
[Solved] Suspended: icgit


icgit2

Hi.
 
Today my account was suspended again.
 
Before I was suspended I started receiving replies to e-mails that I never sent and immediately changed the password for that account.
 
username: ICGIT
server: Tommy
domain: www.icgit.com.uy
 
All my email accounts are used only from gmail accounts. I do not understand how it is possible that someone has obtained the password and they have used it to send spam.
 
Is the cPanel password generator safe? Or is it possible that someone has those passwords?

 


Honestly, none of us have any idea why this keeps happening to your account. You're the only one with the issue though, so something unique to you or how you're using our service is stealing your password. The cPanel password generator is random and runs on the client, so no, we don't have the passwords it generates. The only way they'd get out is if something on your computer grabbed them while you were changing it or entering it to log in.

 

I suspect one of the devices you check the mail on is compromised. In addition, if you use a mail program like Outlook or the Windows Mail app, some malware just uses the native mail functions in Windows to send the spam mail using the default configured email address (which, if it's this account, will result in us getting the abuse reports). This method doesn't even require that the password be known to the malware author, because Windows knows it and they can just make their malware ask Windows to send the mail for them.

 

Unsuspended again. Please change passwords and perhaps a malware scan would be a good idea as well. 

 

The abuse report has been provided below for reference. The spam links were removed to avoid promoting their dubious pharma website.

We have received a complaint about your account. Please investigate and fix within 24 hours.

Hurricane Electric Abuse Department
support@he.net

From fbl-no-reply@postmaster.aol.com  Sun Feb  4 01:08:24 2018
Return-Path: <fbl-no-reply@postmaster.aol.com>
X-Original-To: report@abuse.he.net
Delivered-To: report@abuse.he.net
Received: from smr-m04e.mx.aol.com (smr-m04e.mx.aol.com [204.29.186.193])
        by abuse.he.net (Postfix) with ESMTPS id 905F35401E7
        for <report@abuse.he.net>; Sun,  4 Feb 2018 01:08:23 -0800 (PST)
Received: from scmp-m008.mail.aol.com (scmp-m008.mail.aol.com [172.29.110.249])
        by smr-m04e.mx.aol.com (AOL Mail Bouncer) with ESMTP id 9A5C43800086
        for <report@abuse.he.net>; Sun,  4 Feb 2018 04:08:15 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=mx.postmaster.aol.com; s=20160722; t=1517735295;
        bh=lSzh0o3fXpO8q1B99GsT8T2d3g8GUx8fBSCNdxO40u0=;
        h=To:From:Date:Subject;
        b=J8BgA7Jt6OvpPYlPY7alZj4Bnm1N4JZx6EGv0uEPd4il+pkk+vOE4uldETZDQ0lK0
         HO+XJqmaAjgxrt72bE3/68Zvyz5Fd+TzOozIRXw8ThS9GqsnsvrYKfuJ/PSAJ4IxG9
         g36aWri6/fARkWITDDrrO9GYJJx3TKM+jkUqf4iw=
Received: from fbl-no-reply@postmaster.aol.com by scmp-m008.mail.aol.com; Sun, 04 Feb 2018 04:08:14 EST
To: report@abuse.he.net
From: fbl-no-reply@postmaster.aol.com
Date: Sun, 04 Feb 2018 04:08:14 EST
Subject: Email Feedback Report for IP 66.220.18.189
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report; boundary="boundary-1138-29572-2659438-6813"
X-AOL-INRLY: icgit.com.uy [66.220.18.189] scmp-m008
X-Loop: scomp

--boundary-1138-29572-2659438-6813
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit

This is an email abuse report for an email message with the message-id of AE6583B3.1979184@icgit.com.uy received from IP address 66.220.18.189 on Sun,  4 Feb 2018 02:30:24 -0500 (EST)

For information, please review the top portion of the following page:
https://postmaster.aol.com/fbl-request#info

For information about AOL E-mail guidelines, please see
https://postmaster.aol.com/best-practices

If you would like to cancel or change the configuration for your FBL please use the tool located at:
https://postmaster.aol.com/fbl-request


--boundary-1138-29572-2659438-6813
Content-Disposition: inline
Content-Type: message/feedback-report

Feedback-Type: abuse
User-Agent: AOL SComp
Version: 0.1
Received-Date: Sun,  4 Feb 2018 02:30:24 -0500 (EST)
Source-IP: 66.220.18.189
Reported-Domain: icgit.com.uy
Redacted-Address: redacted
Redacted-Address: redacted@


--boundary-1138-29572-2659438-6813
Content-Type: message/rfc822
Content-Disposition: inline

Return-Path: <adrian@icgit.com.uy>
Received: from icgit.com.uy (icgit.com.uy [66.220.18.189])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mtaig-aal01.mx.aol.com (Internet Inbound) with ESMTPS id 2A55E70000084
        for <tcwas16255@aol.com>; Sun,  4 Feb 2018 02:30:24 -0500 (EST)
Received: from [200.66.119.214] (port=4887 helo=[127.0.0.1])
        by tommy.heliohost.org with esmtpa (Exim 4.89)
        (envelope-from <adrian@icgit.com.uy>)
        id 1eiEko-0006Co-5b; Sat, 03 Feb 2018 23:30:22 -0800
To: redacted@yahoo.com
Cc: redacted@sbcglobal.net
From: adrian@icgit.com.uy
Subject: Thus forces a larger dose?
Message-ID: <AE6583B3.1979184@icgit.com.uy>
Date: Sun, 4 Feb 2018 08:30:20 +0100
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:38.0) Gecko/20100101
 Thunderbird/38.2.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=UTF-8
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - tommy.heliohost.org
X-AntiAbuse: Original Domain - aol.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - icgit.com.uy
X-Get-Message-Sender-Via: tommy.heliohost.org: authenticated_id: adrian@icgit.com.uy
X-Authenticated-Sender: tommy.heliohost.org: adrian@icgit.com.uy
X-Source:
X-Source-Args:
X-Source-Dir:
x-aol-global-disposition: S
Authentication-Results: mx.aol.com;
        spf=none (aol.com: the domain icgit.com.uy appears to have no SPF Record.) smtp.mailfrom=icgit.com.uy;
X-AOL-REROUTE: YES
x-aol-sid: 3039ac1b14c15a76b6904d46
X-AOL-IP: 66.220.18.189
X-AOL-SPF: domain : icgit.com.uy SPF : none

Understimulation, the persistence of learned sexual behaviour?

<spam link removed>

1 Sexual orientation, identity, and behavior?


--boundary-1138-29572-2659438-6813--
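The headers in the quoted report are what identify the compromised mailbox: the Exim hop marked `with esmtpa` records an SMTP AUTH submission and the client address it came from, and `X-Get-Message-Sender-Via` names the authenticated account. The script below is an added example, not code from the thread or from HelioHost; it triages a constructed header set modelled on that report (placeholder hosts and addresses) to pull out those facts plus the receiver's SPF verdict.

```python
import email
import re

# Constructed header set modelled on the message/rfc822 part of the feedback
# report quoted above; hosts and addresses are documentation placeholders.
SAMPLE_HEADERS = """\
Received: from example.com.uy (example.com.uy [198.51.100.7])
        by mx.example.net with ESMTPS id 2A55E70000084; Sun, 4 Feb 2018 02:30:24 -0500
Received: from [192.0.2.44] (port=4887 helo=[127.0.0.1])
        by shared.host.example with esmtpa (Exim 4.89)
        (envelope-from <adrian@example.com.uy>)
        id 1eiEko-0006Co-5b; Sat, 03 Feb 2018 23:30:22 -0800
From: adrian@example.com.uy
X-Get-Message-Sender-Via: shared.host.example: authenticated_id: adrian@example.com.uy
Authentication-Results: mx.example.net;
        spf=none (no SPF record) smtp.mailfrom=example.com.uy;
"""

# Exim writes "with esmtpa" (or "esmtpsa" over TLS) only for SMTP AUTH submissions,
# so this hop shows the mailbox credentials were used and from which client.
AUTH_HOP = re.compile(
    r"from \[?(?P<client>\d+\.\d+\.\d+\.\d+)\]?.*?\bby (?P<host>\S+) with (?P<proto>esmtpsa|esmtpa)\b",
    re.IGNORECASE)


def triage(raw_message: str) -> dict:
    """Extract who authenticated, from where, and the receiver's SPF verdict."""
    msg = email.message_from_string(raw_message)
    found = {"client_ip": None, "submitting_host": None, "auth_protocol": None,
             "authenticated_id": None, "spf": None}
    # Received headers are newest-first; keep the last authenticated hop found,
    # i.e. the oldest one, which is the closest to the real origin of the run.
    for value in msg.get_all("Received", []):
        m = AUTH_HOP.search(" ".join(value.split()))  # unfold the header first
        if m:
            found.update(client_ip=m.group("client"), submitting_host=m.group("host"),
                         auth_protocol=m.group("proto").lower())
    m = re.search(r"authenticated_id:\s*(\S+)", msg.get("X-Get-Message-Sender-Via", ""))
    if m:
        found["authenticated_id"] = m.group(1)
    m = re.search(r"\bspf=(\w+)", " ".join(msg.get("Authentication-Results", "").split()))
    if m:
        found["spf"] = m.group(1)
    return found


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HEADERS).items():
        print(f"{key:18} {value}")
```

A client address that is not one of the mail providers the account owner actually uses (here a direct submission claiming `helo=[127.0.0.1]`) is the signal that the credentials, not the webmail session, were abused.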

I scanned my three computers with MalwareBytes and NOD32 but no viruses / malware were found.

 

My email account that was used to send SPAM had the same password since 2015. As a security measure I will change the passwords of all mail accounts I have on heliohost.

 

All my accounts are set up within a GMAIL account. I do not use desktop mail clients (Outlook, Thunderbird, etc.). I still do not understand how they could have obtained my password.

 

Another thing: I understand that heliohost limits 50 outgoing e-mails per day, which for my use is more than enough. How is it possible that the spammer was allowed to send thousands of emails in a matter of hours without being blocked?

 

I await your comments. Thank you very much.

If you exceed the number of emails per hour you will start getting bounce back messages saying that you've reached your limit.

 
I'm not aware of receiving those alerts.
 
Can you tell me what text contains those messages?
 
Is there a way to know how many mails were sent? Yesterday I had 73,000 emails in inbox...

Can you tell me what text contains those messages?

Here's the contents of one of the emails

<spam link> Get ya' med's

=C2=A9 2017-2018. Privacy Policyunsubscribe

 

 

ieyvs hpezyonwfh kgrjcpseih upvpmw

ytvhsjgzu kkiio gxwets eanbyrfrj

wyrobbyaa kobesgu ckhds tuemf

Is there a way to know how many mails were sent? Yesterday I had 73,000 emails in inbox...

We've gotten 16 spam reports regarding your account so far.
This topic is now closed to further replies.