Had a Spammer on my Server Yesterday - Somehow Could Send Way Over their Limit

pr0gr4mm3r

Member
Aug 25, 2006
Hello, I had a spammer yesterday that sent out 7000 emails in one hour. It was actually more serious than typical spam - it was a Nigerian scam letter. How were they able to go way beyond their limit when I have it set to not allow more than 300 emails to be sent per hour in my configuration?
 

pr0gr4mm3r

Member
Aug 25, 2006
Yes, I do. I was proud of myself that I was able to stop it. The server was under a load of ~34, so I was barely able to shell in, but I was able to get in, stop exim and clear the queue. I was impressed with my newbie linux skills. :D

Here is a copy of the email that still had a couple thousand destinations in the queue before I deleted it.

'reseller' was the account name, and resellerdomains.org was the domain used.

1GGHZH-0000bM-Qv-H
reseller 32038 500
<[email protected]>
1156434991 0
-ident reseller
-received_protocol local
-body_linecount 53
-auth_id reseller
-auth_sender [email protected]
-allow_unqualified_recipient
-allow_unqualified_sender
-local
-sender_set_untrusted

... COUPLE THOUSAND EMAILS REMOVED ...

031 User-Agent: SquirrelMail/1.4.6
018 MIME-Version: 1.0
044 Content-Type: text/plain;charset=iso-8859-1
032 Content-Transfer-Encoding: 8bit
023 X-Priority: 3 (Normal)
019 Importance: Normal

1GGHZH-0000bM-Qv-D
Dear Friend,

I am Mr. John Michael, Auditor General Natwest Bank Group UK, and I live
in the United Kingdom. I am writing you the mail as an opportunity in my
office that will be of immense benefit to both of us.

In my department, I discovered an abandoned sum of £10.5 million British
Pounds Sterling Ten million five hundred thousand British Pounds) in an
account that belongs to one of our foreign customers Late Mr. Morris
Thompson an American who unfortunately lost his life in the plane crash of
Alaska Airlines Flight 261 which crashed on January 31 2000,
Including his wife and only daughter. You shall read more about the crash
on visiting this site.

http://www.cnn.com/2000/US/02/01/alaska.airlines.list/

Since I got information about his death, I have been expecting his next of
kin or relatives to come over and claim his money because I cannot release
it unless somebody applies for it as next of kin or relation to the
deceased as indicated in our banking guidelines.

Unfortunately I learnt that his supposed next of kin being his only
Daughter died along with him in the plane crash leaving nobody with the
Knowledge of this fund behind for the claim.

It is therefore upon this discovery that in my department now decided to
make business with you and release the money to you as the next of kin or
beneficiary of the funds for safety keeping and subsequent disbursement
since nobody is coming for it and I do not want this money to go back into
Government treasury as unclaimed Funds.

The banking law and guidelines here stipulates that such money remained
after some time the money will be transferred into banking treasury.

I agreed that 35% of this money will be for you as foreign partner, while
the balance will be for me. I will disburse the funds according to the
percentages indicated above once this money gets into your account.

Please be honest to me and trust is our watchword in this transaction.

Note: that this transaction is confidential and risk free. As soon as you
receive this mail you should contact me by email. All necessary
arrangement for the smooth release of these funds to you has been
finalized. We will discuss much in details when I do receive your
response.

If you are interested in this project contact me for further Directives,
Thank you very much and God Bless you.

Best regards,

Mr. John Michael.
+44-702-406-4325
 

deftech

Member
Jan 11, 2006
Ddos

We were just DDOS'd by spam. Use cpanel under tweak settings to disable the user 'nobody' from sending mails via cgi scripts.

Also make sure you don't have any exploitable cgi scripts on your website if it is hosted on the same server as exim. A clever hack can pipe commands directly into your cgi script that sends mail out, and do it a thousand times over.

This command will grep out mails from Exim's spool directory fast and quick. I once used it to remove over 22,000 emails.
##This will remove certain emails from the exim spool file
grep -lir user\@domain\.com /var/spool/exim/input | xargs rm -fv

Good luck.
 
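The grep command above matches any spool file that mentions the address, including message bodies, and deletes files one at a time, which can leave a -D body file without its -H header. The following is an added example (not code from the thread or from cPanel/Exim) that reads the envelope sender from line 3 of each <id>-H file, the format shown in the queue dump above, and removes the whole -H/-D/-J set for each match. It assumes the Exim 4 spool layout under /var/spool/exim/input and takes the spool path as an argument so it can be tried on a copy first.

```shell
#!/bin/sh
# Added example: select queued Exim messages by envelope sender using the
# -H spool header files, then remove the matching message files as a set.
# Assumed -H layout (as in the dump above): line 1 message id, line 2
# "login uid gid", line 3 envelope sender in angle brackets.

# exim_queued_from SPOOLDIR SENDER -> prints the message ids whose
# envelope sender is exactly SENDER (bodies are never inspected)
exim_queued_from() {
    spool="$1"
    sender="$2"
    for hdr in "$spool"/*-H; do
        [ -f "$hdr" ] || continue
        env_sender=$(sed -n '3p' "$hdr")
        if [ "$env_sender" = "<$sender>" ]; then
            # strip the "-H" suffix to get the bare message id
            printf '%s\n' "$(basename "$hdr" -H)"
        fi
    done
}

# exim_remove_queued SPOOLDIR SENDER -> deletes the -H, -D and (if present)
# -J files of every matching message and reports each file removed
exim_remove_queued() {
    spool="$1"
    for id in $(exim_queued_from "$spool" "$2"); do
        for suffix in H D J; do
            f="$spool/$id-$suffix"
            if [ -f "$f" ]; then
                rm -f "$f"
                printf 'removed %s\n' "$f"
            fi
        done
    done
}

# Typical use on a live box (stop exim first so no new files appear):
#   exim_queued_from /var/spool/exim/input user@example.org   # review
#   exim_remove_queued /var/spool/exim/input user@example.org # then purge
```

Running the listing step first and checking the ids against exim -Mvh before purging avoids deleting legitimate queued mail from the same account.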

pr0gr4mm3r

Member
Aug 25, 2006
Use cpanel under tweak settings to disable the user 'nobody' from sending mails via cgi scripts.
Already had that set. They were somehow able to get around it.

Also make sure you don't have any exploitable cgi scripts on your website if it is hosted on the same server as exim. A clever hack can pipe commands directly into your cgi script that sends mail out, and do it a thousand times over.
But the mail was sent through their own user account. If they hacked a script on another account, wouldn't it show under that user account?

Thanks for that command. Hopefully I will never have to use it. :cool:
 

jayh38

Well-Known Member
Mar 3, 2006
I am curious, did you have a domain max limit set per hour setup? If not, I wonder if that would have helped.
 

scoopy

Member
Aug 18, 2004
jayh38 said:
I am curious, did you have a domain max limit set per hour setup? if not, I wonder if that would have helped.
Nope, that does not help ;(

We recently had a similar scammer that was able to get out about 3,000 emails in less than 1 hour... EVEN though we have user nobody disabled and a limit set at 60 emails per domain/hour.

The email positively identified the guilty user and that user had nothing in his files... not even his own index.html file... it was empty but for the skel files we placed there.

Is it possible that cPanel does NOT count the "CC" and "BCC" lines in the total per domain sent ?
 

brianoz

Well-Known Member
Mar 13, 2004
scoopy said:
We recently had a similar scammer that was able to get out about 3,000 emails in less than 1 hour... EVEN though we have user nobody disabled and a limit set at 60 emails per domain/hour.
Did you have phpsuexec installed?

I'd suggest the SMTP tweak as well (which blocks port 25 outwards) but looks like they used your local exim to do the spamming so that's irrelevant. Don't forget that installing APF disables the SMTP tweak.