Mercury unwanted relaying :(

Sammy123

posted Apr 9 '09 at 9:41 pm

omg , im sooooooo stupid .... sorry [:$]

looks like a mail account that i made for testing purposes and deleted short time later . Im very sorry that ive wasted ur time with this [:'(]

Anyway .. thx 4 the help as i now understand much more of the functionality of mercury now [8-|] , if someone of u guys ever visit duesseldorf , Germany i invite u for a Drink

omg , im sooooooo stupid .... sorry [:$]looks like a mail account that i made for testing purposes and deleted short time later&nbsp; . Im very sorry that ive wasted ur time with this [:'(]Anyway .. thx 4 the help as i now understand much more of the functionality of mercury now&nbsp;[8-|] , if someone of u guys ever visit duesseldorf , Germany i invite u for a Drink [B]

Sammy123

posted Apr 6 '09 at 10:48 pm

Hi , i tried to use mercury for my personal mailadress and as an mailer for my private webpages . Unfortunately mercury relays some spam mail although i checked the "do not permit relaying of non local mail " and i also tried the "use strict relaying " :( anyone can tell me whats goin on there ?

as u can see in the picture an non local user send mail to nonlocal recipients and i dunno how he can do that ... :(

http://img23.imageshack.us/img23/9374/unbenanntkiw.jpg

Hi , i tried to use mercury for my personal mailadress and as an mailer for my private webpages . Unfortunately mercury relays some spam mail although i checked the "do not permit relaying of non local mail " and i also tried the "use strict relaying " :( anyone can tell me whats goin on there ?as u can see in the picture an non local user send mail to nonlocal recipients and i dunno how he can do that ... :( &nbsp;<a href="http://img23.imageshack.us/img23/9374/unbenanntkiw.jpg" mce_href="http://img23.imageshack.us/img23/9374/unbenanntkiw.jpg">http://img23.imageshack.us/img23/9374/unbenanntkiw.jpg&nbsp; </a>

Thomas R. Stephenson

posted Apr 7 '09 at 12:40 am

Hi , i tried to use mercury for my personal mailadress and as an
mailer for my private webpages . Unfortunately mercury relays some spam
mail although i checked the "do not permit relaying of non local mail "
and i also tried the "use strict relaying " :( anyone can tell me whats
goin on there ?

as u can see in the picture an non local user send mail to nonlocal recipients and i dunno how he can do that ... :(

Show us the [MercuryS] section of your mercury.ini file.

<blockquote>Hi , i tried to use mercury for my personal mailadress and as an mailer for my private webpages . Unfortunately mercury relays some spam mail although i checked the "do not permit relaying of non local mail " and i also tried the "use strict relaying " :( anyone can tell me whats goin on there ?</blockquote><blockquote>as u can see in the picture an non local user send mail to nonlocal recipients and i dunno how he can do that ... :( </blockquote>Show us the [MercuryS] section of your mercury.ini file.&nbsp;

Sammy123

posted Apr 7 '09 at 9:06 am

Hello Mr.Stephenson and thx for your reply , here it comes :

[MercuryS]
Debug : 0
HELO : mail.rayes.de
Logfile : C:\Programme\xampp\MERCURYMAIL\Logs\MERCURYS.LOG
Timeout : 20
Relay : 0
Strict_Relay : 1
8BitMime : 1
Interface : 83.136.81.6
Allow_Illegals : 0
SMTP_Authentication : 1
Auth_File : c:\programs\xampp\mercurymail\auth.pwd
Killfile : C:\Programs\xampp\mercurymail\killfile.txt
Session_logging : C:\Programs\xampp\MERCURYMAIL\Logs\sessionlogs
Session_logmode : 1
Compliance_Settings : 432
Maximum_Failed_Rcpts : 3
Max_Relay_Attempts : 2
SSL_Mode : 0
ST_Blacklisting : 288
No_VRFY : 1
SMTP_ConnFlags : 0

Hello Mr.Stephenson and thx for your reply , here it comes&nbsp; :[MercuryS] Debug : 0 HELO : mail.rayes.de Logfile : C:\Programme\xampp\MERCURYMAIL\Logs\MERCURYS.LOG Timeout : 20 Relay : 0 Strict_Relay : 1 8BitMime : 1 Interface : 83.136.81.6 Allow_Illegals : 0 SMTP_Authentication : 1 Auth_File : c:\programs\xampp\mercurymail\auth.pwd Killfile : C:\Programs\xampp\mercurymail\killfile.txt Session_logging : C:\Programs\xampp\MERCURYMAIL\Logs\sessionlogs Session_logmode : 1 Compliance_Settings : 432 Maximum_Failed_Rcpts : 3 Max_Relay_Attempts : 2 SSL_Mode : 0 ST_Blacklisting : 288 No_VRFY : 1 SMTP_ConnFlags : 0

Thomas R. Stephenson

posted Apr 7 '09 at 6:12 pm

Relay : 0
Strict_Relay : 1
8BitMime : 1
Interface : 83.136.81.6
Allow_Illegals : 0
SMTP_Authentication : 1
Auth_File : c:\programs\xampp\mercurymail\auth.pwd

Ok, the relaying is turned off and you are allowing relaying via authorized connections. Now you need to see what you have entered in the "Allow" section under connection control. If you checked the "Connections may relay through this server" control for any IP address Mercury will allow connections from this IP address to relay no matter what these settings say.

