Someone spamming thru our cPanel server

php-dawg

Active Member
Jul 9, 2003
31
0
156
Atlanta, GA
I really need some help on this. There is someone sending mail out thru multiple domains, it appears, from our server. Is there any way to track the security hole down and shut them down? Here is the rejected message:

1A9foI-0001wa-F1-H
mailnull 47 12
<>
1066201866 0
-ident mailnull
-received_protocol local
-body_linecount 69
-frozen 1066228030
-localerror
XX
1
[email protected]

164P Received: from mailnull by xxxxxxxxxx with local (Exim 4.24)
id 1A9foI-0001wa-F1
for [email protected]; Wed, 15 Oct 2003 03:11:06 -0400
042 X-Failed-Recipients: [email protected]
031 Auto-Submitted: auto-generated
074F From: Mail Delivery System <[email protected]>
028T To: [email protected]
059 Subject: Mail delivery failed: returning message to sender
063I Message-Id: <[email protected]>
038 Date: Wed, 15 Oct 2003 03:11:06 -0400


1A9foI-0001wa-F1-D
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

[email protected]
(ultimately generated from [email protected])
Unrouteable address

------ This is a copy of the message, including all the headers. ------

Return-path: <[email protected]>
Received: from [200.222.197.142] (helo=rj222197142.user.veloxzone.com.br)
by xxxx.xxxxxxxxx.com with smtp (Exim 4.24)
id 1A9foD-0001w9-Cp
for [email protected]; Wed, 15 Oct 2003 03:11:05 -0400
Received: from (HELO awm9h) [157.164.38.43] by rj222197142.user.veloxzone.com.br with SMTP; Tue, 14 Oct 2003 23:13:20 +0300
Message-ID: <[email protected]>
From: "Loren Romano" <[email protected]>
Reply-To: "Loren Romano" <[email protected]>
To: [email protected]
Subject: ANY MEDS U WANT! Prescribed Online for Free,Shipped Overnight ouvvp x
Date: Tue, 14 Oct 03 23:13:20 GMT
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="_ACE.49DCEBFF_F__.0"
X-Priority: 1
X-MSMail-Priority: High


--_ACE.49DCEBFF_F__.0
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<HTML><div align=3D"left"><p><FONT COLOR=3D"#000000" SIZE=3D3 face=3D"Ari=
al, Helvetica, sans-serif"><strong>SOMA,IONAMIN</strong> ...</FONT><FONT =
COLOR=3D"#000000" BACK=3D"#ffffff" style=3D"BACKGROUND-COLOR: #ffffff" SIZ=
E=3D3 PTSIZE=3D10 FAMILY=3D"SANSSERIF" FACE=3D"Arial, Helvetica, sans-seri=
f" LANG=3D"0"> Low Price. Fast Delivery. DISCREET. </FONT><FONT COLOR=3D"=
#000000" BACK=3D"#ffffff" style=3D"BACKGROUND-COLOR: #ffffff" SIZE=3D2 PTS=
IZE=3D10 FAMILY=3D"SANSSERIF" FACE=3D"Arial" LANG=3D"0"><BR> <br>FDA Appro=
ved Medications online.<br><br></FONT><font size=3D"3"><strong><FONT COLO=
R=3D"#000000" BACK=3D"#ffffff" style=3D"BACKGROUND-COLOR: #ffffff"
PTSIZE=3D=
10 FAMILY=3D"SANSSERIF" FACE=3D"Arial" LANG=3D"0">SOMA, ADIPEX, Viagra and=
MUCH MORE.</FONT><FONT COLOR=3D"#000000" BACK=3D"#ffffff" style=3D"BACKG=
ROUND-COLOR: #ffffff" PTSIZE=3D10 FAMILY=3D"SANSSERIF" FACE=3D"Arial" LANG=
=3D"0"></FONT></strong></font><FONT COLOR=3D"#000000" BACK=3D"#ffffff" st=
yle=3D"BACKGROUND-COLOR: #ffffff" SIZE=3D2 PTSIZE=3D10 FAMILY=3D"SANSSERIF=
" FACE=3D"Arial" LANG=3D"0"><BR> <br>Go Online. Fill out your Prescription=
Request. That Easy.</FONT></p><p><FONT COLOR=3D"#000000" BACK=3D"#ffffff=
" style=3D"BACKGROUND-COLOR: #ffffff" SIZE=3D2 PTSIZE=3D10 FAMILY=3D"SANSS=
ERIF" FACE=3D"Arial" LANG=3D"0">Your request will be reviewed by a License=
d US Physician. If Approved, your medication will be dispensed by a Licens=
ed US Pharmacy. <BR><br></FONT><FONT COLOR=3D"#408080" BACK=3D"#ffffff" s=
tyle=3D"BACKGROUND-COLOR: #ffffff" SIZE=3D3 PTSIZE=3D12 FAMILY=3D"SANSSERI=
F" FACE=3D"Arial" LANG=3D"0">Requests received by 2:00 PM EST will arrive =
the very next business day.<BR> </FONT><FONT COLOR=3D"#0000ff" BACK=3D"#f=
fffff" style=3D"BACKGROUND-COLOR: #ffffff" SIZE=3D4 PTSIZE=3D14 FAMILY=3D"=
SANSSERIF" FACE=3D"Arial" LANG=3D"0"><A HREF=3D"http://www.pillscentral.bi=
z"><br>MEDS_HERE</A></FONT><FONT COLOR=3D"#000000" BACK=3D"#ffffff"
style=3D=
"BACKGROUND-COLOR: #ffffff" SIZE=3D2 PTSIZE=3D10 FAMILY=3D"SANSSERIF" FACE=
=3D"Arial" LANG=3D"0"><BR> <BR> </FONT></p></div></HTML>rilchv cboixsligbujmszia xqdj ie gmzusin rv ktkcrdxx
nglyio s bse trc tpcdbh

