The Community Forums


Mysterious Spam originating from our server?

Discussion in 'General Discussion' started by ronan675, Feb 23, 2006.

  1. ronan675

    ronan675 Member

    Joined:
    Mar 26, 2002
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    I have been receiving almost 2000 AOL notifications of spam emails each day since I signed up to their feedback loop service but I am at a loss as to where they are originating from.

    The server is very well secured with apf, bdf, mod_sec etc. and is running the latest release version of cPanel. An example header is included below. There are a number of strange things about the header. First of all it seems to be missing all anti-abuse headers and secondly it's got qmail style message IDs which is obviously impossible for a cPanel / Exim server. All the messages are basically the same content but the domain name in the message body seems to change every few days and the subject line also changes slightly.

    I have run numerous scans of the server with rkhunter, chkrootkit etc. and they came up with nothing. I can't see any strange processes running and mod_sec appears to be successfully blocking numerous BCC form injection attacks which were causing most of our spam issues lately. I just cannot figure out where this is originating from so any ideas would be appreciated as it's getting annoying now. :confused:

    -------- Original Message --------
    X-AOL-UID: 193.1787634993
    X-AOL-DATE: Thu, 23 Feb 2006 1:07:55 AM Eastern Standard Time
    Return-Path: <kennymanley6@evotec.net>
    Received: from rly-xm04.mx.aol.com (rly-xm04.mail.aol.com [172.20.83.105]) by air-xm01.mail.aol.com (vx) with ESMTP id MAILINXM11-60643fd5136385; Thu, 23 Feb 2006 01:07:55 -0500
    Received: from xeon.OURSERVERHOSTNAME (xeon.OURSERVERHOSTNAME [OURSERVERIP]) by rly-xm04.mx.aol.com (vx) with ESMTP id MAILRELAYINXM42-60643fd5136385; Thu, 23 Feb 2006 01:07:50 -0500
    Received: (qmail 23207 invoked by uid 13339); Fri, 24 Feb 2006 05:28:58 +0200 (CEST)
    Message-Id: <20060224052858.23207.qmail@mxqd.xeon.OURSERVERHOSTNAME>
    From: "Lashonna Hanes" <kennymanley6@evotec.net>
    To: <Undisclosed Recipients>
    Date: Fri, 24 Feb 2006 05:28:58 +0200 (CEST)
    Subject: Bringingx another feelings to daughter
    Mime-Version: 1.0
    Content-Type: text/plain
    X-AOL-IP: OUR SERVER IP

    That day I invitedd my co-workers and together we used my daughter in allw her entersa inb http://wisenen.net/?kqlm at once
     
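Working the quoted header the way a defender would: an added Python example, not code from the thread, that parses the Received: chain, checks that each hop's timestamp is no newer than the hop above it that received the message, and flags qmail-style stamps on a host that runs Exim. The sample header is reconstructed from the post above with the poster's own placeholders kept.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the header quoted in the post above, with the poster's
# placeholders (OURSERVERHOSTNAME, OURSERVERIP) left in place.
SAMPLE = """\
Received: from rly-xm04.mx.aol.com (rly-xm04.mail.aol.com [172.20.83.105]) by air-xm01.mail.aol.com (vx) with ESMTP id MAILINXM11-60643fd5136385; Thu, 23 Feb 2006 01:07:55 -0500
Received: from xeon.OURSERVERHOSTNAME (xeon.OURSERVERHOSTNAME [OURSERVERIP]) by rly-xm04.mx.aol.com (vx) with ESMTP id MAILRELAYINXM42-60643fd5136385; Thu, 23 Feb 2006 01:07:50 -0500
Received: (qmail 23207 invoked by uid 13339); Fri, 24 Feb 2006 05:28:58 +0200 (CEST)
Message-Id: <20060224052858.23207.qmail@mxqd.xeon.OURSERVERHOSTNAME>
From: "Lashonna Hanes" <kennymanley6@evotec.net>
Subject: Bringingx another feelings to daughter
"""


def hop_times(raw):
    """UTC timestamp of every Received: hop, newest (topmost) first."""
    msg = message_from_string(raw)
    times = []
    for hdr in msg.get_all("Received", []):
        stamp = hdr.rsplit(";", 1)[-1]                  # the date follows the last ';'
        stamp = re.sub(r"\s*\([^)]*\)\s*$", "", stamp)  # drop a trailing "(CEST)" comment
        times.append(parsedate_to_datetime(stamp.strip()).astimezone(timezone.utc))
    return times


def find_anomalies(raw, local_mta="exim"):
    """Signs that the lower hops were written by the sender rather than a real MTA."""
    msg = message_from_string(raw)
    findings = []
    times = hop_times(raw)
    # Each MTA prepends its own line, so reading downwards every hop must be
    # no newer than the hop above it that accepted the message from it.
    for i in range(1, len(times)):
        if times[i] > times[i - 1]:
            findings.append(f"hop {i} claims {times[i]:%Y-%m-%d %H:%M} UTC, "
                            f"after the hop that received it ({times[i - 1]:%Y-%m-%d %H:%M} UTC)")
    # cPanel hosts run Exim; a qmail stamp or qmail-style Message-Id must be forged.
    if local_mta != "qmail":
        if any("qmail" in h for h in msg.get_all("Received", [])):
            findings.append(f"Received: hop claims qmail on an {local_mta} host")
        if "qmail@" in (msg.get("Message-Id") or ""):
            findings.append(f"qmail-style Message-Id on an {local_mta} host")
    return findings
```

On this sample the bottom hop is stamped a day after AOL accepted the message, which by itself shows the "qmail" line was generated by the sending script, not by a mail server.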
  2. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    Check to make sure no one has their email automatically being forwarded to AOL. Low scoring spam that slips through can be a pain if the user then flags it as spam. I have the same problem, and AOL just went to my DC and complained - even after they told me it would not be a problem over the phone. :)
     
  3. ronan675

    ronan675 Member

    Joined:
    Mar 26, 2002
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    I checked this and none of my users are forwarding to AOL addresses. :confused:

     
  4. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,384
    Likes Received:
    23
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    What about any netscape forwarders (I can't remember if it's netscape.com or netscape.net)? I vaguely recall seeing some of the AOL messages we received and they would mention a netscape address and sure enough, the user would have an e-mail address forwarding to a netscape address.

    I'm really not sure, but it might give you something else to look for.
     
  5. ronan675

    ronan675 Member

    Joined:
    Mar 26, 2002
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    Just checked this and there are no netscape forwarders either. It's very strange. Also the number of notifications increased today which would indicate more spam was being sent. I still cannot find anything in the exim logs. Very strange. :confused:


     
  6. mike25

    mike25 Well-Known Member

    Joined:
    Aug 29, 2003
    Messages:
    83
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Raleigh NC, USA
    Check your mail queue for large queues of failed messages. If you cat and grep through /var/exim_mainlog for the queue, sometimes the log will show the directory of origin on the server. If you see the exim processes running live you can also then check the /proc directory for the PID of the exim process that you believe is sending spam. If you are able to discover which account the spam is coming from I would then go to /usr/local/apache/domlogs and then cat that domain's access log and grep for POST. My guess would be that you will locate a problem PHP script. Even with BCC rules in place some spammers are able to get through insecure PHP mailing scripts. I wish I knew how so I could beef up my mod_sec rules.
     
  7. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    You're right, mike25. Now, finding that bad/insecure PHP/CGI script(s) is the best possible solution to stop SPAM originating from your server. One of our clients was hit hard with a spammer who used bad/insecure PHP and CGI scripts to deliver thousands of messages a day. Our client tried every possible way to stop that SPAM, but without much success. We installed a script that helped pinpoint the bad/insecure scripts. The spammer was prevented from using our client's server any further.
     
  8. escv123

    escv123 Registered

    Joined:
    Jan 4, 2005
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Can you post your solution here?

    Could you post your solution here?

     
  9. iperhosting.com

    Joined:
    Apr 8, 2005
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    Sorry for my English, does a solution exist?

    Thanks
    Alex
     
  10. richy

    richy Well-Known Member

    Joined:
    Jun 30, 2003
    Messages:
    276
    Likes Received:
    1
    Trophy Points:
    16
    Under Tweak Settings enable: "Track the origin of messages sent through the mail server by adding the X-Source headers" and in the "Exim Configuration Editor" add "log_selector = +arguments +subject" in the first entry box in the "Advanced Settings".

    This should provide more information for you to trace the spam. Turning on phpSuExec (and suExec) is a good idea as well.
     
  11. iperhosting.com

    Joined:
    Apr 8, 2005
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1

    With phpSuExec, do scripts still run? For example a phpBB forum, my scripts, etc., etc.

    Thanks
     
  12. Solokron

    Solokron Well-Known Member

    Joined:
    Aug 8, 2003
    Messages:
    849
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Seattle
    cPanel Access Level:
    DataCenter Provider
    Many of you are missing the key element of the spam. "qmail". You cannot tail log files or enable exim features to track down mail that is utilizing qmail. This is a script that is utilizing its own qmail to send email. We have seen this before and tracking down the script is necessary.
     
  13. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    You're quite correct. It's also not qmail, but a spoofed header line. The spam script simply connects out on port 25 and sends the spam directly, bypassing exim completely. The only way to track it down directly is to watch port 25 connections and traffic or enable the SMTP Tweak/firewall blocking to disallow sending via port 25 to force users and scripts to use the sendmail/exim binary as they really ought to.
     
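A defender-side check matching chirpy's advice to watch port 25 connections, combined with mike25's /proc lookup: an added Python example, not from the thread, that reads `ss -tnp` output, keeps established connections whose peer port is 25, skips the ones owned by Exim itself, and reports the working directory and command line of whatever else is talking SMTP. The `ss` output below is a constructed sample; the process names and PIDs in it are invented.

```python
import os
import re
import subprocess

# Constructed sample of `ss -tnp` output (not captured from the poster's server):
# one web-server child talking straight to a remote MX on port 25, as chirpy
# describes, next to ordinary traffic that must not be flagged.
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
ESTAB 0      0      10.0.0.5:41234      198.51.100.7:25   users:(("php",pid=23207,fd=4))
ESTAB 0      0      10.0.0.5:443        203.0.113.9:51022 users:(("httpd",pid=1880,fd=12))
ESTAB 0      0      10.0.0.5:25         203.0.113.10:4412 users:(("exim",pid=2201,fd=3))
ESTAB 0      0      10.0.0.5:55010      198.51.100.8:25   users:(("exim",pid=2350,fd=5))
"""

PROC_RE = re.compile(r'"([^"]+)",pid=(\d+)')


def outbound_smtp(ss_output, mta="exim"):
    """Connections whose peer port is 25 and whose owner is not the MTA."""
    hits = []
    for line in ss_output.splitlines()[1:]:      # skip the column header
        fields = line.split()
        if len(fields) < 5:
            continue
        peer = fields[4]
        if peer.rsplit(":", 1)[-1] != "25":
            continue                             # inbound SMTP or unrelated traffic
        m = PROC_RE.search(fields[5]) if len(fields) > 5 else None
        name, pid = (m.group(1), int(m.group(2))) if m else ("?", None)
        if name == mta:
            continue                             # Exim delivering mail is expected
        hits.append({"pid": pid, "process": name, "peer": peer})
    return hits


def describe_pid(pid):
    """cwd and command line from /proc (mike25's step); None if the process
    is gone or we lack permission to read it."""
    try:
        cwd = os.readlink(f"/proc/{pid}/cwd")
        with open(f"/proc/{pid}/cmdline", "rb") as fh:
            cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        return None
    return {"pid": pid, "cwd": cwd, "cmdline": cmdline}


if __name__ == "__main__":
    live = subprocess.run(["ss", "-tnp"], capture_output=True, text=True).stdout
    for hit in outbound_smtp(live or SAMPLE_SS):
        print(hit, describe_pid(hit["pid"]) if hit["pid"] else "")
```

The cwd reported for a hit is usually the account's document root or a subdirectory of it, which is where to start reading the domlog for POST requests.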