The Community Forums


help! spammer using formmail to send bcc spam!

Discussion in 'E-mail Discussions' started by jacksony, Mar 10, 2006.

  1. jacksony

    jacksony Well-Known Member
    PartnerNOC

    Joined:
    Nov 30, 2005
    Messages:
    67
    Likes Received:
    0
    Trophy Points:
    6
    There is a spammer, I don't know who, but he has used my customer form to send spam like

    "PDSC****PDSC****PDSC****PDSC****PDSC****PDSC****PDSC****PDSC

    Investors Alert
    Home Run Stock of the Year!

    Produce Safety and Security International, INC. (OTCDSC.PK)

    Ticker Symbol: PDSC.PK Buy Aggressively
    Last Trade: +0.093
    10d AVG Vol: +1,811,732
    Target: +0.67 !!..."

    using BCC, I guess. I checked my header in the mail queue; it gives this header:
    "1FHszQ-00033l-LH-H
    apc 32060 501
    <apc@webserver2.mydomain.sg>
    1142040832 0
    -ident apc
    -received_protocol local
    -body_linecount 19
    -auth_id apc
    -auth_sender apc@webserver2.mydomain.sg
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -local
    NY jackson@mydomain.sg
    NN sales@mydomain.sg/virtual_aliases_nostar
    2
    sales@mydomain.sg
    frekiforbes@aol.com

    117P Received: from apc by webserver2.mydomain.sg with local (Exim 4.52)
    id 1FHszQ-00033l-LH; Sat, 11 Mar 2006 09:33:52 +0800
    017T To: sales@mydomain.sg
    024 Subject: Sales Enquries
    018 MIME-Version: 1.0
    045 Content-type: text/plain; charset=iso-8859-1
    013* From: glance
    031F From: glance@webserver2.mydomain.sg
    079 Content-Type: multipart/alternative; boundary=dd948b208d920bf39bc62183f8cdd905
    018 MIME-Version: 1.0
    047 Subject: you out ence to morrow it will be too
    025* bcc: frekiforbes@aol.com
    050I Message-Id: <E1FHszQ-00033l-LH@webserver2.mydomain.sg>
    038 Date: Sat, 11 Mar 2006 09:33:52 +0800"

    What can I do to prevent him from doing it again?
     
  2. HostMerit

    HostMerit Well-Known Member

    Joined:
    Oct 24, 2004
    Messages:
    160
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    New Jersey, USA
    cPanel Access Level:
    DataCenter Provider
    First, suspend account apc for now, as that's the origin account. Second, check his domlogs to see the script getting exploited. Third, install a mod_security ruleset that bans bcc:

    As seen in the headers, a simple
    SecFilter "bcc:\x20"
    SecFilter "Bcc:\x20"
    SecFilter "bcc:"

    should fix it. First, suspend the account, restart Apache, and flush the mail queue, controlling the issue, then investigate.
     
  3. jacksony

    jacksony Well-Known Member
    PartnerNOC

    Joined:
    Nov 30, 2005
    Messages:
    67
    Likes Received:
    0
    Trophy Points:
    6
    Thank you! BTW, should it be, as it is my own account? Thank you very much! I will try it now. What should I check domlogs for?
     
  4. jacksony

    jacksony Well-Known Member
    PartnerNOC

    Joined:
    Nov 30, 2005
    Messages:
    67
    Likes Received:
    0
    Trophy Points:
    6
    btw someone else advised me to add these:

    SecFilterSelective POST_PAYLOAD "Bcc:"
    SecFilterSelective POST_PAYLOAD "Bcc:\x20"
    SecFilterSelective POST_PAYLOAD "cc:"
    SecFilterSelective POST_PAYLOAD "cc:\x20"
    SecFilterSelective POST_PAYLOAD "bcc:"
    SecFilterSelective POST_PAYLOAD "bcc:\x20"
    SecFilterSelective POST_PAYLOAD "bcc: "

    SecFilterSelective THE_REQUEST "Bcc:"
    SecFilterSelective THE_REQUEST "Bcc:\x20"
    SecFilterSelective THE_REQUEST "cc:"
    SecFilterSelective THE_REQUEST "cc:\x20"
    SecFilterSelective THE_REQUEST "bcc:"
    SecFilterSelective THE_REQUEST "bcc:\x20"
    SecFilterSelective THE_REQUEST "bcc: "

    edit /etc/httpd/conf/modsec.conf
    just below: the line SecFilterEngine On
    add SecFilterScanPOST On


    Will it make the protection more secure, or what additional protection will it give?
     
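The two posts above both lean on mod_security token rules ("bcc:", "cc:") applied to the POST payload. The following is an added example, not code from this thread or from cPanel: it puts the filter-style check beside the check a form-mail script itself should do, namely rejecting any line break in a single-line field and never building mail headers from form input. The addresses and POST bodies are constructed for illustration and the field names (name, email, message) are assumed.

```python
import re
from urllib.parse import parse_qs, unquote_plus
from email.message import EmailMessage

# Filter-style check, mirroring the SecFilter / SecFilterSelective POST_PAYLOAD rules
# quoted in this thread: any "bcc:" or "cc:" token anywhere in the POST body.
# ("\x20" in those rules is just a literal space, so "bcc:\x20" is a subset of "bcc:".)
# The body must be URL-decoded first, otherwise "Bcc%3A" never matches.
FILTER_RE = re.compile(r"b?cc:", re.IGNORECASE)

# Application-level check: a header can only be injected if a value carries a line
# break, so CR/LF inside a field that should be one line is the real signal.
CRLF_RE = re.compile(r"[\r\n]")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Hypothetical recipient: the real address lives in the script, never in the form.
FIXED_RECIPIENT = "sales@example.invalid"


def waf_flags_body(raw_body: str) -> bool:
    """True if the mod_security-style token rules would block this POST body."""
    return FILTER_RE.search(unquote_plus(raw_body)) is not None


def field_is_injected(value: str) -> bool:
    """True if a single-line form field carries a line break (an injection attempt)."""
    return CRLF_RE.search(value) is not None


def build_message(form: dict) -> EmailMessage:
    """Build the outgoing mail so form input can never become a header.

    Raises ValueError instead of sending when a single-line field is tampered with.
    """
    name = form.get("name", [""])[0]
    email = form.get("email", [""])[0]
    message = form.get("message", [""])[0]

    for single_line in (name, email):
        if field_is_injected(single_line):
            raise ValueError("line break in single-line field")
    if not EMAIL_RE.match(email):
        raise ValueError("malformed sender address")

    msg = EmailMessage()
    msg["To"] = FIXED_RECIPIENT          # recipient is hard-coded, not taken from the form
    msg["Subject"] = "Sales Enquiries"   # so is the subject
    msg["Reply-To"] = email              # validated above: one address, no CR/LF
    # Free text goes into the body only; a "Bcc:" line in the body is harmless text.
    msg.set_content(f"From: {name}\n\n{message}")
    return msg


def evaluate(raw_body: str) -> dict:
    """Run both checks on one raw POST body and report what each would do."""
    try:
        build_message(parse_qs(raw_body))
        script_accepts = True
    except ValueError:
        script_accepts = False
    return {"filter_blocks": waf_flags_body(raw_body), "script_accepts": script_accepts}


# Constructed sample POST bodies (not taken from the thread).
# 1) Header injection: a newline and a Bcc: header smuggled into the e-mail field.
INJECTED_POST = ("name=glance&email=glance%40example.invalid%0D%0ABcc%3A+victim%40example.invalid"
                 "&message=hello")
# 2) Legitimate enquiry that happens to contain the token "cc:" in the free text.
LEGIT_POST = ("name=jackson&email=jackson%40example.invalid"
              "&message=please+cc%3A+my+manager+on+the+reply")

if __name__ == "__main__":
    for label, body in (("injected", INJECTED_POST), ("legitimate", LEGIT_POST)):
        print(label, evaluate(body))
```

The token rules stop the injected submission, but they also block the legitimate one, because "cc:" is ordinary English in an enquiry. The script-side check catches the injection by structure (a line break where none can be valid) and lets the legitimate message through, which is why the mod_security rule is a stop-gap while the vulnerable form script is fixed.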
  5. verdon

    verdon Well-Known Member

    Joined:
    Nov 1, 2003
    Messages:
    836
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Northern Ontario, Canada
    cPanel Access Level:
    Root Administrator
    There are at least two current threads here discussing this exact issue. There's lots of info on rulesets in those. No need to repeat it all here :)
     