  #1  astraeuz (Registered User; joined Mar 2004; location: Earth; 3 posts)

    Mail proxy: how to stop CGI mail proxies?

    During the last week, two of our clients' accounts got compromised (most probably due to weak passwords) and there was a CGI script installed which started sending emails to more than 200,000 email accounts. These email addresses were stored in a text file.

    By the time we noticed this activity, our server got blacklisted on major RBLs like Barracuda, SpamCop, Spamhaus, etc., and it took around 2 days to clean up.

    3 days later, another account was compromised with the same *thing*, and it really is a pain in the arse now dealing with this and angry clients.

    We've already implemented a policy to restrict users to sending 100 messages per hour per domain, which is working, but it seems this *thing* bypasses Exim.

    I guess this "Open Proxy Servers a Source of Spam" is what I want to explain!

    So my question is, if I've understood this right: is it possible to stop scripts like this, or can we force mailman to use Exim all the time to send messages and stop direct mailing?

    Your suggestions are highly appreciated.

  #2  cPanel Partner NOC (joined Jul 2005; location: New Jersey, USA; 397 posts)


    There are a few different precautionary measures you can take. Programs like mod_security, tweaking PHP security settings, mail logging, etc., can all help stop and track this.

    It's an ongoing effort. It's not something that you can do one time and then it will never happen again. Spammers are always changing their methods of operation, so the security has to change with it.

  #3  BANNED (joined Jun 2005; location: Wild Wild West; 2,025 posts)


    Quote (originally posted by astraeuz): During the last week, two of our clients' accounts got compromised (most probably due to weak passwords) and there was a CGI script installed which started sending emails to more than 200,000 email accounts. These email addresses were stored in a text file.
    Without investigating your system directly, I couldn't tell you for sure whether you are dealing with a security compromise, a brute force attack, internal cross-site scripting, or some other method of access to the clients' accounts, as there are many methods of potential compromise which would lead to the issues that you have described.

    What I can tell you, and many people may still not be aware of this, is that there is currently a very sophisticated hacking group operating out of China using a key-logging virus/trojan to infect home computers and capture web hosting and bank login information when the victim connects to their own accounts. The program then logs into the user's hosting account, adds an "iframe" link to their index files, and then makes a callback and reports the collected information back to its creators, who apparently have been using the information collected for more hosting attacks and, from what I've seen, for making unauthorized banking transfers and later direct logins back to the hosting account to install spamming scripts; those connections usually trace back to China.

    This makes things difficult for the hosting provider to track down because the compromise is actually on the client's end, and there are no failed password attempts or compromises that would be logged, since the hackers have the full login information in hand before connecting. They often use the victim's own internet connection for the initial attacks, so the source IP also traces back to the victim in many of these cases, and you don't see otherwise until much later.

    For those infected with this new type of attack, I'd recommend deep scans of the victim's home computer with the latest updated virus and trojan scanning software, and frequent password changes.

    The leading iframe modification is a nice tattletale and has allowed us thus far, on our own networks, to put in a monitoring script to watch for that, autosuspend accounts suspected of this attack, and automatically alert us and the infected home user that their home computer may be compromised.

    Quote (astraeuz): By the time we noticed this activity, our server got blacklisted on major RBLs like Barracuda, SpamCop, Spamhaus, etc., and it took around 2 days to clean up.
    That can be a pain, but it can also be reduced if you take care to deeply monitor the mail activity of your servers (which can be automated) and take the appropriate measures to lock down the security of the mail system so that it is more difficult for abusive scripts to work.

    Quote (astraeuz): 3 days later, another account was compromised with the same *thing*, and it really is a pain in the arse now dealing with this and angry clients.

    Quote (astraeuz): We've already implemented a policy to restrict users to sending 100 messages per hour per domain, which is working, but it seems this *thing* bypasses Exim.
    Chirpy's CSF firewall can help in this area if properly configured, plus there are certain modifications you can make to both Exim and cPanel which will further limit the problem as well.

    It goes without saying that you should be running suEXEC and suPHP so that you are better able to track the source of spamming and other abusive scripts and also limit cross-site scripting issues.

    Quote (astraeuz): I guess this "Open Proxy Servers a Source of Spam" is what I want to explain!
    You should not be on this list unless you really got a bad configuration issue!

    Quote (astraeuz): So my question is, if I've understood this right: is it possible to stop scripts like this, or can we force mailman to use Exim all the time to send messages and stop direct mailing?
    I work in security, so I would tell you straight up that there is nothing that can protect you with absolute certainty short of powering down and unplugging your server. With that said, though, yes, there are many things that can be done to stop these scripts, limit traffic to legitimate traffic, and seriously harden the security of your server to make things very difficult to very nearly impossible for the spammers behind these issues.

    Now if you want any help in that department, contact me and I'll give you a more one-on-one direct hand with all of that.
    Last edited by Spiral; 06-22-2009 at 12:10 PM.
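The "monitoring script" for the leading-iframe tattletale that post #3 mentions, written out here as an added example (it is not the poster's script and not part of any cPanel tool): a POSIX shell scan of every account's index files for an iframe whose attributes hide it, printing file and line number and returning non-zero when anything is found, so a cron job can alert or suspend the account. It assumes the cPanel layout of <base>/<user>/public_html, the base directory is passed as a parameter, the regular expression is a heuristic for hidden iframes rather than a signature for any specific malware, and the sample files created at the end are constructed for the demo, not real customer content.

```shell
#!/bin/sh
# Added example (not from the thread): find hidden-iframe injections in
# hosted accounts' index files. Assumes <base>/<user>/public_html layout.

# Heuristic for an <iframe> tag that is meant not to be seen: zero width or
# height, display:none, visibility:hidden, or positioned off-screen.
# Extended regex; [^0-9]?0[^0-9] accepts width="0" or width=0 but not width="100".
IFRAME_PATTERN='<iframe[^>]*(width=[^0-9]?0[^0-9]|height=[^0-9]?0[^0-9]|display: *none|visibility: *hidden|(left|top): *-[0-9])'

# find_injected_iframes BASE : print "file:line:content" for each suspicious
# iframe found in any index.html / index.htm / index.php below BASE.
find_injected_iframes() {
    base="$1"
    find "$base" -type f \( -name 'index.html' -o -name 'index.htm' -o -name 'index.php' \) -print 2>/dev/null |
    while IFS= read -r f; do
        # "|| :" keeps the loop going when grep finds nothing in a clean file.
        grep -n -H -i -E "$IFRAME_PATTERN" "$f" || :
    done
}

# scan_and_report BASE : print hits; return 1 if anything was found, else 0.
# The non-zero status is what a cron wrapper keys off to alert or suspend.
scan_and_report() {
    hits=$(find_injected_iframes "$1")
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Demo on constructed sample files: one clean site, one with the classic
# zero-size iframe appended to index.html.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/alice/public_html" "$demo_dir/bob/public_html"
printf '<html><body>Hello from alice</body></html>\n' > "$demo_dir/alice/public_html/index.html"
printf '<html><body>Hi<iframe src="http://example.invalid/x.php" width="0" height="0" frameborder="0"></iframe></body></html>\n' > "$demo_dir/bob/public_html/index.html"
scan_and_report "$demo_dir"; echo "exit status: $?"
rm -rf "$demo_dir"
```

Run it as `scan_and_report /home` from cron and act on a non-zero exit; treating every hit as a confirmed compromise is what post #3 describes (autosuspend), but a site that legitimately embeds a hidden iframe will trigger it too, so review the printed line before suspending. Injected iframes are only one symptom: a modified index file of any kind is worth flagging, so pairing this with a checksum baseline of the document roots catches variants the regex misses.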
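For the part of the question the thread keeps coming back to, a script that "bypasses Exim" by opening its own sockets to remote MX hosts, the control post #3 alludes to in CSF (its SMTP_BLOCK option) is shown here as an added example written in plain iptables; this is not CSF's or cPanel's code. Only an allow-list of uids may open outbound SMTP connections. Because suEXEC and suPHP run each account's CGI and PHP scripts as that account's uid, a spam script that tries direct-to-MX delivery is rejected and the kernel log records the uid, while mail submitted through the local Exim (and therefore subject to the 100 messages per hour limit) is untouched. The uids exim, mailman and root are assumptions about the target server, and the functions only print rules until apply_smtp_block is run as root.

```shell
#!/bin/sh
# Added example (not CSF's or cPanel's code): restrict outbound SMTP to an
# allow-list of uids with iptables. Assumed uids: exim (the MTA), mailman,
# root. Everything else, i.e. every hosted account's scripts under
# suEXEC/suPHP, is rejected and logged with its uid.

# smtp_block_rules UID... : print the iptables commands without running them.
smtp_block_rules() {
    echo "iptables -N SMTP_OUT 2>/dev/null"
    echo "iptables -F SMTP_OUT"
    # Allow-listed senders leave the chain and are accepted by OUTPUT as usual.
    for u in "$@"; do
        echo "iptables -A SMTP_OUT -m owner --uid-owner $u -j RETURN"
    done
    # Scripts may still talk to the local Exim on 127.0.0.1:25; that mail
    # then goes through Exim's logs and per-hour limits instead of around them.
    echo "iptables -A SMTP_OUT -o lo -j RETURN"
    # Everything else: log the uid (rate limited) and reject the connection.
    echo "iptables -A SMTP_OUT -m limit --limit 10/min -j LOG --log-prefix 'SMTP_BLOCK: ' --log-uid"
    echo "iptables -A SMTP_OUT -j REJECT --reject-with tcp-reset"
    # Route new outbound connections on the SMTP ports through the chain.
    for p in 25 465 587; do
        echo "iptables -A OUTPUT -p tcp --dport $p --syn -j SMTP_OUT"
    done
}

# apply_smtp_block UID... : execute the generated rules (must be root).
apply_smtp_block() {
    smtp_block_rules "$@" | sh
}

# rule_count UID... : number of iptables commands generated, for sanity checks.
rule_count() {
    smtp_block_rules "$@" | wc -l | tr -d ' '
}

# Print the rule set for review; as root, run: apply_smtp_block exim mailman root
smtp_block_rules exim mailman root
```

After applying, `iptables -nvL SMTP_OUT` shows how often the reject rule fires and the kernel log lines prefixed "SMTP_BLOCK:" carry the UID of the process, which under suEXEC/suPHP is the compromised account. The caveat a practitioner needs: any legitimate site that authenticates to an external SMTP relay from PHP (a contact form using an outside mail provider on 587, for instance) is blocked as well, so either add that account's uid to the allow-list, drop 587 from the port list, or have the site submit through the local Exim. The rule does nothing for spam a script hands to the local sendmail/Exim; that path is where the per-hour limit, Exim logging and suPHP attribution still have to do the work.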
