Ask HN: Traced spam back to script on a pwned server, but then it gets weird

Odd email spam: Followed IP from Received headers to a PHP mailer script on some random server. Googled some text from the form and found similar sites. Are these pwned servers hacked, or dedicated spam servers? The email in question included an odd detail:
See the "X-PHP-Originating-Script"? Well, if you navigate to 79.143.178.81/thumb.php you will find a spam PHP script. Googling some text from this script produces other servers running it (http://www.google.com/search?q=MortoLino+-+mode*SPAMMER)

Take a look around the last domain. In addition to fake banking websites, it has this gem: http://www.malys-et-delys.com/index.html

Do you think these servers have simply been compromised, or are they dedicated spamming machines? Also, anyone understand why the Received headers mention "m81.ninthapple.com", when ninthapple.com is not even a registered domain?
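The tracing step the post describes (walking the Received chain back to the first public hop and reading the X-PHP-Originating-Script header that PHP adds when mail.add_x_header is on) can be automated for triage. This is an added example, not code from the poster; the message, IP addresses (documentation range 203.0.113.0/24) and hostnames are constructed, and the script name is only the poster's example.

```python
import re
from email import message_from_string

# Constructed sample: documentation-range IPs and .invalid hostnames,
# not a real capture. Each MTA prepends its own Received header.
SAMPLE = """\
Received: from m81.spamhost.invalid (unknown [203.0.113.81])
\tby mx.example.net (Postfix) with ESMTP id 4F2A1
\tfor <victim@example.net>; Mon, 01 Jan 2024 10:00:00 +0000
Received: from localhost (localhost [127.0.0.1])
\tby m81.spamhost.invalid (Postfix) with ESMTP id 9C3B7;
\tMon, 01 Jan 2024 09:59:58 +0000
X-PHP-Originating-Script: 33:thumb.php
From: "Support" <support@example.org>
To: victim@example.net
Subject: Account notice

Please confirm your account.
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # IP inside [] literal
CLAIMED = re.compile(r"^from\s+(\S+)", re.IGNORECASE)  # HELO/EHLO name
PRIVATE = re.compile(r"^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")

def received_hops(msg):
    """Hops oldest-first: the last Received header is the earliest MTA."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        line = " ".join(raw.split())          # unfold continuation lines
        ip, name = IPV4.search(line), CLAIMED.search(line)
        hops.append({"claimed": name.group(1) if name else None,
                     "ip": ip.group(1) if ip else None, "raw": line})
    return hops

def originating_ip(msg):
    """First public address in the chain; loopback/RFC1918 hops are internal."""
    for hop in received_hops(msg):
        if hop["ip"] and not PRIVATE.match(hop["ip"]):
            return hop["ip"]
    return None

def php_script(msg):
    """PHP's mail.add_x_header writes 'uid:script'; return the script part."""
    val = msg.get("X-PHP-Originating-Script")
    return val.split(":", 1)[-1].strip() if val else None

def triage(raw):
    msg = message_from_string(raw)
    return {"originating_ip": originating_ip(msg),
            "php_script": php_script(msg), "hops": len(received_hops(msg))}
```

The claimed hostname in each hop is kept alongside the IP so a mismatch like the unregistered m81 name in the post stands out next to the address that actually connected.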