Spammer and **bypassed** listed in Exim Mail Statistics

Solokron

Well-Known Member
Aug 8, 2003
850
1
168
Seattle
cPanel Access Level
DataCenter Provider
I have an issue with a spammer that I have not been able to track down via logs.

Enabled feature set:

Include a list of Pop before SMTP senders in the X-PopBeforeSMTP header when relaying mail. (exim 4.34-30+ required)

Prevent the user 'nobody' from sending out mail to remote addresses (php and cgi scripts generally run as nobody if you are not using phpsuexec and suexec respectively.)

Silently Discard all FormMail-clone requests with a bcc: header in the subject line

Track the origin of messages sent though the mail server by adding the X-Source headers (exim 4.34+ required)

The SMTP Tweak is enabled.

Enabled: Verify the existence of email senders.

Enabled: Discard emails for users who have exceeded their quota instead of keeping them in the queue.

log_selector = +all


What concerns me is that when viewing mail delivery stats via WHM I see a listing for
Deliveries by transport
-----------------------
Volume Messages
**bypassed** 158KB 7



Even with log_selector = +all I am not able to track this spammer down.


Provided below are the mail headers reported to us.

Return-path: <[email protected]>
Received: from defapp07.gatewaydefender.com (unverified [207.180.209.127]) by buckeye-express.com
(Rockliffe SMTPRA 6.1.20) with ESMTP id <[email protected]> for <[email protected]>;
Fri, 23 Sep 2005 06:59:31 -0400
Received: from yyyyyyyyy.com (Not Verified[xx.xx.xx.xx]) by defapp07.gatewaydefender.com
id <BK10fbc4eb>; Fri, 23 Sep 2005 06:59:30 -0400
Received: (qmail 27788 invoked by uid 46782); Sun, 25 Sep 2005 15:46:54 +0200 (CEST)
Message-Id: <[email protected]>
From: "Meira Branson" <[email protected]>
To: "genoxxxx" <[email protected]>
Date: Sun, 25 Sep 2005 15:46:54 +0200 (CEST)
Subject: Mom was used by her son
Mime-Version: 1.0
Content-Type: text/plain


I expect more header information as a result of the features enabled above, but with **bypassed** appearing in Exim Mail Statistics I am concerned they may indeed be bypassing the system.

The domain, as expected, does not exist on the system. No new accounts on the server look questionable. A phpbbversion check scan has been run and versions older than 16 have been disabled +5 days.

I also run mail-watch on the server which has not reported any accounts.

I have run the following with no results:

grep '20050925154654.27788' /var/log/exim_mainlog
grep 'meineke.com' /var/log/exim_mainlog
grep '[email protected]' /var/log/exim_mainlog
grep 'mom was used by her son' /var/log/exim_mainlog
grep -r '[email protected]' /home/*


This is racking my brain as I cannot track this email down and I hope it is not a new exploit in exim.
 

Solokron
I should also mention that the server's formmail*, helpdesk*, cgiemail* and real* are all disabled in /usr/local/cpanel/cgi-sys
 

Solokron
Because these are not appearing in exim I can only suspect these are from a trojanned machine smarthosting through this server.

We run rootkithunter and tripwire twice a day and they have not found anything, though, so this ought to be fun.
 

Solokron
Nonsense. That is gatewaydefender.com

IberHosting said:
Hello,

If 207.180.209.127 is not your IP, someone else is using a fake mail to spam from [email protected], so you got all the error mails from the failed mails.
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
13,462
25
473
Go on, have a guess
That email isn't originating from a cPanel server running exim. Either the headers are forged or the initial Received line (read them backwards) clearly shows this:

Received: (qmail 27788 invoked by uid 46782); Sun, 25 Sep 2005 15:46:54 +0200 (CEST)

So, it appears to be a joe-job of sorts if that is indeed the original header of the actual spam email.
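Reading the chain that way can be automated. The following is an added example, not chirpy's or cPanel's code: it unfolds the headers, walks the Received lines bottom-up and reports what the first hop says about the origin. The sample is constructed from the chain quoted in this thread with placeholder addresses.

```python
import re
# Constructed sample modelled on the chain quoted above (placeholder addresses); not a captured message.
SAMPLE_HEADERS = """\
Received: from defapp07.gatewaydefender.com (unverified [207.180.209.127]) by buckeye-express.com
 (Rockliffe SMTPRA 6.1.20) with ESMTP id <id@buckeye-express.com>; Fri, 23 Sep 2005 06:59:31 -0400
Received: from yyyyyyyyy.com (Not Verified[xx.xx.xx.xx]) by defapp07.gatewaydefender.com
 id <BK10fbc4eb>; Fri, 23 Sep 2005 06:59:30 -0400
Received: (qmail 27788 invoked by uid 46782); Sun, 25 Sep 2005 15:46:54 +0200 (CEST)
Subject: Mom was used by her son
"""

QMAIL_RE = re.compile(r"\(qmail\s+(\d+)\s+invoked\s+(?:by\s+uid\s+(\d+)|from\s+network)\)")
SMTP_RE = re.compile(r"from\s+(\S+)((?:\s*\([^)]*\))*)\s*by\s+(\S+)")

def unfold(raw):
    """Join RFC 5322 folded continuation lines; return [name, value] pairs in header order."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1][1] += " " + line.strip()        # continuation of the previous field
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append([name.strip(), value.strip()])
    return fields

def parse_received(value):
    """Classify one Received header: qmail stamp, SMTP relay hop, or unknown."""
    m = QMAIL_RE.search(value)
    if m:
        uid = int(m.group(2)) if m.group(2) else None   # None means "invoked from network"
        return {"kind": "qmail", "uid": uid}
    m = SMTP_RE.search(value)
    if m:
        ip = re.search(r"\d{1,3}(?:\.\d{1,3}){3}", m.group(2))
        return {"kind": "smtp", "from": m.group(1), "by": m.group(3), "ip": ip.group(0) if ip else None}
    return {"kind": "unknown", "raw": value}

def trace(raw):
    """Hops oldest-first: every MTA prepends its own line, so the last Received header is the origin."""
    return [parse_received(v) for n, v in reversed(unfold(raw)) if n.lower() == "received"]

def origin_summary(raw):
    """Verdict on the first hop; mail injected through Exim on a cPanel box would carry an Exim stamp here."""
    first = trace(raw)[0]
    if first["kind"] == "qmail" and first["uid"] is not None:
        return f"local qmail submission by uid {first['uid']}; no Exim hop, so exim_mainlog has nothing to match"
    if first["kind"] == "smtp":
        return f"SMTP from {first['from']} ({first['ip']}) accepted by {first['by']}"
    return "first hop not recognised as a local submission or an SMTP relay"

if __name__ == "__main__":
    print(origin_summary(SAMPLE_HEADERS))
```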
 

Solokron
Which is why I suspect a trojan is installed bypassing and not utilizing exim.

I don't know why they would joe-job the server but that is possible as well.

chirpy said:
That email isn't originating from a cPanel server running exim. Either the headers are forged or the initial Received line (read them backwards) clearly shows this:

Received: (qmail 27788 invoked by uid 46782); Sun, 25 Sep 2005 15:46:54 +0200 (CEST)

So, it appears to be a joe-job of sorts if that is indeed the original header of the actual spam email.
 

chirpy
I'm actually looking at another server with the exact same problem and so I'm happy to withdraw my suggestions that it isn't from the actual server :eek:

It appears to me on the server I'm looking at that they're coming in through a vulnerable php script, most likely one of the usual candidates (phpBB or phpNuke). However, I've yet to track down which script is being used.

Have you checked that every phpBB installed on the server (if there are any) is definitely running v2.0.17, including phpNuke installations?
 

bigj

Well-Known Member
Aug 9, 2003
75
0
156
Tucson,AZ
chirpy said:
I'm actually looking at another server with the exact same problem and so I'm happy to withdraw my suggestions that it isn't from the actual server :eek:

It appears to me on the server I'm looking at that they're coming in through a vulnerable php script, most likely one of the usual candidates (phpBB or phpNuke). However, I've yet to track down which script is being used.

Have you checked that every phpBB installed on the server (if there are any) is definitely running v2.0.17, including phpNuke installations?
This brings up a good question about phpBB - is there any way to upgrade all the installed versions to the latest code w/o having to log into their control panel and do it that way?

bigj
 

Solokron
Good to hear! Hopefully we can track this down.

As mentioned, I have run a phpbbversion check up to .16 about 8 days ago, but not phpnuke. I have noticed, by grepping the home directories for "qmail", that Nuke and also phpAdsNew generally have a lot of references to qmail. Is there a version check script available for Nuke?


chirpy said:
I'm actually looking at another server with the exact same problem and so I'm happy to withdraw my suggestions that it isn't from the actual server :eek:

It appears to me on the server I'm looking at that they're coming in through a vulnerable php script, most likely one of the usual candidates (phpBB or phpNuke). However, I've yet to track down which script is being used.

Have you checked that every phpBB installed on the server (if there are any) is definitely running v2.0.17, including phpNuke installations?
 

Solokron
If installed via cPanel you can use the add-on update module. Otherwise the following script is useful for sending out warnings and disabling outdated forums with an .htaccess file.

http://www.cplicensing.net/files/scripts/chkphpbbver


bigj said:
This brings up a good question about phpBB - is there any way to upgrade all the installed versions to the latest code w/o having to log into their control panel and do it that way?

bigj
 

chirpy
That mail() patch looks interesting but may not help in this case, because it appears to bypass the local mail server and presumably contains a remailer of its own that it wouldn't pick up.

I have the following on the check for my modified chkphpbbver:
Code:
if($f eq "0" and $s < 17) {
So it locates all phpBB databases that are not running 2.0.17.
 

griz

Well-Known Member
Dec 29, 2001
47
0
306
re

My very similar problem, which Chirpy's been looking at for me, might (knock on wood) be solved.

We updated all versions of phpBB, and no spamcop reports so far this morning.

Note - the cpanel updater tool is great, but doesn't seem to pick up all scripts, unless they have a .addonscgi-phpBB file. Anyone who installed their own script won't have this. Before using the updater, it's necessary to ascertain which version they are running, what database they are using, and create a .addonscgi-phpBB file in the /home/$USER/ folder. At that point, you can use the cpanel script updater to keep it updated.

Griz

PS - I highly recommend Chirpy for server admin jobs. He really knows his stuff.
 

Solokron
Just use phpbbver check. It's beautiful.

griz said:
My very similar problem, which Chirpy's been looking at for me, might (knock on wood) be solved.

We updated all versions of phpBB, and no spamcop reports so far this morning.

Note - the cpanel updater tool is great, but doesn't seem to pick up all scripts, unless they have a .addonscgi-phpBB file. Anyone who installed their own script won't have this. Before using the updater, it's necessary to ascertain which version they are running, what database they are using, and create a .addonscgi-phpBB file in the /home/$USER/ folder. At that point, you can use the cpanel script updater to keep it updated.

Griz

PS - I highly recommend Chirpy for server admin jobs. He really knows his stuff.
 

Solokron
Still happening to this server. Latest versions of phpbb. This morning I watched netstat and sure enough a flood of connections came through port 25. I have the IPs marked and I am grepping logs at the moment.
 

scollins

Active Member
PartnerNOC
Jul 3, 2003
26
0
151
cPanel Access Level
DataCenter Provider
I've seen a handful of servers with this same issue (qmail invoked, random uid and the host is always somethingrandom.realhostname.domain.com). I'm pretty good at tracking these kinds of things down but this one, I must admit, has me stumped. I'm running psacct on two of these machines but I'm still coming up short on this one.

The headers look like they're spoofed but I'm not convinced that this is the case at all:

Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: (qmail 48639 invoked from network); 25 Sep 2005 11:34:51 -0000
Received: from unknown (HELO realhostname.domain.com) (real-ip)
by realhostname.domain.com with SMTP; 25 Sep 2005 11:34:51 -0000
Received: (qmail 51297 invoked by uid 46219); Tue, 27 Sep 2005 18:45:54 +0200 (CEST)
Message-Id: <[email protected]>
From: "name" <[email protected]>
To: "name" <[email protected]>
Date: Tue, 27 Sep 2005 18:45:54 +0200 (CEST)
Subject: pornographic subject line
Mime-Version: 1.0
Content-Type: text/plain


The "Received: from unknown" seems very strange.
 

griz
Dang!

Nope... I just got another spam complaint and the date shows it was sent out today... seems to have slowed down.

I agree... this guy is the slickest I've ever encountered. He leaves absolutely NO footprints in the domlogs, email logs, nada.

Larry