The Community Forums


Spammer and **bypassed** listed in Exim Mail Statistics

Discussion in 'E-mail Discussions' started by Solokron, Sep 23, 2005.

  1. Solokron

    I have an issue with a spammer that I have not been able to track down via logs.

    Enabled feature set:

    Include a list of Pop before SMTP senders in the X-PopBeforeSMTP header when relaying mail. (exim 4.34-30+ required)

    Prevent the user 'nobody' from sending out mail to remote addresses (php and cgi scripts generally run as nobody if you are not using phpsuexec and suexec respectively.)

    Silently Discard all FormMail-clone requests with a bcc: header in the subject line

    Track the origin of messages sent through the mail server by adding the X-Source headers (exim 4.34+ required)

    The SMTP Tweak is enabled.

    Enabled: Verify the existence of email senders.

    Enabled: Discard emails for users who have exceeded their quota instead of keeping them in the queue.

    log_selector = +all


    What concerns me is viewing mail delivery stats via WHM I see a listing for:

    Deliveries by transport
    -----------------------
                    Volume   Messages
    **bypassed**    158KB    7



    Even with log_selector = +all I am not able to track this spammer down.


    Provided below are the mail headers reported to us.

    Return-path: <claywhiting0@meineke.com>
    Received: from defapp07.gatewaydefender.com (unverified [207.180.209.127]) by buckeye-express.com
    (Rockliffe SMTPRA 6.1.20) with ESMTP id <B0015165024@mail.buckeye-express.com> for <genoxxxx@buckeye-express.com>;
    Fri, 23 Sep 2005 06:59:31 -0400
    Received: from yyyyyyyyy.com (Not Verified[xx.xx.xx.xx]) by defapp07.gatewaydefender.com
    id <BK10fbc4eb>; Fri, 23 Sep 2005 06:59:30 -0400
    Received: (qmail 27788 invoked by uid 46782); Sun, 25 Sep 2005 15:46:54 +0200 (CEST)
    Message-Id: <20050925154654.27788.qmail@yyyyyyyyy.com>
    From: "Meira Branson" <claywhiting0@meineke.com>
    To: "genoxxxx" <genoxxxx@buckeye-express.com>
    Date: Sun, 25 Sep 2005 15:46:54 +0200 (CEST)
    Subject: Mom was used by her son
    Mime-Version: 1.0
    Content-Type: text/plain


    I expect more header information as a result of my above enabled features but with **bypassed** appearing in Exim Mail Statistics I am concerned they may be indeed bypassing the system.

    The domain as expected does not exist on the system. No new accounts on the server look questionable. A phpbbversion check scan has been run and versions older than 16 have been disabled +5 days.

    I also run mail-watch on the server which has not reported any accounts.

    I have run the following with no results:

    grep '20050925154654.27788' /var/log/exim_mainlog
    grep 'meineke.com' /var/log/exim_mainlog
    grep 'genoxxxx@buckeye-express.com' /var/log/exim_mainlog
    grep 'mom was used by her son' /var/log/exim_mainlog
    grep -r 'genoxxxx@buckeye-express.com' /home/*


    This is racking my brain as I cannot track this email down and I hope it is not a new exploit in exim.
     
  2. Solokron

    I should also mention server's formmail* helpdesk* cgiemail* real* are all disabled in /usr/local/cpanel/cgi-sys
     
  3. Solokron

    Because these are not appearing in exim I can only suspect these are by a trojanned machine smarthosting through this server.

    We run rootkithunter and tripwire twice a day and they have not found anything, though, so this ought to be fun.
     
  4. IberHosting

    Hello,

    If 207.180.209.127 is not your IP, someone else is using a fake mail to spam from account@servername.com, and then you get all the error mails from the failed mails.
     
  5. Solokron

    Nonsense. That is gatewaydefender.com

     
  6. chirpy

    That email isn't originating from a cPanel server running exim. Either the headers are forged or the initial Received line (read them backwards) clearly shows this:

    Received: (qmail 27788 invoked by uid 46782); Sun, 25 Sep 2005 15:46:54 +0200 (CEST)

    So, it appears to be a joe-job of sorts if that is indeed the original header of the actual spam email.
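As an added illustration (not code from any poster in this thread) of the "read the Received lines backwards" check, the script below walks the header block quoted in the first post from the origin hop outward, records which MTA injected the message and under which uid, counts the hops a relay marked as unverified, and checks for the X-Source / X-PopBeforeSMTP headers that cPanel's Exim stamps only on mail it actually relayed; the sample is re-folded from the page's headers, and the interpretation of "(qmail N invoked by uid U)" as a local qmail injection is standard qmail behaviour, not something the thread itself states.

```python
import re
from email.parser import HeaderParser

# Constructed sample: the header block from the first post, re-folded into
# valid RFC 822 continuation lines (anonymised values as shown on the page).
SAMPLE = """\
Return-path: <claywhiting0@meineke.com>
Received: from defapp07.gatewaydefender.com (unverified [207.180.209.127])
 by buckeye-express.com (Rockliffe SMTPRA 6.1.20) with ESMTP
 id <B0015165024@mail.buckeye-express.com>; Fri, 23 Sep 2005 06:59:31 -0400
Received: from yyyyyyyyy.com (Not Verified[xx.xx.xx.xx])
 by defapp07.gatewaydefender.com id <BK10fbc4eb>; Fri, 23 Sep 2005 06:59:30 -0400
Received: (qmail 27788 invoked by uid 46782); Sun, 25 Sep 2005 15:46:54 +0200 (CEST)
Message-Id: <20050925154654.27788.qmail@yyyyyyyyy.com>
From: "Meira Branson" <claywhiting0@meineke.com>
Subject: Mom was used by her son
"""

QMAIL_LOCAL = re.compile(r"\(qmail \d+ invoked by uid (\d+)\)")
UNVERIFIED = re.compile(r"\b(unverified|not verified)\b", re.I)

def received_hops(raw):
    """Received lines in transit order, origin first: every MTA prepends its
    own line, so the bottom-most one is the first hop (read them backwards)."""
    msg = HeaderParser().parsestr(raw)
    return [" ".join(h.split()) for h in reversed(msg.get_all("Received", []))]

def trace(raw):
    """Where did the message enter the mail system, and does it carry the
    headers cPanel's Exim stamps on mail it actually relayed?"""
    msg = HeaderParser().parsestr(raw)
    hops = received_hops(raw)
    origin = hops[0] if hops else ""
    local = QMAIL_LOCAL.search(origin)  # handed to qmail by a local process, not SMTP
    mid = msg.get("Message-Id", "")
    return {
        "hops": len(hops),
        "origin": origin,
        "origin_mta": ("qmail-local" if local else
                       "qmail-network" if "invoked from network" in origin else "smtp"),
        "origin_uid": int(local.group(1)) if local else None,
        # hops where the relay could not verify the sender's claimed hostname
        "unverified_hops": sum(1 for h in hops if UNVERIFIED.search(h)),
        "message_id_host": mid.rsplit("@", 1)[-1].rstrip(">") if "@" in mid else None,
        # X-Source* / X-PopBeforeSMTP are added only when Exim handles the mail
        "has_exim_tracking": any(k.lower().startswith(("x-source", "x-popbeforesmtp"))
                                 for k in msg.keys()),
    }
```

On the sample, `trace(SAMPLE)` reports a qmail local injection under uid 46782 with none of the Exim tracking headers present, which is why none of the grep commands in the first post could find the message in exim_mainlog.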
     
  7. sv1

    Any update Solokron?
     
  8. Solokron

    Which is why I suspect a trojan is installed bypassing and not utilizing exim.

    I don't know why they would joe-job the server but that is possible as well.

     
  9. Solokron

    "20050925154654.27788.qmail@yyyyyyyyy.com"

    Qmail.
     
  10. chirpy

    I'm actually looking at another server with the exact same problem and so I'm happy to withdraw my suggestions that it isn't from the actual server :eek:

    It appears to me on the server I'm looking at that they're coming in through a vulnerable php script, most likely one of the usual candidates (phpBB or phpNuke). However, I've yet to track down which script is being used.

    Have you checked that every phpBB installed on the server (if there are any) is definitely running v2.0.17, including phpNuke installations?
     
  11. bigj

    This brings up a good question about phpBB - is there any way to upgrade all the installed versions to the latest code w/o having to log into their control panel and do it that way?

    bigj
     
  12. Solokron

    Good to hear! Hopefully we can track this down.

    As mentioned I have run a phpbbversion check up to .16 about 8 days ago but not phpnuke. I have noticed by grepping out the home directories for "qmail" that nuke and also phpAdsNew generally have a lot of references to qmail. Is there a ver check script available for nuke?


     
  13. Solokron

    If installed via cPanel you can use the add-on update module. Otherwise the following script is useful in sending out warnings and disabling outdated forums with an .htaccess file.

    http://www.cplicensing.net/files/scripts/chkphpbbver


     
  14. Solokron

  15. chirpy

    That mail() patch looks interesting but may not help in this case because it appears to bypass the local mail server and presumably contains a remailer of its own that it wouldn't pick up.

    I have the following on the check for my modified chkphpbbver:
    Code:
    if($f eq "0" and $s < 17) {
    So it locates all phpBB databases that are not running at 2.0.17
     
  16. griz

    re

    My very similar problem, which Chirpy's been looking at for me, might (knock on wood) be solved.

    We updated all versions of phpBB, and no spamcop reports so far this morning.

    Note - the cpanel updater tool is great, but doesn't seem to pick up all scripts, unless they have a .addonscgi-phpBB file. Anyone who installed their own script won't have this. Before using the updater, it's necessary to ascertain which version they are running, what database they are using, and create a .addonscgi-phpBB file in the /home/$USER/ folder. At that point, you can use the cpanel script updater to keep it updated.

    Griz

    PS - I highly recommend Chirpy for server admin jobs. He really knows his stuff.
     
  17. Solokron

    Just use phpbbver check. It's beautiful.

     
  18. Solokron

    Still happening to this server. Latest versions of phpbb. This morning I watched netstat and sure enough a flood of connections came through port 25. I have the IPs marked and I am grepping logs at the moment.
     
  19. scollins

    I've seen a handful of servers with this same issue (qmail invoked, random uid and the host is always somethingrandom.realhostname.domain.com). I'm pretty good at tracking these kinds of things down but this one I must admit has me stumped. I'm running psacct on two of these machines but I'm still coming up short on this one.

    The headers look like they're spoofed but I'm not convinced that this is the case at all:

    Return-Path: <x@x>
    Delivered-To: x@x
    Received: (qmail 48639 invoked from network); 25 Sep 2005 11:34:51 -0000
    Received: from unknown (HELO realhostname.domain.com) (real-ip)
    by realhostname.domain.com with SMTP; 25 Sep 2005 11:34:51 -0000
    Received: (qmail 51297 invoked by uid 46219); Tue, 27 Sep 2005 18:45:54 +0200 (CEST)
    Message-Id: <20050927184554.51297.qmail@fakename.realhostname.domain.com>
    From: "name" <x@x>
    To: "name" <x@x>
    Date: Tue, 27 Sep 2005 18:45:54 +0200 (CEST)
    Subject: pornographic subject line
    Mime-Version: 1.0
    Content-Type: text/plain


    The "Received: from unknown" seems very strange.
     
  20. griz

    Dang!

    Nope...I just got another spam complaint and the date shows it sent out today.....seems to have slowed down.

    I agree...this guy is the slickest I've ever encountered. He leaves absolutely NO footprints in the domlogs, email logs, nada.

    Larry
     