Kairion, posted March 25, 2023
Hi @yoe06, I have checked your account and it has been suspended for spam. Could you explain why your account was sending spam and what your mailing policy is?
wolstech, posted March 25, 2023
This user is also over disk quota: 1386.6MB of 1000MB used.
yoe06 (author), posted March 27, 2023
On 3/26/2023 at 5:26 AM, Kairion said:
Hi @yoe06, I have checked your account and it has been suspended for spam. Could you explain why your account was sending spam and what your mailing policy is?

I never sent spam email.
yoe06 (author), posted March 27, 2023
On 3/26/2023 at 5:49 AM, wolstech said:
This user is also over disk quota: 1386.6MB of 1000MB used.

How through it?
wolstech, posted March 27, 2023
We're receiving abuse reports about your email content, so you are sending spam even though you might not know it. These are just 2 reports, but we've received at least 5. Unfortunately Terra doesn't include the message body so we can't identify what was being sent. My bet is that your Wordpress install is hacked. It's infamous for terrible security if not maintained properly.

We have received a complaint about your account. Please investigate and fix within 24 hours.

Hurricane Electric Abuse Department
support@he.net

From fbl@bounce.mailstream.senderscore.net Fri Mar 24 05:23:05 2023
Return-Path: <fbl@bounce.mailstream.senderscore.net>
X-Original-To: report@abuse.he.net
Delivered-To: report@abuse.he.net
Received: from mail.he.net (mail.he.net [216.218.186.2]) by abuse.he.net (Postfix) with ESMTPS id B587D1EA07AD for <report@abuse.he.net>; Fri, 24 Mar 2023 05:23:03 -0700 (PDT)
Authentication-Results: abuse.he.net; dkim=pass reason="1024-bit key; insecure key" header.d=senderscore.net header.i=@senderscore.net header.b=vwf8KX9r; dkim-adsp=none (insecure policy); dkim-atps=neutral
Authentication-Results: mail.he.net; dkim=pass (no signature error) header.i=@senderscore.net header.s=081107 header.b=vwf8KX9r; spf=pass (mail.he.net: domain of bounce.mailstream.senderscore.net designates 54.84.12.226 as permitted sender) smtp.mailfrom=fbl@bounce.mailstream.senderscore.net smtp.helo=mrd.us-east-1a.returnpath.net; dmarc=none (Policy up to you. No DMARC record found) header.from=terrafbl.senderscore.net
X-DMARC-Results: none
X-SPF-Results: pass
Received-SPF: pass (mail.he.net: domain of bounce.mailstream.senderscore.net designates 54.84.12.226 as permitted sender) client-ip=54.84.12.226; envelope-from=fbl@bounce.mailstream.senderscore.net; helo=mrd.us-east-1a.returnpath.net;
X-DKIM-Results: pass
Received: from mrd.us-east-1a.returnpath.net (mrd.us-east-1a.returnpath.net [54.84.12.226]) by he.net with ESMTPS (TLS_AES_256_GCM_SHA384:TLSv1.3:Kx=any:Au=any:Enc=AESGCM(256):Mac=AEAD) for <abuse@he.net>; Fri, 24 Mar 2023 05:21:54 -0700
Received: (Haraka outbound); Fri, 24 Mar 2023 12:21:53 +0000
Received: from localhost ([10.252.144.226]) by mrd.us-east-1a.returnpath.net (Haraka/2.8.28) with ESMTP id A8F1F9DD-D380-4311-8351-AA729BB2BE20.1 envelope-from <fbl@bounce.mailstream.senderscore.net>; Fri, 24 Mar 2023 12:21:53 +0000
Subject: Terra Abuse Report
From: Terra FBL Service <feedbackloop@terrafbl.senderscore.net>
Date: Fri, 24 Mar 2023 12:21:53 +0000
Mime-Version: 1.0
X-Rp-Fbl: type=arf; subscriptionID=241378
Content-Type: multipart/report; report-type=feedback-report; boundary=9d2fb1fc9c947ffc232c186782fc1b4aaf5eedaa2e8017bfce3d0e94aee0
Message-Id: <01GW9S2Y1K9S5SWZRZB9P864TG.fbl@bounce.mailstream.senderscore.net>
To: abuse@he.net
DKIM-Signature: v=1;a=rsa-sha256;bh=SnNdbWtFcIUlOne3VuazZQ8MSFEAKZlebEuCJQZyIgk=;c=relaxed/simple;d=senderscore.net;h=from:to:subject;s=081107;b=vwf8KX9rf1MCanxqKaF6Rwf8DYB/5PMb6WAR+9pbFv1aVvNx3DmS9Odh3kTkRrtagAB0sC0cE19vCSTle9SyMSeuRyy2119gAfgb9J2PAo3DIga+qzJCtsGck2T8VC5fnOVxRYJg1zNKoFcSne5u/9Kcwy1i76rnJ0S6qJiVpgU=

--9d2fb1fc9c947ffc232c186782fc1b4aaf5eedaa2e8017bfce3d0e94aee0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

This is a Terra Abuse Report for an email message received from domain bund=
er.my.id, IP 65.19.141.67, on Tue, 28 Feb 2023 21:38:50 +0000.

--9d2fb1fc9c947ffc232c186782fc1b4aaf5eedaa2e8017bfce3d0e94aee0
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: message/feedback-report

Version: 1
Arrival-Date: Tue, 28 Feb 2023 21:38:50 +0000
Original-Mail-From: support@bunder.my.id
Abuse-Type: complaint
Subscription-Link: https://fbl.returnpath.net/manage/subscriptions/241378
User-Agent: ReturnPathFBL/2.0
Original-Rcpt-To: eb9538615f462d0de4fc3ef6b78b2567@terra.com.br
Reported-Domain: bunder.my.id
Source-Ip: 65.19.141.67
Source: Terra
Feedback-Type: abuse

--9d2fb1fc9c947ffc232c186782fc1b4aaf5eedaa2e8017bfce3d0e94aee0
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: message/rfc822

Return-Path: <support@bunder.my.id>
Delivered-To: 004734933d6e2dd86ec9019171129540@terra.com.br
Received: from mail-proxy03-mia.tpn.terra.com ([208.84.242.88]) by mail-trr-box15-mia.tpn.terra.com with LMTP id oLPRJXF0/mMy2AEA9pqQ4A for <004734933d6e2dd86ec9019171129540@terra.com.br>; Tue, 28 Feb 2023 21:38:57 +0000
Received: from cmgw ([208.84.242.88]) by mail-proxy03-mia.tpn.terra.com with LMTP id yN2LLW90/mMS7QEAR65jug ; Tue, 28 Feb 2023 21:38:57 +0000
Received: from johnny.heliohost.org ([65.19.141.67]) by mail-cmgw-in07-mia.tpn.terra.com with ESMTP id X7gRp4ewlpcl8X7gTprKTb; Tue, 28 Feb 2023 21:38:54 +0000
X-Terra-Spam: No
X-CMAE-Analysis: v=2.3 cv=XPNOtjpE c=1 sm=1 tr=0 a=QxEgMx/s3b230QKQu9V1uw==:117 a=QxEgMx/s3b230QKQu9V1uw==:17 a=m04uMKEZRckA:10 a=r77TgQKjGQsHNAKrUKIA:9 a=xgFWuFCl1Ux1yQevzSEA:9 a=CjuIK1q_8ugA:10
X-CMAE-Score: 0
Received: by johnny.heliohost.org (Postfix, from userid 10411) id 0BF80402F8F4; Tue, 28 Feb 2023 21:38:51 +0000 (UTC)
To: "0856492f4c532a9a5ae6086260cb7cb3 04cec7ce92eb9ad836da62cc8c526019" <eb9538615f462d0de4fc3ef6b78b2567@terra.com.br>
Subject: 111
Date: Tue, 28 Feb 2023 21:38:50 +0000
From: support@bunder.my.id
Message-ID: <e6840e9fcc8446fc0d29774778a64934@bunder.my.id>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1_e6840e9fcc8446fc0d29774778a64934"
Content-Transfer-Encoding: 8bit
X-PPP-Message-ID: <167762033079.29295.9162551223616650781@johnny.heliohost.org>
X-PPP-Vhost: yoe06.heliohost.us
X-CMAE-Envelope: MS4wfErSt2kCFv9nKpE17Lxhn6JtK15vrioxLAEzKv9gFKU/bBtSxwwBP8K+PUe9GOJbbi8ZTxNVW4R78oRWX+1kmqE2icIkWBbKwwmBME4gdFoAoE6rM+cW ZtpU71GjCXUj7Bo6Wyst2aiaMzOXJ1375gnURpxr/1dVn6A+iYJuL/BM

--b1_e6840e9fcc8446fc0d29774778a64934
Content-Type: text/plain; charset=us-ascii

sa

--b1_e6840e9fcc8446fc0d29774778a64934
Content-Type: text/html; charset=us-ascii

sa

--b1_e6840e9fcc8446fc0d29774778a64934--

--9d2fb1fc9c947ffc232c186782fc1b4aaf5eedaa2e8017bfce3d0e94aee0--

We have received a complaint about your account. Please investigate and fix within 24 hours.

Hurricane Electric Abuse Department
support@he.net

From fbl@bounce.mailstream.senderscore.net Sun Mar 19 17:17:38 2023
Return-Path: <fbl@bounce.mailstream.senderscore.net>
X-Original-To: report@abuse.he.net
Delivered-To: report@abuse.he.net
Received: from mail.he.net (mail.he.net [216.218.186.2]) by abuse.he.net (Postfix) with ESMTPS id 0FC511EA0783 for <report@abuse.he.net>; Sun, 19 Mar 2023 17:17:36 -0700 (PDT)
Authentication-Results: abuse.he.net; dkim=pass reason="1024-bit key; insecure key" header.d=senderscore.net header.i=@senderscore.net header.b=oEFq8rX4; dkim-adsp=none (insecure policy); dkim-atps=neutral
Authentication-Results: mail.he.net; dkim=pass (no signature error) header.i=@senderscore.net header.s=081107 header.b=oEFq8rX4; spf=pass (mail.he.net: domain of bounce.mailstream.senderscore.net designates 54.84.12.226 as permitted sender) smtp.mailfrom=fbl@bounce.mailstream.senderscore.net smtp.helo=mrd.us-east-1a.returnpath.net; dmarc=none (Policy up to you. No DMARC record found) header.from=terrafbl.senderscore.net
X-DMARC-Results: none
X-SPF-Results: pass
Received-SPF: pass (mail.he.net: domain of bounce.mailstream.senderscore.net designates 54.84.12.226 as permitted sender) client-ip=54.84.12.226; envelope-from=fbl@bounce.mailstream.senderscore.net; helo=mrd.us-east-1a.returnpath.net;
X-DKIM-Results: pass
Received: from mrd.us-east-1a.returnpath.net (mrd.us-east-1a.returnpath.net [54.84.12.226]) by he.net with ESMTPS (TLS_AES_256_GCM_SHA384:TLSv1.3:Kx=any:Au=any:Enc=AESGCM(256):Mac=AEAD) for <abuse@he.net>; Sun, 19 Mar 2023 17:16:31 -0700
Received: (Haraka outbound); Mon, 20 Mar 2023 00:16:30 +0000
Received: from localhost ([10.252.144.144]) by mrd.us-east-1a.returnpath.net (Haraka/2.8.28) with ESMTP id 9116F793-039D-4E15-84EC-D0B075D1CF45.1 envelope-from <fbl@bounce.mailstream.senderscore.net>; Mon, 20 Mar 2023 00:16:30 +0000
Message-Id: <01GVY5ZV4HM6RCYWTRKFF3SMPW.fbl@bounce.mailstream.senderscore.net>
To: abuse@he.net
Subject: Terra Abuse Report
From: Terra FBL Service <feedbackloop@terrafbl.senderscore.net>
Date: Mon, 20 Mar 2023 00:16:30 +0000
Mime-Version: 1.0
X-Rp-Fbl: type=arf; subscriptionID=241378
Content-Type: multipart/report; report-type=feedback-report; boundary=9388b03922054cdb4eda0d6e270a7edf8936ad0865603869a2d674e6bfca
DKIM-Signature: v=1;a=rsa-sha256;bh=EyRctsEeRiHeBzs8k3oUAnZQGq30PMKlh6mNURiFKgo=;c=relaxed/simple;d=senderscore.net;h=from:to:subject;s=081107;b=oEFq8rX4A3wGMu3tNc1OXev5kOeWW/4ckv7vC9IsR8LRPgFbvF3MEd/A0lY089mWQofN8B5JTRJeg9PaYKYiez0FNOv4hG/RpxmZK3+jYZsRtyVpJfXSmqRolg0HjP2YC04Cmx9F2gaqdFYFID8UgnuHomUYD6LGDEuvXOnL49Q=

--9388b03922054cdb4eda0d6e270a7edf8936ad0865603869a2d674e6bfca
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

This is a Terra Abuse Report for an email message received from domain yoe0=
6.heliohost.us, IP 65.19.141.67, on Wed, 01 Mar 2023 11:43:53 +0000.

--9388b03922054cdb4eda0d6e270a7edf8936ad0865603869a2d674e6bfca
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: message/feedback-report

Original-Rcpt-To: eb9538615f462d0de4fc3ef6b78b2567@terra.com.br
Source-Ip: 65.19.141.67
Abuse-Type: complaint
Feedback-Type: abuse
User-Agent: ReturnPathFBL/2.0
Version: 1
Arrival-Date: Wed, 01 Mar 2023 11:43:53 +0000
Original-Mail-From: yoe06@yoe06.heliohost.us
Reported-Domain: yoe06.heliohost.us
Source: Terra
Subscription-Link: https://fbl.returnpath.net/manage/subscriptions/241378

--9388b03922054cdb4eda0d6e270a7edf8936ad0865603869a2d674e6bfca
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: message/rfc822

Return-Path: <yoe06@yoe06.heliohost.us>
Delivered-To: 004734933d6e2dd86ec9019171129540@terra.com.br
Received: from mail-proxy05-mia.tpn.terra.com ([208.84.242.111]) by mail-trr-box15-mia.tpn.terra.com with LMTP id wKi5KIA6/2NiCQAA9pqQ4A for <004734933d6e2dd86ec9019171129540@terra.com.br>; Wed, 01 Mar 2023 11:44:00 +0000
Received: from cmgw ([208.84.242.111]) by mail-proxy05-mia.tpn.terra.com with LMTP id SKtJDoA6/2MdXgEAIU0ysA ; Wed, 01 Mar 2023 11:44:00 +0000
Received: from johnny.heliohost.org ([65.19.141.67]) by mail-cmgw-in17-mia.tpn.terra.com with ESMTP id XKsFp780CyhsEXKsHpJjZh; Wed, 01 Mar 2023 11:44:00 +0000
X-Terra-Spam: No
X-CMAE-Analysis: v=2.3 cv=epKhMbhX c=1 sm=1 tr=0 a=QxEgMx/s3b230QKQu9V1uw==:117 a=QxEgMx/s3b230QKQu9V1uw==:17 a=8nJEP1OIZ-IA:10 a=k__wU0fu6RkA:10 a=v0iDO7klbHDT2XZXJOUA:9 a=wPNLvfGTeEIA:10
X-CMAE-Score: 0
Received: by johnny.heliohost.org (Postfix, from userid 10411) id 01A994063284; Wed, 1 Mar 2023 11:43:53 +0000 (UTC)
To: "0856492f4c532a9a5ae6086260cb7cb3 04cec7ce92eb9ad836da62cc8c526019" <eb9538615f462d0de4fc3ef6b78b2567@terra.com.br>
Subject: bunder1
MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
X-Mailer: Microsoft Office Outlook, Build 17.551210
X-Priority: 1
X-MSmail-Priority: High
From: <sac@bradesco.com.br>
X-PPP-Message-ID: <167767103359.26215.9305641372538039991@johnny.heliohost.org>
X-PPP-Vhost: yoe06.heliohost.us
Message-Id: <20230301114354.01A994063284@johnny.heliohost.org>
Date: Wed, 1 Mar 2023 11:43:53 +0000 (UTC)
X-CMAE-Envelope: MS4wfHYHS7YZ+ObaIHDO4mUc9LId6QQuNGxl0THmKR15lCyLZAMKdqG/UJwv7oh+hG5/cNjYRVb8mjbVtAFTPZfs7DFcmztiqzQ6Y46babPpguKVpq77EVJW xDBqtQez6tWE2p6ihk5Jzya6boifrAInlRIc5rQp+pOA3e9Z44estkC6vBjJ3tEUg0oFYHDfwZ9vBg==

as

--9388b03922054cdb4eda0d6e270a7edf8936ad0865603869a2d674e6bfca--
Kairion, posted March 27, 2023
Just a correction regarding Terra abuse report emails: they do have the message contents, though it may be difficult to read.

First message:

To: "0856492f4c532a9a5ae6086260cb7cb3 04cec7ce92eb9ad836da62cc8c526019" <eb9538615f462d0de4fc3ef6b78b2567@terra.com.br>
Subject: 111
Date: Tue, 28 Feb 2023 21:38:50 +0000
From: support@bunder.my.id
Message: sa

Second message:

To: "0856492f4c532a9a5ae6086260cb7cb3 04cec7ce92eb9ad836da62cc8c526019" <eb9538615f462d0de4fc3ef6b78b2567@terra.com.br>
Subject: bunder1
MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
X-Mailer: Microsoft Office Outlook, Build 17.551210
X-Priority: 1
X-MSmail-Priority: High
From: <sac@bradesco.com.br>
Date: Wed, 1 Mar 2023 11:43:53 +0000 (UTC)
Message: as

Please note that the second message was sent from Microsoft Outlook, not directly from your server's account (i.e., without using a mail client), so either you got your email account credentials stolen or your device is infected with some kind of malware. That second message even tried to spoof the from address, trying to impersonate a customer service email address (sac@bradesco.com.br) from a Brazilian bank (Bradesco) while in fact being sent from yoe06@yoe06.heliohost.us.

Please also note that both messages do not seem to be automatically reported by Terra's mailing system (X-Terra-Spam: No), but rather manually flagged as spam/reported by the receiver, which in both cases is the same (eb9538615f462d0de4fc3ef6b78b2567@terra.com.br), but it is possible I am misinterpreting it.
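The checks Kairion walks through above (envelope sender recorded by the feedback loop, source IP, and the embedded message's visible From: pointing at a different domain) can be automated for incoming ARF reports. The following is an added example, not code from the thread or from HelioHost; it parses a constructed RFC 5965 report shaped like the Terra ones, with every address, domain and IP being a placeholder:

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed ARF (RFC 5965) report shaped like the feedback-loop reports quoted
# in the thread; every address, IP and domain below is a placeholder.
SAMPLE_ARF = """\
From: FBL Service <fbl@fbl.example>
To: abuse@host.example
Content-Type: multipart/report; report-type=feedback-report; boundary=b1

--b1
Content-Type: message/feedback-report

Feedback-Type: abuse
Original-Mail-From: user@user.host.example
Source-Ip: 192.0.2.10
Reported-Domain: user.host.example

--b1
Content-Type: message/rfc822

Return-Path: <user@user.host.example>
From: <sac@bank.example>
Subject: bunder1
X-Mailer: Microsoft Office Outlook, Build 17.551210

as
--b1--
"""

def _domain(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def analyze_arf(raw):
    """Extract the feedback fields and the offending message's visible sender,
    and flag a From: whose domain differs from the recorded envelope sender."""
    msg = email.message_from_string(raw, policy=policy.default)
    out = {}
    for part in msg.walk():
        if part.get_content_type() == "message/feedback-report":
            fields = part.get_payload(0)  # report fields parse as nested headers
            for k in ("Feedback-Type", "Original-Mail-From", "Source-Ip", "Reported-Domain"):
                out[k] = str(fields[k])
        elif part.get_content_type() == "message/rfc822":
            inner = part.get_payload(0)  # the complained-about message itself
            out["header_from"] = parseaddr(str(inner["From"]))[1]
            out["x_mailer"] = str(inner.get("X-Mailer", ""))
    out["from_spoofed"] = _domain(out["header_from"]) != _domain(out["Original-Mail-From"])
    return out
```

On the sample, `from_spoofed` is true because the visible sender is at bank.example while the envelope sender the feedback loop recorded is at user.host.example, the same mismatch Kairion points out between sac@bradesco.com.br and yoe06@yoe06.heliohost.us.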
wolstech, posted March 27, 2023
Did some digging... the yoe06@yoe06.heliohost.us account was used to spew bogus emails (and text messages via SMTP->SMS gateways). Tons of NDR notices for emails that just have "bunder <random numbers>" as the body, or the above "sa" and "as". I'm guessing a cybercriminal verifying emails considering there's no meaningful content in any of them. The abuse reports above have hashed emails as the recipients.

WordPress is very clearly hacked, and the account is full of malware. I see:
- At least 2 dropper scripts
- What I think is a bot for a botnet
- A script meant to exfiltrate phished credentials
- A phishing site

Time for a new account...
wolstech, posted March 27, 2023
Invite for replacement account has been sent. Let us know when it's set up and I can have Krydos move your domains to the new account.
wolstech, posted March 28, 2023
Also, do you want your forum accounts merged? You have 3 forum accounts (yoe06, yoe2006, yoefie), and it looks like you've posted from both yoe06 and yoe2006.
yoe06 (author), posted March 28, 2023
19 hours ago, wolstech said:
Also, do you want your forum accounts merged? You have 3 forum accounts (yoe06, yoe2006, yoefie), and it looks like you've posted from both yoe06 and yoe2006.

If that's possible, that's fine, because the yoe2006 and yoefie accounts can no longer be accessed.
yoe06 (author), posted March 28, 2023
21 hours ago, wolstech said:
Invite for replacement account has been sent. Let us know when it's set up and I can have Krydos move your domains to the new account.

I have created a new account with yoefie; hopefully nothing like yesterday will happen again.
wolstech, posted March 28, 2023
OK, I'll have Krydos move your domains onto the new account for you.
yoe06 (author), posted March 28, 2023
22 hours ago, Kairion said:
Just a correction regarding Terra abuse report emails: they do have the message contents, though it may be difficult to read. Please note that the second message was sent from Microsoft Outlook, not directly from your server's account (i.e., without using a mail client), so either you got your email account credentials stolen or your device is infected with some kind of malware. That second message even tried to spoof the from address, trying to impersonate a customer service email address (sac@bradesco.com.br) from a Brazilian bank (Bradesco) while in fact being sent from yoe06@yoe06.heliohost.us. Please also note that both messages do not seem to be automatically reported by Terra's mailing system (X-Terra-Spam: No), but rather manually flagged as spam/reported by the receiver, which in both cases is the same (eb9538615f462d0de4fc3ef6b78b2567@terra.com.br), but it is possible I am misinterpreting it.

I never send email using my own domain. I created an email account with my domain for me to switch to Gmail.