
help! spammers faking auth to relay!

Discussion in 'General Discussion' started by Hockey Addict, Apr 16, 2003.

  1. Hockey Addict
    We are getting hit hard by a spammer. Somehow he has managed to spoof the auth to relay through. I thought at first it was just a customer BS'ing me when he denied sending out spam, but now, using the view Exim message in WHM, I found the following, and the user hockey is me for my hockey site. No one but me has an e-mail account with the domain either. How is this happening and how do I stop it? I am running WHM 6.2.0 with cPanel 6.4.0-E14 on Red Hat 8.0.

    195fQ1-0007ME-00-H
    hockey 32012 32012 1050470713 0
    -ident hockey
    -received_protocol local
    -body_linecount 34
    -auth_id hockey
    -auth_sender hockey@slapshot.thesportshost.com
    -local
    YY kvadnais125@aol.com
    YY kunijitakahashi@aol.com
    NY kturyna@aol.com
    NN ktz14@aol.com
    YY kuramochim@aol.com
    NN kupkak5617@aol.com
    NN kurtcsu@aol.com
    YY ladinminn@aol.com
    YY lab8731@aol.com
    NN kwaisun@aol.com
    NN laderanglr@aol.com
    YY ladyclient@aol.com
    NN ladybug4sho@aol.com
    YY ladysunschine61@aol.com
    NN ladym80084@aol.com
    NN lafingcow84@aol.com
    17
    ke8z@56e.com
    kturyna@aol.com
    kunijitakahashi@aol.com
    lafingcow84@aol.com
    kvadnais125@aol.com
    lab8731@aol.com
    kuramochim@aol.com
    ladinminn@aol.com
    ladyclient@aol.com
    kurtcsu@aol.com
    laderanglr@aol.com
    ktz14@aol.com
    ladybug4sho@aol.com
    ladysunschine61@aol.com
    ladym80084@aol.com
    kwaisun@aol.com
    kupkak5617@aol.com

    134P Received: from hockey by slapshot.thesportshost.com with local (Exim 3.36 #1)
    id 195fQ1-0007ME-00; Tue, 15 Apr 2003 22:25:13 -0700
    017T To: ke8z@56e.com
    068F From: "ProtectYourComp7@zipconz.com"
    099 Subject: Your computer is at risk! Protect it with an instant download of Norton's Firewall, 2003
    304* BCC:kturyna@aol.com,kunijitakahashi@aol.com,lafingcow84@aol.com,kvadnais125@aol.com,lab8731@aol.com,
    kuramochim@aol.com,ladinminn@aol.com,
    ladyclient@aol.com,kurtcsu@aol.com,laderanglr@aol.com,
    ktz14@aol.com,ladybug4sho@aol.com,
    ladysunschine61@aol.com,ladym80084@aol.com,kwaisun@aol.com,kupkak5617@aol.com
    059I Message-Id:
    038 Date: Tue, 15 Apr 2003 22:25:13 -0700

    195fQ1-0007ME-00-D

    <HTML><P ALIGN=CENTER><FONT SIZE=2 PTSIZE=10 FAMILY="SANSSERIF" FACE="Arial" LANG="0"><B>Don't let your system fall prey to intruders!</B>

    Make your computer invisible to hackers while online surfing the web!
    EVERY computer connected to the web is at risk of being 'hacked'. Thousands of hackers scan through millions of computers daily, looking for security holes they can exploit... If your computer is not running a firewall, <I>you</I> could be their next victim!

    <A Href ="http://www.ultra-offers.com/firewall.cgi?aid=7&oid=49&pid=110">PRIVACY PROTECTION AT ITS VERY BEST!
    </A><A Href ="http://www.ultra-offers.com/firewall.cgi?aid=7&oid=49&pid=110">DOWNLOAD NORTON FIREWALL TODAY INSTANTLY AND KEEP YOUR DATA PROTECTED</A>

    Only $19.95, for a limited time. Offer ends March 15th, act now!

    To be removed from all future mailings immediately, and permanently, <A Href ="http://ultra-offers.com/unsubscribe/unsubscribe.cfm">CLICK HERE</A>
    <P ALIGN=LEFT>

    </P></P></FONT></HTML>



    sokd
     
    #1 Hockey Addict, Apr 16, 2003
    Last edited: Apr 16, 2003
  2. Faldran
    Looks like that is coming in via a formmail script... you should check your formmail scripts on that site.
     
  3. sexy_guy
    Well, if that is true, then the question is why is Formmail still a problem when it was supposed to have been fixed? That's my question for today.
     
  4. Hockey Addict
    Hmmm... not sure it can be that; all the formmail.pl and formmail_clone.pl scripts in the cpanel/cgi-sys/ folder are chmod to 700 <http://thesportshost.com/cgi-sys/formmail.pl>. It was done correctly too, because clicking the link you will get "The server encountered an internal error or misconfiguration and was unable to complete your request" rather than the little paragraph about it being a clone of Matt's Scripts....
     
  5. Faldran
    Does not have to be in the cgi-sys; it could be in the cgi-bin dir, where a client placed it.

    You should search all files on their site for /sendmail in them... one of them is sending it.

    Also check the domlogs for the site, and see what script has been used... a lot... usually that will give you a good idea where it is coming from.

    Also in cPanel admin, check latest visitors; a lot of the time that will give you what has been accessed a lot.

    All good places to start.
     
    #5 Faldran, Apr 16, 2003
    Last edited: Apr 16, 2003
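    The two checks Faldran suggests above (search the site's files for anything that calls the mailer, then tally which scripts the domlog shows being hit most) as shell functions. This is an added example written for this thread, not code from the forum or from cPanel; the sample site tree, the scripts it contains and the domlog lines are all constructed, and the cPanel paths in the usage comment are the usual defaults, which you should verify on your own box.

```shell
#!/bin/sh
# Added example, not from the thread: Faldran's two checks as shell functions.
# find_mailer_scripts lists files that call the local mailer; top_scripts
# tallies which CGI/PHP scripts a domlog shows being hit most.
# Everything make_sample_site writes is constructed data for the demo.

# List files under a directory that invoke sendmail or PHP's mail(),
# one path per line, sorted.
find_mailer_scripts() {
    grep -rlE 'sendmail|mail[(]' "$1" 2>/dev/null | sort
}

# Tally requests to .pl/.cgi/.php paths in an Apache access log (cPanel
# keeps these under /usr/local/apache/domlogs/<domain>), printing
# "count path", most-requested first. Works on common and combined log
# formats alike, since only the request fields ($6 and $7) are used.
top_scripts() {
    awk '$6 ~ /^"(GET|POST)/ {
             split($7, p, "?")                      # drop any query string
             if (p[1] ~ /\.(pl|cgi|php)$/) n[p[1]]++
         }
         END { for (k in n) printf "%d %s\n", n[k], k }' "$1" | sort -rn
}

# Build a throwaway site tree and domlog (constructed data) and print its path.
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/public_html/cgi-bin" "$d/logs"
    printf '#!/usr/bin/perl\nopen(MAIL, "|/usr/sbin/sendmail -t");\n' \
        > "$d/public_html/cgi-bin/formmail.pl"
    printf '<?php mail($_POST["to"], "hi", $_POST["msg"]); ?>\n' \
        > "$d/public_html/contact.php"
    printf '<html>hello</html>\n' > "$d/public_html/index.html"
    cat > "$d/logs/example.net" <<'EOF'
198.51.100.7 - - [16/Apr/2003:01:02:03 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512
198.51.100.7 - - [16/Apr/2003:01:02:05 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512
198.51.100.7 - - [16/Apr/2003:01:02:07 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512
203.0.113.9 - - [16/Apr/2003:01:03:00 -0700] "GET /index.html HTTP/1.0" 200 1024
203.0.113.9 - - [16/Apr/2003:01:03:10 -0700] "POST /contact.php?x=1 HTTP/1.0" 200 300
EOF
    echo "$d"
}

# Usage: sh mailer_check.sh /home/<user>/public_html /usr/local/apache/domlogs/<domain>
# With no arguments it runs against the constructed sample tree.
if [ $# -eq 2 ]; then
    find_mailer_scripts "$1"
    top_scripts "$2"
else
    s=$(make_sample_site)
    find_mailer_scripts "$s/public_html"
    top_scripts "$s/logs/example.net"
    rm -rf "$s"
fi
```

    On the sample data the first function lists formmail.pl and contact.php (index.html is skipped) and the second puts /cgi-bin/formmail.pl at the top with three POSTs from one address, which is the pattern to look for: a mail-capable script that is POSTed to far more often than the site's pages are viewed.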
  6. Hockey Addict
    3 of the 5 sites that are getting the auth to use relay are mine. None have any sendmail tags; in fact all three sites are only vBulletin forums, nothing else. Checking the domlogs for all three domains, none come back with using any scripts to send any sort of mail, except for new users to verify e-mail address and to members subscribed to a thread when a new post is made.
     
  7. fmalekpour
    GOD BLESS YOU,
    You saved our a**

    Thanks a million
     
  8. ivaserver
    How can I do this in SSH?

    best wishes
    Ivaserver
     
  9. superiorhost
    Hmm,
    I don't see anything in this email that looks like a formmail-sent email.
    Please show me what you're seeing that you would say looks like a formmail sent it.

    In a formmail spam, you get the tell-tale "your submission results"....

    That is not here. This looks like a direct SMTP send to me. What am I missing here?

    Tim L
     
  10. Faldran
    -ident hockey
    -received_protocol local
    -body_linecount 34
    -auth_id hockey
    -auth_sender hockey@slapshot.thesportshost.com
    -local


    In the above, -received_protocol local and the -local are both ones showing it was received on the machine... normally this is formmail.pl or a similar script. (Also, -auth_sender is your username and the server name, which is also normal for formmail-sent emails.)
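    The distinction Faldran draws, read off the envelope keys of an Exim -H spool file, as a small script. This is an added example for this thread, not cPanel's or Exim's own tooling; it assumes the Exim 3 -H layout the first post shows (keys such as -received_protocol and -auth_id, then the recipient count and list, then a blank line before the headers) and cPanel's default spool directory /var/spool/exim/input, and the sample spool file it writes is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: read the envelope keys of an Exim -H spool
# file and report how the message entered the queue. Assumes the Exim 3 -H
# layout shown in the thread and cPanel's spool dir /var/spool/exim/input;
# the sample file written by write_sample_spool is constructed.

# Summarise the injection path from the -H envelope section: "local-injection"
# when -received_protocol is local (handed to Exim by a process on this box,
# typically a CGI script, PHP mail() or a cron job), otherwise the SMTP
# protocol plus the peer address recorded in -host_address.
classify_exim_spool() {
    awk '
        /^-ident /             { ident = $2 }
        /^-received_protocol / { proto = $2 }
        /^-auth_id /           { auth  = $2 }
        /^-host_address /      { host  = $2 }
        /^$/                   { exit }   # first blank line: headers follow, envelope done
        END {
            if (proto == "local")
                printf "local-injection ident=%s auth_id=%s\n", ident, auth
            else
                printf "smtp proto=%s ident=%s auth_id=%s host=%s\n", proto, ident, auth, host
        }' "$1"
}

# Envelope recipient count: the bare number that precedes the recipient list
# (the "17" in the spool file quoted in the thread).
count_recipients() {
    awk 'NR > 1 && /^[0-9]+$/ { print; exit }' "$1"
}

# Write a constructed -H file in the thread's layout and print its path.
write_sample_spool() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
19Abcd-000123-00-H
site1 32001 32001 1050470713 0
-ident site1
-received_protocol local
-body_linecount 34
-auth_id site1
-auth_sender site1@www.example.net
-local
YY one@example.com
NN two@example.com
3
three@example.com
two@example.com
one@example.com

134P Received: from site1 by www.example.net with local (Exim 3.36 #1)
        id 19Abcd-000123-00; Tue, 15 Apr 2003 22:25:13 -0700
EOF
    echo "$f"
}

# Usage: sh exim_origin.sh /var/spool/exim/input/<message-id>-H
# With no argument it runs on the constructed sample.
spool="${1:-}"
[ -n "$spool" ] || spool=$(write_sample_spool)
classify_exim_spool "$spool"
echo "recipients: $(count_recipients "$spool")"
[ -n "${1:-}" ] || rm -f "$spool"
```

    To survey a whole queue, loop over the spool files (`for f in /var/spool/exim/input/*-H; do classify_exim_spool "$f"; done`) and count the output lines: a pile of local-injection entries with the same ident and a large recipient count points at a script running as that user rather than at a relay from outside, while smtp entries with a -host_address point at an authenticated or open-relay SMTP session, which is a different fix.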
     