Interesting spam sent via Exim...


Chirpy, perhaps you could be able to help? :)

Yesterday we got the warning from our Datacenter about phishing email sent.

We have reviewed logs and found some interesting things (partial logs of course).

2006-03-06 03:39:09 SMTP connection from []:3056 I=[OURIP]:25 (TCP/IP connection count = 3)
2006-03-06 03:39:10 no IP address found for host (during SMTP connection from (COMETTA) []:3056 I=[OURIP]:25)
2006-03-06 03:39:10 1FG4gn-0000UC-Qq <= [email protected] H=localhost (OURHOSTNAME) []:53606 I=[]:25 P=smtp S=32232 id=009901c4bb26$7a1b82ef$586ac347@ofkl T="Scanned cheque, $17,051.58 to your e-gold" from <[email protected]> for [email protected]
2006-03-06 03:39:10 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1FG4gn-0000UC-Qq
2006-03-06 03:39:10 SMTP connection from localhost (OURHOSTNAME) []:53606 I=[]:25 closed by QUIT
2006-03-06 03:39:11 1FG4gn-0000UC-Qq ** [email protected] F=<[email protected]> R=fail_remote_domains: unrouteable mail domain ""
2006-03-06 03:39:11 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1FG4gn-0000UC-Qq
It is clear that the email was not delivered (as relaying is forbidden, right?) - the emails were also unroutable, but some were mysteriously sent, as Spamcop got the report...

We have phpsuexec installed, mails from nobody are blocked, POP before SMTP is not allowed, just plain SMTP authorization, etc. What method was used to send these emails? I'm really confused...

EDIT: Looks like we have found something even more interesting... Check the domain and you will see that its A record is (!):
$ host
Using domain server:
Aliases: has address
The domain is hosted on the HostGator. We will contact them for explanations.
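As an added example (not the poster's own logs or a cPanel tool), a small Exim mainlog scanner in Python that flags the pattern shown in the post: a message accepted over SMTP from localhost (H=localhost, P=smtp) rather than handed in through the sendmail binary (P=local, U=user), joined to any later `**` failure line for the same queue id. The sample log lines, queue ids, addresses and IP addresses below are constructed placeholders.

```python
import re

# Constructed Exim mainlog sample modelled on the format quoted in the post;
# the addresses, hostnames and IPs are placeholders, not real indicators.
SAMPLE_LOG = """\
2006-03-06 03:39:10 1FG4gn-0000UC-Qq <= sender@example.invalid H=localhost (mail.example.net) [127.0.0.1]:53606 I=[127.0.0.1]:25 P=smtp S=32232 T="Scanned cheque" from <sender@example.invalid> for victim@example.net
2006-03-06 03:39:11 1FG4gn-0000UC-Qq ** victim@example.net F=<sender@example.invalid> R=fail_remote_domains: unrouteable mail domain "example.net"
2006-03-06 03:40:00 1FG4gn-0000UD-Aa <= alice@example.net U=alice P=local S=1200 T="hello" for bob@example.org
2006-03-06 03:41:00 1FG4gn-0000UE-Bb <= carol@example.org H=mx.example.org [203.0.113.7]:41000 I=[198.51.100.2]:25 P=esmtp S=2100 T="report" for bob@example.net
"""

ARRIVAL = re.compile(r'^(\S+ \S+) (\S+) <= (\S+) (.*)$')
FAILURE = re.compile(r'^\S+ \S+ (\S+) \*\* (\S+) .*R=(\S+):')


def parse_field(rest, key):
    """Return the value of a KEY=value token in the tail of an arrival line."""
    m = re.search(r'(?:^| )' + re.escape(key) + r'=(\S+)', rest)
    return m.group(1) if m else None


def scan(log_text):
    """Return {queue_id: record} for every message injected over SMTP from
    localhost, each annotated with its later '**' delivery failure, if any."""
    flagged = {}
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if m:
            ts, qid, sender, rest = m.groups()
            host = parse_field(rest, 'H')
            proto = parse_field(rest, 'P')
            # P=local (no H=, has U=) is the sendmail binary; P=smtp/esmtp with
            # H=localhost means something opened a TCP session to port 25 locally.
            if proto in ('smtp', 'esmtp') and host == 'localhost':
                flagged[qid] = {'time': ts, 'sender': sender,
                                'proto': proto, 'failure': None}
            continue
        m = FAILURE.match(line)
        if m:
            qid, rcpt, router = m.groups()
            if qid in flagged:
                flagged[qid]['failure'] = f'{rcpt} via {router}'
    return flagged


if __name__ == '__main__':
    for qid, rec in scan(SAMPLE_LOG).items():
        print(qid, rec)
```

Running it over a real /var/log/exim_mainlog narrows the search to messages that entered via the loopback SMTP listener, so the next step is to look at what process held the matching local source port at that timestamp.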