
Spam reports from AOL

Discussion in 'General Discussion' started by 4u123, Jan 25, 2006.

  1. 4u123

    Has anyone else experienced this problem with Exim?

    We have set up a feedback loop with AOL for our IP range so they can tell us of reported spam coming from domains on our servers.

    We are currently getting quite a lot each day but I don't think the email is originating from our servers...

    Here is an example...

    Received: from rly-yi01.mx.aol.com (rly-yi01.mail.aol.com [172.18.180.129]) by air-yi03.mail.aol.com (v108_r1_b1.2) with ESMTP id MAILINYI33-7aa43d3bbaa51; Sun, 22 Jan 2006 12:07:23 -0500
    Received: from OUR.SERVER.com (OUR.SERVER.com [OUR.ip.ip.67]) by rly-yi01.mx.aol.com (v108_r1_b1.2) with ESMTP id MAILRELAYINYI16-7aa43d3bbaa51; Sun, 22 Jan 2006 12:06:51 -0500
    Received: from [24.205.143.38] (helo=-1212051672)
    by OUR.SERVER.com with smtp (Exim 4.52)
    id 1F0ifn-0007q2-4u
    for hello@domainonourserver.com; Sun, 22 Jan 2006 17:06:39 +0000
    Received: from giantmark.com (-1220421984 [-1220145744])
    by 24-205-143-38.dhcp.psdn.ca.charter.com (Qmailv1) with ESMTP id D8AF9414AA
    for <hello@domainonOURserver.com>; Sun, 22 Jan 2006 10:59:40 -0500
    Date: Sun, 22 Jan 2006 10:59:40 -0500
    From: "Chinatowns C. Paymasters" <GFEDA@giantmark.com>
    X-Mailer: The Bat! (v2.00.5) Personal
    X-Priority: 3
    Message-ID: <5734924973.20060122105940@giantmark.com>
    To: <Undisclosed Recipients>
    Subject: Software
    MIME-Version: 1.0
    Content-Type: text/plain
    Content-Transfer-Encoding: 7bit
    X-AntiVirus: checked by AntiVir MailGate (version: 2.0.1.5; AVE: 6.17.0.2; VDF: 6.17.0.5; host: 24-205-143-38.dhcp.psdn.ca.charter.com)
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - OUR.SERVER.com
    X-AntiAbuse: Original Domain - domainonourserver.com
    X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
    X-AntiAbuse: Sender Address Domain - giantmark.com
    X-Source:
    X-Source-Args:
    X-Source-Dir:
    X-AOL-IP: OUR.ip.ip.67

    This almost looks like it's being somehow relayed through our server. I spoke to someone who said the message ID isn't even an Exim one and it couldn't have originated from our server at all.

    A common factor in these I have identified is that the domains I've looked into that have been reported to have been sending the spam on our servers ALL have mailto links on their main pages - now I don't know if this confuses things somewhat but I'm guessing the domain name and hostname are being spidered and then somehow spoofed or faked? Would this make sense?

    Incidentally, on these domains that are being reported I could find no evidence of any mailing software or vulnerable scripts that could be used to send mail by third parties.
     
  2. Jimmyftw

    Check for any forwarders set up. We've run into cases where users have set up their mail to forward to an AOL address and they then report the mail as spam there (which, since it came from our/your server last, actually reports your server as sending spam) or the AOL system simply picks it up as spam.
     
  3. 4u123

    The emails being sent are spam without any doubt.
     
  4. simplybe

    Looks like one of your customers is forwarding their mail to aol and then reporting it as spam.

    X-AntiAbuse: Original Domain - domainonourserver.com

    That will be the domain that is forwarding. Log in to their cPanel and check their forwarders and default address.
     
  5. 4u123

    Thanks guys,

    Yes, I think this is the problem. Either they are forwarding all mail - or they are forwarding on individual mails to report as spam.
     
  6. kmpman

    We had exactly this issue and fixed it - several customers with a forwarder on email to their AOL account. THEN they reported any spam and we got tons of the AOL loopback reports.

    We identified who it was from the headers and asked them to either use a POP account with us or simply stop reporting the spam via AOL as it was leading AOL to consider us as a spammer since ours was the last server sending the email to their account.

    All the customers did so quite happily and the loopback reports stopped completely.
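
The header check described in the replies above, as an added example that is not part of any post: it finds the hop where the server's own Exim accepted the message, pulls out the local recipient it was addressed to, and reads the `X-AntiAbuse` fields. The function names and the abridged sample report are constructed for illustration.

```python
import re
from collections import Counter
from email import message_from_string

# Constructed sample: headers abridged from the report quoted in the first post.
REPORT = """\
Received: from OUR.SERVER.com (OUR.SERVER.com [OUR.ip.ip.67]) by rly-yi01.mx.aol.com with ESMTP; Sun, 22 Jan 2006 12:06:51 -0500
Received: from [24.205.143.38] (helo=-1212051672)
\tby OUR.SERVER.com with smtp (Exim 4.52)
\tid 1F0ifn-0007q2-4u
\tfor hello@domainonourserver.com; Sun, 22 Jan 2006 17:06:39 +0000
Subject: Software
X-AntiAbuse: Primary Hostname - OUR.SERVER.com
X-AntiAbuse: Original Domain - domainonourserver.com
X-AntiAbuse: Sender Address Domain - giantmark.com

(body omitted)
"""

def trace_report(raw, our_host):
    """Find the hop where our Exim accepted the message and who it was for."""
    msg = message_from_string(raw)
    found = {"inbound_ip": None, "exim_id": None, "local_rcpt": None}
    for hop in msg.get_all("Received", []):
        hop = " ".join(hop.split())                  # unfold continuation lines
        if f" by {our_host.lower()} " not in hop.lower() or "(Exim" not in hop:
            continue                                 # not a hop written by our server
        ip = re.search(r"\[([0-9a-fA-F.:]+)\]", hop)
        mid = re.search(r"\bid (\S+)", hop)
        rcpt = re.search(r"\bfor <?([^\s;>]+)", hop)
        found.update(inbound_ip=ip and ip.group(1), exim_id=mid and mid.group(1),
                     local_rcpt=rcpt and rcpt.group(1).lower())
        break
    for value in msg.get_all("X-AntiAbuse", []):     # e.g. "Original Domain - example.com"
        key, sep, val = value.partition(" - ")
        if sep:
            found[key.strip().lower().replace(" ", "_")] = val.strip()
    return found

def tally(reports, our_host):
    """Count reports per local recipient: the mailboxes whose forwarders to check."""
    return Counter(trace_report(r, our_host)["local_rcpt"] for r in reports)

if __name__ == "__main__":
    print(trace_report(REPORT, "OUR.SERVER.com"))
```

An inbound IP that is not the server's own, together with a local recipient, means the server accepted the message from outside and passed it on; the recipient's forwarders and default address are the next thing to check.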
     
  7. electric

    Is there a way to automatically find any forwarders that are sending emails to AOL? i.e., is there a forwarding file where we can just do a "grep aol" or something to see what forwarders are configured to send to aol?

    We're getting this problem, too... and I'd like to find out what account(s) are forwarding to aol...
     
  8. sparek-3

    Try this script. Just upload this script to your server, then via SSH (as root) do:

    Code:
    mv find_aol.txt find_aol.pl
    chmod 700 find_aol.pl
    ./find_aol.pl

    This will give a list of domains that have an aol.com forwarder. The format of the output is:

    <main domain name> - <domain name with forwarder> - <address that is forwarding> - <aol address>

    The <main domain name> refers to the main domain name of the account. Normally this would match <domain name with forwarder> but if <domain name with forwarder> is a parked or addon domain, then it might be different. Special cases exist for when <address that is forwarding> is referring to the domain's default box.
     


  9. electric

    That's great! Thanks!

    Do you know if it would be possible to adjust this script to automatically send out an email to the cpanel contact address and/or the @aol.com email address that is the forward target?

    This way, we can let them know that their forwarder needs to be removed within xyz hours or else we'll do it for them, etc...

    That would make it perfect!

    Oh wait.. also to make it even better.. would be to figure out what reseller owns the domain and use that contact email. We wouldn't want to send an email directly to the reseller's client...

    :)
     
    #9 electric, Feb 3, 2006
    Last edited: Feb 3, 2006
  10. sparek-3

    I have modified the script to include the reseller's domain name. This file is attached as find_aol2.txt. Again the same instructions apply:

    Code:
    mv find_aol2.txt find_aol2.pl
    chmod 700 find_aol2.pl
    ./find_aol2.pl

    This time the syntax of the output is:

    <reseller domain name> - <main domain name> - <domain name with forwarder> - <address that is forwarding> - <aol address>

    As far as actually writing the users, I believe this would be better served if this was done by yourself. We use this script to collect the AOL forwarders, and then we have another script that connects with our billing system and parses the output from this script and retrieves the e-mail address and other information from the billing system. Our billing system is an in-house developed project. You would likely need to develop your own script to interact with your billing system. Or you may just need to write each individual account separately.
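
The attached scripts are not reproduced on this page. The following is an added example, not sparek-3's code, of a scan that produces rows in the five-field format described in the two posts above. It assumes the usual cPanel layout: forwarders in `/etc/valiases/<domain>` as `address: destination[, destination]` lines with `*` as the default address, and the `userdomains`, `trueuserdomains` and `trueuserowners` maps in `/etc`. The sample tree is constructed.

```python
import os
import tempfile

def read_pairs(path):
    """Yield (key, value) from a 'key: value' file; a missing file yields nothing."""
    if not os.path.isfile(path):
        return
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            key, sep, val = line.partition(":")
            if sep and not line.lstrip().startswith("#"):
                yield key.strip(), val.strip()

def find_aol_forwarders(etc="/etc"):
    """Rows of (reseller domain, main domain, domain, forwarding address, AOL address)."""
    domain_user = dict(read_pairs(os.path.join(etc, "userdomains")))   # domain -> user
    main_of = {u: d for d, u in read_pairs(os.path.join(etc, "trueuserdomains"))}
    owner_of = dict(read_pairs(os.path.join(etc, "trueuserowners")))   # user -> owner
    vdir = os.path.join(etc, "valiases")
    rows = []
    for domain in sorted(os.listdir(vdir)) if os.path.isdir(vdir) else []:
        user = domain_user.get(domain, "")
        owner = owner_of.get(user, "root")
        reseller = main_of.get(owner, owner)  # root-owned accounts have no reseller domain
        main = main_of.get(user, domain)
        for source, dests in read_pairs(os.path.join(vdir, domain)):
            source = "*@" + domain if source == "*" else source  # default address
            for dest in (d.strip().strip('"') for d in dests.split(",")):
                if dest.lower().endswith("@aol.com"):
                    rows.append((reseller, main, domain, source, dest))
    return rows

def build_sample(root):  # constructed sample tree standing in for /etc
    files = {
        "userdomains": "example.com: alice\naddon.example: alice\nreseller.example: bob\n",
        "trueuserdomains": "example.com: alice\nreseller.example: bob\n",
        "trueuserowners": "alice: bob\nbob: root\n",
        "valiases/addon.example": "info@addon.example: someone@aol.com, other@example.net\n",
        "valiases/example.com": "*: Catchall@AOL.com\nsales@example.com: |/usr/bin/script\n",
    }
    os.makedirs(os.path.join(root, "valiases"))
    for name, text in files.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(text)
    return root

if __name__ == "__main__":
    for row in find_aol_forwarders(build_sample(tempfile.mkdtemp())):
        print(" - ".join(row))
```

On a server, call `find_aol_forwarders("/etc")` as root instead of building the sample tree.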
     
