The Community Forums


PHP-Nuke WebMail Spam

Discussion in 'E-mail Discussions' started by LiNUxG0d, May 11, 2005.

  1. LiNUxG0d (Well-Known Member; joined Jun 25, 2003; 206 messages; 1 like received; 18 trophy points; location: Gatineau, Quebec, Canada)

    Hey all,

    Being the main abuse agent for the webhost I work for, I started receiving a rash of spam complaints recently. I analyzed a header and saw as follows:

    Code:
    Received: from nobody by peach.ourcompany.com with local (Exim 4.50)
        id 1DTbWA-0000uG-4H; Thu, 05 May 2005 04:15:34 -0400
    
    To:
    Subject: HELLO
    From: steve_williams22@web.de <steve_williams22@web.de>
    X-Priority: 1 (Highest)
    CC:
    Mime-Version: 1.0
    Content-Type: text/plain; charset=us-ascii
    Content-Transfer-Encoding: 7bit
    X-Mailer: RLSP Mailer
    Message-Id: <E1DTbWA-0000uG-4H@peach.ourcompany.com>
    Date: Thu, 05 May 2005 04:15:34 -0400
    X-AntiAbuse: This header was added to track abuse, please include it with
        any abuse report
    X-AntiAbuse: Primary Hostname - peach.ourcompany.com
    X-AntiAbuse: Original Domain - cox.net
    X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
    X-AntiAbuse: Sender Address Domain - peach.ourcompany.com
    X-Source:
    X-Source-Args:
    X-Source-Dir:
    Alright, now, the headers show: "X-Mailer: RLSP Mailer"

    Tracking back, this is a PHP-Nuke WebMail Module header. So, what's happening is users are signing up for accounts to PHP-Nuke sites and then sending mail using the SMTP facilities.

    Technically, if you have PHPSuExec enabled, you should be good to track back the sender; if you don't though, you could just issue a warning to all users and locate the `libmail.php` files and change their modes to 000.

    This way, users have to give it attention or else they will not be able to take advantage of it.

    It's a poor solution, I know, however it gets the job done. It beats going through every one of those PHP Admin areas and disabling the WebMail module.

    This is what I did to resolve it (as root or wheel with sudo):

    Code:
    <?php
    // Locate every libmail.php under each account's public_html and set it to
    // mode 000 so the PHP-Nuke WebMail module can no longer be loaded.
    $findarray = `find /home/*/public_html/ -type f -name 'libmail.php' 2>/dev/null`;
    $findlist = explode("\n", $findarray);

    foreach ($findlist as $path) {
            $path = trim($path);
            if ($path === '') {
                    continue;
            }
            // Use PHP's chmod() rather than interpolating the path into a shell
            // command, so a crafted file name cannot inject extra commands.
            if (!chmod($path, 0000)) {
                    fwrite(STDERR, "chmod failed: $path\n");
            }
    }
    ?>
    At worst, someone will find this fix unacceptable and whip up a better one. :)

    Just a heads up to everyone! :)

    Jamie S.
    Kiosk.ws
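The header analysis in the post above comes down to two fields: the X-Mailer value that fingerprints the PHP-Nuke WebMail module, and the X-AntiAbuse "Originator/Caller UID/GID" line, which with PHP running as the shared web-server user shows UID 99 (nobody) and so cannot be tied to one hosting account; with phpsuexec it would carry the account's own UID. The triage script below is an added example, not code from the post or from cPanel. The passwd excerpt, the account name jdoe, and the set of flagged X-Mailer strings are constructed assumptions; the header block is the one quoted in the post, with its folded continuation line re-indented.

```python
"""Triage a cPanel/Exim header block from an abuse complaint.

Added example (not from the forum post). It pulls X-Mailer and the
X-AntiAbuse "Originator/Caller UID/GID" line, resolves the originator UID
against passwd data, and reports whether the message can be attributed to
one hosting account.
"""
import re
from email.parser import HeaderParser

# Constructed sample: the header block quoted in the post, with the folded
# X-AntiAbuse continuation line indented so the parser treats it as one header.
SAMPLE_HEADERS = """\
Received: from nobody by peach.ourcompany.com with local (Exim 4.50)
    id 1DTbWA-0000uG-4H; Thu, 05 May 2005 04:15:34 -0400
To:
Subject: HELLO
From: steve_williams22@web.de <steve_williams22@web.de>
X-Mailer: RLSP Mailer
Message-Id: <E1DTbWA-0000uG-4H@peach.ourcompany.com>
X-AntiAbuse: This header was added to track abuse, please include it with
 any abuse report
X-AntiAbuse: Primary Hostname - peach.ourcompany.com
X-AntiAbuse: Original Domain - cox.net
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain - peach.ourcompany.com
"""

# Constructed /etc/passwd excerpt; 'jdoe' is a hypothetical hosting account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
jdoe:x:508:509::/home/jdoe:/bin/bash
"""

# Assumption: lower-cased X-Mailer strings the abuse desk treats as spam tooling.
KNOWN_SPAM_MAILERS = {"rlsp mailer"}

# Shared system identities that do not identify a customer account.
SHARED_USERS = {"nobody"}

_UIDGID_RE = re.compile(
    r"Originator/Caller UID/GID - \[(\d+) (\d+)\] / \[(\d+) (\d+)\]")


def parse_passwd(text):
    """Return {uid: username} from passwd-format text, skipping bad lines."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            users[int(fields[2])] = fields[0]
    return users


def parse_antiabuse(header_text):
    """Extract X-Mailer, primary hostname and the four UID/GID numbers."""
    msg = HeaderParser().parsestr(header_text)
    info = {
        "mailer": (msg.get("X-Mailer") or "").strip(),
        "hostname": None,
        "originator_uid": None, "originator_gid": None,
        "caller_uid": None, "caller_gid": None,
    }
    for value in msg.get_all("X-AntiAbuse", []):
        m = _UIDGID_RE.search(value)
        if m:
            (info["originator_uid"], info["originator_gid"],
             info["caller_uid"], info["caller_gid"]) = map(int, m.groups())
        elif value.startswith("Primary Hostname - "):
            info["hostname"] = value[len("Primary Hostname - "):].strip()
    return info


def triage(header_text, passwd_text, spam_mailers=KNOWN_SPAM_MAILERS):
    """Classify one complaint: flagged mailer? which account, if any, sent it?"""
    info = parse_antiabuse(header_text)
    owner = parse_passwd(passwd_text).get(info["originator_uid"])
    info["owner"] = owner
    info["mailer_flagged"] = info["mailer"].lower() in spam_mailers
    # Only a real account UID identifies the sender; 'nobody' means the script
    # ran as the web server and every PHP-Nuke install on the box is a suspect.
    info["attributable"] = owner is not None and owner not in SHARED_USERS
    return info


if __name__ == "__main__":
    for key, val in triage(SAMPLE_HEADERS, SAMPLE_PASSWD).items():
        print(f"{key}: {val}")
```

On a live box the passwd text would come from /etc/passwd and the header block from the complaint; when the originator resolves to an account rather than nobody, the result points straight at the customer whose PHP-Nuke install sent the mail.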
     
  2. sparek-3 (Well-Known Member; joined Aug 10, 2002; 1,382 messages; 23 likes received; 38 trophy points; cPanel Access Level: Root Administrator)

  3. LiNUxG0d

    Awesome!

    I was searching online and found nothing... guess I should have tried some better Google searches. ;)

    I still think it's nice that I post it up because I would consider this widespread enough. :)

    Thanks for the reply man!

    Jamie
     