LiNUxG0d

Well-Known Member
Jun 25, 2003
206
1
168
Gatineau, Quebec, Canada
Hey all,

Being the main abuse agent for the webhost I work for, I started receiving a rash of spam complaints recently. I analyzed a header and saw as follows:

Code:
Received: from nobody by peach.ourcompany.com with local (Exim 4.50)
    id 1DTbWA-0000uG-4H; Thu, 05 May 2005 04:15:34 -0400

To:
Subject: HELLO
From: [email protected] <[email protected]>
X-Priority: 1 (Highest)
CC:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: RLSP Mailer
Message-Id: <[email protected]>
Date: Thu, 05 May 2005 04:15:34 -0400
X-AntiAbuse: This header was added to track abuse, please include it with
any abuse report
X-AntiAbuse: Primary Hostname - peach.ourcompany.com
X-AntiAbuse: Original Domain - cox.net
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain - peach.ourcompany.com
X-Source:
X-Source-Args:
X-Source-Dir:
Alright, now, the headers show: "X-Mailer: RLSP Mailer"

Tracking back, this is a PHP-Nuke WebMail Module header. So, what's happening is users are signing up for accounts to PHP-Nuke sites and then sending mail using the SMTP facilities.

Technically, if you have PHPSuExec enabled, you should be good to track back the sender; if you don't though, you could just issue a warning to all users and locate the `libmail.php` files and change their modes to 000.

This way, users have to give it attention or else they will not be able to take advantage of it.

It's a poor solution, I know, however it gets the job done. It beats going through every one of those PHP Admin areas and disabling the WebMail module.

This is what I did to resolve it (as root or wheel with sudo):

Code:
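<?php
// Find every PHP-Nuke WebMail libmail.php under the users' web roots.
// -type f skips symlinks, so a planted link cannot redirect the chmod.
$findarray = `find /home/*/public_html/ -type f -name 'libmail.php'`;
$findlist = explode("\n", (string) $findarray);

foreach ($findlist as $path) {

        $path = trim($path);

        if ($path && !is_link($path)) {

                // PHP's own chmod() avoids passing the path through a shell,
                // so spaces or metacharacters in a directory name are harmless.
                chmod($path, 0000);
        }
}
?>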
At worst, someone will find this fix unacceptable and whip up a better one. :)

Just a heads up to everyone! :)

Jamie S.
Kiosk.ws
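
The header triage described in the post above, as an added example that is not part of the original post: it pulls the X-AntiAbuse fields out of a complaint, flags the RLSP Mailer signature, and reports whether the message can be traced to an account. The sample header is constructed from the one quoted above with a placeholder From address, and treating UID 99 as the shared "nobody" web server user is an assumption.

```python
import re
from email import message_from_string

# Constructed sample modelled on the header quoted in the post.
SAMPLE = """\
Received: from nobody by peach.ourcompany.com with local (Exim 4.50)
\tid 1DTbWA-0000uG-4H; Thu, 05 May 2005 04:15:34 -0400
Subject: HELLO
From: sender@example.invalid
X-Mailer: RLSP Mailer
X-AntiAbuse: This header was added to track abuse, please include it with
 any abuse report
X-AntiAbuse: Primary Hostname - peach.ourcompany.com
X-AntiAbuse: Original Domain - cox.net
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain - peach.ourcompany.com
X-Source:
X-Source-Args:
X-Source-Dir:

body
"""

SHARED_WEB_UIDS = {99}  # assumption: 99 is "nobody", the shared web server user


def triage(raw):
    """Summarise the abuse-relevant headers of one reported message."""
    msg = message_from_string(raw)
    fields = {}
    for value in msg.get_all("X-AntiAbuse", []):
        value = " ".join(value.split())  # unfold continuation lines
        if " - " in value:
            key, val = value.split(" - ", 1)
            fields[key] = val
    # First bracket pair is read as the originator's UID/GID.
    m = re.match(r"\[(\d+) (\d+)\]", fields.get("Originator/Caller UID/GID", ""))
    uid = int(m.group(1)) if m else None
    x_source = [(msg.get(h) or "").strip()
                for h in ("X-Source", "X-Source-Args", "X-Source-Dir")]
    received = " ".join((msg.get("Received") or "").split())
    return {
        "host": fields.get("Primary Hostname"),
        "uid": uid,
        "webmail_module": (msg.get("X-Mailer") or "").strip() == "RLSP Mailer",
        "local_submission": " with local " in received,
        # Traceable only if the script ran as the account owner (PHPSuExec)
        # or the X-Source headers name the script.
        "traceable": (uid is not None and uid not in SHARED_WEB_UIDS) or any(x_source),
    }
```

For the sample, `triage(SAMPLE)` reports a local submission from the WebMail module with `traceable` set to False, which is the case where the post falls back to locating `libmail.php` on disk.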
 

LiNUxG0d

Awesome!

I was searching online and found nothing... guess I should have tried some better Google searches. ;)

I still think it's nice that I post it up because I would consider this widespread enough. :)

Thanks for the reply man!

Jamie