DT_formmail

Discussion in 'E-mail Discussions' started by peterquast, Nov 18, 2003.

  1. peterquast

    peterquast Member

    I really need help... I am getting thousands of spam reports from AOL daily, all with the:
    X-Mailer: DT_formmail

    Is anyone else having this problem?
    AOL is going to block my servers... please help.



    Return-Path: <ws9211aQuLXOiAutoPK@msn.com>
    Received: from rly-yb03.mx.aol.com (rly-yb03.mail.aol.com [172.18.146.3]) by air-yb04.mail.aol.com (v97.8) with ESMTP id MAILINYB43-1873fba377569; Tue, 18 Nov 2003 10:16:57 -0500
    Received: from server791.dnslive.net (server791.dnslive.net [66.78.26.32]) by rly-yb03.mx.aol.com (v97.7) with ESMTP id MAILRELAYINYB31-1873fba377569; Tue, 18 Nov 2003 10:15:02 -0500
    Received: from nobody by server791.dnslive.net with local (Exim 4.24)
    id 1AM7ZE-00041q-7w; Tue, 18 Nov 2003 10:15:00 -0500
    To: <Undisclosed Recipients>
    jpwree@aol.com
    Subject: Dating a Cheater? Find Out
    From: ws9211aQuLXOiAutoPK@msn.com
    Reply-To: email@server791.dnslive.net
    X-Mailer: DT_formmail
    Message-Id: <E1AM7ZE-00041q-7w@server791.dnslive.net>
    Date: Tue, 18 Nov 2003 10:15:00 -0500
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - server791.dnslive.net
    X-AntiAbuse: Original Domain - aol.com
    X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
    X-AntiAbuse: Sender Address Domain - msn.com
    X-AOL-IP: 66.78.26.32
    Content-Type: text/plain; charset="US-ASCII"
    Content-Transfer-Encoding: 7bit

    email: ws9211aQuLXOiAutoPK@msn.com
    DAbqBgJFZm30550:
    Here's How U Catch Cheaters
    URL= http://www.0-cost-free-stuff.com
    realname: ws9211
     
  2. peterquast

    peterquast Member

    follow up...

    I just logged into the server, and went here

    /usr/local/cpanel/cgi-sys

    here is what is listed


    -rwxr-xr-x 4 root wheel 560264 Sep 23 20:22 formmail.cgi*
    -rwxr-xr-x 4 root wheel 560264 Sep 23 20:22 FormMail.cgi*
    -rwxr-xr-x 1 root wheel 560264 Sep 23 20:22 FormMail-clone.cgi*
    -rwxr-xr-x 4 root wheel 560264 Sep 23 20:22 formmail.pl*
    -rwxr-xr-x 4 root wheel 560264 Sep 23 20:22 FormMail.pl*

    is this right?
    should there be 5 versions of formmail in there?
    they are all dated Sep 23, so it must have been from cPanel...
     
  3. RaveKnights

    RaveKnights Well-Known Member

    do a

    locate DT_formmail

    on your server, see if it comes up, and remove it.

    Also let your client know it has been removed for security purposes.
     
  4. peterquast

    peterquast Member

    that's just it...

    running that command brings up nothing...

    that is the mystery... I have no idea what could be wrong...
     
  5. silvernetuk

    silvernetuk Well-Known Member

    Hi,

    I had this problem and I did this

    cd /home
    grep -r DT_formmail *

    This should search everything in /home, including inside files, if I remember. Also, while I did this I turned on SMTP Tweak in Tweak Security, which queues everything up for outgoing email.

    This is the command I did, I am sure; I did have to look in my history to find the command, but I am 99.9% sure these are the commands I did.

    Regards,
    Garry
     
    #5 silvernetuk, Nov 19, 2003
    Last edited: Nov 19, 2003
  6. peterquast

    peterquast Member

    so, did this work?

    did you find a file called DT_formmail?

    also I don't understand what you said about SMTP Tweak in Tweak Security... can you explain further??

    :)

    thanks.
     
  7. RaveKnights

    RaveKnights Well-Known Member

    Hi,

    Inside WHM, I think it was 8.0 and above that the security tweak was added.

    Also, you can disable formmail inside Tweak Settings:

    FormMail-clone cgi / uncheck it if it is checked and save settings.

    This keeps users from having access to formmail inside cPanel.
     
  8. peterquast

    peterquast Member

    but, will this fix the specific problem I am having??

    is everyone just disabling formmail?

    what about the reaction from all the clients of mine that are using it?

    should we just give up totally on formmail?
     
  9. silvernetuk

    silvernetuk Well-Known Member

    Hi,

    This is not a FormMail-clone cgi issue as far as I am aware.

    Before running this command you may want to check out the manual for the grep command; you can do this by typing
    man grep
    at a command line (to exit it, press q).

    By running the below command I take no responsibility.

    Using the grep command above, which searches within the files looking for DT_formmail, we found the problem and got rid of the scripts that used this DT_formmail.

    It is no good looking for a file called DT_formmail, as we found out, but by using grep it looks within the files at the coding.

    As for this SMTP Tweak, we turned it on to stop outgoing mail being sent out from the server, so it just queued up in the mail queue, which stopped the spam being sent out while we were looking for the problem. Then I went into the mail queue, deleted the spam emails, disabled the SMTP Tweak and delivered the emails, and that was that.

    Note: using the grep command will take some time, depending on how many accounts you have, for it to search.

    Regards,
    Garry

    By running the above command I take no responsibility!
     
    #9 silvernetuk, Nov 19, 2003
    Last edited: Nov 19, 2003
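The search silvernetuk describes, as an added example that is not part of the thread: a small POSIX shell script that takes the X-Mailer value from a saved copy of the abuse report and then greps for that string inside PHP, CGI and Perl files only, printing file names rather than every matching line. The directory tree, the file names under it and the saved message are all constructed here to stand in for /home and the AOL report; the file-type filter and the `-l` / `-F` grep options are this example's choice, not the thread's.

```shell
#!/bin/sh
# Added example, not code from the thread. It reproduces the search silvernetuk
# describes (grep through /home for the X-Mailer string) against a constructed
# directory tree, narrowed to script files and reporting file names only.

# Print the X-Mailer value of a saved message (the path is the caller's; the
# message is whatever was saved from an abuse report).
xmailer_of() {
    sed -n 's/^X-Mailer:[[:space:]]*//p' "$1" | head -n 1
}

# List files under directory $1 whose contents contain the literal string $2,
# restricted to PHP, CGI and Perl scripts so binaries, logs and notes are skipped.
find_marker_scripts() {
    find "$1" -type f \( -name '*.php' -o -name '*.cgi' -o -name '*.pl' \) \
        -exec grep -lF -- "$2" {} + 2>/dev/null | sort
}

# Build a constructed tree resembling a few cPanel home directories and print
# its path. Exactly one file is a script carrying the marker.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/home/alice/public_html" \
             "$d/home/bob/public_html/forms" \
             "$d/home/carol/public_html"
    # constructed: the kind of mailer script the thread found
    printf '<?php\n$headers = "X-Mailer: DT_formmail";\n' \
        > "$d/home/bob/public_html/forms/formmail.php"
    # constructed: a benign contact form without the marker
    printf '<?php\n$headers = "X-Mailer: PHP";\n' \
        > "$d/home/alice/public_html/contact.php"
    # constructed: the marker in a text note, excluded by the file-type filter
    printf 'DT_formmail is mentioned in this note\n' \
        > "$d/home/carol/public_html/notes.txt"
    # constructed: a saved copy of the spam sample's headers
    printf 'Subject: Dating a Cheater? Find Out\nX-Mailer: DT_formmail\n\n' \
        > "$d/sample.eml"
    echo "$d"
}

# Stand-alone run: derive the marker from the saved sample, search, clean up.
root=$(make_sample_tree)
marker=$(xmailer_of "$root/sample.eml")
echo "searching for X-Mailer marker: $marker"
find_marker_scripts "$root/home" "$marker"
rm -rf "$root"
```

On a real server the call would be `find_marker_scripts /home DT_formmail`. This is why `locate DT_formmail` in post 3 finds nothing: the name is a string inside the script, not a file name, which is the point post 9 makes. The headers in the first post support searching under /home in the first place: the `Received: from nobody ... with local (Exim 4.24)` line and the `Originator/Caller UID/GID - [99 99]` abuse header show the message was handed to Exim locally by the nobody user, i.e. by something run through the web server, rather than relayed from outside.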
  10. easyhoster1

    easyhoster1 Well-Known Member

    cPanel should be using a secure formmail script to prevent spammers from hijacking a server. Here is one that will do the trick... Anyone at cPanel want to include this script in future distros? It has been well documented that spammers scan servers looking for open relays, and Matt Wright's scripts and others are a spammer's dream.

    http://nms-cgi.sourceforge.net/

    Replace your scripts with this one.

    The only lines that need editing are as follows.

    @referers = qw(domain.com www.domain.com);
    @allow_mail_to = qw(someone@domain.com);

    The script allows only the listed domain to use it to relay, and only the listed email address to receive the results of the form.
     
  11. peterquast

    peterquast Member

    THANK YOU silvernetuk.

    I just wanted to tell you that your advice worked.

    The script that was causing this spamming is called

    formmail.php
    and it contained that coding inside it...

    and there was at least one copy of this script on every server that was getting blasted.

    Thank you for the help, you really saved me :)
     
  12. silvernetuk

    silvernetuk Well-Known Member

    Hi,

    No problems, glad it sorted :D

    Regards,
    Garry
     
  13. internethosting

    internethosting Well-Known Member

    I just wanted to say thank you for this command. I didn't use it for the same reason everyone else did, but I used it to look for a special script. I had a user sending eBay SPAM (trying to get eBay users' info). The spammer was using a PHP script, so it was nearly impossible to know which of the 490 accounts was doing it. I used this command with the word Support@Ebay.com, and it found that script within 10 minutes. I got the script, the email list, etc., etc. You're a life saver!
    Thanks
    Tim -