Topic 'Re: Outbound mail server Spoofed.' in forum 'No, I Will Not Fix Your #@$!! Computer' - dslreports.com

Re: Outbound mail server Spoofed.

Wed, 12 Dec 2012 16:00:06 EDT

unixwolf posted : You got "Joe Jobbed"

Re: Outbound mail server Spoofed.

Tue, 20 Nov 2012 10:36:48 EDT

TBBroadband posted : the problem with doing much with HG is they're at the power of everything, especially on a shared/rented machine that wasn't dedicated. But hopefully everything will be fully taken away from this week as planned and moved over. I have a huge billing system there on WHMCS that is currently being backed up and being moved to my T1. And that will be the last thing.

Re: Outbound mail server Spoofed.

Mon, 19 Nov 2012 20:56:06 EDT

TBBroadband posted : that domain only has 2 email addresses. I was hosting about 15 websites with them. They had everything as far as my websites and emails.

Re: Outbound mail server Spoofed.

Mon, 19 Nov 2012 20:55:01 EDT

TBBroadband posted : the spammers were actually sending through the mail server. But yet still claim that since it was a shared server they're unable to implement any security on the POP/IMAP/STMP server as it would "break" the internet and their servers.

Re: Outbound mail server Spoofed.

Mon, 19 Nov 2012 16:14:39 EDT

TBBroadband posted : I am moving away from HG right now. My question was basically if it was just me.

I used to use GoogleApps but ran into problems with a couple of my domains. A couple of the domains that were tied to the account would stop working. So that was when I made the move. But I'm working on bringing my websites in house and working with another company on creating my own "cloud" as a back-up.

Re: Outbound mail server Spoofed.

Mon, 19 Nov 2012 11:07:06 EDT

PToN posted : It looks like backscatter to me. We had some of that going on earlier this year. Tuning up the spam filter to actually check for backscatter solved the problem.

Re: Outbound mail server Spoofed.

Mon, 19 Nov 2012 08:37:15 EDT

tomdlgns posted : my question is....why are you still with hostgator?

also, with that small number of users, you are better off using hosted exchange from another provider (or using google apps, free for 10 users or less).

Re: Outbound mail server Spoofed.

Mon, 19 Nov 2012 07:22:06 EDT

H_T_R_N posted :

said by TBBroadband:

nope. I always use my drivers licenses number with special marks afterwords

Did you check to see if you were an open relay?

If you only have 2 email address why in the world you you outsource that? Share an ip address with a lightly used one you have on your T1.

Re: Outbound mail server Spoofed.

Sun, 18 Nov 2012 22:14:20 EDT

izy posted :

said by TBBroadband:

Then I asked- would anyone consider changing hosts after they refused to help and just kept passing the buck. I've debated about putting it back on my own T1 in house again.

Best idea in this thread so far. Host your own email and use a 3rd party to filter spam.

Still, nothing you can do to prevent spammers from using a return address on your domain other than SPF.
--
"Intellectuals solve problems, geniuses prevent them." Einstein

Re: Outbound mail server Spoofed.

Sun, 18 Nov 2012 20:46:14 EDT

TBBroadband posted : I know that it would do nothing. It was the fact the HostGator's answer was to fix the problem-- turn on domain keys (which is used for incoming mail) and SPF. None which would really correct the problem.

After rebuilding the server and changing the IP that was assigned to it, the SPAM did stop, but the fact is, i pay them the manage the server and all, and nothing was done but passing the buck.

Then I asked- would anyone consider changing hosts after they refused to help and just kept passing the buck. I've debated about putting it back on my own T1 in house again.

Re: Outbound mail server Spoofed.

Sun, 18 Nov 2012 20:42:06 EDT

urbanriot posted : Even with SPF turned on, you still have servers on the internet firing off spam in your name and there's nothing you can do to stop it. SPF doesn't stop people from sending, it bounces back from the servers that support SPF that lookup your domain and even then, much of the internet doesn't even support SPF.

Re: Outbound mail server Spoofed.

Sun, 18 Nov 2012 20:41:11 EDT

TBBroadband posted : it is an issue when they're wide open and anyone can send email through them. That does become a big issue. Especially when it becomes a hosting customer's problem when the host won't help correct their mistakes.

Re: Outbound mail server Spoofed.

Sun, 18 Nov 2012 20:39:52 EDT

TBBroadband posted : nope. I always use my drivers licenses number with special marks afterwords

Re: Outbound mail server Spoofed.

Sun, 18 Nov 2012 20:35:20 EDT

H_T_R_N posted : Easy to guess password? I always assign passwords so that they don't end up being easy.

