The Community Forums


mail virus?

Discussion in 'E-mail Discussions' started by Final-Solution, Aug 21, 2003.

  1. Final-Solution

    I've been getting messages that my mail wasn't able to send to various places for the past couple days . . but I don't send out email, only receive it . . I got the message that I've been sending out W32.Sobig.F@mm which affects Windows, but my server is running Linux and my Windows machine at work isn't infected . . any ideas why this would be happening? I've changed my email password just now in case someone was using it . .

  2. Host4u2

    If you have Matt Wright's FormMail (any version, by any name) on your server (account) it is most likely the problem. These scripts allow spammers to spam thru these scripts in turn making your account an open relay.

    I have banned any use of the scripts on my servers, offering a secure alternative to my clients.

    To find all incidences of any version of Matt Wright's FormMail on your server, use: http://cplicensing.net/extras/scripts/chkformmailver

    It takes a while, but will search out and report paths to all versions of formmail (by any name) to you via email.

  3. Host4u2

  4. Curious Too

    The sobig.f virus forges the "from" address, so what's probably happening is that someone you know who has your email address in their address book has an infected computer and is sending infected email with your address listed in the "from" header. The virus doesn't affect your server, it affects your desktop computer. Google "sobig.f" to learn more.

     
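Added example, not written by any poster in this thread: a way to check a returned bounce for the forged-"from" situation described in the post above. It reads the Received headers of the message embedded in the bounce and reports whether any hop names your own server; `OWN_HOSTS`, the function names and the sample bounce are assumptions constructed for illustration.

```python
import email
import re
from email import policy

# Assumed values: substitute your own mail server's hostname and IP address.
OWN_HOSTS = {"server.example.com", "192.0.2.10"}

# Constructed sample bounce; {hop} is filled with one Received line.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.recipient.example
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; boundary="b1"

--b1
Content-Type: message/rfc822

Received: {hop}
From: me@mydomain.example

(body of the returned message)
--b1--
"""

def embedded_original(bounce_bytes):
    """Return the original message (or just its headers) carried in a bounce."""
    msg = email.message_from_bytes(bounce_bytes, policy=policy.default)
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None

def relayed_by_own_server(bounce_bytes, own_hosts=OWN_HOSTS):
    """True/False if a Received hop names one of our hosts; None if unknown."""
    original = embedded_original(bounce_bytes)
    if original is None:
        return None  # the bounce did not include the original headers
    for hop in original.get_all("Received", []):
        tokens = {t.strip(".").lower() for t in re.findall(r"[A-Za-z0-9.-]+", str(hop))}
        if tokens & {h.lower() for h in own_hosts}:
            return True
    return False
```

Received lines added before the first server you trust can themselves be forged, so a True result is a reason to check your mail logs rather than proof on its own.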
  5. Curious Too

    What does the formmail script have to do with the sobig.f virus?

  6. Host4u2

    I had 900 - 1200 such mails sent using FormMail on each of my servers over 2 days. My own problem hasn't been with POP3 accounts. Since eliminating FormMail, I've had no problem at all. Obviously, this is not a cure for everyone, the source not all being with hacked formmail scripts for many. But, nevertheless, worth noting and taking preventative measures.

  7. tAzMaNiAc

    It may have been your problem back then, but it is not the problem now. Why bring it up when it was unrelated to this SoBig virus the guy mentioned up there?

    The other problem is people who set their default address to send somewhere else or leave it at default. I always set my default address to :blackhole: that way none of those come back and bite me in the rear. I advise clients to do the same as well. This reduces them seeing this formmail problem and it is almost completely transparent after that.

    Some clients want it and I WILL give it to them since I know it's got its hole patched and covered. If it happens again that another hole is found, no problem.. I disable until the next fix is released, then bring it back.

    Brenden

  8. Host4u2

    I brought it up because as of 2 days ago, over 4500 such messages were sent over 2 of my servers via a handful of emails sent to multiple recipients containing the SoBig virus. All via formmail scripts (including recent version).

    Yesterday, I noted it had all stopped, and made the post on the assumption I had cured the problem (acknowledging there are other options, as the good one you offered). Since that post however, I have seen the same problem not related to formmail... Obviously, I had only one of the routes blocked.

  9. ThunderHostingDotCom

    What do we do, just save the file as chkformmailver.pl, upload it & access it via a web browser? If that is not right how then? I am considering nixing all of our perl/cgi scripts & using a custom PHP one we designed which is MUCH better!

  10. Host4u2

    First, please understand that this is not a cure for the sobig virus returned emails we are getting. It's only a formmail hacking solution.

    You must open the chkformmailver.pl in a text editor, such as NotePad, and configure as instructed in the file. We did NOT choose the "chmod 000" function per the author's suggestion. Then copy to your server root and chmod 755. Then type: perl chkformmailver.pl and wait... it will write results to screen and email you a copy of the results using the email address you wrote into the script when configuring it.

     
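Added example, not the chkformmailver script and not code from any poster: one way to locate copies of FormMail by content rather than by filename, which is what finding it "by any name" requires. The header strings it matches, the function name and the size limit are assumptions; the scan only reports path, version and executable bit, and changes nothing on disk.

```python
import os
import re

# Assumption: a copy is recognised by text from the script's own header comments
# (the script name plus its author credit), whatever the file has been renamed to.
MARKERS = (
    re.compile(rb"FormMail", re.I),
    re.compile(rb"Matt Wright|Matt's Script Archive", re.I),
)
VERSION = re.compile(rb"FormMail\s+Version\s+([0-9][0-9.]*)", re.I)

def find_formmail(root, max_bytes=1_000_000):
    """Walk root and return sorted (path, version or None, is_executable) tuples."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                # Skip symlinks, sockets and devices; read only regular files.
                if os.path.islink(path) or not os.path.isfile(path):
                    continue
                mode = os.stat(path).st_mode
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue  # unreadable file: nothing to report
            if all(marker.search(data) for marker in MARKERS):
                found = VERSION.search(data)
                version = found.group(1).decode() if found else None
                hits.append((path, version, bool(mode & 0o111)))
    return sorted(hits)

if __name__ == "__main__":
    import sys
    for path, version, executable in find_formmail(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}\tversion={version or 'unknown'}\texecutable={executable}")
```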
  11. ThunderHostingDotCom


    Thanks!
