  1. #1
    cPanel Partner NOC

    Help! Spammer using formmail to send bcc spams!

    There is a spammer, I don't know who, but he has used my customer form to send spam like

    "PDSC****PDSC****PDSC****PDSC****PDSC****PDSC****PDSC****PDSC

    Investors Alert
    Home Run Stock of the Year!

    Produce Safety and Security International, INC. (OTCDSC.PK)

    Ticker Symbol: PDSC.PK Buy Aggressively
    Last Trade: +0.093
    10d AVG Vol: +1,811,732
    Target: +0.67 !!..."

    using BCC I guess. I checked the header in the mail queue; it gives this header:
    "1FHszQ-00033l-LH-H
    apc 32060 501
    <apc@webserver2.mydomain.sg>
    1142040832 0
    -ident apc
    -received_protocol local
    -body_linecount 19
    -auth_id apc
    -auth_sender apc@webserver2.mydomain.sg
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -local
    NY jackson@mydomain.sg
    NN sales@mydomain.sg/virtual_aliases_nostar
    2
    sales@mydomain.sg
    frekiforbes@aol.com

    117P Received: from apc by webserver2.mydomain.sg with local (Exim 4.52)
    id 1FHszQ-00033l-LH; Sat, 11 Mar 2006 09:33:52 +0800
    017T To: sales@mydomain.sg
    024 Subject: Sales Enquries
    018 MIME-Version: 1.0
    045 Content-type: text/plain; charset=iso-8859-1
    013* From: glance
    031F From: glance@webserver2.mydomain.sg
    079 Content-Type: multipart/alternative; boundary=dd948b208d920bf39bc62183f8cdd905
    018 MIME-Version: 1.0
    047 Subject: you out ence to morrow it will be too
    025* bcc: frekiforbes@aol.com
    050I Message-Id: <E1FHszQ-00033l-LH@webserver2.mydomain.sg>
    038 Date: Sat, 11 Mar 2006 09:33:52 +0800"

    What can I do to prevent him from doing it again?

  2. #2
    Member


    First, suspend account apc for now, as that's the origin account. Second, check his domlogs to see the script getting exploited. Third, install a mod_security ruleset that bans bcc:

    As seen in the headers, a simple
    SecFilter "bcc:\x20"
    SecFilter "Bcc:\x20"
    SecFilter "bcc:"

    should fix it. First, suspend the account, restart Apache, and flush the mail queue, controlling the issue, then investigate.
    -Kris
    HostMerit
    'Web Hosting on Your Terms'

  3. #3
    cPanel Partner NOC


    Thank you! BTW, it should be, as it is my own account. Thank you very much! I will try it now. What should I check domlogs for?

  4. #4
    cPanel Partner NOC


    BTW, someone else advised me to add these:

    SecFilterSelective POST_PAYLOAD "Bcc:"
    SecFilterSelective POST_PAYLOAD "Bcc:\x20"
    SecFilterSelective POST_PAYLOAD "cc:"
    SecFilterSelective POST_PAYLOAD "cc:\x20"
    SecFilterSelective POST_PAYLOAD "bcc:"
    SecFilterSelective POST_PAYLOAD "bcc:\x20"
    SecFilterSelective POST_PAYLOAD "bcc: "

    SecFilterSelective THE_REQUEST "Bcc:"
    SecFilterSelective THE_REQUEST "Bcc:\x20"
    SecFilterSelective THE_REQUEST "cc:"
    SecFilterSelective THE_REQUEST "cc:\x20"
    SecFilterSelective THE_REQUEST "bcc:"
    SecFilterSelective THE_REQUEST "bcc:\x20"
    SecFilterSelective THE_REQUEST "bcc: "

    Edit /etc/httpd/conf/modsec.conf and, just below the line
    SecFilterEngine On
    add
    SecFilterScanPOST On

    Will it make the protection more secure? Or what additional protection will it give?
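The filters above match the literal string "bcc:" in the request; the bug they paper over is a form script that copies user-supplied fields straight into mail headers without rejecting line breaks. As an added example, not from this thread or from any formmail release, this is the check the form handler itself should perform, in Python with constructed field names and addresses:

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed field names and addresses, constructed for this example (not formmail's own).
HEADER_FIELDS = ("email", "subject")
SITE_FROM = "webform@example.invalid"  # fixed sender, never taken from the form
SITE_TO = "sales@example.invalid"      # fixed recipient, never taken from the form

class HeaderInjection(ValueError):
    """A form field would add or alter a mail header."""

def check_header_field(name, value):
    # A CR or LF inside a value copied into a header ends that header and starts a
    # new one; that is how an extra "bcc:" line reaches the message. Reject it outright.
    if any(ch in value for ch in "\r\n\x00"):
        raise HeaderInjection(f"{name}: control character in header field")
    return value.strip()

def validate_address(value):
    # Exactly one bare address; display names, lists and angle brackets are refused.
    addr = parseaddr(check_header_field("email", value))[1]
    if not re.fullmatch(r"[^@\s<>,;]+@[^@\s<>,;]+\.[^@\s<>,;]+", addr):
        raise HeaderInjection("email: not a single address")
    return addr

def injected_fields(form):
    """Header-bound fields that fail the check, for logging or blocking the request."""
    bad = []
    for name in HEADER_FIELDS:
        try:
            check_header_field(name, form.get(name, ""))
        except HeaderInjection:
            bad.append(name)
    return bad

def build_message(form):
    """Build the mail a hardened contact-form handler would hand to the MTA."""
    msg = EmailMessage()
    msg["From"] = SITE_FROM
    msg["To"] = SITE_TO
    msg["Reply-To"] = validate_address(form.get("email", ""))
    msg["Subject"] = check_header_field("subject", form.get("subject", ""))
    msg.set_content(form.get("message", ""))  # body text; line breaks are harmless here
    return msg

# Constructed submissions: a normal one and one smuggling a bcc line via the email field.
GOOD = {"email": "glance@example.invalid", "subject": "Sales Enquiries", "message": "Hi"}
BAD = dict(GOOD, email="glance@example.invalid\r\nbcc: someone@example.invalid")
```

Because the sender and recipient are fixed constants and the only user-controlled headers are checked, a smuggled bcc line can only cause a rejected submission, not an extra recipient.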

  5. #5
    verdon


    There are at least two current threads here discussing this exact issue. There's lots of info on rulesets in those. No need to repeat it all here.
