  #1 hostultra, Member (joined Aug 2002, 170 posts)

    How do I track spam sent from my server?

    I got a spam alert from SpamCop; the spam has these headers:

    Offending message:
    Return-path: <sdlkhlfjks@riodejaneiro.net>
    Envelope-to: devin@localhost
    Delivery-date: Wed, 14 May 2003 06:06:37 +0900
    Received: from localhost ([127.0.0.1])
    by mail.distalzou.net with esmtp (Exim 3.36 #1)
    id 19Fgyr-0009cY-00
    for devin@localhost; Wed, 14 May 2003 06:06:37 +0900
    Delivered-To: devin@telerama.com
    Received: from localhost
    by localhost with POP3 (fetchmail-6.2.0)
    for devin@localhost (single-drop); Wed, 14 May 2003 06:06:37 +0900 (JST)
    Received: (qmail 36843 invoked from network); 13 May 2003 21:01:15 -0000
    Received: from unknown (HELO sargon10.shcp.ofimay.gob.mx) (148.233.228.73)
    by speedbuggy.telerama.com with SMTP; 13 May 2003 21:01:15 -0000
    Received: from mail.terra.cl (server2.hostultra.com [207.44.218.56])
    by sargon10.shcp.ofimay.gob.mx (8.11.6/linuxconf) with SMTP id h4DL16R18318;
    Tue, 13 May 2003 16:01:07 -0500
    Date: Tue, 13 May 2003 16:01:07 -0500
    Message-Id: <200305132101.h4DL16R18318@sargon10.shcp.ofimay.gob.mx>
    From: "Jake" <sdlkhlfjks@riodejaneiro.net>
    To: "xsumner@korea.com" <xsumner@korea.com>
    Subject: Price Reduced: Get Norton System Works for $29.99 ($210 value) xsumner
    Cc: jeanniemarie7@hotmail.com
    Cc: devin@telerama.com
    MIME-Version: 1.0
    Content-Type: text/html


    How do I find which account sent it?

  #2 Member (joined Apr 2003, 243 posts)

    It could just be name-dropping, in the hope that you get in trouble. Reasons for this:

    a) Unless you have removed them, it contains none of the usual cPanel headers (e.g. the X-Antiabuse stuff).

    b) The supposed server you sent to is an open relay (see http://dsbl.org/listing?ip=148.233.228.73 and http://www.moensted.dk/spam/?addr=14...&Submit=Submit).

    You could check in your logs for Tuesday/Wednesday to see whether you did or did not send any mail to that address, e.g. grep 2003-05-13 /var/log/exim*|grep 148.233.228
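Walking the Received chain, as an added example (this is not code from the thread or from cPanel). It unfolds the headers quoted in post #1, extracts each hop's "from"/"by" hosts and IP addresses, and reports which host actually wrote the hop that names a given IP. That is the point the reply above is making: the line naming 207.44.218.56 was written by sargon10.shcp.ofimay.gob.mx, a third party, so from the hostultra side it is only a claim, and the local Exim log is what settles it. The Exim log excerpt is constructed (it stands in for /var/log/exim_mainlog and deliberately contains no 148.233.228.x delivery, matching the empty grep reported later in the thread); host names come from the quoted headers.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed from the headers quoted in post #1, folded the way an MTA writes
# them (continuation lines start with whitespace). Sample data, not a capture.
SPAM_HEADERS = """\
Return-path: <sdlkhlfjks@riodejaneiro.net>
Received: from localhost ([127.0.0.1])
 by mail.distalzou.net with esmtp (Exim 3.36 #1)
 id 19Fgyr-0009cY-00
 for devin@localhost; Wed, 14 May 2003 06:06:37 +0900
Received: from localhost
 by localhost with POP3 (fetchmail-6.2.0)
 for devin@localhost (single-drop); Wed, 14 May 2003 06:06:37 +0900 (JST)
Received: (qmail 36843 invoked from network); 13 May 2003 21:01:15 -0000
Received: from unknown (HELO sargon10.shcp.ofimay.gob.mx) (148.233.228.73)
 by speedbuggy.telerama.com with SMTP; 13 May 2003 21:01:15 -0000
Received: from mail.terra.cl (server2.hostultra.com [207.44.218.56])
 by sargon10.shcp.ofimay.gob.mx (8.11.6/linuxconf) with SMTP id h4DL16R18318;
 Tue, 13 May 2003 16:01:07 -0500
From: "Jake" <sdlkhlfjks@riodejaneiro.net>
"""

# Constructed Exim main log excerpt (stands in for /var/log/exim_mainlog).
EXIM_MAINLOG = """\
2003-05-13 15:58:01 19FbXq-0002Ab-00 <= bob@server2.hostultra.com U=bob P=local S=1432
2003-05-13 15:58:03 19FbXq-0002Ab-00 => alice@example.net R=lookuphost T=remote_smtp H=mx.example.net [10.0.0.5]
2003-05-14 09:12:44 19FqLs-0007Zz-00 <= <> H=relay.example.org [10.0.0.7] P=esmtp S=2201
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def unfold(raw: str) -> List[str]:
    """Join RFC 2822 continuation lines back onto the header they belong to."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_received(raw: str) -> List[Dict[str, object]]:
    """Return every Received hop in header order (most recent first)."""
    hops = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        body = line.split(":", 1)[1].strip()
        m_from = re.match(r"from\s+(\S+)", body)   # only a leading 'from' counts
        m_by = re.search(r"\bby\s+(\S+)", body)
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "by": m_by.group(1) if m_by else None,
            "ips": IPV4.findall(body),
        })
    return hops


def who_recorded(hops, ip: str) -> List[Optional[str]]:
    """The 'by' host of each hop that mentions `ip`. That host, not the header
    text itself, is the only party that can vouch for the claim."""
    return [h["by"] for h in hops if ip in h["ips"]]


def verdict(hops, ip: str, my_hosts: set) -> Tuple[str, List[Optional[str]]]:
    """Classify a complaint naming `ip`: a hop written by a host you do not
    control is unverifiable from the header alone and must be checked in logs."""
    recorders = who_recorded(hops, ip)
    if not recorders:
        return ("not-in-headers", recorders)
    if all(r in my_hosts for r in recorders):
        return ("recorded-by-us", recorders)
    return ("third-party-claim", recorders)


def exim_hits(log: str, day: str, ip_prefix: str) -> List[str]:
    """Python equivalent of `grep DAY exim_mainlog | grep IP_PREFIX` from post #2."""
    return [l for l in log.splitlines() if l.startswith(day) and ip_prefix in l]


if __name__ == "__main__":
    hops = parse_received(SPAM_HEADERS)
    print(verdict(hops, "207.44.218.56", {"server2.hostultra.com"}))
    print(exim_hits(EXIM_MAINLOG, "2003-05-13", "148.233.228"))
```

Run from the complaint recipient's point of view (my_hosts = {"speedbuggy.telerama.com"}) the same headers give "recorded-by-us" for 148.233.228.73, which is why SpamCop could legitimately name the relay; the 207.44.218.56 line below it is only what that relay says it saw, and a spammer can supply any HELO and the relay may log whatever it likes. The Exim log check only proves a negative for mail that went through Exim, which matters for the rest of this thread.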

  #3 hostultra, Member (joined Aug 2002, 170 posts)

    Thanks for the help.

    The reason I got it was that 207.44.218.56 is my server.
    The mail does not look like it was sent from my server; mail sent from my server always has Return-path: <username@server2.hostultra.com>

    Running grep 2003-05-13 /var/log/exim*|grep 148.233.228 showed no results.

    I have heard nothing from my ISP (RackShack) yet about it; I like to have these things sorted before they check their email.

    Yesterday I got a spam complaint (same spam) for an IP address that isn't even bound to any server.

  #4 Member (joined Apr 2003, 243 posts)

    Yeah, sometimes I think people just blindly accept whatever SpamCop says even though it tells you to check it, or people blindly forward mail to SpamCop. Although it is very good at what it does, it is still possible to fool it: there was an uproar on exim-users a while back when a person sent an off-list reply while also cc'ing the list, and that mail got to SpamCop.

  #5 hostultra, Member (joined Aug 2002, 170 posts)

    It turns out the spam did come from my server.

    What this spammer did was very smart.
    He ran a CGI script in his account which connected to a different SMTP server to send the spam.
    This means that the mail restrictions you set in cPanel have no effect and the abuse headers do not get added.
    The result is that when you get a spam report you have no idea which account the spam came from.
    Right after he ran the script he deleted it from the cgi-bin.

    I found it by pure luck by spotting a load of unusual processes in top, then looked in his logfile and saw this:

    207.43.172.230 - - [14/May/2003:17:14:58 -0500] "POST /cgi-bin/18472.cgi HTTP/1.1" 200 20 "-" "Mozilla/4.0 (compatible; MSIE 4.01; $
    207.43.172.230 - - [14/May/2003:17:15:00 -0500] "POST /cgi-bin/18472.cgi HTTP/1.1" 200 20 "-" "Mozilla/4.0 (compatible; MSIE 4.01; $
    207.43.172.230 - - [14/May/2003:17:15:02 -0500] "POST /cgi-bin/18472.cgi HTTP/1.1" 200 20 "-" "Mozilla/4.0 (compatible; MSIE 4.01; $
    207.43.172.230 - - [14/May/2003:17:15:04 -0500] "POST /cgi-bin/18472.cgi HTTP/1.1" 200 20 "-" "Mozilla/4.0 (compatible; MSIE 4.01; $
    207.43.172.230 - - [14/May/2003:17:15:08 -0500] "POST /cgi-bin/18472.cgi HTTP/1.1" 200 20 "-" "Mozilla/4.0 (compatible; MSIE 4.01; $
    207.43.172.230 - - [14/May/2003:17:15:08 -0500] "POST /cgi-bin/18472.cgi HTTP/1.1" 200 20 "-" "Mozilla/4.0 (compatible; MSIE 4.01; $

    The file /cgi-bin/18472.cgi did not exist any more (deleted?),
    but the logs there show a 200 status, which means it did exist when it was run.

    Is there a way I can block Perl scripts connecting to SMTP servers?

  #6 Registered User (joined Jul 2002, 4 posts)

    Originally posted by hostultra:
    It turns out the spam did come from my server [...] Is there a way I can block Perl scripts connecting to SMTP servers?
    I had a spammer do the EXACT same thing to one of my servers! He named his script 16746.cgi instead.

    Mind posting the contents of that script? I'm interested to see if they're the same....

  #7 hostultra, Member (joined Aug 2002, 170 posts)

    I don't have the contents of the script;
    he deleted it from the server after it was run.

    The number on the script changes;
    our logs show the first day there was a different number.

  #8 Radio_Head, Member (vendor account confirmed by cPanel staff; joined Feb 2002, 2,064 posts)

    Can I see some part of the code, to check if I have it on my box?

  #9 Member (joined Mar 2002, Alberta, Canada, 1,509 posts)

    hostultra, I'm curious -- if you don't mind sharing -- as to whether the person had been a client of yours for a while? I presume, from the information you have received in this post (nice touch, howard), you have already cancelled the account; no refunds, no recourse, for spam-related email.

  #10 kris1351, Member (joined Apr 2003, Lewisville, TX, 968 posts)

    We need a good script that will help hosts find malicious scripts like this. There is one customer going around to hosts and doing this over and over. He has his own thread on WHT.

    http://www.webhostingtalk.com/showth...hreadid=143724


  #11 Radio_Head, Member (vendor account confirmed by cPanel staff; joined Feb 2002, 2,064 posts)

    Originally posted by kris1351:
    We need a good script that will help hosts find malicious scripts like this. There is one customer going around to hosts and doing this over and over. He has his own thread on WHT.

    http://www.webhostingtalk.com/showth...hreadid=143724

    Yes, but where is the code?

  #12 Member (joined Jul 2003, 23 posts)

    I found this spammer. Please keep this in mind and do not host this domain. He is using the following username and domain:
    ghann8j9 (medistarhlth.com)

    207.43.172.227 - - [03/Sep/2003:12:58:49 -0500] "POST /cgi-bin/12833.cgi HTTP/1.1" 200 20 "-" "Mozilla/4.0 (compatible; MSIE$
    207.43.172.227 - - [03/Sep/2003:12:58:54 -0500] "POST /cgi-bin/12833.cgi HTTP/1.1" 200 2440 "-" "Mozilla/4.0 (compatible; MS$
    207.43.172.227 - - [03/Sep/2003:12:58:55 -0500] "POST /cgi-bin/12833.cgi HTTP/1.1" 200 20 "-" "Mozilla/4.0 (compatible; MSIE$
    207.43.172.227 - - [03/Sep/2003:14:18:29 -0500] "POST /cgi-bin/22265.cgi HTTP/1.1" 200 20 "-" "Mozilla/4.0 (compatible; MSIE$
    207.43.172.227 - - [03/Sep/2003:14:18:34 -0500] "POST /cgi-bin/22265.cgi HTTP/1.1" 200 2440 "-" "Mozilla/4.0 (compatible; MS$
    207.43.172.227 - - [03/Sep/2003:14:18:34 -0500] "POST /cgi-bin/22265.cgi HTTP/1.1" 200 20 "-" "Mozilla/4.0 (compatible; MSIE$

    When I look into his account I can't find any of those scripts. He is deleting them right after running them. While these scripts are running you see something like this on your console:
    ghann8j9 26076 3.5 0.4 3472 2160 ? R 14:18 0:00 /usr/bin/perl -w 22265.cgi

    Many instances of this script run for a few seconds and then terminate.

    Hope this helps.
    Thanks
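A detector for the pattern described in posts #5 and #12, as an added example (this is not code from the thread or from cPanel): bursts of POST requests to a digit-named script under /cgi-bin/ that answered 200 but is no longer on disk, correlated with `ps` output to recover the account name. The access-log lines and the `ps aux` snapshot are constructed in the shape of those quoted above (the cut-off user-agents are replaced with a placeholder, and two ordinary requests are added as negatives); `cgi_bin_files` stands in for `os.listdir()` of the account's cgi-bin so the example runs offline.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample shaped like the per-domain Apache access_log lines in the thread.
ACCESS_LOG = """\
207.43.172.227 - - [03/Sep/2003:12:58:49 -0500] "POST /cgi-bin/12833.cgi HTTP/1.1" 200 20 "-" "Mozilla/4.0 (compatible; MSIE 4.01)"
207.43.172.227 - - [03/Sep/2003:12:58:54 -0500] "POST /cgi-bin/12833.cgi HTTP/1.1" 200 2440 "-" "Mozilla/4.0 (compatible; MSIE 4.01)"
207.43.172.227 - - [03/Sep/2003:12:58:55 -0500] "POST /cgi-bin/12833.cgi HTTP/1.1" 200 20 "-" "Mozilla/4.0 (compatible; MSIE 4.01)"
207.43.172.227 - - [03/Sep/2003:14:18:29 -0500] "POST /cgi-bin/22265.cgi HTTP/1.1" 200 20 "-" "Mozilla/4.0 (compatible; MSIE 4.01)"
10.0.0.9 - - [03/Sep/2003:14:20:00 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [03/Sep/2003:14:21:00 -0500] "POST /cgi-bin/formmail.cgi HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Constructed `ps aux` snapshot shaped like the line quoted in post #12.
PS_SNAPSHOT = """\
ghann8j9 26076 3.5 0.4 3472 2160 ? R 14:18 0:00 /usr/bin/perl -w 22265.cgi
ghann8j9 26077 3.1 0.4 3472 2160 ? R 14:18 0:00 /usr/bin/perl -w 22265.cgi
root 1234 0.0 0.1 2000 1000 ? S 12:00 0:01 /usr/sbin/sshd
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# The naming habit seen in this thread: a throw-away CGI whose name is just digits.
THROWAWAY_CGI = re.compile(r"^/cgi-bin/(\d+\.cgi)$")


def parse_access_log(text: str) -> List[Dict[str, object]]:
    """Parse combined-format lines into dicts; unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            row = m.groupdict()
            row["status"] = int(row["status"])
            rows.append(row)
    return rows


def suspicious_posts(rows, cgi_bin_files: Set[str]) -> List[Dict[str, object]]:
    """Group 200-status POSTs to digit-named CGIs by (client IP, script) and flag
    the ones whose file is gone: a 200 for a script that no longer exists is the
    run-then-delete behaviour described in the thread."""
    by_script: Dict[tuple, List[str]] = defaultdict(list)
    for r in rows:
        m = THROWAWAY_CGI.match(r["path"])
        if r["method"] == "POST" and r["status"] == 200 and m:
            by_script[(r["ip"], m.group(1))].append(r["ts"])
    return [
        {"ip": ip, "script": name, "hits": len(ts), "first": ts[0], "last": ts[-1],
         "deleted": name not in cgi_bin_files}
        for (ip, name), ts in sorted(by_script.items())
    ]


def running_cgi_owners(ps_text: str) -> Dict[str, List[str]]:
    """Account -> digit-named scripts it is running under perl, from `ps aux` output."""
    owners: Dict[str, Set[str]] = defaultdict(set)
    for line in ps_text.splitlines():
        parts = line.split()
        if len(parts) < 11:
            continue
        user, cmd = parts[0], parts[10:]
        if cmd[0].endswith("perl") and re.fullmatch(r"\d+\.cgi", cmd[-1]):
            owners[user].add(cmd[-1])
    return {u: sorted(s) for u, s in owners.items()}


def attribute(findings, owners) -> List[Dict[str, object]]:
    """Attach the account name wherever ps caught the same script running."""
    script_to_user = {s: u for u, scripts in owners.items() for s in scripts}
    return [dict(f, account=script_to_user.get(f["script"])) for f in findings]


if __name__ == "__main__":
    rows = parse_access_log(ACCESS_LOG)
    findings = suspicious_posts(rows, cgi_bin_files={"formmail.cgi"})
    for f in attribute(findings, running_cgi_owners(PS_SNAPSHOT)):
        print(f)
```

On a real box, point parse_access_log at each domain's log (on cPanel of this era they live under /usr/local/apache/domlogs/) and pass set(os.listdir()) of that account's cgi-bin; a script caught by ps but missing from disk is the strongest signal, and the request timestamps give the window to pull from the remote relay's logs. This only finds the abuse after the fact. The enforcement asked for in post #5 is a firewall owner match on outbound TCP port 25 (iptables -m owner --uid-owner), allowing only root and the MTA's own user (mailnull for Exim on cPanel) and rejecting everyone else, which forces user scripts back through the local MTA where the cPanel abuse headers and restrictions apply; note that it covers port 25 only, so a relay listening on another port would still be reachable.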

  #13 Member (joined Oct 2002, 35 posts)

    This spammer recently dropped by, hosting a domain with us.

    I deactivated his cgi-bin, but he circumvented that, and I found a file called "mypage.cgi".

    From the looks of it, it seems to be a spamming machine.
