To All,
        Thanks so far.  To assist in getting to the bottom of this, here is
a copy of the two types of messages I am getting.  The first is the phishing
attack and the second is the rejection notices.   You can cut and paste into
notepad and then save as an HTML doc and see the actual messages.

Thank you for your advice in advance.

Cheers

--------------
MESSAGE NUMBER 100427194 
 --------------
Received: (qmail 2042 invoked by uid 48); 25 Nov 2011 03:01:19 -0000
Date: 25 Nov 2011 03:01:19 -0000
Message-ID: <20111125030119.2040.qm...@bpmback.protected.com.au>
To: kzo...@mailcity.com
Subject: PostePay Aggiornamento
From: Poste <poste...@poste.it>
Content-Type: text/html


<html>
</html>
<html>
<style type="text/css">
<!--
.style1 {color: #0000CC}
.style2 {font-weight: bold}
-->
</style>
<body>
<div align="center">
<table width="40%" style="border: 2px solid;">
<tr>
  <td bgcolor="#E9F404"><img
src="http://www.poste.it/img/body/logoposte.gif"; width="255"
height="54"></td>
</tr>
<tr>
<td bordercolor="#E9F404"><p></p>
<FONT face=Arial size=3>

&nbsp;&nbsp;
<p><FONT face=Arial size=2,5>&nbsp;&nbsp;Caro cliente <span
class="style2">Poste.it  </span>,</span><br> 
 &nbsp;&nbsp;<FONT face=Arial size=2,5>Lo staff di Poste Italiane sta
eseguendo un aggiornamento programmato<br>&nbsp; del software al fine di
migliorare la qualita' dei servizi bancari fornit</span>i<FONT face=Arial
size=2,5>.<br>
  &nbsp;&nbsp;Le chiediamo di avviare la procedura di conferma dei vostri
dati. <br>
  &nbsp;&nbsp;A questo punto,La pregiamo di cliccare sul link che trovera'
alla fine di questo messagio </font></p>
<p><FONT face=Arial size=2,5>&nbsp;&nbsp;&nbsp;&nbsp;<img
src="http://www.poste.it/img/body/arrow-g.gif"; width="8"
height="14">&nbsp;&nbsp;<strong><a
href="http://64.34.57.80/update_member1.html";>Acceda ai servizi online di
Poste.it e verifichi il suo account</a></strong></font></p>
<p><FONT face=Arial size=2,5>&nbsp;&nbsp;Il sistema automaticamente, dopo
aver ricevuto la documentazione e averne verificato <br>&nbsp;&nbsp;la
completezza e la verdicita' dei dati, provvedera' immediatamente a
riattivare il suo account.</font></p>
<p><FONT face=Arial size=2,5>&nbsp;&nbsp;Grazie della collaborazione lo
staff di <strong><a
href="http://64.34.57.80/update_member1.html";>Poste.it</a></strong></font><F
ONT face=Arial size=2,5><br>
  <BR>
  </font>        </p>
<FONT face=Arial size=2,5>&nbsp;</font>
<div align="right"><font color="gray" size="2,5" face="Arial"> Poste
Italiane 2011&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</font></div>

</p></td>
</tr>
<tr>
  <td bgcolor="#E9F404"><div align="center"><strong>&nbsp;<a
title="Contattaci"
href="http://www.poste.it/azienda/posterisponde/";>Contattaci</a> | <a
title="Privacy" href="http://www.poste.it/azienda/policy.shtml";>Privacy</a>
| <a title="Mappa" href="http://www.poste.it/online/mappa.shtml";>Mappa</a> |
<span class="style1">e-mail ID</span>: 3436531</strong></div></td>
</tr>
</table>
</div>
</body>
</html>
<IMG SRC="http://geo.yahoo.com/serv?s=76001524&t=1115751305"; ALT=1 WIDTH=1
HEIGHT=1>


------------------------------

 --------------
MESSAGE NUMBER 219491613 
 --------------
Received: (qmail 6245 invoked for bounce); 25 Nov 2011 08:40:07 -0000
Date: 25 Nov 2011 08:40:07 -0000
From: mailer-dae...@bpmback.protected.com.au
To: postmas...@bpmback.protected.com.au
Subject: failure notice

Hi. This is the qmail-send program at bpmback.protected.com.au.
I tried to deliver a bounce message to this address, but the bounce bounced!

<anonym...@protected.com.au>:
Sorry, no mailbox here by that name. (#5.1.1)

--- Below this line is the original bounce.

Return-Path: <>
Received: (qmail 11743 invoked for bounce); 25 Nov 2011 07:55:27 -0000
Date: 25 Nov 2011 07:55:27 -0000
From: mailer-dae...@bpmback.protected.com.au
To: anonym...@protected.com.au
Subject: failure notice

Hi. This is the qmail-send program at bpmback.protected.com.au.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<lain...@bluvacanze.it>:
User and password not set, continuing without authentication.
<lain...@bluvacanze.it> 85.158.138.51 failed after I sent the message.
Remote host said: 553-Message filtered. Please see the FAQs section on spam
553-at http://www.messagelabs.com/support/ for more
553 information. (#5.7.1)

--- Below this line is a copy of the message.

Return-Path: <anonym...@protected.com.au>
Received: (qmail 8185 invoked by uid 48); 25 Nov 2011 03:02:16 -0000
Date: 25 Nov 2011 03:02:16 -0000
Message-ID: <20111125030216.8183.qm...@bpmback.protected.com.au>
To: lain...@bluvacanze.it
Subject: PostePay Aggiornamento
From: Poste <poste...@poste.it>
Content-Type: text/html


<html>
</html>
<html>
<style type="text/css">
<!--
.style1 {color: #0000CC}
.style2 {font-weight: bold}
-->
</style>
<body>
<div align="center">
<table width="40%" style="border: 2px solid;">
<tr>
  <td bgcolor="#E9F404"><img
src="http://www.poste.it/img/body/logoposte.gif"; width="255"
height="54"></td>
</tr>
<tr>
<td bordercolor="#E9F404"><p></p>
<FONT face=Arial size=3>

&nbsp;&nbsp;
<p><FONT face=Arial size=2,5>&nbsp;&nbsp;Caro cliente <span
class="style2">Poste.it  </span>,</span><br> 
 &nbsp;&nbsp;<FONT face=Arial size=2,5>Lo staff di Poste Italiane sta
eseguendo un aggiornamento programmato<br>&nbsp; del software al fine di
migliorare la qualita' dei servizi bancari fornit</span>i<FONT face=Arial
size=2,5>.<br>
  &nbsp;&nbsp;Le chiediamo di avviare la procedura di conferma dei vostri
dati. <br>
  &nbsp;&nbsp;A questo punto,La pregiamo di cliccare sul link che trovera'
alla fine di questo messagio </font></p>
<p><FONT face=Arial size=2,5>&nbsp;&nbsp;&nbsp;&nbsp;<img
src="http://www.poste.it/img/body/arrow-g.gif"; width="8"
height="14">&nbsp;&nbsp;<strong><a
href="http://64.34.57.80/update_member1.html";>Acceda ai servizi online di
Poste.it e verifichi il suo account</a></strong></font></p>
<p><FONT face=Arial size=2,5>&nbsp;&nbsp;Il sistema automaticamente, dopo
aver ricevuto la documentazione e averne verificato <br>&nbsp;&nbsp;la
completezza e la verdicita' dei dati, provvedera' immediatamente a
riattivare il suo account.</font></p>
<p><FONT face=Arial size=2,5>&nbsp;&nbsp;Grazie della collaborazione lo
staff di <strong><a
href="http://64.34.57.80/update_member1.html";>Poste.it</a></strong></font><F
ONT face=Arial size=2,5><br>
  <BR>
  </font>        </p>
<FONT face=Arial size=2,5>&nbsp;</font>
<div align="right"><font color="gray" size="2,5" face="Arial"> Poste
Italiane 2011&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</font></div>

</p></td>
</tr>
<tr>
  <td bgcolor="#E9F404"><div align="center"><strong>&nbsp;<a
title="Contattaci"
href="http://www.poste.it/azienda/posterisponde/";>Contattaci</a> | <a
title="Privacy" href="http://www.poste.it/azienda/policy.shtml";>Privacy</a>
| <a title="Mappa" href="http://www.poste.it/online/mappa.shtml";>Mappa</a> |
<span class="style1">e-mail ID</span>: 3436531</strong></div></td>
</tr>
</table>
</div>
</body>
</html>
<IMG SRC="http://geo.yahoo.com/serv?s=76001524&t=1115751305"; ALT=1 WIDTH=1
HEIGHT=1>

-----Original Message-----
From: Agni Isador H [mailto:agniisa...@gmail.com] 
Sent: Friday, 25 November 2011 9:12 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: RE: [qmailtoaster] Help I am sending Spam

What Tonino said is true: you must view the mail headers,
then you can find the IP address the mail came from. Then block the IP address of the phishing mail
with tcp rules or a firewall.


Agni
-----Original Message-----
From: mattias [mailto:m...@mjw.se] 
Sent: Friday, November 25, 2011 5:12 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] Help I am sending Spam

there exist no viruses for linux
----- Original Message ----- 
From: "Tonix (Antonio Nati)" <to...@interazioni.it>
To: <qmailtoaster-list@qmailtoaster.com>
Sent: Friday, November 25, 2011 10:11 AM
Subject: Re: [qmailtoaster] Help I am sending Spam


> Get one of the offending messages, study the headers and examine the 
> way the message is entering the system.
> Do you have any web site which could send a malformed form to qmail?
>
> Tonino
>
> Il 25/11/2011 09:45, Mike Canty ha scritto:
>> To all,
>> I have a Qmail-Toaster server that is sending SPAM messages.  They
>> are from anonymous@my.domain and all are going to mailboxes in Italy.  The
>> message is always the same, subject "PostePay Aggiornamento" and it is an
>> HTML-based message that is definitely a Phishing message.
>>
>> Every time we stop Qmail and then empty the queue using qmHandle, then
>> restart Qmail, a similar thing happens.  Around 200 or so messages 
>> arrive,
>> then the server starts sending out these phishing messages.
>>
>> On the server (Centos 5.6) I have checked the following
>> Rootkits - with rkhunter
>> Viruses - Sophos (found 7 viruses and removed)
>> Checked all the Cron files for anything unusual
>> Changed all users passwords
>> SSH was already secured (different port, no root access, etc.) but 
>> changed
>> all settings and passwords.
>> Checked and attempted a number of things in "tcp/smtp"
>> Turned off all user machines on the network, no effect
>> Stopped httpd
>>
>> Nothing worked
>>
>> So, basically I am looking for assistance in how to get rid of this.
>>
>> Cheers
>> Mike Canty
>>
>>
>>
>>
>>
----------------------------------------------------------------------------
-----
>> Qmailtoaster is sponsored by Vickers Consulting Group 
>> (www.vickersconsulting.com)
>>      Vickers Consulting Group offers Qmailtoaster support and 
>> installations.
>>        If you need professional help with your setup, contact them today!
>>
----------------------------------------------------------------------------
-----
>>       Please visit qmailtoaster.com for the latest news, updates, and 
>> packages.
>>
>>        To unsubscribe, e-mail: 
>> qmailtoaster-list-unsubscr...@qmailtoaster.com
>>       For additional commands, e-mail: 
>> qmailtoaster-list-h...@qmailtoaster.com
>>
>>
>>
>
>
> -- 
> ------------------------------------------------------------
>         Inter@zioni            Interazioni di Antonio Nati
>    http://www.interazioni.it      to...@interazioni.it
> ------------------------------------------------------------
>
>
>
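The header check suggested in this thread, as an added example (not code from any poster or from the qmailtoaster project): qmail-queue records how each message was handed to it ("invoked by uid N", "from network", "by alias" or "for bounce"), so the oldest such line in a saved message or bounce shows whether the mail arrived over SMTP or was injected by a local account. The function names are hypothetical, and the mapping of uid 48 to the apache account is an assumption about a stock CentOS install.

```python
import re
from collections import Counter

# qmail-queue stamps each message with one of four "invoked ..." forms.
QMAIL_RECEIVED = re.compile(
    r"^Received: \(qmail \d+ invoked "
    r"(by uid (?P<uid>\d+)|(?P<other>from network|by alias|for bounce))\)",
    re.MULTILINE,
)
PATHS = {"from network": "smtp", "by alias": "alias", "for bounce": "bounce"}

def injection_paths(raw, uid_names=None):
    """One (path, detail) pair per qmail Received line, in file order.

    The whole text is scanned, not just the top header block, so the copy
    of the original message embedded in a bounce is examined as well.
    """
    uid_names = uid_names or {}
    found = []
    for m in QMAIL_RECEIVED.finditer(raw):
        if m.group("uid") is not None:
            uid = int(m.group("uid"))
            found.append(("local", uid_names.get(uid, "uid %d" % uid)))
        else:
            found.append((PATHS[m.group("other")], None))
    return found

def origin(raw, uid_names=None):
    """The last-listed (oldest) line shows how the mail first entered qmail."""
    paths = injection_paths(raw, uid_names)
    return paths[-1] if paths else ("unknown", None)

def summarize(messages, uid_names=None):
    """Count first-entry paths across many saved messages."""
    return Counter(origin(m, uid_names) for m in messages)

# Assumption: uid 48 is the apache account on a stock CentOS install;
# confirm on the server with `getent passwd 48`.
CENTOS_UIDS = {48: "apache"}

# Constructed samples: PHISH and DOUBLE_BOUNCE reuse the Received lines
# quoted in this thread; RELAYED is invented for contrast.
PHISH = ("Received: (qmail 2042 invoked by uid 48); 25 Nov 2011 03:01:19 -0000\n"
         "Subject: PostePay Aggiornamento\n\n<html>...</html>\n")
DOUBLE_BOUNCE = (
    "Received: (qmail 6245 invoked for bounce); 25 Nov 2011 08:40:07 -0000\n"
    "Subject: failure notice\n\n--- Below this line is the original bounce.\n\n"
    "Received: (qmail 11743 invoked for bounce); 25 Nov 2011 07:55:27 -0000\n\n"
    "--- Below this line is a copy of the message.\n\n"
    "Received: (qmail 8185 invoked by uid 48); 25 Nov 2011 03:02:16 -0000\n")
RELAYED = "Received: (qmail 4242 invoked from network); 25 Nov 2011 03:05:00 -0000\n"
```

A first-entry path of `("local", "apache")` means the web server account handed the message to qmail directly, so SMTP-level blocking in tcp.smtp would not see it; the place to look is whatever runs under that account.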