The Community Forums


Gone on too long (caps lock edit)

Discussion in 'General Discussion' started by AlaskanWolf, Dec 11, 2001.

  1. AlaskanWolf
    I am getting very, very sick and tired of people signing up (spammers) and using exim or sendmail to send millions of *($#@*()$#*()$#*Q()*()$@#(*)$#@(*)$(*) spam!!!

    Now don't tell me "nothing can be done"; that's ridiculous, especially with cPanel. I would think if someone did their job right, just maybe the headers that are sent out would include the script that's being used to send it out.

    In the last week, we have had quite a hell of a time with abuse complaints, 100% of them from people on our servers using exim directly with their scripts.

    [Edited on 12/12/01 by MichaelShanks]
     
  2. AlaskanWolf
    I doubt the version that cPanel uses has such a fix, though I know FormMail is likely not the source of the problem...

    From Matt Wright's site:


    Security Update -- Version 1.9 -- August 3, 2001
    Any users who are using the popular version 1.6 or the recently released version 1.7/1.8 should upgrade immediately. The new version prevents unwanted anonymous spamming through your implementation of FormMail and also prevents unwanted access to environment variables. If you are having problems receiving e-mail and using the redirect variable, version 1.9 should cure that as well. The new script has two extra arrays you must now define, but will not affect current forms or the way they appear after having been submitted.
    UPGRADE IMMEDIATELY!
     
  3. Kiwi
    I fully agree. Same problem here.
     
  4. rpmws
    I have a dedicated machine in my office, running Linux, on a 21 inch screen sitting 2 feet to the left of me. All that machine does is run SSH and "tail -f exim_mainlog". I have the text size on 20. I try to watch it as much as possible, BUT the other day I left for 1 hour for lunch. When I got back loads were 15% and a grep on the log returned over 900,000 emails in 1 hour (or so). I hate it. I can't sleep either. Some help would be great.
     
  5. Domenico
    Strange, I have the same but everyone that tries to relay gets refused...

    Or are you talking about people who actually sign up and pay you to abuse it afterwards?

    What about a disclaimer that they agree not to spam or else... ?

    [Edited on 12/11/01 by Domenico]
     
  6. AlaskanWolf
    What we are talking about, Domenico, is not SMTP users, but rather users that sign up for our services and use a script to send out emails. Since the script is local (on the server), exim and sendmail accept it as trusted; in other words, it's just another way for spammers to take advantage of a server, 100000x worse than finding an open relay somewhere.

    For anyone who cares, I found a gut-wrenching way to find certain words in a file. This is only good in post-spam investigations, meaning the user already sent all the spam they needed off your server, and now you're getting in THOUSANDS of spam complaints.

    i.e.: the spammer sent an email to john@kjdke.com

    and it's very likely this script they have is in the /home directory since they can put anything anywhere else....

    grep -r john /home/* (RET)

    or even

    grep -r kjdke.com /home/* (RET)

    This will take a long time; after all, it's going through every file in the /home directory searching for this one word. I found it very effective today and found a spammer.

    Another good one to run is in your domlogs, since a lot of everything would be posted in there:

    grep -r WHATTEVER /path-to-domlogs-folder/* (RET)


    xxxxxxxxxxxxxxxx
    Come on cPanel, this is a serious issue and it needs to be dealt with. You want to see how useless the headers are in a case like this?

    X-Coding-System: nil
    Return-Path: <nobody@wolf.thehideout.net>
    Delivered-To: flax@aristotle.algonet.se
    Received: (qmail 5569 invoked from network); 11 Dec 2001 02:56:49 +0100
    Received: from unknown (HELO wolf.thehideout.net) (64.71.165.226)
    by angel.algonet.se with SMTP; 11 Dec 2001 02:56:49 +0100
    Received: from nobody by wolf.thehideout.net with local (Exim 3.33 #1)
    id 16Dc6X-0008Is-00; Mon, 10 Dec 2001 17:53:09 -0800
    To: whatever@whateer.com
    From: God@%random5.com ()
    Subject: Free Bible Cd! Now Including The Audio Bible!
    Message-Id: <E16Dc6X-0008Is-00@wolf.thehideout.net>
    Date: Mon, 10 Dec 2001 17:53:09 -0800
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - wolf.thehideout.net
    X-AntiAbuse: Original Domain - aristotle.algonet.se
    X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [99 99]
    X-AntiAbuse: Sender Address Domain - wolf.thehideout.net



    xxxxxxxxxxxxxxxxxx

    Funny how this line is ALWAYS 99 99 99 99

    X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [99 99]
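    Reading a header block like the one above programmatically, as an added example that is not part of this thread: it picks out the Exim "with local" hop and the X-AntiAbuse caller UID and reports whether the message can be attributed to an account at all. The header sample is constructed, modelled on the block above with placeholder hostnames; the mapping of UID 99 to the web server user "nobody" is an assumption.

```python
import re
WEB_SERVER_UIDS = {99}   # assumption: UID 99 is "nobody", the user Apache and every CGI run as here
# Constructed sample modelled on the header block above; hostnames and addresses are placeholders.
SAMPLE = """Return-Path: <nobody@host.example.net>
Received: from unknown (HELO host.example.net) (192.0.2.10)
  by mx.example.org with SMTP; 11 Dec 2001 02:56:49 +0100
Received: from nobody by host.example.net with local (Exim 3.33 #1)
  id 16Dc6X-0008Is-00; Mon, 10 Dec 2001 17:53:09 -0800
X-AntiAbuse: Primary Hostname - host.example.net
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [99 99]
"""

def parse_headers(raw):
    """Unfold the header block into (name, value) pairs; continuation lines start with whitespace."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers

def local_submission_hop(headers):
    """Return the Received: hop where Exim took the message from a local process, or None."""
    for name, value in headers:
        if name.lower() == "received" and re.search(r"\bwith local \(Exim", value):
            return value
    return None

def caller_ids(headers):
    """Return (uid, gid) from the X-AntiAbuse Originator/Caller line, or None."""
    for name, value in headers:
        m = re.match(r"Originator/Caller UID/GID - \[(\d+) (\d+)\]", value)
        if name.lower() == "x-antiabuse" and m:
            return int(m.group(1)), int(m.group(2))
    return None

def triage(raw):
    """Say whether the mail came from a local script and whether the headers name the account."""
    headers = parse_headers(raw)
    hop = local_submission_hop(headers)
    ids = caller_ids(headers)
    result = {"local_script": hop is not None, "caller_uid": ids[0] if ids else None,
              "attributable": None,   # timestamp of the local hop, to line up with the domlogs:
              "submitted_at": hop.rpartition(";")[2].strip() if hop else None}
    if hop is None:
        result["note"] = "not a local submission; look at the SMTP source instead"
    elif ids is None:
        result["note"] = "no X-AntiAbuse caller line; only the exim log can tell"
    elif ids[0] in WEB_SERVER_UIDS:
        result["attributable"], result["note"] = False, "ran as the web server user; grep the domlogs around submitted_at"
    else:
        result["attributable"], result["note"] = True, "caller UID names the account; inspect its home directory"
    return result
```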
     
  7. rpmws
    [quote]Strange, I have the same but everyone that tries to relay gets refused...

    Or are you talking about people actually sign up and pay you to abuse it afterwards?

    What about a disclaimer that they agree not to spam or else... ?

    [Edited on 12/11/01 by Domenico][/quote]

    Yes, we are talking about signups. I had 2 in a month kill me. Both were long-time clients that had given up on making any money on their sites, so they decided to go out with a bang.

    Had another 3 days ago from outside, using the old formmail.pl script and formatting HTTP posts with 20 email addresses at a time. It was cute but slow. I bet he didn't get 600 emails out before I stopped it. I hate spammers!!!!!!!!

    [Edited on 12/11/01 by rpmws]
     
  8. Domenico
    Is there a LEGAL solution? I mean can these guys be prosecuted?

    I have to say it didn't happen to us yet, but it scares me a little bit.
     
  9. feanor
    Regardless of the fact that something *hopefully* is in the works, if possible, there are various ways to cut down on such individuals taking advantage of exim/sendmail in this way. And I only say "if possible" because... wow, if you think about the scripting gateway you are providing and all of the programs/scripts that require such a device to talk to, it would be a gigantic catch-22 no matter what you try to do to *prevent* or deter spam being born, server-wide.

    One of my current favorite methods is to train a few cron'd scripts on /var/spool/exim (input/msglog). Grepping and generating reports on the queued files alone within /exim/input can point you to your internal abusers almost immediately, as well as those who are flooding your machine with messages from external sources. For those, it takes the offending SMTP IP/subnet in some cases :).... and routes them to /dev/null. For the internal people, they are usually axe'd immediately.

    Exim itself has some fairly versatile filtering options, as we all know... perhaps in the future we'll continue to see strengthened options/policies for our cPanel machines, provided the software itself continues to advance.

    Until then we have to battle as best as we can, and provide as much helpful feedback as possible.

    Love.
     
  10. rpmws
    Would you be willing to go into detail and share maybe that script or some examples you have found that work well for you?
     
  11. feanor
    Probably shouldn't.....
    In the interests of security, and to prevent a backlash from individuals that might take offense to the tasks performed by such things.

    :) I just wanted to share some general ideas.

    Peace. :P
     
  12. AlaskanWolf
    Not to be rude or anything, but your posts are basically worthless to everyone else if you don't want to share how or what you are doing to kill internal spammers.

    As you can see, this is becoming a major issue, and posts like yours are not helping at all; unless you want to post what and how you do it, please don't bother, since it isn't helping any of us.

    [Edited on 12/12/01 by AlaskanWolf]
     
  13. MichaelShanks
    AlaskanWolf,

    Please calm down; this is a civilised board for civilised people, and we won't have any trouble here.

    www.exim.org

    There is information on there on controlling the malicious use of CGIs. Basically this is not a cPanel issue per se but an overall issue in the webhosting business; there is no way you can stop a spammer short of banning all mail on your system.


    host_accept_relay = +allow_address : lsearch;/etc/relayhosts : localhost

    Take a look at that,


    #nobody as the sender seems to annoy people
    local_from_check = false

    also that.

    A little research and patience can do wonders; may I suggest groups.google.com.

    Mike
     
  14. Nico
    [quote]What we are talking about, Domenico, is not SMTP users, but rather users that sign up for our services and use a script to send out emails. Since the script is local (on the server), exim and sendmail accept it as trusted; in other words, it's just another way for spammers to take advantage of a server, 100000x worse than finding an open relay somewhere.

    For anyone who cares, I found a gut-wrenching way to find certain words in a file. This is only good in post-spam investigations, meaning the user already sent all the spam they needed off your server, and now you're getting in THOUSANDS of spam complaints.

    i.e.: the spammer sent an email to john@kjdke.com

    and it's very likely this script they have is in the /home directory since they can put anything anywhere else....

    grep -r john /home/* (RET)

    or even

    grep -r kjdke.com /home/* (RET)

    This will take a long time; after all, it's going through every file in the /home directory searching for this one word. I found it very effective today and found a spammer.
    [/quote]


    I have the same problem with spammers. I can usually pick out who it is by taking a look at /var/log/sendmail.log;
    99% of the time you will see a long string of calls to sendmail for the offending user.
    After I locate and confirm that they are spamming or having one of their scripts exploited, I comment out the following line from httpd.conf for their domain:
    'ScriptAlias /cgi-bin/ /home/username/public_html/cgi-bin/'
    and restart httpd.



    [Edited on 12/12/01 by Nico]
     
  15. AlaskanWolf
    I have already been to Exim MANY, MANY times and put in quite a few other conf lines that I thought would help, but the fact of the matter is that cPanel does not help with anything in regards to trying to track a local spammer down.

    There's nothing in the logs, there's nothing in the headers; what else do you want us to do? I know for a fact what you just said will very likely not help us.

    Where are the makers of cPanel to come up with suggestions? After all, they know the system better than me, you and this whole board combined.

    I will not, nor will any other host, "calm" down when, as a matter of fact, every cPanel host's server is at risk.

    Give me an account on YOUR system and I can easily send out a few hundred thousand emails without you even knowing about it until you get a spam complaint, and then let's see how calm you are.
     
  16. AlaskanWolf
    [quote]AlaskanWolf,

    host_accept_relay = +allow_address : lsearch;/etc/relayhosts : localhost

    take a look at that,

    #nobody as the sender seems to annoy people
    local_from_check = false
    [/quote]

    These are already in my exim.conf file.

    [Edited on 12/12/01 by AlaskanWolf]
     
  17. AlaskanWolf
    If you can't stop a localhost from sending, then the next step is to make sure the headers are accurate and helpful. Correct?

    Is this helpful?

    X-Coding-System: nil
    Return-Path: <nobody@wolf.thehideout.net>
    Delivered-To: flax@aristotle.algonet.se
    Received: (qmail 5569 invoked from network); 11 Dec 2001 02:56:49 +0100
    Received: from unknown (HELO wolf.thehideout.net) (64.71.165.226)
    by angel.algonet.se with SMTP; 11 Dec 2001 02:56:49 +0100
    Received: from nobody by wolf.thehideout.net with local (Exim 3.33 #1)
    id 16Dc6X-0008Is-00; Mon, 10 Dec 2001 17:53:09 -0800
    To: whatever@whateer.com
    From: God@%random5.com ()
    Subject: Free Bible Cd! Now Including The Audio Bible!
    Message-Id: <E16Dc6X-0008Is-00@wolf.thehideout.net>
    Date: Mon, 10 Dec 2001 17:53:09 -0800
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - wolf.thehideout.net
    X-AntiAbuse: Original Domain - aristotle.algonet.se
    X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [99 99]
    X-AntiAbuse: Sender Address Domain - wolf.thehideout.net
     
  18. AlaskanWolf
    My concern is this: if it worked correctly, it would look promising to look into the logs and track a user down.

    X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [99 99]

    Why is it set to UID/GID - [99 99] / [99 99]?
     
  19. MichaelShanks
    host_accept_relay = +allow_address : lsearch;/etc/relayhosts : localhost

    change this to

    host_accept_relay = +allow_address : lsearch;/etc/relayhosts

    That will stop people relaying from localhost.

    cPanel is a tool; you tweak the tool to your own devices.

    Basically what you want is for CGIs on the server to be run as the user instead of by the user "nobody", which is what Apache runs under.

    You can do this with suExec:

    http://httpd.apache.org/docs/suexec.html

    It's not a nice way of doing things though.

    Run

    /scripts/initsuexec

    I believe that turns it on; then you will have usernames in your exim log file.

    Generally, if you don't insult and ask in a nice manner, you will get an answer which will be built upon throughout the thread.

    good day
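    An added example (not from this thread, and not cPanel's or Exim's own code) of what the suExec change buys you in the log: it parses a constructed exim_mainlog excerpt, counts messages Exim accepted from local processes per calling user (the U= field) inside a sliding window, and reports how many still show up as the web server user, where attribution is lost. It assumes the standard Exim "<=" arrival line layout; the log lines, account names and the burst threshold are constructed, and "nobody" as the Apache user is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Standard Exim arrival line: "date time msg-id <= sender rest", with U= (calling user) and P= in rest.
ARRIVAL = re.compile(r"^(\S+ \S+) (\S+) <= (\S+) (.*)$")
WEB_USER = "nobody"   # assumption: the user Apache runs CGIs as when suExec is off

# Constructed exim_mainlog excerpt: a script under "nobody" bursting, two normal users, one remote sender.
SAMPLE_LOG = """\
2001-12-10 17:53:09 16Dc6X-0008Is-00 <= nobody@host.example.net U=nobody P=local S=842
2001-12-10 17:53:09 16Dc6Y-0008Iu-00 <= nobody@host.example.net U=nobody P=local S=842
2001-12-10 17:53:10 16Dc6Z-0008Iw-00 <= nobody@host.example.net U=nobody P=local S=842
2001-12-10 17:53:12 16Dc6a-0008Iy-00 <= bob@host.example.net U=bob P=local S=1201
2001-12-10 17:53:30 16Dc6b-0008J0-00 <= alice@host.example.net U=alice P=local S=3310
2001-12-10 17:54:01 16Dc6b-0008J0-00 => alice@host.example.net R=localuser T=local_delivery
2001-12-10 18:10:00 16Dc7q-0008K3-00 <= other@remote.example.org H=mx.remote.example.org [192.0.2.20] P=esmtp S=2000
2001-12-10 18:10:05 16Dc7r-0008K5-00 <= nobody@host.example.net U=nobody P=local S=842
"""

def local_submissions(log_text):
    """Yield (timestamp, calling user) for every message Exim accepted from a local process."""
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if not m or "P=local" not in m.group(4).split():
            continue
        user = re.search(r"\bU=(\S+)", m.group(4))
        yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), (user.group(1) if user else "?")

def bursty_senders(log_text, window=timedelta(minutes=1), limit=3):
    """Return {user: peak} for users with at least `limit` local submissions inside any `window`."""
    stamps_by_user = defaultdict(list)
    for ts, user in local_submissions(log_text):
        stamps_by_user[user].append(ts)
    peaks = {}
    for user, stamps in stamps_by_user.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window forward
                start += 1
            peaks[user] = max(peaks.get(user, 0), end - start + 1)
    return {u: n for u, n in peaks.items() if n >= limit}

def attribution_gap(log_text):
    """(submissions logged as the web server user, all local submissions); suExec drives the first to zero."""
    users = [user for _, user in local_submissions(log_text)]
    return users.count(WEB_USER), len(users)
```

    With suExec off, the burst shows up only as "nobody" and you are back to grepping the domlogs by time; with it on, the same line names the account.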
     
  20. MichaelShanks
    Note: back up /etc/httpd/conf/httpd.conf and then

    mv /etc/httpd/conf/httpd.conf.suexec /etc/httpd/conf/httpd.conf
     