Thanks Dan, you pretty much explained in detail what I suggested ;-) I agree that this is indeed a hijacked account sending out spam and receiving bounces from those that were not delivered. In addition to Dan's suggestions (password change and malware scan on systems) I would recommend checking blocklists for entries for your host (http://mxtoolbox.com/blacklists.aspx) to get cleared from them (if you landed on one of those).
Cheers,
Sebastian

On 26 Aug 2014, at 16:53, Dan McAllister <[email protected]> wrote:

> On 8/25/2014 11:27 AM, Jim Shupert wrote:
>> friends,
>>
>> I have one user [ MrBlue ] who is a valid user on my domain of
>> theppjgroup.com
>>
>> It seems MrBlue has been getting overloaded with failure notices..
>> I *think*
>> that someone is sending mail spoofing MrBlue -- but they do not have the
>> password -- so it fails
>> and My ( actual ) MrBlue then gets a failure notice.
>>
>> well,
>> my mr blue is red with rage.
>> I wonder what i can do to relieve some of the pain?
>>
>> below please find one of the failure notices
>>
>> Thanks
>>
>>
>>
>> -----Original Message-----
>> From: [email protected]
>> [mailto:[email protected]]
>> Sent: Friday, August 22, 2014 6:49 AM
>> To: [email protected]
>> Subject: failure notice
>>
>> Hi. This is the qmail-send program at mailhost.theppjgroup.com.
>> I'm afraid I wasn't able to deliver your message to the following addresses.
>> This is a permanent error; I've given up. Sorry it didn't work out.
>>
>> <[email protected]>:
>> User and password not set, continuing without authentication.
>> 65.54.188.126 does not like recipient.
>> Remote host said: 550 Requested action not taken: mailbox unavailable Giving
>> up on 65.54.188.126.
>>
>> --- Below this line is a copy of the message.
>>
>> Return-Path: <[email protected]>
>> Received: (qmail 8984 invoked by uid 89); 22 Aug 2014 10:48:53 -0000
>> Received: by simscan 1.3.1 ppid: 8975, pid: 8980, t: 0.3711s
>> scanners: attach: 1.3.1 clamav: 0.95.2/m:
>> Received: from unknown (HELO ?192.168.249.85?)
>> ([email protected]@72.189.129.134)
>> by mailhost.theppjgroup.com with ESMTPA; 22 Aug 2014 10:48:53 -0000
>> Content-Type: multipart/alternative;
>> boundary="===============0847007466868061251=="
>> MIME-Version: 1.0
>> Message-ID: <[email protected]>
>> Date: Fri, 22 Aug 2014 13:49:19 +0300
>> From: "K&L Gates international" <[email protected]>
>> Subject: Urgent indebtedness notification
>> To: [email protected]
>>
> OK - So I want to take this opportunity to educate on the reading of Mail
> Headers....
>
> First, new header entries always go to the TOP, so to trace the path of a
> message, start at the bottom (of the header).
> In the above example, the message STARTED with a header of:
> Date: Fri, 22 Aug 2014 13:49:19 +0300
> From: "K&L Gates international" <[email protected]>
> Subject: Urgent indebtedness notification
> To: [email protected]
> At which point, your SMTP server collected it and added:
> Received: from unknown (HELO ?192.168.249.85?)
> ([email protected]@72.189.129.134)
> by mailhost.theppjgroup.com with ESMTPA; 22 Aug 2014 10:48:53 -0000
> Content-Type: multipart/alternative;
> boundary="===============0847007466868061251=="
> MIME-Version: 1.0
> Message-ID: <[email protected]>
> And HERE is where you'll find how this message is coming in...
> The end-user connected to you with a PC (or other client device) that had a
> LOCAL (LAN) IP address of 192.168.249.85
> - Is this the LAN IP address range of Mr Blue? If not, someone's logging
> into your server from another LAN
> The Public IP address of this client system is 72.189.129.134 (That is, the
> public IP address of the source of the SMTP connection)
> - Is this the WAN IP address of Mr Blue's office? Again, if not, someone's
> logging into your mail server with falsified credentials
> The SMTP AUTH credential provided was [email protected] -- so if
> someone's been hacked, it's Mr. Blue himself!
>
> The remaining headers (moving up) are the internal processing of your QMT:
> Return-Path: <[email protected]>
> Received: (qmail 8984 invoked by uid 89); 22 Aug 2014 10:48:53 -0000
> Received: by simscan 1.3.1 ppid: 8975, pid: 8980, t: 0.3711s
> scanners: attach: 1.3.1 clamav: 0.95.2/m:
> Now you could argue at which point any of these lines gets added, but the
> point in reading a mail header is that you work from the bottom up!
>
> So, while others have suggested MrBlue is being spoofed, or that this is
> back-scatter, I think the proof here is that he may have been HACKED (that
> is, if the LAN and WAN IPs don't match Mr Blue's environment, someone is
> impersonating him - so change the password, pronto!), or that he has a
> MALWARE infection (if those are his addresses). That LAN host -- ending in
> 249.85 -- likely is the system with the malware, so scan that system (and
> change the account password as well).
>
> I hope this helps...
>
> Dan
> IT4SOHO
>
> --
> IT4SOHO, LLC
> 33 - 4th Street N, Suite 211
> St. Petersburg, FL 33701-3806
>
> CALL TOLL FREE:
> 877-IT4SOHO
>
> 877-484-7646 Phone
> 727-647-7646 Local
> 727-490-4394 Fax
>
> We have support plans for QMail!
>
