Not sure if this is just a clever spoof, a bug, or a security issue. But it looks like someone is able to send spam from my install of vB (via sendmessage.php). I have been getting one or two of the following bounced emails every day for a week or so. (I cleaned it of site, domain, and server names.)
The usernames (Della Riley and Kayla Trujillo) do not exist (in my user table), nor does the email address: [email protected].
I notice the ( mailto: ) is blank and the userid is missing from: /admincp/ezbounce.php?u=
Thanks for any assistance or insight.
--RayJ
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
[email protected]
SMTP error from remote mail server after RCPT TO:<[email protected]>:
host bcgsa.com [206.130.110.179]: 550 5.1.1 <[email protected]>... User unknown
------ This is a copy of the message, including all the headers. ------
Return-path: <bounce@DOMAINNAME>
Received: from SERVERNAME ([127.0.0.1] helo=localhost)
by DOMAINNAME with esmtp (Exim 4.63)
(envelope-from <bounce@DOMAINNAME>)
id 1M132x-0000od-U4
for [email protected]; Mon, 04 May 2009 13:37:55 -0500
Date: Mon, 04 May 2009 18:37:47 +0000
To: [email protected]
From: "SITENAME" <webmaster@DOMAINNAME>
Auto-Submitted: auto-generated
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-Mailer: vBulletin Mail via PHP
X-EZbouncer: http://www.DOMAINNAME/admincp/ezbounce.php?u=
Subject: [email protected]
X-Spam-Report: Spam detection software, running on the system "SERVERNAME.DOMAINNAME", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.
Content preview: Della Riley, This is a message from Kayla Trujillo ( mailto:
) from the SITENAME ( http://www.DOMAINNAME/ ). The message is as follows:
[...]
Content analysis details: (-0.2 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
-1.4 ALL_TRUSTED Passed through trusted hosts only via SMTP
2.5 URI_NOVOWEL URI: URI hostname has long non-vowel sequence
-1.3 AWL AWL: From: address is in the auto white-list
Della Riley,
This is a message from Kayla Trujillo ( mailto: ) from the SITENAME ( http://www.DOMAINNAME/ ).
The message is as follows:
38jkwskkr2m1lzdb
<a href= http://zlqhmztvas.com >tplnh mzfv</a>
<a href= http://kmoqzgk.com >msxhfpz idyfjga</a>
<SNIPPED>
SITENAME takes no responsibility for messages sent through its system.
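An added triage example (mine, not RayJ's and not vBulletin's own code) for the pattern the bounce above shows: it pulls the copied original message out of an Exim bounce report and flags the two things the post points at, the empty u= parameter on the X-EZbouncer URL and the blank mailto: after the sender's name, plus a sender name that is not in the user table and link hosts with long consonant runs (a rough stand-in for the URI_NOVOWEL hit, not SpamAssassin's actual rule). The known-user set, the two-indicator threshold, and every address, host name and Message-ID in the samples are constructed placeholders, not data from the post.

```python
"""Triage helper for vBulletin 'send to friend' bounces (added example, not
vBulletin code). Parses the original message Exim copies into its bounce
report and reports the abuse indicators the forum post describes."""
import email
import re
from email import policy
from urllib.parse import parse_qs, urlparse

# Exim places the copied original message after this marker line.
EXIM_COPY_MARKER = ("------ This is a copy of the message, "
                    "including all the headers. ------")

# Hypothetical user table; in practice load the names from vBulletin's user table.
KNOWN_USERS = {"Alice Example", "RayJ"}

# Constructed sample modelled on the bounce in the post; addresses and hosts
# are placeholders.
SPAM_BOUNCE = """This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
  victim@example.com
""" + EXIM_COPY_MARKER + """
Return-path: <bounce@forum.example>
Received: from SERVERNAME ([127.0.0.1] helo=localhost)
\tby forum.example with esmtp (Exim 4.63)
\tfor victim@example.com; Mon, 04 May 2009 13:37:55 -0500
To: victim@example.com
From: "SITENAME" <webmaster@forum.example>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
X-Mailer: vBulletin Mail via PHP
X-EZbouncer: http://www.forum.example/admincp/ezbounce.php?u=
Subject: victim@example.com

Della Riley,
This is a message from Kayla Trujillo ( mailto: ) from the SITENAME ( http://www.forum.example/ ).
The message is as follows:
38jkwskkr2m1lzdb
<a href= http://zlqhmztvas.com >tplnh mzfv</a>
<a href= http://kmoqzgk.com >msxhfpz idyfjga</a>
SITENAME takes no responsibility for messages sent through its system.
"""

# Constructed control: a genuine member-to-friend message for comparison.
LEGIT_MESSAGE = """To: friend@example.com
From: "SITENAME" <webmaster@forum.example>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: vBulletin Mail via PHP
X-EZbouncer: http://www.forum.example/admincp/ezbounce.php?u=42
Subject: Check out this thread

Bob,
This is a message from Alice Example ( mailto:alice@example.com ) from the SITENAME ( http://www.forum.example/ ).
The message is as follows:
Thought you would like http://www.forum.example/showthread.php?t=1
"""

SENDER_RE = re.compile(r"This is a message from (.+?) \( mailto:\s*([^\s)]*)\s*\)")
HOST_RE = re.compile(r"https?://([^\s/<>\"']+)")
# Rough stand-in for the URI_NOVOWEL idea (4+ consonants in a row), not SA's rule.
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{4,}", re.I)


def inner_message(raw):
    """Return the original message copied into an Exim bounce, else raw unchanged."""
    _, found, tail = raw.partition(EXIM_COPY_MARKER)
    return tail.lstrip("\n") if found else raw


def triage(raw, known_users=KNOWN_USERS):
    """Extract abuse indicators from one bounce or message; returns a dict."""
    msg = email.message_from_string(inner_message(raw), policy=policy.default)
    body = "" if msg.is_multipart() else msg.get_content()
    ezb = str(msg.get("X-EZbouncer", ""))
    # parse_qs drops blank values, so an empty u= reads back as "".
    userid = parse_qs(urlparse(ezb).query).get("u", [""])[0]
    m = SENDER_RE.search(body)
    sender_name, sender_addr = (m.group(1), m.group(2)) if m else ("", "")
    own_host = urlparse(ezb).netloc  # links back to the forum itself are expected
    odd_hosts = [h for h in HOST_RE.findall(body)
                 if h != own_host and CONSONANT_RUN.search(h)]
    ind = {
        "vbulletin_mailer": str(msg.get("X-Mailer", "")) == "vBulletin Mail via PHP",
        "ezbounce_userid_blank": userid == "",
        "sender_mailto_blank": sender_addr == "",
        "sender_unknown": sender_name not in known_users,
        "sender_name": sender_name,
        "odd_link_hosts": odd_hosts,
    }
    hits = sum(ind[k] for k in ("ezbounce_userid_blank", "sender_mailto_blank",
                                "sender_unknown")) + bool(odd_hosts)
    # Requiring two indicators is an arbitrary threshold chosen for this example.
    ind["abuse_suspected"] = ind["vbulletin_mailer"] and hits >= 2
    return ind


if __name__ == "__main__":
    for label, sample in (("spam bounce", SPAM_BOUNCE), ("genuine message", LEGIT_MESSAGE)):
        print(label, triage(sample))
```

Point it at the whole bounce mailbox rather than one message; the empty u= (the user ID the post notes is missing) together with the blank mailto: is what separates these from a real member's message, which carries both. Confirming that sendmessage.php is the entry point still needs the web server access log: look for POSTs to that script at the times in the Received headers.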