<blockquote>Relay : 0 Strict_Relay : 1 8BitMime : 1 Interface : 83.136.81.6 Allow_Illegals : 0 SMTP_Authentication : 1 Auth_File : c:\programs\xampp\mercurymail\auth.pwd</blockquote>Ok, the relaying is turned off and you are allowing relaying via authorized connections.&nbsp;&nbsp; Now you need to see what you have entered in the "Allow" section under connection control.&nbsp; If you checked the "Connections may relay through this server" control for any IP address Mercury will allow connections from this IP address to relay no matter what these settings say.

Sammy123

posted Apr 7 '09 at 6:43 pm

i dont have any allow entry at connection control ..... it drives me mad that some spammers abuse my mailserver :( , i checked everything i can imagine that would allow that :(

maybe its the MercuryE smtp end to end client ? without it i cant send any mail and i read in some tutorials that i need it ?! isnt the smtp server supposed to send the mail ?

i dont have any allow entry at connection control ..... it drives me mad that some spammers abuse my mailserver :( , i checked everything i can imagine that would allow that :(maybe its the MercuryE smtp end to end client ? without it i cant send any mail and i read in some tutorials that i need it ?! isnt the smtp server supposed to send the mail ?&nbsp;

Thomas R. Stephenson

posted Apr 7 '09 at 7:24 pm

i don't have any allow entry at connection control ..... it drives me
mad that some spammers abuse my mail server :( , i checked everything i
can imagine that would allow that :(

If you have no allows under connection conmtrol then I suspect that someone with the authorization username and password is sending via MercuryS

maybe its the MercuryE smtp
end to end client ? without it i cant send any mail and i read in some
tutorials that i need it ?! isnt the smtp server supposed to send the
mail ?

The SMTP function is split. MercuryS receives the mail; MercuryE (or MercuryC) sends the mail. Mail can also be received in the mail queue directly as a 101 file. Mail received via the queue is not tested for relaying since it's obviously comming from the local system.

<blockquote>i don't have any allow entry at connection control ..... it drives me mad that some spammers abuse my mail server :( , i checked everything i can imagine that would allow that :(</blockquote>If you have no allows under connection conmtrol then I suspect that someone with the authorization username and password is sending via MercuryS <blockquote>maybe its the MercuryE smtp end to end client ? without it i cant send any mail and i read in some tutorials that i need it ?! isnt the smtp server supposed to send the mail ?&nbsp;</blockquote>The SMTP function is split.&nbsp; MercuryS receives the mail; MercuryE (or MercuryC)&nbsp; sends the mail.&nbsp; Mail can also be received in the mail queue directly as a 101 file. &nbsp; Mail received via the queue is not tested for relaying since it's obviously comming from the local system.

Rolf Lindby

posted Apr 7 '09 at 8:39 pm

Could you show us the log entries from MercuryS and MercuryE for a spam message that was relayed?

/Rolf

Could you show us the log entries from MercuryS and MercuryE for a spam message that was relayed? /Rolf&nbsp;

Sammy123

posted Apr 7 '09 at 11:01 pm

in the mercuryS log i dont find any of the sender or recipient email adresses , if u like i can post the log but its about 4,5 MB big ;)

now im examing MercuryE log ... be right back

damn ... doesnt configured an MercuryE log :( but now its done ..... can examine it when it happens again .... what confuses me too is that a local account that dont exists seems to answer the spammer i marked it on that screenshot http://img13.imageshack.us/img13/3341/wootf.jpg

in the mercuryS log i dont find any of the sender or recipient email adresses , if u like i can post the log but its about 4,5 MB big ;)now im examing MercuryE log ... be right back damn ... doesnt configured an MercuryE log :( but now its done ..... can examine it when it happens again .... what confuses me too is that a local account that dont exists seems to answer the spammer i marked it on that screenshot <a href="http://img13.imageshack.us/img13/3341/wootf.jpg" target="_blank" mce_href="http://img13.imageshack.us/img13/3341/wootf.jpg">http://img13.imageshack.us/img13/3341/wootf.jpg </a>

Rolf Lindby

posted Apr 8 '09 at 12:00 am

Looks to me like the server is refusing relay attempts, and that the outgoing messages probably are failed delivery notifications for non-existent local addresses from Mercury postmaster. To avoid getting those, make sure that "Accept mail for invalid local addresses" isn't checked in MercuryS configuration.

