Web Hosting Talk

urgent help - spammers use my server


joachim
02-03-2002, 08:56 AM
Hello,

I just saw that some spammers are using my server. My entry in /etc/mail/access is

localhost.localdomain RELAY
localhost RELAY
127.0.0.1 RELAY

I have several domains which all should use sendmail. I am not so familiar with that. Can
anybody give some advice?

Thanks

jakis
02-03-2002, 12:51 PM
The first action to stop spam is to stop sendmail and start investigating from the spammed message, to find out which way the message was created: by SMTP, by the webserver uid, or by a unique uid if you have suexec for cgi.

Your access file does not allow SMTP relay from external hosts, so it might come from the webserver; now you should dig into the webserver log files.

Do you allow running perl/php? If so, there might be 2 sources of the problem:
- an idiot user runs those damn scripts that send mail
- true spammers out there scan for weaknesses in your webserver like /cgi-bin/formmail.cgi and /cgi-bin/formmail.pl and use that script to send mail out of your server.

Can you show one of the spammed message headers?

joachim
02-03-2002, 01:58 PM
Hello,

Thanks for your quick reply.
I found out that he used a script formmail.pl
which is on the site of a customer.

Here is the header of a returned mail. I changed the
IP to "myip-number" and the hostname to "myprovider" for security reasons.
It is the form result.

I deactivated the script but I normally need it.
Is there a way that it is not used in this way?

Regards, Joachim


<texasfloodus@yahoo.com>:
Sorry your message to texasfloodus@yahoo.com cannot be delivered. This account has
been disabled or discontinued.

--- Original message follows.

Return-Path: <apache@ds-myipnumber.dedicated.myprovider.de>
X-Track: 17856: 2
X-Rocket-Spam: myipnumber
X-YahooFilteredBulk: myipnumber
Received: from dsmyipnumber.dedicated.myprovider.de (myipnumber)
by mta454.mail.yahoo.com with SMTP; 03 Feb 2002 06:34:42 -0800 (PST)
Received: (from apache@localhost)
by dsmyipnumber.dedicated.myprovider.de (8.11.2/8.11.2) id g13FYrP02422;
Sun, 3 Feb 2002 16:34:53 +0100
Date: Sun, 3 Feb 2002 16:34:53 +0100
Message-Id: <200202031534.g13FYrP02422@dsmyipnumber.dedicated.myprovider.de>
To: swirl745@yahoo.com, swtwmiii@yahoo.com, tagasunodnikristo@yahoo.com,
teamokarl@yahoo.com, texasfloodus@yahoo.com
From: HoTTieS007@aol.com ()
Subject: Unlimited access to live webcams and chat for one time $1 fee!!

Hier ist das Ergebnis des Formulars von:
(HoTTieS007@aol.com) on Sunday, February 3, 2002 at 16:34:53
---------------------------------------------------------------------------

: Check this out to find someone you need. Looking for a mate in your area? Looking
to chat with some people live on webcam? Come to this site and be charged only a
one time fee of $1 for unlimited access. Watch people perform right in front of
your eyes...LIVE!!! It's amazing and anywhere else costs you 50 times this price.
What do you have to lose? Enjoy!

http://mail9815.********

Go there to see it all!!!!

jakis
02-03-2002, 03:07 PM
I got this hell last week. There are a dozen users on my server using formmail scripts. So I have nothing to do but disable a formmail that causes problems, then email the domain owners who use formmail that

- They *MUST* remove formmail from their cgi-bin directory
- Don't keep their scripts in the cgi-bin directory, as recommended by CERT http://www.cert.org/advisories/CA-1996-11.html

My users removed it as recommended. Spammers stop calling the URL when they get 404 not found. Some of my users are ignorant, so I must disable the scripts by chmod 600. This causes the spammers to receive a 500 error when calling this URL; however, they won't stop calling until it's removed.

If you're not ready to switch to other mail scripts (php mail is recommended), just moving formmail outside cgi-bin will be enough.

joachim
02-03-2002, 03:54 PM
Thanks,

I tried but I didn't manage to access a perl script outside the cgi-bin.

The entry in httpd.conf is like the following:

ScriptAlias /meincgi/ var/www/www.mydomain.com/mynewcgi/

and

<Directory "/var/www/www.mydomain.com/mynewcgi">
AllowOverride None
Options ExecCGI
Order allow,deny
Allow from all
SetHandler cgi-script
</Directory>

chmod of the script to 755
apache restarted

Did I miss something? Any help would be much appreciated.

Thanks, Joachim

jakis
02-03-2002, 04:16 PM
Not sure how your httpd.conf comes along. But I saw a ScriptAlias /meincgi/ var/www/www.mydomain.com/mynewcgi/ where the / in front of var is missing; did you mistype it?

Did you try to step up one directory from
<Directory "/var/www/www.mydomain.com/mynewcgi"> to
<Directory "/var/www/www.mydomain.com"> ?

joachim
02-03-2002, 04:38 PM
Yes, only a mistype; the leading / is there.

I tried
<Directory "/var/www/www.mydomain.com">

but still get an internal error, even if I start from the html page where the form is.
Are there other values I have to set in httpd.conf?

Joachim

ffeingol
02-03-2002, 05:05 PM
Check the config on formmail. I believe you can set a referer value in formmail.pl. That will only allow the site that is using the script to send mail. If it's not set, then anyone can use it to send mail.

Frank

jakis
02-04-2002, 10:09 AM
joachim, httpd.conf is a long story that requires digging into details, which I think might be out of WHT's scope. Trying to configure it from the beginning would help you pinpoint the problem.

Although the spammed formmail is chmod non-executable, the spammers did not quit. I can't use REFERER since it's not my script, so I don't know where it's referred from. I saw them connecting from "Microsoft URL Control". So I chmod formmail back to executable and add a little script in the header, shown below, which will cause them to receive 404 not found.

#!/usr/bin/perl
# Answer with a bare 404 to requests that carry no User-Agent or the spammer's one
$spam = "Microsoft URL Control";
if (!$ENV{'HTTP_USER_AGENT'} || $ENV{'HTTP_USER_AGENT'} =~ /$spam/) { print "Status: 404 Not Found\n"; exit; }


priyadi
02-04-2002, 01:47 PM
That won't prevent spammers completely; they can easily forge the User-Agent to something like Netscape.

The Referer header is not the solution either, since it can be easily forged too. :(

The best way is to limit the email addresses formmail can send email to. The latest formmail tries to do this, but unfortunately it can be easily bypassed by providing a cleverly crafted email address string.
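A form-to-mail CGI with the recipient restriction priyadi describes, added here as an example and not formmail's own code: the submitted recipient must exactly equal an allow-listed mailbox, and header-breaking characters are rejected outright. It assumes the form posts "recipient", "email" and "message" fields; the addresses and the sendmail path are placeholders.

```perl
#!/usr/bin/perl
# Added example, not formmail's own code. Assumes the HTML form posts
# "recipient", "email" and "message"; addresses and sendmail path are
# placeholders for the site owner's own values.
use strict;
use warnings;
use CGI qw(param header);

# The only mailboxes this script may deliver to (placeholders).
my %allowed = map { lc($_) => 1 }
    ('webmaster@example.com', 'sales@example.com');

# Return the normalised address if it is on the allow-list, otherwise undef.
sub check_recipient {
    my ($raw) = @_;
    return undef unless defined $raw && length $raw;
    # CR/LF would inject extra headers; commas, semicolons, angle brackets
    # or whitespace would smuggle in more recipients. Reject, don't clean.
    return undef if $raw =~ /[\r\n,;<>\s]/;
    my $addr = lc $raw;
    # Exact lookup, not a regex or substring test that a crafted string can fool.
    return exists $allowed{$addr} ? $addr : undef;
}

# Drop CR/LF from a value before it is placed on a header line.
sub header_safe {
    my ($v) = @_;
    $v = '' unless defined $v;
    $v =~ s/[\r\n]//g;
    return $v;
}

my $to = check_recipient(scalar param('recipient'));
unless (defined $to) {
    print header(-status => '403 Forbidden', -type => 'text/plain');
    print "Recipient not permitted.\n";
    exit 0;
}

# Fixed envelope sender so bounces return to the site, not to whatever the
# submitter typed; the submitter's address goes in Reply-To only. List-form
# open() hands the arguments straight to sendmail, with no shell in between.
open(my $mail, '|-', '/usr/sbin/sendmail', '-oi', '-t', '-f', 'www-form@example.com') or die "cannot run sendmail: $!";
my $body = scalar param('message');
$body = '' unless defined $body;
print $mail "To: $to\n",
            "From: Web form <www-form\@example.com>\n",
            "Reply-To: ", header_safe(scalar param('email')), "\n",
            "Subject: Form results\n\n", $body, "\n";
close($mail) or die "sendmail failed: $?";
print header(-type => 'text/plain'), "Thanks, your message was sent.\n";
```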

jakis
02-04-2002, 02:02 PM
I'd be fine if it were my script. But it's not. Many users don't take care of their sites. When a problem like this occurs, disabling their script is a little rude. Nobody knows where this script is referred from. Forcing email is out of the admin's scope? So I hope the spammers don't forge the User-Agent until my users come back and remove it themselves.

priyadi
02-04-2002, 04:48 PM
Originally posted by jakis
I'd be fine if it were my script. But it's not. Many users don't take care of their sites. When a problem like this occurs, disabling their script is a little rude. Nobody knows where this script is referred from. Forcing email is out of the admin's scope? So I hope the spammers don't forge the User-Agent until my users come back and remove it themselves.

You really should put a clause in your TOS that says you have the right to do just that. And if it is only a form mail, I think you should provide a secure one to your users. Lots of other hosts do that. A temporary solution will not be enough; I'm sure spammers will be using it again once they know its weakness, and you are back to square one solving this problem.

Domenico
02-04-2002, 10:15 PM
Tell your users to upgrade formmail to version 1.9
http://worldwidemart.com/scripts/formmail.shtml

Any users who are using the popular version 1.6 or the recently released version 1.7/1.8 should upgrade immediately. The new version prevents unwanted anonymous spamming through your implementation of FormMail and also prevents unwanted access to environment variables. If you are having problems receiving e-mail when using the redirect variable, version 1.9 should cure that as well. The new script has two extra arrays you must now define, but this will not affect current forms or the way they appear after having been submitted.
UPGRADE IMMEDIATELY!

priyadi
02-05-2002, 04:52 AM
Originally posted by Domenico
Tell your users to upgrade formmail to version 1.9
http://worldwidemart.com/scripts/formmail.shtml

1.9 is not completely secure, see http://www.securityfocus.com/bid/3955

Domenico
02-05-2002, 06:51 AM
Originally posted by priyadi
1.9 is not completely secure, see http://www.securityfocus.com/bid/3955

What IS completely secure ?
Oracle9i ?

;)

joachim
02-05-2002, 07:30 AM
Thank you all for your help and comments.
I deactivated my formmail as I noticed the spammer used it.
I haven't managed yet to install my formmail outside the cgi-bin and am thinking of using
cgiemail instead. I already have it on another domain on my server and it works well, but I still do not know whether this could be a security hole, too.

Joachim

jakis
02-05-2002, 10:04 AM
Perl/php form-to-email is the death of us admins. Since the MTA doesn't cooperate with other services like http, there is no warning in the http output when any problem occurs. I.e., if the script goes wrong, such as not passing the sender email to the MTA, the MTA has 2 choices: either do not allow the message to be sent out, or send it using the default server email address, and then the ignorant receiver out there will reply to this invalid address, which is considered incompetent. Rewriting the email header is tough for ordinary people and yet does not work correctly. I hope someday there's a better MTA that will be controlled by http, e.g. showing an error when the sender's address is not in the correct format.

priyadi
02-05-2002, 02:04 PM
Originally posted by jakis
Perl/php form-to-email is the death of us admins. Since the MTA doesn't cooperate with other services like http, there is no warning in the http output when any problem occurs. I.e., if the script goes wrong, such as not passing the sender email to the MTA, the MTA has 2 choices: either do not allow the message to be sent out, or send it using the default server email address, and then the ignorant receiver out there will reply to this invalid address, which is considered incompetent. Rewriting the email header is tough for ordinary people and yet does not work correctly. I hope someday there's a better MTA that will be controlled by http, e.g. showing an error when the sender's address is not in the correct format.

qmail supports several environment variables to control just that. If the script doesn't supply the sender email, a well-configured qmail will automatically supply the default email address. You can control the environment variables from your Apache configuration, so each user can have a different default sender email address. This also applies to the Return-Path address. This wouldn't prevent the case where a user removes the environment variable on purpose, but it is not too often that a user would do something like that.

I don't know about other MTAs, though.

priyadi
02-05-2002, 02:12 PM
Originally posted by Domenico
What IS completely secure ?
Oracle9i ?

;)

A good one :). We need to wait for next version of formmail though. :)

MotleyFool
02-07-2002, 06:19 AM
For your info, Oracle 9iAS [appserver] made the claim that it is unbreakable, and 3 security holes were found in the mod_plsql module of Oracle 9iAS's web server [which is a modified Apache, BTW]!

I think Internet Security should rank among the top 5 oxymorons of all time, along with Control Panel!

But the Oracle DB is indeed secure; in my experience I have found the AS400 to be much more secure than other mid-range systems.

And with Microsoft, security for them means the guy at the entrance with the uniform :D

But I do understand the spirit of your post.. :)

Cheers
Balaji

joachim
02-18-2002, 07:02 PM
Thanks folks,

I have updated to 1.9 and will see whether it helps.
In the near future I will use other programs;
I found many on the internet but I am not sure which script is rather secure. Version 1.9
seems much more reliable.

However, what makes me really angry is that, in spite of the fact that I spent 2 Sundays working on this issue, some people wrote to me:

*********************
¡¡¡REMOVE!!! DO NOT RESPOND BACK WITH THAT SOMEBODY HACKED, STOLEN OR ANY
OTHER LAME EXCUSE ABOUT YOUR SYSTEM. JUST DON'T SEND.

COPY SENT TO TOS

**********************

The guy asked me several times to remove him.
Some people seem not to understand what's going on in the world...

Thanks to those who helped me a lot; maybe I can help in the future.....

joachim