The Community Forums

Interact with an entire community of cPanel & WHM users!

X-AntiAbuse: Originator/Caller UID/GID format confusion

Discussion in 'General Discussion' started by elliotcooper, Dec 9, 2005.

  1. elliotcooper

    elliotcooper Well-Known Member
    PartnerNOC

    Joined:
    May 18, 2005
    Messages:
    56
    Likes Received:
    0
    Trophy Points:
    6
    I am getting a number of spam notification emails from AOL concerning spam that has been relayed through machines on our network with badly configured formmail scripts.

    The notifications always contain a full header with a line like:

    X-AntiAbuse: Originator/Caller UID/GID - [99 32003] / [47 12]

    and I am not sure how the Originator's and Caller's group IDs and user IDs are arranged.

    Using the above example, is it of the format:

    X-AntiAbuse: Originator/Caller UID/GID - [OriginatorUID OriginatorGID] / [CallerUID CallerGID]

    or

    X-AntiAbuse: Originator/Caller UID/GID - [OriginatorUID CallerUID] / [OriginatorGID CallerGID]

    I tried grepping for the IDs in /etc/passwd and /etc/group to sort this out but got matches in both.

    Any information on this would help me out a lot and mean just a little less filth in your inbox.
     
  2. fikse

    fikse Well-Known Member

    Joined:
    May 10, 2003
    Messages:
    112
    Likes Received:
    0
    Trophy Points:
    16
    Not sure about the IDs, but you can take a quick look at which accounts are sending out the most email; you might be able to pick it up there:

    Main > Email > View Mail Stats


     
  3. internetfab

    internetfab Well-Known Member
    PartnerNOC

    Joined:
    Feb 20, 2003
    Messages:
    336
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Gothenburg, Sweden
    cPanel Access Level:
    DataCenter Provider
    We've also gotten a lot of those messages from AOL and we're indeed sending spam through our servers. They seem to be using BCC through PHP mail() even though we've blocked it with mod_sec.

    We're at a loss right now, don't know quite what to do. Can't block the PHP mail() function for 4000+ accounts either.
     
  4. mbarb

    mbarb Member

    Joined:
    Aug 14, 2001
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    1
    Make your users get secure mail forms that cannot be exploited.

     
  5. nyjimbo

    nyjimbo Well-Known Member

    Joined:
    Jan 25, 2003
    Messages:
    1,125
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    New York
    On our servers it appears to be:

    X-AntiAbuse: Originator/Caller UID/GID - [OriginatorUID OriginatorGID] / [CallerUID CallerGID]


    By the way, we had a lot of "true" spam coming from our servers due to insecure scripts, but mod_security seems to have cleaned up almost all (maybe all) of it.

    What we still have are a lot of customers who forward their local domain mail to their AOL accounts, but when it gets to them there, they send it to a spam box and it/they complain to AOL that "we" are sending them spam. I have told many of my users about how this process works and some were nice enough to turn off whatever tool it is that complains, but some of the "geniuses" refuse to accept the fact that THEY are telling AOL that WE are spamming even though THEY are the ones forwarding the spam to their AOL accounts.

    We went as far as killing many forwards without warning when they either refused to change things or just didn't "get it". Some don't even know the forwarding is off now, as they often 'set and forget' forwarding, sometimes for years.

    A few people continue to do this "complain" function about forwarded spam, and so we get those "Client TOS Notification" messages which show the same headers as you have, but it helps us to see what domain they are forwarding from:

    Message-ID: <26xxx12D.C1CxxD1@realspammer.com>
    Date: Mon, 12 Dec 2005 02:48:40 +0900
    From: "Beverley" <meryl@realspammer.com>
    User-Agent: fostering Program V Mail Client 5.0
    MIME-Version: 1.0
    To: <Undisclosed Recipients>
    Subject: A time teller for you
    Content-Type: text/plain;
    charset="us-ascii"
    Content-Transfer-Encoding: 7bit
    X-AntiAbuse: This header was added to track abuse, please include it with any
    abuse report
    X-AntiAbuse: Primary Hostname - ourserver.com
    X-AntiAbuse: Original Domain - ourgeniususer.com
    X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [26 6]
    X-AntiAbuse: Sender Address Domain - realspammer.com
    X-Source:
    X-Source-Args:
    X-Source-Dir:
    X-AOL-IP: xxx.xxx.xxx.xxx


    So we know who the forwarder is, so we complain to our customer. At some point we will tell the last hardliners that if they don't stop we will have to shut down their accounts.
     
    #5 nyjimbo, Dec 13, 2005
    Last edited: Dec 13, 2005
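To show how the layout nyjimbo reports above (Originator [UID GID] / Caller [UID GID]) applies to the header from the first post, here is an added example that is not part of the original thread: a small Python parser that unfolds the X-AntiAbuse headers, splits the UID/GID line, and resolves each number against passwd and group data. The header block and the passwd/group entries below are constructed for the example (the name-to-ID mappings are illustrative defaults, not taken from any server in the thread). Note that UIDs are looked up only in passwd and GIDs only in group; a number matching in both files is expected, since they are separate namespaces, which is why grepping both files gives no answer on its own.

```python
import re

# Constructed sample passwd/group content (illustrative names, not from the thread).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
"""

SAMPLE_GROUP = """root:x:0:
disk:x:6:
mail:x:12:mail
mailnull:x:47:
nobody:x:99:
"""

# Constructed abuse-report header block; the UID/GID values are the ones from the
# first post. The second line is an RFC 5322 folded continuation (leading space).
ABUSE_REPORT_HEADERS = """X-AntiAbuse: This header was added to track abuse, please include it with any
 abuse report
X-AntiAbuse: Primary Hostname - ourserver.com
X-AntiAbuse: Original Domain - ourgeniususer.com
X-AntiAbuse: Originator/Caller UID/GID - [99 32003] / [47 12]
X-AntiAbuse: Sender Address Domain - realspammer.com
X-Source:
"""

# "[a b] / [c d]" with the layout the thread settles on:
# [OriginatorUID OriginatorGID] / [CallerUID CallerGID]
UID_GID_RE = re.compile(r"^\[(\d+)\s+(\d+)\]\s*/\s*\[(\d+)\s+(\d+)\]$")


def unfold_headers(raw):
    """Return (name, value) pairs, joining folded continuation lines."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line
        headers.append((name.strip(), value.strip()))
    return headers


def parse_uid_gid(value):
    """Parse 'Originator/Caller UID/GID - [a b] / [c d]'; None if malformed."""
    _, sep, ids = value.partition(" - ")
    if not sep:
        return None
    m = UID_GID_RE.match(ids.strip())
    if not m:
        return None
    a, b, c, d = (int(x) for x in m.groups())
    return {"originator_uid": a, "originator_gid": b,
            "caller_uid": c, "caller_gid": d}


def parse_antiabuse(raw):
    """Collect 'X-AntiAbuse: Label - value' fields into a dict keyed by label."""
    fields = {}
    for name, value in unfold_headers(raw):
        if name.lower() != "x-antiabuse":
            continue
        label, sep, rest = value.partition(" - ")
        if not sep:
            continue  # the informational first line carries no field
        if label == "Originator/Caller UID/GID":
            fields["ids"] = parse_uid_gid(value)
        else:
            fields[label] = rest.strip()
    return fields


def parse_id_file(text):
    """Map numeric id -> name for passwd- or group-style lines (name:x:id:...)."""
    ids = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            ids.setdefault(int(parts[2]), parts[0])
    return ids


def resolve_ids(ids, passwd_map, group_map):
    """Resolve UIDs against passwd and GIDs against group, flagging unknown ids."""
    def name(mapping, n):
        return mapping.get(n, "unknown(%d)" % n)
    return {
        "originator": (name(passwd_map, ids["originator_uid"]),
                       name(group_map, ids["originator_gid"])),
        "caller": (name(passwd_map, ids["caller_uid"]),
                   name(group_map, ids["caller_gid"])),
    }


def report(raw_headers, passwd_text, group_text):
    """Parse an abuse-report header block and attach resolved user/group names."""
    fields = parse_antiabuse(raw_headers)
    if fields.get("ids"):
        fields["resolved"] = resolve_ids(fields["ids"],
                                         parse_id_file(passwd_text),
                                         parse_id_file(group_text))
    return fields


if __name__ == "__main__":
    for key, val in report(ABUSE_REPORT_HEADERS, SAMPLE_PASSWD, SAMPLE_GROUP).items():
        print(key, "=>", val)
```

With the constructed data the originator resolves to nobody with an unknown GID 32003 (a high, per-account number, consistent with a script run under the web server's user), while the caller resolves to the mailnull/mail pair; an "unknown(N)" entry tells you to look the number up on the actual server rather than guess.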
  6. Snowman30

    Snowman30 Well-Known Member
    PartnerNOC

    Joined:
    Apr 7, 2002
    Messages:
    681
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    DataCenter Provider
    What rules have you added to mod_sec to stop the BCCing etc. through PHP scripts?
     