/Rolf

Looks to me like the server is refusing relay attempts, and that the outgoing messages probably are failed delivery notifications for non-existent local addresses from Mercury postmaster. To avoid getting those, make sure that "Accept mail for invalid local addresses" isn't checked in MercuryS configuration./Rolf&nbsp;

Sammy123

posted Apr 8 '09 at 12:57 am

it wasnt checked ........ really strange ....

i mean im not dreaming , this guy somehow managed to relay / send messages because the queue was filled with messages ( that i delayed as far as i saw it )

it wasnt checked ........ really strange .... i mean im not dreaming , this guy somehow managed to relay / send messages because the queue&nbsp; was filled with messages ( that i delayed as far as i saw it )

Rolf Lindby

posted Apr 8 '09 at 2:40 am

Well, the message you marked in the Mercury core window isn't really relayed, it's causing a bounce notification or some other notification from Postmaster. If you still have the message files from the queue directory you can check the contents of the outgoing messages there.

/Rolf

Well, the message you marked in the Mercury core window isn't really relayed, it's causing a bounce notification or some other notification from Postmaster. If you still have the message files from the queue directory you can check the contents of the outgoing messages there./Rolf

Sammy123

posted Apr 9 '09 at 11:34 am

only got the spam messages in the queue , im waiting that he spams again now with mercuryE logged ....

dilberts_left_nut

posted Apr 9 '09 at 2:03 pm

It is the MercS sessiom log that will show what is happening.

Sammy123

posted Apr 9 '09 at 2:57 pm

Heres the session log , seems like he managed to authencitate , but just dunno how , got 5or 6 local users and i set all different passwords with 8 characters ... can i see somewhere which users credentials he abused ? :

