Hey all,
Being the main abuse agent for the webhost I work for, I started receiving a rash of spam complaints recently. I analyzed a header and saw as follows:
Code:
```
Received: from nobody by peach.ourcompany.com with local (Exim 4.50)
	id 1DTbWA-0000uG-4H; Thu, 05 May 2005 04:15:34 -0400
To:
Subject: HELLO
From: steve_williams22@web.de <steve_williams22@web.de>
X-Priority: 1 (Highest)
CC:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: RLSP Mailer
Message-Id: <E1DTbWA-0000uG-4H@peach.ourcompany.com>
Date: Thu, 05 May 2005 04:15:34 -0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - peach.ourcompany.com
X-AntiAbuse: Original Domain - cox.net
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain - peach.ourcompany.com
X-Source:
X-Source-Args:
X-Source-Dir:
```
Alright, now, the headers show: "X-Mailer: RLSP Mailer"
Tracking back, this is a PHP-Nuke WebMail Module header. So, what's happening is users are signing up for accounts to PHP-Nuke sites and then sending mail using the SMTP facilities.
Technically, if you have PHPSuExec enabled, you should be good to track back the sender; if you don't though, you could just issue a warning to all users and locate the `libmail.php` files and change their modes to 000.
This way, users have to give it attention or else they will not be able to take advantage of it.
It's a poor solution, I know, however it gets the job done. It beats going through every one of those PHP Admin areas and disabling the WebMail module.
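This is what I did to resolve it (as root or wheel with sudo):
Code:
```php
<?php
// Locate every libmail.php under the users' web roots.
$findarray = `find /home/*/public_html/ -name 'libmail.php'`;
$findlist = explode("\n", (string) $findarray);
foreach ($findlist as $path) {
    $path = trim($path);
    if ($path) {
        // PHP's chmod() avoids passing the unquoted path through a shell,
        // so spaces or shell metacharacters in a filename are not interpreted.
        chmod($path, 0000);
    }
}
?>
```
At worst, someone will find this fix unacceptable and whip up a better one.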
Just a heads up to everyone!
Jamie S.
Kiosk.ws



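An added example, not part of the original post: a Python triage of the header fields the post relies on (the `X-Mailer: RLSP Mailer` marker, the local Exim submitter and the `X-AntiAbuse` caller UID), to show whether a complaint can be traced to an account. The function name `triage`, the `shared_uid` default of 99 (the UID shown next to "from nobody" in the post's headers) and the trimmed sample are assumptions made for this illustration.

```python
import email
import re
from email import policy

# Constructed sample: a trimmed copy of the header block quoted in the post.
SAMPLE = """\
Received: from nobody by peach.ourcompany.com with local (Exim 4.50)
\tid 1DTbWA-0000uG-4H; Thu, 05 May 2005 04:15:34 -0400
Subject: HELLO
X-Mailer: RLSP Mailer
X-AntiAbuse: Primary Hostname - peach.ourcompany.com
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
X-Source:
X-Source-Dir:

body
"""

UID_RE = re.compile(r"Originator/Caller UID/GID - \[(\d+) (\d+)\]")
LOCAL_RE = re.compile(r"^from (\S+) by \S+ with local\b")

def triage(raw, shared_uid=99):
    """Summarise the abuse-relevant headers of one raw message.

    shared_uid is an assumption: the UID the web server's PHP runs as when
    scripts are not executed under the account owner's UID.
    """
    msg = email.message_from_string(raw, policy=policy.compat32)
    uid = None
    for value in msg.get_all("X-AntiAbuse", []):
        m = UID_RE.search(value)
        if m:
            uid = int(m.group(1))
    local_user = None
    for value in msg.get_all("Received", []):
        m = LOCAL_RE.match(value.strip())
        if m:
            local_user = m.group(1)  # submitted locally, not relayed over SMTP
    return {
        "webmail_module": msg.get("X-Mailer", "").strip() == "RLSP Mailer",
        "local_user": local_user,
        "caller_uid": uid,
        # A per-account UID identifies the site; the shared UID does not.
        "traceable": uid is not None and uid != shared_uid,
        "source_dir": msg.get("X-Source-Dir", "").strip(),
    }
```

For the post's headers this reports the WebMail marker with an untraceable shared UID and an empty `X-Source-Dir`, which is the situation that led to the `libmail.php` sweep.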