Re: Outbound mail server Spoofed.

Sun, 18 Nov 2012 17:53:25 EDT

WireHead posted : I can't imagine unencrypted mail servers..

The horror..
The horror..

Re: Outbound mail server Spoofed.

Sun, 18 Nov 2012 17:28:32 EDT

TBBroadband posted : I blame the host as they claim my information was stolen, but then they admit that they do not require any security when using a mail client. Just put in their default server information and you're good to go. If they would have set up SSL i don't think i would have had this problem.

I have used Google Apps, Outlook.com, DreamHost, Hostpapa, Fatcow and never had this problem until this last Friday with Hostgator- who puts EVERYTHING on their "help site" so they don't have to provide support. It even took 3 calls and "online chats" to get a ticket created for the abuse department. otherwise the poorly trained reps would just pass the buck after 1hour+ on hold and say it was fixed.

Re: Outbound mail server Spoofed.

Sun, 18 Nov 2012 17:25:27 EDT

TBBroadband posted : I checked and didn't see anything. but the domain is: pugzbrand.com

Re: Outbound mail server Spoofed.

Sun, 18 Nov 2012 17:24:49 EDT

TBBroadband posted : Since they were using my mailserver if HostGator would have SSL turned on by default I don't see how this would have gone through since the emails where going directly through my server. They also claim that I would not see them in my "sent" folder on webmail due to the items being sent through a client. Which I told them before I do NOT use client email programs for security. But they kept blaming my computer and still did in the end. They refused to take any responsibility on it. The only way they deploy SSL is on webmail which is total BS since I found out by their own "abuse team" their outgoing mail servers are listed on their website and state that no encryption is required. *smh*

Re: Outbound mail server Spoofed.

Sun, 18 Nov 2012 16:57:46 EDT

nonymous posted : I use Google Apps for my home use. had asked the almost same question in security recently. Knew they were spoofed though and not coming from my Google Apps account. Did and do have spf and domain keys setup and working.
Answer was it happens and nothing besides spf and domain keys will help verify my own email. Will not stop the spoofing.

Just wanted to confirm you were not hacked. As you said hacked or spoofed. As said I did not get any way to stop the spoofing.

Re: Outbound mail server Spoofed.

Sun, 18 Nov 2012 15:16:24 EDT

urbanriot posted : I have the same situation with one of my domains and basically I enabled SPF and that's all I can do. I analyze all the bounce backs and it's not originating from my location (based on IP's of senders and the fact I get the SPF failure bounce back as well).

This has nothing to do with the host and everything to do with the internet.

Re: Outbound mail server Spoofed.

Sun, 18 Nov 2012 14:31:35 EDT

WireHead posted : Like you said I did not see any spf in there that will help hosts that receive the sent mail reject it instantly. Can't look up your domain since you xxx'd it out. Be worth checking into the block lists after you get it sorted out and see if anyone is now rejecting you.
--
Retired BBR Team Starfire Team Q III Host
Live by chance. Love by choice. Kill by profession.

Re: Outbound mail server Spoofed.

Sat, 17 Nov 2012 23:18:42 EDT
TBBroadband posted : here is the latest one that shows that it was spoofed:

Reporting-MTA: dns; gatewayXX.websitewelcome.com
X-Postfix-Queue-ID: 282E1897E94A6
X-Postfix-Sender: rfc822; kyle@pugzXXXXX.com
Arrival-Date: Sat, 17 Nov 2012 21:58:50 -0600 (CST)

Final-Recipient: rfc822; joachim@jrbusiness.se
Action: failed
Status: 5.4.4
Diagnostic-Code: X-Postfix; Host or domain name not found. Name service error
for name=jrbusiness.se type=A: Host not found