10:35:11.312: Connection from 187.27.199.251, Mon Apr 06 10:35:11 2009<lf>
10:35:11.328: << 220 mail.rayes.de ESMTP server ready.<cr><lf>
10:35:21.359: >> EHLO User<cr><lf>
10:35:21.359: << 250-mail.rayes.de Hello User; ESMTPs are:<cr><lf>250-TIME<cr><lf>
10:35:21.359: << 250-SIZE 0<cr><lf>
10:35:21.359: << 250-8BITMIME<cr><lf>
10:35:21.359: << 250-AUTH CRAM-MD5 LOGIN<cr><lf>
10:35:21.359: << 250-AUTH=LOGIN<cr><lf>
10:35:21.359: << 250 HELP<cr><lf>
10:35:28.328: >> AUTH LOGIN<cr><lf>
10:35:28.328: << 334 VXNlcm5hbWU6<cr><lf>
10:35:32.765: >> dGVzdA==<cr><lf>
10:35:32.765: << 334 UGFzc3dvcmQ6<cr><lf>
10:35:36.406: >> dGVzdA==<cr><lf>
10:35:36.406: << 235 Authentication successful.<cr><lf>
10:35:41.421: >> RSET<cr><lf>
10:35:41.421: << 250 Command processed OK.<cr><lf>
10:35:52.937: >> MAIL FROM:<onlinejobs@gmail.com><cr><lf>
10:35:52.937: << 250 Sender OK - send RCPTs.<cr><lf>
10:35:57.437: >> RCPT TO:<martyseightysixed@yahoo.com><cr><lf>
10:35:57.437: << 250 Recipient OK - send RCPT or DATA.<cr><lf>
10:36:03.265: >> RCPT TO:<martyventura@metrocast.net><cr><lf>
10:36:03.265: << 250 Recipient OK - send RCPT or DATA.<cr><lf>
10:36:08.609: >> RCPT TO:<marvelis@sbcglobal.net><cr><lf>
10:36:08.609: << 250 Recipient OK - send RCPT or DATA.<cr><lf>
10:36:13.250: >> RCPT TO:<marvincarter63@sbcglobal.net><cr><lf>
10:36:13.250: << 250 Recipient OK - send RCPT or DATA.<cr><lf>
10:36:17.250: >> RCPT TO:<mary.suderley@nsc.com><cr><lf>
10:36:17.250: << 250 Recipient OK - send RCPT or DATA.<cr><lf>
10:36:27.078: >> RCPT TO:<mary.vaughn@flagstar.com><cr><lf>
10:36:27.078: << 250 Recipient OK - send RCPT or DATA.<cr><lf>
10:36:31.421: >> RCPT TO:<mary@artsbeatseats.com><cr><lf>
10:36:31.421: << 250 Recipient OK - send RCPT or DATA.<cr><lf>
10:36:35.000: >> RCPT TO:<mary@mleziva.com><cr><lf>
10:36:35.000: << 250 Recipient OK - send RCPT or DATA.<cr><lf>
10:36:39.281: >> RCPT TO:<mary@schmolkelaw.com><cr><lf>
10:36:39.281: << 250 Recipient OK - send RCPT or DATA.<cr><lf>
10:36:44.062: >> RCPT TO:<mary_bahnf@yahoo.com><cr><lf>
10:36:44.062: << 250 Recipient OK - send RCPT or DATA.<cr><lf>
10:36:49.500: >> DATA<cr><lf>
10:36:49.500: << 354 OK, send data, end with CRLF.CRLF<cr><lf>
10:36:55.062: >> Reply-To: <anthonyvassallo02@hotmail.com><cr><lf>
10:36:55.093: >> From: "GET PAID WITHOUT STRESS"<onlinejobs@gmail.com><cr><lf>
10:36:55.093: >> Subject: EARN EXTRA CASH WITHOUT QUITTING YOUR PRESENT JOB<cr><lf>
10:36:55.093: >> Date: Mon, 6 Apr 2009 09:36:12 -0700<cr><lf>
10:36:55.093: >> MIME-Version: 1.0<cr><lf>
10:36:55.093: >> Content-Type: text/plain;<cr><lf>
10:36:55.093: >> charset="Windows-1251"<cr><lf>
10:36:55.093: >> Content-Transfer-Encoding: 7bit<cr><lf>
10:36:55.093: >> X-Priority: 3<cr><lf>
10:36:55.093: >> X-MSMail-Priority: Normal<cr><lf>
10:36:55.093: >> X-Mailer: Microsoft Outlook Express 6.00.2800.1081<cr><lf>
10:36:55.093: >> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1081<cr><lf>
10:36:55.093: >> <cr><lf>
10:36:55.093: >> ****PLS READ CAREFULLY & REPLY BELOW IF INTERESTED IN GETTING PAID****<cr><lf>
10:36:55.093: >> <cr><lf>
10:36:55.093: >> Pls Pardon me for not having the pleasure of knowing your mindset before making you this offer. I write to solicit your services by offering you a lucrative job in which you would be earning alot of extra cash without quitting your present job or having any problems with your employers/ employees. <cr><lf>
10:36:55.093: >> <cr><lf>
10:36:55.093: >> I work with an independent group of investors in the UK and We supply metallic materials to some clients in the US. These Clients pay for the materials via BANK WIRE TRANSFERS, but we do not have a payment receiving personnel to help us receive the funds, so we approach you to help us receive these payments in your Account.<cr><lf>
10:36:55.093: >> <cr><lf>
10:36:57.046: >> This is a 100% legit job, we deal directly with the banks so you have nothing to worry about its legitimacy. All you have to do is simply to go withdraw the funds after they have been wired to you, take a 10% as your commission and send the remaining to our Associates. You require no fee to get started, infact you can withdraw all funds in your Account so you wont think we need your money or anything contrary to our terms and conditions. All we require is where our clients can wire funds to. Below is the list of Banks available for wire transfer, so if you have an account with any of the below banks, then indicate precisely the account you have and reply with your name and phone number.<cr><lf>
10:36:59.953: >> <cr><lf>
10:36:59.953: >> PLS INDICATE CLEARLY IF YOU HAVE AN ACCOUNT WITH ANY OF THESE BANKS<cr><lf>
10:36:59.953: >> *******************************************************************************************<cr><lf>
10:36:59.953: >> 1. Any Credit Card (not a debit card)<cr><lf>
10:36:59.953: >> 2. Any Business/ Company Account<cr><lf>
10:36:59.953: >> 3. Wellsfargo Bank<cr><lf>
10:36:59.953: >> 4. Bank of the West<cr><lf>
10:36:59.953: >> 5. Compass Bank<cr><lf>
10:36:59.953: >> 6. Trustmark National Bank<cr><lf>
10:36:59.953: >> 7. Hancock Bank<cr><lf>
10:36:59.953: >> 8. First Citizens Bank<cr><lf>
10:36:59.953: >> 9. Colonial Bank<cr><lf>
10:36:59.953: >> 10. US Bank<cr><lf>
10:36:59.953: >> 11. Arvest bank<cr><lf>
10:36:59.953: >> 12. City Bank<cr><lf>
10:36:59.953: >> 13. Bank of America<cr><lf>
10:36:59.953: >> <cr><lf>
10:36:59.953: >> If you have any of these accounts, then reply with your Name, phone number and the type of account you have, so we can contact you and give you commencement modalities.<cr><lf>
10:36:59.953: >> <cr><lf>
10:36:59.953: >> Best regards<cr><lf>
10:36:59.953: >> Mr. Anthony Vassallo (recruitment officer)<cr><lf>
10:36:59.953: >> anthonyvassallo01@gmail.com<cr><lf>
10:36:59.953: >> .<cr><lf>
10:36:59.953: << 250 Data received OK.<cr><lf>
10:37:02.453: >> QUIT<cr><lf>
10:37:02.453: << 221 mail.rayes.de Service closing channel.<cr><lf>
10:37:02.453: --- Connection closed normally at Mon Apr 06 10:37:02 2009. -

