
How the hell are spammers using my domain's email accounts!?

Discussion in 'BlackHat Lounge' started by dog-tag, Sep 24, 2011.

  1. dog-tag

    dog-tag Senior Member

    Joined:
    Oct 19, 2010
    Messages:
    811
    Likes Received:
    912
    Occupation:
    Full-Time Internet Marketer + Business Consultant
    Location:
    Thailand
    Hey all,

    I'm just wondering how on earth are spammers using my domain email accounts to spam?

    They've actually made accounts using my domain names, and then spammed the living shit out of email accounts...

    The reason I want to know is to prevent this from happening. I had bluehost contact me last year with the same issue, and now I've just purchased a new domain with new hosting and I'm wondering "how the f'ing hell is this happening again??"

    Anyway thanks for the replies and I hope this is the right section to post in.

    Gilesy
     
  2. moundown

    moundown BANNED

    Joined:
    Jun 24, 2010
    Messages:
    118
    Likes Received:
    32
    Do these email accounts exist ? If yes, change your password.
     
  3. dog-tag

    dog-tag Senior Member

    Joined:
    Oct 19, 2010
    Messages:
    811
    Likes Received:
    912
    Occupation:
    Full-Time Internet Marketer + Business Consultant
    Location:
    Thailand
    What do you mean by script? I've always just used cpanel...

    No, the accounts they're spamming with were made by them!?
    I can't even see the accounts they're using in my cpanel account..

    So the email accounts are alive but not viewable in my cpanel? Is this even possible?
     
  4. andytopspin

    andytopspin Registered Member

    Joined:
    Aug 18, 2011
    Messages:
    59
    Likes Received:
    40
    Occupation:
    9-5
    Location:
    Sweden
    What kind of hosting do you have? If you have standard web hosting it's most likely managed by the host. Ask them for a security audit of your account. Tell them that your account has been compromised and that you need a complete reset of all passwords and an in-depth search of all your folders to find where the malicious code is hiding that logs your passwords. Because I think you've got something nasty hiding and running in your folder structure.
     
  5. dog-tag

    dog-tag Senior Member

    Joined:
    Oct 19, 2010
    Messages:
    811
    Likes Received:
    912
    Occupation:
    Full-Time Internet Marketer + Business Consultant
    Location:
    Thailand
    Ohh.. I used xsitepro to build these websites... you got any ideas?
     
  6. jairathnem

    jairathnem Power Member

    Joined:
    Oct 27, 2010
    Messages:
    550
    Likes Received:
    316
    Occupation:
    Student
    Location:
    Incredible India!
    My guess is they are using a mass mailer application, which allows them to mask an email with any email address!

    I don't think you can do anything!
     
  7. dog-tag

    dog-tag Senior Member

    Joined:
    Oct 19, 2010
    Messages:
    811
    Likes Received:
    912
    Occupation:
    Full-Time Internet Marketer + Business Consultant
    Location:
    Thailand
    I just mailed my host to have them look into it and give me some advice...

    I have a lot of hosting solutions but this one is on a shared server. I had a very similar problem when I was with bluehost, and then I was with EW until he screwed up, so I wouldn't be blaming any hosts for this, but how the hell did they plant anything on my system?

    And more importantly how can I stop people like this?? Depressing to think that someone can actually mask their email account and spam away :(
     
  8. dowser

    dowser Power Member

    Joined:
    Jun 5, 2011
    Messages:
    685
    Likes Received:
    122
    Location:
    canada
    Those are spoofed (fake) e-mail accounts. Nothing much you can do about it, but nobody takes them too seriously, so if you get angry e-mails from spammed people, just refer them to spamcop or just tell them it's fake and ask them to check the IP.

    I get my share of them, especially on my oldest domain.
     
  9. dog-tag

    dog-tag Senior Member

    Joined:
    Oct 19, 2010
    Messages:
    811
    Likes Received:
    912
    Occupation:
    Full-Time Internet Marketer + Business Consultant
    Location:
    Thailand
    I wish people who spam would learn how to market instead of being dicks... the worst people online have to be spammers and virus coders... sadistic people, who need some porn in their lives or something..

    Well, at least my host knows now, and I use offshore hosting/domains so there shouldn't be any hassle.

    Cheers as always for the suggestion boys, BHW never lets ye down!
     
  10. forgoten.heroes

    forgoten.heroes Newbie

    Joined:
    Sep 30, 2011
    Messages:
    4
    Likes Received:
    0
    I need an inbox mailer.
     
  11. gu3sswh0

    gu3sswh0 Regular Member

    Joined:
    Mar 22, 2011
    Messages:
    287
    Likes Received:
    78
    Location:
    Strip Club
    oooo I just won the Nigerian lottery and if I send them my credit card details I can claim my prize!
     
  12. dog-tag

    dog-tag Senior Member

    Joined:
    Oct 19, 2010
    Messages:
    811
    Likes Received:
    912
    Occupation:
    Full-Time Internet Marketer + Business Consultant
    Location:
    Thailand
    I won that last year but forgot to claim :( hahaha
     
  13. upl8t

    upl8t Regular Member

    Joined:
    Apr 9, 2008
    Messages:
    475
    Likes Received:
    84
    Location:
    New Scotland
    It's likely they're just spoofing email accounts from your domain in the send. You can usually check the email headers and see where it's really coming from.
     
  14. BassTrackerBoats

    BassTrackerBoats Moderator Staff Member Moderator Jr. VIP

    Joined:
    Mar 10, 2010
    Messages:
    12,733
    Likes Received:
    21,945
    Occupation:
    I don't actually have a job
    Location:
    It's an Algo, of course it can be gamed.
    I'm really sorry, OP, I'll tone it down some.
     
  15. frozenocean

    frozenocean Junior Member

    Joined:
    Sep 30, 2011
    Messages:
    100
    Likes Received:
    11
    Location:
    both arctic
    This is awful.

    Use tight security. Shut off your SMTP relay. Use password authentication.
     
  16. Chees

    Chees Regular Member

    Joined:
    Apr 16, 2010
    Messages:
    476
    Likes Received:
    151
    Is your server an open relay? Check it at mxtoolbox.com.
     
  17. dog-tag

    dog-tag Senior Member

    Joined:
    Oct 19, 2010
    Messages:
    811
    Likes Received:
    912
    Occupation:
    Full-Time Internet Marketer + Business Consultant
    Location:
    Thailand
    Tried it there, it's not an open relay!?
     
  18. MrBlue

    MrBlue Senior Member

    Joined:
    Dec 18, 2009
    Messages:
    950
    Likes Received:
    662
    Occupation:
    Web/Bot Developer
    They are spoofing sender addresses with your domain name. As has already been pointed out, there is not much you can do about it. I second using mxtoolbox.com to make sure your mail server config is following best practices.
     
  19. kvmcable

    kvmcable Supreme Member

    Joined:
    Dec 28, 2010
    Messages:
    1,355
    Likes Received:
    2,815
    Occupation:
    24 year business owner - old school dude
    Location:
    KFC - BW3
    I see this once in a while as a hosting service. Typically it has nothing to do with your hosting or website. What they do is use a compromised server and spoof the email header so the emails that bounce hit your server rather than the one they originated from. They typically use a valid email account from your website so it appears the emails came from you and are bouncing back to you.

    Check the IP in the email header and contact the owner of the server sending the emails. They have an open relay or compromised email account and they'll shut it down and thank you for letting them know.

    Second thing is to drop the email account on your server that the spammers are using so when the emails bounce back to your server they bounce back to the originator and aren't received by your host. Basically just delete the email account and use something different so you don't see all the bounced emails and neither does your host.

    If you look at the bounced messages they're probably an alphabetical list of names to large companies in China or Russia.

    Double check and make sure you're not using stupid passwords on your email accounts either. Most of the time the compromised email accounts are like webmaster@domain.com and the password is webmaster. DUH, just waiting to be hacked. I had several clients using my hosting service doing such stupid stuff and of course they all got warnings once I saw the relays being sent from their compromised email accounts.

    Good luck
     
    Last edited: Sep 30, 2011
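    The header check that upl8t and kvmcable recommend (find the IP that really injected the message, then compare it with what your own domain's mail hosts would look like) can be automated. The script below is an added example, not code from anyone in this thread; the message, the IPs and the `LEGIT_OUTBOUND` allow-list are all constructed for illustration, and it handles IPv4 Received: headers only.

    ```python
    import re
    from email import message_from_string
    from email.utils import parseaddr

    # Constructed sample, not a real message: From: claims the victim's domain,
    # but the earliest Received: hop (the originating server) is an unrelated host.
    SAMPLE = """\
    Return-Path: <webmaster@example-victim.com>
    Received: from mx.receiver.example (mx.receiver.example [203.0.113.7])
    \tby mail.example-victim.com with ESMTP; Sat, 24 Sep 2011 10:02:11 +0000
    Received: from unknown (HELO mail.example-victim.com) ([198.51.100.23])
    \tby mx.receiver.example with SMTP; Sat, 24 Sep 2011 10:01:58 +0000
    From: "Webmaster" <webmaster@example-victim.com>
    To: someone@receiver.example
    Subject: Undeliverable mail (constructed bounce)

    body omitted
    """

    # IPv4 only; hostnames never match because every octet must be digits.
    IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
    # Constructed allow-list: hosts that really send mail for each domain we control.
    LEGIT_OUTBOUND = {"example-victim.com": {"192.0.2.10"}}

    def received_ips(raw):
        """IPs from the Received: chain, ordered earliest hop first."""
        msg = message_from_string(raw)
        ips = [m.group(0) for h in msg.get_all("Received", [])
               for m in [IPV4_RE.search(str(h))] if m]
        ips.reverse()  # each relay prepends its header, so the last one is hop 1
        return ips

    def originating_ip(raw):
        """The first relay that injected the message, or None if untraceable."""
        hops = received_ips(raw)
        return hops[0] if hops else None

    def from_domain(raw):
        """Domain part of the From: header, lower-cased."""
        addr = parseaddr(message_from_string(raw).get("From", ""))[1]
        return addr.rpartition("@")[2].lower()

    def is_spoofed(raw):
        """True when From: names a domain we control but the message was
        injected by a host that is not one of that domain's legitimate senders."""
        allowed = LEGIT_OUTBOUND.get(from_domain(raw))
        if allowed is None:
            return False  # someone else's domain; nothing for us to judge
        return originating_ip(raw) not in allowed
    ```

    The first-hop IP is the one to report to its owner, as kvmcable suggests; remember that only the Received: line added by a relay you trust is reliable, since earlier lines can be forged by the sender too.
    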
  20. saxgod

    saxgod Regular Member

    Joined:
    Sep 19, 2010
    Messages:
    351
    Likes Received:
    337
    It's inherent in the SMTP protocol. There is no password required to send mail. If you know a bit of SMTP you can send it from any SMTP server that allows you to relay (e.g. from your ISP, or your own SMTP, or an open SMTP, or a hacked SMTP, or a hacked PC running an SMTP for the spam bot).

    There are only checks to see if the sending domain really exists, and that's only recently. Good receiving mail servers also check against the sender's domain mail server to see if the account actually exists, but many domain mail servers just always say 'yes' since they have no checks (e.g. a frontend SMTP for an Exchange box that is not coupled into the AD). Since the spoofed mails are getting through from nonexistent accounts, it looks like your domain mail server always says yes or the receiving mail server does not perform this check (many mails get classified as false-positive spam by this, so many admins disable these checks).

    If you'd like to know more about this just send a PM, I'm not going to give a class here ;)

    Anyway,