Return-Path:
Received: by gatewayXX.websitewelcome.com (Postfix, from userid 5007)
id 282E1897E94A6; Sat, 17 Nov 2012 21:58:50 -0600 (CST)
Received: from vinacXXXX.websitewelcome.com (vinacXXXX.websitewelcome.com [50.97.101.199])
by gatewayXX.websitewelcome.com (Postfix) with ESMTP id 1D679897E9486
for ; Sat, 17 Nov 2012 21:58:50 -0600 (CST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=pugzXXXX.com; s=default;
h=Message-ID:Content-Transfer-Encoding:Content-Type:To:Reply-To:From:Subject:Date:MIME-Version; bh=oPiuRkyWuObK/ivNhY7v46UF9VBuUOKsVr88zlDnlQM=;
b=Q87mMeN/iUCJRU2FIHxveDxMgzMM7w34DAo47MxdpzmCytc/9bpPr7R4IORhRInYYLbAL7xwuuI/FLKw2FovuB2xOksWl3dTevaCsV7KXuSkh9ZQN2e90jgo1VZ+cY60;
Received: from [220.246.40.143] (port=1546 helo=SPORTSMARK-SRV.sportsmark.com.hk)
by vinacXXXn.websitewelcome.com with esmtpsa (TLSv1:RC4-MD5:128)
(Exim 4.80)
(envelope-from )
id 1TZw1x-0000hb-Io
for joachim@jrbusiness.se; Sat, 17 Nov 2012 21:58:49 -0600
MIME-Version: 1.0
Date: Sun, 18 Nov 2012 11:46:35 +0800
X-Priority: 3 (Normal)
X-Mailer: Apple Mail (3.619)
Subject: transportation} firm
From: kyle@pugzXXXXX.com
Reply-To: Editheys001@hotmail.com
To: joachim@jrbusiness.se
Content-Type: text/plain;
charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID:
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - vinacXXXXX.websitewelcome.com
X-AntiAbuse: Original Domain - jrbusiness.se
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - pugzXXXXX.com
X-BWhitelist: no
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: (SPORTSMARK-SRV.sportsmark.com.hk) [220.246.40.143]:1546
X-Source-Auth: kyle@pugzXXXX.com
X-Email-Count:
X-Source-Cap: cHVnZ3k7dHJheGxlcjt2aW5hY29taW4ud2Vic2l0ZXdlbGNvbWUuY29t

Re: Outbound mail server Spoofed.

Sat, 17 Nov 2012 22:47:03 EDT
TBBroadband posted : HostGator has claimed its being spoofed. I don't have anything in my sent folders and i only have 2 accounts - the default account and my own account. The emails are showing my personal account as the sender in the "reply to" filed. Here is a copy and paste on one of the emails --- well part of the email.

This is one that was sent to an AT&T customer/user that bounced back:

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

steph404@bellsouth.net
SMTP error from remote mail server after initial connection:
host gateway-f2.isp.att.net [207.115.11.16]: 550-50.97.101.199 blocked by ldap:ou=rblmx,dc=att,dc=net
550 Error - Blocked for abuse. See »att.net/blocks

------ This is a copy of the message, including all the headers. ------

Return-path:
Received: from [203.109.245.253] (port=19080 helo=server2008.BRUSTICS.local)
by vinaXXXXX.websitewelcome.com with esmtpsa (TLSv1:RC4-MD5:128)
(Exim 4.80)
(envelope-from )
id 1TZunN-0000IM-OW
for steph404@bellsouth.net; Sat, 17 Nov 2012 20:39:42 -0600
MIME-Version: 1.0
Date: Sun, 18 Nov 2012 15:39:37 +1300
X-Priority: 3 (Normal)
X-Mailer: Microsoft Outlook Express 7.02.3157.3188
From: kyle@pugzXXXX.com (i edited my domain)
Reply-To: Michalekei710@hotmail.com
To: steph404@bellsouth.net
Content-Type: text/plain;
charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID:

Re: Outbound mail server Spoofed.

Sat, 17 Nov 2012 21:41:05 EDT
nonymous posted : Is the mail spoofed or have they actually gained access to your outgoing mail server.

Re: Outbound mail server Spoofed.

Sat, 17 Nov 2012 21:02:27 EDT
TBBroadband posted : Thanks! I prefer to outsource due to redundancy and allow someone to else have the headache even though I can host internally on my own T1. But this makes me start thinking on what I'm going to move in house. Especially my email, sine my private/personal email is the one attached to the spam messages and not a general or catch all email.

Re: Outbound mail server Spoofed.

Sat, 17 Nov 2012 20:15:20 EDT
Oedipus posted : I certainly would look into it. I recommend Appriver, personally.

Outbound mail server Spoofed.

Sat, 17 Nov 2012 18:55:42 EDT
TBBroadband posted : I currently outsource my company's webserver to HG. Yesterday it started I started to get bounce backs from Mail Demon on messages being returned. Upon reading the messages (over 90 of them in 3 hours) I realized I was either hacked, or spoofed. I contacted the company and basically nothing they can/willing to do except turn on Domain Keys for inbox spam filtering and SPF but yet I have the problem.

I never had the problem with other hosts (google apps, outlook.com/office365,etc), as they generally used SSL for outgoing mail servers, etc. HG uses regular login - no protection to send using a mail client.

I've come to realize I would probably be best moving my website. Does anyone agree with me and moving or ?????