Heres the session log , seems like he managed to authencitate , but just dunno how , got 5or 6 local users and i set all different passwords with 8 characters ... can i see somewhere which users credentials he abused ? :10:35:11.312: Connection from 187.27.199.251, Mon Apr 06 10:35:11 2009&lt;lf&gt; 10:35:11.328: &lt;&lt; 220 mail.rayes.de ESMTP server ready.&lt;cr&gt;&lt;lf&gt; 10:35:21.359: &gt;&gt; EHLO User&lt;cr&gt;&lt;lf&gt; 10:35:21.359: &lt;&lt; 250-mail.rayes.de Hello User; ESMTPs are:&lt;cr&gt;&lt;lf&gt;250-TIME&lt;cr&gt;&lt;lf&gt; 10:35:21.359: &lt;&lt; 250-SIZE 0&lt;cr&gt;&lt;lf&gt; 10:35:21.359: &lt;&lt; 250-8BITMIME&lt;cr&gt;&lt;lf&gt; 10:35:21.359: &lt;&lt; 250-AUTH CRAM-MD5 LOGIN&lt;cr&gt;&lt;lf&gt; 10:35:21.359: &lt;&lt; 250-AUTH=LOGIN&lt;cr&gt;&lt;lf&gt; 10:35:21.359: &lt;&lt; 250 HELP&lt;cr&gt;&lt;lf&gt; 10:35:28.328: &gt;&gt; AUTH LOGIN&lt;cr&gt;&lt;lf&gt; 10:35:28.328: &lt;&lt; 334 VXNlcm5hbWU6&lt;cr&gt;&lt;lf&gt; 10:35:32.765: &gt;&gt; dGVzdA==&lt;cr&gt;&lt;lf&gt; 10:35:32.765: &lt;&lt; 334 UGFzc3dvcmQ6&lt;cr&gt;&lt;lf&gt; 10:35:36.406: &gt;&gt; dGVzdA==&lt;cr&gt;&lt;lf&gt; 10:35:36.406: &lt;&lt; 235 Authentication successful.&lt;cr&gt;&lt;lf&gt; 10:35:41.421: &gt;&gt; RSET&lt;cr&gt;&lt;lf&gt; 10:35:41.421: &lt;&lt; 250 Command processed OK.&lt;cr&gt;&lt;lf&gt; 10:35:52.937: &gt;&gt; MAIL FROM:&lt;onlinejobs@gmail.com&gt;&lt;cr&gt;&lt;lf&gt; 10:35:52.937: &lt;&lt; 250 Sender OK - send RCPTs.&lt;cr&gt;&lt;lf&gt; 10:35:57.437: &gt;&gt; RCPT TO:&lt;martyseightysixed@yahoo.com&gt;&lt;cr&gt;&lt;lf&gt; 10:35:57.437: &lt;&lt; 250 Recipient OK - send RCPT or DATA.&lt;cr&gt;&lt;lf&gt; 10:36:03.265: &gt;&gt; RCPT TO:&lt;martyventura@metrocast.net&gt;&lt;cr&gt;&lt;lf&gt; 10:36:03.265: &lt;&lt; 250 Recipient OK - send RCPT or DATA.&lt;cr&gt;&lt;lf&gt; 10:36:08.609: &gt;&gt; RCPT TO:&lt;marvelis@sbcglobal.net&gt;&lt;cr&gt;&lt;lf&gt; 10:36:08.609: &lt;&lt; 250 Recipient OK - send RCPT or DATA.&lt;cr&gt;&lt;lf&gt; 10:36:13.250: &gt;&gt; RCPT TO:&lt;marvincarter63@sbcglobal.net&gt;&lt;cr&gt;&lt;lf&gt; 10:36:13.250: &lt;&lt; 250 Recipient OK - send RCPT or DATA.&lt;cr&gt;&lt;lf&gt; 10:36:17.250: &gt;&gt; RCPT TO:&lt;mary.suderley@nsc.com&gt;&lt;cr&gt;&lt;lf&gt; 10:36:17.250: &lt;&lt; 250 Recipient OK - send RCPT or DATA.&lt;cr&gt;&lt;lf&gt; 10:36:27.078: &gt;&gt; RCPT TO:&lt;mary.vaughn@flagstar.com&gt;&lt;cr&gt;&lt;lf&gt; 10:36:27.078: &lt;&lt; 250 Recipient OK - send RCPT or DATA.&lt;cr&gt;&lt;lf&gt; 10:36:31.421: &gt;&gt; RCPT TO:&lt;mary@artsbeatseats.com&gt;&lt;cr&gt;&lt;lf&gt; 10:36:31.421: &lt;&lt; 250 Recipient OK - send RCPT or DATA.