Compromised University Server being used to send out Spam

When I investigated further, trying to pinpoint the source of the UK Lottery Scam email, I discovered that a university server had been compromised and was in turn being used to send out spam emails. The full headers of the message are below.

Return-Path: <claimsagent_alenfoster207@yahoo.co.uk>
Received: from mail.westmont.edu (mail.westmont.edu [64.136.190.200])
by mx.google.com with ESMTP id b2si6730331rvf.2007.08.10.20.50.01;
Fri, 10 Aug 2007 20:50:32 -0700 (PDT)
Received-SPF: neutral (google.com: 64.136.190.200 is neither permitted nor denied by domain of claimsagent_alenfoster207@yahoo.co.uk) client-ip=64.136.190.200;
Received: from localhost (ns1.westmont.edu [10.50.10.1])
by mail.westmont.edu (Postfix) with ESMTP id 2B654C278C6;
Fri, 10 Aug 2007 20:48:00 -0700 (PDT)
Received: from 81.199.63.50.rmts.satcom-systems.net
(81.199.63.50.rmts.satcom-systems.net [81.199.63.50]) by
webmail.westmont.edu (Horde MIME library) with HTTP; Fri, 10 Aug 2007
20:47:58 -0700
Message-ID: <20070810204758.hhdwcd108c8g00gw@webmail.westmont.edu>
X-Priority: 3 (Normal)
Date: Fri, 10 Aug 2007 20:47:58 -0700
From: UK NATIONAL LOTTERY <claimsagent_alenfoster207@yahoo.co.uk>
Reply-to: claimsagent_alenfoster2000@yahoo.co.uk
To: undisclosed-recipients:;
Subject: YOU WON
User-Agent: Internet Messaging Program (IMP) H3 (4.0.4-RC2)

Observations

1. Google is hosting this university's inbound email: the final hop in the chain is mx.google.com.

2. Spammers are sending out a UK Lottery Scam email through a university email server, that of westmont.edu (Westmont College in California, USA).

3. Does this mean we are dealing with a hacked email account of a Westmont student, a hacked email server of Westmont College, or is webmail.westmont.edu an open relay that spammers can bounce email off to make it appear as if the email came from Westmont College?
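To answer that question from the headers alone, the Received: chain has to be read from the newest hop back to the oldest. The script below is an added example, not part of the original post: it parses the header block quoted above (reproduced here with its folded continuation lines re-indented so the standard library parser sees each field whole), rebuilds the hop chain in chronological order, finds the earliest hop with a public address, and flags any hop that was accepted over HTTP, which marks a webmail session rather than an SMTP relay. The regular expressions and field names are my own assumptions about the common Received: syntax, not anything from Postfix or Horde.

```python
"""Walk the Received: chain of the quoted lottery-scam message to locate its origin."""
import ipaddress
import re
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

# Constructed sample: the headers quoted in the post, with the folded
# continuation lines re-indented so the stdlib parser treats them as one field.
SAMPLE = """\
Return-Path: <claimsagent_alenfoster207@yahoo.co.uk>
Received: from mail.westmont.edu (mail.westmont.edu [64.136.190.200])
  by mx.google.com with ESMTP id b2si6730331rvf.2007.08.10.20.50.01;
  Fri, 10 Aug 2007 20:50:32 -0700 (PDT)
Received-SPF: neutral (google.com: 64.136.190.200 is neither permitted nor denied by domain of claimsagent_alenfoster207@yahoo.co.uk) client-ip=64.136.190.200;
Received: from localhost (ns1.westmont.edu [10.50.10.1])
  by mail.westmont.edu (Postfix) with ESMTP id 2B654C278C6;
  Fri, 10 Aug 2007 20:48:00 -0700 (PDT)
Received: from 81.199.63.50.rmts.satcom-systems.net
  (81.199.63.50.rmts.satcom-systems.net [81.199.63.50]) by
  webmail.westmont.edu (Horde MIME library) with HTTP; Fri, 10 Aug 2007
  20:47:58 -0700
Message-ID: <20070810204758.hhdwcd108c8g00gw@webmail.westmont.edu>
Date: Fri, 10 Aug 2007 20:47:58 -0700
From: UK NATIONAL LOTTERY <claimsagent_alenfoster207@yahoo.co.uk>
Reply-to: claimsagent_alenfoster2000@yahoo.co.uk
To: undisclosed-recipients:;
Subject: YOU WON
User-Agent: Internet Messaging Program (IMP) H3 (4.0.4-RC2)

"""

# Assumed shape of a Received: field: "from <helo> (<reverse-dns> [<ip>]) by <host> ... with <proto> ..."
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<paren>[^)]*)\))?"
    r"\s+by\s+(?P<by>\S+)"
    r"(?:.*?\bwith\s+(?P<proto>[A-Za-z]+))?",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


@dataclass
class Hop:
    helo: str            # name the client announced (or the webmail client's reverse DNS)
    ip: Optional[str]    # address the receiving server actually saw, if it recorded one
    by: str              # server that wrote this Received: line
    proto: Optional[str] # ESMTP, SMTP, HTTP, ...


def parse_received(value: str) -> Optional[Hop]:
    """Parse one Received: value; folded lines are flattened first."""
    flat = " ".join(value.split())
    m = HOP_RE.search(flat)
    if m is None:
        return None
    ipm = IP_RE.search(m.group("paren") or "")
    return Hop(m.group("helo"), ipm.group(1) if ipm else None, m.group("by"), m.group("proto"))


def hop_chain(raw: str) -> List[Hop]:
    """Return hops oldest first (each relay prepends its line, so we reverse)."""
    msg = message_from_string(raw)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    hops.reverse()
    return hops


def origin_hop(hops: List[Hop]) -> Optional[Hop]:
    """Earliest hop whose recorded address is globally routable (skips localhost/RFC1918)."""
    for h in hops:
        if h.ip and ipaddress.ip_address(h.ip).is_global:
            return h
    return None


def injection_points(hops: List[Hop]) -> List[str]:
    """Servers that accepted the message over HTTP, i.e. via a webmail session."""
    return [h.by for h in hops if (h.proto or "").upper() == "HTTP"]


def analyze(raw: str) -> dict:
    msg = message_from_string(raw)
    hops = hop_chain(raw)
    origin = origin_hop(hops)
    spf_parts = (msg.get("Received-SPF") or "").split()
    return {
        "hops": hops,
        "origin_ip": origin.ip if origin else None,
        "origin_helo": origin.helo if origin else None,
        "injection_points": injection_points(hops),
        "from_domain": parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower(),
        "message_id_domain": msg.get("Message-ID", "").strip("<> ").rpartition("@")[2].lower(),
        "spf": spf_parts[0].lower() if spf_parts else None,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE)
    for i, hop in enumerate(result["hops"], 1):
        print(f"hop {i}: {hop.helo} [{hop.ip}] -> {hop.by} via {hop.proto}")
    print("origin:", result["origin_ip"], "| webmail entry:", result["injection_points"])
    print("From domain:", result["from_domain"], "| Message-ID domain:", result["message_id_domain"])
```

Run against the quoted headers, the earliest hop is an external satcom-systems.net address handing the message to webmail.westmont.edu "with HTTP", and the Message-ID was minted by that webmail host while the From: claims a yahoo.co.uk address. That pattern points at a webmail login or a flaw in the webmail application rather than an open SMTP relay, which would show an SMTP hop from the outside address instead. The 64.136.190.200 address that Google's SPF check reports is only the last relay in the chain and should not be read as the source.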

Nearly all of the internet-connected computers that send email are controlled by spammers, according to Return Path, a company that compiles email reputation data.

Of the 20 million IP addresses that send email and are tracked by Return Path, only 0.9 per cent have earned a reputation score that will allow their emails to be delivered to Return Path clients. About 2.5 per cent encounter problems such as spam traps or having garnered too many complaints. But 96.7 per cent score so badly the sending computer is likely to be a hacked PC, the company said.

Spam makes up almost 75 per cent of all messages sent today, according to email security service Postini.

This email needs further investigation. I will follow up on this.

I just received a mail from the Associate Director of IT at Westmont College:

We have identified the true source of this compromise as not 64.136.190.200 but a webmail server on-campus that was hit by cross-site scripting.

That server has been removed from service. Now we are attempting to get our IP off the blacklists of aol, msn, hotmail, and a few others.

Any suggestions along that line would be greatly appreciated.

Thanks for the help.

John Rodkey
Associate Director of IT
Westmont College
