Super SPAM Flooding coming from one of my servers

[brianoz]

Is the IP listed in the bottom (ie first) AOL header one of yours? If so, it must be coming from your server.

It may be leaving your server via a PHP script which is connecting to something other than port 25 on the AOL servers, ie not using your email system at all, and also bypassing any port 25 firewall blocks you have.

Things to check - are there any scripts using sockets and generating mail headers in the account on that IP? (Also why would any traffic leave on that IP at all??) Are there any mail forwarders on that account? Are you sure the port 25 firewall rule is actually working? (for instance, installing APF bypasses the cpanel "SMTP tweak").

 

[heavypredator]

Is the IP listed in the bottom (ie first) AOL header one of yours? If so, it must be coming from your server.

its mine

Things to check - are there any scripts using sockets and generating mail headers in the account on that IP?

how can i do that? is there any tool that can detect this? //edit(sorry didnt read your message right) there is only one account but is it possible for shuch script to be ran from other ip ? i had reports of using 2 others ips as spam source. also there is 400 accounts on that server - how to find this ?

(Also why would any traffic leave on that IP at all??) Are there any mail forwarders on that account? Are you sure the port 25 firewall rule is actually working? (for instance, installing APF bypasses the cpanel "SMTP tweak").

there is one website on this ip, no mail forwarders.

 

[heavypredator]

ok i have made smtp tweak for apf firewall

i added this:

$IPT -A OUTPUT --protocol tcp -d 127.0.0.1 --dport 25 -j ACCEPT
$IPT -A OUTPUT --protocol tcp --dport 25 -m owner --uid-owner 0 -j ACCEPT
$IPT -A OUTPUT --protocol tcp --dport 25 -m owner --gid-owner 12 -j ACCEPT
$IPT -A OUTPUT --protocol tcp --dport 25 -m owner --gid-owner 32002 -j ACCEPT
$IPT -A OUTPUT --protocol tcp --dport 25 -j REJECT

to: /etc/apf/main.rules

i think it should block sending mail without my mail server directly to other servers(already confirmed working with main ip but dunno how to ask telnet to use additional ips) - but can someone confirm that this will work also for additional ips? i think it should since i dont specify main or additional ips in these rules, but need confirmationf from pros

 

[brianoz]

The correct way to do it is via a mod to the /etc/apf/conf.apf file:

##
# [Egress UID match]
# Configure user-id specific egress (outbound) port access. This is a
# more granular feature to limit the scope of egress packet flows with uid
# conditioning. Format is comma seperated and underscore seperator for ranges.
#
# Format: EG_[TCP|UDP]_UID="uid:port"
# Example:
# Allow outbound access to destination port 22 for uid 0
# EG_TCP_UID="0:22"
##

# UID-Match egress (outbound) TCP ports
EG_TCP_UID="0,47:25"

The bottom line is the one I added:
EG_TCP_UID="0,47:25"

What's puzzling about the rest of it is that even if an account has that IP assigned to it, outgoing email and connections normally come from the default IP on the system, unless your version of the OS is different to mine, or I've gotten horribly confused, both of which are possible.

The only way to find scripts using socket is something like:

find /home -name '*.php' -print | xargs grep socket /dev/null

... then repeat using something else instead of "socket" (eg To:, or other mail headers). But I'd certainly start by going through the specific account on that IP with a fine tooth comb.

Have you got the headers for a sample piece of spam? If so, please post them here, obviously with names and numbers changed to preserve security/confidentiality.

 

[chae]

Well if you suspect a spammer then you can temporarily add a few rules to your mod_security ruleset for additional logging so you can later investigate.