&lt;cr&gt;&lt;lf&gt; 10:36:35.000: &gt;&gt; RCPT TO:&lt;mary@mleziva.com&gt;&lt;cr&gt;&lt;lf&gt; 10:36:35.000: &lt;&lt; 250 Recipient OK - send RCPT or DATA.&lt;cr&gt;&lt;lf&gt; 10:36:39.281: &gt;&gt; RCPT TO:&lt;mary@schmolkelaw.com&gt;&lt;cr&gt;&lt;lf&gt; 10:36:39.281: &lt;&lt; 250 Recipient OK - send RCPT or DATA.&lt;cr&gt;&lt;lf&gt; 10:36:44.062: &gt;&gt; RCPT TO:&lt;mary_bahnf@yahoo.com&gt;&lt;cr&gt;&lt;lf&gt; 10:36:44.062: &lt;&lt; 250 Recipient OK - send RCPT or DATA.&lt;cr&gt;&lt;lf&gt; 10:36:49.500: &gt;&gt; DATA&lt;cr&gt;&lt;lf&gt; 10:36:49.500: &lt;&lt; 354 OK, send data, end with CRLF.CRLF&lt;cr&gt;&lt;lf&gt; 10:36:55.062: &gt;&gt; Reply-To: &lt;anthonyvassallo02@hotmail.com&gt;&lt;cr&gt;&lt;lf&gt; 10:36:55.093: &gt;&gt; From: "GET PAID WITHOUT STRESS"&lt;onlinejobs@gmail.com&gt;&lt;cr&gt;&lt;lf&gt; 10:36:55.093: &gt;&gt; Subject: EARN EXTRA CASH WITHOUT QUITTING YOUR PRESENT JOB&lt;cr&gt;&lt;lf&gt; 10:36:55.093: &gt;&gt; Date: Mon, 6 Apr 2009 09:36:12 -0700&lt;cr&gt;&lt;lf&gt; 10:36:55.093: &gt;&gt; MIME-Version: 1.0&lt;cr&gt;&lt;lf&gt; 10:36:55.093: &gt;&gt; Content-Type: text/plain;&lt;cr&gt;&lt;lf&gt; 10:36:55.093: &gt;&gt; &nbsp;&nbsp;&nbsp; charset="Windows-1251"&lt;cr&gt;&lt;lf&gt; 10:36:55.093: &gt;&gt; Content-Transfer-Encoding: 7bit&lt;cr&gt;&lt;lf&gt; 10:36:55.093: &gt;&gt; X-Priority: 3&lt;cr&gt;&lt;lf&gt; 10:36:55.093: &gt;&gt; X-MSMail-Priority: Normal&lt;cr&gt;&lt;lf&gt; 10:36:55.093: &gt;&gt; X-Mailer: Microsoft Outlook Express 6.00.2800.1081&lt;cr&gt;&lt;lf&gt; 10:36:55.093: &gt;&gt; X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1081&lt;cr&gt;&lt;lf&gt; 10:36:55.093: &gt;&gt; &lt;cr&gt;&lt;lf&gt; 10:36:55.093: &gt;&gt; ****PLS READ CAREFULLY &amp; REPLY BELOW IF INTERESTED IN GETTING PAID****&lt;cr&gt;&lt;lf&gt; 10:36:55.093: &gt;&gt;&nbsp; &lt;cr&gt;&lt;lf&gt; 10:36:55.093: &gt;&gt; Pls Pardon me for not having the pleasure of knowing your mindset before making you this offer. I write to solicit your services by offering you a lucrative job in which you would be earning alot of extra cash without quitting your present job or having any problems with your employers/ employees. &lt;cr&gt;&lt;lf&gt; 10:36:55.093: &gt;&gt; &lt;cr&gt;&lt;lf&gt; 10:36:55.093: &gt;&gt; I work with an independent group of investors in the UK and We supply metallic materials to some clients in the US. These Clients pay for the materials via BANK WIRE TRANSFERS, but we do not have a payment receiving personnel to help us receive the funds, so we approach you to help us receive these payments in your Account.