Community Forums
Page 1 of 2 (Results 1 to 15 of 23)
  1. #1
    Member, joined Mar 2003, 78 posts

    This spam has me stumped

    Man, I am totally stumped on this one. I've been sitting here for almost 4 hours now trying to figure out where this is coming from, but I cannot find any clues anywhere. I'd really appreciate it if someone could give me some suggestions.

    All the email addresses are very similar. They include ones like:

    *@replyquickly.com, *@flashreply.com, *@coolreply.com, *@replyalert.com, and so on.

    They seem to come in batches, where * is the same name, no matter what the domain is. (Ex: quoteoftheday@replyquickly.com or quoteoftheday@flashreply.com)

    Here's an email header that may help.

    Code:
    1Eao5U-0003BW-9B-H
    mailnull 47 12
    <>
    1131773884 0
    -ident mailnull
    -received_protocol local
    -body_linecount 106
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -localerror
    XX
    1
    quoteoftheday@replyalert.com
    
    153P Received: from mailnull by host.myserver.com with local (Exim 4.52)
    	id 1Eao5U-0003BW-9B
    	for quoteoftheday@replyalert.com; Sat, 12 Nov 2005 00:38:04 -0500
    041  X-Failed-Recipients: mahogany@ureach.com
    031  Auto-Submitted: auto-generated
    058F From: Mail Delivery System <Mailer-Daemon@host.myserver.com>
    033T To: quoteoftheday@replyalert.com
    059  Subject: Mail delivery failed: returning message to sender
    047I Message-Id: <E1Eao5U-0003BW-9B@host.myserver.com>
    038  Date: Sat, 12 Nov 2005 00:38:04 -0500
    Again, any help would really be appreciated.

    Thanks guys.

  2. #2
    BANNED, joined Jul 2005, 537 posts

    It's coming from your own server. Either you have a spammer on board or somebody is abusing a script on your box. You need to look in your access_log and error_log to see if anyone is abusing a formmail script. Search for formmail with a 200 request. They could also be abusing the scripts in /cgi-sys/formmail*. If you don't have phpsuexec installed then it will be very hard to find them. You may also want to look at the stuck messages in the queue to see how many are sitting out there. If you have a lot, it's more than likely that it's one of your own users doing it. It could also be a PHP script, PHP-NUKE or some other script, a PHP mailer that has been renamed. It could be anything!

    good luck
    Last edited by jackie46; 11-12-2005 at 01:01 AM.

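The access_log check described in the post above, written out as an added example (this is not code from the thread or from cPanel): it scans Apache combined-format access_log lines for successful POSTs to formmail-style CGIs, the "formmail with a 200 request" pattern, and tallies them per script path and client IP so the abused script and the client hammering it stand out. The log lines, the client IPs and the /cgi-bin/formmail.cgi path are constructed for the example; only /cgi-sys/formmail* comes from the post.

```python
import re
from collections import Counter

# Apache "combined" LogFormat, which is what access_log normally holds:
# host ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Mail-sending CGI names to look for. /cgi-sys/formmail* is the system-wide
# copy named in the post; /cgi-bin/ is an assumption, since accounts can
# carry their own copy of the script.
FORMMAIL_RE = re.compile(r'/(cgi-sys|cgi-bin)/formmail[^/?]*\.(pl|cgi)(\?|$)', re.I)

def parse_line(line):
    """One access_log line -> dict of fields, or None if it is not combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_formmail_abuse(lines, min_hits=2):
    """Successful (200) POSTs to formmail-style CGIs, tallied per (path, client).

    Returns [(path, ip, hits)] sorted by hits, descending, keeping only
    pairs seen at least min_hits times; one-off hits are usually real visitors.
    """
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["status"] != "200":
            continue
        if FORMMAIL_RE.search(rec["path"]):
            hits[(rec["path"], rec["ip"])] += 1
    return sorted(
        ((path, ip, n) for (path, ip), n in hits.items() if n >= min_hits),
        key=lambda t: -t[2],
    )

# Constructed sample lines (not from the thread): one ordinary visitor who
# used a contact form once, plus a client hammering the system formmail.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Nov/2005:12:49:31 -0500] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Nov/2005:12:49:32 -0500] "POST /cgi-sys/formmail.pl HTTP/1.0" 200 512 "-" "-"
198.51.100.7 - - [12/Nov/2005:12:49:33 -0500] "POST /cgi-sys/formmail.pl HTTP/1.0" 200 512 "-" "-"
198.51.100.7 - - [12/Nov/2005:12:49:34 -0500] "POST /cgi-sys/formmail.pl HTTP/1.0" 200 512 "-" "-"
192.0.2.10 - - [12/Nov/2005:12:50:01 -0500] "POST /cgi-bin/formmail.cgi HTTP/1.1" 200 512 "http://example.com/contact.html" "Mozilla/4.0"
198.51.100.7 - - [12/Nov/2005:12:50:02 -0500] "POST /cgi-sys/FormMail.pl HTTP/1.0" 404 300 "-" "-"
"""

if __name__ == "__main__":
    for path, ip, n in find_formmail_abuse(SAMPLE_LOG.splitlines()):
        print("%5d  %-16s POST %s" % (n, ip, path))
```

Against a live server, feed it the file instead of the sample: `find_formmail_abuse(open('/usr/local/apache/logs/access_log'))`, and on a cPanel box loop over the per-domain logs (domlogs) as well, since a script inside an account's own cgi-bin logs there rather than in the main access_log. A 200 alone is not proof; the client repeating the POST every second or two with no referer and no user agent, as in the sample, is the pattern to act on.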
  3. #3
    Super Moderator (account confirmed by cPanel staff to represent a vendor), joined Jun 2002, location "Go on, have a guess", 13,495 posts

    Not necessarily.

    While that email is from the local server, it's from the mailer-daemon, which is the mailbox of last resort if an email cannot be delivered. You really need to track down the original email that generated the mailer-daemon response. That may only be possible with the contents of the actual email.
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com

  4. #4
    Member, joined Mar 2003, 78 posts

    Hmm.. Ok. I just installed phpsuexec, and am going to see if that makes a difference. If not, I'll post the content of an email in here.

    Thanks.

  5. #5
    Super Moderator (account confirmed by cPanel staff to represent a vendor), joined Jun 2002, location "Go on, have a guess", 13,495 posts

    The other thing you can do is to enable extended exim logging which will provide more information when emails are relayed through the server.

  6. #6
    Member, joined Mar 2003, 78 posts

    You mean with log_selector = +all? I just enabled that last night.

    The spam still seems to be coming, but I'm going to wait for a bit and see what happens.

    Thanks.

  7. #7
    Member, joined Mar 2003, 78 posts

    Ok.. the spam is still coming. I now have phpsuexec installed and have checked the box to prevent "nobody" from sending emails. I've looked through the emails, but I still do not see anything that shows where it's coming from. Here's one of the emails:

    Code:
    1EazVq-0004ID-Gw-H
    mailnull 47 12
    <>
    1131817802 0
    -ident mailnull
    -received_protocol local
    -body_linecount 67
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -localerror
    XX
    1
    jcgiff@replyprompt.com
    
    147P Received: from mailnull by host.myserver.com with local (Exim 4.52)
    	id 1EazVq-0004ID-Gw
    	for jcgiff@replyprompt.com; Sat, 12 Nov 2005 12:50:02 -0500
    042  X-Failed-Recipients: ricusick@comcast.net
    031  Auto-Submitted: auto-generated
    058F From: Mail Delivery System <Mailer-Daemon@host.myserver.com>
    027T To: jcgiff@replyprompt.com
    059  Subject: Mail delivery failed: returning message to sender
    047I Message-Id: <E1EazVq-0004ID-Gw@host.myserver.com>
    038  Date: Sat, 12 Nov 2005 12:50:02 -0500
    1EazVq-0004ID-Gw-D
    This message was created automatically by mail delivery software.
    
    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:
    
      ricusick@comcast.net
        SMTP error from remote mail server after RCPT TO:<ricusick@comcast.net>:
        host gateway-r.comcast.net [204.127.198.26]: 551 not our customer
    
    ------ This is a copy of the message, including all the headers. ------
    
    Return-path: <jcgiff@replyprompt.com>
    Received: from localhost ([127.0.0.1]:58692 helo=replyprompt.com)
    	by host.myserver.com with esmtp (Exim 4.52)
    	id 1EazVg-0004BB-0v
    	for ricusick@comcast.net; Sat, 12 Nov 2005 12:49:52 -0500
    Message-Id: <10185913233.2005jbsd3322@kajp.replyprompt.com>
    X-Delivered-To: ds16@replyprompt.com
    Date: Sat, 12 Nov 2005 16:49:31 -0100
    Received: (from nobody@aff10185913233.2005jbsd3322) by localhost (127.0.0.1) id 10185913233.2005jbsd3322 Sat, 12 Nov 2005 16:49:31 -0100
    X-Sender: <jcgiff@replyprompt.com>
    Mime-Version: 1.0
    From: <jcgiff@replyprompt.com>
    To: "Richard Cusick" <ricusick@comcast.net>
    Subject: The Country Club is a way to get a  financial boast
    Reply-To: <jcgiff@nelson-tel.net>
    Message-ID: <sid=80971132&rid=43265&seq=3&oid=10561@replyprompt.com>
    Content-Type: text/plain; charset="iso-8859-1"
    X-ClamAntiVirus-Scanner: This mail is clean
    
    
    Let's face it, {The Recipients Name}, who couldn't use a little extra money? 
    
    As an independent distributor with The Country Club, you'll never have to worry about where your next check is coming from. In fact, within just two months you could be pulling down a six-figure income.
    
    Don't let this 'Golden' opportunity pass you by. 
    Kiss off your old financial worries: http://TheCountryClub.us/movie/index.cfm?id=golfpro 
    
    Warmest Regards
    James Gifford
    Rolling Hills Games
    The Country Club
    
    P.S. Think you're too busy? Just 2 minutes a day can keep your business hopping. Check out our new Automated Prospecting Center on the website. 
    
    P.P.S.  For a exciting (3) minute Country Club message call 1-800--213-9592 
    
    -----------------------------------------------------------------------------------------
    Robot Reply - Thinking about serious web marketing? Then give us a try! 
    30 Day Trial, 50 quality leads for $0.00 just for trying! No Exceptions!
    
    http://jhgiff.replyprompt.com/
    -----------------------------------------------------------------------------------------
    
    Sender's Address:
     
    Sender's Email: 
    
    To unsubscribe or change subscriber options visit:
    http://replyprompt.com/z/rmv.pl?es=hszdzkzdzkzahhhp&rid=43265&seq=3

  8. #8
    Super Moderator (account confirmed by cPanel staff to represent a vendor), joined Jun 2002, location "Go on, have a guess", 13,495 posts

    To track that down further:

    Code:
    grep 1EazVg-0004BB-0v /var/log/exim_mainlog

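The grep above, applied to the bounce in post #7, as an added example that is not code from the thread: it digs the original message's Exim id out of the Received: header below the "This is a copy of the message" line (the id in the bounce's own header, 1EazVq-0004ID-Gw, belongs to the bounce, not to the spam), reads off where Exim accepted the original from (127.0.0.1:58692, HELO replyprompt.com) and then looks that id up in exim_mainlog. The bounce headers are taken from post #7; the exim_mainlog lines are constructed in Exim's log format (the :port on the H= field is what log_selector = +all adds) and their S= sizes are made up.

```python
import re

# Shape of an Exim message id, e.g. 1EazVg-0004BB-0v (time, pid, sequence).
ID_PAT = r'[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}'
COPY_MARKER = "This is a copy of the message"

def _unfold(headers):
    # RFC 2822 folding: a continuation line starts with whitespace.
    return re.sub(r'\r?\n[ \t]+', ' ', headers)

def original_received(bounce_text):
    """Unfolded Exim 'Received:' line of the message that bounced, i.e. the
    first Exim Received header *below* the copied-message marker, or None."""
    idx = bounce_text.find(COPY_MARKER)
    if idx < 0:
        return None
    for line in _unfold(bounce_text[idx:]).splitlines():
        if line.startswith("Received:") and "(Exim" in line:
            return line
    return None

def original_exim_id(bounce_text):
    """The id to grep for in exim_mainlog, or None."""
    rcvd = original_received(bounce_text)
    m = rcvd and re.search(r'\bid (' + ID_PAT + r')\b', rcvd)
    return m.group(1) if m else None

def submission_source(bounce_text):
    """Where Exim accepted the original message from: ip, port and HELO name."""
    rcvd = original_received(bounce_text)
    m = rcvd and re.search(
        r'from \S+ \(\[(?P<ip>[^\]]+)\]:(?P<port>\d+) helo=(?P<helo>[^)\s]+)\)', rcvd)
    return m.groupdict() if m else None

# exim_mainlog arrival line: "<id> <= <sender> H=<host> [<ip>]:<port> P=... S=..."
# A bounce arrives as "<= <> R=<parent id> U=<user> P=local"; a message
# handed to Exim by a local process (not SMTP) carries U=<login> too.
ARRIVAL_RE = re.compile(
    r'^\S+ \S+ (?P<id>' + ID_PAT + r') <= (?P<sender>\S+)'
    r'(?: H=(?P<host>.*?) \[(?P<ip>[^\]]+)\](?::(?P<port>\d+))?)?'
    r'(?: R=(?P<parent>' + ID_PAT + r'))?(?: U=(?P<user>\S+))?(?: P=(?P<proto>\S+))?'
)

def find_arrival(log_lines, exim_id):
    """The '<=' line for exim_id, parsed; what `grep <id> exim_mainlog` shows first."""
    for line in log_lines:
        m = ARRIVAL_RE.match(line)
        if m and m.group("id") == exim_id:
            return {k: v for k, v in m.groupdict().items() if v is not None}
    return None

# Bounce headers from post #7 (body trimmed).
BOUNCE = """\
Received: from mailnull by host.myserver.com with local (Exim 4.52)
\tid 1EazVq-0004ID-Gw
\tfor jcgiff@replyprompt.com; Sat, 12 Nov 2005 12:50:02 -0500
X-Failed-Recipients: ricusick@comcast.net
From: Mail Delivery System <Mailer-Daemon@host.myserver.com>
Subject: Mail delivery failed: returning message to sender

------ This is a copy of the message, including all the headers. ------

Return-path: <jcgiff@replyprompt.com>
Received: from localhost ([127.0.0.1]:58692 helo=replyprompt.com)
\tby host.myserver.com with esmtp (Exim 4.52)
\tid 1EazVg-0004BB-0v
\tfor ricusick@comcast.net; Sat, 12 Nov 2005 12:49:52 -0500
Received: (from nobody@aff10185913233.2005jbsd3322) by localhost (127.0.0.1) id 10185913233.2005jbsd3322 Sat, 12 Nov 2005 16:49:31 -0100
From: <jcgiff@replyprompt.com>
To: "Richard Cusick" <ricusick@comcast.net>
"""

# Constructed exim_mainlog excerpt (not from the thread): arrival of the
# spam, its failed delivery, and the bounce Exim generated for it.
MAINLOG = """\
2005-11-12 12:49:52 1EazVg-0004BB-0v <= jcgiff@replyprompt.com H=localhost (replyprompt.com) [127.0.0.1]:58692 P=esmtp S=2211 id=10185913233.2005jbsd3322@kajp.replyprompt.com
2005-11-12 12:50:02 1EazVg-0004BB-0v ** ricusick@comcast.net R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<ricusick@comcast.net>: host gateway-r.comcast.net [204.127.198.26]: 551 not our customer
2005-11-12 12:50:02 1EazVq-0004ID-Gw <= <> R=1EazVg-0004BB-0v U=mailnull P=local S=2925
"""

if __name__ == "__main__":
    eid = original_exim_id(BOUNCE)
    print("original message id:", eid)
    print("accepted from      :", submission_source(BOUNCE))
    print("exim_mainlog '<='  :", find_arrival(MAINLOG.splitlines(), eid))
```

Against a live box, read `/var/log/exim_mainlog` in place of MAINLOG. The "<=" line is the one that matters: H= tells you the message came in over SMTP from 127.0.0.1, so the sender is a process on the server itself, and the port number (present once +all is on) is what lets the netstat check later in the thread tie that connection to a uid. A message injected by a local process instead of over SMTP shows U=<login> on the same line, which is the account to look at directly.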
  9. #9
    cPanel Partner NOC, joined Oct 2003, 1,931 posts

    I had this loser on one of my servers last week.

    See this thread: http://forums.cpanel.net/showthread.php?t=43644
    Lowest Host/Empire Technology LLC
    Affordable hosting solutions http://empire-hosting.net
    List Your hosting site FREE in http://hostgeneration.com

  10. #10
    Member, joined Mar 2003, 78 posts

    Wohoo!

    Thanks to both chirpy and dalem, the spammer has been eradicated. This post - http://forums.cpanel.net/showthread.php?t=43644 was very useful in helping me find who it was. The commands:

    Code:
    netstat -cen 2>/dev/null | grep 127.0.0.1:25
    and

    Code:
    grep UID /etc/passwd
    were especially helpful, as I was able to see which user was connecting very often through SMTP and get their username. Their account has been suspended for about 15 minutes, and not one more "spam email" has come through.

    Thanks again for all your help guys. I really appreciate it!

    Matthew

  11. #11
    BANNED, joined Jul 2005, 537 posts

    Quote Originally Posted by nurseryboy
    Wohoo!

    Thanks to both chirpy and dalem, the spammer has been eradicated. [...] I was able to see which user was connecting very often through SMTP and get their username. Their account has been suspended for about 15 minutes, and not one more "spam email" has come through.
    That's what I said, I said it was coming from your server. I bow to the old gracious Chirpy who said NOT NECESSARILY!

  12. #12
    cPanel Partner NOC, joined Oct 2003, 1,931 posts

    Here is the crap they are selling:
    http://robotreply.com/

    I just love this quote on their website:
    "We keep a very close eye on our server logs, as well as closely observe the activity on each account. We monitor incoming spam complaints"
    Closely watched, yeah, using some other poor soul's webserver. Funny, I don't recall allowing them access to our mail logs.

  13. #13
    Super Moderator (account confirmed by cPanel staff to represent a vendor), joined Jun 2002, location "Go on, have a guess", 13,495 posts

    Quote Originally Posted by jackie46
    That's what I said, I said it was coming from your server. I bow to the old gracious Chirpy who said NOT NECESSARILY!
    This isn't a competition, it's about helping people. You've already been warned once about trolling, so please stop it.

  14. #14
    Member, joined Sep 2003, 199 posts

    Code:
    root@static [/usr/local/bin]# netstat -cen 2>/dev/null | grep 127.0.0.1:25
    # columns: Proto Recv-Q Send-Q Local-Address Foreign-Address State User Inode
    tcp 181 0 127.0.0.1:40146 127.0.0.1:25 ESTABLISHED 0 23484731
    tcp 0 0 127.0.0.1:25 127.0.0.1:40146 ESTABLISHED 47 23484732
    tcp 0 0 127.0.0.1:25 127.0.0.1:40265 ESTABLISHED 47 23516583
    tcp 181 0 127.0.0.1:40265 127.0.0.1:25 ESTABLISHED 0 23516582
    tcp 0 0 127.0.0.1:25 127.0.0.1:40265 ESTABLISHED 47 23516583
    tcp 181 0 127.0.0.1:40265 127.0.0.1:25 ESTABLISHED 0 23516582
    tcp 0 0 127.0.0.1:25 127.0.0.1:40320 ESTABLISHED 47 23546610
    tcp 181 0 127.0.0.1:40320 127.0.0.1:25 ESTABLISHED 0 23546609
    tcp 0 0 127.0.0.1:25 127.0.0.1:40320 ESTABLISHED 47 23546610
    tcp 181 0 127.0.0.1:40320 127.0.0.1:25 ESTABLISHED 0 23546609
    tcp 181 0 127.0.0.1:40419 127.0.0.1:25 ESTABLISHED 0 23575988
    tcp 0 0 127.0.0.1:25 127.0.0.1:40419 ESTABLISHED 47 23575989
    tcp 0 0 127.0.0.1:25 127.0.0.1:40504 ESTABLISHED 47 23606437
    tcp 181 0 127.0.0.1:40504 127.0.0.1:25 ESTABLISHED 0 23606436
    tcp 0 0 127.0.0.1:25 127.0.0.1:40504 ESTABLISHED 47 23606437
    tcp 181 0 127.0.0.1:40504 127.0.0.1:25 ESTABLISHED 0 23606436

    181 is no such user. How can I stop all the "nobody" emails going out? My server sends out about 1500 emails every morning, if not more. I have run many things that have been posted here in the forums to try and solve my problem, but nothing. I have a lot of accounts on the web server, and if there is a script (PHP) running somewhere, how do I locate it if it's being executed?

  15. #15
    cPanel Partner NOC, joined Oct 2003, 1,931 posts

    tcp 181 0 127.0.0.1:40146 127.0.0.1:25 ESTABLISHED 0 23484731
    You're looking at the wrong column: the user is root (you); 181 is Recv-Q, inbound.

    tcp 0 0 127.0.0.1:25 127.0.0.1:40146 ESTABLISHED 47 23484732
    47 is mailman

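Reading the `netstat -cen` output from posts #10 and #14 the way dalem describes in #15, as an added example that is not code from the thread: it maps the User column (the seventh field; the 181 in the output above is Recv-Q) to login names the way `grep <UID> /etc/passwd` does, counts only the client end of each localhost:25 connection (the end on local port 25 is always Exim's own user and says nothing about who is submitting), and de-duplicates by inode because `-c` prints the whole table again every second. The passwd entries are constructed, with uid 47 given as mailnull because the Exim spool header at the top of the thread reads "mailnull 47 12"; the second netstat sample and the account name spammy are hypothetical.

```python
import re
from collections import Counter

# netstat -cen columns: Proto Recv-Q Send-Q Local-Address Foreign-Address
# State User Inode. With -e (and -n) the User column is the numeric uid of
# the socket's owner: the seventh field, not the second.
NETSTAT_RE = re.compile(
    r'^(?P<proto>tcp6?)\s+(?P<recvq>\d+)\s+(?P<sendq>\d+)\s+'
    r'(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<faddr>\S+):(?P<fport>\d+)\s+'
    r'(?P<state>[A-Z_]+)\s+(?P<uid>\d+)\s+(?P<inode>\d+)$'
)

def load_passwd(passwd_text):
    """uid -> login name; the lookup behind `grep <UID> /etc/passwd`."""
    users = {}
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 3 and f[2].isdigit():
            users[int(f[2])] = f[0]
    return users

def smtp_clients(netstat_text, users, smtp_port=25):
    """Count connections *into* local port 25 per owning login.

    Only the client end of each connection is counted (foreign port == 25);
    the server end (local port 25) belongs to the MTA user and is skipped.
    Sockets are de-duplicated by inode because `netstat -c` repeats the table.
    """
    seen, counts = set(), Counter()
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line.strip())
        if not m or int(m.group("fport")) != smtp_port:
            continue
        if m.group("inode") in seen:
            continue
        seen.add(m.group("inode"))
        uid = int(m.group("uid"))
        counts[users.get(uid, "uid %d" % uid)] += 1
    return dict(counts)

# Constructed /etc/passwd excerpt. mailnull as uid 47 / gid 12 matches the
# "mailnull 47 12" line of the Exim spool header in post #1; "spammy" is a
# hypothetical hosting account added for the example.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
mailnull:x:47:12:mailnull:/var/spool/mqueue:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
spammy:x:32010:32012::/home/spammy:/bin/bash
"""

# Output posted in #14 (repeated rows are the -c refresh, not new sockets).
THREAD_NETSTAT = """\
tcp 181 0 127.0.0.1:40146 127.0.0.1:25 ESTABLISHED 0 23484731
tcp 0 0 127.0.0.1:25 127.0.0.1:40146 ESTABLISHED 47 23484732
tcp 0 0 127.0.0.1:25 127.0.0.1:40265 ESTABLISHED 47 23516583
tcp 181 0 127.0.0.1:40265 127.0.0.1:25 ESTABLISHED 0 23516582
tcp 0 0 127.0.0.1:25 127.0.0.1:40265 ESTABLISHED 47 23516583
tcp 181 0 127.0.0.1:40265 127.0.0.1:25 ESTABLISHED 0 23516582
tcp 0 0 127.0.0.1:25 127.0.0.1:40320 ESTABLISHED 47 23546610
tcp 181 0 127.0.0.1:40320 127.0.0.1:25 ESTABLISHED 0 23546609
tcp 181 0 127.0.0.1:40419 127.0.0.1:25 ESTABLISHED 0 23575988
tcp 0 0 127.0.0.1:25 127.0.0.1:40419 ESTABLISHED 47 23575989
tcp 0 0 127.0.0.1:25 127.0.0.1:40504 ESTABLISHED 47 23606437
tcp 181 0 127.0.0.1:40504 127.0.0.1:25 ESTABLISHED 0 23606436
"""

# Constructed sample (not from the thread) of what the check is meant to
# catch: an account's script holding two SMTP submissions open at once.
ACCOUNT_NETSTAT = """\
tcp 0 0 127.0.0.1:41000 127.0.0.1:25 ESTABLISHED 32010 23700001
tcp 0 0 127.0.0.1:25 127.0.0.1:41000 ESTABLISHED 47 23700002
tcp 0 0 127.0.0.1:41001 127.0.0.1:25 ESTABLISHED 32010 23700003
tcp 0 0 127.0.0.1:25 127.0.0.1:41001 ESTABLISHED 47 23700004
"""

if __name__ == "__main__":
    users = load_passwd(PASSWD)
    print("thread output :", smtp_clients(THREAD_NETSTAT, users))
    print("sample account:", smtp_clients(ACCOUNT_NETSTAT, users))
```

On a live box pipe a few seconds of `netstat -cen 2>/dev/null | grep 127.0.0.1:25` into a file and pass its contents in place of THREAD_NETSTAT, with `/etc/passwd` read in place of PASSWD. Every client socket in the #14 output is owned by uid 0, so on that server the submissions come from something running as root rather than from a hosting account; with phpsuexec in place, a script in an account would show up under that account's uid, as in the constructed sample, and the client port number is the same one Exim records on the H= field of the message's "<=" line in exim_mainlog.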