The Community Forums


Spam email has me stumped!

Discussion in 'E-mail Discussions' started by mickalo, Nov 22, 2005.

  1. mickalo

    Not sure others have been seeing these emails, but this has me stumped and I'm not sure how to stop this. Below is an email sample that a lot of our customers have been receiving from our server, and I'm not sure how to stop it or trace the problem down to its source:
    Code:
    Return-path: <>
    Envelope-to: mickalo@thunder-rain.com
    Delivery-date: Tue, 22 Nov 2005 16:50:24 -0600
    Received: from thunderr by justlightening.justlightening.net with local-bsmtp (Exim 4.50)
    	id 1Eegxy-00047j-3X
    	for mickalo@thunder-rain.com; Tue, 22 Nov 2005 16:50:24 -0600
    Received: from [158.80.1.70] (helo=md02.baker.edu ident=mirapoint)
    	by justlightening.justlightening.net with esmtp (Exim 4.50)
    	id 1Eegxx-00047a-Me
    	for postmaster@justlightening.justlightening.net; Tue, 22 Nov 2005 16:50:21 -0600
    Received: from mserve1.baker.edu (mserve1.baker.edu [158.80.1.67])
    	by md02.baker.edu (MOS 3.5.9-GR)
    	with ESMTP id DAX06796;
    	Tue, 22 Nov 2005 18:07:32 -0500 (EST)
    Received: from localhost (localhost)
    	by mserve1.baker.edu (MOS 3.5.9-GR)
    	with internal id DIL50784;
    	Tue, 22 Nov 2005 18:07:31 -0500 (EST)
    Date: Tue, 22 Nov 2005 18:07:31 -0500 (EST)
    From: Mail Delivery Subsystem <MAILER-DAEMON@baker.edu>
    Message-Id: <200511222307.DIL50784@mserve1.baker.edu>
    To: postmaster@justlightening.justlightening.net
    MIME-Version: 1.0
    Content-Type: multipart/report; report-type=delivery-status;
    	boundary="DIL50784.1132700851/mserve1.baker.edu"
    Subject: Returned mail: User unknown
    Auto-Submitted: auto-generated (failure)
    X-DSN-Junkmail: UCE(71)
    X-DSN-Junkmail-Status: score=71/20, host=mserve1.baker.edu
    X-DSN-Mirapoint-Virus: VIRUSDELETED;
    	host=md02.baker.edu;
    	attachment=[2.2];
    	virus=W32/Sober-Z
    X-Junkmail-Status: score=8/20, host=md02.baker.edu
    X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on 
    	justlightening.justlightening.net
    X-Spam-Level: 
    X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00 autolearn=ham 
    	version=3.0.4
    
    This is a MIME-encapsulated message
    
    --DIL50784.1132700851/mserve1.baker.edu
    
    The original message was received at Tue, 22 Nov 2005 18:07:26 -0500 (EST)
    from md02.baker.edu [158.80.1.70]
    
       ----- The following addresses had permanent delivery errors -----
    <Wthrboy917@baker.edu>
    <MAZTERDJ2000@baker.edu>
    <jeralds@baker.edu>
    <mort2004@baker.edu>
    <ozzgrant@baker.edu>
    <Powerbomb14@baker.edu>
    <feedback@baker.edu>
    <majordomo@baker.edu>
    <contact@baker.edu>
    <john.doe@baker.edu>
    <eslcpa@baker.edu>
    <eldreth@baker.edu>
    <rosethorn@baker.edu>
    <coolgirl@baker.edu>
    <DRACOM25@baker.edu>
    <Mnementh2k1@baker.edu>
    <nepears0n@baker.edu>
    <j.baune@baker.edu>
    <recoil@baker.edu>
    <Republic47@baker.edu>
    <bighead29@baker.edu>
    <seanfinley64@baker.edu>
    <kevin.warburton@baker.edu>
    <milegs@baker.edu>
    <ressen2@baker.edu>
    <PikaMike0103@baker.edu>
    <GAMEKIDz2@baker.edu>
    <lkhaight@baker.edu>
    <liquidfireDNC@baker.edu>
    <jsampera@baker.edu>
    <WATTO1FRIEND@baker.edu>
    <Slickkwo@baker.edu>
    <cindyr@baker.edu>
    <toon_2005@baker.edu>
    <Parker@baker.edu>
    <websurfertai@baker.edu>
    <mcafee53@baker.edu>
    <MJHEDGEHOG@baker.edu>
    <JJLDJ@baker.edu>
    <ALTALBOT1@baker.edu>
    <anthonysimon@baker.edu>
    <RedfishermanPI@baker.edu>
    <OhhhhYeahhhh131@baker.edu>
    <JesusIsTheMan7@baker.edu>
    <videogame22@baker.edu>
    <cyborgcommando_735@baker.edu>
    <kevin_bender@baker.edu>
    <SharmaAskumar@baker.edu>
    <MASlizard@baker.edu>
    <arnold.cox@baker.edu>
    <rocky_grisou@baker.edu>
    <stevelec@baker.edu>
    <kshastings@baker.edu>
    <tony9uk@baker.edu>
    <starfoxman@baker.edu>
    
    
    --DIL50784.1132700851/mserve1.baker.edu
    Content-Type: message/delivery-status
    
    Reporting-MTA: dns; mserve1.baker.edu
    Arrival-Date: Tue, 22 Nov 2005 18:07:26 -0500 (EST)
    
    Final-Recipient: RFC822; <Wthrboy917@baker.edu>
    Action: failed
    Status: 5.1.1
    Remote-MTA: X-Unix; mirapoint
    Diagnostic-Code: smtp; 550 5.1.1 User unknown
    Last-Attempt-Date: Tue, 22 Nov 2005 18:07:31 -0500 (EST)
    
    Final-Recipient: RFC822; <MAZTERDJ2000@baker.edu>
    Action: failed
    Status: 5.1.1
    Remote-MTA: X-Unix; mirapoint
    Diagnostic-Code: smtp; 550 5.1.1 User unknown
    Last-Attempt-Date: Tue, 22 Nov 2005 18:07:31 -0500 (EST)
    
    ... and goes on for all addresses above that failed.....
    
    --DIL50784.1132700851/mserve1.baker.edu
    Content-Type: message/rfc822
    
    Received: from md02.baker.edu (md02.baker.edu [158.80.1.70])
    	by mserve1.baker.edu (MOS 3.5.9-GR)
    	with ESMTP id DIL50781 (AUTH via LOGINBEFORESMTP);
    	Tue, 22 Nov 2005 18:07:25 -0500 (EST)
    Received: from xtgnj.net (cpe-24-28-82-126.austin.res.rr.com [24.28.82.126])
    	by md02.baker.edu (MOS 3.5.9-GR)
    	with SMTP id DAX06793;
    	Tue, 22 Nov 2005 18:07:18 -0500 (EST)
    From: postmaster@justlightening.justlightening.net
    To: listening@baker.edu
    Date: Tue, 22 Nov 2005 21:32:22 GMT
    Subject: Paris Hilton & Nicole Richie
    Importance: Normal
    X-Priority: 3 (Normal)
    X-MSMail-Priority: Normal
    Message-ID: <f810e298a09348a7b@wdllw.com>
    X-Mirapoint-Virus: VIRUSDELETED;
    	host=md02.baker.edu;
    	attachment=[2.2];
    	virus=W32/Sober-Z
    X-Junkmail: UCE(71)
    X-Junkmail-Status: score=71/20, host=mserve1.baker.edu
    
    
    
    --DIL50784.1132700851/mserve1.baker.edu--
    
    Was hoping someone may have some insight into how to stop this from being sent through our server.

    TIA,
    Mickalo
     
  2. nyjimbo

    It depends on how much of that header is real. I mean we get the same thing, but many times I see they are using our domains as the originating sender but the IPs are not ours. Also look very carefully for any info that shows they are spoofing anything.
     
  4. vincentg

    Not sure this applies to this case but I have found that spammers have found a way to use PHP mail by adding code to the message.

    The mail server picks up the code and will send out the mail from the spammer.
    I have done much checking on this by a script I have been developing on my website.
    Samples of what the spammers were doing was emailed to me so I know how they pull this off.

    This is a problem with every app that uses some form of php form mail!

    Apps like oscommerce and many others do not run checks for possible abuse.
    Even the simple check of referrer is not done in many apps.
    A spammer can run a script on his pc to just blast mail through your server.
    Most cases I see long BCC lists being added.

    AOL has a service that helps see what they are getting from your servers.
    I found two clients that have mail scripts being abused - one is from oscommerce!

    I put out a script that I believe traps out this abuse - hope others follow my lead.
     
  5. anup123

    Form Post Hijacking
    This is what they do most of the time adding it to BCC field for poorly coded php scripts.
    Google around for

    form post hijacking php

    Anup
     
  6. vincentg

    Yep and most popular php apps have this problem.

    I have had success in stopping it and have the script I am giving away free which is in operation at a website I run. I submitted it to hotscripts.com

    It's quite easy to install on any site.

    But more important is to get these open source apps and any others that use form mail to correct the code as to trap out the spam attempts.

    What spammers do is send a series of attempts to see what works on your script.

    Stuff like this is typed into the input fields:
    ------------------------------------------
    Content-Type: text/plain; charset=\"us-ascii\"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit
    Subject: natural gravity of the
    bcc: battsl1005@aol.com

    When they find the right format it sends an almost perfect email to a list they provide.
    BCC is not the only way it's done!

    I sent an email to the lead person of osCommerce and to AOL.
    We need to stop this by getting these software people to make the needed changes.

    Vin
     
  7. asmithjr

    I think this is the same thing that one of my customers has going on.

    Any suggestions for a solution to stop this?
     
  8. vincentg

    I wrote a script in php that stops it.

    It's a stand-alone mail form script.

    As for all the apps out there that have mail forms in them - well, we are in for one heck of a problem in the upcoming months.

    Think that most will have to patch these apps until the programmers get on the case and fix them.

    The script I wrote was first placed as a standard form on my site.
    As I noticed this strange stuff taking place I set the script to email me what was being placed into the form.

    One person suggested to filter out a crlf but this will not stop it.
    The spammers add mail header info to the message and you need to check for that.
    I filter the messages for standard lines spammers use and if found a warning message is displayed on the mail success / fail screen.

    I don't think any spammer can use this form to pass their mail.

    Vin
     
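The check described in the post above (scan each form field for injected header lines, not just strip a CR/LF) as an added Python example; this is not code from the thread or from the netbizcity script, and the header list, field names and example.invalid addresses are assumptions of the example:

```python
import re
from email.message import EmailMessage

# Header names this thread shows being injected (Content-Type, MIME-Version,
# Subject, bcc) plus the usual suspects; only a match at the start of a line
# counts. The list is this example's assumption, not any project's rule.
INJECTED_HEADER = re.compile(
    r"^[ \t]*(to|cc|bcc|from|reply-to|subject|content-type|mime-version|"
    r"content-transfer-encoding)[ \t]*:",
    re.IGNORECASE | re.MULTILINE,
)

def injected_headers(value: str) -> list:
    """Return the lowercased header names injected into one field, in order."""
    return [m.group(1).lower() for m in INJECTED_HEADER.finditer(value)]

def check_form(fields: dict, multiline=("message",)) -> dict:
    """Map each rejected field to a reason; an empty dict means the form is clean."""
    problems = {}
    for name, value in fields.items():
        if name not in multiline and ("\r" in value or "\n" in value):
            # A line break in a single-line field is the classic CRLF injection.
            problems[name] = "line break in single-line field"
        elif injected_headers(value):
            # Header lines inside body text: real messages rarely start a line this way.
            problems[name] = "injected header(s): " + ", ".join(injected_headers(value))
    return problems

def build_message(fields, site_from="noreply@example.invalid",
                  site_to="owner@example.invalid") -> EmailMessage:
    """Assemble the mail from a clean form only; raise on any hijack attempt."""
    problems = check_form(fields)
    if problems:
        raise ValueError(problems)
    msg = EmailMessage()              # the library encodes and folds headers for us
    msg["From"] = site_from           # fixed sender; visitor's address goes in Reply-To
    msg["To"] = site_to
    msg["Reply-To"] = fields["email"]
    msg["Subject"] = fields["subject"]
    msg.set_content(fields["message"])
    return msg

# Constructed samples: HIJACK_ATTEMPT carries the payload shape quoted in this
# thread inside the message body; CRLF_ATTEMPT smuggles a bcc via the email field.
HIJACK_ATTEMPT = {
    "email": "visitor@example.invalid", "subject": "hello",
    "message": ('Content-Type: text/plain; charset="us-ascii"\n'
                "MIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\n"
                "Subject: natural gravity of the\nbcc: spamlist@example.invalid\n"),
}
CRLF_ATTEMPT = {"email": "visitor@example.invalid\r\nbcc: spamlist@example.invalid",
                "subject": "hello", "message": "Hi"}
CLEAN_FORM = {"email": "visitor@example.invalid", "subject": "Order question",
              "message": "Hi,\nwhere is my order?\nThanks"}
```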
  9. asmithjr

    I did remove the textarea field from this customer's contact_us.php and this has halted the spam for now.

    I've been on osCommerce and do not see a fix there for this on their forum.
     
  10. PanelGuy

    Spam via OsCommerce

    Anyone have any other ideas on this?

    Would either of those who mentioned already writing scripts be interested in providing a link to them? Or PM one to me?
     
  11. vincentg

    I wrote a script that filters out the problem and you can find it at http://www.netbizcity.net

    Comes with two versions - one for a standard form and one for a custom form.

    This is the biggest problem to ever hit the net.
    Every way of sending mail by a form on a webpage is prone to this abuse.

    Guess they never thought of this way back when the email standard was created.

    But now with maybe 100 million email forms out there the web will be swamped with spam unless every app like osCommerce and php-nuke and you name it patches the mail scripts and every site that uses a mail form script replaces it with a safe one.

    There are a few different methods in use to stop the spam - I think mine is the best since it targets only stuff that will allow spam to pass through, versus removing so many things that the user may just click off - or turning your mail into a single looooong line which is not much fun to read.

    Vin
     
  12. rs-freddo

    There is an updated version of oscommerce out that is supposed to fix this. Otherwise just use mod-security to block this - there is a fairly extensive thread on this, search for "bcc:".
     
  14. dr2web

    Yeah I see many mentions of scripts that fix the problem, with few links.

    If you are managing a server (not just 1 site) you might want to consider re-configuring exim and WHM to filter the unwanted mail attempts. One quick step to make is to prevent the user nobody from sending mail. This will start to block users from sending mail from php scripts, or at least give you a better idea as to what script is sending it.

    The next thing that you want to do is to configure exim to actually look at the headers and filter the bad requests before letting them through. The link above that deals with exim is a good one, and I have seen it work on my server. There are more out there. I suggest finding all of the exim config suggestions and compiling your own. You might even want to go to the exim website and look at all the exim config settings and compile your own set of instructions.

    I had like 3000 of these returned mail from people using my server to relay spam. I have gotten rid of all of them. All I have now is the occasional spam message that gets through (inbound) the filters. Them guys are sneaky..
     
  15. vincentg

    Not a good idea to block nobody.

    As to what scripts are prone to abuse - almost all of them.
    Very few block it.

    As to link to one that does - http://netbizcity.net/mail_script

    The problem is really a mail server problem.
    Unless they change the standard there is no way to cure this on a server level.

    Here's a breakdown of what is prone to abuse:

    HTML Mail Forms - this includes forms created in Front Page or any other painter.
    Mail scripts - 98% of all scripts have no checking at all.

    The majority of all Web Applications.

    Applications such as osCommerce and many others.
    They have mail forms to allow a customer or registered user to contact the site owner.

    Don't think for a second that having to register will stop them - it will not.

    Worse is few of these companies even have this problem on their radar screen.
    You may not see patches this year (2006) if no one makes them aware the problem is real and that they need to move on it.

    I predict spam will hit an all time high next year and may even exceed normal internet traffic in terms of bandwidth.
    Spammers are just getting started with this hole in mail security.
    By mid next year they will have figured out how to milk this for all it's worth.

    The only good thing about this seems to be hacking into servers will most likely drop off 90%.

    Not worth the time and effort for spammers if it's so easy for them to hijack a form.

    And finding one - all you need do is search on Google for contact us - easy pickings for those sending this stuff.

    Mod security or anything else server side will have no effect to stop it!!!
    This is an email server flaw - and I doubt they can do anything to stop it there.
    It has to be filtered at the input before it's sent to the mail server - no other way.

    So stop playing with ideas to block it server side or messing with preventing nobody from sending mail - you are just wasting your time and will be hurting your accounts' business.


    Vin
     
    #15 vincentg, Dec 31, 2005
    Last edited: Dec 31, 2005
  16. Izzee

    Stop web email forms sending out as nobody@host.yourserver.tld have them sent as username@host.yourserver.tld. This will allow you to trace who sent it and nip it in the bud before it becomes an issue.

    A search for nobody@ will give lots of results about this issue and one that has the fix is a post by nisse:
    http://forums.cpanel.net/showthread.php?t=46551

    Coupled with some good mod_sec rules, also found on these forums, this should help curb some of this abuse in the meantime.

    The alternate method is to compile apache with phpSuExec and have the good mod_sec rules.

    :)
     
    #16 Izzee, Dec 31, 2005
    Last edited: Dec 31, 2005
  17. vincentg

    Yes - you can do that but it will not stop the problem.
    It will help a little to identify the account with the abused script.

    I prefer to avoid phpsuexec unless it's a brand new server.

    Another way to find those with abused scripts is to join AOL's Feedback Loop program.

    http://postmaster.aol.com

    Vin
     