
osCommerce


SpamCop and spammer got me banned


nzGoner


Oh man, my hosting company suspended the website because my site was reported for spam.

I need to find out what is wrong with the site before they enable the site again... can anyone please give me some advice on which files/folders are infected?

I have been looking for the last hour and can't find any line or PHP file that is hacked X_X or maybe I am just frustrated and tired.

My eyes :( please help me!!!!

The hosting company kindly provided the warning message to me:

 

Date: Friday, April 27, 2012 3:20 AM -0400
From: [email protected]
To: Abuse Complaints <abuse@gnax.net>
Subject: [spamCop (http://www.nottyhorse.co.nz./product_info.php?products_id=111) id:5756350126]Your friend *** MAKEMONEY Everyday. A 24CARAT Life..

MIME-Version: 1.0
Received: from sembx02.gnax.net (209.51.141.3) by MBX02.gnax.lan
(172.16.20.93) with Microsoft SMTP Server (TLS) id 8.1.436.0; Fri, 27 Apr
2012 07:58:20 -0400
Received: from sc-smtp7-inbound.soma.ironport.com ([204.15.82.101]) by
sembx02.gnax.net with esmtp (Exim 4.76) (envelope-from
<5756350126.d8b0d39a@bounceswirl.spamcop.net>) id 1SNjoV-0002YZ-7a for
abuse@gnax.net; Fri, 27 Apr 2012 07:58:20 -0400
Received: from prod-sc-www1.soma.ironport.com (HELO prod-sc-www1.spamcop.net)
([192.168.50.136]) by sc-smtp-vip.soma.ironport.com with SMTP; 27 Apr 2012
04:58:09 -0700
Received: from [69.0.91.167] by spamcop.net with HTTP; Fri, 27 Apr 2012
11:58:09 GMT
From: "[email protected]" <[email protected]>
To: Abuse Complaints <abuse@gnax.net>
Date: Fri, 27 Apr 2012 02:20:32 -0400
Subject: [spamCop
(http://www.nottyhorse.co.nz./product_info.php?products_id=111)
id:5756350126]Your friend *** MAKEMONEY Everyday. A 24CARAT Life..
Thread-Topic: [spamCop
(http://www.nottyhorse.co.nz./product_info.php?products_id=111)
id:5756350126]Your friend *** MAKEMONEY Everyday. A 24CARAT Life..
Thread-Index: Ac0kbP1odHrzuNe2Sv6Njh6VjfR5+
Q==
Message-ID: <[email protected]>
Accept-Language: en-US
Content-Language: en-US
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-AuthSource: MBX02.gnax.lan
X-MS-Has-Attach:
X-Auto-Response-Suppress: All
X-MS-TNEF-Correlator:
x-filter-id:
XtLePq6GTMn8G68F0EmQvZdZ6gtnbeQ8GngGrvAbQQ1Iz8IToLbcFeN7umh2uL0/ulvX8HGJsdmB
zmlODocdNdnZzMv/E7YCFKjNeoZ9hmemfFnkfS+XVLw88hbKAH7zZucLEJ9a5arzvw0gMoMtZi4I
NNHE+9OoU2hIY4v9xjsuI/DxiC07iTYLws35gDQiSQ/aWuLBTI6xy/AFQ+sJzXEeEyqkte6ch47x
+0E2A6lTVeiexinONJWi83U74KajXwZTRfV/dOZrBcwXJUQWhufYGjWnJWUxJNKHONRGsneEPw7T
27N13i2g4ZX18beykahhWiqS0yZHJjnvbxQMVy5hWCcYT01fHF/ixjceFaHkjPjcZrSCZLD7je9X
Yh69S+EwNc0Tbd3vsR+uM5ngDOSRlqgYp+0z2RHioTRZU6vonV+E7OMXRvgtdyMlnmWi4zGrOd/h
TVS7LOZrn3QgZFvQIQ5Qc/sdonQpHPfLdP/iC0NilibG69rkX/y8FSKurAi//v4TWe9KSQEUyhjb
Ug==
x-spamexperts-class: whitelisted
x-spamexperts-evidence: recipient
x-recommended-action: accept
x-whitelisted: recipient
x-spamcop-sourceip: 207.210.76.133
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

[ SpamCop V4.6.2.001 ]
This message is brief for your comfort. Please use links below for details.

Email from 207.210.76.133 / Thu, 26 Apr 2012 23:20:32 -0700
http://www.spamcop.net/w3m?i=z5756350124z18a2d43a5c0a345c1a97bcca2e1c99eaz

Spamvertised web site: http://www.nottyhorse.co.nz./
http://www.spamcop.net/w3m?i=z5756350125zb3fb42b28ad3b0305a69aabd8ba0acffz
http://www.nottyhorse.co.nz./ is 75.127.67.106; Fri, 27 Apr 2012 11:57:42
GMT

Spamvertised web site:
http://www.nottyhorse.co.nz./product_info.php?products_id=111
http://www.spamcop.net/w3m?i=z5756350126zd8b0d39a34ed2fa03348505e6071af46z
http://www.nottyhorse.co.nz./product_info.php?products_id=111 is
75.127.67.106; Fri, 27 Apr 2012 11:57:42 GMT

[ Offending message ]
X-Apparently-To: x via 98.138.198.113; Thu, 26 Apr 2012 23:20:32 -0700
Return-Path: <nobody@shuttle.dnsprotect.com>
X-YahooFilteredBulk: 207.210.76.133
Received-SPF: none (domain of shuttle.dnsprotect.com does not designate
permitted sender hosts)
X-YMailISG:
DPyaG9EWLDuoWFg4_E7q7Zg1ZVGl0fwjTqn28h2BeSv_2KZ2
Bx7oOE3u80nfh6LcqJmRYaathSeUvJO_KrZvBuJoPP79VCC.N7O.Gj_6JrK5
5iq.QlJo36vZeKEx1jjsQH3MIrYYEXv0YVD6Oc9ktQg0Qm0bFZtIMGoBPJyR
G_RqRaZ1g2WNrJFY3BtlCfV9sQf_D4rC8dzPgFfXl3Q6jOvZiIKBu5GkbLO4
A6KUJhVLjEpQsX3_XTSXFtTTxu_b4Ezb2f0nIQERm36b0keMT7S2H62QmMmo
fTX3I3xRT0ftuqaOpAt3PH2HoMvN69ytd_gYzK_DT_uZQmXw0Ox0_PL73hYR
EwBOYlFctf8wkoPiIXjuc19v4aWWWLD0ffDSYxowjomv1XOxW_U1f6Yco9Zd
5SLF0wIveT8Z_KQ_QxQn7Ys.mWgcw5e99pSlTQ9Zv28JreaX81HmkRS6Cy15
vOwdf.OLbDLhc3DzdP7aezCm1FQrMd8inIA0xPU2ZFlXPdbzGdE1w5pp8jf_
M30n.fkjJ2n3ovfe.mKm_OAQtnSlFN0MbtSCRIthympf9svKEj7HUdtsgUlv
SO0ea01890SfgYfvcIqP5HqjIHPGT.3V2Wfv93UaQ1qz6G_rjGdfqn4mnnTq
6wrE2QPcmWYM0BITDas83vv1B7Fjr_CKh.hS7MJ_hkRdB50nZKabnxrT6gQX
NjGKr1X1jSNSTP9DEzA9DLRAerYfCX9qAnWBkPEt78V6CCOh0T2tBIkX74Js
ZHPsnxI012yvlYjVj7L75T8VF0bI9wGd3yV3_eSMREyHlMv0o4SIwsyTseDF
S0o647x1u46m8vFcqBPqJxmib_NFCR34r7VhkpEUqj7B_54760hyTkYrgwdF
bS89UkdeY.UfFRNt_mICS_02YRG25Mk4vBahG5xbfPAxJdmNG.VUqvkiTBeJ
zf_BwqVqnmViwU8dknlIqKLS8ZHAgxovDF4mvSaU1tGIPgqqfai_jnBBqVfI
2K_Ase8GvmmlO0hnTxtTVDHc98lF5rWTPtv6tLmbDtpfroB87oyI6O.vBpVE
goyB1ctGfdUyXlDrw2bayiozt.7rWGf7V3VuRoPz9.5uKMa1FciV_naSDxft
lZpb0YWEbD.5ZAk2pne1kowvj_o3gRHrmUphxZj1M2pjyg77HpEjF58H7I4V
YDXTX9OB_8nREN_hG7BDAGy4GPsLwGmp6XSOMv9X0pc-
X-Originating-IP: [207.210.76.133]
Authentication-Results: mta1033.sbc.mail.sp1.yahoo.com from=excite.com;
domainkeys=neutral (no sig); from=excite.com; dkim=neutral (no sig)
Received: from 207.115.20.126 (EHLO flpd116.prodigy.net) (207.115.20.126)
by mta1033.sbc.mail.sp1.yahoo.com with SMTP; Thu, 26 Apr 2012 23:20:32 -0700
X-Originating-IP: [207.210.76.133]
Received: from shuttle.dnsprotect.com (shuttle.dnsprotect.com
[207.210.76.133] (may be forged)) by flpd116.prodigy.net (8.14.4
IN/8.14.4) with ESMTP id q3R6KVmO016531 for <x>; Thu, 26 Apr 2012 23:20:32
-0700
Received: from nobody by shuttle.dnsprotect.com with local (Exim 4.77)
(envelope-from <nobody@shuttle.dnsprotect.com>)
id 1SNeXd-0002uT-GP
for x; Fri, 27 Apr 2012 02:20:29 -0400
To: "x" <x>
Subject: Your friend *** MAKEMONEY Everyday. A 24CARAT Life Changing INFO.
*** has recommended this great product from NottyHorse
X-PHP-Script: www.nottyhorse.co.nz/tell_a_friend.php for 76.72.169.27
From: "*** MAKEMONEY Everyday. A 24CARAT Life Changing INFO. ***"
<PricelessInformation@excite.com>
MIME-Version: 1.0
X-Mailer: osCommerce Mailer
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <E1SN_________T-GP@shuttle.dnsprotect.com>
Date: Fri, 27 Apr 2012 02:20:29 -0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - shuttle.dnsprotect.com
X-AntiAbuse: Original Domain - snet.net
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain - shuttle.dnsprotect.com
Content-Length: 506


Hi x!

Your friend, *** MAKEMONEY Everyday. A 24CARAT Life Changing INFO. ***,
thought that you would be interested in Castanet (605) from NottyHorse.

 

***************************************

 

Hi,

 

 

 

It Doesnt Matter Where In The World You Are,

If You Have An Internet Connection

 

To view the product click on the link below or copy and paste the link into

your web browser:

 

www.nottyhorse.co.nz./product_info.php?products_id=111

 

Regards,

 

NottyHorse


You may want to check the root directory for any unknown folders, etc. You can check the index.php file and I believe either at the very bottom or very top there might be code embedded there as well.

Do or Do Not, there is no try.


Read this

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 



From the subject line on the spam, I'm guessing that's not something that you sent. Nevertheless, are you sending out newsletters to customers? Maybe one of them decided that they wanted to unsubscribe and clicked "Report as spam". Some people are just stupid. Make sure that everyone who receives a newsletter or other mass mailing from you explicitly "opted in", you remind them that they opted in, and tell them how to easily unsubscribe. You may need to unsubscribe everyone and ask those who are interested to opt in to receive newsletters. Some truly important system news (e.g., a security problem discovered) should go out to everyone, regardless of whether they opted in.

 

As mentioned before, it's possible that your site has been compromised, including Tell-A-Friend. The text of the spam suggests that it came from TAF, but that's not proven. Is nottyhorse.co.nz your site? What version of osC are you running? Anything earlier than 2.3.1 that hasn't had a number of security patches applied is vulnerable to hacks.

 

Finally, it's possible that the emails weren't even sent from your site. Some spammer may be simply spoofing your address. Can your host establish from any email traffic records whether your site is the one that actually blasted out these emails? If it's not from your site, could they look at the email headers and establish the probable source (first IP address) of the spam? At least, if you can prove your innocence, they should unban you.

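MrPhil's suggestion to read the headers can be done mechanically. What follows is an added example, not code from this thread or from osCommerce: it parses the headers of the offending message quoted above (a trimmed copy is embedded as constructed sample input), walks the Received chain from the origin outwards, and reports whether the first hop was a local process on the web host and which script the host stamped on the mail. The dictionary layout and the verdict wording are my own.

```python
"""Triage a spam sample's headers: did the site's own script generate the mail, or was the
address merely spoofed?

Added example, not code from the thread or from osCommerce.  SAMPLE_HEADERS is a trimmed copy
of the 'Offending message' block quoted in the SpamCop complaint; the verdict text is my own.
"""
import email
import re

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Trimmed from the offending message quoted in the thread (constructed sample input).
SAMPLE_HEADERS = """\
Return-Path: <nobody@shuttle.dnsprotect.com>
X-Originating-IP: [207.210.76.133]
Received: from 207.115.20.126 (EHLO flpd116.prodigy.net) (207.115.20.126)
  by mta1033.sbc.mail.sp1.yahoo.com with SMTP; Thu, 26 Apr 2012 23:20:32 -0700
Received: from shuttle.dnsprotect.com (shuttle.dnsprotect.com [207.210.76.133] (may be forged))
  by flpd116.prodigy.net (8.14.4 IN/8.14.4) with ESMTP id q3R6KVmO016531 for <x>;
  Thu, 26 Apr 2012 23:20:32 -0700
Received: from nobody by shuttle.dnsprotect.com with local (Exim 4.77)
  (envelope-from <nobody@shuttle.dnsprotect.com>) id 1SNeXd-0002uT-GP
  for x; Fri, 27 Apr 2012 02:20:29 -0400
To: "x" <x>
Subject: Your friend *** MAKEMONEY Everyday. A 24CARAT Life Changing INFO. ***
  has recommended this great product from NottyHorse
X-PHP-Script: www.nottyhorse.co.nz/tell_a_friend.php for 76.72.169.27
From: "*** MAKEMONEY Everyday. A 24CARAT Life Changing INFO. ***" <PricelessInformation@excite.com>
X-Mailer: osCommerce Mailer
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]

"""


def received_chain(msg):
    """Received headers oldest-first: the last one in the message is the first hop."""
    hops = msg.get_all("Received") or []
    return [" ".join(h.split()) for h in reversed(hops)]


def triage(raw_message):
    msg = email.message_from_string(raw_message)
    chain = received_chain(msg)
    first_hop = chain[0] if chain else ""

    # Exim writes 'with local' when a local process handed it the message (for example
    # PHP's mail() running as the web-server user) rather than an SMTP client.
    local_injection = " with local " in first_hop
    host_match = re.search(r"\bby (\S+)", first_hop)
    sending_host = host_match.group(1) if host_match else None

    # First IP address seen walking from the origin outwards.
    origin_ip = None
    for hop in chain:
        m = IPV4.search(hop)
        if m:
            origin_ip = m.group(1)
            break

    # Some shared hosts stamp the web script and the client IP that called mail().
    script_path = client_ip = None
    php = msg.get("X-PHP-Script")
    if php:
        m = re.match(r"(\S+)\s+for\s+(\S+)", php.strip())
        if m:
            script_path, client_ip = m.group(1), m.group(2)

    mailer = (msg.get("X-Mailer") or "").strip() or None

    if local_injection and script_path:
        verdict = "generated locally on the web host by %s; the site itself sent it" % script_path
    elif local_injection:
        verdict = "generated locally on %s; find the script or cron job that called mail()" % sending_host
    else:
        verdict = "no local-injection marker; compare origin_ip with your host's addresses before accepting blame"

    return {
        "first_hop": first_hop,
        "local_injection": local_injection,
        "sending_host": sending_host,
        "origin_ip": origin_ip,
        "script_path": script_path,
        "client_ip": client_ip,
        "mailer": mailer,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HEADERS).items():
        print("%-16s %s" % (key, value))
```

Run against the quoted sample, the first hop is "from nobody by shuttle.dnsprotect.com with local", the host stamped X-PHP-Script with the shop's own tell_a_friend.php and the client 76.72.169.27, and X-Mailer is "osCommerce Mailer". That combination is the evidence the host will point to: the mail was built by the site's script on their server, not spoofed from elsewhere, which is exactly the distinction MrPhil asks the host to make.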

Thanks ctec2011 and germ for the advice.

Hey MrPhil, we don't send out newsletters, and in the future I will disable that function too.

Yes, it's my site. I checked Tell-A-Friend.php and tried to find the text containing the spam keywords and could not find anything (I also did a massive search using Notepad++ on all the .php files)... where is it hiding? Yes, it runs a version earlier than 2.3.1, and after I fix the problem I am going to apply all the security updates.

Somehow the mails were sent as nobody@shuttle.dnsprotect.com; that is the host's DNS server (imhosted.com). I have asked the support team at the hosting company and they say it's my side, not their server.

I am going to rename tell_a_friend.php, and once they enable my site I am going to the admin panel to set that friend function to false D: but I really want to know how they actually sent the message and how to prevent it :S

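On the poster's last question (how the message was sent, and how to prevent it): the quoted headers show the shop's own tell_a_friend.php being called from 76.72.169.27 and handing the mail to the local Exim as the web-server user, with the sender's text in the "your name" and message fields and a stranger as the recipient. Nothing on the server needed to be infected for that; the form did what it was written to do. Below is an added example, not osCommerce code, of the checks a tell-a-friend handler can apply before building any mail. The field names, limits and sample submissions are constructed.

```python
"""Input policy for a tell-a-friend handler, refusing the abuse pattern visible in the thread's
spam sample before any mail is built.

Added example; this is not osCommerce's tell_a_friend.php.  Field names, limits and sample
submissions are constructed.  The pattern it targets comes from the quoted spam: a headline in
the sender-name field, a pitch plus a link in the message field, and an unrelated recipient.
"""
import re
from collections import defaultdict, deque

# A sender or recipient name: letters, spaces and a little punctuation, nothing headline-like.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z' .-]{0,39}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
# Anything that reads as a link or a bare domain inside free text.
URL_RE = re.compile(r"https?://|www\.|\b[\w-]+\.(?:com|net|org|info|biz|co\.[a-z]{2})\b", re.I)
MAX_MESSAGE_CHARS = 300
MAX_ATTEMPTS_PER_HOUR = 3   # per client IP, rejected attempts count too


class TellAFriendGuard:
    def __init__(self, known_product_ids):
        self.known_products = {str(p) for p in known_product_ids}
        self.attempts = defaultdict(deque)  # client_ip -> timestamps of recent attempts

    def check(self, form, client_ip, now):
        """Return a list of rejection reasons; an empty list means the mail may be sent."""
        reasons = []
        from_name = form.get("from_name", "").strip()
        to_name = form.get("to_name", "").strip()
        message = form.get("message", "")

        if not NAME_RE.match(from_name):
            reasons.append("sender name is not a plain name")
        if not NAME_RE.match(to_name):
            reasons.append("recipient name is not a plain name")
        if not EMAIL_RE.match(form.get("from_email", "")):
            reasons.append("sender address malformed")
        if not EMAIL_RE.match(form.get("to_email", "")):
            reasons.append("recipient address malformed")
        if len(message) > MAX_MESSAGE_CHARS:
            reasons.append("message too long")
        if any(URL_RE.search(field) for field in (from_name, to_name, message)):
            reasons.append("free-text field contains a link or domain")
        if str(form.get("products_id")) not in self.known_products:
            reasons.append("unknown product id")

        # Sliding one-hour window per client; a script hammering the form trips this quickly.
        window = self.attempts[client_ip]
        while window and now - window[0] >= 3600:
            window.popleft()
        if len(window) >= MAX_ATTEMPTS_PER_HOUR:
            reasons.append("rate limit for this client exceeded")
        window.append(now)
        return reasons


# Constructed submissions: one shaped like the quoted spam, one that a real customer might send.
SPAM_SUBMISSION = {
    "from_name": "*** MAKEMONEY Everyday. A 24CARAT Life Changing INFO. ***",
    "from_email": "PricelessInformation@excite.com",
    "to_name": "x",
    "to_email": "someone@example.net",
    "message": "It Doesnt Matter Where In The World You Are, If You Have An Internet Connection "
               "www.nottyhorse.co.nz./product_info.php?products_id=111",
    "products_id": "111",
}
HONEST_SUBMISSION = {
    "from_name": "Jane Doe",
    "from_email": "jane@example.org",
    "to_name": "Sam",
    "to_email": "sam@example.org",
    "message": "Thought you'd like this one.",
    "products_id": "111",
}

if __name__ == "__main__":
    guard = TellAFriendGuard(["111", "605"])
    print("spam:  ", guard.check(SPAM_SUBMISSION, "76.72.169.27", 0))
    print("honest:", guard.check(HONEST_SUBMISSION, "198.51.100.7", 0))
```

Renaming the file or switching the function off in the admin panel, as the poster plans, stops the abuse outright. If the feature has to stay, the decisive change is to stop copying user-supplied free text into the mail at all (a fixed template that names only the product) and to require a logged-in customer; the rate limit and the name and link checks above are the backstop for whatever text is still accepted.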

Archived

This topic is now archived and is closed to further replies.
