[Solved] Suspended: Icgit

[icgit2]

username: ICGIT

server: Tommy

domain: www.icgit.com.uy

[icgit2]

I just realized that from one of my accounts sent in a period of 12 hours about 800 emails like this:

 

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

eugeniomanzzo@gmail.com
Domain icgit.com.uy has outgoing email disabled.
h.w3rd5@gmail.com
Domain icgit.com.uy has outgoing email disabled.
ccu2003@yahoo.com
Domain icgit.com.uy has outgoing email disabled.

Action: failed
Final-Recipient: rfc822;ccu2003@yahoo.com
Status: 5.0.0

Action: failed
Final-Recipient: rfc822;h.w3rd5@gmail.com
Status: 5.0.0

Action: failed
Final-Recipient: rfc822;eugeniomanzzo@gmail.com
Status: 5.0.0


---------- Mensaje reenviado ----------
From: Eulalia <soporte@icgit.com.uy>
To:
Cc:
Bcc:
Date: Tue, 16 May 2017 15:49:19 +0300
Subject: Adult dates ASAP ,Women from around
http://www.medici.cal.pl/wp-includes/js/tinymce/plugins/wpautoresize/dda626784e.html Enjoy sex tonight! Nearby local dates Nearby chicks
with amazing lust

 

Surely this is the cause for which the account was suspended.

I need to reactivate the account to be able to change the passwords of e-mail and see if this solves that problem.

Thank you.

[wolstech]

You're indeed suspended for spam.

 

Are you ready to fix the problem now? If so I'll unsuspend you.

[icgit2]

You're indeed suspended for spam.

 

Are you ready to fix the problem now? If so I'll unsuspend you.

Yes, I'm ready to do it right now.

 

Thanks.

[wolstech]

Unsuspended. Please fix it quickly.

[icgit2]

Unsuspended. Please fix it quickly.

TYVM!

 

I just changed the password of the supposedly affected account.

Do I have a way to monitor from the CPANEL some unusual activity that may be happening?

[wolstech]

There is not unfortunately. Krydos can tell you how many emails you've sent in the past day though, so if you and your website aren't sending much, you could stop back in a day or so and ask to see if the number sent for the day is what you expect.

I'd also recommend changing your cpanel password just for good measure, even though there's no evidence of it being compromised.

Thank you for taking care of this quickly.

 

Also, you figured out your issue on your own, but if you're interested, the below is the abuse report for the spam email that got you suspended. Normally I'd have posted this earlier, but I was on a mobile device that can't copy/paste properly on these forums.

We have received a complaint about your account. Please investigate and fix within 24 hours.

Hurricane Electric Abuse Department
support@he.net

From fblbounces@senderscore.net  Tue May 16 02:49:59 2017
Return-Path: <fblbounces@senderscore.net>
X-Original-To: report@abuse.he.net
Delivered-To: report@abuse.he.net
Received: from he.net (he.net [216.218.186.2])
        by abuse.he.net (Postfix) with ESMTPS id C86C6541245
        for <report@abuse.he.net>; Tue, 16 May 2017 02:49:58 -0700 (PDT)
Received: from mrfbl00-den.returnpath.net ([66.45.29.178])
        by he.net with ESMTPS (AES256-GCM-SHA384:TLSv1.2:Kx=RSA:Au=RSA:Enc=AESGCM(256):Mac=AEAD)
        for <abuse@he.net>; Tue, 16 May 2017 02:50:34 -0700
Received: from poma01.lan.returnpath.net (poma01.lan.returnpath.net [10.2.0.106])
        by mrfbl00-den.returnpath.net (Postfix) with ESMTP id 524894A0AB8
        for <abuse@he.net>; Tue, 16 May 2017 03:49:53 -0600 (MDT)
Received: by poma01.lan.returnpath.net (Postfix, from userid 106706)
        id 50A5C60492; Tue, 16 May 2017 03:49:53 -0600 (MDT)
Content-Type: multipart/report; boundary="_----------=_14949281932053952960"; report-type="feedback-report"
MIME-Version: 1.0
X-Mailer: MIME::Lite 3.029 (F2.84; T2.04; A2.12; B3.13; Q3.13)
Date: Tue, 16 May 2017 03:49:53 -0600
Subject: Synacor Abuse Report
To: abuse@he.net
From: feedbackloop@fbl.synacor.com
Message-Id: <20170516094953.50A5C60492@poma01.lan.returnpath.net>
Content-Transfer-Encoding: 7bit

This is a multi-part message in MIME format.

