We had a problem with one of our domains at the beginning of the month -apparently our mailing script was compromised and used to send thousands of spam - and it was the form lunar recommends and configures - but it happened.  We removed the form from the site.  We are not using the outgoing mail server for the domain as we connect with broadband and use that server and this morning I got an email from tech -
"We are still getting complaints of spam against your account.

The most recent complaint was sent was sent out on Sat, 27 Dec 2003.

Someone that has access to your account has a virus or your password for this account has been comprimised.

It's important that this situation is corrected. We would be unable to continue to host an account that is allowing spam to be processed through it
Do not hesitate to contact us if you have any questions.

Lee Coleman
support@lunarpages.com"

I emailed back within 30 minutes of receiving that message and still have had no reply - very frustrating.  

We are not sending any outoing email - and I'm wondering if this has something to do with problems with AOL mentioned in numerous other posts.  I have never had a problem with any of our sites witih prior hosts and am trying my darndest to understand what is going on here.  I asked before - could this be an inside job?  Once someone knows the format of the outgoing mail server it doesn't take much to use it - and Lunar proudly posts the names of all its servers on their website...

I'm still waiting for a reply from Lee Coleman with particulars of what "spam" was sent on our account that generated a complaint.  This time there is nor returned mail to even inspect.

Any advice would be greatly appreciated.  I'm spending way too much time on trying to resolve a problem that we have no part in.

Kathie Meier

Thank you Miranda.  I understand the responsibility for the script - tho while I have heard of these types of problems - I have scripts on most of our sites and never had even a hint of a problem.  However, we immediately removed the script, changed passwords etc.  I do computer consulting by profession and am fanatical about antivirus software, anti-trojan software, anti-spyware etc. so I am virtually certain that no compromise has occurred from my end.  This is what I find so frustrating...  I have no idea where the smtp access is coming from as we don't use the lunar outgoing mail servers.  I anxiously await further response from Lee.

Kathie

Kathie,

If you recall I did call you on Sunday, the day after your message was sent to our office.   When your message was received on Saturday I was not working and unable to call you immediately.

The situation with spammers exploiteing formmail scripts is not limited to Lunarpages.  

Many hosting companies are not allowing any type of formmail script on their servers, because of the situation.

Lee - I don't think that Formmail is how these spoofers are compromising us, because I have never used Formmail. I guess we should find out by asking others if this is the case for them.

Are those of you who are having this spoofing (identity theft where someone is using your domain to send out SPAM) problem using the Formmail script?  Yes or No?

Although, this is definitely not the only way to be compromised (via scripts) this info could be very useful and helpful.

From what I've seen on the bounce messages I've received for spam spoofing my domain, none was actually sent from my domain - they were all pure forgeries. (Leighsww, you nailed it --we're victims of identity theft.) While I viewed them all at first, now I just don't have the time to look at 'em all.


Back when I was looking at all the bounce messages I checked the actual headers from the spam message (if enclosed) and wrote to "abuse" and/or"postmaster" at the appropriate domain. Out of the approximately 75 messages I sent out I received one reply, from a university. That postmaster tracked down the spammer and banned him from their systems.

Yes, a lot have been from AOL. I haven't visited http://postmaster.info.aol.com yet, but will when I get home from work.

I just wish the scripts generating the bounce messages looked at the actual mail forwarding headers instead of the "From:" header which is so easily forged.

/a

It is amazing how easy it is to spoof with an open relay. I have one from comcast but i do not use it.

I was telling my dad about it and he didn't belive me so i studied an email he sent me and, with his permission, spoofed his work account. I actually authenticated with LP's server becuase i figured it was once, with his permission, for his own security reasons.

I told my dad to look at the message headers to see the server it was relayed from.