icgit2 Posted February 4, 2018

Hi. Today my account was suspended again. Before I was suspended I started receiving replies to e-mails that I never sent and immediately changed the password for that account.

username: ICGIT
server: Tommy
domain: www.icgit.com.uy

All my email accounts are used only from Gmail accounts. I do not understand how it is possible that someone has obtained the password and used it to send spam. Is the cPanel password generator safe? Or is it possible that someone has those passwords?
wolstech Posted February 4, 2018

Honestly, none of us have any idea why this keeps happening to your account. You're the only one with the issue though, so something unique to you or how you're using our service is stealing your password.

The cPanel password generator is random and runs on the client, so no, we don't have the passwords it generates. The only way they'd get out is if something on your computer grabbed them while you were changing it or entering it to log in. I suspect one of the devices you check the mail on is compromised.

In addition, if you use a mail program like Outlook or the Windows Mail app, some malware just uses the native mail functions in Windows to send the spam mail using the default configured email address (which, if it's this account, will result in us getting the abuse reports). This method doesn't even require that the password be known to the malware author because Windows knows and they can just make their malware ask Windows to send the mail for them.

Unsuspended again. Please change passwords and perhaps a malware scan would be a good idea as well.

The abuse report has been provided below for reference. The spam links were removed to avoid promoting their dubious pharma website.

We have received a complaint about your account. Please investigate and fix within 24 hours.
Hurricane Electric Abuse Department
support@he.net

From fbl-no-reply@postmaster.aol.com Sun Feb 4 01:08:24 2018
Return-Path: <fbl-no-reply@postmaster.aol.com>
X-Original-To: report@abuse.he.net
Delivered-To: report@abuse.he.net
Received: from smr-m04e.mx.aol.com (smr-m04e.mx.aol.com [204.29.186.193])
    by abuse.he.net (Postfix) with ESMTPS id 905F35401E7
    for <report@abuse.he.net>; Sun, 4 Feb 2018 01:08:23 -0800 (PST)
Received: from scmp-m008.mail.aol.com (scmp-m008.mail.aol.com [172.29.110.249])
    by smr-m04e.mx.aol.com (AOL Mail Bouncer) with ESMTP id 9A5C43800086
    for <report@abuse.he.net>; Sun, 4 Feb 2018 04:08:15 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.postmaster.aol.com;
    s=20160722; t=1517735295;
    bh=lSzh0o3fXpO8q1B99GsT8T2d3g8GUx8fBSCNdxO40u0=;
    h=To:From:Date:Subject;
    b=J8BgA7Jt6OvpPYlPY7alZj4Bnm1N4JZx6EGv0uEPd4il+pkk+vOE4uldETZDQ0lK0
    HO+XJqmaAjgxrt72bE3/68Zvyz5Fd+TzOozIRXw8ThS9GqsnsvrYKfuJ/PSAJ4IxG9
    g36aWri6/fARkWITDDrrO9GYJJx3TKM+jkUqf4iw=
Received: from fbl-no-reply@postmaster.aol.com by scmp-m008.mail.aol.com; Sun, 04 Feb 2018 04:08:14 EST
To: report@abuse.he.net
From: fbl-no-reply@postmaster.aol.com
Date: Sun, 04 Feb 2018 04:08:14 EST
Subject: Email Feedback Report for IP 66.220.18.189
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report; boundary="boundary-1138-29572-2659438-6813"
X-AOL-INRLY: icgit.com.uy [66.220.18.189] scmp-m008
X-Loop: scomp

--boundary-1138-29572-2659438-6813
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit

This is an email abuse report for an email message with the message-id of AE6583B3.1979184@icgit.com.uy received from IP address 66.220.18.189 on Sun, 4 Feb 2018 02:30:24 -0500 (EST)

For information, please review the top portion of the following page:
https://postmaster.aol.com/fbl-request#info

For information about AOL E-mail guidelines, please see
https://postmaster.aol.com/best-practices

If you would like to cancel or change the configuration for your FBL please use the tool located at:
https://postmaster.aol.com/fbl-request

--boundary-1138-29572-2659438-6813
Content-Disposition: inline
Content-Type: message/feedback-report

Feedback-Type: abuse
User-Agent: AOL SComp
Version: 0.1
Received-Date: Sun, 4 Feb 2018 02:30:24 -0500 (EST)
Source-IP: 66.220.18.189
Reported-Domain: icgit.com.uy
Redacted-Address: redacted
Redacted-Address: redacted@

--boundary-1138-29572-2659438-6813
Content-Type: message/rfc822
Content-Disposition: inline

Return-Path: <adrian@icgit.com.uy>
Received: from icgit.com.uy (icgit.com.uy [66.220.18.189])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by mtaig-aal01.mx.aol.com (Internet Inbound) with ESMTPS id 2A55E70000084
    for <tcwas16255@aol.com>; Sun, 4 Feb 2018 02:30:24 -0500 (EST)
Received: from [200.66.119.214] (port=4887 helo=[127.0.0.1])
    by tommy.heliohost.org with esmtpa (Exim 4.89)
    (envelope-from <adrian@icgit.com.uy>)
    id 1eiEko-0006Co-5b; Sat, 03 Feb 2018 23:30:22 -0800
To: redacted@yahoo.com
Cc: redacted@sbcglobal.net
From: adrian@icgit.com.uy
Subject: Thus forces a larger dose?
Message-ID: <AE6583B3.1979184@icgit.com.uy>
Date: Sun, 4 Feb 2018 08:30:20 +0100
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:38.0) Gecko/20100101 Thunderbird/38.2.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=UTF-8
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - tommy.heliohost.org
X-AntiAbuse: Original Domain - aol.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - icgit.com.uy
X-Get-Message-Sender-Via: tommy.heliohost.org: authenticated_id: adrian@icgit.com.uy
X-Authenticated-Sender: tommy.heliohost.org: adrian@icgit.com.uy
X-Source:
X-Source-Args:
X-Source-Dir:
x-aol-global-disposition: S
Authentication-Results: mx.aol.com; spf=none (aol.com: the domain icgit.com.uy appears to have no SPF Record.) smtp.mailfrom=icgit.com.uy;
X-AOL-REROUTE: YES
x-aol-sid: 3039ac1b14c15a76b6904d46
X-AOL-IP: 66.220.18.189
X-AOL-SPF: domain : icgit.com.uy SPF : none

Understimulation, the persistence of learned sexual behaviour?
<spam link removed>
1 Sexual orientation, identity, and behavior?

--boundary-1138-29572-2659438-6813--
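An added example, not part of the original thread: the reported message's own headers record how it entered tommy.heliohost.org, and this Python code reads the first `Received` hop and the cPanel tracking headers to summarise that. The header text is abridged from the abuse report above; the `triage` function and its field names are hypothetical names chosen for illustration.

```python
import re
from email import message_from_string

# Headers of the reported message, abridged from the abuse report in this thread.
REPORTED = """\
Return-Path: <adrian@icgit.com.uy>
Received: from icgit.com.uy (icgit.com.uy [66.220.18.189])
 by mtaig-aal01.mx.aol.com (Internet Inbound) with ESMTPS id 2A55E70000084
 for <tcwas16255@aol.com>; Sun, 4 Feb 2018 02:30:24 -0500 (EST)
Received: from [200.66.119.214] (port=4887 helo=[127.0.0.1])
 by tommy.heliohost.org with esmtpa (Exim 4.89)
 (envelope-from <adrian@icgit.com.uy>)
 id 1eiEko-0006Co-5b; Sat, 03 Feb 2018 23:30:22 -0800
From: adrian@icgit.com.uy
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:38.0) Gecko/20100101 Thunderbird/38.2.0
X-Get-Message-Sender-Via: tommy.heliohost.org: authenticated_id: adrian@icgit.com.uy
X-Source:
X-Source-Args:
X-Source-Dir:
Authentication-Results: mx.aol.com; spf=none smtp.mailfrom=icgit.com.uy;

"""

AUTH_PROTOCOLS = {"esmtpa", "esmtpsa"}  # Exim: trailing "a" = SMTP AUTH succeeded
TLS_PROTOCOLS = {"esmtps", "esmtpsa"}   # Exim: "s" = the session used TLS


def triage(raw_headers):
    """Summarise how a reported message entered the mail server (hypothetical helper)."""
    msg = message_from_string(raw_headers)
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    first_hop = hops[-1]  # Received headers are prepended, so the last is the entry point
    client = re.search(r"from [^\[]*\[([0-9A-Fa-f.:]+)\]", first_hop)
    proto = re.search(r"\bwith (\S+)", first_hop)
    proto = proto.group(1).lower() if proto else ""
    auth_id = re.search(r"authenticated_id: (\S+)",
                        msg.get("X-Get-Message-Sender-Via", ""))
    spf = re.search(r"spf=(\w+)", msg.get("Authentication-Results", ""))
    return {
        "client_ip": client.group(1) if client else None,
        "protocol": proto,
        "smtp_auth": proto in AUTH_PROTOCOLS,
        "tls": proto in TLS_PROTOCOLS,
        "authenticated_id": auth_id.group(1) if auth_id else None,
        # Empty X-Source-Dir: no script path was recorded for this message.
        "script_origin": (msg.get("X-Source-Dir") or "").strip() or None,
        "spf": spf.group(1) if spf else None,
    }


if __name__ == "__main__":
    for key, value in triage(REPORTED).items():
        print(f"{key:17} {value}")
```

For this report the summary shows a remote client at 200.66.119.214 logging in over SMTP as adrian@icgit.com.uy without TLS, with no script path recorded, which is consistent with the mailbox password being used directly rather than a script on the hosting account sending the mail.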
Krydos Posted February 4, 2018

I agree that the most likely case here is your computer is infected with malware.
icgit2 (Author) Posted February 6, 2018

I scanned my three computers with MalwareBytes and NOD32 but no viruses / malware were found.

My email account that was used to send SPAM had the same password since 2015. As a security measure I will change the passwords of all mail accounts I have on heliohost.

All my accounts are set up within a GMAIL account. I do not use desktop mail clients (Outlook, Thunderbird, etc.). I still do not understand how they could have obtained my password.

Another thing: I understand that heliohost limits 50 outgoing e-mails per day, which for my use is more than enough. How is it possible that the spammer was allowed to send thousands of emails in a matter of hours without being blocked?

I await your comments. Thank you very much.
Krydos Posted February 6, 2018

If you exceed the number of emails per hour you will start getting bounce back messages saying that you've reached your limit.
icgit2 (Author) Posted February 6, 2018

"If you exceed the number of emails per hour you will start getting bounce back messages saying that you've reached your limit."

I'm not aware of receiving those alerts. Can you tell me what text contains those messages? Is there a way to know how many mails were sent? Yesterday I had 73,000 emails in inbox...
Krydos Posted February 6, 2018

"Can you tell me what text contains those messages?"

Here's the contents of one of the emails

<spam link>
Get ya' med's
=C2=A9 2017-2018. Privacy Policy unsubscribe
ieyvs hpezyonwfh kgrjcpseih upvpmw ytvhsjgzu kkiio gxwets eanbyrfrj wyrobbyaa kobesgu ckhds tuemf

"Is there a way to know how many mails were sent? Yesterday I had 73,000 emails in inbox..."

We've gotten 16 spam reports regarding your account so far.