Help! Spammer using formail to send bcc spam!

jacksony

Well-Known Member
PartnerNOC
Nov 30, 2005
There is a spammer, I don't know who, but he has used my customer form to send spam like

"PDSC****PDSC****PDSC****PDSC****PDSC****PDSC****PDSC****PDSC

Investors Alert
Home Run Stock of the Year!

Produce Safety and Security International, INC. (OTCDSC.PK)

Ticker Symbol: PDSC.PK Buy Aggressively
Last Trade: +0.093
10d AVG Vol: +1,811,732
Target: +0.67 !!..."

using Bcc, I guess. I checked the header in my mail queue; it gives this header:
"1FHszQ-00033l-LH-H
apc 32060 501
<[email protected]>
1142040832 0
-ident apc
-received_protocol local
-body_linecount 19
-auth_id apc
-auth_sender [email protected]
-allow_unqualified_recipient
-allow_unqualified_sender
-local
NY [email protected]
NN [email protected]/virtual_aliases_nostar
2
[email protected]
[email protected]

117P Received: from apc by webserver2.mydomain.sg with local (Exim 4.52)
id 1FHszQ-00033l-LH; Sat, 11 Mar 2006 09:33:52 +0800
017T To: [email protected]
024 Subject: Sales Enquries
018 MIME-Version: 1.0
045 Content-type: text/plain; charset=iso-8859-1
013* From: glance
031F From: [email protected]
079 Content-Type: multipart/alternative; boundary=dd948b208d920bf39bc62183f8cdd905
018 MIME-Version: 1.0
047 Subject: you out ence to morrow it will be too
025* bcc: [email protected]
050I Message-Id: <[email protected]>
038 Date: Sat, 11 Mar 2006 09:33:52 +0800"

What can I do to prevent him from doing it again?
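
An added example (not from the original post) that automates the queue check described above: a Python script that reads Exim spool header (-H) files in the format quoted and flags messages submitted locally whose header block shows duplicate From:/Subject:/MIME-Version:/Content-Type: lines or a Bcc: line, which is the shape of the quoted file. The spool path, the example.com addresses and the sample file inside the script are assumptions/constructed data modelled on the quoted file.

```python
"""Flag form-injected mail in Exim's queue by reading the spool header (-H) files.

Added example, not from the thread. Spool path, addresses and the sample
file are assumptions / constructed data modelled on the quoted spool file.
"""
import glob
import os
import re
from collections import Counter

# Where cPanel's Exim queues messages; split_spool_directory adds one level
# of subdirectories (assumed layout, adjust for your server).
SPOOL_DIR = "/var/spool/exim/input"

# Header lines are "<length><flag> <header>": the flag is a space for ordinary
# headers, a letter for ones Exim tracks (F From, T To, I Message-Id,
# P Received, ...) and '*' for a header Exim removed from the delivered copy.
HEADER_LINE = re.compile(r"^(\d{3,})([ *BCFIPRST]) ?(.*)$")
TREE_LINE = re.compile(r"^[NY][NY] ")          # already-processed address tree
SINGLE_USE = ("from", "subject", "mime-version", "content-type", "to")


def parse_spool_header(text):
    """Return the envelope, options, recipients and header block of one -H file."""
    lines = text.splitlines()
    msg = {"id": lines[0][:-2] if lines[0].endswith("-H") else lines[0]}
    login, uid, gid = lines[1].split()          # submitting user, as in "apc 32060 501"
    msg.update(login=login, uid=int(uid), gid=int(gid))
    msg["sender"] = lines[2].strip("<>")
    msg["options"] = {}
    i = 4                                       # line 3 is the receive time
    while i < len(lines) and lines[i].startswith("-"):   # -ident, -auth_id, -local ...
        key, _, value = lines[i][1:].partition(" ")
        msg["options"][key] = value
        i += 1
    while i < len(lines) and TREE_LINE.match(lines[i]):
        i += 1
    count = int(lines[i])                               # number of live recipients
    msg["recipients"] = lines[i + 1:i + 1 + count]
    i += 1 + count
    while i < len(lines) and not lines[i].strip():      # blank line before the headers
        i += 1
    headers = []
    for line in lines[i:]:
        m = HEADER_LINE.match(line)
        if m:
            name, _, value = m.group(3).partition(":")
            headers.append({"flag": m.group(2), "deleted": m.group(2) == "*",
                            "name": name.strip().lower(), "value": value.strip()})
        elif line[:1] in (" ", "\t") and headers:       # folded continuation line
            headers[-1]["value"] += " " + line.strip()
    msg["headers"] = headers
    return msg


def injection_indicators(msg):
    """Evidence that the script's own headers were followed by injected ones."""
    counts = Counter(h["name"] for h in msg["headers"])
    reasons = [f"{name}: appears {counts[name]} times" for name in SINGLE_USE if counts[name] > 1]
    if counts["bcc"]:
        reasons.append("bcc: header present (kept in the spool even when Exim stripped it)")
    return reasons


def is_form_injection(msg):
    """A script piping to sendmail shows up as protocol 'local'; combine with the evidence."""
    return msg["options"].get("received_protocol") == "local" and bool(injection_indicators(msg))


def scan_queue(spool_dir=SPOOL_DIR):
    """Yield (message id, login, recipients, reasons) for each suspect queued message."""
    paths = glob.glob(os.path.join(spool_dir, "*-H")) + glob.glob(os.path.join(spool_dir, "*", "*-H"))
    for path in sorted(paths):
        with open(path, encoding="latin-1") as fh:
            msg = parse_spool_header(fh.read())
        if is_form_injection(msg):
            yield msg["id"], msg["login"], msg["recipients"], injection_indicators(msg)


# Constructed sample in the shape of the quoted file (example.com addresses;
# the byte counts are illustrative, this parser does not rely on them).
SAMPLE = """1FHszQ-00033l-LH-H
apc 32060 501
<form@example.com>
1142040832 0
-ident apc
-received_protocol local
-auth_id apc
-local
NY sales@example.com
2
sales@example.com
victim@example.net

068P Received: from apc by webserver2.example.com with local (Exim 4.52)
\tid 1FHszQ-00033l-LH; Sat, 11 Mar 2006 09:33:52 +0800
022T To: sales@example.com
024  Subject: Sales Enquries
013* From: glance
035F From: apc@webserver2.example.com
047  Subject: you out ence to morrow it will be too
025* bcc: victim@example.net
"""

if __name__ == "__main__":
    m = parse_spool_header(SAMPLE)
    print(m["id"], m["login"], m["recipients"], injection_indicators(m))
    print(list(scan_queue()))                           # walks the real queue on the server
```

Run it as root on the server to list the suspect queue entries with the submitting login (the "apc 32060 501" line tells you which account's script was abused); the recipients list shows where the injected Bcc: went.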
 

HostMerit

Well-Known Member
Oct 24, 2004
New Jersey, USA
cPanel Access Level: DataCenter Provider
First, suspend account apc for now, as that's the origin account. Second, check his domlogs to see the script getting exploited. Third, install a mod_security ruleset that bans bcc:

As seen in the headers, a simple
SecFilter "bcc:\x20"
SecFilter "Bcc:\x20"
SecFilter "bcc:"

should fix it. First, suspend the account, restart Apache, and flush the mail queue, controlling the issue, then investigate.
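
As an added example (not HostMerit's code or the poster's script), here is the header-injection pattern that produces the duplicate headers seen in the quoted spool file, next to a hardened form handler: the vulnerable version pastes the form's email field straight into a From: line before the message goes to sendmail, so a newline in the field starts new headers; the hardened one keeps To/From/Subject fixed, rejects CR/LF in any field that reaches a header, and only exposes a validated Reply-To. The addresses and form field names are assumptions and the inputs are constructed.

```python
"""Header injection through a form-to-mail script, next to the hardened version.

Added example, not the poster's script. Addresses and field names are assumptions;
the form submissions below are constructed.
"""
import email
import re
from email.message import EmailMessage

FORM_RECIPIENT = "sales@example.com"          # fixed server-side, never taken from the form
FORM_SENDER = "apc@webserver2.example.com"
CRLF = re.compile(r"[\r\n]")
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Constructed inputs: the attacker's "email" field carries a newline, a bcc
# line and a second Subject, which is how a spool file ends up with duplicate
# headers. (Submitted URL-encoded; the CGI layer has already decoded it here.)
ATTACK_FIELDS = {
    "email": "glance\nbcc: victim@example.net\nSubject: you out ence to morrow it will be too",
    "message": "Investors Alert\nHome Run Stock of the Year!",
}
CLEAN_FIELDS = {"email": "customer@example.org", "message": "Please quote for 200 units."}


def render_vulnerable(fields):
    """What the abused script does: interpolate user input into header lines."""
    return ("To: " + FORM_RECIPIENT + "\n"
            "Subject: Sales Enquiries\n"
            "MIME-Version: 1.0\n"
            "Content-type: text/plain; charset=iso-8859-1\n"
            "From: " + fields["email"] + "\n"
            "\n" + fields["message"] + "\n")


def header_counts(raw):
    """Parse a rendered message and count the headers sendmail -t would act on."""
    msg = email.message_from_string(raw)
    return {name: len(msg.get_all(name) or []) for name in ("From", "Subject", "Bcc", "Cc", "To")}


def header_safe(value, max_len=254):
    """Reject anything that could start a new header line."""
    if CRLF.search(value) or "\x00" in value:
        raise ValueError("CR/LF in form field: header injection attempt")
    if len(value) > max_len:
        raise ValueError("form field too long for a header")
    return value


def render_hardened(fields):
    """Fixed To/From/Subject; the only user-controlled header is a validated Reply-To."""
    reply_to = header_safe(fields.get("email", ""))
    if not EMAIL_RE.match(reply_to):
        raise ValueError("reply address is not a plain mailbox")
    msg = EmailMessage()
    msg["To"] = FORM_RECIPIENT
    msg["From"] = FORM_SENDER
    msg["Subject"] = "Sales Enquiries"
    msg["Reply-To"] = reply_to
    msg.set_content(fields.get("message", ""))   # body text cannot climb into the header block
    return msg.as_string()


def is_rejected(fields):
    """True when the hardened handler refuses the submission."""
    try:
        render_hardened(fields)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(header_counts(render_vulnerable(ATTACK_FIELDS)))   # Subject twice, Bcc once
    print(is_rejected(ATTACK_FIELDS), is_rejected(CLEAN_FIELDS))
    print(render_hardened(CLEAN_FIELDS))
```

The message body is allowed to contain anything, including a line starting with "bcc:", because the hardened handler writes it after the blank line that ends the header block; that is also why a WAF pattern on the raw POST body will sometimes block legitimate submissions that the script itself would have handled safely.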
 

jacksony

Thank you! BTW, it should be, as it is my own account. Thank you very much! I will try it now. What should I check domlogs for?
 

jacksony

BTW, someone else advised me to add these:

SecFilterSelective POST_PAYLOAD "Bcc:"
SecFilterSelective POST_PAYLOAD "Bcc:\x20"
SecFilterSelective POST_PAYLOAD "cc:"
SecFilterSelective POST_PAYLOAD "cc:\x20"
SecFilterSelective POST_PAYLOAD "bcc:"
SecFilterSelective POST_PAYLOAD "bcc:\x20"
SecFilterSelective POST_PAYLOAD "bcc: "

SecFilterSelective THE_REQUEST "Bcc:"
SecFilterSelective THE_REQUEST "Bcc:\x20"
SecFilterSelective THE_REQUEST "cc:"
SecFilterSelective THE_REQUEST "cc:\x20"
SecFilterSelective THE_REQUEST "bcc:"
SecFilterSelective THE_REQUEST "bcc:\x20"
SecFilterSelective THE_REQUEST "bcc: "

Edit /etc/httpd/conf/modsec.conf and, just below the line SecFilterEngine On, add SecFilterScanPOST On.


Will it make the protection more secure? Or what additional protection will it give?
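
An added example (not from the thread) that replays the rule patterns above against constructed requests, to show what the POST_PAYLOAD rules inspect that THE_REQUEST rules do not (the form body), what is left unscanned when the body is not scanned, and where the bare "cc:" pattern also fires on harmless text. It is a simplified matcher: the patterns are applied as case-sensitive regexes to the URL-decoded request line and form body; the real engine's normalisation and action handling are not modelled, and the script path /cgi-bin/formmail.pl is hypothetical.

```python
"""Replay the posted mod_security 1.x rule patterns against sample requests.

Added example, not part of the thread. Simplified matcher: patterns are applied
as case-sensitive regexes to the URL-decoded request line and form body. The
script path and the requests are constructed.
"""
import re
from urllib.parse import unquote_plus

# Patterns copied from the rules in the post; each is used for both locations.
PATTERNS = ["Bcc:", "Bcc:\\x20", "cc:", "cc:\\x20", "bcc:", "bcc:\\x20", "bcc: "]
RULES = [("POST_PAYLOAD", p) for p in PATTERNS] + [("THE_REQUEST", p) for p in PATTERNS]

# Constructed requests to the (hypothetical) form script.
GET_INJECT = ("GET /cgi-bin/formmail.pl?email=glance%0Abcc:+victim@example.net HTTP/1.1\r\n"
              "Host: webserver2.example.com\r\n\r\n")
POST_INJECT = ("POST /cgi-bin/formmail.pl HTTP/1.1\r\n"
               "Host: webserver2.example.com\r\n"
               "Content-Type: application/x-www-form-urlencoded\r\n"
               "Content-Length: 53\r\n\r\n"
               "email=glance%0Abcc%3A+victim%40example.net&message=hi")
POST_BENIGN = ("POST /cgi-bin/formmail.pl HTTP/1.1\r\n"
               "Host: webserver2.example.com\r\n"
               "Content-Type: application/x-www-form-urlencoded\r\n"
               "Content-Length: 47\r\n\r\n"
               "email=cust%40example.org&message=my+acc%3A+1234")


def parse_request(raw):
    """Split a raw HTTP/1.x request into request line, header dict and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def evaluate(raw, rules=RULES, scan_post=True):
    """Return the (location, pattern) pairs that fire, in rule order."""
    request_line, headers, body = parse_request(raw)
    is_form = headers.get("content-type", "").startswith("application/x-www-form-urlencoded")
    targets = {
        "THE_REQUEST": unquote_plus(request_line),          # request line only, query string included
        # Without POST scanning the body is never looked at: model that as an empty target.
        "POST_PAYLOAD": unquote_plus(body) if (scan_post and is_form) else "",
    }
    return [(loc, pat) for loc, pat in rules if re.search(pat, targets[loc])]


def hits_by_location(raw, scan_post=True):
    """How many of the posted rules fire per location for one request."""
    counts = {"THE_REQUEST": 0, "POST_PAYLOAD": 0}
    for loc, _ in evaluate(raw, scan_post=scan_post):
        counts[loc] += 1
    return counts


if __name__ == "__main__":
    print("GET injection  :", hits_by_location(GET_INJECT))
    print("POST injection :", hits_by_location(POST_INJECT))
    print("POST, no scan  :", hits_by_location(POST_INJECT, scan_post=False))
    print("benign 'acc:'  :", evaluate(POST_BENIGN))
```

The injected header in a POST body is only visible to the POST_PAYLOAD rules and only when the body is scanned; the THE_REQUEST rules see the request line alone, so they catch the same payload when it arrives in a GET query string. The benign request shows the cost: "cc:" is a substring of "acc:", so the two plain "cc:" patterns block an ordinary message mentioning an account number.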