&lt;cr&gt;&lt;lf&gt; 10:36:55.093: &gt;&gt; &lt;cr&gt;&lt;lf&gt; 10:36:57.046: &gt;&gt; This is a 100% legit job, we deal directly with the banks so you have nothing to worry about its legitimacy. All you have to do is simply to go withdraw the funds after they have been wired to you, take a 10% as your commission and send the remaining to our Associates. You require no fee to get started, infact you can withdraw all funds in your Account so you wont think we need your money or anything contrary to our terms and conditions. All we require is where our clients can wire funds to. Below is the list of Banks available for wire transfer, so if you have an account with any of the below banks, then indicate precisely the account you have and reply with your name and phone number.&lt;cr&gt;&lt;lf&gt; 10:36:59.953: &gt;&gt;&nbsp; &lt;cr&gt;&lt;lf&gt; 10:36:59.953: &gt;&gt; PLS INDICATE CLEARLY IF YOU HAVE AN ACCOUNT WITH ANY OF THESE BANKS&lt;cr&gt;&lt;lf&gt; 10:36:59.953: &gt;&gt; *******************************************************************************************&lt;cr&gt;&lt;lf&gt; 10:36:59.953: &gt;&gt; 1. Any Credit Card (not a debit card)&lt;cr&gt;&lt;lf&gt; 10:36:59.953: &gt;&gt; 2. Any Business/ Company Account&lt;cr&gt;&lt;lf&gt; 10:36:59.953: &gt;&gt; 3. Wellsfargo Bank&lt;cr&gt;&lt;lf&gt; 10:36:59.953: &gt;&gt; 4. Bank of the West&lt;cr&gt;&lt;lf&gt; 10:36:59.953: &gt;&gt; 5. Compass Bank&lt;cr&gt;&lt;lf&gt; 10:36:59.953: &gt;&gt; 6. Trustmark National Bank&lt;cr&gt;&lt;lf&gt; 10:36:59.953: &gt;&gt; 7. Hancock Bank&lt;cr&gt;&lt;lf&gt; 10:36:59.953: &gt;&gt; 8. First Citizens Bank&lt;cr&gt;&lt;lf&gt; 10:36:59.953: &gt;&gt; 9. Colonial Bank&lt;cr&gt;&lt;lf&gt; 10:36:59.953: &gt;&gt; 10. US Bank&lt;cr&gt;&lt;lf&gt; 10:36:59.953: &gt;&gt; 11. Arvest bank&lt;cr&gt;&lt;lf&gt; 10:36:59.953: &gt;&gt; 12. City Bank&lt;cr&gt;&lt;lf&gt; 10:36:59.953: &gt;&gt; 13. Bank of America&lt;cr&gt;&lt;lf&gt; 10:36:59.953: &gt;&gt;&nbsp; &lt;cr&gt;&lt;lf&gt; 10:36:59.953: &gt;&gt;&nbsp;&nbsp;&nbsp;&nbsp; If you have any of these accounts, then reply with your Name, phone number and the type of account you have, so we can contact you and give you commencement modalities.&lt;cr&gt;&lt;lf&gt; 10:36:59.953: &gt;&gt;&nbsp; &lt;cr&gt;&lt;lf&gt; 10:36:59.953: &gt;&gt; Best regards&lt;cr&gt;&lt;lf&gt; 10:36:59.953: &gt;&gt; Mr. Anthony Vassallo (recruitment officer)&lt;cr&gt;&lt;lf&gt; 10:36:59.953: &gt;&gt; anthonyvassallo01@gmail.com&lt;cr&gt;&lt;lf&gt; 10:36:59.953: &gt;&gt; .&lt;cr&gt;&lt;lf&gt; 10:36:59.953: &lt;&lt; 250 Data received OK.&lt;cr&gt;&lt;lf&gt; 10:37:02.453: &gt;&gt; QUIT&lt;cr&gt;&lt;lf&gt; 10:37:02.453: &lt;&lt; 221 mail.rayes.de Service closing channel.&lt;cr&gt;&lt;lf&gt; 10:37:02.453: --- Connection closed normally at Mon Apr 06 10:37:02 2009. -

