  1. #1
    Member
    Join Date
    Oct 2003
    Posts
    60

    Where is this mail coming from?

    I got a complaint today from my provider because some emails supposedly being sent from my server to AOL users are spam, with a copy. The odd thing is I have dealt with quite a few AOL complaints before and have always been able to find the problem user/script.

    The issue with this one is that the information I am given is very limited: I do not even get an actual message ID, and I can't find anything from the complaint in any of my exim logs, including the to and from addresses or the subject (I have extended logging on).

    I have the server set up to not allow relaying and have watched the mail logs for hours with no luck; I cannot find where any of this is coming from.
    Return-Path: <shanayvonne@techsimple.com>
    Received: from rly-md10.mx.aol.com (rly-md10.mail.aol.com [172.20.29.148]) by air-md07.mail.aol.com (v114_r3.6) with ESMTP id MAILINMD071-9304621f3a934d; Sun, 15 Apr 2007 05:43:19 -0400
    Received: from srv1.mydomain.com (srv1.mydomain.com [111.222.333.444]) by rly-md10.mx.aol.com (v114_r3.6) with ESMTP id MAILRELAYINMD108-9304621f3a934d; Sun, 15 Apr 2007 05:43:05 -0400
    Received: (qmail 38009 invoked by uid 25383); Mon, 16 Apr 2007 09:01:53 +0200 (CEST)
    Message-Id: <20070416090153.38009.qmail@dispatchgn.srv1.mydomain.com>
    From: "Lavone" <shanayvonne@techsimple.com>
    To: <Undisclosed Recipients>
    Date: Mon, 16 Apr 2007 09:01:53 +0200 (CEST)
    Subject: Intoxicated mother swallows her son bole
    Mime-Version: 1.0
    Content-Type: text/plain
    X-AOL IP: 111.222.333.444
    X-Mailer: Unknown (No Version)

    Son has mrasueed enartnces off his own stepmother with his own bole by http://ortovloc.com/?hywht
    and the hee complets at herr legs toa ensure she iss being satisfied well
    So to me it looks like the actual message is being sent from another server and not mine, but I have relaying closed and have checked for compromise etc. with no luck yet.

    Any help would be greatly appreciated.

  2. #2
    chirpy (Super Moderator; vendor account confirmed by cPanel staff)
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495


    This bit:
    Received: (qmail 38009 invoked by uid 25383); Mon, 16 Apr 2007 09:01:53 +0200 (CEST)
    Message-Id: <20070416090153.38009.qmail@dispatchgn.srv1.mydomain.com>
    is typical of a forged header from an exploited PHP script sending email out directly to port 25 (i.e. avoiding exim), which is why it doesn't have proper headers, if indeed it is coming from your server. The simplest way to prevent emails being sent out that bypass exim is to enable WHM > Tweak Security > SMTP Tweak > Enable.

    However, if you use a separate script to configure iptables, that won't be effective. If you run csf, you can simply enable the SMTP_BLOCK option and then restart csf. If you use APF there's a solution to that posted on the forum somewhere.

    You'd then need to track down the offending script, but the above ought to stop the outgoing spam.
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com
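The reading chirpy gives above can be checked mechanically against the headers quoted in post #1. The following is an added example written for this thread, not code from the original posts, cPanel or csf. It walks the Received: chain newest-first, identifies the hop where the message left the poster's network (the IP AOL complained about), and flags the bottom hop: it names no sending host, claims qmail on a server the poster says runs exim, and is timestamped about 21 hours after AOL had already accepted the message, as is the Date: header. The header text is taken from post #1 with its anonymised addresses; the second, clean header block (what an exim local-submission hop roughly looks like, including its id) is constructed here for contrast and is an assumption, as are the domain mydomain.com and the one-hour clock tolerance.

```python
"""Walk the Received chain from the complaint and point at the forged hop.

Added example for this thread (not code from the original posts, cPanel or csf).
COMPLAINT_HEADERS is the block quoted in post #1; GENUINE_HEADERS is a constructed
example of what the same delivery would look like had exim handled the message.
"""
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Header block as quoted in the complaint (constructed here as one string).
COMPLAINT_HEADERS = """\
Return-Path: <shanayvonne@techsimple.com>
Received: from rly-md10.mx.aol.com (rly-md10.mail.aol.com [172.20.29.148]) by air-md07.mail.aol.com (v114_r3.6) with ESMTP id MAILINMD071-9304621f3a934d; Sun, 15 Apr 2007 05:43:19 -0400
Received: from srv1.mydomain.com (srv1.mydomain.com [111.222.333.444]) by rly-md10.mx.aol.com (v114_r3.6) with ESMTP id MAILRELAYINMD108-9304621f3a934d; Sun, 15 Apr 2007 05:43:05 -0400
Received: (qmail 38009 invoked by uid 25383); Mon, 16 Apr 2007 09:01:53 +0200 (CEST)
Message-Id: <20070416090153.38009.qmail@dispatchgn.srv1.mydomain.com>
From: "Lavone" <shanayvonne@techsimple.com>
Date: Mon, 16 Apr 2007 09:01:53 +0200 (CEST)
Subject: Intoxicated mother swallows her son bole

"""

# Assumed shape of the same delivery when exim stamps the local hop itself
# (exim id and timestamps are made up for the example).
GENUINE_HEADERS = """\
Received: from srv1.mydomain.com (srv1.mydomain.com [111.222.333.444]) by rly-md10.mx.aol.com (v114_r3.6) with ESMTP id MAILRELAYINMD108-0000000000000; Sun, 15 Apr 2007 05:43:05 -0400
Received: from nobody by srv1.mydomain.com with local (Exim 4.66) (envelope-from <nobody@srv1.mydomain.com>) id 1HcXyZ-0001Ab-Cd; Sun, 15 Apr 2007 11:42:50 +0200
Date: Sun, 15 Apr 2007 11:42:50 +0200
Subject: contact form

"""

HOP_RE = re.compile(
    r"\bfrom\s+(?P<from>\S+)(?:\s+\((?P<info>[^)]*)\))?.*?\bby\s+(?P<by>\S+)", re.S
)


def in_domain(host, domain):
    return host is not None and (host == domain or host.endswith("." + domain))


def parse_hop(value):
    """Split one Received: value into from-host, its IP, by-host and timestamp."""
    body, _, date = value.replace("\n", " ").rpartition(";")
    m = HOP_RE.search(body)
    ip = None
    if m and m.group("info"):
        ipm = re.search(r"\[([0-9.]+)\]", m.group("info"))
        ip = ipm.group(1) if ipm else None
    return {
        "from": m.group("from") if m else None,
        "ip": ip,
        "by": m.group("by") if m else None,
        "raw": body.strip(),
        "when": parsedate_to_datetime(date.strip()),
    }


def analyse(raw_headers, our_domain, our_mta="exim", tolerance=timedelta(hours=1)):
    """Return (IP that handed the message to the outside world, list of findings).

    Received: headers are read newest-first, so every hop must carry a timestamp
    no later than the hop above it (plus some clock tolerance). A header written
    by a script before it spoke to port 25 sits below the real hops and tends to
    break that ordering, name no sending host, or name an MTA we do not run.
    """
    msg = message_from_string(raw_headers)
    hops = [parse_hop(v) for v in msg.get_all("Received", [])]
    findings, entry_ip, entry_when = [], None, None
    for i, hop in enumerate(hops):
        # First hop received outside our domain from a host inside it: that is
        # the connection our server made, and the IP the complaint is about.
        if entry_ip is None and in_domain(hop["from"], our_domain) and not in_domain(hop["by"], our_domain):
            entry_ip, entry_when = hop["ip"], hop["when"]
        if hop["from"] is None:
            findings.append(("no-from", i, hop["raw"]))
            if our_mta not in hop["raw"].lower():
                findings.append(("wrong-mta", i, hop["raw"]))
        if i + 1 < len(hops) and hops[i + 1]["when"] > hop["when"] + tolerance:
            findings.append(("clock-order", i + 1, hops[i + 1]["raw"]))
    if entry_when is not None and msg["Date"]:
        if parsedate_to_datetime(msg["Date"]) > entry_when + tolerance:
            findings.append(("date-postdates-delivery", None, msg["Date"]))
    return entry_ip, findings


if __name__ == "__main__":
    for label, hdrs in (("complaint", COMPLAINT_HEADERS), ("genuine", GENUINE_HEADERS)):
        ip, found = analyse(hdrs, "mydomain.com")
        print(label, "left our network from", ip)
        for code, idx, raw in found:
            print("  ", code, idx, raw)
```

The IP in the AOL hop is the one fact in the complaint that cannot be forged by the sender, so it is the thing to trust: the message did leave srv1.mydomain.com, just not through exim, which is why the exim logs show nothing. Everything below that hop was written by whatever opened the socket.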

  3. #3
    Member
    Join Date
    Oct 2003
    Posts
    60


    Quote Originally Posted by chirpy View Post
    However, if you use a separate script to configure iptables that won't be effective. If you run csf, you can simple enable the SMTP_BLOCK option and then restart csf. If you use APF there's a solution to that posted on the forum somewhere..
    Thank you for your reply, Chirpy. So running APF would also cause an issue, correct? Because I do have SMTP Tweak enabled on my server and I did not know there would be a conflict with the firewall.

  4. #4
    cPanel Partner NOC
    Join Date
    Feb 2003
    Location
    Gothenburg, Sweden
    Posts
    324


    Trying to find a spammer on one of our servers that isn't running phpsuexec who is using the same method as mentioned here.

    What exactly does the SMTP block option do? Will scripts automatically be piped through exim or will every customer on the server have to use an smtp class instead of mail() function in php?

    twitter: oderland_david

  5. #5
    Member
    Join Date
    Dec 2003
    Location
    France
    Posts
    300
    cPanel/Enkompass Access Level

    Root Administrator


    I had the very same issue on a customer's server a few months back, and it turned out that the offending script was a PHP shell (r57 or c99, I don't remember). This search may help:

    Code:
    # -print0 / xargs -0 keep paths containing spaces intact; grep -l lists only the matching files
    find /home/ \( -name "*.cgi" -o -name "*.php" \) -print0 | xargs -0 grep -E -l 'c99shell|r57shell|WebShell|phpshell' >> /root/report.txt
    Good luck
    Marie - Co-Owner
    Need Further Assistance ? Here you go !
    English, french and spanish support

  6. #6
    Member
    Join Date
    Jun 2006
    Posts
    212


    Paulm:

    I think you will find this document useful in trying to track the spammer:

    http://www.cpanel.net/docs/seminar/SPAM.pdf
    Alex Villegas

  7. #7
    cPanel Partner NOC
    Join Date
    Feb 2003
    Location
    Gothenburg, Sweden
    Posts
    324


    Thanks. I know how to secure a server, but stopping nobody isn't possible on this server right now, I'm afraid. So I'll just have to find the script and stop it for now, until we have a chance to get every customer prepared for suPHP or phpsuexec.


  8. #8
    chirpy (Super Moderator; vendor account confirmed by cPanel staff)
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495


    Quote Originally Posted by internetfab View Post
    Trying to find a spammer on one of our servers that isn't running phpsuexec who is using the same method as mentioned here.

    What exactly does the SMTP block option do? Will scripts automatically be piped through exim or will every customer on the server have to use an smtp class instead of mail() function in php?
    Other way round. If you enable the SMTP block then clients must use the mail() function and not send email directly out to port 25 (usually using sockets). Users that send email from their PC email clients through your server won't be affected by the block.

    You can also have a read of this for help tracking down outbound spam:
    http://www.configserver.com/free/spammers.html#outbound
    Jonathan Michaelson

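Marie's grep in post #5 and chirpy's explanation in post #8 together say what to look for on a server without phpsuexec: a script that bypasses exim has to open its own TCP connection to port 25, so the socket call is as good a signature as a web-shell name. The following is an added example written for this thread, not code from the original posts, cPanel, csf or the ConfigServer page linked above. It walks a directory tree, flags files that carry a known shell name, an eval of a decoded blob, or a raw socket call next to a literal port 25, and runs against a small constructed sample tree (one honest mail() form, one socket spammer hidden in an images directory, one web shell). The regexes, file suffixes and sample scripts are assumptions made for the example.

```python
"""Find scripts that talk to port 25 themselves or look like web shells.

Added example for this thread (not from the original posts, cPanel or csf). It
extends the grep in post #5 with the point from post #8: a script that bypasses
exim must open its own socket to port 25, so look for that call pattern too.
The signatures and the sample files below are assumptions constructed here.
"""
import os
import re
import tempfile

# Web-shell names from post #5, plus the eval-of-decoded-blob shape most
# obfuscated shells share (assumed pattern).
SHELL_RE = re.compile(r"c99shell|r57shell|WebShell|phpshell", re.I)
OBFUSC_RE = re.compile(
    r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I
)
# PHP calls that open a raw TCP connection, and a literal port 25 beside them
# (", 25," / ", 25)" as an argument, or "tcp://host:25" in a URL string).
SOCKET_RE = re.compile(
    r"\b(fsockopen|pfsockopen|stream_socket_client|socket_connect)\s*\(", re.I
)
PORT25_RE = re.compile(r"(?:,\s*25\s*[,)]|:25\s*[\"'])")

SCAN_SUFFIXES = (".php", ".phtml", ".php5", ".cgi", ".pl")


def classify(text):
    """Return the list of reasons a file is suspicious (empty if none)."""
    reasons = []
    if SHELL_RE.search(text):
        reasons.append("webshell-signature")
    if OBFUSC_RE.search(text):
        reasons.append("obfuscated-eval")
    if SOCKET_RE.search(text) and PORT25_RE.search(text):
        reasons.append("direct-smtp")
    return reasons


def scan_tree(root):
    """Walk root (e.g. /home) and map each suspicious script to its reasons."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable, or removed while we were scanning
            reasons = classify(text)
            if reasons:
                hits[path] = reasons
    return hits


# Constructed sample tree: a legitimate mail() form, a socket spammer hidden in
# an images directory, and a web shell with a signature and an eval(base64).
SAMPLES = {
    "user1/public_html/contact.php":
        "<?php mail($_POST['to'], 'Contact form', $_POST['msg']); ?>",
    "user1/public_html/images/.cache.php":
        "<?php $s = fsockopen($host, 25, $errno, $errstr, 30);\n"
        "fwrite($s, \"HELO srv1\\r\\nMAIL FROM:<$from>\\r\\n\"); ?>",
    "user2/public_html/tmp/x.php":
        "<?php /* c99shell v1.0 */ eval(base64_decode($_POST['c'])); ?>",
}


def demo():
    """Write the samples to a temp dir, scan it, return relative paths -> reasons."""
    with tempfile.TemporaryDirectory() as root:
        for rel, src in SAMPLES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(src)
        hits = scan_tree(root)
        return {os.path.relpath(p, root).replace(os.sep, "/"): r
                for p, r in hits.items()}


if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(path, ", ".join(reasons))
```

Point scan_tree at /home as root. On a server where PHP still runs as nobody, the uid in a forged header says nothing about which customer is responsible; the path of the hit does, and its mtime usually lines up with the start of the complaints.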

  9. #9
    cPanel Partner NOC
    Join Date
    Feb 2003
    Location
    Gothenburg, Sweden
    Posts
    324


    Ah, yeah, I've got it now. I can't remember ever having used sockets to send email in my PHP code, so I'm guessing it isn't that common unless you're trying to send spam.

    Thanks for the documentation as well, Chirpy. As always, you come through for us.

    Quote Originally Posted by chirpy View Post
    Other way round. If you enable the SMTP block then clients must use the mail() function and not send email directly out to port 25 (usually using sockets). Users that send email from their PC email clients through your server won't be affected by the block.

    You can also have a read of this for help tracking down outbound spam:
    http://www.configserver.com/free/spammers.html#outbound

