
Author Topic: Amiga.org's servers compromised?  (Read 3332 times)


LoadWB (Hero Member, Join Date: Jul 2006, Posts: 2901)
Re: Amiga.org's servers compromised?
« on: November 20, 2012, 01:48:34 AM »
Quote from: jorkany;715768
Looks like an open mail relay, not necessarily a sign that anything was "compromised". The relay needs to be secured though.

Actually, it's not an open relay.  Here's the key header:

   Received: from [5.46.157.196] (port=19728 helo=digitalinsight.com)
    by gator745.hostgator.com with esmtp (Exim 4.80)
    (envelope-from )
    id 1TaV6f-0002uS-Ra
    for dcr8520(scrubbed his email)

The server accepted email for an amiga.org email address, which it is supposed to do.  This is a phishing expedition.  Notice the plain-text part has "amiga.org" links, but in the part which would be rendered by the email client the links are most definitely not amiga.org.

As for the email addresses it purports to be from, that's all just data.

The original SMTP transaction went something like this:

Quote
helo digitalinsight.com
mail from:
rcpt to:
data
Received: from MAIL12.amiga.org (10.0.0.37) by amiga.org (10.0.0.50) with Microsoft SMTP id F94PRWEB; Mon, 19 Nov 2012 19:26:00 +0200
Received: from MAIL07.amiga.org (10.146.1.172) by smtp.amiga.org
 (10.0.0.29) with Microsoft SMTP id CQG7P4L0; Mon, 19 Nov 2012 19:26:00 +0200
MIME-Version: 1.0
Date: Mon, 19 Nov 2012 19:26:00 +0200
From: Administrator
Reply-To: Administrator
Subject: To All Employee's -  Important Address UPDATE
(and so on...)

Notice that it most likely included faked Received: headers to throw off tracking, as it did me initially, since I had a kitten distracting me and making me forget the first/second/third rule(s) of whatever: headers can lie.

This is the real source of the email, from which the hostgator server dutifully accepted an email with an @amiga.org destination:

Quote
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '5.46.0.0 - 5.46.255.255'

inetnum:        5.46.0.0 - 5.46.255.255
netname:        AVEA
descr:          AVEA Iletisim Hizmetleri A.S.
country:        TR
admin-c:        Aa3018-RIPE
tech-c:         Aa3018-RIPE
status:         ASSIGNED PA
mnt-by:         AVEA-MNT
source:         RIPE # Filtered

role:           AVEA admin
address:        Avea Iletisim Hizmetleri A.S.
address:        Abdi Ipekçi Cad. No.75 Maçka / Istanbul
phone:          +902124601500
fax-no:         +902164606802
admin-c:        AA3018-RIPE
tech-c:         AA3018-RIPE
nic-hdl:        Aa3018-RIPE
remarks:        ************************************************************************
remarks:        Please report abuse incidents ONLY to < avea_abuse_contact@avea.com.tr >
remarks:        ************************************************************************
mnt-by:         AVEA-MNT
source:         RIPE # Filtered

% Information related to '5.46.0.0/15AS20978'

route:          5.46.0.0/15
descr:          Avea Iletisim Hizmetleri A.S.
origin:         AS20978
mnt-lower:      AVEA-MNT
mnt-routes:     AVEA-MNT
mnt-by:         AVEA-MNT
source:         RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.42 (WHOIS3)
« Last Edit: November 20, 2012, 01:58:18 AM by LoadWB »
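The check LoadWB applies above, trusting only the topmost Received: header that your own server wrote and treating everything below it as data the sender could have typed into the DATA command, as an added Python example that is not part of the original thread. The sample message is reconstructed from the headers quoted in the post; the scrubbed envelope and recipient addresses are replaced by example.invalid placeholders (an assumption), and the trusted receiving host and the domain the forged headers claim are parameters the caller supplies.

```python
import re
import ipaddress
from email import message_from_string

# Constructed sample modelled on the headers quoted in the post. The scrubbed
# envelope-from and recipient are example.invalid placeholders (assumption);
# the Received: lines otherwise follow the quoted message.
SAMPLE_MESSAGE = """\
Received: from [5.46.157.196] (port=19728 helo=digitalinsight.com)
    by gator745.hostgator.com with esmtp (Exim 4.80)
    (envelope-from <sender@example.invalid>)
    id 1TaV6f-0002uS-Ra
    for <recipient@example.invalid>
Received: from MAIL12.amiga.org (10.0.0.37) by amiga.org (10.0.0.50) with Microsoft SMTP id F94PRWEB; Mon, 19 Nov 2012 19:26:00 +0200
Received: from MAIL07.amiga.org (10.146.1.172) by smtp.amiga.org
 (10.0.0.29) with Microsoft SMTP id CQG7P4L0; Mon, 19 Nov 2012 19:26:00 +0200
MIME-Version: 1.0
Subject: To All Employee's -  Important Address UPDATE

(body omitted)
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)"            # claimed sending host, or [ip]
    r"(?:\s*\((?P<detail>[^)]*)\))?"   # optional "(ip port=... helo=...)" detail
    r".*?\bby\s+(?P<by>\S+)"           # the host that actually wrote this header
)
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
HELO_RE = re.compile(r"helo=([^\s)]+)")


def parse_received(value):
    """Split one Received: header into claimed sender, its IP, HELO name and receiver."""
    value = " ".join(value.split())            # unfold continuation lines
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    from_part = m.group("from") + " " + (m.group("detail") or "")
    ip = IP_RE.search(from_part)
    helo = HELO_RE.search(value)
    return {
        "from": m.group("from").strip("[]").lower(),
        "ip": ip.group(1) if ip else None,
        "helo": helo.group(1).lower() if helo else None,
        "by": m.group("by").lower(),
    }


def find_true_origin(raw_message, trusted_receivers):
    """Return the peer IP recorded by the first Received: header a trusted host wrote.

    Each hop prepends its own Received: header, so the topmost one written by
    our own server says who really connected. Every header below it was already
    inside the message when it arrived and may have been forged by the sender.
    """
    msg = message_from_string(raw_message)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    trusted = {t.lower() for t in trusted_receivers}
    for i, hop in enumerate(hops):
        if hop["by"] in trusted:
            return {
                "connecting_ip": hop["ip"],
                "helo": hop["helo"],
                "trusted_receiver": hop["by"],
                "untrusted_hops": hops[i + 1:],
            }
    return None


def suspicious_indicators(origin, claimed_domain):
    """List the reasons the untrusted hops should not be believed."""
    if origin is None:
        return ["no Received: header written by a trusted host"]
    if origin["connecting_ip"] is None:
        return ["trusted hop did not record a connecting IP"]
    claimed_domain = claimed_domain.lower()
    ip = ipaddress.ip_address(origin["connecting_ip"])
    claims_internal = any(h["from"].endswith(claimed_domain) for h in origin["untrusted_hops"])
    flags = []
    if claims_internal and ip.is_global:
        flags.append(f"Received: headers claim {claimed_domain} relays, but the message "
                     f"reached {origin['trusted_receiver']} from public IP {ip}; "
                     "those headers arrived inside DATA and are likely forged")
    if origin["helo"] and not origin["helo"].endswith(claimed_domain):
        flags.append(f"HELO name {origin['helo']} does not belong to {claimed_domain}")
    return flags


if __name__ == "__main__":
    origin = find_true_origin(SAMPLE_MESSAGE, {"gator745.hostgator.com"})
    print("connecting IP:", origin["connecting_ip"], "HELO:", origin["helo"])
    for flag in suspicious_indicators(origin, "amiga.org"):
        print("-", flag)
```

The only header this trusts is the one written by the receiving server named in `trusted_receivers`; the two amiga.org Received: lines below it are reported as untrusted hops, and the mismatch between the public connecting IP and the internal relays they claim is what exposes them as forged.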