cPanel & WHM Community Forums

mailnull the highest mail sender?

Discussion in 'E-mail Discussions' started by wills, Jan 14, 2004.

  1. wills (Well-Known Member)
    Here is the deal: I just checked our mail queue and noticed that there is a very large amount of email sitting in there. 2000+! The email is coming from the same email/person/domain going to other accounts. We don't host any of the "from" domains. The server is up-to-date, has the latest of everything, and I have Exim SMTP checking to make sure that the user has a GID to send email. So what am I missing here? :confused:

    Here is an example of those emails:

    1AgvJL-00083R-MF-H
    mailnull 47 12
    <>
    1074126275 0
    -ident mailnull
    -received_protocol local
    -body_linecount 31
    -frozen 1074126275
    -localerror
    XX
    1
    samantha@hostdomino.com

    153P Received: from mailnull by server-1.myserver.com with local (Exim 4.24)
        id 1AgvJL-00083R-MF
        for samantha@hostdomino.com; Wed, 14 Jan 2004 18:24:35 -0600
    046 X-Failed-Recipients: amal_1972@rediffmail.com
    031 Auto-Submitted: auto-generated
    063F From: Mail Delivery System <Mailer-Daemon@server-1.myserver.com>
    028T To: samantha@hostdomino.com
    059 Subject: Mail delivery failed: returning message to sender
    052I Message-Id: <E1AgvJL-00083R-MF@server-1.myserver.com>
    038 Date: Wed, 14 Jan 2004 18:24:35 -0600


    1AgvJL-00083R-MF-D
    This message was created automatically by mail delivery software.

    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:

    amal_1972@rediffmail.com
    SMTP error from remote mailer after RCPT TO:<amal_1972@rediffmail.com>:
    host mail3.rediffmail.com [203.199.83.132]: 551 Requested action not taken:
    mailbox full

    ------ This is a copy of the message, including all the headers. ------

    Return-path: <samantha@hostdomino.com>
    Received: from nobody by server-1.myserver.com with local (Exim 4.24)
        id 1AgvJK-000837-Jf
        for amal_1972@rediffmail.com; Wed, 14 Jan 2004 18:24:34 -0600
    To: amal_1972@rediffmail.com
    Subject: Unreal Penetrations
    From: Samantha <samantha@hostdomino.com>
    Reply-To: samantha@hostdomino.com
    Errors-To: <samantha@hostdomino.com>
    MIME-Version: 1.0
    X-Mailer: AOL 6.0 for Windows US sub 10520
    Content-type: text/html; charset=iso-8859-1
    Message-Id: <E1AgvJK-000837-Jf@server-1.myserver.com>
    Date: Wed, 14 Jan 2004 18:24:34 -0600


    <html><body bgcolor="#FFFFFF" text="#000000" link="#000000" vlink="#000000" alink="#000000"><table border="0" cellspacing="0" cellpadding="0" align="center"><tr><td align="center"><a href="http://www.cubemagazine.net/up2/PXUGr21thzQsUXkSkjQ.html"><font size="1"><a href="http://www.cubemagazine.net/up2/PXUGr21thzQsUXkSkjQ.html">Tony showed me this site, it's fucking awesome!<p>It's got the biggest cocks you've ever seen splitting open the tiniest chicks.The pics are fucking unreal.It's also got some of the craziest penetrations.The site is out of control.You're going to love it!</a></font></a><br>
    <br>
    <a href="http://www.cubemagazine.net/up2/PXUGr21thzQsUXkSkjQ.html" target="_new"><img src="http://www.cubemagazine.net/up2/PXUGr21thzQsUXkSkjQ.png" border="0"></a></td></tr></table><p><center><font size="1"><font color="#ffffff">PXUGr21thzQsUXkSkjQ PXUGr21thzQsUXkSkjQ PXUGr21thzQsUXkSkjQ PXUGr21thzQsUXkSkjQ PXUGr21thzQsUXkSkjQ</font></font></center><p><center><font size="1"><a href="http://www.cubemagazine.net/_PXUGr21thzQsUXkSkjQ.php"><img src="http://www.cubemagazine.net/_PXUGr21thzQsUXkSkjQ/re.jpg" border="0"></a></center></body></html>
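    The dump above is an Exim spool header file (the `-H` file of a queued message). The following Python is an added example for this thread, not code from the posts or from cPanel/Exim: it parses that layout (login/uid/gid, envelope sender, `-option` lines, the non-recipients tree or `XX`, recipient count and recipients, a blank line, then headers written as `<length><flag> Header: value` with folded lines indented), picks out frozen bounces that Exim generated for locally submitted mail, and tallies which bounce-target domains are not hosted on the box. Since a bounce goes to the envelope sender, those are the forged Return-path domains the spam was injected with. The sample is the posted `-H` file with the folded `Received:` indentation and the flag column of plain headers restored (the forum collapsed the double space after `046`); the hosted-domain set is hypothetical.

```python
"""Triage frozen bounces in an Exim queue from their spool -H header files.
Added example for this thread, not code from the posts or from cPanel/Exim.
Assumes the Exim 4 spool header layout visible in the post above; the
hosted-domain set passed to forged_sender_domains() is hypothetical."""
import re
from collections import Counter

# Constructed sample: the -H file pasted above, with a tab restored on the
# folded Received: lines and the flag column restored on plain headers.
SAMPLE_H = """1AgvJL-00083R-MF-H
mailnull 47 12
<>
1074126275 0
-ident mailnull
-received_protocol local
-body_linecount 31
-frozen 1074126275
-localerror
XX
1
samantha@hostdomino.com

153P Received: from mailnull by server-1.myserver.com with local (Exim 4.24)
\tid 1AgvJL-00083R-MF
\tfor samantha@hostdomino.com; Wed, 14 Jan 2004 18:24:35 -0600
046  X-Failed-Recipients: amal_1972@rediffmail.com
031  Auto-Submitted: auto-generated
063F From: Mail Delivery System <Mailer-Daemon@server-1.myserver.com>
028T To: samantha@hostdomino.com
059  Subject: Mail delivery failed: returning message to sender
052I Message-Id: <E1AgvJL-00083R-MF@server-1.myserver.com>
038  Date: Wed, 14 Jan 2004 18:24:35 -0600
"""

# length, one-char type flag (P/F/T/I/... or a space), optional space, header
HEADER_RE = re.compile(r"^(\d{3,})([A-Z* ]) ?(.*)$")

def parse_spool_header(text):
    """Parse one -H file into id, login, sender, options, recipients, headers."""
    lines = text.splitlines()
    msg = {"id": lines[0][:-2], "login": lines[1].split()[0],
           "sender": lines[2], "options": {}, "recipients": [], "headers": []}
    i = 4
    while lines[i].startswith("-"):              # option lines: -name [value]
        name, _, value = lines[i][1:].partition(" ")
        msg["options"][name] = value
        i += 1
    if lines[i] == "XX":                          # empty tree of non-recipients
        i += 1
    else:
        while re.match(r"^[YN][YN] ", lines[i]):  # skip tree nodes
            i += 1
    count = int(lines[i]); i += 1
    for _ in range(count):
        msg["recipients"].append(lines[i].split()[0]); i += 1
    i += 1                                        # blank separator line
    for line in lines[i:]:
        m = HEADER_RE.match(line)
        if m:
            msg["headers"].append(m.group(3))
        elif line[:1] in (" ", "\t") and msg["headers"]:
            msg["headers"][-1] += "\n" + line     # folded continuation
    return msg

def header(msg, name):
    """Value of the first header with this name (case-insensitive), or None."""
    for h in msg["headers"]:
        field, _, value = h.partition(":")
        if field.lower() == name.lower():
            return value.strip()
    return None

def classify_bounce(msg):
    """Return a record if msg is a frozen bounce Exim generated on this host
    (empty sender, received_protocol local); otherwise None."""
    opts = msg["options"]
    if msg["sender"] != "<>" or "frozen" not in opts or opts.get("received_protocol") != "local":
        return None
    return {"id": msg["id"], "generated_by": msg["login"],
            "local_error": "localerror" in opts,
            "bounce_to": msg["recipients"][0] if msg["recipients"] else header(msg, "To"),
            "failed": header(msg, "X-Failed-Recipients")}

def forged_sender_domains(records, hosted_domains):
    """Tally bounce targets whose domain is not hosted here: the forged
    Return-path domains the injected spam carried, i.e. what to filter on."""
    tally = Counter()
    for r in records:
        domain = r["bounce_to"].rpartition("@")[2].lower()
        if domain not in hosted_domains:
            tally[domain] += 1
    return tally

if __name__ == "__main__":
    rec = classify_bounce(parse_spool_header(SAMPLE_H))
    print(rec)
    print(forged_sender_domains([rec], {"myserver.com"}))
```

    Run it over every `*-H` file in Exim's spool input directory (or the output of `exim -Mvh <id>` for one message) and feed the records to `forged_sender_domains()` with the domains the server actually hosts; the domains that come out are the same kind of list zenpig66 posts below.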
     
  2. zenpig66 (Active Member)
    I have been in the same boat for a bit, with even the same "from" domain you use in your example. Let me run this list by you..

    handclass.com
    hateresearch.net
    healthmeat.com
    healthygoodies.com
    heartlessons.com
    hearttesting.net
    heatherbrown.net
    helphotels.net
    highyellow.com
    higod.net
    historyexplorer.net
    hogworld.net
    homealtars.com
    homeimage.net
    hostdomino.com
    hostdomino.net
    hotguitars.net
    housefront.net
    huggerperformance.net
    huntinglabs.net
    hypnotismtherapy.com


    I have tried like hell to figure this one out, how they are actually entering the queue, but to no avail. The one you posted has a bounce in it, which I've definitely seen, but I have also watched them enter the queue and get ready to send as if they originated on the server, except they are missing some parts and it seems to be forged headers with Exim filling in the rest. If I tail -f /var/log/exim_mainlog and watch it, they enter 4 or 5 at a time every few seconds with U=nobody P=local, and I'd almost say that there's an exploited script, except I've grepped just about everything I can (not running phpsuexec, btw) and nothing comes up. And no process appears to be running on the server at the time these are entering to indicate a script is inputting them.

    Anyway, I got fed up with it yesterday and did a basic Exim rewrite which altered the To: based on filtering from the above list to the site which was being advertised :) Perhaps a shitty thing to do, but I got a very fast reply to an email I sent them concerning this 'affiliate' of theirs, asking me to stop clogging up their mail server; hehe. They also apparently terminated his affiliate account with this particular site, and when verifying the page he was advertising, it appears so. Dunno... a bit of justice in that. I'm now simply failing them immediately with a filter in /etc/antivirus.exim so they never enter the queue, which is easy enough and buys time to figure this one out.

    Wish I was actually of help, but you're not alone with this clown, anyway :)
     
    #2 zenpig66, Jan 14, 2004
    Last edited: Jan 14, 2004
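    What zenpig66 describes doing by hand, tailing exim_mainlog for bursts of U=nobody P=local arrivals and then hunting for the script that feeds them, can be scripted. The Python below is an added example for this thread, not code from the posts or from cPanel/Exim. It assumes Exim 4 mainlog `<=` arrival lines of the shape shown in the sample, including that the bounce Exim generates is logged with an empty sender and `R=<original message id>` under Exim's own user (U=mailnull on cPanel, which is what the first post saw), an Apache-style access log in the same local timezone as the mainlog, and a hypothetical script path `/formmail.php`; every log line in it is constructed. It does three things: flags (uid, sender domain) pairs that inject several messages locally within seconds, maps each bounce back to the submission that caused it, and counts which web request keeps landing a second or two before each injection.

```python
"""Spot a web script injecting mail through Exim's local (sendmail) interface.
Added example for this thread, not code from the posts or from cPanel/Exim.
Assumes Exim 4 mainlog '<=' lines as in MAINLOG and Apache-style access logs in
the same local timezone; all log lines below are constructed samples."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed exim_mainlog excerpt: four submissions by the web-server user
# (U=nobody P=local) within seconds, the bounce Exim generates for one of them
# (sender <>, R= names the original, U=mailnull is Exim's own user), plus a
# cron mail and a normal SMTP arrival that must not be flagged.
MAINLOG = """\
2004-01-14 18:24:30 1AgvJG-00082x-A1 <= root@server-1.myserver.com U=root P=local S=512
2004-01-14 18:24:31 1AgvJH-000831-B2 <= samantha@hostdomino.com U=nobody P=local S=1802
2004-01-14 18:24:32 1AgvJI-000833-C3 <= samantha@hostdomino.com U=nobody P=local S=1802
2004-01-14 18:24:33 1AgvJJ-000835-D4 <= samantha@hostdomino.com U=nobody P=local S=1802
2004-01-14 18:24:34 1AgvJK-000837-Jf <= samantha@hostdomino.com U=nobody P=local S=1802
2004-01-14 18:24:35 1AgvJL-00083R-MF <= <> R=1AgvJK-000837-Jf U=mailnull P=local S=2587
2004-01-14 18:24:40 1AgvJR-00083Z-Q9 <= joe@example.org H=mail.example.org [192.0.2.10] P=esmtp S=900
""".splitlines()

# Constructed Apache access log for the same seconds; /formmail.php is a
# hypothetical script name, 203.0.113.5 a hypothetical client.
ACCESSLOG = """\
203.0.113.5 - - [14/Jan/2004:18:24:31 -0600] "POST /formmail.php HTTP/1.1" 200 312
203.0.113.5 - - [14/Jan/2004:18:24:32 -0600] "POST /formmail.php HTTP/1.1" 200 312
198.51.100.7 - - [14/Jan/2004:18:24:32 -0600] "GET /index.html HTTP/1.1" 200 5120
203.0.113.5 - - [14/Jan/2004:18:24:33 -0600] "POST /formmail.php HTTP/1.1" 200 312
203.0.113.5 - - [14/Jan/2004:18:24:34 -0600] "POST /formmail.php HTTP/1.1" 200 312
""".splitlines()

ARRIVAL_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<id>\S+) <= (?P<sender>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r"(?<!\S)([A-Za-z]+)=(\S+)")          # U=nobody P=local R=... etc.
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')

def parse_arrival(line):
    """Parse a '<=' (message arrived) line; None for any other line."""
    m = ARRIVAL_RE.match(line)
    if not m:
        return None
    kv = dict(KV_RE.findall(m.group("rest")))
    return {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "id": m.group("id"), "sender": m.group("sender"),
            "user": kv.get("U"), "proto": kv.get("P"), "ref": kv.get("R")}

def local_injection_bursts(lines, window_s=10, threshold=4):
    """Peak number of first-hand P=local submissions per (uid, sender domain)
    inside any window_s-second window; only keys reaching threshold are returned."""
    recent, peak = defaultdict(deque), {}
    for line in lines:
        ev = parse_arrival(line)
        if not ev or ev["proto"] != "local" or ev["sender"] == "<>":
            continue                      # skip SMTP arrivals and bounces
        key = (ev["user"], ev["sender"].rpartition("@")[2].lower())
        q = recent[key]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            peak[key] = max(peak.get(key, 0), len(q))
    return peak

def bounce_origins(lines):
    """Map each Exim-generated bounce (sender <>, R=<id>) to the submission that
    caused it, so a queue full of U=mailnull bounces leads back to the injector."""
    seen, origins = {}, {}
    for line in lines:
        ev = parse_arrival(line)
        if not ev:
            continue
        if ev["sender"] != "<>":
            seen[ev["id"]] = ev
        elif ev["ref"] in seen:
            origins[ev["id"]] = seen[ev["ref"]]
    return origins

def correlate_with_access_log(mail_lines, access_lines, user="nobody", slack_s=2):
    """Count (client IP, URL path) pairs requested within slack_s seconds before
    each local submission by `user`; the injecting script dominates the count."""
    requests = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts").split()[0], "%d/%b/%Y:%H:%M:%S")
            parts = m.group("req").split()
            requests.append((ts, m.group("ip"), parts[1] if len(parts) > 1 else m.group("req")))
    suspects = Counter()
    for line in mail_lines:
        ev = parse_arrival(line)
        if not ev or ev["proto"] != "local" or ev["user"] != user:
            continue
        for ts, ip, path in requests:
            if 0 <= (ev["ts"] - ts).total_seconds() <= slack_s:
                suspects[(ip, path)] += 1
    return suspects

if __name__ == "__main__":
    print(local_injection_bursts(MAINLOG))
    for bounce_id, src in bounce_origins(MAINLOG).items():
        print(bounce_id, "is a bounce of", src["id"], "submitted by U=" + str(src["user"]))
    print(correlate_with_access_log(MAINLOG, ACCESSLOG).most_common(3))
```

    The burst detector deliberately ignores `<= <>` lines, which is why a box that only shows U=mailnull in the queue still needs `bounce_origins()` to find the U=nobody submissions behind them. The access-log correlation is only as good as the clock agreement between the two logs; widen `slack_s` if the mail is handed to Exim asynchronously by the web application.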
  3. zenpig66 (Active Member)
    btw; it was a script on the server in my case and I bet it is in yours, too. If you or anyone else is seeing a lot of bounced mail with any of the above email addresses I listed, feel free to PM me. I don't know if it's kosher here to post the customer contact info this one signed up with nor the ip's used to connect to the script. I got 'lucky' on the hunt this morning :)
     
  4. wills (Well-Known Member)
    Thanks for the reply. All of the domains that you listed do appear in our mail queue so yeah I've got someone using the mail server to spam. I've turned off all instances of mailforms so I'm not sure what else I should be looking for.

    The only difference is that I see U=mailnull P=local not nobody.

    Can you send me the exim re-write? I'll give it a shot.

    Thanks,
    Will
     
  5. zenpig66 (Active Member)
    I PM'ed you some of the info, like the customer contact (have found that this one is used in more than one place) and how to do a crude rewrite so all of the bounces go somewhere else. The rewrite is kind of vigilante justice, though, so be careful with it; hehe

    The best way is probably to reject them instantly so that they aren't going anywhere, including the queue. Open up /etc/antivirus.exim and find a filter that is already created that you can just expand on. You should see it near the top: # These messages are now being sent with a <> envelope sender,...
    I made the filter look like this..
    Code:
    # Fragment of the Exim system filter in /etc/antivirus.exim (Exim filter syntax).
    # $header_from: is the From: header; "contains" is a case-sensitive substring
    # match, so a mixed-case domain in the From: would slip past this list.
    if $header_from: contains "@sexyfun.com"
    or $header_from: contains "@handclass.com"
    or $header_from: contains "@hateresearch.net"
    or $header_from: contains "@healthmeat.com"
    or $header_from: contains "@healthygoodies.com"
    or $header_from: contains "@heartlessons.com"
    or $header_from: contains "@hearttesting.net"
    or $header_from: contains "@heatherbrown.net"
    or $header_from: contains "@helphotels.net"
    or $header_from: contains "@highyellow.com"
    or $header_from: contains "@higod.net"
    or $header_from: contains "@historyexplorer.net"
    or $header_from: contains "@hogworld.net"
    or $header_from: contains "@homealtars.com"
    or $header_from: contains "@homeimage.net"
    or $header_from: contains "@hostdomino.com"
    or $header_from: contains "@hostdomino.net"
    or $header_from: contains "@hotguitars.net"
    or $header_from: contains "@housefront.net"
    or $header_from: contains "@huggerperformance.net"
    or $header_from: contains "@huntinglabs.net"
    or $header_from: contains "@hypnotismtherapy.com"
    then
      # "fail" would bounce the message back to its (forged) sender, so it is
      # left commented out; "seen finish" marks the message as handled and stops
      # filtering, which in a system filter discards it silently.
    #  fail text "This message has been rejected since it has\n\
    #            the signature of a known virus in the header."
      seen finish
    endif
    # Genuine delivery failure reports pass through untouched.
    if error_message and $header_from: contains "Mailer-Daemon@"
    then
      # looks like a real error message - just ignore it
      finish
    endif
    
    There might be a better way to do it, but it rejects all mail with those email addresses in the From: instantly. I commented out the fail text because, since the mail was to be rejected completely, there's no point in writing anything in the header :) You may want to make sure you are using /etc/antivirus.exim as your system-wide filter by going to the 'Exim configuration editor' in WHM; you should see "System filter file (leave blank to disable):" with /etc/antivirus.exim there.

    Anyway, I'm curious if this guy's actually on your server.

    good luck
     
  6. wills (Well-Known Member)
    The person that you mentioned in your pm was on the server. He is now deleted and I can tell that the mail server is no longer generating all of those emails.

    Thank you for all of your help. As soon as you mentioned that name the red flag went up :)
     
