231150oer.61 - gsmtp
16:45:52 [56862] RSP: 250 2.0.0 OK 1458333952 v4si3231150oer.61 - gsmtp
16:45:52 [56862] CMD: QUIT
16:45:52 [56847] RSP: 250 2.1.5 OK s62si10314589oie.136 - gsmtp
16:45:52 [56847] CMD: DATA
16:45:52 [56854] RSP: 250 2.1.5 OK g190si10325171oic.82 - gsmtp
16:45:52 [56854] CMD: DATA
16:45:52 [56847] RSP: 354  Go ahead s62si10314589oie.136 - gsmtp
16:45:52 [56862] RSP: 221 2.0.0 closing connection v4si3231150oer.61 - gsmtp
16:45:52 [56862] Delivery for faye_gomez@salonbotaniqueecochic.com to nkrivena@gmail.com has completed (Delivered)
16:45:52 [56854] RSP: 354  Go ahead g190si10325171oic.82 - gsmtp
16:45:52 [56848] RSP: 250 2.1.5 OK z85si10302685oia.86 - gsmtp
16:45:52 [56848] CMD: DATA
16:45:52 [56848] RSP: 354  Go ahead z85si10302685oia.86 - gsmtp
16:45:52 [56847] RSP: 550-5.7.1 [      18] Our system has detected that this message is
16:45:52 [56847] RSP: 550-5.7.1 likely suspicious due to the very low reputation of the sending IP
16:45:52 [56847] RSP: 550-5.7.1 address. To best protect our users from spam, the message has been
16:45:52 [56847] RSP: 550-5.7.1 blocked. Please visit
16:45:52 [56847] RSP: 550 5.7.1  https://support.google.com/mail/answer/188131 for more information. s62si10314589oie.136 - gsmtp
16:45:52 [56847] CMD: QUIT
16:45:52 [56854] RSP: 550-5.7.1 [      18] Our system has detected that this message is
16:45:52 [56854] RSP: 550-5.7.1 likely suspicious due to the very low reputation of the sending IP
16:45:52 [56854] RSP: 550-5.7.1 address. To best protect our users from spam, the message has been
16:45:52 [56854] RSP: 550-5.7.1 blocked. Please visit
16:45:52 [56854] RSP: 550 5.7.1  https://support.google.com/mail/answer/188131 for more information. g190si10325171oic.82 - gsmtp
16:45:52 [56854] CMD: QUIT
16:45:52 [56848] RSP: 250 2.0.0 OK 1458333952 z85si10302685oia.86 - gsmtp
16:45:52 [56848] CMD: QUIT
16:45:52 [56848] RSP: 221 2.0.0 closing connection z85si10302685oia.86 - gsmtp
16:45:52 [56848] Delivery for faye_gomez@salonbotaniqueecochic.com to nkraskoff@gmail.com has completed (Delivered)
16:45:53 [56860] RSP: 421 mtaig-aah01.mx.aol.com Service unavailable - try again later
16:45:53 [56860] CMD: QUIT
16:45:55 [56862] Delivery finished for faye_gomez@salonbotaniqueecochic.com at 4:45:55 PM    [id:139456862]
16:45:55 [56848] Delivery finished for faye_gomez@salonbotaniqueecochic.com at 4:45:55 PM    [id:139456848]
16:45:57 [56847] Bounce email written to 139456868.eml
16:45:57 [56847] Delivery for faye_gomez@salonbotaniqueecochic.com to nkswr1953pgn@gmail.com has completed (Bounced)
16:45:57 [56854] Bounce email written to 139456869.eml
16:45:57 [56854] Delivery for faye_gomez@salonbotaniqueecochic.com to nksdaniel57@gmail.com has completed (Bounced)
16:45:58 [56868] Delivery started for  at 4:45:58 PM
16:45:58 [56869] Delivery started for  at 4:45:58 PM
16:45:58 [56854] Delivery finished for faye_gomez@salonbotaniqueecochic.com at 4:45:58 PM    [id:139456854]
16:45:58 [56847] Delivery finished for faye_gomez@salonbotaniqueecochic.com at 4:45:58 PM    [id:139456847]
16:46:25 [56869] Error checking SPF Record: Spf check failed due to null sender's ip
16:46:25 [56868] Error checking SPF Record: Spf check failed due to null sender's ip
16:46:25 [56868] Spam check results: [_REVERSEDNSLOOKUP: passed], [_DK: None], [_DKIM: None], [BARRACUDA - BRBL: passed], [FIVE-TEN: passed], [HOSTKARMA - BLACKLIST: passed], [HOSTKARMA - BROWNLIST: passed], [HOSTKARMA - WHITELIST: passed], [MAILSPIKE Z: passed], [NOABUSE: passed], [NOPOSTMASTER: passed], [RHSBL: passed], [SORBS - ABUSE: passed], [SORBS - DYNAMIC IP: passed], [SORBS - PROXY: passed], [SORBS - SOCKS: passed], [SORBS 02 - HTTP: passed], [SORBS 03 - SOCKS: passed], [SORBS 04 - MISC: passed], [SORBS 05 - SMTP: passed], [SORBS 06 - RECENT: passed], [SORBS 07 - WEB: passed], [SORBS 09 - BLOCK: passed], [SORBS 09 - ZOMBIE: passed], [SORBS 10 - DYNAMIC IP: passed], [SORBS 11 - BAD CONFIG: passed], [SORBS 12 - NOAAIL: passed], [SORBS 13 - NO SERVER: passed], [SPAMCOP: passed], [SPAMHAUS - PBL 1: passed], [SPAMHAUS - PBL 2: passed], [SPAMHAUS - SBL 1: passed], [SPAMHAUS - SBL 2: passed], [SPAMHAUS - XBL 1: passed], [SPAMHAUS - XBL 2: passed], [SPAMHAUS - XBL 3: passed], [SPAMHAUS - XBL 4: passed], [SPAMHAUS - ZEN: passed], [SPAMRATS: passed], [SURBL ??? ABUSE BUSTER: passed], [SURBL - SEM-URIRED: passed], [UCEPROTECT LEVEL 1: passed], [UCEPROTECT LEVEL 2: passed], [UCEPROTECT LEVEL 3: passed], [URIBL - SEM-URIBL: passed], [VIRUS RBL - MSRBL: passed]
16:46:25 [56869] Spam check results: [_REVERSEDNSLOOKUP: passed], [_DK: None], [_DKIM: None], [BARRACUDA - BRBL: passed], [FIVE-TEN: passed], [HOSTKARMA - BLACKLIST: passed], [HOSTKARMA - BROWNLIST: passed], [HOSTKARMA - WHITELIST: passed], [MAILSPIKE Z: passed], [NOABUSE: passed], [NOPOSTMASTER: passed], [RHSBL: passed], [SORBS - ABUSE: passed], [SORBS - DYNAMIC IP: passed], [SORBS - PROXY: passed], [SORBS - SOCKS: passed], [SORBS 02 - HTTP: passed], [SORBS 03 - SOCKS: passed], [SORBS 04 - MISC: passed], [SORBS 05 - SMTP: passed], [SORBS 06 - RECENT: passed], [SORBS 07 - WEB: passed], [SORBS 09 - BLOCK: passed], [SORBS 09 - ZOMBIE: passed], [SORBS 10 - DYNAMIC IP: passed], [SORBS 11 - BAD CONFIG: passed], [SORBS 12 - NOAAIL: passed], [SORBS 13 - NO SERVER: passed], [SPAMCOP: passed], [SPAMHAUS - PBL 1: passed], [SPAMHAUS - PBL 2: passed], [SPAMHAUS - SBL 1: passed], [SPAMHAUS - SBL 2: passed], [SPAMHAUS - XBL 1: passed], [SPAMHAUS - XBL 2: passed], [SPAMHAUS - XBL 3: passed], [SPAMHAUS - XBL 4: passed], [SPAMHAUS - ZEN: passed], [SPAMRATS: passed], [SURBL ??? ABUSE BUSTER: passed], [SURBL - SEM-URIRED: passed], [UCEPROTECT LEVEL 1: passed], [UCEPROTECT LEVEL 2: passed], [UCEPROTECT LEVEL 3: passed], [URIBL - SEM-URIBL: passed], [VIRUS RBL - MSRBL: passed]
16:46:28 [56869] Starting local delivery to faye_gomez@salonbotaniqueecochic.com
16:46:28 [56869] Delivery for  to faye_gomez@salonbotaniqueecochic.com has completed (Bounced)
16:46:28 [56869] Delivery for  to faye_gomez@salonbotaniqueecochic.com has completed (Bounced)
16:46:28 [56869] Delivery finished for  at 4:46:28 PM    [id:139456869]
16:46:28 [56868] Starting local delivery to faye_gomez@salonbotaniqueecochic.com
16:46:28 [56868] Delivery for  to faye_gomez@salonbotaniqueecochic.com has completed (Bounced)
16:46:28 [56868] Delivery for  to faye_gomez@salonbotaniqueecochic.com has completed (Bounced)
16:46:28 [56868] Delivery finished for  at 4:46:28 PM    [id:139456868]
16:55:27 [56855] Delivery finished for faye_gomez@salonbotaniqueecochic.com at 4:55:27 PM    [id:139456855]
16:55:27 [56863] Delivery finished for faye_gomez@salonbotaniqueecochic.com at 4:55:27 PM    [id:139456863]
16:55:27 [56857] Delivery finished for faye_gomez@salonbotaniqueecochic.com at 4:55:27 PM    [id:139456857]
16:55:27 [56856] Delivery finished for faye_gomez@salonbotaniqueecochic.com at 4:55:27 PM    [id:139456856]
16:55:27 [56845] Delivery finished for faye_gomez@salonbotaniqueecochic.com at 4:55:27 PM    [id:139456845]
16:55:27 [56860] Delivery finished for faye_gomez@salonbotaniqueecochic.com at 4:55:27 PM    [id:139456860]
Other Domain mcgovernlawfirm:
Return-Path: <bessie_watson@mcgovernlawfirm.com>
Received: from 369473-www2 (369473-www2 []) by 369473-www2.gdisinc.com with SMTP;
   Fri, 18 Mar 2016 16:46:02 -0400
Subject: Chick Next Door Wanna F5ck
To: reallucie@aol.com
X-PHP-Originating-Script: 0:alias.php(1938) : eval()'d code
Date: Fri, 18 Mar 2016 16:46:02 -0400
From: Bessie Watson <bessie_watson@mcgovernlawfirm.com>
Message-ID: <90ba7ab60763ff0993c3571f0adee76f@mcgovernlawfirm.com>
X-Priority: 3
X-Mailer: PHPMailer 5.2.9 
MIME-Version: 1.0
Content-Type: multipart/alternative;
Content-Transfer-Encoding: 8bit
This is starting to really slow down my system and cause me problems. I try to look at the logs but I'm feeling very confused and overwhelmed now. Can someone give me some guidance as to what this is?
If you need anything else please let me know.
Thank you,
Frank G.
Scarab Replied
The two lines in the header that tell you where it is coming from are as follows:
Received: from 369473-www2 (369473-www2 []) by 369473-www2.gdisinc. with SMTP;
X-Mailer: PHPMailer 5.2.9
It looks like you set your Web Server as an SMTP Authentication Bypass and multiple sites have been compromised with uploaded php scripts that are sending out email.
You can remove the SMTP Authentication Bypass from SECURITY > SMTP AUTHENTICATION BYPASS in SmarterMail. If you have this enabled because you have some websites with forms that do not use SMTP Authentication then you may have to leave it enabled and set the directory permissions on those websites that are having rogue php scripts uploaded to them to no longer have SCRIPT or EXECUTE access in your IIS Handler Mappings (Feature Permissions). Any web directory with IUSR Modify/Write Access should have those Handler Mapping permissions disabled for security, for this exact reason.

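As an added example (not code from the thread, from SmarterMail or from PHPMailer), the script below automates the two checks the reply describes: it reads each queued message's `Received:` line to see whether it was handed in by the server's own web host, reads `X-Mailer` and `X-PHP-Originating-Script` (the header PHP adds when `mail.add_x_header` is on, naming the script and line that called `mail()`), and tallies the SmarterMail delivery log by sending domain so you can see how much relayed mail each site is producing. The sample headers and log lines are constructed to mirror the ones quoted in the question; the legitimate contact-form message and its domain `example-site.com` are hypothetical, included only to show what a non-compromised form mail looks like next to the spam.

```python
"""Triage a SmarterMail spool flooded with PHPMailer spam (added example)."""
import re
from collections import Counter, defaultdict
from email.parser import Parser
from email.utils import parseaddr

# Constructed sample headers: two shaped like the question's messages, plus one
# hypothetical legitimate contact-form mail (example-site.com) for contrast.
SAMPLE_HEADERS = [
    "Return-Path: <faye_gomez@salonbotaniqueecochic.com>\n"
    "Received: from 369473-www2 (369473-www2 []) by 369473-www2.gdisinc.com with SMTP;\n"
    "   Fri, 18 Mar 2016 16:45:18 -0400\n"
    "X-PHP-Originating-Script: 0:code.php(1953) : eval()'d code\n"
    "From: Faye Gomez <faye_gomez@salonbotaniqueecochic.com>\n"
    "X-Mailer: PHPMailer 5.2.9\n",
    "Return-Path: <bessie_watson@mcgovernlawfirm.com>\n"
    "Received: from 369473-www2 (369473-www2 []) by 369473-www2.gdisinc.com with SMTP;\n"
    "   Fri, 18 Mar 2016 16:46:02 -0400\n"
    "X-PHP-Originating-Script: 0:alias.php(1938) : eval()'d code\n"
    "From: Bessie Watson <bessie_watson@mcgovernlawfirm.com>\n"
    "X-Mailer: PHPMailer 5.2.9\n",
    "Return-Path: <webform@example-site.com>\n"  # constructed, hypothetical site
    "Received: from 369473-www2 (369473-www2 []) by 369473-www2.gdisinc.com with SMTP;\n"
    "   Fri, 18 Mar 2016 16:50:00 -0400\n"
    "X-PHP-Originating-Script: 0:contact.php(42)\n"
    "From: Web Form <webform@example-site.com>\n"
    "X-Mailer: PHPMailer 5.2.9\n",
]

# PHP's header format: "<uid>:<file>(<line>)" plus " : eval()'d code" when the
# calling code came from an eval() string rather than the file itself.
SCRIPT_RE = re.compile(r"^(?P<uid>\d+):(?P<file>[^()]+)\((?P<line>\d+)\)(?P<rest>.*)$")
RECEIVED_RE = re.compile(r"from\s+(\S+)\s.*?\bby\s+(\S+)", re.S)


def classify_message(raw_headers):
    """Describe where one queued message came from and whether it looks injected."""
    msg = Parser().parsestr(raw_headers, headersonly=True)
    _, addr = parseaddr(msg.get("From", ""))
    info = {"domain": addr.rsplit("@", 1)[-1] if "@" in addr else "",
            "mailer": msg.get("X-Mailer", "").strip(),
            "script": None, "line": None, "eval": False,
            "via_local_web_host": False, "suspicious": False}
    # "Received: from X by X.domain" means our own web host handed the mail in,
    # i.e. it arrived through the web server, not from a mail client.
    m = RECEIVED_RE.match(msg.get("Received", ""))
    if m and m.group(2).startswith(m.group(1)):
        info["via_local_web_host"] = True
    sm = SCRIPT_RE.match(msg.get("X-PHP-Originating-Script", "").strip())
    if sm:
        info["script"] = sm.group("file").strip()
        info["line"] = int(sm.group("line"))
        info["eval"] = "eval()'d code" in sm.group("rest")
    # Mail sent by eval()'d code from the local web host is the pattern to chase
    # on disk: the named file and line is where the injected code was run from.
    info["suspicious"] = info["via_local_web_host"] and info["eval"]
    return info


# Constructed delivery-log lines in the format SmarterMail writes.
SAMPLE_LOG = """\
16:45:21 [56847] Delivery started for faye_gomez@salonbotaniqueecochic.com at 4:45:21 PM
16:45:48 [56847] Skipping spam checks: No local recipients
16:45:57 [56847] Delivery for faye_gomez@salonbotaniqueecochic.com to nkswr1953pgn@gmail.com has completed (Bounced)
16:45:21 [56862] Delivery started for faye_gomez@salonbotaniqueecochic.com at 4:45:21 PM
16:45:48 [56862] Skipping spam checks: No local recipients
16:45:52 [56862] Delivery for faye_gomez@salonbotaniqueecochic.com to nkrivena@gmail.com has completed (Delivered)
16:46:10 [56900] Delivery started for bessie_watson@mcgovernlawfirm.com at 4:46:10 PM
16:46:30 [56900] Skipping spam checks: No local recipients
16:46:31 [56900] Delivery for bessie_watson@mcgovernlawfirm.com to reallucie@aol.com has completed (Delivered)
"""

START_RE = re.compile(r"^\S+ \[(\d+)\] Delivery started for (\S+) at")
NOLOCAL_RE = re.compile(r"^\S+ \[(\d+)\] Skipping spam checks: No local recipients")
DONE_RE = re.compile(r"^\S+ \[(\d+)\] Delivery for (\S+) to (\S+) has completed \((\w+)\)")


def summarize_delivery_log(text):
    """Per sending domain: outbound-only spool items and how each delivery ended.

    "Skipping spam checks: No local recipients" means the item had no local
    mailbox involved at all, so it is mail the server relayed for that domain.
    """
    sender_of = {}                      # spool id -> sender address
    summary = defaultdict(Counter)
    for line in text.splitlines():
        m = START_RE.match(line)
        if m:
            sender_of[m.group(1)] = m.group(2)
            continue
        m = NOLOCAL_RE.match(line)
        if m and m.group(1) in sender_of:
            summary[sender_of[m.group(1)].rsplit("@", 1)[-1]]["outbound_only"] += 1
            continue
        m = DONE_RE.match(line)
        if m:
            summary[m.group(2).rsplit("@", 1)[-1]][m.group(4).lower()] += 1
    return {domain: dict(c) for domain, c in summary.items()}


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(classify_message(h))
    print(summarize_delivery_log(SAMPLE_LOG))
```

Run it over the real `.eml` files in the spool and the day's delivery log instead of the constructed samples: every message that comes back `suspicious` names the site script to inspect (and remove or quarantine), while the per-domain tallies show which sites are generating the relayed mail and whether the bounces and provider rate limits seen in the question's log are piling up against your server's IP.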