Urgent! - Can't trace spammer!

phantom

Sep 17, 2002
Hi,
We have a spammer on one of our servers and we cannot figure out who it is. All of the emails are going out as [email protected].
There is no IP in the headers.

Is there any way to tell who is doing it by the email ID?

Example: [email protected]

We tried tailing all of the exim logs.
Put a check in " do not allow mail to be sent as nobody"
Unchecked mailman

They are still coming in.

We tailed all of the log files, including all of the exim log files,
and we cannot find anything to see who is doing this.

Anyone have any suggestions on how to figure out who is doing this?

Thanks!
 

richy

Jun 30, 2003
grep E1BoplI-0003Nj-Iv /var/log/exim_*

will take some time, but should provide a few clues
 

phantom

Sep 17, 2002
We found out who did it. In the email headers, it shows the directory where the emails were sent from, which revealed the username. This person was using a PHP bulk mailer and the email was made to look like it was sent from US Bank. The URL actually took them to another host where the page was a clone of the US Bank login page. So we're thinking it was some sort of scam to get US Bank customer account numbers and/or credit card numbers.

This person will not get away with it. The moron's IP was logged when signing up for our hosting and it was not a proxy. It came from some school in Illinois, so this person will not be hard to track down.

The bad news is that our server got blocked by a few major ISPs and blacklisted. It will be OK once we contact all of these places and explain what happened.

Anyway, we just added a new feature to our billing system. When people sign up for a hosting account, this new system calls the phone number used during the order. When someone answers, an automated system asks them if they made the purchase. 1 = Yes and 2 = No.

If they press 1, the account is created.
If they press 2, the account does not get created.

That should put an end to fraud...hopefully.

Thanks Richy for taking the time to reply to the thread and for doing it so quickly.
 

gorilla

Feb 3, 2004
phantom said:
We found out who did it. In the email headers, it shows the directory where the emails were sent from, which revealed the username. This person was using a PHP bulk mailer and the email was made to look like it was sent from US Bank. The URL actually took them to another host where the page was a clone of the US Bank login page. So we're thinking it was some sort of scam to get US Bank customer account numbers and/or credit card numbers.

This person will not get away with it. The moron's IP was logged when signing up for our hosting and it was not a proxy. It came from some school in Illinois, so this person will not be hard to track down.

The bad news is that our server got blocked by a few major ISPs and blacklisted. It will be OK once we contact all of these places and explain what happened.

Anyway, we just added a new feature to our billing system. When people sign up for a hosting account, this new system calls the phone number used during the order. When someone answers, an automated system asks them if they made the purchase. 1 = Yes and 2 = No.

If they press 1, the account is created.
If they press 2, the account does not get created.

That should put an end to fraud...hopefully.

Thanks Richy for taking the time to reply to the thread and for doing it so quickly.


This sounds like a great solution. You wanna share with us how you implemented this new anti-fraud solution?
 

tAzMaNiAc

Feb 16, 2003
gorilla said:
This sounds like a great solution. You wanna share with us how you implemented this new anti-fraud solution?
This is not a great solution for people who are deaf. FYI.

Brenden
 

tAzMaNiAc

Feb 16, 2003
Heh.. ;)

Yeah, but they would still have problems hearing what it is saying: push 1 or 2. I am talking about those who were born deaf and did not acquire language with sound. Therefore they would not be able to understand anything on the phone. Calling back would cause them to be on the "discard" list.

Brenden
 

casey

Jan 17, 2003
tAzMaNiAc said:
Therefore they would not be able to understand anything on the phone. Calling back would cause them to be on the "discard" list.
But how would they know to pick up the phone if they couldn't hear it ringing?
 

gorilla

Feb 3, 2004
casey said:
But how would they know to pick up the phone if they couldn't hear it ringing?
Yeah, the deaf wouldn't be able to hear the ring tone!
Anyway, I guess it's a great way to double check the automatic setup process, and if nobody is home, or they are deaf, or have the music playing too loud to hear anything, or are still on dial-up, or whatever other reasons, the system, as I understood it, wouldn't automatically set up the account on the server, but hopefully you could still do this manually after double checking the order. Either way, I guess it's a great concept! :D
So let's hear the ins and outs from the inventor! ;)
 

casey

Jan 17, 2003
I'm just being facetious. I do think it's a good idea. I do hope that it does not cancel the order if the phone is not answered, or if the person is deaf, or if the number is accidentally typed wrong, or whatever. Also, what happens if the number is in a different country? Still okay?
 
Jan 18, 2004
tAzMaNiAc said:
Heh.. ;)

Yeah, but they would still have problems hearing what it is saying: push 1 or 2. I am talking about those who were born deaf and did not acquire language with sound. Therefore they would not be able to understand anything on the phone. Calling back would cause them to be on the "discard" list.

Brenden

This is entirely untrue. Deaf people have a call center they get called up from via telex or something else, maybe the internet by now. In other words, the system speaks to an operator, the operator writes to the deaf person, and he tells her what to do.

My two cents.

Br,

Daniel
 

fct_tom

Jul 21, 2004
Deafness issues

Most of you seem to have some very strange concepts of what happens as far as deaf persons and telephony. I am deaf and have been since the age of six years old.

To clear some things up:

1.) Phone ringing

There are systems available for the deaf and hearing impaired that can cover an individual device or cover the entire home. Basically, when the phone rings it sends a signal to a transmitter which causes a light (or several lights) to flash, or a bed shaker or pager to go off.

2.) Relay calls/callcenter

This scenario would NOT work because, while there are voice-to-text and text-to-voice relays, the automated system would be calling the client directly. In order to use the relay system, the caller must first call the relay number and then have them call the deaf/hearing impaired person. Yes, there are internet-based relay services now; however, these still require contacting relay before contacting the other person. It's simply an IP phone direct to the relay center.

3.) Phone devices

Thanks to modern technology there are several very advanced TDDs (Telecommunication Devices for the Deaf) out there. They range from somewhat heavy units that look like a condensed typewriter, to a lightweight, flip-open screen and keyboard type device. Many of them have advanced features you would expect to find in a PDA or scaled-down computer.

In general, automated systems are a hardship for persons who are deaf or hard of hearing, period. Basically, there is no way for an automated system to verify with a truly deaf person in live time. You would have to put a notice on the site with the number that would be calling to verify, and instructions to push 1 or 2, in writing, when the phone rings. While not a perfect solution, that should work, as most do have caller ID in this day and age, or would be expecting the call immediately after signup.

Hope this clears up some issues.

Tom
 

knipper

Sep 4, 2001
Very good info, fct_tom. Thanks for clarifying the telephony information. This type of info is great to get out. My wife is an interpreter for the deaf, and has been doing this approx. 10 years. She had also worked in a relay service for several years before she started interpreting.

Although this won't help in the automated phone scenario, almost all of the people my wife deals with now use some sort of mobile instant messenger/text messenger system. So they are communicating via text, just as hearing people do on cell phones.

Just an additional FYI.
 

vortex2000

Apr 21, 2004
Didn't work for me!

I followed the steps of:

grep [email protected] /var/log/exim_*

but it only comes up with:

/var/log/exim_mainlog:2004-09-29 02:08:22 1CCXdT-0008K6-Vy <= [email protected] U=nobody P=local S=1736

Does anybody know of any other techniques to track or find who is relaying into my system?

Thanks!
 

richy

Jun 30, 2003
Now search your logs for the message ID 1CCXdT-0008K6-Vy.

The U=nobody makes it appear to be sent from the "nobody" user, which Apache tends to run as (if you aren't using phpSuExec and suExec). You'll have to check your Apache logs at /usr/local/apache/domlogs around that time period. I'd try:

grep kunlebadmose /usr/local/apache/domlogs/*

to see if you can find anything "obvious". If not, try:

grep -F "[29/Sep/2004:02:0" /usr/local/apache/domlogs/* > /root/tempgrep
grep "POST" /root/tempgrep > /root/doublechecktheseresults

which may bring up some "interesting scripts" to double check (webmail.php, formmail.pl, etc.)
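One way to automate the correlation described above (an added example, not code from the thread): parse the exim `<=` line, keep it only when it was submitted as U=nobody, then list POST requests from the domlogs within a few minutes of the message time. The log lines are constructed samples; the sender address is a placeholder and only the message ID is reused from the post.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data (not from the thread): one exim_mainlog receipt line,
# reusing the post's message ID with a placeholder sender, plus a few domlog
# entries in Apache common log format.
EXIM_LINE = ("2004-09-29 02:08:22 1CCXdT-0008K6-Vy <= sender@example.com "
             "U=nobody P=local S=1736")
DOMLOG_LINES = [
    '203.0.113.5 - - [29/Sep/2004:02:07:58 -0400] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [29/Sep/2004:02:08:21 -0400] "POST /tmp/mailer.php HTTP/1.1" 200 41',
    '198.51.100.7 - - [29/Sep/2004:02:15:03 -0400] "POST /formmail.pl HTTP/1.1" 302 0',
    '198.51.100.7 - - [29/Sep/2004:01:30:00 -0400] "GET /formmail.pl HTTP/1.1" 200 10',
]

EXIM_RE = re.compile(r"^(\S+ \S+) (\S+) <= (\S+) (.*)$")
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^ \]]+) [^\]]*\] "(\S+) (\S+)')

def parse_exim(line):
    """Split an exim '<=' (message received) line into
    (timestamp, message_id, sender, {flag: value}); None if it is not one."""
    m = EXIM_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    flags = dict(kv.split("=", 1) for kv in m.group(4).split() if "=" in kv)
    return when, m.group(2), m.group(3), flags

def web_posts_near(exim_line, domlog_lines, window_minutes=5):
    """POST requests logged within +/- window_minutes of a message that the
    web server user (U=nobody) handed to exim. Returns [(client_ip, path)].
    Widen the window for a bulk mailer: one POST can precede many messages."""
    parsed = parse_exim(exim_line)
    if parsed is None or parsed[3].get("U") != "nobody":
        return []  # not a local submission by the web server user
    when, window = parsed[0], timedelta(minutes=window_minutes)
    hits = []
    for line in domlog_lines:
        m = APACHE_RE.match(line)
        if not m or m.group(3) != "POST":
            continue
        t = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S")
        if abs(t - when) <= window:
            hits.append((m.group(1), m.group(4)))
    return hits
```

Both logs are taken to use the server's local time; feed `web_posts_near` the real `<=` line and the concatenated domlogs for the same day.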
 

WestBend

Oct 12, 2003
Here is some info I grabbed from webhostingtalk.com. Unfortunately I did not cut and paste the links when I cut and pasted the text into Notepad the other day to implement on my own server. Hope nobody kills me for not crediting them.

Option A:
Code:
iptables -A OUTPUT --protocol tcp --destination-port 25 --match owner --uid-owner 0 -j ACCEPT
iptables -A OUTPUT --protocol tcp --destination-port 25 -j REJECT

to UNDO the above (if it messes something up for you)

iptables -D OUTPUT --protocol tcp --destination-port 25 --match owner --uid-owner 0 -j ACCEPT
iptables -D OUTPUT --protocol tcp --destination-port 25 -j REJECT
Option B:
Code:
# * * * * * netstat -pan | grep -v 216.180.252.225 | grep -E ":25 [ ]*EST" 2> /dev/null > /root/netstat2.out && ps -wwwwwef >> /root/netstat2.out && cat /root/netstat2.out | mail -s "outgoing port 25 caught" [email protected]

# * * * * * sleep 30 ; netstat -pan | grep -v 216.180.252.225 | grep -E ":25 [ ]*EST" 2> /dev/null > /root/netstat2.out && ps -wwwwwef >> /root/netstat2.out && cat /root/netstat2.out | mail -s "outgoing port 25 caught" [email protected]

We have a mail relay; the server is supposed to send all outgoing email to this relay, then the relay does all the spooling. So open port 25 connections NOT to the relay (grep -v removes the relay from the results) are a dead giveaway something is up, so "if found open port 25 outgoing not to relay", "send results and a ps -wwwef to admin".
 

RandyO

Jun 17, 2003
tAzMaNiAc said:
Heh.. ;)

Yeah, but they would still have problems hearing what it is saying: push 1 or 2. I am talking about those who were born deaf and did not acquire language with sound. Therefore they would not be able to understand anything on the phone. Calling back would cause them to be on the "discard" list.

Brenden
We already post a notice that ALL ORDERS ARE PHONE VERIFIED. Just add a simple tag line to that so that a deaf client could give a valid number for a hearing person to verify the account. A hassle? Yes. Doable? Yes.