Odd email spam: Followed IP from Received headers to a PHP mailer script on some random server. Googled some text from the form and found similar sites. Are these pwned servers hacked, or dedicated spam servers?<p>The email in question included an odd detail:<p><pre><code> Received: (qmail 28723 invoked from network); 5 Feb 2013 01:56:56 -0800
Received: from m81.ninthapple.com (HELO vmi10541.localdomain) (79.143.178.81)
    by [mydomain.net] with SMTP; 5 Feb 2013 01:56:55 -0800
Received: by vmi10541.localdomain (Postfix, from userid 48)
    id A90CB2D80478; Tue, 5 Feb 2013 09:56:53 +0100 (CET)
To: support@[mydomain.com]
Subject: teste
X-PHP-Originating-Script: 0:thumb.php
MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
X-Mailer: Microsoft Office Outlook, Build 17.551210
From: support@[mydomain.com]
Message-Id: <20130205085653.A90CB2D80478@vmi10541.localdomain>
Date: Tue, 5 Feb 2013 09:56:53 +0100 (CET)
amo
</code></pre>
See the "X-PHP-Originating-Script"? Well, if you navigate to 79.143.178.81/thumb.php you will find a spam PHP script.<p>Googling some text from this script produces other servers running it (http://www.google.com/search?q=MortoLino+-+mode*SPAMMER)<p><pre><code> http://avpv.com.br/
http://www.ovelar.com.br/xp.php
http://teste.originalsites.net/xp.php
http://www.malys-et-delys.com/fag.php
</code></pre>
Take a look around the last domain. In addition to fake banking websites, it has this gem: http://www.malys-et-delys.com/index.html<p>Do you think these servers have simply been compromised, or are they dedicated spamming machines?<p>Also, anyone understand why the Received headers mention "m81.ninthapple.com", when ninthapple.com is not even a registered domain?
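
A header triage of the message quoted above, as an added example that is not part of the original post: it extracts the fields the post relies on (the `X-PHP-Originating-Script` value, the Postfix local-submission uid, and the name/HELO/IP triple in the qmail `Received` line). The function name `triage` and the finding labels are made up for illustration; the sample is the post's headers, abridged.

```python
import re
from email import message_from_string

# Constructed sample: headers from the post (abridged), folded lines restored.
SAMPLE = """\
Received: (qmail 28723 invoked from network); 5 Feb 2013 01:56:56 -0800
Received: from m81.ninthapple.com (HELO vmi10541.localdomain) (79.143.178.81)
  by [mydomain.net] with SMTP; 5 Feb 2013 01:56:55 -0800
Received: by vmi10541.localdomain (Postfix, from userid 48)
\tid A90CB2D80478; Tue, 5 Feb 2013 09:56:53 +0100 (CET)
To: support@[mydomain.com]
Subject: teste
X-PHP-Originating-Script: 0:thumb.php
X-Mailer: Microsoft Office Outlook, Build 17.551210
From: support@[mydomain.com]

amo
"""

# qmail: "from <reverse-DNS name of the IP> (HELO <what the client said>) (<IP>)"
QMAIL_RE = re.compile(r"from\s+(\S+)\s+\(HELO\s+(\S+)\)\s+\((?:\S+@)?([\d.]+)\)")
# Postfix marks mail injected locally (sendmail binary) with the caller's uid.
LOCAL_RE = re.compile(r"by\s+(\S+)\s+\(Postfix, from userid (\d+)\)")
# PHP's mail.add_x_header writes "<uid of the script>:<script filename>".
SCRIPT_RE = re.compile(r"^(\d+):(.+)$")

def triage(raw):
    msg = message_from_string(raw)
    report = {"findings": []}
    for rcvd in msg.get_all("Received", []):
        m = QMAIL_RE.search(rcvd)
        if m:
            report["ptr_name"], report["helo"], report["ip"] = m.groups()
            if m.group(1).lower() != m.group(2).lower():
                report["findings"].append("helo-differs-from-ptr-name")
        m = LOCAL_RE.search(rcvd)
        if m:
            report["local_submit_uid"] = int(m.group(2))
            report["findings"].append("local-submission-on-origin-host")
    m = SCRIPT_RE.match(msg.get("X-PHP-Originating-Script", "").strip())
    if m:
        report["script_uid"], report["script"] = int(m.group(1)), m.group(2)
        report["findings"].append("sent-by-php-script")
        if msg.get("X-Mailer"):  # a desktop-client X-Mailer next to a PHP header
            report["findings"].append("x-mailer-inconsistent-with-php")
    if msg.get("From", "").strip().lower() == msg.get("To", "").strip().lower():
        report["findings"].append("from-equals-recipient")
    return report
```

The `ptr_name` field is whatever the owner of the connecting IP publishes in reverse DNS, so it is only a claim until a forward lookup of that name returns the same IP.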