Getting spam on certain accounts

[ayu]

I have an easyjet account, with a unique mail alias "easyjet@mydomain.tld", including a jetstrap account for making bootstrap sites with the same setup for the mail.
This means that I ONLY use those mail aliases on those sites (I have a very special system, with one email per account I create on any site, thus I have loads of addresses on my server).

Anyway, so yesterday and today I got spam with attached malware on the two addresses mentioned above.
And I'm trying to figure out why.

I have not ruled out the possibility of my server being hacked, but since I've only receieved spam on two addresses thus far, I see that as unlikely.
I have contacted easyjer and jetstrap about this, and so far I've only gotten a reply from easyjet, with a super idiotic reply that only really tells me that they have no idea what they are talking about.

What I wonder now, is if other Suck-o members have easyjet or jetstrap accounts, and have gotten spam in the recent days that can be connected to this?

[bad_brain]

hm, I have no accounts there, but have you checked your server logs for incoming mail attempts that might point to a wordlist for example? also have you checked the mail headers, just to make sure the mails were really for those addresses and your mail server is not badly configured and treats accounts like catchall addresses (for example)?

I get spammed on one of my accounts too, which is pretty strange because it's a business account which isn't displayed anywhere in public, and all spam is russian one....

[ayu]

hm, I have no accounts there, but have you checked your server logs for incoming mail attempts that might point to a wordlist for example? also have you checked the mail headers, just to make sure the mails were really for those addresses and your mail server is not badly configured and treats accounts like catchall addresses (for example)?

I get spammed on one of my accounts too, which is pretty strange because it's a business account which isn't displayed anywhere in public, and all spam is russian one....

Yeah the headers have been checked and they are sent to those addresses specifically, and I would never use catch all, not anymore at least xD

Will check the logs though, good idea!

[ayu]

Logs doesn't indicate anything of interest really.
Only emails that have been recieved are for those addresses.

Code: Select all

Nov 26 14:00:57 mai postfix/smtpd[3268]: connect from 125-230-210-168.dynamic.hinet.net[125.230.210.168]
Nov 26 14:00:59 mai postfix/smtpd[3268]: XXXXXXXXX: client=125-230-210-168.dynamic.hinet.net[125.230.210.168]
Nov 26 14:01:00 mai postfix/cleanup[3272]: XXXXXXXXX: message-id=<XXXXXXX.XXXXXXXXX@bordmanjzfi.uaaghmvjoscsfmp.ru>
Nov 26 14:01:01 mai postfix/qmgr[2483]: XXXXXXXXX: from=<office@autokreditbank.ru>, size=98409, nrcpt=1 (queue active)
Nov 26 14:01:01 mai postfix/virtual[3273]: XXXXXXXXX: to=<mainaccount@mydomain.se>, orig_to=<easyjet@mydomain.se>, relay=virtual, delay=2.7, delays=2.7/0.01/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
Nov 26 14:01:01 mai postfix/qmgr[2483]: XXXXXXXXX: removed

[bad_brain]

ahh...good ol' hinet.
wouldn't worry about being compromised, the whole hinet IP range is one big spamhole, best is to either block the whole ranges completely by route reject because nothing good ever came from there anyway, or to use postgrey.
how they got your mail addresses is of course hard to say, it's possible they used a wordlist and fired out mails to whole IP ranges (that's what they usually do, and that's also why greylisting works so well against them), another option might be your mail address was in the database of a pwnd site or an infected private computer....good idea would be to see if google comes up with a result for the addresses.

[ayu]

ahh...good ol' hinet.
wouldn't worry about being compromised, the whole hinet IP range is one big spamhole, best is to either block the whole ranges completely by route reject because nothing good ever came from there anyway, or to use postgrey.
how they got your mail addresses is of course hard to say, it's possible they used a wordlist and fired out mails to whole IP ranges (that's what they usually do, and that's also why greylisting works so well against them), another option might be your mail address was in the database of a pwnd site or an infected private computer....good idea would be to see if google comes up with a result for the addresses.

Yeah did some searching, but nothing comes up (yet).
Will keep an eye out though, and bomb/spam the easyjet and jestrap support a bit until they can give a more professional answer ^^

[bad_brain]

until they can give a more professional answer ^^

well, it's almost christmas time, miracles happen then...