  1. #1
    Solokron (Member)
    Join Date
    Aug 2003
    Posts
    783

    Spammer and **bypassed** listed in Exim Mail Statistics

    I have an issue with a spammer that I have not been able to track down via logs.

    Enabled feature set:

    Include a list of Pop before SMTP senders in the X-PopBeforeSMTP header when relaying mail. (exim 4.34-30+ required)

    Prevent the user 'nobody' from sending out mail to remote addresses (php and cgi scripts generally run as nobody if you are not using phpsuexec and suexec respectively.)

    Silently Discard all FormMail-clone requests with a bcc: header in the subject line

    Track the origin of messages sent through the mail server by adding the X-Source headers (exim 4.34+ required)

    The SMTP Tweak is enabled.

    Enabled: Verify the existence of email senders.

    Enabled: Discard emails for users who have exceeded their quota instead of keeping them in the queue.

    log_selector = +all


    What concerns me is viewing mail delivery stats via WHM I see a listing for:

    Deliveries by transport
    -----------------------
                   Volume   Messages
    **bypassed**    158KB          7



    Even with log_selector = +all I am not able to track this spammer down.


    Provided below are the mail headers reported to us.

    Return-path: <claywhiting0@meineke.com>
    Received: from defapp07.gatewaydefender.com (unverified [207.180.209.127]) by buckeye-express.com
    (Rockliffe SMTPRA 6.1.20) with ESMTP id <B0015165024@mail.buckeye-express.com> for <genoxxxx@buckeye-express.com>;
    Fri, 23 Sep 2005 06:59:31 -0400
    Received: from yyyyyyyyy.com (Not Verified[xx.xx.xx.xx]) by defapp07.gatewaydefender.com
    id <BK10fbc4eb>; Fri, 23 Sep 2005 06:59:30 -0400
    Received: (qmail 27788 invoked by uid 46782); Sun, 25 Sep 2005 15:46:54 +0200 (CEST)
    Message-Id: <20050925154654.27788.qmail@yyyyyyyyy.com>
    From: "Meira Branson" <claywhiting0@meineke.com>
    To: "genoxxxx" <genoxxxx@buckeye-express.com>
    Date: Sun, 25 Sep 2005 15:46:54 +0200 (CEST)
    Subject: Mom was used by her son
    Mime-Version: 1.0
    Content-Type: text/plain


    I expect more header information as a result of my above enabled features but with **bypassed** appearing in Exim Mail Statistics I am concerned they may be indeed bypassing the system.

    The domain, as expected, does not exist on the system. No new accounts on the server look questionable. A phpbbversion check scan has been run and versions older than 16 have been disabled +5 days.

    I also run mail-watch on the server which has not reported any accounts.

    I have run the following with no results:

    grep '20050925154654.27788' /var/log/exim_mainlog
    grep 'meineke.com' /var/log/exim_mainlog
    grep 'genoxxxx@buckeye-express.com' /var/log/exim_mainlog
    grep -i 'mom was used by her son' /var/log/exim_mainlog   # -i: the logged subject is "Mom ..." with a capital M
    grep -r 'genoxxxx@buckeye-express.com' /home/*


    This is racking my brain as I cannot track this email down and I hope it is not a new exploit in exim.

  2. #2
    Solokron (Member)
    Join Date
    Aug 2003
    Posts
    783

    Default

    I should also mention the server's formmail*, helpdesk*, cgiemail* and real* are all disabled in /usr/local/cpanel/cgi-sys.

  3. #3
    Solokron (Member)
    Join Date
    Aug 2003
    Posts
    783

    Default

    Because these are not appearing in exim I can only suspect these are by a trojanned machine smarthosting through this server.

    We run rootkithunter and tripwire twice a day and they have not found anything, so this ought to be fun.

  4. #4
    Member
    Join Date
    Jun 2005
    Posts
    124

    Default

    Hello,

    If 207.180.209.127 is not your IP, someone else is using a fake mail to spam from account@servername.com, and then you get all the error mails from the failed mails.

  5. #5
    Solokron (Member)
    Join Date
    Aug 2003
    Posts
    783

    Default

    Nonsense. That is gatewaydefender.com

    Quote Originally Posted by IberHosting
    Hello,

    If 207.180.209.127 is not your IP, someone else is using a fake mail to spam from account@servername.com, and then you get all the error mails from the failed mails.

  6. #6
    chirpy (Super Moderator; forum account confirmed by cPanel staff to represent a vendor)
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    Default

    That email isn't originating from a cPanel server running exim. Either the headers are forged or the initial Received line (read them backwards) clearly shows this:

    Received: (qmail 27788 invoked by uid 46782); Sun, 25 Sep 2005 15:46:54 +0200 (CEST)

    So, it appears to be a joe-job of sorts if that is indeed the original header of the actual spam email.
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com
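    Added example, not from the thread or from any poster's tooling: it reads the Received chain quoted in post #1 bottom-up, as chirpy suggests, and flags what a defender would notice in it: the innermost hop is a local qmail injection rather than an Exim SMTP hop, both relays mark the sending host as unverified, and the qmail timestamp (25 Sep) is two days later than the hop that supposedly received from it (23 Sep). The sample headers are constructed from the post with the poster's own masking kept.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the Received chain quoted in post #1, with the same
# masking (xx.xx.xx.xx, yyyyyyyyy.com, genoxxxx) the poster applied.
SAMPLE = (
    "Return-path: <claywhiting0@meineke.com>\n"
    "Received: from defapp07.gatewaydefender.com (unverified [207.180.209.127]) by buckeye-express.com\n"
    "\t(Rockliffe SMTPRA 6.1.20) with ESMTP id <B0015165024@mail.buckeye-express.com> for <genoxxxx@buckeye-express.com>;\n"
    "\tFri, 23 Sep 2005 06:59:31 -0400\n"
    "Received: from yyyyyyyyy.com (Not Verified[xx.xx.xx.xx]) by defapp07.gatewaydefender.com\n"
    "\tid <BK10fbc4eb>; Fri, 23 Sep 2005 06:59:30 -0400\n"
    "Received: (qmail 27788 invoked by uid 46782); Sun, 25 Sep 2005 15:46:54 +0200 (CEST)\n\n"
)
QMAIL_RE = re.compile(r"^\(qmail \d+ invoked by uid (\d+)\)")

def parse_hops(raw):
    """Return the Received: hops origin-first, i.e. reading the headers bottom-up."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        value = " ".join(value.split())                 # unfold continuation lines
        stamp = parsedate_to_datetime(value.rsplit(";", 1)[-1].strip())
        m = QMAIL_RE.match(value)
        if m:                                           # local injection: no SMTP peer at all
            hops.append({"kind": "qmail-local", "uid": int(m.group(1)), "from": None,
                         "by": None, "verified": None, "time": stamp})
            continue
        src = re.search(r"^from\s+(\S+)", value)
        dst = re.search(r"\bby\s+(\S+)", value)
        hops.append({"kind": "smtp", "uid": None, "time": stamp,
                     "from": src.group(1) if src else None, "by": dst.group(1) if dst else None,
                     "verified": not re.search(r"not verified|unverified", value, re.I)})
    return hops

def anomalies(hops):
    """What a defender reading the chain backwards should notice."""
    out = []
    if hops and hops[0]["kind"] == "qmail-local":
        out.append("origin is a local qmail injection by uid %d, not an Exim SMTP hop" % hops[0]["uid"])
    for prev, cur in zip(hops, hops[1:]):               # each hop should be dated >= the one before it
        if cur["time"] < prev["time"]:
            out.append("hop by %s (%s) is dated before the hop it claims to have received from (%s)"
                       % (cur["by"], cur["time"].isoformat(), prev["time"].isoformat()))
    for h in hops:
        if h["kind"] == "smtp" and not h["verified"]:
            out.append("hop by %s could not verify the sending host %s" % (h["by"], h["from"]))
    return out
```

    Feed it the full header block of a reported message; a chain whose innermost hop is a qmail or sendmail local injection cannot have passed through this server's Exim.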

  7. #7
    sv1 (Member)
    Join Date
    Aug 2003
    Posts
    140

    Default

    Any update Solokron?

  8. #8
    Solokron (Member)
    Join Date
    Aug 2003
    Posts
    783

    Default

    Which is why I suspect a trojan is installed bypassing and not utilizing exim.

    I don't know why they would joe-job the server but that is possible as well.

    Quote Originally Posted by chirpy
    That email isn't originating from a cPanel server running exim. Either the headers are forged or the initial Received line (read them backwards) clearly shows this:

    Received: (qmail 27788 invoked by uid 46782); Sun, 25 Sep 2005 15:46:54 +0200 (CEST)

    So, it appears to be a joe-job of sorts if that is indeed the original header of the actual spam email.

  9. #9
    Solokron (Member)
    Join Date
    Aug 2003
    Posts
    783

    Default

    "20050925154654.27788.qmail@yyyyyyyyy.com"

    Qmail.

  10. #10
    chirpy (Super Moderator; forum account confirmed by cPanel staff to represent a vendor)
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    Default

    I'm actually looking at another server with the exact same problem and so I'm happy to withdraw my suggestions that it isn't from the actual server.

    It appears to me on the server I'm looking at that they're coming in through a vulnerable php script, most likely one of the usual candidates (phpBB or phpNuke). However, I've yet to track down which script is being used.

    Have you checked that every phpBB installed on the server (if there are any) is definitely running v2.0.17, including phpNuke installations?
    Jonathan Michaelson


  11. #11
    Member
    Join Date
    Aug 2003
    Location
    Tucson,AZ
    Posts
    77

    Default

    Quote Originally Posted by chirpy
    I'm actually looking at another server with the exact same problem and so I'm happy to withdraw my suggestions that it isn't from the actual server.

    It appears to me on the server I'm looking at that they're coming in through a vulnerable php script, most likely one of the usual candidates (phpBB or phpNuke). However, I've yet to track down which script is being used.

    Have you checked that every phpBB installed on the server (if there are any) is definitely running v2.0.17, including phpNuke installations?
    This brings up a good question about phpBB - is there any way to upgrade all the installed versions to the latest code w/o having to log into their control panel and do it that way?

    bigj

  12. #12
    Solokron (Member)
    Join Date
    Aug 2003
    Posts
    783

    Default

    Good to hear! Hopefully we can track this down.

    As mentioned, I have run a phpbbversion check up to .16 about 8 days ago, but not phpnuke. I have noticed by grepping the home directories for "qmail" that nuke and also phpAdsNew generally have a lot of references to qmail. Is there a version check script available for nuke?


    Quote Originally Posted by chirpy
    I'm actually looking at another server with the exact same problem and so I'm happy to withdraw my suggestions that it isn't from the actual server.

    It appears to me on the server I'm looking at that they're coming in through a vulnerable php script, most likely one of the usual candidates (phpBB or phpNuke). However, I've yet to track down which script is being used.

    Have you checked that every phpBB installed on the server (if there are any) is definitely running v2.0.17, including phpNuke installations?

  13. #13
    Solokron (Member)
    Join Date
    Aug 2003
    Posts
    783

    Default

    If installed via cPanel you can use the add-on update module. Otherwise the following script is useful for sending out warnings and disabling outdated forums with an .htaccess file.

    http://www.cplicensing.net/files/scripts/chkphpbbver


    Quote Originally Posted by bigj
    This brings up a good question about phpBB - is there any way to upgrade all the installed versions to the latest code w/o having to log into their control panel and do it that way?

    bigj

  14. #14
    Solokron (Member)
    Join Date
    Aug 2003
    Posts
    783

    Default

    This php mail header patch looks to be worth a shot as well.

    http://choon.net/php-mail-header.php

  15. #15
    chirpy (Super Moderator; forum account confirmed by cPanel staff to represent a vendor)
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    Default

    That mail() patch looks interesting but may not help in this case because it appears to bypass the local mail server and presumably contains a remailer of its own that it wouldn't pick up.

    I have the following on the check for my modified chkphpbbver:
    Code:
    				if($f eq "0" and $s < 17) {   # assumed: $f and $s are the second and third dot-separated parts of the version string, so this matches anything below 2.0.17
    So it locates all phpBB databases that are not running at 2.0.17.
    Jonathan Michaelson

