
Date:  Mon, 29 Jun 2009 17:42:42 -0700
From:  "Ken Marcus - Precision Web Hosting, Inc." <kenmarcus (at mark) precisionweb.net>
Subject:  [coba-e:15760] Re: spam problem w/ email - hope not serious
To:  <coba-e (at mark) bluequartz.org>
Message-Id:  <043D931D79F64A068865350AD1BF78C9@OfficeKen>
References:  <4A494565.3040805 (at mark) nomealaska.org> <200906300129.52771.bq (at mark) solarspeed.net> <4A4959B8.1060101 (at mark) nomealaska.org>
X-Mail-Count: 15760


----- Original Message ----- 
From: "Jim Dory" <jdory (at mark) nomealaska.org>
To: <coba-e (at mark) bluequartz.org>
Sent: Monday, June 29, 2009 5:18 PM
Subject: [coba-e:15755] Re: spam problem w/ email - hope not serious


> Michael Stauber wrote:
>> Hi Jim,
>>
>>
>>> I just started getting this error returned as a Returned mail from our
>>> server's "Mail_delivery_subsytem<MAILER-DAEMON (at mark) srv1.nomecity.org> and I
>>> don't know about one of our users jenns (at mark) nomealaska.org with
>>> jenns@localhost being used like it is, plus the line "jenns set sender
>>> to <jdory (at mark) nomealaska.org> using -f " which I see a lot in our maillog
>>> also with other email addresses set sender to from same user.
>>>
>>
>> Most likely a PHP script owned by user "jens" is sending those emails.
>>
>> To find out which files that may be you can use several methods:
>>
>> Find all files in /home/.sites/ owned by user "jens":
>>
>> find /home/.sites/ -user jens
>>
>> Go to the home directory of that user and then check what site that is:
>> cd ~jens && pwd | cut -d / -f5
>>
>> That will report back something like "site2". To then find out the site's 
>> FQDN do this:
>>
>> ls -la /home/sites/ | grep site2
>>
>>
> This particular user is on vacation and has her webmail personal info set 
> to forward her email to a hotmail account. Otherwise I see nothing unusual 
> but I may be missing something.. /jd
>
> -- 
> Jim Dory
> Engineering
> City of Nome
> PO Box 281
> 102 Division St.
> Nome, AK 99762
> 907.443.6604
>
> http://www.nomealaska.org
>
>


It seems like if it was a php script then it would say apache set sender. 
But since it says "jens set sender", then possibly it is a cgi script.
Maybe webmail does that. Maybe the vacation message does that.

In any case, I think it would be reasonable to change the jens password.

Maybe jens gets a lot of spam with a fake from address and then sends the 
vacation message to those fake from addresses.

What blacklists are you using? Try zen.spamhaus.org

Also, I have heard that adding a null mx record as the lowest priority MX 
and another null mx record as the highest priority MX reduces spam
http://blog.heluna.com/2007/10/11/reducing-spam-mx-records/

----
Ken Marcus
Ecommerce Web Hosting by
Precision Web Hosting, Inc.
http://www.precisionweb.net
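The thread turns on reading sendmail's "USER set sender to <ADDR> using -f" lines in /var/log/maillog: "apache set sender" points at a PHP script under the web server, while a named user setting many different envelope senders (as a vacation auto-reply to spoofed From addresses would) points at that user's account or mail filters. The following script, added here as an example and not part of the thread or of BlueQuartz, summarizes those lines per local user and flags users who set more than one distinct sender or any sender outside the server's own domains. The log lines, hostnames, users and addresses in it are constructed for the example; only the log format is sendmail's.

```python
import re
from collections import defaultdict

# Constructed sample /var/log/maillog excerpt in sendmail's format.
# Hosts, queue ids, users and addresses are made up for this example.
SAMPLE_MAILLOG = """\
Jun 29 16:58:11 srv1 sendmail[21001]: n5TNwBqA021001: alice set sender to <alice@example.com> using -f
Jun 29 17:01:02 srv1 sendmail[21077]: n5U012uQ021077: bob set sender to <ceo@example.com> using -f
Jun 29 17:01:05 srv1 sendmail[21078]: n5U015rU021078: bob set sender to <random1@hotmail.test> using -f
Jun 29 17:01:09 srv1 sendmail[21079]: n5U019vZ021079: bob set sender to <random2@yahoo.test> using -f
Jun 29 17:02:40 srv1 sendmail[21090]: n5U02exM021090: from=<alice@example.com>, size=512, class=0, nrcpts=1, msgid=<x@srv1>, relay=alice@localhost
Jun 29 17:03:15 srv1 sendmail[21102]: n5U03F8y021102: apache set sender to <noreply@example.com> using -f
"""

# Matches the "set sender ... using -f" message sendmail logs when a local
# process overrides the envelope sender with -f.
SET_SENDER_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\S+): (?P<user>\S+) set sender to "
    r"<(?P<sender>[^>]+)> using -f"
)


def parse_set_sender(log_text):
    """Yield (local_user, envelope_sender) for every matching log line."""
    for line in log_text.splitlines():
        m = SET_SENDER_RE.search(line)
        if m:
            yield m.group("user"), m.group("sender").lower()


def summarize(log_text, local_domains):
    """Per local user: how many -f overrides, which senders, and which of
    those senders are outside local_domains (likely spoofed or bounced)."""
    per_user = defaultdict(lambda: {"count": 0, "senders": set()})
    for user, sender in parse_set_sender(log_text):
        per_user[user]["count"] += 1
        per_user[user]["senders"].add(sender)

    summary = {}
    for user, info in per_user.items():
        foreign = sorted(
            s for s in info["senders"]
            if s.rsplit("@", 1)[-1] not in local_domains
        )
        summary[user] = {
            "count": info["count"],
            "senders": sorted(info["senders"]),
            "foreign": foreign,
        }
    return summary


def suspicious_users(summary, max_distinct=1):
    """Users that set more than max_distinct distinct envelope senders or
    any sender outside the local domains; 'apache' here would indicate a
    web script, a named user their account, filters or auto-reply."""
    return sorted(
        user for user, info in summary.items()
        if len(info["senders"]) > max_distinct or info["foreign"]
    )


if __name__ == "__main__":
    # Local domains are an assumption for the constructed sample.
    report = summarize(SAMPLE_MAILLOG, {"example.com"})
    for user in suspicious_users(report):
        info = report[user]
        print(f"{user}: {info['count']} messages, "
              f"{len(info['senders'])} distinct senders, "
              f"foreign: {', '.join(info['foreign']) or 'none'}")
```

Run it against the real log with `summarize(open("/var/log/maillog").read(), {"yourdomain.example"})`; a user whose flagged senders are a long list of unrelated outside addresses matches the vacation-reply-to-spoofed-senders pattern described above, whereas a single "apache" entry with one fixed sender is the normal signature of a web form script.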