  1. #1
    Member handsonhosting's Avatar
    Join Date
    Feb 2002
    Location
    Omaha, NE
    Posts
    149
    cPanel/Enkompass Access Level

    Root Administrator

    dm.cgi - Dark Mailer program

    Hey Folks,

    Over the past 3 days we've been hit pretty hard with a dm.cgi script running on servers. It's not just one or two servers with the program running, but so far we've counted 10 servers that have had the script running.

    The dm.cgi file is a program that sends out mass mail (Dark Mailer). As a result, we would likely end up on a black list quickly if we were not on top of it as we are currently.

    I've searched Google, and while I find lots of places that offer it to download, there's no real documentation that I can find. I know that it uses a direct SMTP connection, thus bypassing rules etc, so I'm looking to find out if anyone has had experience with it and successfully blocked it on their servers (other than using mod_security).

    Any help would be appreciated.

  2. #2

    Shoot me an email or PM, I have something that can help

  3. #3
    handsonhosting

    Thanks in advance,

    Message sent to PM.

  4. #4

    I believe chirpy's firewall can do it.

    See:

    # Block outgoing SMTP except for root, exim and mailman (forces scripts/users
    # to use the exim/sendmail binary instead of sockets access). This adds the
    # protection as WHM > Tweak Settings > SMTP Tweaks, which are lost when using a
    # firewall configuration script

    and

    # If SMTP_BLOCK is enabled but you want to allow local connections to port 25
    # on the server (e.g. for web scripts) then enable this option too
    Lloyd F Tennison
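
An added example, not part of the original thread and not CSF's own code: a Python check that lists the sockets the rule quoted above is meant to stop, that is, active connections to remote port 25 owned by a UID outside the allowed set, with loopback optionally exempted as in the second quoted option. The `/proc/net/tcp` sample, the UIDs (0 for root, 47 standing in for the exim user, 32015/32016 for site accounts) and the function names are constructed for illustration.

```python
import socket
import struct

SMTP_PORTS = {25}             # the thread only discusses port 25
ACTIVE_STATES = {"01", "02"}  # ESTABLISHED, SYN_SENT

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 0A00000A:C350 0A6433C6:0019 01 00000000:00000000 00:00000000 00000000    47        0 1002 1
   2: 0A00000A:C351 0B6433C6:0019 01 00000000:00000000 00:00000000 00000000 32015        0 1003 1
   3: 0A00000A:C352 0C6433C6:0019 02 00000000:00000000 00:00000000 00000000 32015        0 1004 1
   4: 0100007F:C353 0100007F:0019 01 00000000:00000000 00:00000000 00000000 32016        0 1005 1
   5: 0A00000A:C354 0D6433C6:0050 01 00000000:00000000 00:00000000 00000000 32015        0 1006 1
"""

def decode(addr):
    """Turn 'HEXIP:HEXPORT' into (dotted_ip, port); IPv4 as printed on x86 hosts."""
    ip_hex, port_hex = addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def direct_smtp(proc_net_tcp, allowed_uids, allow_local=True):
    """Return (uid, remote_ip, remote_port, inode) for SMTP sockets not owned by an allowed UID."""
    hits = []
    for line in proc_net_tcp.splitlines()[1:]:      # skip the header row
        f = line.split()
        if len(f) < 10 or f[3] not in ACTIVE_STATES:
            continue                                 # listeners, TIME_WAIT, short lines
        ip, port = decode(f[2])
        uid = int(f[7])
        if port not in SMTP_PORTS or uid in allowed_uids:
            continue
        if allow_local and ip.startswith("127."):
            continue                                 # web script talking to the local MTA
        hits.append((uid, ip, port, int(f[9])))
    return hits

if __name__ == "__main__":
    for uid, ip, port, inode in direct_smtp(SAMPLE, allowed_uids={0, 47}):
        print(f"uid={uid} -> {ip}:{port} (socket inode {inode})")
```

On a live server, pass the contents of `/proc/net/tcp` and the real UIDs of the mail users instead of the sample; IPv6 sockets live in `/proc/net/tcp6` and are not covered here.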

  5. #5
    handsonhosting

    Hi Lloyd,

    Thanks for the feedback.

    Yeah, we've been experimenting with enabling that on a number of servers. We've had the CSF running for quite some time on our machines, but that option has been marked as OFF as we weren't sure how it would affect other sites on the machine with eCommerce software sending mail etc.

    I guess at this point, we'll enable it and see if we are experiencing any differences.

    Never received anything from Ramprage yet, so I'll enable the other for the moment.

    Thanks again for the comments and the help toward a solution.

  6. #6

    Quote: Originally posted by handsonhosting
    > Hi Lloyd,
    >
    > Thanks for the feedback.
    >
    > Yeah, we've been experimenting with enabling that on a number of servers. We've had the CSF running for quite some time on our machines, but that option has been marked as OFF as we weren't sure how it would affect other sites on the machine with eCommerce software sending mail etc.
    >
    > I guess at this point, we'll enable it and see if we are experiencing any differences.
    >
    > Never received anything from Ramprage yet, so I'll enable the other for the moment.
    >
    > Thanks again for the comments and the help toward a solution.

    Apologies for digging up an old thread, but I was curious: did CSF help you in blocking the dm.cgi / dark.cgi scripts?
