
Urgent! - Can't trace spammer!

Discussion in 'General Discussion' started by phantom, Jul 25, 2004.

  1. phantom

    phantom Well-Known Member

    Joined:
    Sep 17, 2002
    Messages:
    123
    Likes Received:
    0
    Trophy Points:
    16
    Hi,
    We have a spammer on one of our servers and we cannot figure out who it is. All of the emails are going out as nobody@servername.ourdomain.com
    There is no ip in the headers.

    Is there any way to tell who is doing it by the email ID?

    Example: E1BoplI-0003Nj-Iv@servername.ourdomain.com

    We tried tailing all of the exim logs.
    Put a check in "do not allow mail to be sent as nobody"
    Unchecked mailman

    They are still coming in.

    We tailed all of the log files including all of the exim log files
    and we cannot find anything to see who is doing this.

    Anyone have any suggestions on how to figure out who is doing this?

    Thanks!
     
  2. richy

    richy Well-Known Member

    Joined:
    Jun 30, 2003
    Messages:
    276
    Likes Received:
    1
    Trophy Points:
    16
    grep E1BoplI-0003Nj-Iv /var/log/exim_*

    will take some time, but should provide a few clues
     
  3. phantom

    phantom Well-Known Member

    Joined:
    Sep 17, 2002
    Messages:
    123
    Likes Received:
    0
    Trophy Points:
    16
    We found out who did it. In the email headers, it shows the directory of where the emails were sent from, which revealed the username. This person was using a PHP bulk mailer and the email was made to look like it was sent from US Bank. The URL actually took them to another host on which the page was a clone of the US Bank login page. So we're thinking it was some sort of scam to get US Bank customer account numbers and/or credit card numbers.

    This person will not get away with it. The moron's IP was logged when signing up for our hosting and it was not a proxy. It came from some school in Illinois so this person will not be hard to track down.

    The bad news is that our server got blocked by a few major ISPs and blacklisted. It will be ok once we contact all of these places and explain what happened.

    Anyway, we just added a new feature to our billing system. When people sign up for a hosting account, this new system calls the phone number used during the order. When someone answers, an automated system asks them if they made the purchase. 1 = Yes and 2 = No.

    If they press 1, the account is created.
    If they press 2, the account does not get created.

    That should put an end to fraud...hopefully.

    Thanks Richy for taking the time to reply to the thread and for doing it so quickly.
     
  4. gorilla

    gorilla Well-Known Member

    Joined:
    Feb 3, 2004
    Messages:
    699
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Sydney / Australia


    This sounds like a great solution, you wanna share with us how you implemented this new anti-fraud solution?
     
  5. tAzMaNiAc

    tAzMaNiAc Well-Known Member

    Joined:
    Feb 16, 2003
    Messages:
    559
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Sachse, TX
    This is not a great solution for people who are deaf.. FYI.

    Brenden
     
  6. PWSowner

    PWSowner Well-Known Member

    Joined:
    Nov 10, 2001
    Messages:
    2,948
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    ON, Canada
    That's true, but then if they are deaf, wouldn't they either have a phone specially made for the deaf? Or not have a phone?

    I like the idea. Wanna share it with us? ;)
     
  7. tAzMaNiAc

    tAzMaNiAc Well-Known Member

    Joined:
    Feb 16, 2003
    Messages:
    559
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Sachse, TX
    Heh.. ;)

    Yeah but they would still have problems hearing what it is saying.. push 1 or 2. I am talking about those who were born deaf and did not acquire language with sound. Therefore they would not be able to understand anything on the phone. Calling back would cause them to be on the "discard" list.

    Brenden
     
  8. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    If there is trouble, it will find me
    But how would they know to pick up the phone if they couldn't hear it ringing?
     
  9. gorilla

    gorilla Well-Known Member

    Joined:
    Feb 3, 2004
    Messages:
    699
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Sydney / Australia
    Yeah, the deaf wouldn't be able to hear the ring tone!
    Anyway I guess it's a great way to double check the automatic set up process, and if nobody is home, or they are deaf, or have the music playing too loud to hear anything, or are still on dial up, and whatever other reasons, the system, as I understood it, wouldn't automatically set up the account on the server, but hopefully you could still do this manually after double checking the order. Either way, I guess it's a great concept! :D
    So let's hear the ins and outs from the inventor! ;)
     
    #9 gorilla, Jul 26, 2004
    Last edited: Jul 26, 2004
  10. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    If there is trouble, it will find me
    I'm just being facetious. I do think it's a good idea. I do hope that it does not cancel the order if the phone is not answered or if the person is deaf or if the number is accidentally typed wrong or whatever. Also, what happens if the number is in a different country? Still okay?
     
  11. daniel.eriksson

    Joined:
    Jan 18, 2004
    Messages:
    24
    Likes Received:
    0
    Trophy Points:
    1

    This is entirely untrue. Deaf people have a call center they get called up from via telex or something else, maybe internet by now. In other words, the system speaks to an operator, the operator writes to the deaf person and he tells her what to do.

    My two cents.

    Br,

    Daniel
     
  12. fct_tom

    fct_tom Registered

    Joined:
    Jul 21, 2004
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Deafness issues

    Most of you seem to have some very strange concepts of what happens as far as deaf persons and telephony. I am deaf and have been since the age of six years old.

    To clear some things up:

    1.) Phone ringing

    There are systems available for the deaf and hearing impaired that can cover an individual device or cover the entire home. Basically when the phone rings it sends a signal to a transmitter which causes a light (or several lights) to flash or a bed shaker or pager to go off.

    2.) Relay calls/callcenter

    This scenario would NOT work because while there are voice to text and text to voice relays, the automated system would be calling the client directly. In order to use the relay system the caller must first call the relay number and then have them call the deaf/hearing impaired person. Yes, there are internet based relay services now, however these still require contacting relay before contacting the other person; it's simply an IP phone direct to the relay center.

    3.) Phone devices

    Thanks to modern technology there are several very advanced TDDs (Telecommunication Devices for the Deaf) out there. They range from somewhat heavy units that look like a condensed typewriter, to a lightweight, flip open screen and keyboard type device. Many of them have advanced features you would expect to find in a PDA or scaled down computer.

    In general, automated systems are a hardship for persons who are deaf or hard of hearing period. Basically there is no way for an automated system to verify with a truly deaf person live time. You would have to put a notice on the site with the number that would be calling to verify and instructions to push 1 or 2 in writing when the phone rings. While not a perfect solution that should work as most do have caller ID in this day and age, or would be expecting the call immediately after signup.

    Hope this clears up some issues.

    Tom
     
    #12 fct_tom, Jul 26, 2004
    Last edited: Jul 26, 2004
  13. gorilla

    gorilla Well-Known Member

    Joined:
    Feb 3, 2004
    Messages:
    699
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Sydney / Australia
  14. knipper

    knipper Well-Known Member

    Joined:
    Sep 4, 2001
    Messages:
    107
    Likes Received:
    0
    Trophy Points:
    16
    Very good info fct_tom. Thanks for clarifying the telephony information. This type of info is great to get out. My wife is an interpreter for the deaf, and has been doing this approx. 10 years. She had also worked in a relay service as well for several years, before she started interpreting.

    Although this won't help in the automated phone scenario, almost all of the people my wife deals with now use some sort of mobile instant messenger/text messenger system. So they are communicating via text, just as hearing people do on cell phones.

    Just an additional FYI.
     
    #14 knipper, Jul 26, 2004
    Last edited: Jul 26, 2004
  15. vortex2000

    vortex2000 Member
    PartnerNOC

    Joined:
    Apr 21, 2004
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    Didn't work for me!

    I followed the steps of:

    grep kunlebadmose@yahoo.com /var/log/exim_*

    but it only comes up with:

    /var/log/exim_mainlog:2004-09-29 02:08:22 1CCXdT-0008K6-Vy <= kunlebadmose@yahoo.com U=nobody P=local S=1736

    Does anybody know of any other techniques to track or find who is relaying into my system?

    Thanks!
     
  16. richy

    richy Well-Known Member

    Joined:
    Jun 30, 2003
    Messages:
    276
    Likes Received:
    1
    Trophy Points:
    16
    Now search your logs for the message ID 1CCXdT-0008K6-Vy.

    The U=nobody makes it appear to be sent from the "nobody" user which Apache tends to run as (if you aren't using phpSuExec and suExec). You'll have to check your Apache logs at /usr/local/apache/domlogs around that time period. I'd try:

    grep kunlebadmose /usr/local/apache/domlogs/*

    to see if you can find anything "obvious". If not, try:

    grep "[29/Sep/2004:02:0]" /usr/local/apache/domlogs/* > /root/tempgrep
    grep "POST" /root/tempgrep > /root/doublechecktheseresults

    which may bring up some "interesting scripts" to double check (webmail.php, formmail.pl, etc.)
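    The correlation richy describes above (message ID to exim timestamp, then POSTs in the domlogs around that minute), as an added example that is not from the thread. The exim line is the one quoted in the thread; the Apache domlog entries, virtual host names and addresses are constructed, and exim and Apache are assumed to log in the same local time.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data: the exim_mainlog line quoted in the thread plus
# made-up Apache domlog entries (combined log format) for a few virtual hosts.
EXIM_MAINLOG = """\
2004-09-29 02:08:22 1CCXdT-0008K6-Vy <= kunlebadmose@yahoo.com U=nobody P=local S=1736
2004-09-29 02:08:23 1CCXdT-0008K6-Vy => victim@example.net R=lookuphost T=remote_smtp
"""
DOMLOGS = {
    "example.com": """\
198.51.100.7 - - [29/Sep/2004:02:07:55 -0500] "GET /index.html HTTP/1.0" 200 1024 "-" "Mozilla/4.0"
203.0.113.5 - - [29/Sep/2004:02:08:19 -0500] "POST /tools/mailer.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [29/Sep/2004:01:30:02 -0500] "POST /tools/mailer.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
""",
    "other.example": """\
192.0.2.9 - - [29/Sep/2004:02:08:40 -0500] "POST /cgi-bin/formmail.pl HTTP/1.1" 200 88 "-" "curl/7.10"
""",
}

EXIM_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) <= ")
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')

def message_received_at(exim_log, message_id):
    """Timestamp of the '<=' (message received) line for message_id, or None."""
    for line in exim_log.splitlines():
        m = EXIM_RE.match(line)
        if m and m.group(2) == message_id:
            return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return None

def posts_near(domlogs, when, window_minutes=2):
    """(vhost, client_ip, path, timestamp) for every POST within +/- window of `when`.
    Assumes exim and Apache log in the same local time; the Apache UTC offset is ignored."""
    window = timedelta(minutes=window_minutes)
    hits = []
    for vhost, text in domlogs.items():
        for line in text.splitlines():
            m = APACHE_RE.match(line)
            if not m or m.group(3) != "POST":
                continue
            ts = datetime.strptime(m.group(2).split()[0], "%d/%b/%Y:%H:%M:%S")
            if abs(ts - when) <= window:
                hits.append((vhost, m.group(1), m.group(4), ts))
    return sorted(hits, key=lambda h: h[3])

def suspects_for(message_id, exim_log=EXIM_MAINLOG, domlogs=DOMLOGS):
    """Scripts that received a POST around the time exim accepted the message."""
    when = message_received_at(exim_log, message_id)
    return posts_near(domlogs, when) if when else []
```

    On a real cPanel box you would read /var/log/exim_mainlog and build the dictionary from the files under /usr/local/apache/domlogs/ instead of the embedded samples.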
     
  17. WestBend

    WestBend Well-Known Member

    Joined:
    Oct 12, 2003
    Messages:
    173
    Likes Received:
    0
    Trophy Points:
    16
    Here is some info I grabbed from webhostingtalk.com. Unfortunately I did not cut and paste the links when I cut and pasted the text into Notepad the other day to implement on my own server. Hope nobody kills me for not crediting them.

    Option A:
    Code:
    iptables -A OUTPUT --protocol tcp --destination-port 25 -j ACCEPT --match owner --uid-owner 0
    iptables -A OUTPUT --protocol tcp --destination-port 25 -j REJECT 
    
    to UNDO the above (if it messes something up for you)
    
    iptables -D OUTPUT --protocol tcp --destination-port 25 -j ACCEPT --match owner --uid-owner 0
    iptables -D OUTPUT --protocol tcp --destination-port 25 -j REJECT
    
    Option B:
    Code:
    # * * * * * netstat -pan | grep -v 216.180.252.225 | grep -E ":25 [ ]*EST" 2> /dev/null > /root/netstat2.out && ps -wwwwwef >> /root/netstat2.out && cat /root/netstat2.out | mail -s "outgoing port 25 caught" admin@yourdomain.com
    
    # * * * * * sleep 30 ; netstat -pan | grep -v 216.180.252.225 | grep -E ":25 [ ]*EST" 2> /dev/null > /root/netstat2.out && ps -wwwwwef >> /root/netstat2.out && cat /root/netstat2.out | mail -s "outgoing port 25 caught" admin@yourdomain.com
    
    We have a mail-relay; the server is supposed to send all outgoing email to this relay, then the relay does all the spooling. So open port 25 connections NOT to the relay (grep -v removes the relay from the results) are a dead giveaway something is up, so "if found open port 25 outgoing not to relay" "send results and a ps -wwwef to admin".
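    The Option B check above, implemented as a parser over `netstat -pan` output instead of a grep pipeline, as an added example that is not from the thread or from webhostingtalk. The netstat sample is constructed (the relay address is the one in the cron line; the other hosts and PIDs are made up), and it goes slightly beyond the original by also flagging SYN_SENT sockets and reporting the owning process.

```python
import re

# Constructed sample of `netstat -pan` output (Linux); not captured from a real host.
# 216.180.252.225 is the relay address from the thread's cron one-liner.
NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1234/exim
tcp        0      0 192.0.2.10:33021        216.180.252.225:25      ESTABLISHED 1234/exim
tcp        0      0 192.0.2.10:33022        198.51.100.23:25        ESTABLISHED 4567/httpd
tcp        0      0 192.0.2.10:33023        198.51.100.23:25        SYN_SENT    4567/httpd
tcp        0      0 192.0.2.10:80           203.0.113.5:51234       ESTABLISHED 4567/httpd
tcp        0      0 192.0.2.10:33024        198.51.100.99:25        ESTABLISHED -
"""

RELAY = "216.180.252.225"
# Proto, Recv-Q, Send-Q, Local, Foreign, State, PID/Program (LISTEN rows match too).
ROW_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def unexpected_smtp_connections(netstat_text, relay=RELAY,
                                states=("ESTABLISHED", "SYN_SENT")):
    """Outbound SMTP sockets (remote port 25) whose peer is not the mail relay.
    The thread's grep only matches ESTABLISHED; SYN_SENT is included here too,
    so attempts toward a destination that never answers are not missed."""
    findings = []
    for line in netstat_text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        local, foreign, state, owner = m.groups()
        host, _, port = foreign.rpartition(":")  # rpartition keeps IPv6 peers intact
        if port != "25" or host == relay or state not in states:
            continue
        pid, _, program = owner.partition("/")  # netstat prints "-" when it cannot tell
        findings.append({"local": local, "peer": host, "state": state,
                         "pid": pid if pid != "-" else None,
                         "program": program or None})
    return findings

def by_program(findings):
    """Count flagged sockets per owning program ('?' when the owner is unknown)."""
    counts = {}
    for f in findings:
        key = f["program"] or "?"
        counts[key] = counts.get(key, 0) + 1
    return counts
```

    Feed it the real output with `unexpected_smtp_connections(subprocess.run(["netstat", "-pan"], capture_output=True, text=True).stdout)`; an empty list means nothing is talking to port 25 except through the relay.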
     
  18. RandyO

    RandyO Well-Known Member

    Joined:
    Jun 17, 2003
    Messages:
    173
    Likes Received:
    0
    Trophy Points:
    16
    We already post a notice that ALL ORDERS ARE PHONE VERIFIED. Just add on a simple tag line to that so that a deaf client could give a valid number to a hearing person to verify the account. Hassle? Yes. Do-able? Yes.
     