The Community Forums


can't track spammer

Discussion in 'General Discussion' started by Secret Agent, Feb 22, 2005.

  1. Secret Agent

    Secret Agent Guest

    Having a difficult time tracking a spammer. First, I do nano /var/log/maillog and for some reason it spikes up the cpu/memory load dramatically.

    The email spam forwarded to me today by an anonymous receiver...
    ===

    From your server:


    Received: from server.myhostname.com ([xx.x.166.50])
    by rwcrmxc19.comcast.net (rwcrmxc19) with ESMTP
    id <20050223020031r1900pbs3fe>; Wed, 23 Feb 2005 02:00:31 +0000
    X-Originating-IP: [xx.x.166.50]
    Received: from nobody by server.myhostname.com with local (Exim 4.44)
    id 1D3lpG-0004Tv-3T
    for someuser@comcast.net; Tue, 22 Feb 2005 21:00:30 -0500
    To: someuser@comcast.net
    Subject: Account Investigation Important Notice
    From: aw-confirm@ebay.com <aw-confirm@ebay.com>
    Reply-To: aw-confirm@ebay.com
    MIME-Version: 1.0
    Content-Type: text/html
    Content-Transfer-Encoding: 8bit
    Message-Id: <E1D3lpG-0004Tv-3T@server.myhostname.com>
    Date: Tue, 22 Feb 2005 21:00:30 -0500
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - server.myhostname.com
    X-AntiAbuse: Original Domain - comcast.net
    X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
    X-AntiAbuse: Sender Address Domain - server.myhostname.com
    X-Source:
    X-Source-Args:
    X-Source-Dir:

    <table width="713" border="0" align="center">
    <tr>
    <td width="707" height="578"><p><img
    alt="From collectibles to cars, buy and sell all kinds of items on eBay"
    src="http://pics.ebaystatic.com/aw/pics/register/HeaderRegister_387x40.gif"
    border=0></p>
    <p><font size="4" face="Times New Roman, Times, serif"><strong><font face="Verdana, Arial, Helvetica, sans-serif">Account
    Investigation Important Notice</font></strong></font></p>
    <p>&nbsp;</p>
    <p><font size="2" face="Verdana, Arial, Helvetica, sans-serif">
    <p> Dear eBay customer ,</p>
    <p>We have strong reason to believe
    that your eBay account has
    been recently compromised and it could be used by a third party without your authorization. </font><font size="2" face="Verdana, Arial, Helvetica, sans-serif">In
    order to prevent any fraudulent activity from occurring we
    are required to open an investigation into this matter.
    To
    speed up this
    process,
    you are required to verify your eBay informations by following
    the link below.</font></p>

    <p><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><a target="_blank" href="http://signin.ebay.com.httpn.us" >http://signin.ebay.com/eBayISAPI.dll?Signln&UserID</a></font></p>
    <p align="left"><font size="2" face="Verdana, Arial, Helvetica, sans-serif">(To
    complete the verification process you must fill in all the required
    fields)</font></p>
    <table width="97%" border="0" bgcolor="#EFEFEF">
    <tr>
    <td><font size="2" face="Verdana, Arial, Helvetica, sans-serif">Please
    Note - If your account informations are not updated within
    the next 72 hours, then we will assume this account is fraudulent
    and will be suspended. We apologize for this inconvenience,
    but the purpose of this verification is to ensure that your
    eBay account has not been fraudulently used and to combat
    fraud.</font></td>
    </tr>
    </table>

    <p><font size="2" face="Verdana, Arial, Helvetica, sans-serif">We
    appreciate your support and understanding, as we work together
    to keep eBay a safe place to trade.</font></p>
    <p><font size="2" face="Verdana, Arial, Helvetica, sans-serif"> Thank
    you for your patience and attention in this important matter.</font></p>
    <p><font size="2" face="Verdana, Arial, Helvetica, sans-serif">Regards,</font></p>
    <p><font size="2" face="Verdana, Arial, Helvetica, sans-serif">Ian<br>
    eBay SafeHarbor<br>
    Investigations Team</font></p>

    <p align="center"><font color="#999999" size="2" face="Verdana, Arial, Helvetica, sans-serif">Do
    not respond
    to this e-mail, as your reply will not be received.</font></p>
    <p align="center"><font size="1" face="Verdana, Arial, Helvetica, sans-serif">Copyright 2004 eBay Inc. All Rights Reserved.<br>
    Designated trademarks and brands are the property of their respective
    owners.<br>
    eBay and the eBay logo are trademarks of eBay Inc. is located at
    Hamilton Avenue, San Jose, CA 95125</font></p>
    </td>
    </tr>
    </table>


    ====


    For me honestly this one seems a bit tricky to track down, specifically when I can't even get the maillog to load up without spiking the cpu load to 20+ (yet this is a dual xeon / 2GB memory server too).

    Any suggestions would be nice and appreciated. Thank you.
     
  2. jester.ro

    jester.ro Well-Known Member
    PartnerNOC

    Joined:
    Feb 6, 2004
    Messages:
    304
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Bucharest, Romania
    cPanel Access Level:
    DataCenter Provider
    DO NOT load maillog in an editor; it's big, and of course it spikes your load, as some editors need to load the whole file in memory.


    Use tail for log viewing.

    Or if you don't like tail, even F3 from mc is better.

    Anyway, don't think the logs will help you too much. You need to enable X-Source/Args/Dir on Exim, so you can see what script sent that email.
     
  3. lloyd_tennison

    lloyd_tennison Well-Known Member

    Joined:
    Mar 12, 2004
    Messages:
    698
    Likes Received:
    1
    Trophy Points:
    18
    I would grep for the message number in your log. Then see where it came from. For a closer look, grep for the messages that are all around it - leave off the dash and the two characters after it.

    grep 'E1D3lpG-0004Tv-3T' /var/log/exim_mainlog


    then

    grep 'E1D3lpG-0004Tv' /var/log/exim_mainlog >look_at_this_file

    and look at the file for source.
     
  4. Secret Agent

    Secret Agent Guest

    Thanks for all your help. Apparently this person did a big massive job and I got about 5 complaints today alone for the same issue.

    For some reason grep won't work for me...

    root@server [~]# grep '1D3nri-0000Kl-EOfor' /var/log/exim_mainlog
    root@server [~]# grep '1D3nri00Klfor' /var/log/exim_mainlog

    root@server [~]#


    One of the few new complaints regarding same issue...


    From: aw-confirm@ebay.com <aw-confirm@ebay.com>
    Reply-To: aw-confirm@ebay.com
    To: victim@hotmail.com
    Subject: Account Investigation Important Notice
    Date: Tue, 22 Feb 2005 23:11:10 -0500
    MIME-Version: 1.0
    Received: from server.mydomain.com ([xx.x.166.50]) by
    mc3-f38.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Tue, 22 Feb
    2005
    20:11:05 -0800
    Received: from nobody by server.mydomain.com with local
    (Exim 4.44)id 1D3nri-0000Kl-EOfor victim@hotmail.com; Tue, 22 Feb
    2005 23:11:10 -0500
    X-Message-Info: 6sSXyD95QpX4jnbfER+dYI8GiDug4S9X7TBvV1O9kso=
    X-AntiAbuse: This header was added to track abuse, please include it
    with any abuse report
    X-AntiAbuse: Primary Hostname - server.mydomain.com
    X-AntiAbuse: Original Domain - hotmail.com
    X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
    X-AntiAbuse: Sender Address Domain - server.mydomain.com
    X-Source: X-Source-Args: X-Source-Dir: Return-Path:
    nobody@server.mydomain.com
    X-OriginalArrivalTime: 23 Feb 2005 04:11:05.0955 (UTC)
    FILETIME=[B2098B30:01C5195D]


    Please give me more hints and tips. I've tried using suPHPSuexec and "prevent user nobody from sending mail..." but of course naturally it just does not bode well for the general people on a web hosting server (unless I'm lacking knowledge in this area).

    Somehow my DC tracked it down to a domain of my good customer who just happened to have an insecure vulnerable form script which the DC tech said the suspect used to send out these fraud ebay emails. He tracked it down through exim_mainlog as well but for some reason it didn't work for me.

    I suspended the account anyway in the meantime.

    Response from my DC tech

    "After examining both the Exim mail server logs and the Apache access logs, it looks like the attack vector is an insecure 'support' form at:

    http://customerdomain.com/ru/support.shtml "

    Please help. I would like to expand my knowledge in this area so I know for future and have it as reference. I really appreciate all your help to all who do put the effort.
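Added example, not from anyone in this thread: a small Python script that pulls the Exim message ID and the originating UID out of a forwarded complaint's headers and then collects the matching exim_mainlog lines (the "<=" acceptance line carries the Unix user the message came from). Exim IDs are fixed-width (6-6-2 characters), so the script matches on width rather than on the surrounding words, which is why `1D3nri-0000Kl-EOfor`, copied from a wrapped "Received:" header that ran the ID into the following "for", finds nothing while `1D3nri-0000Kl-EO` does. The sample headers and log excerpt below are constructed for illustration; the IP address is a placeholder.

```python
import re

# Exim message IDs are fixed-width: 6-6-2 characters, e.g. 1D3lpG-0004Tv-3T. Matching on
# the width rather than a trailing word boundary survives a wrapped header that has glued
# the ID to the next word ("...-EOfor victim@...").
EXIM_ID = r"([0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2})"

def unfold_headers(raw):
    """Rejoin RFC 2822 continuation lines (lines that start with whitespace)."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)

def exim_message_id(raw_headers):
    """Local Exim ID from the 'Received: from ... with local (Exim ...) id X' header, or None."""
    for line in unfold_headers(raw_headers).splitlines():
        if line.lower().startswith("received:") and "(exim" in line.lower():
            m = re.search(r"\bid\s*" + EXIM_ID, line)
            if m:
                return m.group(1)
    return None

def originator_uid(raw_headers):
    """UID from cPanel's 'X-AntiAbuse: Originator/Caller UID/GID - [uid gid] ...' header (99 = nobody on CentOS)."""
    m = re.search(r"Originator/Caller UID/GID - \[(\d+) (\d+)\]", unfold_headers(raw_headers))
    return int(m.group(1)) if m else None

def trace_in_mainlog(log_text, msg_id):
    """All exim_mainlog lines for msg_id plus envelope sender, Unix user (U=) and recipients."""
    hits = [l for l in log_text.splitlines() if msg_id in l]
    summary = {"sender": None, "unix_user": None, "recipients": []}
    for l in hits:
        arrival = re.search(r" <= (\S+) U=(\S+)", l)  # "<=" marks the message being accepted
        if arrival:
            summary["sender"], summary["unix_user"] = arrival.groups()
        delivery = re.search(r" => (\S+)", l)  # "=>" marks a delivery to a recipient
        if delivery:
            summary["recipients"].append(delivery.group(1))
    return hits, summary

# Constructed sample: the wrapped headers quoted in the second complaint above.
COMPLAINT = """Received: from nobody by server.mydomain.com with local
    (Exim 4.44)id 1D3nri-0000Kl-EOfor victim@hotmail.com; Tue, 22 Feb
    2005 23:11:10 -0500
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
"""
# Constructed exim_mainlog excerpt in Exim's own line format; the IP is a placeholder.
MAINLOG = """2005-02-22 23:11:10 1D3nri-0000Kl-EO <= nobody@server.mydomain.com U=nobody P=local S=4211 T="Account Investigation Important Notice"
2005-02-22 23:11:10 1D3nri-0000Kl-EO => victim@hotmail.com R=lookuphost T=remote_smtp H=mc3-f38.hotmail.com [192.0.2.10]
2005-02-22 23:11:10 1D3nri-0000Kl-EO Completed
2005-02-22 23:11:12 1D3nrk-0000Km-1A <= bob@customerdomain.com U=bob P=local S=812
"""
```

Once the ID resolves to a `U=nobody P=local` acceptance line, the time stamp is what you correlate against the Apache access log to find the form script that was abused, which is the step the DC tech describes.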
     