BCC headers used for spamming

Discussion in 'General Discussion' started by netlook, Nov 17, 2005.

  1. netlook

    Blocking BCC headers in EXIM

    Is there any way to block BCC with EXIM on outgoing mail?

    Thanks.
     
    #1 netlook, Nov 17, 2005
    Last edited: Nov 18, 2005
  2. ramprage

    If you have mod_security enabled you can deny the POST of anything that resembles BCC :)
     
  3. netlook

    I think it is a temporary solution, so I'm looking for something harder. :cool:
     
  4. Dathorn_ADT

    I've tried to create similar rules as well with no luck.
     
  5. netlook

    It's not working
     
  6. nyjimbo

    Suddenly I am seeing a very large amount of this kind of spam leaving our server and it seems to be coming from several accounts and is going to AOL. Naturally AOL has blocked one of our servers so that has to be dealt with in the usual wonderful way AOL does it.

    Can someone post a quick mod_security rule to put in to stop this or anything else? Would this BCC thing be fixed in EXIM config instead?

    I can't really tell at this point where it's coming from so I have some work to do but if there is a quick way to stop some of this BCC stuff I would appreciate a quick reply here.

    Thanks !

    :p
     
  7. VCServer

    Hello :)

    I had the same problem: masses of emails with bcc @aol were being dispatched. With the following configuration the problem was fixed for me:

    You can limit the number of recipients as follows: Open the Exim Configuration Editor and switch to Advanced Mode. In the very first edit box, enter the following lines and click Save:
    Code:
    recipients_max = 5
    recipients_max_reject = true
    Perhaps it also helps you. :)
     
  8. rpmws

    I just had 3 servers in the last 2 days get blocked from AOL. Can't help but wonder if it's the formmail? or other email based form scripts?
     
  9. chirpy

    Most often, it's because users are forwarding their domain email to their AOL account including any spam or viruses that have been sent there. AOL treat you as the spammer and block you. Stupid of them, but there you go.
     
  10. rpmws

    Yep, noticed that. But all of a sudden I am seeing this on servers where the /etc/valiases folder hasn't changed in a year.

    Yahoo just blocked another box of mine as well. All of a sudden I am seeing this.
     
  11. metal_cd


    Is this a solution that would not limit other users? Do scripts ever legitimately use this function to send out BCC? I just want to know how limiting this would be.
    Thanks
     
  12. Marty

  13. astopy

    If you're asking if there are legitimate uses for the BCC header, of course there are - I use it all the time. Completely disabling the use of BCC like some people in this thread seem to be thinking about is a horrible idea and wouldn't solve the problem (the spammers could just shift to using the To header, not as subtle but it'd work). Limiting the number of recipients per message would work to an extent, but would cause problems for those with legitimate mailing lists (not to mention the fact that the spammers could simply adjust their scripts to send a larger number of messages each with fewer recipients).

    The only viable solution is to secure your scripts, and add a mod_security rule to stop this kind of attack.
     
  14. jackie46

    We are seeing many of these. Our mod_security is killing these off:

    Via: 1.1 WS2243
    mod_security-message: Access denied with code 403. Pattern match "Bcc:" at POST_PAYLOAD.
    mod_security-action: 403

    264
    email=ntipyreen%0D%0AContent-Type%3A+text%2Fplain%3B+charset%3D%22us-ascii%22%0AMIME-Version%3A+1.0%0AContent-Transfer-Encoding%3A+7bit%0ASubject%3A+with+a+malicious+glance.+es%2C+see%0Abcc%3A+beacon5919%40aol.com%0A%0Af283a555dbb7ff85224eb62d099db883%0D%0A.%0D%0A

    mod_security-message: Access denied with code 403. Pattern match "Bcc:" at POST_PAYLOAD.
    mod_security-action: 403

    297
    email=said%0D%0AContent-Type%3A+text%2Fplain%3B+charset%3D%22us-ascii%22%0AMIME-Version%3A+1.0%0AContent-Transfer-Encoding%3A+7bit%0ASubject%3A+the+ramblers+gradually+descended%0Abcc%3A+bbarnholtz%40aol.com%0A%0Adf34cfc3ef2a899ea64aea7117f96594%0D%0A.%0D%0A&Submit=arie5554%
     
  15. nyjimbo

    Can you post your filter rule which does it ?
     
  16. jackie46

    I looked through my rules when I posted and could not remember which ones those are. I have many. If I find them I'll post them.
     
  17. jackie46

    Here it is,

    SecFilter "Bcc:"
    SecFilter "Bcc:\x20"
     
  18. nyjimbo

    Is that the actual full string in the modsec conf file? Seems kinda short.
     
  19. jackie46

    This is what i have. Try it and test it out.
     
  20. elitewebninja

    This completely wipes out the BCC field from any email that's sent through the server. That means your customers' emails: if they BCC anyone through Outlook, the mail will not get to the BCC recipient.

    Is there any way to limit this to just a script that's being executed? Like if a script has more than 20 BCC email addresses, then those will be discarded?

    Does anyone know what the \x20 means? Does that mean no more than 20 BCC's on a chain?

    SecFilter "Bcc:\x20" = ?

    This is something I REALLY need. Form exploitations are a CONSTANT battle for us, so any help would be appreciated.
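    As an added example (not code from the thread, cPanel or mod_security): the "secure your scripts" advice above, as a check a form-to-mail handler can run on its own header-bound fields before calling any mail function. It is modelled on the POST payloads quoted earlier in the thread (a single field carrying %0D%0A line breaks followed by a smuggled bcc: line); the field names and the example.com addresses are assumptions. Because it only inspects fields destined for headers, a free-text message that merely mentions "Bcc:" is not rejected, which is the false positive the bare SecFilter rule produces.

```python
import re
from urllib.parse import parse_qs
from email.utils import getaddresses

# Constructed sample modelled on the payloads quoted in the thread;
# the field name and the addresses are placeholders, not the post's.
SAMPLE_POST_BODY = (
    "email=ntipyreen%0D%0AContent-Type%3A+text%2Fplain%0Abcc%3A+"
    "victim1%40example.com%2C+victim2%40example.com%0A%0Abody&Submit=go"
)

# A line that parses as an RFC 822 style header ("Name: value").
HEADER_LINE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z0-9-]*):[ \t]*(?P<value>.*)$")

def has_crlf(value: str) -> bool:
    """A value bound for a single header must not contain any line break."""
    return "\r" in value or "\n" in value

def injected_headers(value: str) -> dict:
    """Headers smuggled in after the first line of a field, keyed by lower-case name."""
    found = {}
    for line in re.split(r"\r\n|\r|\n", value)[1:]:
        m = HEADER_LINE.match(line)
        if m:
            found[m.group("name").lower()] = m.group("value")
    return found

def injected_recipients(value: str) -> list:
    """Addresses an injected To/Cc/Bcc line would add to the message."""
    hdrs = injected_headers(value)
    addrs = []
    for name in ("to", "cc", "bcc"):
        if name in hdrs:
            addrs += [a for _, a in getaddresses([hdrs[name]]) if a]
    return addrs

def validate_form(post_body: str, header_fields=("email", "name", "subject")) -> list:
    """Return rejection reasons for the header-bound fields; [] means safe to hand to mail()."""
    fields = parse_qs(post_body, keep_blank_values=True)  # decodes %XX and '+'
    reasons = []
    for f in header_fields:
        for v in fields.get(f, []):
            if has_crlf(v):
                reasons.append(f"{f}: line break in header field")
            rcpts = injected_recipients(v)
            if rcpts:
                reasons.append(f"{f}: injected recipients {', '.join(rcpts)}")
    return reasons
```

    Body fields such as a message text are deliberately left out of header_fields: line breaks are legitimate there, and the mail library writes them into the body, not the header block.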
     