PaulW

posted Apr 9 '09 at 3:07 pm

[quote user="Sammy123"]Heres the session log , seems like he managed to authencitate , but just dunno how , got 5or 6 local users and i set all different passwords with 8 characters ... can i see somewhere which users credentials he abused ? [/quote]

test

It's all base64 encoded in the log, so please change it now! And it's never a good idea to have the password the same as the username.

[quote user="Sammy123"]Heres the session log , seems like he managed to authencitate , but just dunno how , got 5or 6 local users and i set all different passwords with 8 characters ... can i see somewhere which users credentials he abused ? [/quote] test It's all base64 encoded in the log, so please change it now!&nbsp; And it's never a good idea to have the password the same as the username. &nbsp;

Thomas R. Stephenson

posted Apr 9 '09 at 5:56 pm

Heres the session log , seems like he managed to authenticate , but
just dunno how , got 5or 6 local users and i set all different
passwords with 8 characters ... can i see somewhere which users
credentials he abused ? :

You need to use some sort of base64 decoder to translate the strings. I used CubedLabs Encode/Decode for this. It's pretty easy to guess this one since the username and password are the same and the user "test" is quite common.

10:35:11.312: Connection from 187.27.199.251, Mon Apr 06 10:35:11 2009<lf>
10:35:11.328: << 220 mail.rayes.de ESMTP server ready.<cr><lf>
10:35:21.359: >> EHLO User<cr><lf>
10:35:21.359: << 250-mail.rayes.de Hello User; ESMTPs are:<cr><lf>250-TIME<cr><lf>
10:35:21.359: << 250-SIZE 0<cr><lf>
10:35:21.359: << 250-8BITMIME<cr><lf>
10:35:21.359: << 250-AUTH CRAM-MD5 LOGIN<cr><lf>
10:35:21.359: << 250-AUTH=LOGIN<cr><lf>
10:35:21.359: << 250 HELP<cr><lf>
10:35:28.328: >> AUTH LOGIN<cr><lf>
10:35:28.328: << 334 VXNlcm5hbWU6<cr><lf>

VXNlcm5hbWU6 = Username:

10:35:32.765: >> dGVzdA==<cr><lf>

dGVzdA== = test

10:35:32.765: << 334 UGFzc3dvcmQ6<cr><lf>

UGFzc3dvcmQ6 = Password:

10:35:36.406: >> dGVzdA==<cr><lf>

dGVzdA== = test

10:35:36.406: << 235 Authentication successful.<cr><lf>

<blockquote>Heres the session log , seems like he managed to authenticate , but just dunno how , got 5or 6 local users and i set all different passwords with 8 characters ... can i see somewhere which users credentials he abused ? :</blockquote>You need to use some sort of base64 decoder to translate the strings.&nbsp; I used CubedLabs Encode/Decode for this. It's pretty easy to guess this one since the username and password are the same and the user "test" is quite common. <blockquote>10:35:11.312: Connection from 187.27.199.251, Mon Apr 06 10:35:11 2009&lt;lf&gt; 10:35:11.328: &lt;&lt; 220 mail.rayes.de ESMTP server ready.&lt;cr&gt;&lt;lf&gt; 10:35:21.359: &gt;&gt; EHLO User&lt;cr&gt;&lt;lf&gt; 10:35:21.359: &lt;&lt; 250-mail.rayes.de Hello User; ESMTPs are:&lt;cr&gt;&lt;lf&gt;250-TIME&lt;cr&gt;&lt;lf&gt; 10:35:21.359: &lt;&lt; 250-SIZE 0&lt;cr&gt;&lt;lf&gt; 10:35:21.359: &lt;&lt; 250-8BITMIME&lt;cr&gt;&lt;lf&gt; 10:35:21.359: &lt;&lt; 250-AUTH CRAM-MD5 LOGIN&lt;cr&gt;&lt;lf&gt; 10:35:21.359: &lt;&lt; 250-AUTH=LOGIN&lt;cr&gt;&lt;lf&gt; 10:35:21.359: &lt;&lt; 250 HELP&lt;cr&gt;&lt;lf&gt; 10:35:28.328: &gt;&gt; AUTH LOGIN&lt;cr&gt;&lt;lf&gt; 10:35:28.328: &lt;&lt; 334 VXNlcm5hbWU6&lt;cr&gt;&lt;lf&gt;</blockquote>VXNlcm5hbWU6 = Username: <blockquote>10:35:32.765: &gt;&gt; dGVzdA==&lt;cr&gt;&lt;lf&gt;</blockquote>dGVzdA== = test <blockquote>10:35:32.765: &lt;&lt; 334 UGFzc3dvcmQ6&lt;cr&gt;&lt;lf&gt;</blockquote>UGFzc3dvcmQ6 = Password: <blockquote>10:35:36.406: &gt;&gt; dGVzdA==&lt;cr&gt;&lt;lf&gt;</blockquote>dGVzdA== = test <blockquote>10:35:36.406: &lt;&lt; 235 Authentication successful.&lt;cr&gt;&lt;lf&gt;</blockquote><blockquote>&nbsp;</blockquote>

Related Topics

Pending draft

Confirm move posts

Insufficient permissions

Select a different topic

Edit history