skullys Posted May 27, 2022

Re: Skully@thepiratestore.com -- I've received over 1500 of these rejected/bounced email responses just this morning.... Nothing that I've actually sent but coming from my email address.... Any way other than taking that email address off line to stop this?

This is the mail system at host tommy2.heliohost.org.

I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can delete your own text from the attached returned message.

The mail system

<fhj.heintz@gmail.com>: host gmail-smtp-in.l.google.com[142.250.141.26] said:
    550-5.7.26 This message does not have authentication information or fails to
    550-5.7.26 pass authentication checks. To best protect our users from spam, the
    550-5.7.26 message has been blocked. Please visit
    550-5.7.26 https://support.google.com/mail/answer/81126#authentication for more
    550 5.7.26 information. e20-20020a056808149400b003261af3133esi6526770oiw.96 - gsmtp (in reply to end of DATA command)

<mrmac969@gmail.com>: host gmail-smtp-in.l.google.com[142.250.141.26] said:
    550-5.7.26 This message does not have authentication information or fails to
    550-5.7.26 pass authentication checks. To best protect our users from spam, the
    550-5.7.26 message has been blocked. Please visit
    550-5.7.26 https://support.google.com/mail/answer/81126#authentication for more
    550 5.7.26 information. e20-20020a056808149400b003261af3133esi6526770oiw.96 - gsmtp (in reply to end of DATA command)

Reporting-MTA: dns; tommy2.heliohost.org
X-Postfix-Queue-ID: EB9974073B9C
X-Postfix-Sender: rfc822; skully@thepiratestore.com
Arrival-Date: Fri, 27 May 2022 16:02:18 +0000 (UTC)

Final-Recipient: rfc822; fhj.heintz@gmail.com
Original-Recipient: rfc822;fhj.heintz@gmail.com
Action: failed
Status: 5.7.26
Remote-MTA: dns; gmail-smtp-in.l.google.com
Diagnostic-Code: smtp;
    550-5.7.26 This message does not have authentication information or fails to
    550-5.7.26 pass authentication checks. To best protect our users from spam, the
    550-5.7.26 message has been blocked. Please visit
    550-5.7.26 https://support.google.com/mail/answer/81126#authentication for more
    550 5.7.26 information. e20-20020a056808149400b003261af3133esi6526770oiw.96 - gsmtp

Final-Recipient: rfc822; mrmac969@gmail.com
Original-Recipient: rfc822;mrmac969@gmail.com
Action: failed
Status: 5.7.26
Remote-MTA: dns; gmail-smtp-in.l.google.com
Diagnostic-Code: smtp;
    550-5.7.26 This message does not have authentication information or fails to
    550-5.7.26 pass authentication checks. To best protect our users from spam, the
    550-5.7.26 message has been blocked. Please visit
    550-5.7.26 https://support.google.com/mail/answer/81126#authentication for more
    550 5.7.26 information. e20-20020a056808149400b003261af3133esi6526770oiw.96 - gsmtp

wolstech Posted May 27, 2022

It's hard to say what's going on here without the full headers of the original email. It is common for spam to be sent with a fake "From" address though, and when it's rejected by the recipient's spam filter, the spam gets returned to the person listed in the fake From header, as opposed to the actual sender.

Have you checked the mailbox to see if it actually sent this spam? If it did not, then there's not much to do except delete the rejection emails. If it did, you'll need to change your password.
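
Added example, not part of any post in this thread: a bounce's `message/delivery-status` part records which MTA wrote the report, which helps separate a forged From address (backscatter) from mail that really left through your own server. The function name `triage_dsn`, the parameter `own_mta_hosts`, the verdict strings and every hostname and address in the sample are assumptions made for illustration.

```python
import email

# Constructed sample bounce in the same DSN layout as the one quoted in this
# thread; every hostname, address and queue ID below is a placeholder.
SAMPLE_DSN = """\
From: MAILER-DAEMON@mail.example.net (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.example.net
X-Postfix-Queue-ID: 0123456789AB
X-Postfix-Sender: rfc822; user@example.org

Final-Recipient: rfc822; rcpt1@example.com
Action: failed
Status: 5.7.26

Final-Recipient: rfc822; rcpt2@example.com
Action: failed
Status: 5.7.26

--B1--
"""

def triage_dsn(raw, own_mta_hosts):
    """Classify one bounce: did it come from our own outbound queue?"""
    msg = email.message_from_string(raw)
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        blocks = part.get_payload()  # per-message block, then one per recipient
        head, rcpts = blocks[0], blocks[1:]
        mta = (head.get("Reporting-MTA") or "").split(";")[-1].strip().lower()
        details = {
            "reporting_mta": mta,
            "queue_id": head.get("X-Postfix-Queue-ID"),
            "failed": [(r["Final-Recipient"].split(";")[-1].strip(), r["Status"])
                       for r in rcpts if r.get("Final-Recipient")],
        }
        # Assumption: a DSN written by our own MTA means the message was in
        # our queue (an account or script on this server sent it); a foreign
        # Reporting-MTA points to a forged sender address (backscatter).
        own = mta in {h.lower() for h in own_mta_hosts}
        return ("sent-via-own-server" if own else "likely-backscatter"), details
    return "not-a-dsn", {}

if __name__ == "__main__":
    print(triage_dsn(SAMPLE_DSN, {"mail.example.net"}))
```

The verdict is a heuristic for triage only; confirming a compromised mailbox still means checking the server's mail log for authenticated submissions under the queue ID the bounce reports.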

skullys (Author) Posted May 27, 2022

Here's more from the header...

Authentication-Results: tommy2.heliohost.org; dmarc=none (p=NONE sp=NONE) smtp.from= header.from=tommy2.heliohost.org (Mail Delivery System)
X-Spam-Level:
Auto-Submitted: auto-replied
Mime-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="1C2FF40950E9.1653669696/tommy2.heliohost.org"
X-Spam-Status: No, score=-1.9 required=2.0 tests=BAYES_00,HTML_MESSAGE,
    NO_RELAYS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.0
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on tommy2.heliohost.org
Return-Path: <MAILER-DAEMON>
X-Original-To: skully@thepiratestore.com
Received: by tommy2.heliohost.org (Postfix) id 1A0B14094BF3; Fri, 27 May 2022 16:41:36 +0000 (UTC)
Delivered-To: skully@thepiratestore.com
Message-Id: <20220527164136.1A0B14094BF3@tommy2.heliohost.org>
Undelivered Mail Returned to Sender

Krydos Posted May 28, 2022

Yeah, your skully@thepiratestore.com password was hacked, and your account has been sending thousands of spam messages. I changed the password for that email address and the spam stopped immediately. No wonder people have been reporting Tommy is unable to deliver emails. Your account caused the brand new server IP to be blacklisted by every spam email list in the world. That didn't take long.

skullys (Author) Posted May 28, 2022

Account Suspended....

Krydos,

Sorry for being the one behind the server IP Blacklisting... especially after all your hard work to bring Heliohost & Tommy back to life! Will I be permitted to log back in to this account to update all passwords... hopefully to prevent this from happening again?

Krydos Posted May 28, 2022

Yeah, you're fine. I was suspending and unsuspending your account a few times to test stuff. Since the server is so new I hadn't implemented the spam protection we had on cPanel yet. Plesk uses completely different software so I had to rewrite the spam script pretty much from scratch to make it work on the new server. There are a million things to do still, but the spam protection has been ported over now. You getting hacked was the motivation to move that to the top of the priority list.