From: David Joyce
To: "freebsd-questions@freebsd.org"
Subject: Re: Spam to list participants (from openhosting.com & softcom.com)
Date: Wed, 30 Apr 2014 00:29:40 +0000
Message-ID: <3af52f184cc94a02946d36dd7e259d71@CorpEX01.ad1.softcom.biz>
References: <20140430073351.4383f0d2@X220.alogt.com>

Hi Erich,

I occasionally read this list and use FreeBSD once in a while.

Unlike that other provider we didn't just block a couple IP addresses.
We identified all servers purchased using similar information and shut
them down once we were made aware of the issue.

I did receive some spam messages after my post here, originating from
another hosting provider.

Unfortunately I can't provide too much information, but when looking at
the servers I found no obvious botnet traffic. There was no evidence
that the server was compromised. It appears the person who ordered the
server installed a PHP based application that was creating MySQL
connections to an Amazon AWS server, likely to obtain lists of fresh
email accounts to spam.

Again, if you notice any other of our servers involved in this, please
let me know by emailing abuse@myhosting.com so that I can do a more
detailed analysis and disable them as soon as possible.

Best Regards,
David