To All,

Thanks so far. To assist in getting to the bottom of this, here is a copy of the two types of messages I am getting. The first is the phishing attack and the second is the rejection notice. You can cut and paste into Notepad and then save as an HTML doc and see the actual messages.

Thank you for your advice in advance.

Cheers

-------------- MESSAGE NUMBER 100427194 --------------

Received: (qmail 2042 invoked by uid 48); 25 Nov 2011 03:01:19 -0000
Date: 25 Nov 2011 03:01:19 -0000
Message-ID: <20111125030119.2040.qm...@bpmback.protected.com.au>
To: kzo...@mailcity.com
Subject: PostePay Aggiornamento
From: Poste <poste...@poste.it>
Content-Type: text/html

<html> </html>
<html>
<style type="text/css">
<!--
.style1 {color: #0000CC}
.style2 {font-weight: bold}
-->
</style>
<body>
<div align="center">
<table width="40%" style="border: 2px solid;">
<tr>
<td bgcolor="#E9F404"><img src="http://www.poste.it/img/body/logoposte.gif" width="255" height="54"></td>
</tr>
<tr>
<td bordercolor="#E9F404"><p></p>
<FONT face=Arial size=3>
<p><FONT face=Arial size=2,5> Caro cliente <span class="style2">Poste.it </span>,</span><br>
<FONT face=Arial size=2,5>Lo staff di Poste Italiane sta eseguendo un aggiornamento programmato<br>
del software al fine di migliorare la qualita' dei servizi bancari fornit</span>i<FONT face=Arial size=2,5>.<br>
Le chiediamo di avviare la procedura di conferma dei vostri dati.
<br> A questo punto,La pregiamo di cliccare sul link che trovera' alla fine di questo messagio </font></p>
<p><FONT face=Arial size=2,5> <img src="http://www.poste.it/img/body/arrow-g.gif" width="8" height="14">
<strong><a href="http://64.34.57.80/update_member1.html">Acceda ai servizi online di Poste.it e verifichi il suo account</a></strong></font></p>
<p><FONT face=Arial size=2,5> Il sistema automaticamente, dopo aver ricevuto la documentazione e averne verificato <br>
la completezza e la verdicita' dei dati, provvedera' immediatamente a riattivare il suo account.</font></p>
<p><FONT face=Arial size=2,5> Grazie della collaborazione lo staff di <strong><a href="http://64.34.57.80/update_member1.html">Poste.it</a></strong></font><F ONT face=Arial size=2,5><br>
<BR> </font> </p>
<FONT face=Arial size=2,5> </font>
<div align="right"><font color="gray" size="2,5" face="Arial"> Poste Italiane 2011 </font></div>
</p></td>
</tr>
<tr>
<td bgcolor="#E9F404"><div align="center"><strong>
<a title="Contattaci" href="http://www.poste.it/azienda/posterisponde/">Contattaci</a> |
<a title="Privacy" href="http://www.poste.it/azienda/policy.shtml">Privacy</a> |
<a title="Mappa" href="http://www.poste.it/online/mappa.shtml">Mappa</a> |
<span class="style1">e-mail ID</span>: 3436531</strong></div></td>
</tr>
</table>
</div>
</body>
</html>
<IMG SRC="http://geo.yahoo.com/serv?s=76001524&t=1115751305" ALT=1 WIDTH=1 HEIGHT=1>

------------------------------

-------------- MESSAGE NUMBER 219491613 --------------

Received: (qmail 6245 invoked for bounce); 25 Nov 2011 08:40:07 -0000
Date: 25 Nov 2011 08:40:07 -0000
From: mailer-dae...@bpmback.protected.com.au
To: postmas...@bpmback.protected.com.au
Subject: failure notice

Hi. This is the qmail-send program at bpmback.protected.com.au.
I tried to deliver a bounce message to this address, but the bounce bounced!

<anonym...@protected.com.au>:
Sorry, no mailbox here by that name. (#5.1.1)

--- Below this line is the original bounce.

Return-Path: <>
Received: (qmail 11743 invoked for bounce); 25 Nov 2011 07:55:27 -0000
Date: 25 Nov 2011 07:55:27 -0000
From: mailer-dae...@bpmback.protected.com.au
To: anonym...@protected.com.au
Subject: failure notice

Hi. This is the qmail-send program at bpmback.protected.com.au.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<lain...@bluvacanze.it>:
User and password not set, continuing without authentication.
<lain...@bluvacanze.it> 85.158.138.51 failed after I sent the message.
Remote host said: 553-Message filtered. Please see the FAQs section on spam
553-at http://www.messagelabs.com/support/ for more
553 information. (#5.7.1)

--- Below this line is a copy of the message.

Return-Path: <anonym...@protected.com.au>
Received: (qmail 8185 invoked by uid 48); 25 Nov 2011 03:02:16 -0000
Date: 25 Nov 2011 03:02:16 -0000
Message-ID: <20111125030216.8183.qm...@bpmback.protected.com.au>
To: lain...@bluvacanze.it
Subject: PostePay Aggiornamento
From: Poste <poste...@poste.it>
Content-Type: text/html

[HTML body identical to that of message 100427194 above.]

-----Original Message-----
From: Agni Isador H [mailto:agniisa...@gmail.com]
Sent: Friday, 25 November 2011 9:12 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: RE: [qmailtoaster] Help I am sending Spam

Tonino said true: you must view the mail header, then you can find the IP address the mail is from, then block the IP address of the phishing mail with tcp rules or firewall.

Agni

-----Original Message-----
From: mattias [mailto:m...@mjw.se]
Sent: Friday, November 25, 2011 5:12 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] Help I am sending Spam

There exist no viruses for Linux.

----- Original Message -----
From: "Tonix (Antonio Nati)" <to...@interazioni.it>
To: <qmailtoaster-list@qmailtoaster.com>
Sent: Friday, November 25, 2011 10:11 AM
Subject: Re: [qmailtoaster] Help I am sending Spam

> Get one of the offending messages, study headers and examine which is the
> way the message is entering the system.
> Do you have any web site which could send a malformed form to qmail?
>
> Tonino
>
> On 25/11/2011 09:45, Mike Canty wrote:
>> To all,
>> I have a Qmail-Toaster server that is sending SPAM messages. They
>> are from anonymous@my.domain and all are going to mailboxes in Italy. The
>> message is always the same, subject "PostePay Aggiornamento" and it is an
>> HTML based message that is definitely a phishing message.
>>
>> Every time we stop Qmail and then empty the queue using qmHandle, then
>> restart Qmail, a similar thing happens. Around 200 or so messages arrive,
>> then the server starts sending out these phishing messages.
>>
>> On the server (CentOS 5.6) I have checked the following:
>> Rootkits - with rkhunter
>> Viruses - Sophos (found 7 viruses and removed)
>> Checked all the cron files for anything unusual
>> Changed all users' passwords
>> SSH was already secured (different port, no root access, etc.) but changed
>> all settings and passwords.
>> Checked and attempted a number of things in "tcp/smtp"
>> Turned off all user machines on the network, no effect
>> Stopped httpd
>>
>> Nothing worked
>>
>> So, basically I am looking for assistance in how to get rid of this.
>>
>> Cheers
>> Mike Canty
>>
>> ---------------------------------------------------------------------------------
>> Qmailtoaster is sponsored by Vickers Consulting Group (www.vickersconsulting.com)
>> Vickers Consulting Group offers Qmailtoaster support and installations.
>> If you need professional help with your setup, contact them today!
>> ---------------------------------------------------------------------------------
>> Please visit qmailtoaster.com for the latest news, updates, and packages.
>>
>> To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
>> For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
>
> --
> ------------------------------------------------------------
> Inter@zioni Interazioni di Antonio Nati
> http://www.interazioni.it to...@interazioni.it
> ------------------------------------------------------------
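Tonino's advice in the thread (take one offending message, study its headers, and work out how it entered the system) is worth automating when the queue fills with hundreds of copies. The Python script below is an added example written for this page; it is not code from the thread, from any of its posters, or from the Qmail-Toaster project. It reads the Received: trail of a raw message and reports whether qmail accepted it from a local process (the `invoked by uid N` form, which both phishing copies quoted above show with uid 48), from a remote host over SMTP (the `from ... (a.b.c.d)` form written by qmail-smtpd), or generated it itself as a bounce. The embedded sample messages are constructed: the first reuses the header block of message 100427194 with the addresses replaced by `example.invalid` placeholders, the other two are invented to show the remaining forms. The assumption that uid 48 is the apache user holds for a stock CentOS install and should be confirmed on the actual server with `getent passwd 48`.

```python
"""Classify how a message entered qmail by reading its Received: headers.

Added example for the qmailtoaster thread above; not part of Qmail-Toaster.
"""
import re
from email import message_from_string

# Assumption: on a stock CentOS install uid 48 is "apache". Confirm with
# `getent passwd 48` on the server before drawing conclusions from a match.
WEB_SERVER_UIDS = {48}

# qmail-inject / sendmail-wrapper path: a local process handed the message to qmail.
LOCAL_RE = re.compile(r"\(qmail \d+ invoked by uid (\d+)\)")
# qmail-send generated this message itself (failure notice / double bounce).
BOUNCE_RE = re.compile(r"\(qmail \d+ invoked for bounce\)")
# qmail-smtpd path: the remote peer's address appears in parentheses.
IPV4_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def classify_entry(raw_message: str) -> dict:
    """Return how the message entered qmail: local injection, network, bounce, or unknown."""
    msg = message_from_string(raw_message)
    # Unfold continuation lines so each regex sees one Received: header per string.
    received = [" ".join(h.split()) for h in (msg.get_all("Received") or [])]
    for line in received:
        m = LOCAL_RE.search(line)
        if m:
            uid = int(m.group(1))
            return {"entry": "local", "uid": uid, "via_web_server": uid in WEB_SERVER_UIDS}
    for line in received:
        m = IPV4_RE.search(line)
        if m:
            return {"entry": "network", "ip": m.group(1)}
    for line in received:
        if BOUNCE_RE.search(line):
            return {"entry": "bounce"}
    return {"entry": "unknown"}


def triage(messages: dict) -> dict:
    """Classify a batch of raw messages (for example, files dumped from the queue) keyed by name."""
    return {name: classify_entry(raw) for name, raw in messages.items()}


# Constructed samples. PHISH reproduces the header block of message 100427194 in the
# thread with placeholder addresses; SMTP_IN and BOUNCE are invented to show the other forms.
PHISH = """Received: (qmail 2042 invoked by uid 48); 25 Nov 2011 03:01:19 -0000
Date: 25 Nov 2011 03:01:19 -0000
To: recipient@example.invalid
Subject: PostePay Aggiornamento
From: Poste <poste@example.invalid>
Content-Type: text/html

<html><body>...</body></html>
"""

SMTP_IN = """Received: (qmail 777 invoked from network); 25 Nov 2011 04:00:00 -0000
Received: from unknown (HELO mail.example.invalid) (203.0.113.5)
  by mail.example.invalid with SMTP; 25 Nov 2011 04:00:00 -0000
From: sender@example.invalid
To: recipient@example.invalid
Subject: ordinary inbound mail

hello
"""

BOUNCE = """Received: (qmail 6245 invoked for bounce); 25 Nov 2011 08:40:07 -0000
Date: 25 Nov 2011 08:40:07 -0000
From: mailer-daemon@mail.example.invalid
To: postmaster@mail.example.invalid
Subject: failure notice

Hi. This is the qmail-send program at mail.example.invalid.
"""

if __name__ == "__main__":
    for name, verdict in triage({"phish": PHISH, "inbound": SMTP_IN, "bounce": BOUNCE}).items():
        print(f"{name}: {verdict}")
```

A `local` verdict with `via_web_server` set means the message never crossed the network on its way into qmail: blocking a sender address in tcp.smtp or the firewall, as suggested earlier in the thread, cannot stop it, because there is no sender address to block. The useful next question is what on the host runs as that uid and can reach qmail-inject or the sendmail wrapper, starting with the web applications hosted on the box.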