Urgent! - Can't trace spammer!

[phantom]

Hi,
We have a spammer on one of our servers and we cannot figure out who it is. All of the emails are going out as [email protected]
There is no ip in the headers.

Is there anyway to tell who is doing it by the email ID?

Example: [email protected]

We tried tailing all of the exim logs.
Put a check in " do not allow mail to be sent as nobody"
Unchecked mailman

They are still coming in.

We tailed all of the logs files including all of the exim log files
and we cannot find anything to see who is doing this.

Anyone have any suggestions on how to figure out who is doing this?

Thanks!

 

[richy]

grep E1BoplI-0003Nj-Iv /var/log/exim_*

will take some time, but should provide a few clues

 

[phantom]

We found out who did it. In the email headers, it shows the directory of where the emails were sent from which reveiled the username. This person was using php bulk mailer and the email was made to look like it was sent from US Bank. The URL actually took them to another host in which the page was a clone of the US Bank longin page. So we're thinking it was some sort of scam to get US Bank customer account numbers and/or credit card numbers.

This person will not get away with it. The moron's IP was logged when signing up for our hosting and it was not a proxy. It came from some school in Illinois so this person wil not be hard to track down.

The bad news is that our server got blocked by a few major ISP's and blacklisted. It will be ok once we contact all of thse places and explain what happened.

Anyway, we just added a new feature to our billing system. When people sign up for a hosting account, this new system calls the phone number used during the order. When someone answers, an automated system asks them if they made the purchase. 1 = Yes and 2 = No.

If they press 1, the account is created.
If they press 2, the account does not get created.

That should put an end to fraud...hopefully.

Thanks Richy for taking the time to reply to the thread and for doing it so quickly.

 

[gorilla]

We found out who did it. In the email headers, it shows the directory of where the emails were sent from which reveiled the username. This person was using php bulk mailer and the email was made to look like it was sent from US Bank. The URL actually took them to another host in which the page was a clone of the US Bank longin page. So we're thinking it was some sort of scam to get US Bank customer account numbers and/or credit card numbers.

This person will not get away with it. The moron's IP was logged when signing up for our hosting and it was not a proxy. It came from some school in Illinois so this person wil not be hard to track down.

The bad news is that our server got blocked by a few major ISP's and blacklisted. It will be ok once we contact all of thse places and explain what happened.

Anyway, we just added a new feature to our billing system. When people sign up for a hosting account, this new system calls the phone number used during the order. When someone answers, an automated system asks them if they made the purchase. 1 = Yes and 2 = No.

If they press 1, the account is created.
If they press 2, the account does not get created.

That should put an end to fraud...hopefully.

Thanks Richy for taking the time to reply to the thread and for doing it so quickly.

This sounds like a great solution, you wanna share with us how you implemented this new anti fraud solution ?

 

[tAzMaNiAc]

This sounds like a great solution, you wanna share with us how you implemented this new anti fraud solution ?

This is not a great solution for people who are deaf.. FYI.

Brenden

 

[PWSowner]

This is not a great solution for people who are deaf.. FYI.

Brenden

That's true, but then if they are deaf, wouldn't they either have a phone specially made for the deaf? Or not have a phone?

I like the idea. Wanna share it with us?

 

[tAzMaNiAc]

Heh..

Yeah but they would still have problems hearing what it is saying.. push 1 or 2. I am talking about those who were born deaf and did not acquire language with sound. Therefore they would not be able to understand anything on the phone. Calling back would cause them to be on the "discard" list.

Brenden

 

[casey]

Therefore they would not be able to understand anything on the phone. Calling back would cause them to be on the "discard" list.

But how would they know to pick up the phone if they couldn't hear it ringing?

 

[gorilla]

But how would they know to pick up the phone if they couldn't hear it ringing?

Yeah the deaf wouldnt be able to hear the ring tone !
Anyway I guess its a great way to double check the automatic set up process and if nobody is home or the are deaf or have the music playing to loud to hear anything or are still on dial up and what ever other reasons , the system , as I understood it, wouldnt automatically setup the account on the server , but hopefully you could still do this manually after double checking the order. Either way , I guess its a great concept ! :D
So lets hear the ins and outs from the inventor !

 

[casey]

I'm just being fecetious. I do think it's a good idea. I do hope that it does not cancel the order if the phone is not answered or if the person is deaf or if the number is accidentally typed wrong or whatever. Also, what happens if the number is in a different country? Still okay?

 

[daniel.eriksson]

Heh..

Yeah but they would still have problems hearing what it is saying.. push 1 or 2. I am talking about those who were born deaf and did not acquire language with sound. Therefore they would not be able to understand anything on the phone. Calling back would cause them to be on the "discard" list.

Brenden

This is entirely untrue. Deaf people have a callcenter they get called up from via telex or something else, maybe internet by now. In other words, The system speaks to an operator, the operator writes to the deaf person and he tells her what to do.

My two cents.

Br,

Daniel

 

[fct_tom]

Deafness issues

Most of you seem to have some very strange concepts of what happens as far as deaf persons and telephony. I am deaf and have been since the age of six years old.

