Web Hosting Talk

SPOOFING - have question


AH-Tina
08-06-2001, 06:42 PM
Someone, in the last few days, has been sending out massive amounts of spam - and making it look like it came from one of our servers (the headers show one of our nameservers and IPs).

It absolutely is NOT being relayed or sent through our servers in any way. However, I am getting flooded with spam/abuse reports and people urging me to do something about it.

My concern is two-fold:

1. How can I make these people understand that it is NOT one of my users or ANYTHING to do with us?

2. If this many people can't understand that it isn't our fault - what's to prevent us from getting blacklisted?

Anyone ever deal with this before??

--Tina

CagedTornado
08-06-2001, 06:54 PM
Is there ANY other information in the header (other than your very incriminating IP information)? If there is other information in the headers?

Usually mail server handoff looks something like:
Received: from xxx.xx.xx.xxx by hostname

(where xxx.xx.xx.xxx is the IP address of the remote SMTP server the mail is actually coming from.)
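An added example (Python, not code from the thread) of the header check CagedTornado describes: walk the Received: chain from the newest line down, keep only the hops a previously trusted host can vouch for, and compare the addresses those hosts actually recorded against the hosting company's own address space. The sample headers, host names and the 192.0.2.0/24 range are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample headers (not a real report), newest line first: the sender HELO'd as
# the host's nameserver and forged the bottom line; bracketed IPs are what receivers saw.
SAMPLE_HEADERS = """\
Received: from relay.example.org (relay.example.org [203.0.113.7])
\tby mx.recipient.example (Postfix) with ESMTP id 1A2B3C; Mon, 6 Aug 2001 18:20:01 -0400
Received: from ns1.hostco.example (unknown [198.51.100.77])
\tby relay.example.org (8.11.0/8.11.0) with SMTP id f76MJxx; Mon, 6 Aug 2001 18:19:40 -0400
Received: from promo.hostco.example ([192.0.2.10])
\tby ns1.hostco.example with SMTP id 0001; Mon, 6 Aug 2001 18:19:00 -0400
From: "Special Offer" <promo@hostco.example>
"""
RECEIVED_RE = re.compile(
    r"^Received:\s*from\s+(?P<helo>\S+)"                         # name claimed in HELO
    r"(?:\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9.]+)\]\))?"  # what the receiver saw
    r".*?\bby\s+(?P<by>\S+)")

def unfold(raw):
    """Join continuation lines (leading whitespace) back onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in " \t" and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def received_hops(raw):
    return [m.groupdict() for m in map(RECEIVED_RE.match, unfold(raw)) if m]

def trace(raw, our_nets):
    """Walk the chain newest-first; trust a line only if its 'by' host is the one the
    previous trusted hop resolved its source to. Older lines after a hop whose source
    had no reverse DNS ('unknown') cannot be verified and may be forged."""
    nets = [ip_network(n) for n in our_nets]
    hops = received_hops(raw)
    verified = []
    expected_by = hops[0]["by"] if hops else None   # line 1 was written by the receiving MX
    for h in hops:
        if expected_by is None or h["by"] != expected_by:
            break
        verified.append(h)
        expected_by = h["rdns"] if h["rdns"] not in (None, "unknown") else None
    ips = [h["ip"] for h in verified if h["ip"]]
    return {"verified_hops": len(verified), "unverifiable_hops": len(hops) - len(verified),
            "observed_source_ips": ips, "helo_claims": [h["helo"] for h in verified],
            "from_our_network": [ip for ip in ips if any(ip_address(ip) in n for n in nets)]}
```

The `helo_claims` list is what the sender asserted about itself; only `observed_source_ips` comes from hosts that actually handled the message, and in the sample none of those belong to the host's network.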

AH-Tina
08-06-2001, 07:00 PM
Nope. My network administrator, myself and two other web gurus can't see anything that looks like it came from anywhere other than our servers.

However, the bandwidth usage on that server doesn't reflect any kind of massive outgoing emails. Also, we've been tested and retested and tested again - that server is NOT a relay and there is nothing on our logs to show any of our users sending out this amount of email.

Any suggestions?

--Tina

WeinBar Jack
08-06-2001, 07:32 PM
A lot of times when people use the formmail exploit, the server logs will not show the usage.

Check your server for any formmail.pl scripts (or other scripts that may have been renamed from formmail.pl).

Dustbunny
08-07-2001, 02:17 AM
Tina:

Beginning in March, we had a run of spoofing -- it began "innocently" enough with "get rich quick" crap, and then they started sending out "invitations" to porn sites. Needless to say, I was more than a little upset :angry: and confused :confused: about how all this was happening.

It was formmail.pl that was being exploited. Kill that on all of your servers, and let your clients know what is going on ASAP.

This post here (http://webhostingtalk.com/showthread.php?s=&threadid=13650) at WebHostingTalk Forums titled "Alert! - Formmail.pl as Spam server" is how I found out how the spam was going out. :mad:

Duster (<--nice guy, but no "relation" to me! ;)) made this page (http://techcellence.net/gotspammed.htm) about this very problem.

You aren't alone!!! :) Hang in there!

tymonhall
08-07-2001, 03:41 AM
I had a user one time who was sending spam thru my servers. Thru a script he would ftp up to the server, send his spam and then delete the files from the server. If you would like my help in finding out if this is the same guy or a copy cat then let me know.

GordonH
08-07-2001, 05:14 AM
Hello
We had this on a server with only 43 accounts on it.
Nobody on the server had shell access.
None of the mail was going through our SMTP or sendmail.
It was impossible to track down.

What is happening is they are passing the data from the server to an open relay somewhere else.
They do this to prevent their computers IP address appearing in the headers. The mail server the mail comes from is not ours but the one they are connecting to.
How they do it is a mystery.
Without shell access I do not understand how this is possible.
I guess it's some sort of CGI or PHP script.

The problem for us was that out of 43 users, about 10 had been added after the spam started, and of the other 33 many were known to us personally as repeat customers or were people with limited technical knowledge who were not likely candidates for spamming.

Short of terminating all 43 users there was nothing we could do to stop it, but it seemed to dry up eventually.

Gordon



added: I should say that we investigated all 43 accounts and found no suspicious PHP or cgi scripts in any of them.

SI-Chris
08-07-2001, 07:36 AM
Originally posted by tymonhall
I had a user one time who was sending spam thru my servers. Thru a script he would ftp up to the server, send his spam and then delete the files from the server. If you would like my help in finding out if this is the same guy or a copy cat then let me know.
If that's the case then you might be able to find something suspicious in your FTP transfer logs. Look at the time in the e-mail headers to get an idea of where to look in your FTP logs.

AH-Tina
08-07-2001, 07:54 AM
We've checked our logs - nothing. :(

--Tina

AH-Tina
08-07-2001, 07:55 AM
Originally posted by Dustbunny
Tina:

Beginning in March, we had a run of spoofing -- it began "innocently" enough with "get rich quick" crap, and then they started sending out "invitations" to porn sites. Needless to say, I was more than a little upset :angry: and confused :confused: about how all this was happening.

It was formmail.pl that was being exploited. Kill that on all of your servers, and let your clients know what is going on ASAP.

This post here (http://webhostingtalk.com/showthread.php?s=&threadid=13650) at WebHostingTalk Forums titled "Alert! - Formmail.pl as Spam server" is how I found out how the spam was going out. :mad:

Duster (<--nice guy, but no "relation" to me! ;)) made this page (http://techcellence.net/gotspammed.htm) about this very problem.

You aren't alone!!! :) Hang in there!


We actually install formmail.pl on all accounts. However, we know about the security risk and (I thought) my network guy had plugged up the security leak there.

--Tina

Chicken
08-07-2001, 09:48 AM
From what I remember, there were two major points of exploit. One with the recipient address (which could be hard coded instead) and another with the referrer function which allows the script to be run from other locations than it should be able to be run from. Guess you hit those two, but I'm not aware of other exploits and wonder what is the best form mailer to use? Yeah, I know another topic, but maybe it somewhat ties in here (and installing it would kill this problem?).

NyteOwl
08-07-2001, 02:50 PM
If you have telnet/ssh available on your servers it may be that they are telnetting through your server to send the mail that way.
All kinds of tricks. Are these Windows or Unix style servers? There is a small SMTP server requiring minimal setup and space that runs under windows that they may have uploaded, used and then deleted.

AH-Tina
08-07-2001, 02:53 PM
Originally posted by NyteOwl
If you have telnet/ssh available on your servers it may be that they are telnetting through your server to send the mail that way.
All kinds of tricks. Are these Windows or Unix style servers? There is a small SMTP server requiring minimal setup and space that runs under windows that they may have uploaded, used and then deleted.


No Telnet and we only give out SSH by request (so we know the few users that have it). Our servers are all Linux machines.

--Tina

tymonhall
08-07-2001, 06:08 PM
Just FYI, I can create a script that ALL I need is one or two files ftped over that can mail out to thousands of users. I am a beginner programmer so I know that if I can do it any person with some skill can.

When I checked my ftp logs when I had that spammer, I didn't notice anything funny at first. If you have only 43 sites they should not be ftping a lot, so it should be easy to find out who is doing it.

Another thing is, if they are using the formmail.pl exploit, then I have a copy of a script that I got off of here (WHT) a while back that is supposed to keep it from happening. If you need a copy of it let me know.

sbrad
08-07-2001, 06:59 PM
With formmail.pl, if you hard-code the recipient's email address in the script and disable the "get" method, then it plugs the problem. The only problem is, if you hard-code the recipient's email address, it's not portable. I would suggest finding another form script...if this DOES turn out to be the problem.
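An added example (Python rather than Perl, and not formmail.pl's own code) of the two fixes Chicken and sbrad describe: the unpatched behaviour that lets any visitor choose the recipient, beside a handler that hard-codes the recipient, refuses GET and checks the referer host. The inbox address, host names and sample requests are constructed.

```python
from urllib.parse import urlparse

# Constructed values for the example: the site's own inbox and its web host.
RECIPIENT = "sales@hostco.example"
ALLOWED_REFERER_HOSTS = {"www.hostco.example"}

class Rejected(Exception):
    """Raised when a submission is refused; the CGI would return an error page."""

def weak_handler(method, headers, fields):
    """Unpatched behaviour: any method, any referer, recipient taken from the form,
    so anyone who can reach the script can make the host mail whoever they name."""
    return {"to": fields.get("recipient", ""), "subject": fields.get("subject", "form"),
            "body": fields.get("message", "")}

def hardened_handler(method, headers, fields):
    """Hard-coded recipient, POST only, referer host allowlisted. Referer is sent by the
    client and can be set to anything, so the allowlist only stops casual reuse; the
    hard-coded recipient is the control that actually removes the open relay."""
    if method != "POST":
        raise Rejected("GET disabled")
    host = urlparse(headers.get("Referer", "")).hostname
    if host not in ALLOWED_REFERER_HOSTS:
        raise Rejected("referer %r not allowed" % host)
    return {"to": RECIPIENT, "subject": fields.get("subject", "form"),
            "body": fields.get("message", "")}

def dispatch(handler, method, headers, fields):
    """Run a handler; returns ('sent', message) or ('rejected', reason)."""
    try:
        return "sent", handler(method, headers, fields)
    except Rejected as e:
        return "rejected", str(e)

# Constructed abuse attempt: a GET from another site naming the sender's own target.
SPAM_REQUEST = ("GET", {"Referer": "http://other.example/blast.html"},
                {"recipient": "victim@recipient.example", "subject": "get rich quick",
                 "message": "buy now"})
# Constructed legitimate submission from the site's own contact page.
LEGIT_REQUEST = ("POST", {"Referer": "http://www.hostco.example/contact.html"},
                 {"recipient": "sales@hostco.example", "subject": "quote", "message": "hi"})
```

Even when a submission passes the method and referer checks, the hardened handler addresses the mail to the constant `RECIPIENT`, so the form field can no longer turn the script into a relay.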