Here is the deal, I just checked our mail queue and noticed that there is a very large amount of emails sitting in there. 2000+! The email is coming from the same email/person/domain going to other accounts. We don't host any of the "from" domains. Server is up-to-date, has latest of everything and I have Exim SMTP checking to make sure that the user has a GID to send email. So what am I missing here? Here is an example of those emails:

Code:
1AgvJL-00083R-MF-H
mailnull 47 12
<>
1074126275 0
-ident mailnull
-received_protocol local
-body_linecount 31
-frozen 1074126275
-localerror
XX
1
samantha@hostdomino.com

153P Received: from mailnull by server-1.myserver.com with local (Exim 4.24)
        id 1AgvJL-00083R-MF
        for samantha@hostdomino.com; Wed, 14 Jan 2004 18:24:35 -0600
046  X-Failed-Recipients: amal_1972@rediffmail.com
031  Auto-Submitted: auto-generated
063F From: Mail Delivery System <Mailer-Daemon@server-1.myserver.com>
028T To: samantha@hostdomino.com
059  Subject: Mail delivery failed: returning message to sender
052I Message-Id: <E1AgvJL-00083R-MF@server-1.myserver.com>
038  Date: Wed, 14 Jan 2004 18:24:35 -0600

1AgvJL-00083R-MF-D
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  amal_1972@rediffmail.com
    SMTP error from remote mailer after RCPT TO:<amal_1972@rediffmail.com>:
    host mail3.rediffmail.com [203.199.83.132]: 551 Requested action not taken: mailbox full

------ This is a copy of the message, including all the headers. ------

Return-path: <samantha@hostdomino.com>
Received: from nobody by server-1.myserver.com with local (Exim 4.24)
        id 1AgvJK-000837-Jf
        for amal_1972@rediffmail.com; Wed, 14 Jan 2004 18:24:34 -0600
To: amal_1972@rediffmail.com
Subject: Unreal Penetrations
From: Samantha <samantha@hostdomino.com>
Reply-To: samantha@hostdomino.com
Errors-To: <samantha@hostdomino.com>
MIME-Version: 1.0
X-Mailer: AOL 6.0 for Windows US sub 10520
Content-type: text/html; charset=iso-8859-1
Message-Id: <E1AgvJK-000837-Jf@server-1.myserver.com>
Date: Wed, 14 Jan 2004 18:24:34 -0600

<html><body bgcolor="#FFFFFF" text="#000000" link="#000000" vlink="#000000" alink="#000000"><table border="0" cellspacing="0" cellpadding="0" align="center"><tr><td align="center"><a href="http://www.cubemagazine.net/up2/PXUGr21thzQsUXkSkjQ.html"><font size="1"><a href="http://www.cubemagazine.net/up2/PXUGr21thzQsUXkSkjQ.html">Tony showed me this site, it's fucking awesome!<p>It's got the biggest cocks you've ever seen splitting open the tiniest chicks.The pics are fucking unreal.It's also got some of the craziest penetrations.The site is out of control.You're going to love it!</a></font></a><br> <br> <a href="http://www.cubemagazine.net/up2/PXUGr21thzQsUXkSkjQ.html" target="_new"><img src="http://www.cubemagazine.net/up2/PXUGr21thzQsUXkSkjQ.png" border="0"></a></td></tr></table><p><center><font size="1"><font color="#ffffff">PXUGr21thzQsUXkSkjQ PXUGr21thzQsUXkSkjQ PXUGr21thzQsUXkSkjQ PXUGr21thzQsUXkSkjQ PXUGr21thzQsUXkSkjQ</font></font></center><p><center><font size="1"><a href="http://www.cubemagazine.net/_PXUGr21thzQsUXkSkjQ.php"><img src="http://www.cubemagazine.net/_PXUGr21thzQsUXkSkjQ/re.jpg" border="0"></a></center></body></html>
I have been in the same boat for a bit with even the same email from domain you use in your example. Let me run this list by ya..

handclass.com
hateresearch.net
healthmeat.com
healthygoodies.com
heartlessons.com
hearttesting.net
heatherbrown.net
helphotels.net
highyellow.com
higod.net
historyexplorer.net
hogworld.net
homealtars.com
homeimage.net
hostdomino.com
hostdomino.net
hotguitars.net
housefront.net
huggerperformance.net
huntinglabs.net
hypnotismtherapy.com

I have tried like hell to figure this one out, how they are actually entering the queue, but to no avail. The one you posted has a bounce in it, which I've definitely seen, but I have also watched them enter the queue and get ready to send as if they originated on the server, except they are missing some parts and it seems to be forged headers with exim filling in the rest. If I tail -f /var/log/exim_mainlog and watch it, they enter in 4 or 5 at a time every few seconds with U=nobody P=local and I'd almost say that there's an exploited script, except I've grepped just about everything I can (not running phpsuexec, btw) and nothing comes up. And, no process appears to be running on the server at the time these are entering to indicate a script is inputting them. Anyway, I got fed up with it yesterday and did a basic exim rewrite which altered the to: based on filtering from the above list to the site which was being advertised. Perhaps a shitty thing to do, but I got a very fast reply to an email I sent them concerning this 'affiliate' of theirs asking me to stop clogging up their mail server;hehe They also apparently terminated his affiliate account with this particular site and when verifying the page he was advertising to, it appears so. dunno...a bit of justice in that. I'm now simply just failing them immediately with a filter in /etc/antivirus.exim so they never enter the queue, which is easy enough and buys time to figure this one out. Wish I was actually of help, but you're not alone with this clown, anyway
btw; it was a script on the server in my case and I bet it is in yours, too. If you or anyone else is seeing a lot of bounced mail with any of the above email addresses I listed, feel free to PM me. I don't know if it's kosher here to post the customer contact info this one signed up with nor the IPs used to connect to the script. I got 'lucky' on the hunt this morning
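As an added example, not code from the thread: a short Python scanner that does what the tail -f observation above does by hand, reading exim_mainlog "<=" arrival lines and flagging sender domains the server does not host that are injected locally as U=nobody P=local in bursts. The log lines are constructed for the example (the hostdomino.com ids mirror the thread); the U=mailnull line with an empty "<>" sender is the bounce Exim itself generates for the failed message, which is why a queue full of frozen bounces shows mailnull rather than nobody.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed exim_mainlog excerpt: 4 local injections in 5 s, Exim's own bounce
# for one of them (U=mailnull, sender <>), a normal local user, a normal SMTP arrival.
SAMPLE_LOG = """\
2004-01-14 18:24:30 1AgvJG-000831-Aa <= samantha@hostdomino.com U=nobody P=local S=1843 id=E1AgvJG-000831-Aa@server-1.myserver.com
2004-01-14 18:24:31 1AgvJH-000833-Bb <= samantha@hostdomino.com U=nobody P=local S=1843 id=E1AgvJH-000833-Bb@server-1.myserver.com
2004-01-14 18:24:32 1AgvJI-000835-Cc <= samantha@hostdomino.com U=nobody P=local S=1843 id=E1AgvJI-000835-Cc@server-1.myserver.com
2004-01-14 18:24:34 1AgvJK-000837-Jf <= samantha@hostdomino.com U=nobody P=local S=1843 id=E1AgvJK-000837-Jf@server-1.myserver.com
2004-01-14 18:24:35 1AgvJL-00083R-MF <= <> R=1AgvJK-000837-Jf U=mailnull P=local S=3012
2004-01-14 18:30:00 1AgvPA-00090A-Qq <= will@myserver.com U=will P=local S=410 id=E1AgvPA-00090A-Qq@server-1.myserver.com
2004-01-14 18:31:12 1AgvQC-00091C-Rr <= alice@example.org H=mx.example.org [192.0.2.10] P=esmtp S=2210
"""

# Arrival line: timestamp, message id, "<=", envelope sender ("<>" for bounces), KEY=value fields
ARRIVAL_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) <= (\S+) (.*)$")
FIELD_RE = re.compile(r"\b([A-Z])=(\S+)")

def parse_arrival(line):
    m = ARRIVAL_RE.match(line)
    if not m:
        return None                      # delivery (=>), defer, or other line types
    ts, msg_id, sender, rest = m.groups()
    fields = dict(FIELD_RE.findall(rest))
    domain = sender.rsplit("@", 1)[1].lower() if "@" in sender else ""
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "id": msg_id,
            "sender": sender, "domain": domain,
            "user": fields.get("U", ""), "proto": fields.get("P", "")}

def find_local_bursts(lines, hosted_domains, users=("nobody",),
                      window_s=60, threshold=4):
    # {domain: peak messages in any window_s seconds} for non-hosted sender domains
    # injected with P=local by the web-server user; bounces and SMTP mail are ignored
    stamps = defaultdict(list)
    for line in lines:
        rec = parse_arrival(line)
        if rec and rec["proto"] == "local" and rec["user"] in users \
                and rec["domain"] and rec["domain"] not in hosted_domains:
            stamps[rec["domain"]].append(rec["ts"])
    flagged = {}
    for domain, times in stamps.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[domain] = peak
    return flagged
```

Run it against the real log with `find_local_bursts(open("/var/log/exim_mainlog"), hosted_domains={...})` and the flagged domains point at which account's scripts to look at; on a cPanel box the same data is what a `grep "U=nobody P=local" /var/log/exim_mainlog` shows, just counted per sender domain.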
Thanks for the reply. All of the domains that you listed do appear in our mail queue so yeah I've got someone using the mail server to spam. I've turned off all instances of mailforms so I'm not sure what else I should be looking for. The only difference is that I see U=mailnull P=local not nobody. Can you send me the exim re-write? I'll give it a shot. Thanks, Will
I PM'ed you some of the info like customer contact (have found that this is one used in more than one place) and how to do a crude rewrite so all of the bounces go somewhere else. The rewrite is kind of vigilante justice, though, so be careful with it;hehe The best way is probably to reject them instantly so that they aren't going anywhere, including the queue. Open up /etc/antivirus.exim and find a filter that is already created that you can just expand on. You should see it near the top:

# These messages are now being sent with a <> envelope sender,...

I made the filter look like this..

Code:
if $header_from: contains "@sexyfun.com"
   or $header_from: contains "@handclass.com"
   or $header_from: contains "@hateresearch.net"
   or $header_from: contains "@healthmeat.com"
   or $header_from: contains "@healthygoodies.com"
   or $header_from: contains "@heartlessons.com"
   or $header_from: contains "@hearttesting.net"
   or $header_from: contains "@heatherbrown.net"
   or $header_from: contains "@helphotels.net"
   or $header_from: contains "@highyellow.com"
   or $header_from: contains "@higod.net"
   or $header_from: contains "@historyexplorer.net"
   or $header_from: contains "@hogworld.net"
   or $header_from: contains "@homealtars.com"
   or $header_from: contains "@homeimage.net"
   or $header_from: contains "@hostdomino.com"
   or $header_from: contains "@hostdomino.net"
   or $header_from: contains "@hotguitars.net"
   or $header_from: contains "@housefront.net"
   or $header_from: contains "@huggerperformance.net"
   or $header_from: contains "@huntinglabs.net"
   or $header_from: contains "@hypnotismtherapy.com"
then
   # fail text "This message has been rejected since it has\n\
   # the signature of a known virus in the header."
   # "seen finish" ends the filter and marks the message as handled,
   # so it is dropped here without a bounce being generated
   seen finish
endif

if error_message and $header_from: contains "Mailer-Daemon@" then
   # looks like a real error message - just ignore it
   finish
endif

There might be a better way to do it, but it rejects all mail with those email addresses in the from: instantly.
I commented out the fail text because, since the mail was to be rejected completely, there's no point in writing anything in the header. You may want to make sure you are using /etc/antivirus.exim as your system-wide filter by going to the 'exim configuration editor' in WHM; you should see "System filter file (leave blank to disable):" with /etc/antivirus.exim there. Anyway, I'm curious if this guy's actually on your server. good luck
The person that you mentioned in your PM was on the server. He is now deleted and I can tell that the mail server is no longer generating all of those emails. Thank you for all of your help. As soon as you mentioned that name, the red flag went up