

Mail queue messages




Posted by mylinear, 09-15-2010, 09:33 AM
In WHM mail queue manager, there were many messages listed which seemed to be spam and were deleted. Below are 2 examples. These are not real messages sent by the real user at the real domain. Can anyone tell from the message details how these messages got in the queue? Could it be an external 3rd party accessing the real user's PC and sending the messages through the real user's email address? real.user@real.domain replaces the real user's email address. 11.22.33.44 replaces the real user's IP address. server.i.p.address is the real server IP address. The From, To, Subject, other IPs are the spammer's. Example 1: Example 2:

Posted by GOT, 09-15-2010, 12:38 PM
Based on the headers, they were sent using SMTP authentication which usually means a users email address was compromised.
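The reply above rests on reading the Received headers: Exim (the MTA cPanel/WHM uses) records the protocol of each hop, and the tokens `esmtpa` / `esmtpsa` mean the message was accepted over SMTP AUTH, i.e. with a mailbox password. The script below is an added example, not code from the thread or from cPanel; the two messages it parses are constructed (the thread's real headers are not reproduced on the page), and the `Authenticated sender:` annotation it looks for is an assumption about how the Received line may be configured on a given server.

```python
import re
from email import message_from_string

# Constructed sample: the kind of message the first post describes. The only
# hop is the spammer's client authenticating straight to the server as
# real.user@real.domain from the user's (placeholder) IP 11.22.33.44.
AUTH_SUBMISSION = """\
Received: from [11.22.33.44] (port=51234 helo=user-pc)
\tby server.example.net with esmtpa (Exim 4.69)
\t(envelope-from <real.user@real.domain>)
\tid 1OvXYZ-0001AB-Cd
\tfor victim@example.org; Wed, 15 Sep 2010 09:01:02 +0000
From: "Great Deals" <deals@spammer.example>
To: victim@example.org
Subject: constructed test message
X-Mailer: Microsoft Outlook Express 6.00.2900.5512

body
"""

# Constructed sample: ordinary unauthenticated relay from another MTA.
UNAUTH_RELAY = """\
Received: from mail.other.example ([198.51.100.7])
\tby server.example.net with esmtp (Exim 4.69)
\t(envelope-from <someone@other.example>)
\tid 1OvABC-0002CD-Ef
\tfor real.user@real.domain; Wed, 15 Sep 2010 09:05:00 +0000
From: someone@other.example
To: real.user@real.domain
Subject: constructed inbound message

body
"""

IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Exim protocol names as they appear after "with": esmtpa/esmtpsa carry SMTP AUTH.
PROTO_RE = re.compile(r"\bwith\s+(esmtpsa|esmtpa|esmtps|esmtp|smtp|local)\b", re.I)
ENVFROM_RE = re.compile(r"envelope-from\s+<([^>]*)>", re.I)
# Assumption: some Exim configurations annotate the authenticated login this way.
AUTHSENDER_RE = re.compile(r"Authenticated sender:\s*([^\s)]+)", re.I)
AUTH_PROTOS = {"esmtpa", "esmtpsa"}


def parse_received(value):
    """Extract source IP, protocol and auth details from one Received header."""
    flat = " ".join(value.split())  # unfold continuation lines
    ip = IPV4_RE.search(flat)
    proto = PROTO_RE.search(flat)
    envfrom = ENVFROM_RE.search(flat)
    authsender = AUTHSENDER_RE.search(flat)
    protocol = proto.group(1).lower() if proto else None
    return {
        "source_ip": ip.group(1) if ip else None,
        "protocol": protocol,
        "authenticated": protocol in AUTH_PROTOS,
        "envelope_from": envfrom.group(1) if envfrom else None,
        "auth_user": authsender.group(1) if authsender else None,
    }


def analyze_message(raw):
    """Return one record per Received header, newest hop first."""
    msg = message_from_string(raw)
    return [parse_received(v) for v in msg.get_all("Received", [])]


def find_auth_submission(raw):
    """Return the first hop that used SMTP AUTH, or None if there is none."""
    for hop in analyze_message(raw):
        if hop["authenticated"]:
            return hop
    return None


if __name__ == "__main__":
    for label, raw in (("spam sample", AUTH_SUBMISSION), ("relay sample", UNAUTH_RELAY)):
        hop = find_auth_submission(raw)
        if hop:
            print(f"{label}: authenticated submission from {hop['source_ip']} "
                  f"as {hop['envelope_from']} -> reset that mailbox password")
        else:
            print(f"{label}: no authenticated hop; arrived by plain relay")
```

Only the Received line stamped by your own server is trustworthy; everything below it, and the From, X-Mailer and other visible headers, is whatever the client chose to send. So the first post's question is answered by that one line: an `esmtpa` hop from a client IP, with the envelope-from set to the real user's address, means someone presented that mailbox's password, which is what the reply above calls a compromised account.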

Posted by mylinear, 09-15-2010, 01:39 PM
Thanks for your reply. Compromised as in a 3rd party has figured out the real.user@real.domain email account password and set up his own email account in Outlook Express to send out the spam? Or the 3rd party is somehow connecting to the real user's PC and sending out spam through that? I ask the latter because these headers seem to indicate the message was from a 3rd party IP address to the real user's IP address then to the mail server. Does it not?

Posted by GOT, 09-15-2010, 01:50 PM
Since I don't know everyone's IPs it's hard to tell, and a lot of that can be faked, especially the mailer. Bottom line is, change the email account password and don't give it to the client for a couple of days. Then give it to him and see if the problem returns.

Posted by mylinear, 09-15-2010, 02:13 PM
Thanks for the advice. It's definitely not the client doing the spamming. As you say, probably a compromised account. Only thing I could do at that time was to firewall the IP (11.22.33.44) from connecting to the server to stop those spam messages.

Posted by GOT, 09-15-2010, 02:29 PM
A decent short-term solution, but I would not be surprised if they come back from a different IP. I would definitely reset the password.


