Elxis CMS Forum

Support => Elxis 4.x/5.x DEV => Topic started by: StefanSultanov on August 09, 2014, 11:18:47

Title: Security breach on my website or hosting server under attack
Post by: StefanSultanov on August 09, 2014, 11:18:47
Here is what I started to receive after attempting to send an email through ul.find@webrilliant.co.uk.
This is a mailbox associated with my Elxis Nautilus website.
I found the user in my users list and deactivated it.
What else can I do to protect myself and the website users?
How can I get my email back?
Can somebody tell me where the security problem is and what this hack is trying to do?
My guess is that this is registration form abuse, because of the end of the letter.
But I don't understand 90% of the stuff below.

Thanks!
 
-----Original Message-----
From: Mail Delivery System [mailto:Mailer-Daemon@mx2.tmdhosting.com]
Sent: 05 August 2014 20:42
To: ul.find@webrilliant.co.uk
Subject: Mail delivery failed: returning message to sender

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

  blocec@mai1webrilliant.co.uk.com
    Unrouteable address

------ This is a copy of the message, including all the headers. ------

Return-path: <ul.find@webrilliant.co.uk>
Received: from node01.tmdhosting960.com ([96.127.149.146])
   by mx2.tmdhosting.com with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
   (Exim 4.82)
   (envelope-from <ul.find@webrilliant.co.uk>)
   id 1XEkc0-0008MO-P4
   for blocec@mai1webrilliant.co.uk.com; Tue, 05 Aug 2014 14:41:36 -0500
Received: from webrilli by node01.tmdhosting960.com with local (Exim 4.80.1)
   (envelope-from <ul.find@webrilliant.co.uk>)
   id 1XEkby-002USd-Bm
   for blocec@mai1webrilliant.co.uk.com; Tue, 05 Aug 2014 14:41:30 -0500
To: carpinteyroefj guangjopYB <blocec@mai1webrilliant.co.uk.com>
Subject: Thanks for your registration
X-PHP-Script: webrilliant.co.uk/index.php for 172.246.129.194
Message-ID: <1407267690.53e1336a30c66@webrilliant.co.uk>
Date: Tue, 05 Aug 2014 19:41:30 +0000
From: weBrilliant <ul.find@webrilliant.co.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Priority: 3 (Normal)
X-Mailer: Elxis
X-Filter-ID: XtLePq6GTMn8G68F0EmQvRiAZ+OFBhryaT36k5IcHckooM7gjDG9+uwvmJ1RDthSHf4jovUvm6rI
 QYj/B8ilQijr8ldiVvphkWLZaJXPc3cy5rkJmqDXlXeef/moQKIdmGq6cDch1rMLmmv2at8Ugju+
 l0kwMLVeJoOItqLgg2uAFIbyFgFecVFv/oAIeL16cioqCyhrmrdH/MebE1a9dytpS3qLzRcOYGlx
 N1VZQ2mF+C+0kSeYgwEOKvbTSB1Pp9CtRfxwaoAOYtdvOWOg42jw+t/110i0HaNue90mYyize6mC
 wLQnGk4Jp5smQ86ja6zIAWFWsKizcqI4E4vxgNQw6aQDwaIVx5cgeEK5/IP+AA79EmSNFcZ8CQ1x
 G4ksdIpGudSqgEWaSY66l6bJq3Y0uGR0zSHZr9rycOHFaeL+AA79EmSNFcZ8CQ1xG4kswd6AMv9A
 rB97IDkao3/W+DH6fIGOp7H+coEuOJI1lzDJB3Wt13L3S8lMvkGdbqIQ3ezaDG7J5Ng4LGJ5iTPY
 AsaX+r6ixwB0YYdHZBWp0q2DwIE7VKe+bqpcdCns72R12jjW9lSsy6k7zg67a4qx+D89xyAL8C19
 114p89B4en0UtMylXjQDkfiRPBrijvkYBRF7r3iO3J23HtlvYtKejHoyfYu9lweeX6paO3xk0ufT
 YdXjm/yKtlaWOS3qvMOU3u39Oa5pQ6PVXOzJb8RS+w==
X-Report-Abuse-To: spam@mx1.tmdhosting.com
X-Filter-Fingerprint: cPaH8lomer6UwsJ3BnJDyri+a9F8Cz9xU5Eppfgr9lG0VFDyP20las9Mq1v6nXmfrqKtWpHLpkE8
 c09GKJn2t+jqMglu6J93qAPIr7FHQKxMqRJTan78INzQLlEGX/jFRST5X0bRoOLYozD+qqgg13U4
 H51jyCSmLdA2hPaiVpwYWaeThsiFlmPt/lOSmjPejUtZCrCA5xZfNcrdWiqIUGqK95LAXg+Ea3Jb
 F9WwpaZ//Un1C5ivAWoOksRE8XtOBc3fpptcx+aMzF1itCfRdryQJ+FQ4VYDamGx4IEKQOie9Xyf
 0LSMk3TACEF6SjSOCg8pb0HPP71cUnHuLzXnvxl9lToU+hR8nZ2Fxr8tkW1Q9znJfzzAlw8Fqu55
 +6PCmycP/wG77NTikYgIz/txjvgSbrLGdgl0K+oRW9whnAv7ohCaFzQpgQwxJ1ZhWbnCpqBLMuuv
 f2kMv+ce19uuFzEvuGslKTrRIXcXpFg5ivY=
X-Originating-IP: 96.127.149.146
X-SpamExperts-Domain: tmdhosting960.com
X-SpamExperts-Username: 96.127.149.146
Authentication-Results: tmdhosting.com; auth=pass smtp.auth=96.127.149.146
X-SpamExperts-Outgoing-Class: unsure
X-SpamExperts-Outgoing-Evidence: Combined (0.69)
X-Recommended-Action: accept

Hi carpinteyroefj guangjopYB
Thank you for registering at weBrilliant

Please click the link below to activate your account.
http://webrilliant.co.uk/user/activate.html?c=d49b86253ed6440c69b248573593211e69880cf8


Regards
weBrilliant
http://webrilliant.co.uk



_______________________________________________________________
Please do not reply to this message as it was sent only for informational purposes.
Title: Re: Security breach on my website or hosting server under attack
Post by: datahell on August 09, 2014, 12:44:51
I don't see anything wrong... There is no security breach, just a usual user registration. You have enabled user registration and so someone got registered with the name carpinteyroefj guangjopYB and the email blocec [at] mai1webrilliant.co.uk.com. That e-mail address does not exist and so you got a return from your mail server to the sender account (ul.find [at] webrilliant.co.uk). The user was of course inserted into the database as he registered. But if he didn't click the activation link (which he didn't, as the email he gave was wrong) he never got activated. BTW his IP address is listed in stop forum spam (http://www.stopforumspam.com/ipcheck/172.246.129.194) which means that he is a spammer. If you don't want users to register on your site then disable user registration.


Suggestion: Don't write email addresses in clear text in public because you will get a lot of spam! So edit your message and remove or change the email addresses.
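The triage datahell did by hand above (find the embedded original message in the bounce, read who triggered it from the X-PHP-Script header, notice that the registrant's domain is a look-alike of the site's own domain, and check the client IP against stopforumspam) can be scripted. The example below is added here for illustration and is not part of the thread, nor Elxis or the hosting provider's code. It assumes an Exim-style plain-text bounce that embeds the original message after the "This is a copy of the message" marker, and that the PHP mail() wrapper on the host writes "X-PHP-Script: host/script for client_ip" exactly as in the bounce quoted above. The sample bounce is constructed; every address, host and IP in it is a placeholder.

```python
"""Triage a bounced CMS registration mail: who triggered it, and is it a breach?

Constructed example for this thread, not Elxis code. Assumes an Exim-style bounce that
embeds the original message after COPY_MARKER and an "X-PHP-Script: host/script for ip"
header added by the hosting's PHP mail() wrapper, as in the bounce quoted in the thread.
"""
import email
import ipaddress
import re
from email import policy

COPY_MARKER = "------ This is a copy of the message, including all the headers. ------"

# Constructed sample modelled on the thread's bounce; all addresses, hosts and IPs are placeholders.
SAMPLE_BOUNCE = """\
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

  victim@mai1example.co.uk.com
    Unrouteable address

------ This is a copy of the message, including all the headers. ------

Return-path: <noreply@example.co.uk>
Received: from node01.hosting.invalid ([198.51.100.7])
   by mx.hosting.invalid with esmtps (Exim 4.82)
   (envelope-from <noreply@example.co.uk>)
   for victim@mai1example.co.uk.com; Tue, 05 Aug 2014 14:41:36 -0500
To: carpinteyroefj guangjopYB <victim@mai1example.co.uk.com>
Subject: Thanks for your registration
X-PHP-Script: example.co.uk/index.php for 203.0.113.9
From: Example Site <noreply@example.co.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Mailer: Elxis

Hi carpinteyroefj guangjopYB
Thank you for registering at Example Si=
te

Please click the link below to activate your account.
htt=
p://example.co.uk/user/activate.html?c=3D0123456789abcdef

Regards
"""

FAILED_RE = re.compile(r"^[ \t]+(\S+@\S+)\n[ \t]+(.+)$", re.MULTILINE)
ACTIVATE_RE = re.compile(r"https?://\S+/user/activate\.html\?c=[0-9a-f]+")
LOOKALIKE_MAP = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def failed_recipients(bounce_text):
    """[(address, reason)] from the MTA's failure list that precedes the embedded copy."""
    head, _, _ = bounce_text.partition(COPY_MARKER)
    return FAILED_RE.findall(head)


def original_message(bounce_text):
    """Parse the copy of the original message that the MTA embeds in the bounce."""
    _, sep, copy = bounce_text.partition(COPY_MARKER)
    if not sep:
        raise ValueError("no embedded original message in bounce")
    return email.message_from_string(copy.lstrip("\n"), policy=policy.default)


def php_script_origin(msg):
    """Split "host/script for client_ip" into (script, client_ip); the IP is validated."""
    value = msg.get("X-PHP-Script")
    if not value:
        return None, None
    script, sep, client = str(value).rpartition(" for ")
    if not sep:
        return str(value).strip(), None
    try:
        return script.strip(), str(ipaddress.ip_address(client.strip()))
    except ValueError:
        return script.strip(), None


def looks_like(candidate, site_domain):
    """True when candidate impersonates site_domain (contains it once digit-for-letter
    swaps such as 1->l are undone) without being the domain or one of its subdomains."""
    cand = candidate.lower().translate(LOOKALIKE_MAP)
    site = site_domain.lower().translate(LOOKALIKE_MAP)
    return cand != site and not cand.endswith("." + site) and site in cand


def triage(bounce_text, site_domain):
    """Return the findings a site owner needs to decide whether a bounce is a breach."""
    msg = original_message(bounce_text)
    script, client_ip = php_script_origin(msg)
    body = msg.get_content()  # undoes quoted-printable: "=3D" and the "=" soft line breaks
    link = ACTIVATE_RE.search(body)
    failed = failed_recipients(bounce_text)
    registrant = failed[0][0] if failed else None
    reg_domain = registrant.rpartition("@")[2] if registrant else ""
    sent_by_site = bool(script and script.split("/", 1)[0].lower() == site_domain.lower())
    return {
        "sent_by_site_script": sent_by_site,
        "mailer": str(msg.get("X-Mailer", "")),
        "client_ip": client_ip,
        "registrant": registrant,
        "lookalike_domain": looks_like(reg_domain, site_domain),
        "activation_link": link.group(0) if link else None,
        # Same lookup datahell did by hand; query it out of band, this script stays offline.
        "ip_check_url": f"http://www.stopforumspam.com/ipcheck/{client_ip}" if client_ip else None,
        "verdict": ("site's own registration mail bounced: unactivated signup, not a breach"
                    if sent_by_site and link else "unexpected origin: investigate"),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_BOUNCE, "example.co.uk").items():
        print(f"{key}: {value}")
```

The two facts that settle the question are the ones the script pulls out: the mail was generated by the site's own index.php (so nothing was spoofed or relayed), and the activation link was never going to be clicked because the recipient domain is undeliverable. The look-alike check is there because the bogus address mimics the site's own domain, which is a common trick to make registration spam slip past a quick visual review of the user list.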
Title: Re: Security breach on my website or hosting server under attack
Post by: StefanSultanov on August 09, 2014, 22:38:47
Thank you!