Compromised University Server being used to send out Spam
When I investigated further, trying to pinpoint the source of the UK Lottery Scam email, I discovered that a university server was compromised and in turn was being used to send out spam emails.
Return-Path: <claimsagent_alenfoster207@yahoo.co.uk>
Received: from mail.westmont.edu (mail.westmont.edu [64.136.190.200])
by mx.google.com with ESMTP id b2si6730331rvf.2007.08.10.20.50.01;
Fri, 10 Aug 2007 20:50:32 -0700 (PDT)
Received-SPF: neutral (google.com: 64.136.190.200 is neither permitted nor denied by domain of claimsagent_alenfoster207@yahoo.co.uk) client-ip=64.136.190.200;
Received: from localhost (ns1.westmont.edu [10.50.10.1])
by mail.westmont.edu (Postfix) with ESMTP id 2B654C278C6;
Fri, 10 Aug 2007 20:48:00 -0700 (PDT)
Received: from 81.199.63.50.rmts.satcom-systems.net
(81.199.63.50.rmts.satcom-systems.net [81.199.63.50]) by
webmail.westmont.edu (Horde MIME library) with HTTP; Fri, 10 Aug 2007
20:47:58 -0700
Message-ID: <20070810204758.hhdwcd108c8g00gw@webmail.westmont.edu>
X-Priority: 3 (Normal)
Date: Fri, 10 Aug 2007 20:47:58 -0700
From: UK NATIONAL LOTTERY <claimsagent_alenfoster207@yahoo.co.uk>
Reply-to: claimsagent_alenfoster2000@yahoo.co.uk
To: undisclosed-recipients:;
Subject: YOU WON
User-Agent: Internet Messaging Program (IMP) H3 (4.0.4-RC2)
Observations
1. Google is hosting the email of this university
2. Spammers are using a university email server, that of westmont.edu (Westmont College in California, USA), to send out a UK Lottery Scam email.
3. Does this mean we are dealing with a hacked email account of a Westmont student, a hacked email server of Westmont College, or is webmail.westmont.edu an open relay server which spammers can use to bounce email off and make it appear as if the email was coming from Westmont College?
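One way to answer question 3 from the headers alone is to walk the Received chain oldest-first and see how the message entered the first server. The script below is an added example, not part of the original post; it uses the three Received headers shown above, with the indentation of the continuation lines restored as an assumption about the original folding.

```python
import email
import ipaddress
import re

# Received headers copied from the message above; continuation lines are
# re-indented (assumed original folding) so the parser treats them as one header.
RAW = """\
Received: from mail.westmont.edu (mail.westmont.edu [64.136.190.200])
 by mx.google.com with ESMTP id b2si6730331rvf.2007.08.10.20.50.01;
 Fri, 10 Aug 2007 20:50:32 -0700 (PDT)
Received: from localhost (ns1.westmont.edu [10.50.10.1])
 by mail.westmont.edu (Postfix) with ESMTP id 2B654C278C6;
 Fri, 10 Aug 2007 20:48:00 -0700 (PDT)
Received: from 81.199.63.50.rmts.satcom-systems.net
 (81.199.63.50.rmts.satcom-systems.net [81.199.63.50]) by
 webmail.westmont.edu (Horde MIME library) with HTTP; Fri, 10 Aug 2007
 20:47:58 -0700
"""

# from <helo> ... [<ip>] ... by <server> ... with <protocol>
HOP = re.compile(r"from\s+(?P<helo>\S+).*?\[(?P<ip>[0-9.]+)\].*?"
                 r"\bby\s+(?P<by>\S+).*?\bwith\s+(?P<proto>\w+)", re.S)

def trace_hops(raw):
    """Return hops oldest-first as dicts: helo, ip, by, proto, public."""
    msg = email.message_from_string(raw)
    hops = []
    # Each server prepends its header, so the last one listed is the oldest.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(value)
        if not m:
            continue  # unparseable hop: skip rather than guess
        hop = m.groupdict()
        hop["public"] = ipaddress.ip_address(hop["ip"]).is_global
        hops.append(hop)
    return hops

def classify_origin(hops):
    """Label how the message entered the first (oldest) server in the chain."""
    first = hops[0]
    if first["proto"].upper() == "HTTP":
        return "webmail submission from %s via %s" % (first["ip"], first["by"])
    if first["public"]:
        return "SMTP submission from external host %s" % first["ip"]
    return "internal origin %s" % first["ip"]

if __name__ == "__main__":
    print(classify_origin(trace_hops(RAW)))
```

Received lines written before the first server you trust can be forged, so the oldest hop only counts as evidence when, as here, it was added by the organisation's own host.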
Nearly all of the internet-connected computers that send email are controlled by spammers, according to Return Path, a company that compiles email reputation data.
Of the 20 million IP addresses that send email and are tracked by Return Path, only 0.9 per cent have earned a reputation score that will allow their emails to be delivered to Return Path clients. About 2.5 per cent encounter problems such as spam traps or having garnered too many complaints. But 96.7 per cent score so badly the sending computer is likely to be a hacked PC, the company said.
Spam makes up almost 75 per cent of all messages sent today, according to email security service Postini.
This email needs further investigation. I will follow up on this.
I just received a mail from the Associate Director of IT at Westmont College:
We have identified the true source of this compromise as not 64.136.190.200 but a webmail server on-campus that was hit by cross-site scripting.
That server has been removed from service. Now we are attempting to get our IP off the blacklists of aol, msn, hotmail, and a few others.
Any suggestions along that line would be greatly appreciated.
Thanks for the help.
John Rodkey
Associate Director of IT
Westmont College
Simon said,
January 9, 2011 @ 12:23 pm
ATTENTION: URGENT REPLY. PROF, DAVID DANKOR.
Saturday, 8 January 2011 13:07
From: "Prof, David Dankor"
To: a4a95614@telus.net
Western Union Money Transfer Service
Fastest Way to Transfer And Receive Money World Wide.
West Lane PO Box 8252, Accra, Ghana.
Tel:- (00) 233-249512957/FAX: +233-280-318204
http://www.westernunioncustomeronline@union.net
FROM THE CHIEF OPERATOR DEPARTMENT.
WESTERN UNION MONEY TRANSFER.
GLOBAL ACCESS.
ACCRA GHANA.
Attention Beneficiary,
Dear Friend.
I would like to express my gratitude to you for towards your fund that was brought to us. This is to inform you that we have started the transfer of your fund to you accordingly to our service permit, ($5000 USD per M.T.C.N pick-up) and you shall receive the total sum of $50,000 USD daily out of your $1,000.000.00 USD and the balance amount of $950,000.00 USD will be wired then after.
We have prepared ten M.T.C.N (Money Transfer Control Numbers) in your name, which will enable you pick up your fund from any nearest WESTERN UNION that is available to you in your Country once you meet up with our procedures.
Please what you are expected to do now is to send us your mobile/telephone contact together with your identification for verification before releasing to you immediately.
We shall provide you the ten M.T.C.N (Money Transfer Control Numbers) that is already available for pick up by you in any Western Union Office or Agent in your Country as soon you send us the needed information’s.
You have to call me after reading this mail for further discussion on how you can pick up your fund. In view, we wait for your response as we promise to give you an efficient and courteous service.
Regards.
Prof. David Dankor.
Western Union Chief System Operator.
(00) 233-249-512957.