Hi Folks,
I'm not sure this is the right place to post this, but since I suspect it may be related to a BIND misconfiguration, I'll post it here. I apologize if this is the wrong place.
Last night I received a ticket from my ISP (they're using giga-international servers in Germany) that says (it's quoted from giga):
We have received complaints about your server, specifically about the IP-address
91.194.91.7, assigned to the server 6035 (main IP: 91.194.91.75). Please see the
forwarded e-mail below for more details. Apparently, your server is used for
distributing SPAM, which is strictly forbidden by our ToS.
It seems there's a message from davidkm092@gmail.com or davidkim189@gmail.com that they claim he sent from my IP (I swear I've never heard of him).
The most important note is no one has any kind of access to my VPS except myself.
I suspect:
1. My BIND configuration or something else has a problem
2. giga-international made a mistake
In case one, this is my configuration:
http://forums.freebsd.org/showthread.php?t=10593
And for sendmail:
/etc/mail/access
Code:
babaei.net RELAY
3rr0r.babaei.net RELAY
91.194.91.7 RELAY
127.0.0.1 RELAY
localhost RELAY
/etc/mail/local-host-names
Code:
babaei.net
3rr0r.babaei.net
91.194.91.7
127.0.0.1
localhost
/etc/mail/virtusertable
Code:
ace.of.zerosync@gmail.com root
Am I doing something wrong?
If so, is there any way to harden them?
Thanks in advance.
And this is the full ticket including the spam message with headers:
Dear Mr Yarmohammadi,
dear Mr Aryafar,
We have received complaints about your server, specifically about the IP-address
91.194.91.7, assigned to the server 6035 (main IP: 91.194.91.75). Please see the
forwarded e-mail below for more details. Apparently, your server is used for
distributing SPAM, which is strictly forbidden by our ToS.
Please take immediate action to stop this. Abuse is a very serious topic and we
have to handle this strictly. It is required that we receive your reply and that
the problem is solved within the next 24 hours. The abuse must have been stopped
by you within the next 24 hours. Your reply must contain all information so we
know what you have done to stop this immediately and what you have done to avoid
such or similar things in the future.
Abuse is a serious threat and can cause a huge amount of damage. We ask for your
understanding that, as an Internet provider, we must handle abuse strictly and
with no tolerance. We will suspend access to your server if we do not receive your
reply within the next 24 hours or if the problem has not been solved within the
next 24 hours. The reactivation of your server always demands a reactivation fee
of at least 30.00 EUR.
We are waiting for your earliest reply
If you have any questions or need help, please don't hesitate to contact us.
--
Best regards,
Christian Fischer
Technischer Support / Technical support
Giga-Hosting GmbH
Aschauer Straße 32a
81549 München
http://www.Giga-International.com
E-mail: support@giga-international.com
Tel.: +49 (0) 89 212 683 72
Fax: +49 (0) 89 216 658 62
Amtsgericht München
HRB 180722
Authorized executives:
Michael Herpich & Michael Bölke
___________________________________________________________
Please do not change the subject line of this e-mail. Only by this you make sure
that your answer will not be out of context.
Please direct all support issues directly to support@giga-international.com .
This will guarantee fastest processing possible.
___________________________________________________________
22.03.2010 10:26 - Dietmar Braun wrote:
>
> Dear Administrators,
>
> this is a complaint about a spam mail sent to netcologne.de by one of your
> subscribers. See the complete mail with headers below.
>
> Please deal with this incident and stop the abuse.
>
> netcologne.de reserves the right to block your abusing network if this
> abuse doesn't stop or we get the impression that you are not handling
> abuse complaints properly.
>
> Thank you for your cooperation in the fight against spam.
>
> Regards,
> Dietmar Braun
> NetCologne Postmaster
>
> ===8<============== Original Spam Mail ===============
> Return-Path: <davidkm092@gmail.com>
> Received: from mailstore6.netcologne.de ([unix socket])
> by mailstore6.netcologne.de (Cyrus) with LMTPA;
> Sat, 20 Mar 2010 17:24:53 +0100
> Received: from antispam2.netcologne.de (antispam2.netcologne.de [194.8.194.149])
> by mailstore6.netcologne.de (Postfix) with ESMTP id 735C610C
> for <dbraun@mailstore6.netcologne.de>; Sat, 20 Mar 2010 17:24:53 +0100
> (MET)
> X-IronPort-Anti-Spam-Filtered: true
> X-IronPort-Anti-Spam-Result:
> Av//AH6TpEtbwlsFX2dsb2JhbAADAQEwgTEBAQGBIIlegRYDOg1cgkuGEYJWD2UqBhYlhhF2KR6eHIZwCjYKghsIhEEuiX2BGAURAQcIEASBSowTBIMrgRU
> X-NetCologne-Spam: H
> Received: from mx0.netcologne.de ([194.8.194.44])
> by antispam2.netcologne.de with ESMTP; 20 Mar 2010 17:24:52 +0100
> Received: from power.hostjewelry.info (power.hostjewelry.info [91.194.91.5])
> by mx0.netcologne.de (Postfix) with ESMTP id BCBBF6200AD
> for <dietmar.braun@netcologne.de>; Sat, 20 Mar 2010 17:24:52 +0100 (CET)
> Received: from vc-41-27-237-84.umts.vodacom.co.za ([41.27.237.84] helo=User)
> by power.hostjewelry.info with esmtpa (Exim 4.69)
> (envelope-from <davidkm092@gmail.com>)
> id 1Nt1Pw-00032L-7F; Sat, 20 Mar 2010 09:20:53 -0700
> Reply-To: <davidkm092@gmail.com>
> From: "David Kim" <davidkm092@gmail.com>
> Subject: Your kind Attention Needed.
> Date: Sat, 20 Mar 2010 18:23:14 +0200
> MIME-Version: 1.0
> Content-Type: text/html;
> charset="Windows-1251"
> Content-Transfer-Encoding: 7bit
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2600.0000
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
> X-AntiAbuse: This header was added to track abuse, please include it with any
> abuse report
> X-AntiAbuse: Primary Hostname - power.hostjewelry.info
> X-AntiAbuse: Original Domain - netcologne.de
> X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
> X-AntiAbuse: Sender Address Domain - gmail.com
> Message-Id: <20100320162453.735C610C@mailstore6.netcologne.de>
> To: undisclosed-recipients:;
>
> DEAR FRIEND,
>
> URGENT AND CONFIDENTIAL:
>
> TRANSFER OF [$13,500.000.00 USD. THIRTEEN MILLION FIVE HUNDRED THOUSAND UNITED
> STATES DOLLARS
>
> WE WANT TO TRANSFER TO OVERSEAS [$13,500.000.00] THIRTEEN MILLION FIVE HUNDRED
> THOUSAND UNITED STATES DOLLARS FROM CAPITEC BANK IN SOUTH AFRICA. I WOULD LIKE, IF
> YOU WILL BE CAPABLE AND FIT TO PROVIDE EITHER AN EXISTING BANK ACCOUNT OR TO SET
> UP A NEW BANK ACCOUNT IMMEDIATELY TO RECEIVE THIS MONEY, EVEN AN EMPTY ACCOUNT CAN
> SERVE TO RECEIVE THIS MONEY, AS LONG AS YOU WILL REMAIN HONEST TO ME TILL THE END
> OF THIS IMPORTANT BUSINESS TRANSACTION.
>
> I WANT TO BELIEVE THAT YOU WILL NEVER LET ME DOWN EITHER NOW OR IN FUTURE. I AM
> MR. DAVID KIM DIRECTOR OF ACCOUNTS DEPARTMENT OF CAPITEC BANK SA, DURING THE
> COURSE OF OUR AUDITING I DISCOVERED A FLOATING FUND IN AN ACCOUNT OPENED WITH A
> SECURITY COMPANY IN 1994 AND SINCE 2003 NOBODY HAS OPERATED ON THIS ACCOUNT AGAIN,
> AFTER GOING THROUGH SOME OLD FILES IN THE RECORDS I DISCOVERED THAT THE OWNER OF
> THE ACCOUNT DIED WITHOUT AN HEIR HENCE THE MONEY IS FLOATING AND IF I DO NOT REMIT
> THIS MONEY OUT URGENTLY IT WILL BE FORFEITED FOR NOTHING.
>
> THE OWNER OF THIS ACCOUNT WAS A FOREIGNER,AN INDUSTRIALIST, HE DIED SINCE 1998
> AND NO OTHER PERSON KNOWS ABOUT THIS ACCOUNT OR ANYTHING CONCERNING IT, THE
> ACCOUNT HAS NO BENEFICIARY AND MY INVESTIGATION PROVED TO ME AS WELL THAT THE
> ACCOUNT OWNER UNTIL HIS DEATH WAS A EXPERTRIATE/CONTRACTOR WITH ESKOM IN SOUTH
> AFRICA [PTY] SA.
>
> I AM CONTACTING YOU AS A FOREIGNER BECAUSE THIS MONEY CAN ONLY BE APPROVED TO A
> FOREIGNER WITH A VALID INTERNATIONAL PASSPORT OR DRIVERS LICENCE AND FOREIGN
> ACCOUNT BECAUSE THE MONEY IS IN US DOLLARS AND THE FORMER OWNER OF THE ACCOUNT IS
> A FOREIGNER.I AM REVEALING ALL THIS TO YOU WITH THE BELIEF THAT YOU WILL NEVER LET
> ME DOWN IN THIS BUSINESS, YOU ARE THE FIRST AND THE ONLY PERSON I AM CONTACTING
> FOR THE BUSINESS SO PLEASE REPLY URGENTLY FOR ME TO TELL YOU THE NEXT STEP TO
> TAKE.
>
> YOU SHOULD FORWARD YOUR TELEPHONE AND FAX NUMBERS WHICH IS ALSO NEEDED. YOU WILL
> HAVE TO GIVE ME THE ASSURANCE WHEN WE MEET THAT THIS MONEY WILL BE INTACT PENDING
> OUR PHYSICAL ARRIVAL IN YOUR COUNTRY FOR SHARING AND DISBURSEMENT OF THE FUND
> WHICH WILL BE 40% FOR YOUR ASSISTANCE, 55% WILL BE FOR US WHILE 5% WILL BE SET
> ASIDE TO TAKE CARE OF ALL THE EXPENSES THAT WILL BE INCURED BY BOTH PARTIES DURING
> THE COURSE OF THE TRANSFER.
>
> I LOOK FORWARD TO YOUR EARLIEST RESPONSE, NOTE YOU CAN ALSO CALL ME ON MY PRIVATE
> NUMBER OR MY E-MAIL ADDRESS BELOW, FOR SECURITY REASONS.
>
> BEST REGARDS,
>
> MR. DAVID KIM
>
> TEL:+27-732-810013
>
> FAX:+27-11-2197387
>
> Email:davidkim189@gmail.com
>
> ===8<=========== End of original Spam Mail ===========
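The first check to make on a ticket like this is to read the Received chain of the forwarded spam and see whether the message ever passed through the accused host at all; the following is an added example (not code from the post or its author) that parses the chain, reports the injection point, and flags whether any of the ticket's IPs appear in it. The sample is the three relevant hops excerpted from the complaint above, and MY_IPS assumes the addresses named in the ticket are the poster's own.

```python
import re
# Constructed sample: the last three Received hops excerpted from the forwarded spam (top = latest hop).
SAMPLE_HEADERS = """\
Received: from mx0.netcologne.de ([194.8.194.44])
 by antispam2.netcologne.de with ESMTP; 20 Mar 2010 17:24:52 +0100
Received: from power.hostjewelry.info (power.hostjewelry.info [91.194.91.5])
 by mx0.netcologne.de (Postfix) with ESMTP id BCBBF6200AD
 for <dietmar.braun@netcologne.de>; Sat, 20 Mar 2010 17:24:52 +0100 (CET)
Received: from vc-41-27-237-84.umts.vodacom.co.za ([41.27.237.84] helo=User)
 by power.hostjewelry.info with esmtpa (Exim 4.69)
 (envelope-from <davidkm092@gmail.com>)
 id 1Nt1Pw-00032L-7F; Sat, 20 Mar 2010 09:20:53 -0700
"""
# IPs named in the abuse ticket; assumed to be the poster's own addresses.
MY_IPS = {"91.194.91.7", "91.194.91.75"}

def unfold(raw):
    """Join folded header lines (a continuation line starts with whitespace)."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out

def parse_received(raw):
    """Hops in transit order (first hop first). Each Received line is written by
    the receiving MTA, so trust them top-down only as far as MTAs you trust."""
    hops = []
    for h in unfold(raw):
        if not h.lower().startswith("received:"):
            continue
        m = re.search(r"from\s+(\S+).*?by\s+(\S+).*?with\s+(\S+)", h)
        ips = re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", h)
        hops.append({"from": m.group(1) if m else "?",
                     "by": m.group(2) if m else "?",
                     "with": m.group(3).rstrip(";").lower() if m else "?",
                     "ip": ips[0] if ips else None})
    return hops[::-1]

def assess(raw, my_ips=MY_IPS):
    """Did the mail pass through my hosts, and where/how was it injected?"""
    hops = parse_received(raw)
    first = hops[0]
    return {"touched_my_host": any(h["ip"] in my_ips for h in hops),
            "injection_ip": first["ip"], "injected_via": first["by"],
            # Exim writes "esmtpa" when the session passed SMTP AUTH
            "authenticated_submission": first["with"].startswith("esmtpa")}
```

On this sample the message enters at power.hostjewelry.info (91.194.91.5) over an authenticated session (esmtpa) from a Vodacom mobile address, and 91.194.91.7 appears in no hop, so the poster's sendmail is not in the delivery path of this particular message.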