Had a Spammer on my Server Yesterday - Somehow Could Send Way Over their Limit

Discussion in 'General Discussion' started by pr0gr4mm3r, Aug 25, 2006.

  1. pr0gr4mm3r (Member)
    Hello, I had a spammer yesterday that sent out 7000 emails in one hour. It was actually more serious than typical spam - it was a Nigerian scam letter. How were they able to go way beyond their limit when I have it set to not allow more than 300 emails to be sent per hour in my configuration?
     
  2. netlook (Well-Known Member, PartnerNOC)
    If the spam was sent as nobody@hostname then the cPanel limit does not exist. Do you have a copy of an email which was sent?
     
  3. pr0gr4mm3r (Member)
    Yes, I do. I was proud of myself that I was able to stop it. The server was under a load of ~34, so I was barely able to shell in, but I was able to get in, stop Exim and clear the queue. I was impressed with my newbie Linux skills. :D

    Here is a copy of the email that still had a couple thousand destinations in the queue before I deleted it.

    'reseller' was the account name, and resellerdomains.org was the domain used.

    1GGHZH-0000bM-Qv-H
    reseller 32038 500
    <customerservice@resellerdomains.org>
    1156434991 0
    -ident reseller
    -received_protocol local
    -body_linecount 53
    -auth_id reseller
    -auth_sender reseller@home.agshosting.net
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -local
    -sender_set_untrusted

    ... COUPLE THOUSAND EMAILS REMOVED ...

    031 User-Agent: SquirrelMail/1.4.6
    018 MIME-Version: 1.0
    044 Content-Type: text/plain;charset=iso-8859-1
    032 Content-Transfer-Encoding: 8bit
    023 X-Priority: 3 (Normal)
    019 Importance: Normal

    1GGHZH-0000bM-Qv-D
    Dear Friend,

    I am Mr. John Michael, Auditor General Natwest Bank Group UK, and I live
    in the United Kingdom. I am writing you the mail as an opportunity in my
    office that will be of immense benefit to both of us.

    In my department, I discovered an abandoned sum of £10.5 million British
    Pounds Sterling Ten million five hundred thousand British Pounds) in an
    account that belongs to one of our foreign customers Late Mr. Morris
    Thompson an American who unfortunately lost his life in the plane crash of
    Alaska Airlines Flight 261 which crashed on January 31 2000,
    Including his wife and only daughter. You shall read more about the crash
    on visiting this site.

    http://www.cnn.com/2000/US/02/01/alaska.airlines.list/

    Since I got information about his death, I have been expecting his next of
    kin or relatives to come over and claim his money because I cannot release
    it unless somebody applies for it as next of kin or relation to the
    deceased as indicated in our banking guidelines.

    Unfortunately I learnt that his supposed next of kin being his only
    Daughter died along with him in the plane crash leaving nobody with the
    Knowledge of this fund behind for the claim.

    It is therefore upon this discovery that in my department now decided to
    make business with you and release the money to you as the next of kin or
    beneficiary of the funds for safety keeping and subsequent disbursement
    since nobody is coming for it and I do not want this money to go back into
    Government treasury as unclaimed Funds.

    The banking law and guidelines here stipulates that such money remained
    after some time the money will be transferred into banking treasury.

    I agreed that 35% of this money will be for you as foreign partner, while
    the balance will be for me. I will disburse the funds according to the
    percentages indicated above once this money gets into your account.

    Please be honest to me and trust is our watchword in this transaction.

    Note: that this transaction is confidential and risk free. As soon as you
    receive this mail you should contact me by email. All necessary
    arrangement for the smooth release of these funds to you has been
    finalized. We will discuss much in details when I do receive your
    response.

    If you are interested in this project contact me for further Directives,
    Thank you very much and God Bless you.

    Best regards,

    Mr. John Michael.
    +44-702-406-4325
     
  4. deftech (Member)
    DDoS

    We were just DDoS'd by spam. Use cPanel's Tweak Settings to stop the user 'nobody' from sending mail via CGI scripts.

    Also make sure you don't have any exploitable CGI scripts on your website if it is hosted on the same server as Exim. A clever hack can pipe commands directly into your CGI script that sends mail out, and do it a thousand times over.

    This command will grep out mails from Exim's spool fast and quick. I once used it to remove over 22,000 emails.
    ## This will remove certain emails from the Exim spool directory
    grep -lir user\@domain\.com /var/spool/exim/input | xargs rm -fv

    Good luck.
     
    #4 deftech, Aug 25, 2006
    Last edited: Aug 25, 2006
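The spool header pasted in post #3 and the grep | xargs cleanup in post #4 are both easier to reason about with a small parser for Exim's -H spool file format. The following is an added example, not code from the thread, from cPanel or from Exim. It reuses the message id and scam sender shown in post #3; the second message, every recipient address, the "alice" and "mailnull" owners, and the temporary spool directory are constructed for the demonstration. The parser pulls out the fields that say how the mail got in (in the pasted header, -received_protocol local together with a SquirrelMail User-Agent means the message was handed to the local sendmail interface rather than submitted over SMTP), which account authenticated (-auth_id), and the envelope recipient list, which is where every To, Cc and Bcc destination ends up. It then removes queued messages by parsed envelope sender and contrasts that with what a plain text search over the spool would delete.

```python
"""Parse Exim spool header (-H) files and clean the queue by envelope sender.

Added example, not code from the thread, cPanel or Exim. The message id and
scam sender come from post #3; the second message, every recipient, the
owner logins and the temp spool path are constructed for the demonstration.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

SPAM_SENDER = "customerservice@resellerdomains.org"

# Header line in a -H file: 3-digit length, one type char (' ' ordinary,
# 'F' From, 'T' To, ...), a space, then the header text.
HDR_LINE = re.compile(r"^(\d{3})(.)\s?(.*)$")

@dataclass
class SpoolMessage:
    msg_id: str
    owner: str                  # login of the injecting process (spool line 2)
    sender: str                 # envelope sender; "" for a bounce
    options: dict = field(default_factory=dict)     # "-auth_id" -> "reseller"
    recipients: list = field(default_factory=list)  # envelope recipients
    headers: dict = field(default_factory=dict)     # lower-cased name -> value

def parse_spool_header(text):
    lines = text.split("\n")
    first = lines[0]
    msg = SpoolMessage(msg_id=first[:-2] if first.endswith("-H") else first,
                       owner=lines[1].split()[0],
                       sender=lines[2].strip()[1:-1])      # "<addr>" -> "addr"
    i = 4                                     # lines[3]: "<arrival time> <warn count>"
    while i < len(lines) and lines[i].startswith("-"):   # "-name value" or bare flag
        name, _, value = lines[i].partition(" ")
        msg.options[name] = value
        i += 1
    while i < len(lines) and not re.fullmatch(r"\d+", lines[i]):
        i += 1                                # skip the non-recipients tree ("XX")
    count, i = int(lines[i]), i + 1
    for _ in range(count):                    # address is the first token
        msg.recipients.append(lines[i].split()[0])
        i += 1
    last = None
    for line in lines[i + 1:]:                # +1 skips the blank separator
        m = HDR_LINE.match(line)
        if m:
            name, _, value = m.group(3).partition(":")
            last = name.strip().lower()
            msg.headers[last] = value.strip()
        elif last and line.strip():           # folded continuation line
            msg.headers[last] += " " + line.strip()
    return msg

def iter_spool(spool_dir):
    """Yield (dir, SpoolMessage) for every *-H under input/, split dirs included."""
    for root, _dirs, files in os.walk(os.path.join(spool_dir, "input")):
        for name in sorted(files):
            if name.endswith("-H"):
                with open(os.path.join(root, name), encoding="latin-1") as fh:
                    yield root, parse_spool_header(fh.read())

def remove_messages(spool_dir, match):
    """Delete -H, -D and -J of every message where match(msg) is true; return ids.
    Matching on parsed envelope data leaves alone a legitimate message that only
    quotes the address in its body, and always removes both halves of a match."""
    removed = []
    for root, msg in list(iter_spool(spool_dir)):   # list(): finish walking first
        if match(msg):
            for suffix in ("-H", "-D", "-J"):
                path = os.path.join(root, msg.msg_id + suffix)
                if os.path.exists(path):
                    os.remove(path)
            removed.append(msg.msg_id)
    return sorted(removed)

def grep_style_hits(spool_dir, needle):
    """Files that `grep -lir needle input | xargs rm` would delete."""
    hits = []
    for root, _dirs, files in os.walk(os.path.join(spool_dir, "input")):
        for name in files:
            with open(os.path.join(root, name), encoding="latin-1") as fh:
                if needle.lower() in fh.read().lower():
                    hits.append(name)
    return sorted(hits)

# Constructed queue: the scam -H from post #3 (trimmed, 3 made-up recipients)
# with a short body, plus an unrelated abuse report that quotes the address.
SAMPLE_FILES = {
    "1GGHZH-0000bM-Qv-H": (
        "1GGHZH-0000bM-Qv-H\nreseller 32038 500\n<" + SPAM_SENDER + ">\n"
        "1156434991 0\n-ident reseller\n-received_protocol local\n"
        "-body_linecount 53\n-auth_id reseller\n"
        "-auth_sender reseller@home.agshosting.net\n-local\n-sender_set_untrusted\n"
        "XX\n3\nvictim-a@example.net\nvictim-b@example.net\nvictim-c@example.org\n\n"
        "031  User-Agent: SquirrelMail/1.4.6\n018  MIME-Version: 1.0\n"
        "044  Content-Type: text/plain;charset=iso-8859-1\n"),
    "1GGHZH-0000bM-Qv-D": "1GGHZH-0000bM-Qv-D\nDear Friend,\n\nI am writing you the "
                          "mail as an opportunity in my office ...\n",
    "1GGHaa-0000cD-Ab-H": (
        "1GGHaa-0000cD-Ab-H\nmailnull 47 12\n<alice@example.com>\n1156435100 0\n"
        "-ident alice\n-received_protocol esmtpa\n-auth_id alice\nXX\n1\n"
        "abuse@example.net\n\n021  Subject: spam report\n"),
    "1GGHaa-0000cD-Ab-D": ("1GGHaa-0000cD-Ab-D\nPlease block " + SPAM_SENDER
                           + ", it is sending 419 scams.\n"),
}

def build_sample_queue(root):
    inp = os.path.join(root, "input")
    os.makedirs(inp, exist_ok=True)
    for name, text in SAMPLE_FILES.items():
        with open(os.path.join(inp, name), "w", encoding="latin-1") as fh:
            fh.write(text)
    return root

def demo(root=None):
    """Build the sample queue; return (grep hits, ids removed, files left)."""
    spool = build_sample_queue(root or tempfile.mkdtemp())
    hits = grep_style_hits(spool, SPAM_SENDER)
    # Match the envelope sender; m.options.get("-auth_id") == "reseller" would
    # instead catch everything that account authenticated as.
    removed = remove_messages(spool, lambda m: m.sender == SPAM_SENDER)
    return hits, removed, sorted(os.listdir(os.path.join(spool, "input")))

if __name__ == "__main__":
    for _d, m in iter_spool(build_sample_queue(tempfile.mkdtemp())):
        print(m.msg_id, m.owner, m.options.get("-received_protocol"),
              m.options.get("-auth_id"), len(m.recipients), "recipient(s)")
    print("grep would delete / envelope match removed / files left:", demo())
```

Run as-is, the two lists differ in the way that matters: the text search deletes the abuse report's -D body (which merely quotes the address) while leaving its -H behind, and deletes the scam's -H while leaving its -D behind as an orphan, because the sender only appears in the header file; the envelope match removes exactly one message, both halves of it. On a live cPanel box the equivalent of the removal step is `exiqgrep -i -f '<sender>' | xargs exim -Mrm`, which goes through Exim's own locking; deleting files under /var/spool/exim/input directly is only safe with Exim stopped, as the original poster had done.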
  5. pr0gr4mm3r (Member)
    Already had that set. They were somehow able to get around it.

    But the mail was sent through their own user account. If they hacked a script on another account, wouldn't it show under that user account?

    Thanks for that command. Hopefully I will never have to use it. :cool:
     
  6. jayh38 (Well-Known Member)
    I am curious, did you have a per-domain max-per-hour limit set up? If not, I wonder if that would have helped.
     
  7. scoopy (Member)
    Nope, that does not help ;(

    We recently had a similar scammer that was able to get out about 3,000 emails in less than 1 hour... EVEN though we have user nobody disabled and a limit set at 60 emails per domain/hour.

    The email positively identified the guilty user, and that user had nothing in his files... not even his own index.html file... it was empty but for the skel files we placed there.

    Is it possible that cPanel does NOT count the "CC" and "BCC" lines in the total per domain sent ?
     
  8. brianoz (Well-Known Member, Root Administrator; Melbourne, Australia)
    Did you have phpsuexec installed?

    I'd suggest the SMTP tweak as well (which blocks port 25 outwards) but looks like they used your local exim to do the spamming so that's irrelevant. Don't forget that installing APF disables the SMTP tweak.
     