The Community Forums


strange spam problem

Discussion in 'General Discussion' started by alareach, Sep 12, 2003.

  1. alareach

    alareach Well-Known Member

    Joined:
    Aug 12, 2001
    Messages:
    57
    Likes Received:
    0
    Trophy Points:
    6
    Hi,
    Just looking for ideas or help on a 'new one' to us..

    We have a client who got a spam complaint on their main server IP. Now, the spam is NOT being sent from the server or even referencing the server/host/IP on our network, as far as the headers go.
    But, the spammer is sending spam with an advertisement including a URL like:
    http://$hisdomain:30357

    The domain in the spam is not hosted at, or using our network for dns. The link using that odd port number is going to the server's main IP number on our network. Further investigation found that the port number (similar to the one above in my example) is accepting http connections on our box. Spamcop has been assisting us with this and suggested that the box was compromised or has a trojan. We don't really feel the box is compromised, but there may be some security flaw/hole somewhere.

    This has happened about 3 times that we know of in the past month. The problem we have is by the time the spam is reported, we try the link in the email and it is already redirected to 000.000.000.000 and not our box.

    I don't want our IP space to be blacklisted and spamcop has been good at working with us on this since the spam isn't originating from our box, but I am calling out the experts on this board for some suggestions on tracking this down.

    Thanks in advance.

  2. Annette

    Annette Well-Known Member
    PartnerNOC

    Joined:
    Aug 12, 2001
    Messages:
    445
    Likes Received:
    0
    Trophy Points:
    16
    I would look for any recently added accounts first. We encountered this situation on a client's box, and it wound up being a recently added account that had set up a modified BNC to listen for HTTP connections on a random port. The spam sent out would reference the link to the client's servers, which would then bounce the request out through the modified script to the ultimate location. Check the usual locations (/tmp, /var/tmp, /usr/tmp) to make sure nothing has been uploaded via an unsecured PHP script, and check the running processes to ensure that there's nothing out of the ordinary running. IMO, it's highly unlikely to be a trojan and much more likely to be someone who has just found a vulnerability in a client site (or is a spammer signing up for an account) in a situation like this.

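Annette's post above describes the hunt: a listener on an odd port, then /tmp and the process list. The script below is an added example written for this page (it is not code from the thread or from cPanel) that turns those steps into a repeatable check. It pulls the port out of a complaint URL, compares the box's listening TCP sockets against an allowlist of ports a cPanel/WHM server is expected to own, and for anything else reports the owning process and, on a live Linux box, where its binary and working directory live. The `ss -ltnp` output it parses is a constructed sample embedded in the script, and the EXPECTED_PORTS list is an assumption to adjust for your own server.

```shell
#!/bin/sh
# Added example for this thread, not code from the original post.
# Finds listening TCP ports that no expected service should own, which is
# how a spammer's HTTP bouncer on a random high port shows up.

# Ports a cPanel/WHM box normally listens on (assumption: adjust for your box).
EXPECTED_PORTS="21 22 25 53 80 110 143 443 465 587 993 995 2082 2083 2086 2087 2095 2096 3306"

# Constructed sample of `ss -ltnp` output (iproute2 format). On a live box
# replace it with the real command output.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=800,fd=3))
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("httpd",pid=1201,fd=4))
LISTEN 0      128    [::]:25            [::]:*            users:(("exim",pid=950,fd=6))
LISTEN 0      128    0.0.0.0:30357      0.0.0.0:*         users:(("httpd",pid=4471,fd=5))'

# Print the explicit port from a complaint URL such as http://host:30357/x/ ;
# return 1 when the URL carries no port. Hostnames and IPv4 only (assumption).
port_from_url() {
    hostport=${1#*://}        # drop the scheme
    hostport=${hostport%%/*}  # drop the path
    case "$hostport" in
        *:*) printf '%s\n' "${hostport##*:}" ;;
        *)   return 1 ;;
    esac
}

# Read `ss -ltnp` lines on stdin; print "port pid program" for every LISTEN
# socket whose port is not in EXPECTED_PORTS.
unexpected_listeners() {
    while read -r state recvq sendq laddr peer proc; do
        [ "$state" = "LISTEN" ] || continue
        port=${laddr##*:}            # works for 0.0.0.0:80 and [::]:25 alike
        case " $EXPECTED_PORTS " in
            *" $port "*) continue ;;
        esac
        # proc looks like users:(("httpd",pid=4471,fd=5)); take name and pid
        name=$(printf '%s\n' "$proc" | sed -n 's/.*(("\([^"]*\)",pid=\([0-9]*\).*/\1/p')
        pid=$(printf '%s\n' "$proc" | sed -n 's/.*(("\([^"]*\)",pid=\([0-9]*\).*/\2/p')
        printf '%s %s %s\n' "$port" "${pid:-?}" "${name:-?}"
    done
}

# On a live Linux box, describe the process behind a flagged port: owner uid,
# binary path and working directory from /proc. A binary under /tmp, /var/tmp
# or /dev/shm, or one already unlinked ("(deleted)"), is the uploaded-script
# pattern Annette describes. Note that the process name is whatever the
# intruder chose, so "httpd" on port 30357 proves nothing by itself.
describe_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || { printf 'pid %s: not running\n' "$pid"; return 1; }
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null)
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null)
    uid=$(awk '/^Uid:/ { print $2 }' "/proc/$pid/status" 2>/dev/null)
    printf 'pid %s uid %s exe %s cwd %s\n' "$pid" "${uid:-?}" "${exe:-?}" "${cwd:-?}"
    case "$exe $cwd" in
        */tmp/*|*/dev/shm/*|*'(deleted)'*)
            printf '  suspicious: runs from a temp dir or from a deleted binary\n' ;;
    esac
}

# Demo on the constructed sample: which listener does a complaint about
# http://example.test:30357/ad/ point at?
cport=$(port_from_url 'http://example.test:30357/ad/')
printf 'complaint port: %s\n' "$cport"
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners | while read -r p pid name; do
    printf 'unexpected listener: port %s pid %s (%s)\n' "$p" "$pid" "$name"
    if [ "$p" = "$cport" ]; then
        printf '  -> matches the complaint URL; run describe_pid %s on the live box\n' "$pid"
    fi
done
```

The allowlist approach matters more than the specific port: the bouncer moves to a new random port on every victim, so grep for "not one of ours" rather than for the number in the complaint, and feed the pid to describe_pid before killing anything so you keep the path to the uploaded script.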
  3. munk

    munk Member

    Joined:
    Sep 6, 2003
    Messages:
    24
    Likes Received:
    0
    Trophy Points:
    1
    Sounds like a case of collateral spam - namely when spammers fraudulently make reference to your hosts in such a way that complaints or bounces return to you.

    Unfortunately there's not a lot you can do about it but prepare for the fallout in a responsible way such as preparing a policy for it, creating documents ready to mail out to plaintiffs explaining the problem in detail and keeping a keen eye on your mail logs using perhaps a cron job to look for bounces to forged users on your network.

    I found this document very useful regarding this:
    http://www.ja.net/CERT/JANET-CERT/mail/junk/collateral.html

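munk's post suggests a cron job that watches the mail logs for bounces addressed to forged users on your domains. The script below is an added example for this page, not code from the thread, that does exactly that over an Exim main log (Exim is the mail server cPanel ships). The log lines are a constructed sample, and the rejection wording and the log path are assumptions to adjust to your own server. It counts RCPT rejections whose envelope sender is empty (`F=<>`, the marker of a bounce or delivery notification) grouped by the sending host and by the forged local address, so a spike tells you a spam run is abusing your domain before the complaints arrive.

```shell
#!/bin/sh
# Added example for this thread, not code from the original post.
# Watches an Exim main log for "backscatter": bounces and rejections aimed
# at forged users on a domain we host. The "rejected RCPT ... Unknown user"
# wording is an assumption; match it to your own log before relying on it.

# Constructed sample log lines (not real traffic). On a live cPanel box the
# log is /var/log/exim_mainlog (path assumed).
MAILLOG='2003-09-12 04:12:33 H=mx1.example.net [198.51.100.7] F=<> rejected RCPT <zqx1234@hosted.example>: Unknown user
2003-09-12 04:12:35 H=mx1.example.net [198.51.100.7] F=<> rejected RCPT <kjh77@hosted.example>: Unknown user
2003-09-12 04:13:02 H=(relay) [203.0.113.9] F=<> rejected RCPT <zqx1234@hosted.example>: Unknown user
2003-09-12 04:13:10 H=mx1.example.net [198.51.100.7] F=<> rejected RCPT <zqx1234@hosted.example>: Unknown user
2003-09-12 04:14:00 H=smtp.example.org [192.0.2.44] F=<alice@example.org> rejected RCPT <nobody@hosted.example>: Unknown user
2003-09-12 04:15:00 1A1bCd-0001xY-2Z <= bob@example.org H=smtp.example.org [192.0.2.44] P=esmtp S=1234'

# Count rejections whose envelope sender is empty (F=<>), i.e. bounces or
# delivery notifications for mail we never sent, grouped by remote host.
# Output: "count [ip]" lines, busiest host first. The [ip] token sits at a
# varying field position because H= may carry a HELO name, so scan for it.
backscatter_hosts() {
    awk '/ F=<> rejected RCPT </ {
             for (i = 1; i <= NF; i++)
                 if (substr($i, 1, 1) == "[" && substr($i, length($i), 1) == "]") {
                     hosts[$i]++; break
                 }
         }
         END { for (h in hosts) printf "%d %s\n", hosts[h], h }' | sort -rn
}

# Same count grouped by the forged local address the bounces are aimed at
# (the address the spammer put in the From: header).
backscatter_rcpts() {
    awk '/ F=<> rejected RCPT </ {
             for (i = 2; i <= NF; i++)
                 if ($(i - 1) == "RCPT") {
                     r = $i; gsub(/[<>:]/, "", r); rcpts[r]++; break
                 }
         }
         END { for (r in rcpts) printf "%d %s\n", rcpts[r], r }' | sort -rn
}

# Print only hosts at or above a threshold, suitable for a cron-driven alert.
# Example crontab line (paths assumed):
#   0 * * * * /usr/local/sbin/backscatter.sh < /var/log/exim_mainlog | mail -s backscatter root
backscatter_alert() {
    threshold=$1
    backscatter_hosts | awk -v t="$threshold" '$1 >= t'
}

# Demo on the constructed sample.
printf '%s\n' "$MAILLOG" | backscatter_alert 2
```

The line with a real sender (`F=<alice@example.org>`) and the accepted-message line are deliberately excluded: only empty-sender rejections are backscatter, and counting ordinary unknown-user rejections would drown the signal in normal typo traffic.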
  4. alareach

    alareach Well-Known Member

    Joined:
    Aug 12, 2001
    Messages:
    57
    Likes Received:
    0
    Trophy Points:
    6
    This is frustrating. I thank you Annette and munk for your assistance. We are searching for the problem on the box (if it's us) right now.

    I did find out that many others are getting this as well, a quick search at Deja.com found: (warning, adult words in post on NG)

    http://groups.google.com/groups?q=m...0307072257.2d769a31@posting.google.com&rnum=8

    The URL affecting us is similar to the one in the thread above, but definitely goes to the same page in the end.

    :confused:

  5. munk

    munk Member

    Joined:
    Sep 6, 2003
    Messages:
    24
    Likes Received:
    0
    Trophy Points:
    1
    :( Very annoying. I have a similar problem in that spammers use a domain I host in fraudulent 'from:' headers and I get a massive amount of traffic from arbitrary domains sending out either bounces or 'rejected because of spam' to non-existent users on that domain.

    It's very annoying in that this kind of thing could be cut down significantly if only those hosts who are responding to the spam would only use some kind of blackhole list/rbl to check first before accepting or bouncing mails - or better still attempt to verify that the sender actually exists on the 'alleged' domain it comes from before accepting mail or bouncing it.

    Luckily I haven't had any complaints as yet (which is surprising considering the number of mails that appear to have been sent by the spammers). If I did get any I would simply explain to them that this is not a mail from our domain, if you look at the headers carefully you can see this, etc etc. I think any sane RBL server admin would not put you on a blacklist just because a spurious reference to your domain/servers is made - only if the mail actually came from a server/domain you admin might they do that.

  6. Annette

    Annette Well-Known Member
    PartnerNOC

    Joined:
    Aug 12, 2001
    Messages:
    445
    Likes Received:
    0
    Trophy Points:
    16
    free.dv6.net is in fact the very thing that was referenced in the spam complaints about our client's server. It took a bit to track it down on the system, but this was a bouncer the spambag had set up on the client's server, and it was feeding the requests through to the real destination. Drop me a PM if you want some help tracking it, because what the jerk has likely done is set free.dv6.net to your server IP - they will just as quickly change it when their scripts are nuked and move on to the next victim. We wound up temporarily setting a zone on the user's server to point free.dv6.net to localhost while we cleaned up the scripts.

  7. alareach

    alareach Well-Known Member

    Joined:
    Aug 12, 2001
    Messages:
    57
    Likes Received:
    0
    Trophy Points:
    6
    Thanks Annette, PM sent...
    I am inserting this reply to help other users who may run into this as well. Anyone with spam complaints for:
    *.gordontower.com
    *.dv6.net
    should be aware, this is most likely the problem being discussed here. In fact, we saw the domain redirecting to our server yet again last night, then it was resolving to another IP just prior (at hostnoc) so this is going to become a problem for some others as well.

  8. Annette

    Annette Well-Known Member
    PartnerNOC

    Joined:
    Aug 12, 2001
    Messages:
    445
    Likes Received:
    0
    Trophy Points:
    16
    Those two are among the worst (lots of porn spam). Complaints will come in with http://*.domain.com:xxxx/something/ usually, where xxxx is a port number - this is generally a listening port on the abused server which relays the request off to the "real" location. Complaints like these should absolutely not be ignored.

    I sent you an email with some things to check for first. You might also check out this thread over at WHT as a tangential possibility, although the dv6.net scumbags generally use modified bouncers:
    http://www.webhostingtalk.com/showthread.php?threadid=186675

    That thread will also be of use to people getting strange spam reports about mail they can't find in their logs, especially if one of the header lines references an IP that is in the headers as mail.com but actually belongs to Kraft.
