PHP-Nuke WebMail Spam

Discussion in 'E-mail Discussion' started by LiNUxG0d, May 11, 2005.

  1. LiNUxG0d

    LiNUxG0d Well-Known Member

    Hey all,

    Being the main abuse agent for the webhost I work for, I started receiving a rash of spam complaints recently. I analyzed a header and saw as follows:

    Code:
    Received: from nobody by peach.ourcompany.com with local (Exim 4.50)
        id 1DTbWA-0000uG-4H; Thu, 05 May 2005 04:15:34 -0400
    
    To:
    Subject: HELLO
    From: steve_williams22@web.de <steve_williams22@web.de>
    X-Priority: 1 (Highest)
    CC:
    Mime-Version: 1.0
    Content-Type: text/plain; charset=us-ascii
    Content-Transfer-Encoding: 7bit
    X-Mailer: RLSP Mailer
    Message-Id: <E1DTbWA-0000uG-4H@peach.ourcompany.com>
    Date: Thu, 05 May 2005 04:15:34 -0400
    X-AntiAbuse: This header was added to track abuse, please include it with
    any abuse report
    X-AntiAbuse: Primary Hostname - peach.ourcompany.com
    X-AntiAbuse: Original Domain - cox.net
    X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
    X-AntiAbuse: Sender Address Domain - peach.ourcompany.com
    X-Source:
    X-Source-Args:
    X-Source-Dir:
    Alright, now, the headers show: "X-Mailer: RLSP Mailer"

    Tracking back, this is a PHP-Nuke WebMail Module header. So, what's happening is users are signing up for accounts to PHP-Nuke sites and then sending mail using the SMTP facilities.

    Technically, if you have PHPSuExec enabled, you should be good to track back the sender; if you don't though, you could just issue a warning to all users and locate the `libmail.php` files and change their modes to 000.

    This way, users have to give it attention or else they will not be able to take advantage of it.

    It's a poor solution, I know, however it gets the job done. It beats going through every one of those PHP Admin areas and disabling the WebMail module.

    This is what I did to resolve it (as root or wheel with sudo):

    Code:
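    <?php
    // Locate every PHP-Nuke WebMail libmail.php under the users' web roots.
    // -type f matches regular files only, so a symlink named libmail.php is not matched.
    $findarray = `find /home/*/public_html/ -type f -name 'libmail.php'`;
    $findlist = explode("\n", (string) $findarray);
    
    foreach ($findlist as $path) {
    
            $path = trim($path);
    
            if ($path) {
                    // Use PHP's chmod() instead of a shell command: the path is
                    // user-controlled and this runs as root, so it must never
                    // be interpreted by a shell.
                    chmod($path, 0000);
            }
    }
    ?>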
    At worst, someone will find this fix unacceptable and whip up a better one. :)

    Just a heads up to everyone! :)

    Jamie S.
    Kiosk.ws
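
The header check described in the post above, as an added Python example that is not part of the original post or of cPanel's tooling. The sample message is constructed from the quoted header; the names `triage` and `WEB_UIDS`, and the treatment of uid 99 as the shared `nobody` web server user, are assumptions.

```python
import re
from email import message_from_string

# Constructed sample, modelled on the header quoted in the post above.
SAMPLE = """\
Received: from nobody by peach.ourcompany.com with local (Exim 4.50)
\tid 1DTbWA-0000uG-4H; Thu, 05 May 2005 04:15:34 -0400
Subject: HELLO
From: steve_williams22@web.de <steve_williams22@web.de>
X-Mailer: RLSP Mailer
X-AntiAbuse: This header was added to track abuse, please include it with
 any abuse report
X-AntiAbuse: Primary Hostname - peach.ourcompany.com
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
X-Source:
X-Source-Args:
X-Source-Dir:

body
"""

WEB_UIDS = {99}  # assumption: uid 99 is "nobody", the shared web server user


def triage(raw, web_uids=WEB_UIDS):
    """Summarise where a locally submitted message came from."""
    msg = message_from_string(raw)
    # "with local" in Received means the message was handed to Exim on the box.
    received = " ".join(msg.get_all("Received", []))
    local = re.search(r"from (\S+) by \S+ with local", received)
    uid = None
    for value in msg.get_all("X-AntiAbuse", []):
        m = re.search(r"Originator/Caller UID/GID - \[(\d+) (\d+)\]", value)
        if m:
            uid = int(m.group(1))
    mailer = (msg.get("X-Mailer") or "").strip()
    source_dir = (msg.get("X-Source-Dir") or "").strip()
    return {
        "local_user": local.group(1) if local else None,
        "uid": uid,
        "php_nuke_webmail": mailer == "RLSP Mailer",
        "from_web_server": local is not None and uid in web_uids,
        # Heuristic: the message points at one account only if the caller uid
        # is not the shared web uid or a source directory was recorded.
        "attributable": bool(source_dir) or (uid is not None and uid not in web_uids),
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```

A result with `from_web_server` true and `attributable` false is the case the post describes: the mail left through the shared web server user, so the header alone does not identify the hosting account.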
     
  2. sparek-3

    sparek-3 Well-Known Member

  3. LiNUxG0d

    LiNUxG0d Well-Known Member

    Awesome!

    I was searching online and found nothing... guess I should have tried some better Google searches. ;)

    I still think it's nice that I post it up because I would consider this widespread enough. :)

    Thanks for the reply man!

    Jamie
     