  1. #1
    Member
    Join Date
    Aug 2001
    Location
    Fremont CA
    Posts
    537

    Gone on too long (caps lock edit)

    I am getting very, very sick and tired of people signing up (spammers) and using exim or sendmail to send millions of *($#@*()$#*()$#*Q()*()$@#(*)$#@(*)$(*) spam!!!

    Now don't tell me "nothing can be done", that's ridiculous, especially with cPanel. I would think if someone did their job right, just maybe the headers that are sent out would include the script that's being used to send it out.

    In the last week, we have had quite a hell of a time with abuse complaints, 100% of them from people on our servers using exim directly with their scripts.

    [Edited on 12/12/01 by MichaelShanks]

  2. #2
    Member
    Join Date
    Aug 2001
    Location
    Fremont CA
    Posts
    537

    I doubt the version that cPanel uses has such a fix, though I know formmail is likely not the source of the problem...

    From Matt Wright's site:

    Security Update -- Version 1.9 -- August 3, 2001
    Any users who are using the popular version 1.6 or the recently released version 1.7/1.8 should upgrade immediately. The new version prevents unwanted anonymous spamming through your implementation of FormMail and also prevents unwanted access to environment variables. If you are having problems receiving e-mail and using the redirect variable, version 1.9 should cure that as well. The new script has two extra arrays you must now define, but will not affect current forms or the way they appear after having been submitted.
    UPGRADE IMMEDIATELY!

  3. #3
    Member
    Join Date
    Aug 2001
    Posts
    75

    I fully agree. Same problem here.
    Marc Wyss - marc@mchost.com
    MCHost Inc. - Experts in Private Label Reseller Plans
    http://www.mchost.com

  4. #4
    Member rpmws's Avatar
    Join Date
    Aug 2001
    Location
    back woods of NC, USA
    Posts
    1,858

    I have a dedicated machine in my office, running Linux and on a 21 inch screen sitting 2 feet to the left of me. All that machine does is run SSH and "tail -f exim_mainlog". I have the text size on 20. I try to watch it as much as possible BUT the other day I left for 1 hour for lunch. When I got back loads were 15% and a grep on the log returned over 900,000 emails in 1 hour (or so). I hate it. I can't sleep either. Some help would be great.
    Just keeping my "eye" on things....
    R. Paul Mathews
    RPMWS - diehard cPanel Nutcase

  5. #5
    Member
    Join Date
    Aug 2001
    Posts
    362

    Strange, I have the same but everyone that tries to relay gets refused...

    Or are you talking about people who actually sign up and pay you to abuse it afterwards?

    What about a disclaimer that they agree not to spam or else...?

    [Edited on 12/11/01 by Domenico]
    Webhostingtalk.nl :: For all your Dutch (AMS-IX - Amsterdam) and European hosting quotes
    The best and only hosting forum you need in Europe
    You can ask your quotes and questions in English!

  6. #6
    Member
    Join Date
    Aug 2001
    Location
    Fremont CA
    Posts
    537

    What we are talking about, Domenico, is not SMTP users, but rather users that sign up for our services and use a script to send out emails. Since the script is local (on the server), exim and sendmail accept it as trusted; in other words, it's just another way for spammers to take advantage of a server, 100000x worse than finding an open relay somewhere.

    For anyone who cares, I found a gut-wrenching way to find certain words in a file. This is only good in post-spam investigations, meaning the user already sent all the spam they needed off your server and now you're getting in THOUSANDS of spam complaints.

    I.e.: the spammer sent an email to john@kjdke.com

    and it's very likely this script they have is in the /home directory since they can put anything anywhere else....

    grep -r john /home/* (RET)

    or even

    grep -r kjdke.com /home/* (RET)

    This will take a long time; after all, it's going through every file in the /home directory searching for this one word. I found it very effective today and found a spammer.

    Another good one to run is in your dom-logs, since a lot of everything would be posted in there:

    grep -r WHATEVER /path-to-domlogs-folder/* (RET)


    xxxxxxxxxxxxxxxx
    Come on Cpanel, this is a serious issue and it needs to be dealt with. You want to see how useless the headers are in a case like this?

    X-Coding-System: nil
    Return-Path: <nobody@wolf.thehideout.net>
    Delivered-To: flax@aristotle.algonet.se
    Received: (qmail 5569 invoked from network); 11 Dec 2001 02:56:49 +0100
    Received: from unknown (HELO wolf.thehideout.net) (64.71.165.226)
    by angel.algonet.se with SMTP; 11 Dec 2001 02:56:49 +0100
    Received: from nobody by wolf.thehideout.net with local (Exim 3.33 #1)
    id 16Dc6X-0008Is-00; Mon, 10 Dec 2001 17:53:09 -0800
    To: whatever@whateer.com
    From: God@%random5.com ()
    Subject: Free Bible Cd! Now Including The Audio Bible!
    Message-Id: <E16Dc6X-0008Is-00@wolf.thehideout.net>
    Date: Mon, 10 Dec 2001 17:53:09 -0800
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - wolf.thehideout.net
    X-AntiAbuse: Original Domain - aristotle.algonet.se
    X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [99 99]
    X-AntiAbuse: Sender Address Domain - wolf.thehideout.net



    xxxxxxxxxxxxxxxxxx

    Funny how this line is ALWAYS 99 99 99 99

    X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [99 99]
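    The post-spam search above starts from a word in the complaint; as an added example (not from anyone in this thread), the narrower version I would run: take the Date: header of the bounced spam and count which cgi-bin script received POST requests, and from which client IP, in the minute around it. The UID/GID 99 in the headers is the web server's own user, so the headers never name the account, but a domlog whose POST count lights up at that minute does. The header and domlog lines below are constructed samples in Apache's common log format.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime

# Constructed sample: the Date: header of one complaint and a few domlog
# lines from a hypothetical account. Values are made up, not from the thread.
SAMPLE_HEADERS = """\
From: someone@example.invalid
Subject: constructed sample
Date: Mon, 10 Dec 2001 17:53:09 -0800
"""
SAMPLE_DOMLOG = """\
192.0.2.10 - - [10/Dec/2001:17:52:58 -0800] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512 "-" "Mozilla/4.0"
192.0.2.10 - - [10/Dec/2001:17:53:07 -0800] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Dec/2001:17:53:09 -0800] "GET /index.html HTTP/1.0" 200 2048 "-" "Mozilla/4.0"
192.0.2.10 - - [10/Dec/2001:17:53:10 -0800] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512 "-" "Mozilla/4.0"
192.0.2.10 - - [10/Dec/2001:19:10:00 -0800] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512 "-" "Mozilla/4.0"
"""

# client IP, [timestamp], "METHOD path protocol", status code
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def message_date(headers):
    """Return the Date: header of the complaint as a timezone-aware datetime."""
    for line in headers.splitlines():
        if line.lower().startswith("date:"):
            return parsedate_to_datetime(line.split(":", 1)[1].strip())
    raise ValueError("no Date: header in complaint")

def posts_near(domlog_text, centre, window_seconds=60):
    """Count POST requests per (client IP, script path) that landed within
    +/- window_seconds of the spam's Date:. The script is the one being
    abused; the IP is where it was driven from."""
    window = timedelta(seconds=window_seconds)
    hits = Counter()
    for line in domlog_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, stamp, method, path, _status = m.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        if method == "POST" and abs(when - centre) <= window:
            hits[(ip, path)] += 1
    return hits

if __name__ == "__main__":
    for (ip, path), n in posts_near(SAMPLE_DOMLOG, message_date(SAMPLE_HEADERS)).items():
        print(f"{n:4d}  {ip}  {path}")
```

    On a real box, run it over each domain's domlog in turn; the domain whose log shows the burst is the account to suspend.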

  7. #7
    Member rpmws's Avatar
    Join Date
    Aug 2001
    Location
    back woods of NC, USA
    Posts
    1,858

    [quote]Strange, I have the same but everyone that tries to relay gets refused...

    Or are you talking about people actually sign up and pay you to abuse it afterwards?

    What about a disclaimer that they agree not to spam or else... ?

    [Edited on 12/11/01 by Domenico][/quote]

    Yes, we are talking about signups. I had 2 in a month kill me. Both were long-time clients that had given up on making any money on their sites, so they decided to go out with a bang.

    Had another 3 days ago from outside using the old formmail.pl script and formatting HTTP posts with 20 email addresses at a time. It was cute but slow. I bet he didn't get 600 emails out before I stopped it. I hate spammers!!!!!!!!

    [Edited on 12/11/01 by rpmws]
    Just keeping my "eye" on things....
    R. Paul Mathews
    RPMWS - diehard cPanel Nutcase

  8. #8
    Member
    Join Date
    Aug 2001
    Posts
    362

    Is there a LEGAL solution? I mean, can these guys be prosecuted?

    I have to say it didn't happen to us yet but it scares me a little bit.
    Webhostingtalk.nl :: For all your Dutch (AMS-IX - Amsterdam) and European hosting quotes
    The best and only hosting forum you need in Europe
    You can ask your quotes and questions in English!

  9. #9
    Member
    Join Date
    Aug 2001
    Posts
    839

    Regardless of the fact that something *hopefully* is in the works - if possible - there are various ways to cut down on such individuals taking advantage of exim/sendmail in this way. And I only say "if possible" because... wow, if you think about the scripting gateway you are providing and all of the programs/scripts that require such a device to talk to, it would be a gigantic catch-22 no matter what you try to do to *prevent* or deter against spam being born, server-wide.

    One of my current favorite methods is to train a few cron'd scripts on /var/spool/exim (input/msglog); grepping and generating reports on the queued files alone within /exim/input can point you to your internal abusers almost immediately, as well as those who are flooding your machine with messages from external sources. For those, it takes the offending SMTP IP/subnet in some cases :-).... and routes them to /dev/null. For the internal people, they are usually axe'd immediately.

    Exim itself has some fairly versatile filtering options, as we all know... perhaps in the future we'll continue to see strengthened options/policies for our cPanel machines, provided the software itself continues to advance.

    Until then we have to battle as best as we can, and provide as much helpful feedback as possible.

    Love.
    ..............................


    http://www.fastservers.net/

    travis@fastservers.net
    ..............................
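    Travis describes cron'd scripts that report on the queue to spot internal abusers but does not share them; the following is an added example of my own, not his, that does the equivalent over exim_mainlog: count messages accepted from local callers per minute and flag bursts, which is what rpmws was doing by eye with tail -f. It assumes Exim's standard "<=" log line with U= (calling user) and P= (protocol) fields; the log excerpt is constructed. As post #6 shows, every web script submits as nobody, so the U= field only tells you it was a CGI; the flagged minute is what you then take to the domlogs.

```python
import re
from collections import Counter

# Constructed exim_mainlog excerpt: "<=" is a message received, "=>" a
# delivery. Ids, users and sizes are made up; the field layout follows
# Exim's main log format as assumed above.
SAMPLE_MAINLOG = """\
2001-12-10 17:53:09 16AAAA-000001-00 <= nobody@mail.example.net U=nobody P=local S=612
2001-12-10 17:53:09 16AAAB-000002-00 <= nobody@mail.example.net U=nobody P=local S=612
2001-12-10 17:53:10 16AAAC-000003-00 <= nobody@mail.example.net U=nobody P=local S=612
2001-12-10 17:53:10 16AAAD-000004-00 <= nobody@mail.example.net U=nobody P=local S=612
2001-12-10 17:53:11 16AAAA-000001-00 => alice@example.org R=lookuphost T=remote_smtp
2001-12-10 17:54:02 16AAAE-000005-00 <= bob@client.example U=bob P=local S=1402
2001-12-10 18:20:15 16AAAF-000006-00 <= bob@client.example U=bob P=local S=1402
"""

# date and hh:mm (seconds dropped so we bucket per minute), message id,
# "<=", envelope sender, then the U= and P= fields somewhere after it
RECV_RE = re.compile(
    r'^(\d{4}-\d\d-\d\d \d\d:\d\d):\d\d \S+ <= (\S+) .*?\bU=(\S+) .*?\bP=(\S+)')

def local_submissions(log_text):
    """Count messages Exim accepted from local callers, keyed by
    (minute, calling user). Remote SMTP submissions (P=esmtp etc.) are
    ignored: relaying is already refused, the problem here is local scripts."""
    counts = Counter()
    for line in log_text.splitlines():
        m = RECV_RE.match(line)
        if not m:
            continue
        minute, _sender, user, proto = m.groups()
        if proto == "local":
            counts[(minute, user)] += 1
    return counts

def flag_bursts(counts, threshold):
    """Return the (minute, user) buckets at or above threshold, oldest first."""
    return sorted(key for key, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    # On a live box the threshold would be hundreds per minute; 3 is for the sample.
    for minute, user in flag_bursts(local_submissions(SAMPLE_MAINLOG), 3):
        print(f"burst at {minute} from U={user}")
```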

  10. #10
    Member rpmws's Avatar
    Join Date
    Aug 2001
    Location
    back woods of NC, USA
    Posts
    1,858

    Would you be willing to go into detail and share maybe that script or some examples you have found that work well for you?
    Just keeping my "eye" on things....
    R. Paul Mathews
    RPMWS - diehard cPanel Nutcase

  11. #11
    Member
    Join Date
    Aug 2001
    Posts
    839

    Probably shouldn't.....
    In interests of security and preventing a backlash of individuals that might take offense to the tasks performed by such things.

    :-) I just wanted to share some general ideas.

    Peace. :P
    ..............................


    http://www.fastservers.net/

    travis@fastservers.net
    ..............................

  12. #12
    Member
    Join Date
    Aug 2001
    Location
    Fremont CA
    Posts
    537

    Not to be rude or anything, but your posts are basically worthless to everyone else if you don't want to share how or what you are doing to kill internal spammers.

    As you can see this is becoming a major issue and posts like yours are not helping at all, and unless you want to post what and how you do it, please don't bother since it isn't helping any of us.

    [Edited on 12/12/01 by AlaskanWolf]

  13. #13
    cPanel Partner NOC cPanel Partner NOC Badge
    Join Date
    Aug 2001
    Posts
    105

    AlaskanWolf,

    Please calm down, this is a civilised board for civilised people; we won't have any trouble here.

    www.exim.org

    There is information on there on controlling the malicious use of CGIs. Basically this is not a cPanel issue per se but an overall issue in the webhosting business; there is no way you can stop a spammer short of banning all mail on your system.


    host_accept_relay = +allow_address : lsearch;/etc/relayhosts : localhost

    take a look at that,


    #nobody as the sender seems to annoy people
    local_from_check = false

    also that,

    a little research and patience can do wonders, may I suggest groups.google.com

    Mike
    mshanks@ultraspeed.co.uk
    Http://www.ultraspeed.co.uk
    ICQ: 86889848

  14. #14
    Member Nico's Avatar
    Join Date
    Dec 2001
    Location
    Edmond, OK
    Posts
    233

    [quote]What we are talking about Domenico, is not SMTP users, but rather users that signup for our services, and use a script to send out emails. Since the script is local (on the server) exim and sendmail accept it as trusted, in other words, its just another way for spammers to take advantage of a server, 100000x worse then finding an open relay somewhere.

    For anyone who cares, I found a gut wrenching way to find certain words in a file, this is only good in post-spam invesigations, meaning the user already sent all the spam they needed off your server, now your getting in THOUSANDS of spam complaints

    IE: the spammer sent an email to john@kjdke.com

    and its very likely this script they have is in the /home directory since they can put anything anywhere else....

    grep -r john /home/* (RET)

    or even

    grep -r kjdke.com /home/* (RET)

    this will take along time, after all, its going though every file in the /home directory searching for this one word. I found it very effective today and found a spammer.[/quote]

    I have the same problem with spammers. I can usually pick out who it is by taking a look at /var/log/sendmail.log.
    99% of the time you will see a long string of calls to sendmail for the offending user.
    After I locate and confirm that they are spamming or having one of their scripts exploited, I comment out the following line in httpd.conf for their domain:
    'ScriptAlias /cgi-bin/ /home/username/public_html/cgi-bin/'
    and restart httpd.



    [Edited on 12/12/01 by Nico]

  15. #15
    Member
    Join Date
    Aug 2001
    Location
    Fremont CA
    Posts
    537

    I have already been to Exim MANY MANY times and put in quite a bit of other conf lines that I thought would help, but the fact of the matter is that cPanel does not help with anything in regards to trying to track a local spammer down.

    There's nothing in the logs, there's nothing in the headers, what else do you want us to do? I know for a fact what you just said will very likely not help us.

    Where are the makers of cPanel to come up with suggestions? After all, they know the system better than me, you and this whole board combined.

    I will not, nor will any other host, "calm" down when, as a matter of fact, every cPanel host's server is at risk.

    Give me an account on YOUR system and I can easily send out a few hundred thousand emails without you even knowing about it until you get a spam complaint, and then let's see how calm you are then.
