The Community Forums

Interact with an entire community of cPanel & WHM users!

Is my datacenter nuts??

Discussion in 'E-mail Discussions' started by Zazoos1, Nov 5, 2007.

  1. Zazoos1

    Zazoos1 Well-Known Member

    Joined:
    Jan 1, 2004
    Messages:
    49
    Likes Received:
    0
    Trophy Points:
    6
    Hello,

    I need some advice. I logged into my WHM this morning and noticed a much higher than normal mail queue. After doing some investigation, I learned that one of my clients' mail accounts had been compromised and was being used to send fraudulent spam emails. I immediately re-secured the user account (changed all cPanel and mail passwords), deleted the remaining offensive emails from the queue and contacted the client to let him know to do his part to keep passwords secure. Unfortunately, it was not soon enough, however, as about 6 hours later I was contacted by my datacenter and told to immediately remove the user account due to spam. I wrote back and informed them of all I had learned, including that the IP address of the person who was logging in to send the spam was from Nigeria, and all other information I had gathered to show this was simply a matter of a compromised account and that all had been amended. Their next reply was:

    -----------------------------------------------------------
    DATACENTER: "Your data shows squirrelmail is NOT configured in a secure method. These advance fee fraud spam emails were sent because of "BCC:" (blind carbon copy) setting in squirrelmail allowing sending to BCC recipients.

    NOTE: You must either disable SquirrelMail completely or reconfigure SquirrelMail to NOT allow "BCC:" addresses. You must reply in this notice to confirm which action you have taken before we can close this issue."
    -----------------------------------------------------------

    I tried to very politely point out that that's one of the sillier requests I've seen from a support technician -- disabling BCC won't prevent spamming via Squirrelmail at all, it just removes ONE of the fields they could do it with. It makes about as much sense as removing the "To:" field.

    To which they now reply:

    -----------------------------------------------------------
    DATACENTER: "BCC allows people to send spam from any web email form.

    If you keep BCC enabled on the squirrelmail, then we will have to require disabling entirely of squirrelmail to prevent continued abuse.

    BCC should never be allowed on web mail programs.

    So, either disable BCC in squirrelmail, disable squirrelmail, or remove the actual user responsible which is user *******. We cannot simply ignore the insecurity in your configuration and/or the user account responsible."
    -----------------------------------------------------------

    Now I did go ahead and disable SquirrelMail completely but cannot for the life of me see how this is really a viable solution. This effectively cripples a useful feature for my users, and will not prevent spamming at all (since a spammer could just as easily use the CC line, for example, or use Horde Webmail which is also on my server). I also tried to point out again the spamming occurred because an entire mail account was compromised, and the spammer could have just as easily used a third-party mail client, in which case SquirrelMail's BCC support would be irrelevant.

    Can anyone please weigh in? Am I wrong or is my datacenter nuts? I want so badly to fight this but feel like I am trapped into complying.
     
  2. markfrompf

    markfrompf Well-Known Member

    Joined:
    Mar 27, 2006
    Messages:
    176
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Los Angeles, CA
    Your data center is nuts!

    Is this a dedicated server, vps or shared package and is it managed or unmanaged?
     
  3. Zazoos1

    Zazoos1 Well-Known Member

    Joined:
    Jan 1, 2004
    Messages:
    49
    Likes Received:
    0
    Trophy Points:
    6
    Thanks for the reply. It is a dedicated, unmanaged server. I have been with them for a year and a half - over 400 hosted accounts and no other spam complaint filed - ever.
     
  4. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    The datacentre is just wrong. The spammer gained illicit access to the server and simply used SquirrelMail as the spam vector. It could just as easily have been from a script the spammer uploaded - does that mean you should not allow any scripts to run within user accounts? No.

    From what you have said, you've done what you had to in identifying how the spammer got in and warned the client - if the problem recurred you'd be wise to terminate the clients account. There's nothing more for you to do. If the hosting provider fails to understand, then you'll most likely have to move to a more reasonable one.
     
  5. Zazoos1

    Zazoos1 Well-Known Member

    Joined:
    Jan 1, 2004
    Messages:
    49
    Likes Received:
    0
    Trophy Points:
    6
    Thank you for the reply. I feel better in knowing my frustration is justified. They did allow my client to stay and I did find several options on my end to make sure my clients are more secure in the future. Funny how we sometimes have to protect them from themselves - weak password, etc.

    Thanks again.
     
  6. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    5
    Trophy Points:
    38
    Location:
    back woods of NC, USA
    I love this part.

    NO, you ignorant fool. These "advance fee fraud" spam emails were sent because either a real user is sending them (who needs to be stopped) and/or an outside compromise has taken place. The spammer needs to be stopped first.

    Your DC is a hunk of crap! What they should suggest is that you install some sort of brute force detection, like the best one, IMHO, on the net for cPanel-based servers, and that's Chirpy's CSF/LFD :)

    3 days ago I noticed a high mail queue and investigated further. Turns out, under my nose, not 1 hour before I first learned of it, a worm made its way into a webmail account. It changed the password and started the emails that start like this:
    Code:
    ATTENTION,
    
    How are you today? I Hope all is well with you and your family? I hope
    this mail meets you in a perfect condition.
    
    I am using this opportunity to thank you for your great effort to our
    unfinished transaction and delivery of your winning cheque to you from
    the courier company, I am sorry for presenting and using someone else
    in your name to get this transaction  successful.
    Anyway, search and watch the cPanel access_log and you can see where they changed the password and then started the spam campaign. One of the keywords you may want to search your cPanel access_log for is "Crazy Browser".

    It turns out that this real user had a really weak password, and this particular server (1 of 10) was the only server that I had POP3 LFD checking turned off on. The password was "printer", so a simple brute force dictionary attack yielded the worm/hacker webmail access.

    I took care of the problem, told the client no more easy passwords (he changed it to "printer1") and I watched while CSF/LFD blocked 2 IPs that tried to get back in shortly after I enabled it. I am kicking myself for not having POP3 brute force detection enabled on that box. It would have easily stopped this. However, I was able to learn some things.

    You may wonder why they are using this clumsy method of webmail and 50 emails at a time. If they have the user and password for webmail they could use SMTP. But I think they do this because they can use the http proxy and stay hidden and also put the mail out in small amounts so it looks like regular usage.

    Anyway, your dumb ass data center should have been more concerned about one of your email accounts sending out these emails in the first place. Either you have a crooked user or you have an innocent user who has a password that has been guessed and is being used for the spamming, like in my case. Either way, that issue should be of biggest concern to you and your DC. Telling you to disable BCC is beside the point. And getting that done would mean that 100 million cPanel end user domains would lose that BCC function. It doesn't begin to address weak passwords or end user email practices. And I bet they didn't suggest you use brute force detection like Chirpy's CSF? They don't care who is using it; they just want to take away from its functionality, which affects law-abiding users. That's like telling people they can't have furniture and valuables in their homes because the thugs that break in may get those items if they get in. So they suggest that you remove those items so they can't be stolen or used. They should suggest that you lock your door, or lock it better, or change your locks, or turn on your security system first.

    Fire your DC!!! With this kind of logic in the suggestion they gave you, the next thing you should do is suggest that the DC disable their network because people are using it to hack servers inside.

    After reading what I just wrote I have decided to re-think some of it.

    It may not be your data center's fault. It may just be the idiot that answered your ticket. He needs to go back to work at Wal-Mart
     
    #6 rpmws, Nov 8, 2007
    Last edited: Nov 8, 2007
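The log-hunting step rpmws describes above (search the cPanel access_log for the password change, then the spam run, and for the "Crazy Browser" user agent), written out as an added example. This is not code from the thread or from cPanel; the log lines are constructed, and the Apache-combined-log shape, the path fragments taken to mean "changed the mail password" and "sent via webmail", and the first-IP-seen baseline are all assumptions for the example, not verified against a real cPanel install:

```python
"""Hunt a cPanel-style access_log for a hijacked webmail account.

Pattern from the thread: a new IP logs in, changes the mailbox
password, then starts sending through webmail.  Everything below
(log shape, path fragments, sample lines) is constructed for the
example and assumed, not taken from a real cPanel server.
"""
import re

# Assumed Apache combined-log shape:
#   ip - user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed path fragments: a POST here = "changed a mail password" / "sent via webmail".
PASSWD_PATHS = ("passwdpop",)
SEND_PATHS = ("/squirrelmail/src/compose.php", "/horde/imp/compose")
# User-agent substrings worth flagging on sight (the thread names Crazy Browser).
SUSPECT_UA = ("crazy browser",)

# Constructed sample: bob's usual IP is 10.0.0.5; 203.0.113.9 takes over the account.
SAMPLE_LOG = """\
10.0.0.5 - bob [05/11/2007:08:01:10 -0500] "GET /frontend/x3/mail/index.html HTTP/1.1" 200 812 "" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
203.0.113.9 - bob [05/11/2007:09:12:01 -0500] "GET /frontend/x3/mail/index.html HTTP/1.1" 200 812 "" "Mozilla/4.0 (compatible; MSIE 6.0; Crazy Browser 2.0.1)"
203.0.113.9 - bob [05/11/2007:09:12:40 -0500] "POST /frontend/x3/mail/dopasswdpop.html HTTP/1.1" 200 310 "" "Mozilla/4.0 (compatible; MSIE 6.0; Crazy Browser 2.0.1)"
203.0.113.9 - bob [05/11/2007:09:14:05 -0500] "POST /3rdparty/squirrelmail/src/compose.php?send=1 HTTP/1.1" 302 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Crazy Browser 2.0.1)"
203.0.113.9 - bob [05/11/2007:09:14:50 -0500] "POST /3rdparty/squirrelmail/src/compose.php?send=1 HTTP/1.1" 302 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Crazy Browser 2.0.1)"
10.0.0.5 - alice [05/11/2007:09:30:00 -0500] "POST /3rdparty/squirrelmail/src/compose.php?send=1 HTTP/1.1" 302 0 "" "Mozilla/5.0 (X11; Linux)"
"""


def parse(log_text):
    """Yield one dict per well-formed line; silently skip anything else."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def analyze(log_text):
    """Return {user: findings} for accounts that changed a password or used a suspect UA.

    first_ip is the first address seen for the user in this log window; a
    password change from a different address is the "new IP" signal, and
    webmail sends after that change are counted as the spam run.
    """
    first_ip, report = {}, {}
    for ev in parse(log_text):
        user, ip, path = ev["user"], ev["ip"], ev["path"]
        first_ip.setdefault(user, ip)
        rec = report.setdefault(user, {
            "pw_change_ip": None, "pw_change_from_new_ip": False,
            "sends_after_change": 0, "suspect_ua": False,
        })
        if any(s in ev["ua"].lower() for s in SUSPECT_UA):
            rec["suspect_ua"] = True
        if ev["method"] == "POST" and any(p in path for p in PASSWD_PATHS):
            rec["pw_change_ip"] = ip
            rec["pw_change_from_new_ip"] = ip != first_ip[user]
        elif (ev["method"] == "POST" and rec["pw_change_ip"]
              and any(p in path for p in SEND_PATHS)):
            rec["sends_after_change"] += 1
    # Keep only accounts that tripped something; alice's ordinary sends drop out.
    return {u: r for u, r in report.items() if r["pw_change_ip"] or r["suspect_ua"]}


if __name__ == "__main__":
    for user, rec in analyze(SAMPLE_LOG).items():
        print(user, rec)
```

Run against a real log, the two signals that matter are a password change from an address the account has not used before and a burst of compose POSTs right after it; the user-agent match is a bonus, since it depends on the attacker not changing it.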
  7. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    5
    Trophy Points:
    38
    Location:
    back woods of NC, USA
    Exactly!!!

    I hit reply and took a 90 minute support call, and after I finished my post and hit submit I saw that Chirpy had beaten me to it. He is exactly right and basically said what I was saying, only I am long winded :(
     
  8. Zazoos1

    Zazoos1 Well-Known Member

    Joined:
    Jan 1, 2004
    Messages:
    49
    Likes Received:
    0
    Trophy Points:
    6
    LOL, you are absolutely correct. I do feel it was the tech, not really the data center as a whole, but when I questioned their response two times, I was told the same thing each time - like they thought the proper response was to back each other up rather than admit the suggestion was indeed ridiculous.

    Yes, we have since blocked the ISP from Nigeria to which the IP address of the offender belonged, added brute force protection and ran a program on all our accounts to see which ones we could break into ourselves. Turns out 20+ users actually were using the password 'password' and many other obvious types. We contacted each of them and told them this was their one warning to change their passwords to something much more secure or they would need to find another host. I am not interested in spending another 12 hours cleaning up a mess the clients create by not using basic security measures. :)

    Thanks, all for the advice. I certainly do take it all to heart.
     
  9. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    5
    Trophy Points:
    38
    Location:
    back woods of NC, USA
    we need a banned password list in WHM that will be checked against for ALL cpanel based password management :) Nick you around? hehe
     
  10. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,381
    Likes Received:
    23
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    See if something like:

    http://bugzilla.cpanel.net/show_bug.cgi?id=6022

    might be what you are looking for. A banned password list might also be a good thing.
     
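The two ideas from posts #8, #9 and #10 above (run a dictionary of obvious passwords against every account to see which ones you could break into yourself, and refuse banned base words at password-set time so "printer" cannot simply come back as "printer1"), as an added example. This is not code from the thread or from cPanel/WHM: the account records and word list are constructed, and the salted-SHA-256 hash is a stand-in for whatever the real password store uses:

```python
"""Weak-password audit plus a banned-list check for new passwords.

Reproduces the two ideas in the thread: run the obvious passwords
against every account to see which ones you could break into yourself,
and reject banned base words at password-set time so 'printer' cannot
simply come back as 'printer1'.  The salted-SHA-256 hash is a stand-in
for whatever the real system stores; the account records and word list
are constructed for the example.
"""
import hashlib
import hmac
import itertools
import re

# Constructed banned list; a real one would be thousands of entries.
BANNED = {"password", "printer", "123456", "qwerty", "letmein", "welcome", "abc123"}

# Undo the leet substitutions a user reaches for when told "add a number".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def normalize(pw):
    """Reduce a candidate to its base word: lower-case, drop a trailing
    run of digits/symbols ('printer1' -> 'printer'), then undo leet."""
    base = re.sub(r"[\d!@#$%^&*.?]+$", "", pw.lower())
    return base.translate(LEET)


def is_weak(username, pw, banned=BANNED, min_len=8):
    """Return a list of reasons the password should be refused (empty = OK)."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len}")
    base = normalize(pw)
    hit = next((w for w in (pw.lower(), base) if w in banned), None)
    if hit is not None:
        reasons.append(f"banned base word '{hit}'")
    if username and username.lower() in pw.lower():
        reasons.append("contains the username")
    return reasons


def mutations(word):
    """The cheap variants a guesser tries first: case and a short suffix."""
    for cap in (word, word.capitalize()):
        for suffix in ("", "1", "12", "123", "!", "2007"):
            yield cap + suffix


def stand_in_hash(salt, pw):
    # Stand-in for the stored hash; real systems use crypt()/bcrypt-style hashes.
    return hashlib.sha256((salt + pw).encode()).hexdigest()


def audit(accounts, wordlist=BANNED):
    """Try username-derived and banned-word candidates against each stored
    hash; return {user: recovered_password} for every account that fell."""
    cracked = {}
    for user, salt, digest in accounts:
        candidates = itertools.chain(
            mutations(user), *(mutations(w) for w in sorted(wordlist))
        )
        for cand in candidates:
            if hmac.compare_digest(stand_in_hash(salt, cand), digest):
                cracked[user] = cand
                break
    return cracked


# Constructed records: (username, salt, stored hash).
ACCOUNTS = [
    ("bob",   "x7", stand_in_hash("x7", "printer1")),     # the thread's "fix"
    ("carol", "q2", stand_in_hash("q2", "password")),
    ("dave",  "m9", stand_in_hash("m9", "Tq9!vR2#mL")),  # not in any list
]

if __name__ == "__main__":
    print(audit(ACCOUNTS))
    for user, pw in (("bob", "printer1"), ("dave", "Tq9!vR2#mL")):
        print(user, is_weak(user, pw) or "ok")
```

The audit and the set-time check share the same base-word idea on purpose: anything the audit's cheap mutations would recover is exactly what `is_weak` refuses, so a client told to change "printer" cannot satisfy the rule with "Printer1" or "pr1nter".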
  11. Bailey

    Bailey Well-Known Member

    Joined:
    Aug 12, 2001
    Messages:
    120
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Wisconsin
    Boy the wording of those responses sounds amazingly like LayeredTech....... :eek: :p :eek:

    :D Bailey
     
  12. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    5
    Trophy Points:
    38
    Location:
    back woods of NC, USA

    I would be surprised if they would even reply to a ticket, let alone follow up on a spam complaint.
     
  13. Bailey

    Bailey Well-Known Member

    Joined:
    Aug 12, 2001
    Messages:
    120
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Wisconsin
    Abuse/spam complaints are one thing they do follow-up/respond on. It's just the tone of the responses above ^^^ they sound eerily LT-like.

    :D Bailey
     
  14. MaraBlue

    MaraBlue Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    335
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Carmichael, CA
    cPanel Access Level:
    Root Administrator
    I thought *I* was the only one who had those...

    Hey! Are you stealing my clients? :)
     
  15. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    5
    Trophy Points:
    38
    Location:
    back woods of NC, USA
    no ..but I have a couple you can have :D
     