EG:

# Find the source of scripts ending email
SecFilterSelective POST_PAYLOAD "@" "pass,log"

Hi Yah,

Added this into my mod_sec to see how it would perform and I can see the actual output reading the raw log files i.e

Content-Type: application/x-www-form-urlencoded
Host: xxxxxxxx.org.nz
Max-Forwards: 10
Pragma: no-cache
User-Agent: Opera/6.04 (Windows 98; U) [en]
Via: 1.1 xxxxxxxx.org.nz
mod_security-message: Warning. Pattern match "@" at POST_PAYLOAD

329
url=http%3A%2F%2Fclik.to%2Ftapki&author=viagra&title=order%20viagra&blog_name=cheap%20viagra&e-mail=chris%40freemail.com&excerpt=viagra%2C%0D%0Abuy%20viagra%2C%0D%0A%3Ca%20href%3D%22http%3A%2F%2Fclik.to%2Ftapki%22%3Eorder%20viagra%3C%2Fa%3E%2C%0D%0Abuy%20viagra%20online%2C%0D%0Acheap%20viagra%2C%0D%0Ageneric%20viagra&action=add
============================

==bf9b7d46==============================
Request: www.xxxxxxx.org.nz 168.176.146.95 - - [19/Jun/2006:06:49:49 -0400] "POST /cgi-bin/movabletype/mt-tb.cgi/321 HTTP/1.1" 403 179 "-" "Opera/6.02 (Windows 2000; U) [en]" - "-"
Handler: cgi-script
----------------------------------------
POST /cgi-bin/movabletype/mt-tb.cgi/321 HTTP/1.1
Accept: */*
Connection: close
Content-Length: 333
Content-Type: application/x-www-form-urlencoded
Date: Mon, 19 Jun 2006 05:59:56 GMT
Forwarded: by http://unprueba.unal.edu.co:8080 (iPlanet-Web-Proxy-Server/3.6-SP9)
Host: xxxxxx.org.nz
Pragma: no-cache
User-Agent: Opera/6.02 (Windows 2000; U) [en]
Via: 1.1 S1PS
mod_security-message: Warning. Pattern match "@" at POST_PAYLOAD

333
url=http%3A%2F%2Fclik.to%2Ftapki&author=buy%20viagra%20online&title=buy%20viagra&blog_name=viagra&e-mail=tommy%40hotmail.com&excerpt=viagra%2C%0D%0Abuy%20viagra%2C%0D%0A%3Ca%20href%3D%22http%3A%2F%2Fclik.to%2Ftapki%22%3Eorder%20viagra%3C%2Fa%3E%2C%0D%0Abuy%20viagra%20online%2C%0D%0Acheap%20viagra%2C%0D%0Ageneric%20viagra&action=add

HTTP/1.1 403 Throttled
Pragma: no-cache
Cache-Control: max-age=-25602239
Expires: Sat, 27 Aug 2005 03:05:47 GMT
Connection: close
Transfer-Encoding: chunked
Content-Type: text/xml; charset=utf-8
--bf9b7d46--


Can you explain how to read this data...is this someone actually sending out spam from one my users web site forms? Someone trying to send out spam through the form? I would suspect that one now checks exim logs to see if they were actually sent ? Seems I've only 2 or 3 sites that actually log enough details to question whether they're being used for sending out SPAM.

Thanks in advance

Chae

 

[nxds]

The bottom line is the one I added:
EG_TCP_UID="0,47:25"

That syntax doesn't work. Instead try:

EG_TCP_UID="0:25,47:25"

 

[mctDarren]

is this someone actually sending out spam from one my users web site forms? Someone trying to send out spam through the form?

Yes! The code result of the post was a 403 (Forbidden) so looks as if the attempt was indeed blocked by mod_security.

 

[brianoz]

Yes! The code result of the post was a 403 (Forbidden) so looks as if the attempt was indeed blocked by mod_security.

Except, it looks like the pattern it's matching against is just "@" which is loose enough to just match email addresses being entered into contact forms. The log excerpts he posted look more like spambots trying to add themselves to blog trackbacks, a pretty standard thing that they do.

You might want to use mail header fields instead, eg To:, Bcc:, Cc: Subject: etc. There are plenty of nice pattern sets out there that you can just pick up and use.

 

[ramprage]

mod_security is catching comment spam posting, not actual email going through the server.
brianoz is correct.