Tuesday, September 29, 2020

Joomla – Mail delivery failed: returning message to sender

I started getting emails several times a day from a customer’s website. The whole message was:

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

Oleg240170@mail.ru
    host mxs.mail.ru [94.100.180.104]
    SMTP error from remote mail server after end of data:
    550 spam message rejected. Please visit http://help.mail.ru/notspam-support/id?c=4-MIiXod8zc7sHtw55eQjviDdemyJDJvBOiPJah130hjLxCvG-FjARUAAADt5QAA44RPJw~~ or  report details to abuse@corp.mail.ru. Error code:
    8908E3E337F31D7A707BB03B8E9097E7E97583F86F3224B2258FE80448DF75A8AF102F630163E11B. ID:
    000000150000E5ED274F84E3.
Reporting-MTA: dns; se15.mailspamprotection.com

Action: failed
Final-Recipient: rfc822;Oleg240170@mail.ru
Status: 5.0.0
Remote-MTA: dns; mxs.mail.ru
Diagnostic-Code: smtp; 550 spam message rejected. Please visit http://help.mail.ru/notspam-support/id?c=4-MIiXod8zc7sHtw55eQjviDdemyJDJvBOiPJah130hjLxCvG-FjARUAAADt5QAA44RPJw~~ or  report details to abuse@corp.mail.ru. Error code: 8908E3E337F31D7A707BB03B8E9097E7E97583F86F3224B2258FE80448DF75A8AF102F630163E11B. ID: 000000150000E5ED274F84E3.

Subject: Account Details for Чтоб перестроить жизнь, необходимы познания: https://drive.google.com/file/d/16WCSDEeBboOGGsZoHYaYAKoKVAtD8lmh/view?usp=sharing 📅🎊🔝 at Shockers Smoke Shop
From: Shockers Smoke Shop
To: Oleg240170@mail.ru
Date: Mon 21:01

Hello Чтоб перестроить жизнь, необходимы познания:
https://drive.google.com/file/d/16WCSDEeBboOGGsZoHYaYAKoKVAtD8lmh/view?usp=sharing

I contacted the hosting company to see if the email portion was being blasted with emails, but it wasn’t. I really didn’t want the customer to be getting these emails. Plus I didn’t want the domain becoming blacklisted. The hosting was eliminated as an issue.

I solved it by discovering I had left Self Registration on. Russian attackers were trying to phish the site, linking to malware on a Google Drive share. I found about 200 users had tried to register, and they were all Russian. Here is what my settings were:
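If you want to triage a pile of these bounces instead of reading them one by one, here is an added example (my own code, not from the original post) that pulls the DSN fields out of a bounce and flags the ones that are Joomla "Account Details" registration emails whose registrant name carries a link. The sample bounce is constructed and modelled on the one quoted above; the addresses and site name in it are placeholders.

```python
import re

# Constructed sample bounce, modelled on the DSN quoted in the post (placeholder values)
SAMPLE_BOUNCE = """Action: failed
Final-Recipient: rfc822;user@example.net
Status: 5.0.0
Remote-MTA: dns; mx.example.net
Diagnostic-Code: smtp; 550 spam message rejected. Please visit http://help.example.net/notspam

Subject: Account Details for Some phrase: https://drive.google.com/file/d/PLACEHOLDER/view at Example Shop
From: Example Shop
To: user@example.net
"""

# Standard DSN (RFC 3464) per-recipient fields, one per line
DSN_FIELD = re.compile(r"^(Action|Final-Recipient|Status|Remote-MTA|Diagnostic-Code):\s*(.+)$", re.M)
# Joomla's new-account notification uses the subject "Account Details for <name> at <site>"
REG_SUBJECT = re.compile(r"^Subject:\s*Account Details for (?P<name>.+) at (?P<site>[^\n]+)$", re.M)
URL_IN_NAME = re.compile(r"https?://", re.I)


def parse_bounce(text):
    """Return the DSN essentials plus a registration-spam verdict for one bounce."""
    fields = {k: v.strip() for k, v in DSN_FIELD.findall(text)}
    recipient = fields.get("Final-Recipient", "")
    if ";" in recipient:                       # strip the "rfc822;" address-type prefix
        recipient = recipient.split(";", 1)[1].strip()
    diag = fields.get("Diagnostic-Code", "")
    result = {
        "recipient": recipient,
        "status": fields.get("Status", ""),
        "rejected_as_spam": diag.startswith("smtp; 550") and "spam" in diag.lower(),
        "registration_name": None,
        "site": None,
        "registration_spam": False,
    }
    m = REG_SUBJECT.search(text)
    if m:
        name = m.group("name").strip()
        result["registration_name"] = name
        result["site"] = m.group("site").strip()
        # A self-registered display name that carries a link is the payload the post describes:
        # the site mailed the attacker's text to the victim for them.
        result["registration_spam"] = bool(URL_IN_NAME.search(name))
    return result


if __name__ == "__main__":
    print(parse_bounce(SAMPLE_BOUNCE))
```

Feed each bounce in a mailbox through parse_bounce and count the registration_spam hits per day; a burst of them is the signal that self-registration is open and being abused.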

I hope this helps someone else out there…

Google Chrome redirect – http://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND

Had a customer call in because he was on the LA Times website and clicked on a link that caused his browser to pop up a Microsoft warning. The warning said he was infected and needed to pay. He hit Control-Alt-Delete and closed Chrome. He restarted his machine and called us.

I opened Chrome and looked at the start page. It was set to “http://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND”. When I put that URL into another browser it took me to just Google. I figured the rest was unnecessary and reset his home page to just be “http://www.google.com”.

I downloaded a rootkit scan tool from Bleeping Computer and ran a quick scan. We also use Vipre Anti-virus. I updated the definitions and ran a full deep scan with Vipre. Nothing else was wrong.

I hope this helps someone else out there…


Remove wer5.exe With Adlice RogueKiller

We have a customer that is having this “wer5.exe” pop-up. I never saw the pop-up; however, I was able to get the program removed using Adlice’s RogueKiller.

I tried Vipre antivirus and it didn’t find anything on the machine.

I used Malwarebytes, which found 5 items.

RogueKiller found 12 items, and “wer5.exe” was one of them.

I hope this helps someone else out there…