--_ACE.49DCEBFF_F__.0--


Thanks for the help!


Website Rob

Well-Known Member
Mar 23, 2002
1,501
1
318
Alberta, Canada
cPanel Access Level
Root Administrator
I do believe someone is just using your Domain name(s) as a forged From address. When sending to a non-working eMail address, their Server is kicking it back (to the From), which is why it gets delivered to you.

Unfortunately there is nothing one can do about the forging. They can, however, set up Filters to delete these types of kicked-back eMails.


anand

Well-Known Member
Nov 11, 2002
1,432
1
168
India
cPanel Access Level
DataCenter Provider
Originally posted by Website Rob
I do believe someone is just using your Domain name(s) as a forged From address. When sending to a non-working eMail address, their Server is kicking it back (to the From), which is why it gets delivered to you.

Unfortunately there is nothing one can do about the forging. They can, however, set up Filters to delete these types of kicked-back eMails.

How do I set up these filters? Can I have an example, please?


Website Rob

Well-Known Member
Mar 23, 2002
1,501
1
318
Alberta, Canada
cPanel Access Level
Root Administrator
Cpanel > E-Mail > E-mail Filtering

Some testing, due to the same problem with my own Domain name being forged to AOL eMail, showed that the actual Subject used -- in the returned eMail -- should be used, and it takes a while to kick in. I think upcp has to run, but I'm only guessing.


anand

Well-Known Member
Nov 11, 2002
1,432
1
168
India
cPanel Access Level
DataCenter Provider
Originally posted by Website Rob
Cpanel > E-Mail > E-mail Filtering

Some testing, due to the same problem with my own Domain name being forged to AOL eMail, showed that the actual Subject used -- in the returned eMail -- should be used, and it takes a while to kick in. I think upcp has to run, but I'm only guessing.

I thought more along the lines of kicking the mails from Exim itself, basically using Exim filters. I have seen a lot of mails like these on my 2 boxes, forged addresses, but every now and then the forger changed the address.


php-dawg

Active Member
Jul 9, 2003
31
0
156
Atlanta, GA
I had decided the same thing, but wanted to make sure I was not crazy. I could not find in the mail log where any of these emails went thru our server. The oddest part of it all is that they are using several of our customers' domain names to do this.

anand

Well-Known Member
Nov 11, 2002
1,432
1
168
India
cPanel Access Level
DataCenter Provider
Originally posted by php-dawg
I had decided the same thing, but wanted to make sure I was not crazy. I could not find in the mail log where any of these emails went thru our server. The oddest part of it all is that they are using several of our customers' domain names to do this.
Same is the case with my box: mail bounces are getting delivered to various customer domains on the box.

markie

BANNED
Oct 5, 2003
142
0
166
Originally posted by php-dawg
I had decided the same thing, but wanted to make sure I was not crazy. I could not find in the mail log where any of these emails went thru our server. The oddest part of it all is that they are using several of our customer's domain names to do this.
You probably want to install http://webhosting-tools.com/view.cgi/MailMon then. We purchased this a while back and it has identified the source of the spammer from our box on at least 3 occasions. Every time I see some strange mail leaving our servers we turn this on. It tells us the path to the script that is sending the msgs so we can identify the user. I know in the past I have asked this company a number of questions and they did not reply. Their support seems hopeless but the scripts work well.

anand

Well-Known Member
Nov 11, 2002
1,432
1
168
India
cPanel Access Level
DataCenter Provider
Originally posted by markie
You probably want to install http://webhosting-tools.com/view.cgi/MailMon then. We purchased this a while back and it has identified the source of the spammer from our box on at least 3 occasions. Every time I see some strange mail leaving our servers we turn this on. It tells us the path to the script that is sending the msgs so we can identify the user. I know in the past I have asked this company a number of questions and they did not reply. Their support seems hopeless but the scripts work well.
Originally the mails are actually being forged and then the returns are being fired to his server. This can't be stopped, actually. If someone forges your From address and sends mails, then if any mail is bounced by any mail server, the bounce will automatically find its way to your server / mailbox instead of the forger.

As for using MailMon, I don't say there is anything wrong with the software; it's good. But you may want to try the Mail Relayers inside WHM, which stores who is relaying from the server; all logs, everything, is present.