
How do I track spam sent from my server?

Discussion in 'General Discussion' started by hostultra, May 14, 2003.

  1. hostultra

    hostultra Well-Known Member

    Joined:
    Aug 21, 2002
    Messages:
    167
    Likes Received:
    0
    Trophy Points:
    16
    I got a spam alert from SpamCop; the spam has these headers:

    Offending message:
    Return-path: <sdlkhlfjks@riodejaneiro.net>
    Envelope-to: devin@localhost
    Delivery-date: Wed, 14 May 2003 06:06:37 +0900
    Received: from localhost ([127.0.0.1])
    by mail.distalzou.net with esmtp (Exim 3.36 #1)
    id 19Fgyr-0009cY-00
    for devin@localhost; Wed, 14 May 2003 06:06:37 +0900
    Delivered-To: devin@telerama.com
    Received: from localhost
    by localhost with POP3 (fetchmail-6.2.0)
    for devin@localhost (single-drop); Wed, 14 May 2003 06:06:37 +0900 (JST)
    Received: (qmail 36843 invoked from network); 13 May 2003 21:01:15 -0000
    Received: from unknown (HELO sargon10.shcp.ofimay.gob.mx) (148.233.228.73)
    by speedbuggy.telerama.com with SMTP; 13 May 2003 21:01:15 -0000
    Received: from mail.terra.cl (server2.hostultra.com [207.44.218.56])
    by sargon10.shcp.ofimay.gob.mx (8.11.6/linuxconf) with SMTP id h4DL16R18318;
    Tue, 13 May 2003 16:01:07 -0500
    Date: Tue, 13 May 2003 16:01:07 -0500
    Message-Id: <200305132101.h4DL16R18318@sargon10.shcp.ofimay.gob.mx>
    From: "Jake" <sdlkhlfjks@riodejaneiro.net>
    To: "xsumner@korea.com" <xsumner@korea.com>
    Subject: Price Reduced: Get Norton System Works for $29.99 ($210 value) xsumner
    Cc: jeanniemarie7@hotmail.com
    Cc: devin@telerama.com
    MIME-Version: 1.0
    Content-Type: text/html


    How do I find which account sent it?
     
  2. howard

    howard Well-Known Member

    Joined:
    Apr 20, 2003
    Messages:
    233
    Likes Received:
    0
    Trophy Points:
    16
    It could just be name dropping, in the hope that you get in trouble. Reasons for this:

    a) Unless you have removed them, it contains none of the usual cPanel headers (e.g. the X-Antiabuse stuff).

    b) The supposed server you sent to is an open relay (see http://dsbl.org/listing?ip=148.233.228.73 and http://www.moensted.dk/spam/?addr=148.233.228.73&Submit=Submit).

    You could check in your logs for Tuesday/Wednesday to see whether you did or did not send any mail to that address, e.g. grep 2003-05-13 /var/log/exim*|grep 148.233.228
     
  3. hostultra

    hostultra Well-Known Member

    Joined:
    Aug 21, 2002
    Messages:
    167
    Likes Received:
    0
    Trophy Points:
    16
    Thanks for the help

    The reason I got it was that 207.44.218.56 is my server.
    The mail does not look like it was sent from my server; mail sent from my server always has Return-path: <username@server2.hostultra.com>

    Running grep 2003-05-13 /var/log/exim*|grep 148.233.228 showed no results.

    I have heard nothing from my ISP (RackShack) yet about it; I like to have these things sorted before they check their email.

    Yesterday I got a spam complaint (same spam) for an IP address that isn't even bound to any server.
     
  4. howard

    howard Well-Known Member

    Joined:
    Apr 20, 2003
    Messages:
    233
    Likes Received:
    0
    Trophy Points:
    16
    Yeah, sometimes I think people just blindly accept whatever SpamCop says even though it tells you to check it, or people blindly forward mail to SpamCop (although it's very good at what it does, it's still possible to fool it; there was an uproar on exim-users a while back since a person sent an off-list reply as well as cc'ing the list, and that mail got to SpamCop).
     
  5. hostultra

    hostultra Well-Known Member

    Joined:
    Aug 21, 2002
    Messages:
    167
    Likes Received:
    0
    Trophy Points:
    16
    It turns out the spam did come from my server.

    What this spammer did was very smart.
    He ran a CGI script in his account which connected to a different SMTP server to send the spam.
    This means that the mail restrictions you set in cPanel have no effect and the abuse headers do not get added.
    The result is that when you get a spam report you have no idea which account the spam came from.
    Right after he ran the script he deleted it from the cgi-bin.

    I found it by pure luck: I spotted a load of unusual processes in top, looked in his logfile and saw this:

    207.43.172.230 - - [14/May/2003:17:14:58 -0500] "POST /cgi-bin/18472.cgi HTTP/1.1" 200 20 "-" "Mozilla/4.0 (compatible; MSIE 4.01; $
    207.43.172.230 - - [14/May/2003:17:15:00 -0500] "POST /cgi-bin/18472.cgi HTTP/1.1" 200 20 "-" "Mozilla/4.0 (compatible; MSIE 4.01; $
    207.43.172.230 - - [14/May/2003:17:15:02 -0500] "POST /cgi-bin/18472.cgi HTTP/1.1" 200 20 "-" "Mozilla/4.0 (compatible; MSIE 4.01; $
    207.43.172.230 - - [14/May/2003:17:15:04 -0500] "POST /cgi-bin/18472.cgi HTTP/1.1" 200 20 "-" "Mozilla/4.0 (compatible; MSIE 4.01; $
    207.43.172.230 - - [14/May/2003:17:15:08 -0500] "POST /cgi-bin/18472.cgi HTTP/1.1" 200 20 "-" "Mozilla/4.0 (compatible; MSIE 4.01; $
    207.43.172.230 - - [14/May/2003:17:15:08 -0500] "POST /cgi-bin/18472.cgi HTTP/1.1" 200 20 "-" "Mozilla/4.0 (compatible; MSIE 4.01; $

    The file /cgi-bin/18472.cgi did not exist anymore (deleted?),
    but the logs there show a 200 status, which means it did exist when it was run.

    Is there a way I can block Perl scripts connecting to SMTP servers?
     
  6. SH-Matt

    SH-Matt Registered

    Joined:
    Jul 25, 2002
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    I had a spammer do the EXACT same thing to one of my servers! He named his script 16746.cgi instead

    Mind posting the contents of that script? I'm interested to see if they're the same....
     
  7. hostultra

    hostultra Well-Known Member

    Joined:
    Aug 21, 2002
    Messages:
    167
    Likes Received:
    0
    Trophy Points:
    16
    I don't have the contents of the script;
    he deleted it from the server after it was run.

    The number on the script changes;
    our logs show the first day there was a different number.
     
  8. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    Can I see some part of the code to check if I have it on my box?

     
  9. Website Rob

    Website Rob Well-Known Member

    Joined:
    Mar 23, 2002
    Messages:
    1,506
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    Alberta, Canada
    cPanel Access Level:
    Root Administrator
    hostultra, I'm curious -- if you don't mind sharing -- as to whether the person had been a client of yours for a while? I presume, from the information you have received in this post (nice touch, howard), you have already cancelled the account; no refunds, no recourse, for spam-related email.

     
  10. kris1351

    kris1351 Well-Known Member

    Joined:
    Apr 18, 2003
    Messages:
    963
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Lewisville, Tx
  11. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    Yes, but where is the code?

     
  12. brainx

    brainx Member

    Joined:
    Jul 9, 2003
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    1
    I found this spammer. Please keep in mind and do not host this domain. He is using the following username and domain:
    ghann8j9 (medistarhlth.com)

    207.43.172.227 - - [03/Sep/2003:12:58:49 -0500] "POST /cgi-bin/12833.cgi HTTP/1.1" 200 20 "-" "Mozilla/4.0 (compatible; MSIE$
    207.43.172.227 - - [03/Sep/2003:12:58:54 -0500] "POST /cgi-bin/12833.cgi HTTP/1.1" 200 2440 "-" "Mozilla/4.0 (compatible; MS$
    207.43.172.227 - - [03/Sep/2003:12:58:55 -0500] "POST /cgi-bin/12833.cgi HTTP/1.1" 200 20 "-" "Mozilla/4.0 (compatible; MSIE$
    207.43.172.227 - - [03/Sep/2003:14:18:29 -0500] "POST /cgi-bin/22265.cgi HTTP/1.1" 200 20 "-" "Mozilla/4.0 (compatible; MSIE$
    207.43.172.227 - - [03/Sep/2003:14:18:34 -0500] "POST /cgi-bin/22265.cgi HTTP/1.1" 200 2440 "-" "Mozilla/4.0 (compatible; MS$
    207.43.172.227 - - [03/Sep/2003:14:18:34 -0500] "POST /cgi-bin/22265.cgi HTTP/1.1" 200 20 "-" "Mozilla/4.0 (compatible; MSIE$

    When I look into his account I can't find any of those scripts. He is deleting them right after running them. While these scripts are running you see something like this on your console:
    ghann8j9 26076 3.5 0.4 3472 2160 ? R 14:18 0:00 /usr/bin/perl -w 22265.cgi

    Many instances of this script run for a few seconds and then terminate.

    Hope this helps.
    Thanks
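    As an added, defender-side example (not code from this thread, from cPanel, or from any poster), a small Python checker that turns the observations in posts 5 and 12 into a log sweep: it picks out successful POSTs to a cgi-bin script that is no longer on disk, and flags the all-digit script names described above. The document root, the `exists` hook and the sample log lines are constructed for the example (modelled on the lines quoted in the thread), not taken from a real server.

```python
import os
import re
from collections import defaultdict

# Apache "combined" access log prefix: client, timestamp, request line, status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# The thread's spammer used /cgi-bin/<digits>.cgi with a fresh number on each run.
NUMERIC_CGI_RE = re.compile(r'^/cgi-bin/\d+\.cgi$')

# Constructed sample, modelled on the lines quoted in the thread (not a real log).
SAMPLE_LOG = """\
207.43.172.227 - - [03/Sep/2003:12:58:49 -0500] "POST /cgi-bin/12833.cgi HTTP/1.1" 200 20 "-" "Mozilla/4.0"
207.43.172.227 - - [03/Sep/2003:12:58:54 -0500] "POST /cgi-bin/12833.cgi HTTP/1.1" 200 2440 "-" "Mozilla/4.0"
207.43.172.227 - - [03/Sep/2003:14:18:29 -0500] "POST /cgi-bin/22265.cgi HTTP/1.1" 200 20 "-" "Mozilla/4.0"
10.0.0.5 - - [03/Sep/2003:14:20:00 -0500] "GET /cgi-bin/counter.cgi HTTP/1.1" 200 512 "-" "Mozilla/4.0"
10.0.0.6 - - [03/Sep/2003:14:21:00 -0500] "POST /cgi-bin/formmail.cgi HTTP/1.1" 200 88 "-" "Mozilla/4.0"
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_vanished_cgi_posts(log_text, docroot, exists=os.path.isfile):
    """Group successful POSTs to cgi-bin scripts by path and report the ones that
    no longer exist under docroot: a 200 in the log for a file that is gone is the
    run-then-delete pattern the thread describes. `exists` is injectable (assumed
    hook) so the check can be exercised without a real document root."""
    hits = defaultdict(lambda: {"count": 0, "clients": set(), "numeric_name": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["status"] != "200":
            continue
        if not rec["path"].startswith("/cgi-bin/"):
            continue
        if exists(os.path.join(docroot, rec["path"].lstrip("/"))):
            continue  # script still on disk: it can be inspected the normal way
        entry = hits[rec["path"]]
        entry["count"] += 1
        entry["clients"].add(rec["ip"])
        entry["numeric_name"] = bool(NUMERIC_CGI_RE.match(rec["path"]))
    return dict(hits)


if __name__ == "__main__":
    # Placeholder docroot; on a live box point this at the account's public_html.
    for path, info in find_vanished_cgi_posts(SAMPLE_LOG, "/path/to/docroot").items():
        tag = " (numeric name)" if info["numeric_name"] else ""
        print(f"{path}: {info['count']} POST(s) from {sorted(info['clients'])}{tag}")
```

    Run it against each account's access log; a vanished, numerically named script with a burst of POSTs from a single client is the signal the posters found by hand, and it pairs with the process-list check (perl running a <digits>.cgi) shown above.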

     
  13. iisnet

    iisnet Active Member

    Joined:
    Oct 6, 2002
    Messages:
    35
    Likes Received:
    0
    Trophy Points:
    6
    This spammer recently dropped by, hosting a domain with us.

    I deactivated his CGI-BIN, but he circumvented that, and I found a file called "mypage.cgi".

    From the looks of it, it seems to be a spamming machine. :(

     