Spam report I absolutely do not understand

Discussion in 'E-mail Discussions' started by driverC, Feb 13, 2008.

  1. driverC

    driverC Well-Known Member

    Joined:
    Jul 23, 2004
    Messages:
    112
    Likes Received:
    0
    Trophy Points:
    16
    I have been in this industry for 4 years managing my servers alone. However, today I got a spam report that looks like something I have never seen before in my entire life.

    Note: The spam is neither coming from an address on my server nor being sent to an address on my server... How is it using my IP then?? I tried to check for open relays but found none... Do you have any idea what and how they are doing:

    MIME element (message/feedback-report)
    Encapsulated message (message/rfc822)
    Headers of embedded message (message/rfc822)
    From fakesender@hotmail.com Wed Feb 13 02:37:08 2008
    X-Apparently-To: recipient@yahoo.com via 209.191.91.172; Wed, 13 Feb 2008 02:44:39 -0800
    X-Originating-IP: [MY.SERVERS.IP.ADDRESS]
    Return-Path: <fakesender@hotmail.com>
    Authentication-Results: mta139.mail.re4.yahoo.com from=hotmail.com; domainkeys=neutral (no sig)
    Received: from MY.SERVERS.IP.ADDRESS (HELO my.servers.hostname) (MY.SERVERS.IP.ADDRESS)
    by mta139.mail.re4.yahoo.com with SMTP; Wed, 13 Feb 2008 02:42:56 -0800
    Received: from sdcbc (112.23.180.123)
    by my.servers.hostname; Wed, 13 Feb 2008 04:37:08 -0600
    Message-ID: <006e01c4df02$fc9cb4e8$c7eb8875@sdcbc>
    Reply-To: <someaddress@bellsouth.net>
    From: <fakesender@hotmail.com>
    To: <recipient@yahoo.com>
    Subject: =?koi8-r?B?Qm9vc3QgeW91ciBzZXh1YWwg?=
    =?koi8-r?B?cG93ZXIgbm93IQ==?=
    Date: Wed, 13 Feb 2008 04:37:08 -0600
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary=" ----=_NextPart_000_006F_01C48875.C7EBB4E8"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2800.1158
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
    Content-Length: 777
     
  2. ckh

    ckh Well-Known Member

    Joined:
    Dec 6, 2003
    Messages:
    356
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Phoenix, AZ
    cPanel Access Level:
    DataCenter Provider
    It almost looks like it was sent from the spamming server, 112.23.180.123, to an email address on your server in which someone is forwarding the spam to their Yahoo email address and then reporting it as spam. Since your server forwarded it to the yahoo server, they are rightfully saying it was sent from your server. However, if I'm correct in all this, then it would have been forwarded by the receivers request and shouldn't have been reported.

    I'd check the forwarders out and delete it, then send the client a stern email.

    Just wanted to add that an email account doesn't have to be set up on the server for this to happen, they just need to specify an email address for the domain and then the forwarding email address.
     
    #2 ckh, Feb 13, 2008
    Last edited: Feb 13, 2008
  3. driverC

    driverC Well-Known Member

    Joined:
    Jul 23, 2004
    Messages:
    112
    Likes Received:
    0
    Trophy Points:
    16
    This can't really be the case because if it was it would reference the email address hosted on my server in the "Received" header like this:

    Received: from [12.23.34.45] (port=2211 helo=user)
    by server.myserver.com with esmtpa (Exim 4.68)
    (envelope-from <spammerspecifiedfrom@address.com>)
    id 1JPhaB-000468-9w
    for user@hosted-on-myserver.com; Thu, 14 Feb 2008
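    The two header blocks quoted in this thread (the embedded message in the Yahoo report above, and the Exim-written Received line in this post) differ in exactly the way driverC points out. The script below is an added example, not code from any poster: it parses a Received chain with the standard library, finds the hop at which the message reached our host, and reports whether that hop carries the `with`/`id` fields Exim stamps on mail it accepts. Both header samples are constructed from the text quoted in the thread; `MY.SERVERS.IP.ADDRESS` and the hostnames are the thread's own placeholders.

```python
"""Walk the Received: chain of a reported message to see where it entered our server."""
import re
from email import message_from_string

OUR_HOST = "my.servers.hostname"   # placeholder hostname used in the report

# Constructed sample: the embedded message headers quoted in the Yahoo report.
SPAM_HEADERS = """\
Received: from MY.SERVERS.IP.ADDRESS (HELO my.servers.hostname) (MY.SERVERS.IP.ADDRESS)
  by mta139.mail.re4.yahoo.com with SMTP; Wed, 13 Feb 2008 02:42:56 -0800
Received: from sdcbc (112.23.180.123)
  by my.servers.hostname; Wed, 13 Feb 2008 04:37:08 -0600
Message-ID: <006e01c4df02$fc9cb4e8$c7eb8875@sdcbc>
From: <fakesender@hotmail.com>
To: <recipient@yahoo.com>

"""

# Constructed sample: the Exim-written Received line quoted in driverC's reply.
EXIM_HEADERS = """\
Received: from [12.23.34.45] (port=2211 helo=user)
  by server.myserver.com with esmtpa (Exim 4.68)
  (envelope-from <spammerspecifiedfrom@address.com>)
  id 1JPhaB-000468-9w
  for user@hosted-on-myserver.com; Thu, 14 Feb 2008

"""

_IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


def _field(pattern, text):
    m = re.search(pattern, text, re.IGNORECASE)
    return m.group(1) if m else None


def parse_received(headers_text):
    """Return one dict per Received: header, newest hop first (header order)."""
    msg = message_from_string(headers_text)
    hops = []
    for raw in msg.get_all("Received", []):
        # Unfold the header, then split the date off after the last ';'.
        body, sep, date = " ".join(raw.split()).rpartition(";")
        if not sep:
            body, date = date, ""
        from_part = body.split(" by ", 1)[0]        # sender side only
        hops.append({
            "from": _field(r"^from\s+(\S+)", body),
            "ip": _field(_IPV4, from_part),
            "helo": _field(r"helo[=\s]+([^\s)]+)", from_part),
            "by": _field(r"\bby\s+(\S+)", body),
            "with": _field(r"\bwith\s+(\S+)", body),   # protocol, e.g. esmtpa
            "id": _field(r"\bid\s+(\S+)", body),       # Exim queue id
            "for": _field(r"\bfor\s+<?([^\s<>]+)>?", body),  # envelope recipient
            "date": date.strip() or None,
        })
    return hops


def entry_hop(hops, our_host=OUR_HOST):
    """The hop at which our server accepted the message, or None if absent."""
    for hop in hops:
        if hop["by"] and hop["by"].lower() == our_host.lower():
            return hop
    return None


def written_by_exim(hop):
    """Exim's default Received text carries 'with <protocol>' and 'id <queue-id>';
    a hop on our host that lacks both was not stamped by Exim."""
    return bool(hop["with"] and hop["id"])


def summarize(headers_text, our_host=OUR_HOST):
    hops = parse_received(headers_text)
    hop = entry_hop(hops, our_host)
    if hop is None:
        return "our host does not appear in the Received chain"
    src = hop["ip"] or hop["from"]
    verdict = ("looks like an Exim-written header" if written_by_exim(hop)
               else "no Exim queue id: not accepted by Exim, something else wrote this")
    return f"entered {our_host} from {src} ({verdict})"


if __name__ == "__main__":
    print(summarize(SPAM_HEADERS))
    print(summarize(EXIM_HEADERS, "server.myserver.com"))
```

For the reported message the entry hop is `from sdcbc (112.23.180.123) by my.servers.hostname` with no protocol, no queue id and no `for` recipient, which is consistent with a process on the server that hand-writes a Received line rather than handing the mail to Exim; the Exim sample from this post parses with all three fields present.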
     
  4. Kent Brockman

    Kent Brockman Well-Known Member

    Joined:
    Jan 20, 2008
    Messages:
    1,130
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Buenos Aires, Argentina
    cPanel Access Level:
    Root Administrator
    OK, are you sure you haven't got open relays? How did you check it out?
     
  5. driverC

    driverC Well-Known Member

    Joined:
    Jul 23, 2004
    Messages:
    112
    Likes Received:
    0
    Trophy Points:
    16
    I used some scanners available on the internet... I am getting more of these reports now. Here is one from AOL..

    As you can see, the header that is printed in bold does not have an Exim ID. I did look at /var/log/exim_mainlog and there is no entry for that time!!!!

    This looks like he is not sending this using Exim but has a worm installed on my server that is sending this spam. I really hope he has no root privileges (Chkrootkit and RKHunter find nothing unusual). Unfortunately this server has so many accounts on it that restoring from a backup would take days and would hurt me seriously. Especially since I am paying my rent with the money I make with this server. So as you can imagine a quick reformat is not an easy decision for me... not at all. Any ideas?? How do I locate the worm? Maybe he is just running a program with user privileges or something.
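    The check driverC describes (look in /var/log/exim_mainlog for the reported message) can be made systematic. The script below is an added example and not code from this thread: it takes the Message-ID and Date from the reported headers and looks for Exim's `<=` arrival line carrying that `id=`, and separately for any log activity in a window around the stamped time. The log excerpt is constructed (queue ids, addresses and message-ids are invented); the Message-ID and Date are the ones quoted in the first post. It assumes, as Exim does by default, that the log is written in the server's local time, which is the same zone as the `-0600` in the Received stamp.

```python
"""Check whether Exim ever logged the message named in an abuse report."""
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime

# Constructed excerpt of /var/log/exim_mainlog (queue ids, addresses and
# message-ids are invented); the real file has one line per event.
EXIM_MAINLOG = """\
2008-02-13 04:31:02 1JPhU4-000312-Qb <= bob@hosted-on-myserver.com H=(user) [12.23.34.45] P=esmtpa S=2412 id=000901c86e3a$1234abcd$0a0b0c0d@user
2008-02-13 04:31:03 1JPhU4-000312-Qb => alice@example.org R=lookuphost T=remote_smtp H=mx.example.org [198.51.100.7]
2008-02-13 04:31:03 1JPhU4-000312-Qb Completed
2008-02-13 04:42:17 1JPhf9-000520-Nx <= root@my.servers.hostname U=root P=local S=611 id=E1JPhf9-000520-Nx@my.servers.hostname
2008-02-13 04:42:18 1JPhf9-000520-Nx => admin@hosted-on-myserver.com R=virtual_user T=virtual_userdelivery
2008-02-13 04:42:18 1JPhf9-000520-Nx Completed
"""

# Values taken from the headers quoted in the first post of this thread.
REPORTED_MESSAGE_ID = "<006e01c4df02$fc9cb4e8$c7eb8875@sdcbc>"
REPORTED_DATE = "Wed, 13 Feb 2008 04:37:08 -0600"


def find_message_id(log_text, message_id):
    """Exim's '<=' arrival line records the Message-ID (without <>) as id=...;
    return every log line that carries the reported id."""
    mid = message_id.strip().strip("<>")
    return [ln for ln in log_text.splitlines() if f" id={mid}" in ln]


def entries_near(log_text, when, minutes=3):
    """Return log lines stamped within +/- minutes of the given local time."""
    lo, hi = when - timedelta(minutes=minutes), when + timedelta(minutes=minutes)
    out = []
    for ln in log_text.splitlines():
        try:
            ts = datetime.strptime(ln[:19], "%Y-%m-%d %H:%M:%S")
        except ValueError:          # continuation or malformed line
            continue
        if lo <= ts <= hi:
            out.append(ln)
    return out


def check_report(log_text, message_id, date_header, minutes=3):
    """Correlate a reported message with the log by id and by time.
    Assumption: the log is in the server's local time, the same zone the
    server stamped into the Received header, so the wall-clock value is kept."""
    when = parsedate_to_datetime(date_header).replace(tzinfo=None)
    return {
        "by_id": find_message_id(log_text, message_id),
        "near_time": entries_near(log_text, when, minutes),
    }


if __name__ == "__main__":
    result = check_report(EXIM_MAINLOG, REPORTED_MESSAGE_ID, REPORTED_DATE)
    if not result["by_id"]:
        print("no Exim record of", REPORTED_MESSAGE_ID)
    if not result["near_time"]:
        print("no Exim activity within 3 minutes of", REPORTED_DATE)
    for ln in result["by_id"] + result["near_time"]:
        print(ln)
```

An empty `by_id` with an otherwise normal log is the strongest signal: Exim logs every message it accepts, so a message that left the server with its IP in the Received chain but never appeared in exim_mainlog was sent by something speaking SMTP directly from the box. The time window is only a sanity check that the log was actually being written at that point.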
     
  6. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    It's most likely going to be a script exploit that's been uploaded through a vulnerable PHP script on the server which is sending out the spam using a forged header. One of the simplest ways to prevent that from happening is to block outgoing email to remote port 25 except from exim. You can do this in WHM > Security Center > SMTP Tweak. Then it's a matter of trawling through the accounts and scripts on the server for the exploit.
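    Chirpy's point is that a script sending spam this way opens its own connections to remote port 25 instead of going through Exim, so those connections are also what to look for while hunting the script. The following is an added example, not code from this thread or from cPanel: it reads the kernel's `/proc/net/tcp` table, decodes its little-endian hex addresses, and lists established connections to remote port 25 owned by uids other than the mail system's. The table excerpt is constructed (documentation IP ranges, invented inodes; uid 8 standing in for the MTA's user and uid 1004 for a hosting account are assumptions). On a live box `pid_for_inode` maps a hit back to the process via `/proc/<pid>/fd`, which needs root.

```python
"""List outbound SMTP connections not owned by the mail system, from /proc/net/tcp."""
import os
import socket
import struct

# Constructed /proc/net/tcp excerpt. Row 0: a listener on :25 (the MTA, uid 8 assumed).
# Row 1: the MTA delivering outbound. Row 2: a hosting account's process (uid 1004)
# talking SMTP to a remote host itself. Row 3: the same account fetching a web page.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     8        0 10211 1 0000000000000000 100 0 0 10 0
   1: 0A00000A:C3E2 076433C6:0019 01 00000000:00000000 00:00000000 00000000     8        0 30877 1 0000000000000000 20 4 30 10 -1
   2: 0A00000A:B1A4 097100CB:0019 01 00000000:00000000 00:00000000 00000000  1004        0 41023 1 0000000000000000 20 4 30 10 -1
   3: 0A00000A:9F10 2C0200C0:0050 01 00000000:00000000 00:00000000 00000000  1004        0 41088 1 0000000000000000 20 4 30 10 -1
"""

ESTABLISHED = "01"      # st column value for TCP_ESTABLISHED
SMTP_PORT = 25
MTA_UIDS = frozenset({0, 8})   # assumption for the sample: root and the MTA's user


def _addr(hexpair):
    """'0100007F:0019' -> ('127.0.0.1', 25); the IP is a host-order 32-bit hex word."""
    ip_hex, port_hex = hexpair.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the table into dicts with decoded local/remote endpoints, state, uid, inode."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the column header
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({
            "local": _addr(f[1]),
            "remote": _addr(f[2]),
            "state": f[3],
            "uid": int(f[7]),
            "inode": int(f[9]),
        })
    return rows


def outbound_smtp(text, allowed_uids=MTA_UIDS):
    """Established connections to remote port 25 whose owner is not the mail system."""
    return [r for r in parse_proc_net_tcp(text)
            if r["state"] == ESTABLISHED
            and r["remote"][1] == SMTP_PORT
            and r["uid"] not in allowed_uids]


def pid_for_inode(inode):
    """Live systems only: find the pid whose fd table holds socket:[inode]."""
    target = f"socket:[{inode}]"
    for pid in filter(str.isdigit, os.listdir("/proc")):
        fd_dir = f"/proc/{pid}/fd"
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(f"{fd_dir}/{fd}") == target:
                    return int(pid)
        except OSError:      # process exited, or not ours to inspect
            continue
    return None


if __name__ == "__main__":
    live = os.path.exists("/proc/net/tcp")
    text = open("/proc/net/tcp").read() if live else SAMPLE_PROC_NET_TCP
    for r in outbound_smtp(text):
        who = pid_for_inode(r["inode"]) if live else "n/a (sample data)"
        print(f"uid {r['uid']} -> {r['remote'][0]}:{r['remote'][1]}  inode {r['inode']}  pid {who}")
```

On the sample this flags only row 2, the hosting account's own connection to a remote mail server; the MTA's delivery in row 1 and the web fetch in row 3 are left alone. Once the WHM SMTP Tweak is in place such connections are refused at the firewall, so run this before enabling it if you want to see which account the script lives under, and afterwards watch the account's processes that keep retrying port 25.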
     
  7. niatech

    niatech Well-Known Member

    Joined:
    Feb 20, 2005
    Messages:
    121
    Likes Received:
    0
    Trophy Points:
    16
    By limiting port 25 to exim only, would that not stop legitimate PHP mailing scripts from working?
     
  8. driverC

    driverC Well-Known Member

    Joined:
    Jul 23, 2004
    Messages:
    112
    Likes Received:
    0
    Trophy Points:
    16
    No because they use Exim...
     