----------=_14949281932053952960
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Content-Type: text/plain

This is a Synacor email abuse report for an email message received from IP 65.19.143.6 on Tue, 16 May 2017 09:49:48 +0000


----------=_14949281932053952960
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Content-Type: message/feedback-report

User-Agent: ReturnPathFBL/1.0
Abuse-Type: complaint
Arrival-Date: Tue, 16 May 2017 09:49:48 +0000
Feedback-Type: abuse
Version: 1
Source-IP: 65.19.143.6
Original-Mail-From: hello@enviral.com.au

----------=_14949281932053952960
Content-Disposition: inline
Content-Type: message/rfc822
Content-Transfer-Encoding: 7bit

Return-Path: hello@enviral.com.au
Received: from mx01.agate.dfw.synacor.com (LHLO mx01.agate.dfw.synacor.com)
  (10.40.0.40) by md46.agate.dfw.synacor.com with LMTP; Tue, 16 May 2017
  05:49:49 -0400 (EDT)
Return-Path: <hello@enviral.com.au>
X-Spam-Rating: **
X-CLOUDMARK-CSI: SUSPECT
X-Spam-Rating: **
X-SPAMHAUS: CSS
X_CMAE_Category: , ,
X-CNFS-Analysis: v=2.2 cv=etCd9chX c=1 sm=1 tr=0
  a=XYFu0eUjL/+itSNVGxuTsQ==:117 a=XYFu0eUjL/+itSNVGxuTsQ==:17
  a=MNe2cPJyAAAA:8 a=9+rZDBEiDlHhcck0kWbJtElFXBc=:19 a=KGjhK52YXX0A:10
  a=9cW_t1CCXrUA:10 a=tJ8p9aeEuA8A:10 a=r77TgQKjGQsHNAKrUKIA:9
  a=vC9Y8pdhBniNNv-C_owA:9 a=Ft8UYL4EG9YA:10 a=291NRvSM8msMbchfAPYA:9
  a=_W_S_7VecoQA:10 a=wUT0n_FaeesJAGgxTkP1:22
X-CM-Score: 0
X-Scanned-by: Cloudmark Authority Engine
X-Received-HELO: from [65.19.143.6] (helo=tommy.heliohost.org)
Received: from [65.19.143.6] ([65.19.143.6:36462] helo=tommy.heliohost.org)
  by smtp.embarq.synacor.com (envelope-from <hello@enviral.com.au>) (ecelerity
  3.6.14.50842 r(Core:3.6.14.1)) with ESMTPS
  (cipher=DHE-RSA-AES256-GCM-SHA384)  id 4C/D2-18882-D3BCA195; Tue, 16 May
  2017 05:49:49 -0400
Received: from [222.254.34.113] (port=38625 helo=5.45.73.16) by
  tommy.heliohost.org with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
  (Exim 4.89) (envelope-from <hello@enviral.com.au>) id 1dAZ6x-0005rg-K0; Tue,
  16 May 2017 02:49:48 -0700
Message-ID: <9396207378AC8231EDE8A11C785262B6@enviral.com.au>
From: "Jayde" <hello@enviral.com.au>
Subject: =?UTF-8?B?0J/RgNC40LzQtdGAIA==?= =?UTF-8?B?0J/QuNGB0YzQvNCw?=
Date: Tue, 16 May 2017 12:49:45 +0300
MIME-Version: 1.0
X-AntiAbuse: This header was added to track abuse, please include it with
  any abuse report
X-AntiAbuse: Primary Hostname - tommy.heliohost.org
X-AntiAbuse: Original Domain - centurytel.net
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - enviral.com.au
X-Get-Message-Sender-Via: tommy.heliohost.org: authenticated_id:
  soporte@icgit.com.uy
X-Authenticated-Sender: tommy.heliohost.org: soporte@icgit.com.uy
X-Source:
X-Source-Args:
X-Source-Dir:
Content-Type: multipart/alternative; boundary="028121e0413199332f382e8001ef"

This is a multi-part message in MIME format.



--028121e0413199332f382e8001ef
Content-Type: text/plain; charset="windows-1251"
Content-Transfer-Encoding: quoted-printable

=C7=E4=F0=E0=E2=F1=F2=E2=F3=E9=F2=E5,

=D1 =F3=E2=E0=E6=E5=ED=E8=E5=EC, Millicent


--028121e0413199332f382e8001ef
Content-Type: text/html; charset="windows-1251"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD>
<META http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dwindows=
-1251">
</HEAD>
<BODY bottomMargin=3D5 leftMargin=3D5 rightMargin=3D5 topMargin=3D5=20
bgColor=3D#ffffff><FONT color=3D#000000 size=3D2 face=3DArial>
<DIV>=C7=E4=F0=E0=E2=F1=F2=E2=F3=E9=F2=E5, </DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>=D1 =F3=E2=E0=E6=E5=ED=E8=E5=EC, Millicent</DIV></FONT></BODY></HTML=
>


--028121e0413199332f382e8001ef--

----------=_14949281932053952960--

[icgit2]

Hi.

 

Today my account was suspended again.

 

Before I was suspended I started receiving replies to e-mails that I never sent and immediately changed the password for that account.

 

username: ICGIT

server: Tommy

domain: www.icgit.com.uy

[icgit2]

All my email accounts are used only from gmail accounts. I do not understand how it is possible that someone has obtained the password and they have used it to send spam.

 

The cpanel password generator is safe? Or is it possible that someone has those passwords?