To clear some things up:

1.) Phone ringing

There are systems available for the deaf and hearing impaired that can cover an individual device or cover the entire home. Basically when the the phone rings it sends a signal to a transmitter which causes a light (or several lights) to flash or for a bed shaker or pager to go off.

2.) Relay calls/callcenter

This scencario would NOT work because while there are voice to text and text to voice relays the automated system would be calling the client directly. In order to use the relay system the caller must first call the relay number and then have them call the deaf/hearing impaired person. Yes, there are internet based relay services now, hoewver these still require contacting relay before contacting the other person, its simply an IP phone direct to the relay center.

3.) Phone devices

Thanks to modern technology there are several very advanced TDD (Telecommunication Devices for the Deaf) out there. They range from somewhat heavy units that look like a condensed typewriter, to a lightweight, flip open screen and keyboard type device. Many of them have advanced features you would expect to find in a pda or scaled down computer.

In general, automated systems are a hardship for persons who are deaf or hard of hearing period. Basically there is no way for an automated system to verify with a truly deaf person live time. You would have to put a notice on the site with the number that would be calling to verify and instructions to push 1 or 2 in writing when the phone rings. While not a perfect solution that should work as most do have caller ID in this day and age, or would be expecting the call immediately after signup.

Hope this clears up some issues.

Tom

 

[gorilla]

good stuff, Tom !

 

[knipper]

Very good info ftc_tom. Thanks for clarifying the telephony information. This type of info is great to get out. My wife is an interpreter for the deaf, and has been doing this approx. 10 years. She had also worked in a relay service as well for several years, before she started interpreting.

Although this won't help in the automated phone scenario, almost all of the people my wife deals with now uses some sort of mobile Instant messanger/text messenger system. So they are communicating via text, just as hearing people do on cell phones.

Just an additional FYI.

 

[vortex2000]

Didn't work for me!

I followed the steps of:

grep [email protected] /var/log/exim_*

but it only comes up with:

/var/log/exim_mainlog:2004-09-29 02:08:22 1CCXdT-0008K6-Vy <= [email protected] U=nobody P=local S=1736

Does anybody know of any other techniques to track or find who is relaying into my system?

Thanks!

 

[richy]

Now search your logs for the message ID 1CCXdT-0008K6-Vy.

The U=nobody makes it appear to be sent from the "nobody" user which Apache tends to run as (if you aren't using phpSuExec and suExec). You'll have to check your Apache logs at /usr/locala/apache/domlogs around that time period. I'd try:

grep kunlebadmose /usr/local/apache/domlogs/*

to see if you can find anything "obvious". If not, try:

grep "[29/Sep/2004:02:0]" /usr/local/apache/domlogs/* > /root/tempgrep
grep "POST" /root/tempgrep > /root/doublechecktheseresults

which may bring up some "interesting scripts" to double check (webmail.php , formmail.pl etc etc)

 

[WestBend]

Here is some info i grabbed from webhostingtalk.com unfortunately i did not cut and paste the links when i cut and paste the text into notepad the other day to implement on my own server. Hope nobody kills me for not crediting them.

Option A:

iptables -A OUTPUT --protocol tcp --destination-port 25 -j ACCEPT --match owner --uid-owner 0
iptables -A OUTPUT --protocol tcp --destination-port 25 -j REJECT 

to UNDO the above (if it messes something up for you)

iptables -D OUTPUT --protocol tcp --destination-port 25 -j ACCEPT --match owner --uid-owner 0
iptables -D OUTPUT --protocol tcp --destination-port 25 -j REJECT

Option B:

# * * * * * netstat -pan | grep -v 216.180.252.225 | grep -E ":25 [ ]*EST" 2> /dev/null > /root/netstat2.out && ps -wwwwwef >> /root/netstat2.out && cat /root/netstat2.out | mail -s "outgoing port 25 caught" [email protected]

# * * * * * sleep 30 ; netstat -pan | grep -v 216.180.252.225 | grep -E ":25 [ ]*EST" 2> /dev/null > /root/netstat2.out && ps -wwwwwef >> /root/netstat2.out && cat /root/netstat2.out | mail -s "outgoing port 25 caught" [email protected]

We have a mail-relay, the server is supposed to send all outgoing email to this relay, then the relay does all the spooling. So open port 25 connections NOT to the relay (grep -v removes the relay from the results) is a dead giveaway something is up, so "if found open port 25 outgoing not to relay" "send results and a ps -wwwef to admin"

 

[RandyO]

Heh..

Yeah but they would still have problems hearing what it is saying.. push 1 or 2. I am talking about those who were born deaf and did not acquire language with sound. Therefore they would not be able to understand anything on the phone. Calling back would cause them to be on the "discard" list.

Brenden

We already post a notice that ALL ORDERS ARE PHONE VERIFIED. Just add on a simple tag line to that so that a deaf client could give a valid number to a hearing person to verify the account. Hassle yes, do-able? yes