The Community Forums

Interact with an entire community of cPanel & WHM users!

Spammers are using my server.. how can I stop them

Discussion in 'General Discussion' started by NetX, Jun 19, 2005.

  1. NetX

    I don't know how the spammers are using my server to send out bulk mail.

    I have limited the maximum mails that each domain can send per hour and I have enabled the SMTP Protection.

    Nothing works; my server is being used by the spammers and they are sending more than 100 000 messages (of fraud).

    Of course now my server is listed on all blacklists.....

    IT IS URGENT, I don't know how I can stop them.

    Any help?



    This is an example of a report received (I have changed the server hostname and IP):


    ---spam follows---
    Return-Path: <nobody@mak.myserver.com>
    Delivered-To: compilers@iecc.com
    Received: (qmail 13970 invoked from network); 18 Jun 2005 20:20:11 -0000
    Received: from mak.myserver.com (201.45.75.60)
    by mail.iecc.com with SMTP; 18 Jun 2005 20:20:11 -0000
    Received: from nobody by mak.myserver.com with local (Exim 4.51)
    id 1DjeP2-0001rL-5a
    for compilers@iecc.com; Sat, 18 Jun 2005 09:34:32 -0500
    To: compilers@iecc.com
    Subject: Anti Fraud Alert - Confirm Your eBay Account
    From: Security@eBay.com <Security@eBay.com>
    Reply-To:
    MIME-Version: 1.0
    Content-Type: text/html
    Content-Transfer-Encoding: 8bit
    Message-Id: <E1DjeP2-0001rL-5a@mak.myserver.com>
    Date: Sat, 18 Jun 2005 09:34:32 -0500
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - mak.myserver.com
    X-AntiAbuse: Original Domain - iecc.com
    X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
    X-AntiAbuse: Sender Address Domain - mak.myserver.com
    X-Source:
    X-Source-Args:
    X-Source-Dir:
    X-DCC-IECC-Metrics: tom.iecc.com 1107; bulk Body=many Fuz1=many Fuz2=many

     
  2. webignition

    The example you give is being sent from nobody@mak.myserver.com.

    PHP will, by default, run as the user "nobody", so it is most likely that the account responsible is using PHP to send these messages.

    The best first step would be to enable phpsuexec as this makes PHP run as the account holder, therefore making mail originate from user@mak.myserver.com. This will then help you determine which account is responsible for sending these messages.

    However when you find out which account is responsible, don't automatically assume that the human account holder is to blame - since the messages are being sent out by PHP, it may well be that the account has been compromised and a PHP script has been installed by an external hacker/spammer without the account holder's knowledge or permission.
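
Added example, not part of any post in this thread: the headers of the report in the first post already show how the message entered the server, and this sketch reads them. The function name `injection_point` and the `RELAYED` sample are constructed for illustration; `REPORT` reuses header lines from the first post.

```python
import re
from email import message_from_string

# Headers copied from the report in the first post (body dropped).
REPORT = """\
Return-Path: <nobody@mak.myserver.com>
Received: from mak.myserver.com (201.45.75.60)
 by mail.iecc.com with SMTP; 18 Jun 2005 20:20:11 -0000
Received: from nobody by mak.myserver.com with local (Exim 4.51)
 id 1DjeP2-0001rL-5a
 for compilers@iecc.com; Sat, 18 Jun 2005 09:34:32 -0500
X-AntiAbuse: Primary Hostname - mak.myserver.com
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
X-Source-Dir:

(body omitted)
"""

# Constructed contrast case: same host, but accepted over authenticated SMTP.
RELAYED = """\
Received: from [192.0.2.10] (helo=client.example)
 by mak.myserver.com with esmtpa (Exim 4.51)
 id 1DjeQ7-0002aB-9c
 for someone@example.org; Sat, 18 Jun 2005 09:40:00 -0500

(body omitted)
"""

HOP = re.compile(r"from (\S+).*? by (\S+) with (\S+) \(Exim [^)]*\).*? id (\S+)")
AUTH_PROTOCOLS = {"asmtp", "esmtpa", "esmtpsa"}  # Exim names for AUTH'd SMTP


def injection_point(raw, host):
    """Describe how `host` first received the message, from its own headers."""
    msg = message_from_string(raw)
    # Received headers are prepended, so the last one naming `host` is the
    # hop where the message entered that server.
    hop = None
    for value in msg.get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m and m.group(2) == host:
            hop = m
    if hop is None:
        return None
    sender, _, protocol, exim_id = hop.groups()
    uid = None
    for value in msg.get_all("X-AntiAbuse", []):
        m = re.match(r"Originator/Caller UID/GID - \[(\d+) (\d+)\]", value.strip())
        if m:
            uid = int(m.group(1))
    if protocol == "local":
        path = "local process"      # handed to Exim on the box, not relayed
    elif protocol in AUTH_PROTOCOLS:
        path = "authenticated SMTP"
    else:
        path = "unauthenticated SMTP"
    return {"path": path, "from": sender, "caller_uid": uid, "exim_id": exim_id,
            "source_dir": (msg.get("X-Source-Dir") or "").strip() or None}
```

For the report above this returns a local process running as `nobody` (caller UID 99) with no source directory recorded; the `exim_id` is the value to search for in the Exim main log.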
     
  3. RAIS2

    Additionally, if your server is SENDING those messages, then you may want to contact ebay, as that looks like an ebay `phishing` spam message. First things first though, secure your server by doing as webignition suggested and disable `nobody` from sending email.
     
  4. AndyReed

     
  5. joecool1001

    Looks like they are using your server name as an open relay. Use the SMTP tweak to allow only valid users to use port 25. Also, disallow users to use php scripts that send mail as "nobody". These Phishers are getting out of hand.
     
  6. groefie

    Hi,

    I have the same problem. Each day tens of thousands of spam mails are sent out via our server. I've already enabled the SMTP tweak and disallowed users from using PHP scripts that send mail out as nobody, but that didn't help. ModSecurity, APF and BFD are installed and enabled. Does anyone have an idea how to stop this? :(

    Here's an example of a mail (I've changed the host address to ***):

    Return-path: <nobody@host.***.biz>
    Received: from nobody by host.***.biz with local (Exim 4.44)
    id 1DodOm-0001Sb-Of
    for monicathomaz@seag.es.gov.br; Sat, 02 Jul 2005 10:30:52 +0200
    To: monicathomaz@seag.es.gov.br
    Subject: Novo MSN PLUS, baixe agora o patch e divirta-se!
    FROM:msnplus@msn.com
    content-type: text/html
    X-priority: 1
    Message-Id: <E1DodOm-0001Sb-Of@host.***.biz>
    Date: Sat, 02 Jul 2005 10:30:52 +0200


     
  7. bijo
