  1. #1
    Registered User
    Join Date
    Jun 2003
    Posts
    177

    Spammers are using my server.. how can I stop them

    I don't know how the spammers are using my server to send out bulk mail.

    I have limited the maximum mails that each domain can send per hour and I have enabled the SMTP Protection.

    Nothing works, my server is used by the spammers and they are sending more than 100 000 messages (of fraud)

    Of course now my server is listed on all blacklists.....

    IT IS URGENT, I don't know how I can stop them.

    Any help?



    This is an example of a report received (I have changed the server hostname and IP)


    ---spam follows---
    Return-Path: <nobody@mak.myserver.com>
    Delivered-To: compilers@iecc.com
    Received: (qmail 13970 invoked from network); 18 Jun 2005 20:20:11 -0000
    Received: from mak.myserver.com (201.45.75.60)
    by mail.iecc.com with SMTP; 18 Jun 2005 20:20:11 -0000
    Received: from nobody by mak.myserver.com with local (Exim 4.51)
    id 1DjeP2-0001rL-5a
    for compilers@iecc.com; Sat, 18 Jun 2005 09:34:32 -0500
    To: compilers@iecc.com
    Subject: Anti Fraud Alert - Confirm Your eBay Account
    From: Security@eBay.com <Security@eBay.com>
    Reply-To:
    MIME-Version: 1.0
    Content-Type: text/html
    Content-Transfer-Encoding: 8bit
    Message-Id: <E1DjeP2-0001rL-5a@mak.myserver.com>
    Date: Sat, 18 Jun 2005 09:34:32 -0500
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - mak.myserver.com
    X-AntiAbuse: Original Domain - iecc.com
    X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
    X-AntiAbuse: Sender Address Domain - mak.myserver.com
    X-Source:
    X-Source-Args:
    X-Source-Dir:
    X-DCC-IECC-Metrics: tom.iecc.com 1107; bulk Body=many Fuz1=many Fuz2=many


  2. #2
    Member
    Join Date
    Jan 2005
    Posts
    1,880


    The example you give is being sent from nobody@mak.myserver.com.

    PHP will, by default, run as the user "nobody", so it is most likely that the account responsible is using PHP to send these messages.

    The best first step would be to enable phpsuexec as this makes PHP run as the account holder, therefore making mail originate from user@mak.myserver.com. This will then help you determine which account is responsible for sending these messages.

    However when you find out which account is responsible, don't automatically assume that the human account holder is to blame - since the messages are being sent out by PHP, it may well be that the account has been compromised and a PHP script has been installed by an external hacker/spammer without the account holder's knowledge or permission.
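
A header check that follows the reasoning in the reply above (an added example, not code from the thread): it reads the earliest Received line and the X-AntiAbuse UID/GID header to tell local submission from SMTP relay. The function name `classify_origin`, the `RELAYED` sample and its addresses are assumptions constructed for illustration.

```python
import re
from email.parser import HeaderParser

# Constructed input: header block from the report above, with the folded
# Received lines re-indented (the forum stripped the leading whitespace).
REPORTED = """\
Return-Path: <nobody@mak.myserver.com>
Received: (qmail 13970 invoked from network); 18 Jun 2005 20:20:11 -0000
Received: from mak.myserver.com (201.45.75.60)
 by mail.iecc.com with SMTP; 18 Jun 2005 20:20:11 -0000
Received: from nobody by mak.myserver.com with local (Exim 4.51)
 id 1DjeP2-0001rL-5a
 for compilers@iecc.com; Sat, 18 Jun 2005 09:34:32 -0500
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]

"""

# Constructed counter-example: a message that arrived at the server over SMTP.
RELAYED = """\
Received: from [203.0.113.7] (helo=example.invalid)
 by mak.myserver.com with esmtp (Exim 4.51)
 id 1DjeQ0-0001sA-7b
 for someone@example.org; Sat, 18 Jun 2005 09:40:00 -0500

"""

HOP_RE = re.compile(r"^from\s+(\S+).*?\bby\s+(\S+)\s+with\s+(\S+)", re.I)
ID_RE = re.compile(r"\bid\s+(\w{6}-\w{6}-\w{2})\b")
UID_RE = re.compile(r"Originator/Caller UID/GID - \[(\d+) (\d+)\]")


def classify_origin(raw_headers, our_host):
    """Say how a reported message entered our_host: 'local', 'smtp' or 'unknown'."""
    msg = HeaderParser().parsestr(raw_headers)
    info = {"origin": "unknown", "submitter": None, "msg_id": None,
            "uid": None, "gid": None}

    # Each server prepends its Received line, so the last one is the first hop.
    received = msg.get_all("Received") or []
    if received:
        hop = " ".join(received[-1].split())  # unfold continuation lines
        m = HOP_RE.search(hop)
        if m and m.group(2).lower() == our_host.lower():
            proto = m.group(3).lower()
            if proto == "local":
                # Handed to Exim by a process on the box (e.g. PHP mail()).
                info["origin"], info["submitter"] = "local", m.group(1)
            elif proto.startswith(("smtp", "esmtp")):
                info["origin"], info["submitter"] = "smtp", m.group(1)
            mid = ID_RE.search(hop)
            if mid:
                info["msg_id"] = mid.group(1)  # look this id up in the Exim log

    # The X-AntiAbuse header in the report records the UID/GID of the caller.
    for value in msg.get_all("X-AntiAbuse") or []:
        m = UID_RE.search(value)
        if m:
            info["uid"], info["gid"] = int(m.group(1)), int(m.group(2))
    return info


if __name__ == "__main__":
    print(classify_origin(REPORTED, "mak.myserver.com"))
    print(classify_origin(RELAYED, "mak.myserver.com"))
```

Received lines below your own server's hop can be forged by the sender, so confirm the message id against the Exim log before acting on an account.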

  3. #3
    Member
    Join Date
    Jul 2004
    Posts
    203


    Additionally, if your server is SENDING those messages, then you may want to contact ebay, as that looks like an ebay `phishing` spam message. First things first though, secure your server by doing as webignition suggested and disable `nobody` from sending email.
    Regards,
    RAIS


    { RAIS Hosting }~{ Superior Hosting Solutions - Personal, Business, Reseller Solutions. Great value }
    { RAIS Domains }~{ Low cost Domain Name registration services }

  4. #4
    AndyReed (cPanel Partner NOC)
    Join Date
    May 2004
    Location
    Minneapolis, MN
    Posts
    2,223


    [QUOTE=NetX]Return-Path: <nobody@mak.myserver.com>
    Delivered-To: compilers@iecc.com
    Received: (qmail 13970 invoked from network); 18 Jun 2005 20:20:11 -0000
    Received: from mak.myserver.com (201.45.75.60)
    [/QUOTE]

    The origin of the server sending this spam to you is Brazil. Phpsuexec is not the only mechanism to secure your server. In addition, you need to install several software applications such as ModSecurity, APF and BFD; patch the insecure php programs including PhpBB, PhpNuke, and osTicket. Clean up your server from all the programs downloaded and installed by hackers/spammers.
    Andy Reed
    RHCE and CCNA
    ServerTune.com

  5. #5
    Member
    Join Date
    Jun 2005
    Posts
    8


    Looks like they are using your server name as an open relay. Use the SMTP tweak to allow only valid users to use port 25. Also, disallow users to use php scripts that send mail as "nobody". These Phishers are getting out of hand.

  6. #6
    Member
    Join Date
    May 2003
    Posts
    31


    Hi,

    I've the same problem. Each day ten thousands of spam mails are sent out via our server. I've already enabled the SMTP tweak, disallowed users to use php scripts that send mail out as nobody, but that didn't help. ModSecurity, APF and BFD are installed and enabled. Does someone have an idea how to stop this?

    Here's an example of a mail (I've changed the host address into ***):

    Return-path: <nobody@host.***.biz>
    Received: from nobody by host.***.biz with local (Exim 4.44)
    id 1DodOm-0001Sb-Of
    for monicathomaz@seag.es.gov.br; Sat, 02 Jul 2005 10:30:52 +0200
    To: monicathomaz@seag.es.gov.br
    Subject: Novo MSN PLUS, baixe agora o patch e divirta-se!
    FROM:msnplus@msn.com
    content-type: text/html
    X-priority: 1
    Message-Id: <E1DodOm-0001Sb-Of@host.***.biz>
    Date: Sat, 02 Jul 2005 10:30:52 +0200



  7. #7
    bijo (Member)
    Join Date
    Aug 2004
    Location
    India
    Posts
    475


    Hello,

    Could you please have a look at this thread,

    http://forums.cpanel.net/showthread....ghlight=chirpy

    JONATHAN did a great job there. Also, please have a look at his document

    http://www.configserver.com/free/eximdeny.html

    It is very helpful to block spam and DOS attacks.
    Bijo
    Yahoo: "bijo505"
    Msn: "bijo_baby@hotmail.com"
    AIM: "bijobaby"

    http://slashome.com
