Web Hosting Talk

Help!!! I've been spammed


tymonhall
03-13-2001, 01:15 PM
Well, I really haven't been the one that was spammed, but this morning I went to check my email account that has catch-all set on it, to find that between around 3AM and 5AM my time someone had used some method to send spam mail out from my server. The return address was addressed to my httpd. Does anyone know what could possibly have caused that?

Also, I wanted to know: is there some way that you can limit the amount of mail any one user/IP/whatever can send in an hour or something?

Please anything would be helpful.

Duster
03-13-2001, 04:11 PM
There are a few possibilities. Without knowing what steps your server is configured to prevent, I can only list some possibilities.

1. Someone used an open relay to send spam out through your server. Solution - close relaying.

2. One of your customers sent spam. The solution here is more complex. Limiting the amount of e-mail that can go out will not solve anything and you're only fooling yourself. Spam programs are too sophisticated to be stopped by this measure. They can e-mail in batches.

You'll need to educate yourself about spam and how to prevent it. You can start with sites like MAPS http://mail-abuse.org , CAUCE http://www.cauce.org , Spam Canners http://members.tripod.com/~SpamCanners and links from their sites.

mpalamar
03-13-2001, 05:56 PM
Do you have Matt Wright's formmail.pl script installed?

tymonhall
03-13-2001, 07:27 PM
I installed this for one of the users a few days ago. Also, I am using a Cobalt RaQ3.

mpalamar
03-13-2001, 10:58 PM
Matt Wright's formmail.pl script leaves your system ready to be an open SPAM relay. You have two choices.

1. Remove the script
2. Hard code the recipient variable into the PERL code. Set the recipient variable at the beginning of the script and modify the one or two subroutines to use your new variable instead of the recipient value sent by the form. You will need a new script for each client/email address. When you get a SPAM-proof script, do not keep the name as formmail.pl or your mail box will be filled up with SPAM.

If you have trouble with the mods, email me and I will send you the script.

-Mike

mpalamar
03-14-2001, 10:40 AM
Download the modified formmail.pl scripts here. The first one was modified by Verio and the 2nd one was modified by myself. Instructions are in the script.

http://www.djcafe.com/formmail.txt
http://www.djcafe.com/formmail2.txt

Mike

Nicholas Brown
03-16-2001, 08:38 AM
If I ever catch a spammer on my server, I'll make sure I track him/her down and cut their genitals off with rusty bread knives! :eek:

The same goes for "crackers" too!

[Edited by Nicholas Brown on 03-17-2001 at 02:56 AM]

freakysid
03-16-2001, 08:45 PM
I'm a hacker! I think you mean cracker.

Bob S
03-17-2001, 02:11 AM
Originally posted by tymonhall
Well that around 3AM and 5AM my time someone has used some method to send spam mail out from my server. The return address was addressed to my httpd. Does anyone know what could possibly have caused that?

As someone else pointed out, if you are running Matt Wright's formmail, anyone can access it from anywhere and spam through it. Your address (usually "postmaster@domain") will show as the sender. I was a victim of this exact attack last Friday night, and it was not pleasant. Spammer accessed my formmail and spammed to a list of AOL addresses. Even worse was trying to get the douchebags who were hosting the spammer to nuke his site, but that's another story altogether.

If you are running a copy of formmail, get the update asap. Also, check your server logs for the timeframe you suspect the spam run was made. (if the IP of the inbound connection is 24.177.167.xxx, please contact me privately via email).

Bob Stephenson
bfs@websights1.com

tymonhall
03-17-2001, 02:58 AM
My spammer is using some type of IP-changing program, because my log files said that there were 3 different IPs that were accessing the site at the time.

They also were sending everything to AOL.

Anyway, I removed all of the formmail programs that I could find and emailed all my customers to use the formmail that I had modified.

I'm wondering if it's really formmail that is causing this problem or something else, because the return address is addressed to httpd.

Also made sure I'm not relaying for anyone at this time.

Vladimir
03-17-2001, 03:33 PM
What do you mean by saying "the return address is addressed to httpd"? If it was something like www@localhost, then surely you've been attacked through formmail, or some other CGI like this; you should know better, then, what else your site consists of. Sadly, I don't know much about the mail software that the Cobalt RaQ has inside, but if it's some convenient SMTP daemon, such as sendmail or qmail, consider tweaking and tuning its built-in security rules.

tymonhall
03-17-2001, 05:56 PM
Cobalt uses sendmail, and last night was the first night I was able to rest without getting any spam messages since this started. I think sendmail is set up to return mail to httpd@hostservername.com instead of www@localhost.

Vladimir
03-18-2001, 12:15 PM
Well, that's great. Also, you can modify formmail.pl to grab the username from the path in which it is located, sum it with the domain, and then use the result as a return address instead of hardcoding it into the script itself (if you have formmail in a multiuser environment).

tymonhall
03-18-2001, 01:52 PM
Last night I was attacked again. I think they are a user, or somehow they are using SMTP to send the message.

Anyway, I have formmail.pl set up so that if a user wants it to work on their site, they shoot me an email and I will add them and their email address to the script. So it allows me to have it as a multiuser environment. I set up a shared cgi-bin on the system, which seems to work out great.

Bob S
03-18-2001, 02:53 PM
Originally posted by tymonhall
Last night I was attacked again. I think they are a user, or somehow they are using SMTP to send the message.

What are your logs showing? Have you reported any of this to the owners of the IPs involved? Do you have a copy of the spam that's getting sent out? Have you switched to a more secure version of Formmail?

=Bob

tymonhall
03-19-2001, 12:21 AM
I have done all of the above. No answer on the IP. Formmail is secured: either myself or one of my customers will get all the messages if they try to send mail out. I've checked the logs, but they don't say anything of importance except for who the message was sent to and an IP "which was most likely forged."

I made some modifications to my server, so I hope this helps with something.

tymonhall
03-19-2001, 02:00 PM
I am posting all of this in hopes that someone can help me with figuring out how and who is sending these messages.

-------------Return message from aol postmaster-------------
The original message was received at Mon, 19 Mar 2001 06:25:10 -0500 (EST)
from http://www.cheaphostonline.net [216.234.186.127]


*** ATTENTION ***

Your e-mail is being returned to you because there was a problem with its
delivery. The address which was undeliverable is listed in the section
labeled: "----- The following addresses had permanent fatal errors -----".

The reason your mail is being returned to you is listed in the section
labeled: "----- Transcript of Session Follows -----".

The line beginning with "<<<" describes the specific reason your e-mail could
not be delivered. The next line contains a second error message which is a
general translation for other e-mail servers.

Please direct further questions regarding this message to your e-mail
administrator.

--AOL Postmaster



----- The following addresses had permanent fatal errors -----
<sweetthang133@aol.com>

----- Transcript of session follows -----
... while talking to air-xd03.mail.aol.com.:
>>> RCPT To:<sweetthang133@aol.com>
<<< 550 MAILBOX NOT FOUND
550 <sweetthang133@aol.com>... User unknown

------------End Return Message from aol postmaster----------

There were two attachments

---------------------Attachment 1--------------------------


Reporting-MTA: dns; rly-xd03.mx.aol.com
Arrival-Date: Mon, 19 Mar 2001 06:25:10 -0500 (EST)

Final-Recipient: RFC822; sweetthang133@aol.com
Action: failed
Status: 2.0.0
Remote-MTA: DNS; air-xd03.mail.aol.com
Diagnostic-Code: SMTP; 250 OK
Last-Attempt-Date: Mon, 19 Mar 2001 06:25:18 -0500 (EST)


------------------End Attachment 1-------------------------
Attachment 2 is the spammers message

-------------------Attachment 2----------------------------
What did you get for the last $99 YOU spent?

Do you even remember?

I received $5,500 cash almost immediately!

And, I can help you do the same.. very easily!

Interested?

I have been working "full-time" from home now for ten years.. and
over time have offered people various ways of earning income
from home on a very part-time basis. If you have joined me, you
have probably done very well for yourself.

Just before Christmas, I found what has eluded me for these ten
years. I started just two weeks before Christmas, and by
Christmas Eve, I had $5,500 profit in my hands! and it has just
accelerated since then.

Since Christmas, I have been building a team of real, everyday
people....people like you with regular jobs and
responsibilities... and on a part-time basis they are now
starting to see similar results.

So, I am ready to open this up to others who may have an
interest in learning how to earn money from home... it
is now up to you whether or not you get the full information so
you can see for yourself!

So, if you want to turn $99 today into $5,500 just for
starters.. and a whole bunch more over the coming months and
years...Click on "Reply", or if that does not work,
send your info now to:
itspayday@n2money.com

IN EITHER CASE, INCLUDE THE FOLLOWING INFORMATION:

Your name
Your full phone number
Your time zone
THE BEST TIME TO REACH YOU

Please! I am seeking only serious replies. Only requests with
FULL information provided will be considered.

I will call you with all the details.. no hype.. no pressure ..
no sales call! Just the information.. then YOU be the judge.

What would an extra $5,500 every couple of weeks mean to YOU?

What would an extra $5,500 every couple days mean to you?
It can happen, reply NOW!

If you are not interested, click reply and type
REMOVE.

-----------------End Attachment 2---------------------------
I have sent messages to all of the addresses involved saying quit. Oh, I almost forgot that the message was returned to me by this email address, <httpd@www.cheaphostonline.net>. I have not changed the email settings for my Cobalt RaQ system, so.

Any help will be GREATLY appreciated.

Vladimir
03-19-2001, 07:17 PM
Log into your RaQ and issue this command: telnet mail-abuse.org
After a little while an evil script will shoot your MTA to death with relay attacks, and if you fail some of them, at least you'll understand what the trouble is.

tymonhall
03-28-2001, 02:47 PM
I found my spammer, and I thought everyone might want to know what the user did.

First I thought it was a formmail.pl exploit, but come to find out it was not formmail.pl at all. The user has some sort of PHP script called webspammer v1.0. When I would check my server logs (access logs) I couldn't find anything worth looking at. Well, something told me to check my FTP logs. I thought this might be strange, since you wouldn't have to FTP the formmail.pl script to their server more than once. At this point I thought it was a customer that kept being rebellious with the formmail.pl script. Well, I noticed that a user every day FTPed files up to his site; however, when I went to look for the files they weren't there. So what I did was set up a cron program that every 15 minutes would copy everything from his site to another directory on the server. Sure enough, this morning I got the files he kept FTPing and deleting.

I hope this info helps anyone out there that is having spamming problems. It was fun investigating this, but it is not fun being attacked or having the server abused.
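As an added example of the trick described in the post above (copying a customer's site on a cron schedule so that files uploaded and deleted again between runs are still captured), here is a Perl script of the kind that could be run from cron. It is not tymonhall's cron job and not part of any RaQ software: the two directory arguments, the `seen.txt` bookkeeping file under the vault directory and the subroutine names are my own assumptions. Unlike a plain `cp`, it copies only files it has not captured before (keyed on path, size and mtime), so the vault records each upload once instead of filling with duplicates.

```perl
#!/usr/bin/perl -w
# Added example: snapshot a customer's web directory from cron so that
# files uploaded and deleted again between runs still leave a copy
# behind. Directory layout and the seen.txt bookkeeping are assumptions.
use strict;
use File::Find;
use File::Copy;
use File::Path qw(mkpath);
use File::Basename;

my ($site, $vault) = @ARGV;
die "usage: $0 <site_dir> <vault_dir>\n" unless defined $site && defined $vault;
$site  =~ s{/+$}{};   # no trailing slash, so relative paths come out clean
$vault =~ s{/+$}{};
my $seenfile = "$vault/seen.txt";   # one "path|size|mtime" key per line

# Keys of files captured by earlier runs (empty on the first run).
sub load_seen {
    my ($file) = @_;
    my %seen;
    if (open(my $fh, '<', $file)) {
        while (my $line = <$fh>) {
            chomp $line;
            $seen{$line} = 1 if length $line;
        }
        close $fh;
    }
    return \%seen;
}

sub save_seen {
    my ($file, $seen) = @_;
    open(my $fh, '>', $file) or die "cannot write $file: $!";
    print $fh "$_\n" for sort keys %$seen;
    close $fh;
}

# Copy every regular file under $src that has not been captured before
# into $dst/<timestamp>/, keeping the relative path. Returns what it copied.
sub snapshot {
    my ($src, $dst, $seen) = @_;
    my @t = localtime;
    my $stamp = sprintf('%04d%02d%02d-%02d%02d',
        $t[5] + 1900, $t[4] + 1, $t[3], $t[2], $t[1]);
    my @captured;
    find(sub {
        return if -l $_;        # never follow the customer's symlinks
        return unless -f $_;
        my $rel = substr($File::Find::name, length($src) + 1);
        my @st  = stat $_;
        my $key = join '|', $rel, $st[7], $st[9];   # path, size, mtime
        return if $seen->{$key};                    # captured on an earlier run
        my $target = "$dst/$stamp/$rel";
        mkpath(dirname($target));
        copy($_, $target) or warn "copy $rel failed: $!";
        $seen->{$key} = 1;
        push @captured, $rel;
    }, $src);
    return @captured;
}

my $seen     = load_seen($seenfile);
mkpath($vault);
my @captured = snapshot($site, $vault, $seen);
save_seen($seenfile, $seen);
print scalar(@captured), " new file(s) captured from $site\n";
print "  $_\n" for @captured;
```

A crontab entry of the form `*/15 * * * * /usr/local/sbin/sitewatch.pl /home/sites/site1/web /var/spool/sitewatch/site1` (placeholder paths) runs it every 15 minutes as in the post. The vault directory must lie outside the customer's tree and not be writable by them, or the copies could be cleaned up along with the originals. The timestamp in each subdirectory name can then be lined up against the FTP transfer log and the sendmail log to show which upload preceded which outbound burst.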

searley
05-13-2001, 12:49 PM
I have had a similar problem and seem to have stopped it!

Here is how the attack is made, by creating a URL like:

http://www.somewhere.net/cgi-bin/formmail.pl?email=web%20browser@aol.com&recipient=someone@somename.co.uk&subject=formmail&message=****_spammers

Possible cure (seems to work on mine!):


Change

    if ($ENV{'HTTP_REFERER'}) {
        foreach $referer (@referers) {
            if ($ENV{'HTTP_REFERER'} =~ m|https?://([^/]*)$referer|i) {
                $check_referer = 1;
                last;
            }
        }
    }
    else {
        $check_referer = 1;   # no Referer header at all: request is allowed
    }

TO

    if ($ENV{'HTTP_REFERER'}) {
        foreach $referer (@referers) {
            if ($ENV{'HTTP_REFERER'} =~ m|https?://([^/]*)$referer|i) {
                $check_referer = 1;
                last;
            }
        }
    }
    else {
        $check_referer = 0;   # no Referer header at all: request is refused
    }

The first option says if there is NO referer, let it through; the second says don't.
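The two fixes proposed in this thread, mpalamar's hardcoded recipient and searley's referer change above, fit together as a pair of checks. Here they are as an added Perl example written for this page; it is not the original formmail.pl and not code from either poster. The form names, mail addresses and referer hosts are made-up values, and `%recipients`, `recipient_for`, `referer_ok` and `handle_request` are my own names.

```perl
#!/usr/bin/perl -w
# Added example: the two checks discussed in this thread, written as
# subroutines so they can be dropped into a form-to-mail CGI.
# Form names, addresses and hosts below are made-up values.
use strict;

# mpalamar's fix: recipients live in the script, keyed by a short form
# name. The browser only sends "form=contact"; any "recipient" field in
# the request is simply never looked at.
my %recipients = (
    'contact' => 'webmaster@example.com',
    'orders'  => 'sales@example.com',
);

# Sites allowed to post to this script (the @referers list of formmail.pl).
my @referers = ('www.example.com', 'example.com');

# Look up the mail recipient for a form name; undef means "unknown form".
sub recipient_for {
    my ($form) = @_;
    return undef unless defined $form;
    return $recipients{$form};
}

# searley's change: a missing Referer fails the check instead of passing
# it. The pattern is formmail.pl's, anchored at the start of the string
# and with the host quoted so dots in it are not treated as wildcards.
sub referer_ok {
    my ($referer, @allowed) = @_;
    return 0 unless defined $referer && length $referer;
    foreach my $host (@allowed) {
        return 1 if $referer =~ m|^https?://([^/]*)\Q$host\E|i;
    }
    return 0;
}

# Decide what to do with one request. In the CGI, $form comes from the
# parsed query string and $referer from $ENV{'HTTP_REFERER'}.
sub handle_request {
    my ($form, $referer) = @_;
    return "refused: bad or missing referer" unless referer_ok($referer, @referers);
    my $to = recipient_for($form);
    return "refused: unknown form"           unless defined $to;
    return "ok: mail goes to $to";
}

# Self-check when run from a shell rather than under the web server.
if (!defined $ENV{'GATEWAY_INTERFACE'}) {
    print handle_request('contact', 'http://www.example.com/contact.html'), "\n";
    print handle_request('contact', undef), "\n";
    print handle_request('orders',  'http://evil.example.net/'), "\n";
    print handle_request('anyone@aol.com', 'http://www.example.com/'), "\n";
}
```

Of the two, the hardcoded recipient table is the real control: a request can only ever produce mail to an address the administrator put in the script, whatever the URL says. The referer check is a speed bump, because the Referer header is sent by the client and can be omitted or set to anything, and formmail.pl's own pattern accepts any host that merely contains one of the allowed names.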

Honu
05-14-2001, 01:38 AM
Originally posted by Nicholas Brown
If I ever catch a spammer on my server, I'll make sure I track him/her down and cut their genitals off with rusty bread knives! :eek:

The same goes for "crackers" too!

[Edited by Nicholas Brown on 03-17-2001 at 02:56 AM]

hehehehe
Well, here goes some scary stuff to hear, because it was true.

Nail his little joys of anatomy to the floor and give him a butter knife to get loose.

Oh, and do it in a condemned building.
This happened once in the Seattle area years ago.

scarrrry stuff