  1. #1
    Join Date
    Dec 2002
    Location
    Sibiu, Romania
    Posts
    241

    How to stop / limit outgoing spam when a client has an infected computer.

    In the last 2 months I had 2 cases where a client's computer was infected and his email address was used to send spam messages, but not from their IP, from different IP addresses, probably other infected computers.

    I have WHM/cPanel and did the following things so far :

    1. Activated SMTP headers so I can track PHP scripts that send spam (not the case now)
    2. Scan outgoing messages with SpamAssassin
    3. Limit outgoing emails / hour based on their hosting package (50 - 500 emails / hour)

    The client that called me today told me he had 600 mailer-daemon messages in his inbox. I found another ~100 messages in the server queue from the same domain, and the messages were not all containing a link in the text body. I have attached 2 sample messages with headers as I found them in the server queue.

    This client has his package limited to 100 emails / hour; the client that was infected in August had a limit of 500 mails/hour, and in the queue of my server I found 18000 emails that were not yet sent because the client had reached the limit. All emails came from different IPs but the same username/password.


    What do you guys do to limit the outgoing spam ?

    PS. The first thing I do is to change the client's email password, then contact him to scan his computers with Malwarebytes and HitmanPro. After they confirm the computers are cleaned I give them the password.

    Code:
    Headers spool file
    1VRF4w-0003rl-HN-H
    mailnull 47 12
    <s....a.s........a@p......m.ro>
    1380692070 0
    -helo_name localhost
    -host_address 27.6.149.235.4261
    -host_auth courier_login
    -interface_address x3.xx5.x2.xx1.25
    -received_protocol esmtpa
    -aclc _outgoing_spam_scan 1
    1
    -body_linecount 9
    -max_received_linelength 77
    -auth_id s....a.s........a@p......m.ro
    -host_lookup_failed
    -spam_score_int 5
    NN >s....a.s........a@p......m.ro:wade.landis@wnco.com
    1
    wade.landis@wnco.com
    
    234P Received: from [27.6.149.235] (port=4261 helo=localhost)
    	by secure4.xxxxxxxxxd.com with esmtpa (Exim 4.80.1)
    	(envelope-from <s....a.s........a@p......m.ro>)
    	id 1VRF4w-0003rl-HN
    	for wade.landis@wnco.com; Wed, 02 Oct 2013 08:34:32 +0300
    033F From: s....a.s........a@p......m.ro
    025T To: wade.landis@wnco.com
    051  Subject: What an EXPLOSIVE week for our portfolio!
    038  X-OutGoing-Spam-Status: No, score=0.5
    Data spool file
    1VRF4w-0003rl-HN-D
    BUY LOW and GAIN! Even With Economy In Crapper, this stock Will Succeed!
    
    Sym: S GA-E
    Company Name: SIGA RESOURCES, CORP
    Short Term Target: $0.50
    Buy it at: .02
    Trading Date: Wed, October 2nd
    
    It Moves Forward! This Stock Could Spark A Series Of Market Reactions, Today.
    Code:
    Headers spool file
    1VRFml-0004oI-Ca-H
    mailnull 47 12
    <sssssa.ssssssssa@pssssssm.ro>
    1380694787 0
    -helo_name localhost
    -host_address 202.178.80.13.1151
    -host_name kcc-202-178-80-13.kamakuranet.ne.jp
    -host_auth courier_login
    -interface_address 13.111.12.111.25
    -received_protocol esmtpa
    -aclc _outgoing_spam_scan 1
    1
    -body_linecount 23
    -max_received_linelength 101
    -auth_id sssssa.ssssssssa@pssssssm.ro
    -spam_score_int 5
    XX
    1
    els.ansar@ua.ac.be
    
    264P Received: from kcc-202-178-80-13.kamakuranet.ne.jp ([202.178.80.13]:1151 helo=localhost)
    	by secure4.xxxxxxxxd.com with esmtpa (Exim 4.80.1)
    	(envelope-from <sssssa.ssssssssa@pssssssm.ro>)
    	id 1VRFml-0004oI-Ca
    	for els.ansar@ua.ac.be; Wed, 02 Oct 2013 09:19:48 +0300
    033F From: sssssa.ssssssssa@pssssssm.ro
    023T To: els.ansar@ua.ac.be
    024  Subject: Kseniya to you
    038  X-OutGoing-Spam-Status: No, score=0.5
    Data spool file
    1VRFml-0004oI-Ca-D
    Hello dear friend!
    I hope that you will like to read this letter and answer to me.
    My name is Kseniya. I'm from Russian Federation. I'm serious woman, without pernicious habits!
    I'm looking for serious relations with good man from Europe. I dreamed to visit Europe all last time!
    I hope that my dream will come be true very soon!
    I'm 29 years old, blonde hairs and grey-blue eyes...
    I'm tall! My height is 175 cm only. My weight is 57 kg. I'm good woman :)
    I'm not very beauty woman, but not ugly also :) I have "GOLD" heart, which open for LOVE.
    I have a good chance to come to Europe this month!
    So if you wish to get relations with me, I will be very happy to get your answer!
    I would like more about yourself (age, city, hobbies, work, etc)
    I think that you have interest how I found your e-mail address. Right?
    Ok, I got your e-mail via Internet dating agency www.worlddating.ru 
    I gave to them my letter and they sent it to you!
    If you will answer to me I will write to you more about myself!!!
    Also I will send more photos! Ok?
    
    IMPORTANT! I'm looking for serious relations only!!! Not sex and games!
    
    Please, answer to my regular e-mail: gus.ksyu@bk.ru
    
    Best regards,
    Kseniya from Russia
    Attached: email_stats_4.jpg

  2. #2
    Join Date
    May 2013
    Location
    Dubai, UAE
    Posts
    283
    Loving the Russian woman email! On topic, though, I don't think I understand what you're looking to do. Is the client infected or the server itself infected/rootkit'd?

  3. #3
    Join Date
    Dec 2002
    Location
    Sibiu, Romania
    Posts
    241
    The client was infected, not the server. And the virus probably stole his password and used it to send emails through my server from different IP addresses, correctly authenticating with this client's email address and password.

    All emails sent have the same -auth_id sssssa.ssssssssa@pssssssm.ro

    My question is what I can do to detect if an outgoing mail is spam or not. As you can see, both mails had a very low score even though the emails were actually spam: X-OutGoing-Spam-Status: No, score=0.5

    If a client has a limit of 500 mails/hour and I only notice this after a few hours, or if this happens in the middle of the night, the server will send a few thousand mails, which for sure will get my IP blacklisted.
    Last edited by ovisopa; 10-02-2013 at 09:51 AM.
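The spool headers quoted above carry the one signal the spam score misses: the same -auth_id authenticating (esmtpa, courier_login) from unrelated client addresses within minutes. The following is an added example written for this page, not code from the thread or from cPanel/Exim. It parses -H spool headers in the layout shown (the -host_address value is the client IP with the port appended, -spam_score_int is the SpamAssassin score times ten) and flags any account whose password has been used from several distinct IPs inside a sliding window. The sample headers, account names, IPs and thresholds are constructed for the example.

```python
from collections import defaultdict


def make_spool_header(msg_id, auth_id, client_ip, client_port, received_at, score_int=5):
    """Build a constructed Exim -H spool header in the layout quoted in the thread.
    Only the fields the detector reads are reproduced; all values are made up."""
    return "\n".join([
        f"{msg_id}-H",
        "mailnull 47 12",
        f"<{auth_id}>",
        f"{received_at} 0",
        "-helo_name localhost",
        f"-host_address {client_ip}.{client_port}",  # Exim appends .<port> to the IP
        "-host_auth courier_login",
        "-interface_address 198.51.100.1.25",
        "-received_protocol esmtpa",
        "-aclc _outgoing_spam_scan 1",
        "1",                                         # value line of the -aclc entry
        f"-auth_id {auth_id}",
        f"-spam_score_int {score_int}",              # SpamAssassin score x 10
        "NN",
        "1",
        "victim@example.net",
        "",
    ])


BASE = 1380692070  # constructed base timestamp (seconds since the epoch)
SAMPLE_SPOOL_HEADERS = [
    # one leaked account: four messages from three client IPs inside 30 minutes
    make_spool_header("1VRF4w-0003rl-HN", "user@example.ro", "203.0.113.10", 4261, BASE),
    make_spool_header("1VRF5x-0003rm-AA", "user@example.ro", "203.0.113.10", 4302, BASE + 600),
    make_spool_header("1VRF7z-0003rn-BB", "user@example.ro", "203.0.113.77", 1151, BASE + 1200),
    make_spool_header("1VRFA1-0003ro-CC", "user@example.ro", "192.0.2.200", 2020, BASE + 1800),
    # a healthy account sending from its single office address
    make_spool_header("1VRF4y-0003rp-DD", "office@example.ro", "203.0.113.5", 5000, BASE),
    make_spool_header("1VRF4z-0003rq-EE", "office@example.ro", "203.0.113.5", 5001, BASE + 60),
]


def split_host_address(value):
    """Exim writes -host_address as <ip>.<port>; split the trailing port off."""
    ip, sep, port = value.rpartition(".")
    if not sep or not port.isdigit():
        return value, None
    return ip, int(port)


def parse_spool_header(text):
    """Parse one -H spool file into a dict of the fields we care about."""
    lines = text.splitlines()
    rec = {
        "message_id": lines[0][:-2] if lines[0].endswith("-H") else lines[0],
        "received_at": int(lines[3].split()[0]),   # 4th line: arrival time, warning count
    }
    for line in lines[4:]:
        # Option lines start with '-'. The -aclc value line, the NN/XX flag line
        # and the recipient list do not, so they are skipped.
        if not line.startswith("-"):
            continue
        name, _, value = line[1:].partition(" ")
        rec[name] = value
    rec["source_ip"], rec["source_port"] = split_host_address(rec.get("host_address", ""))
    rec["spam_score"] = int(rec.get("spam_score_int", "0")) / 10.0
    return rec


def flag_shared_credentials(records, window_seconds=3600, max_distinct_ips=3):
    """Return {auth_id: sorted list of IPs} for every authenticated account whose
    password was used from at least max_distinct_ips client addresses within
    any window_seconds-long window. The spam score is deliberately ignored."""
    by_account = defaultdict(list)
    for r in records:
        if r.get("received_protocol") == "esmtpa" and r.get("auth_id"):
            by_account[r["auth_id"]].append(r)
    flagged = {}
    for account, recs in by_account.items():
        recs.sort(key=lambda r: r["received_at"])
        for i, newest in enumerate(recs):
            start = newest["received_at"] - window_seconds
            ips = {x["source_ip"] for x in recs[:i + 1] if x["received_at"] >= start}
            if len(ips) >= max_distinct_ips:
                flagged[account] = sorted(ips)
                break
    return flagged


def analyse(spool_texts=SAMPLE_SPOOL_HEADERS, window_seconds=3600, max_distinct_ips=3):
    records = [parse_spool_header(t) for t in spool_texts]
    return flag_shared_credentials(records, window_seconds, max_distinct_ips)


if __name__ == "__main__":
    for account, ips in analyse().items():
        print(f"{account}: password used from {len(ips)} addresses {ips}; "
              f"reset it and freeze the queued mail")
```

Run against the real spool directory (the -H files under Exim's input spool) from cron every few minutes; when an account is flagged, change its password and freeze its queued messages before the hourly limit lets them out. The threshold of three addresses per hour is an assumption; a client with a laptop and a phone on mobile data will legitimately hit two.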

  4. #4
    Join Date
    Dec 2002
    Location
    Sibiu, Romania
    Posts
    241
    I was just notified by MX Toolbox that my server IP was listed on MAILSPIKE BL. Return codes were: 127.0.0.12 - this is because of the last client that got infected yesterday :|

  5. #5
    Join Date
    Jun 2003
    Location
    World Wide Web
    Posts
    581
    From the logs it's clear that the client system is infected.

    =============
    -host_name kcc-202-178-80-13.kamakuranet.ne.jp
    -host_auth courier_login
    -interface_address 13.111.12.111.25
    ==============

    Both logins are auth courier_login, meaning authenticated logins.

    Hope you have already changed the passwords and scanned the client system. Also check his mail client version. You can enable SPF records for this domain.
    SupportExpertz.com - the name says it all!
    Managed Cloud Servers
    Server Management and Monitoring
    24x7 outsourced customer support

  6. #6
    Join Date
    Apr 2002
    Posts
    1,789
    Change the password on the sssssa.ssssssssa@pssssssm.ro email account. That's the only way you can stop the spam.

    You can give the new password to the client, but it's not going to do a lot of good if they just start using the new password without cleaning their system; it will eventually just get compromised again and used to send out spam.

    You can ask the client to change the password on their own, but this is usually met with a lot of "meh" and shrugs.

    If the problem persists you can suspend the user's account.

    The user has a compromise somewhere. Likely a computer/device/open wifi that is being used to discover the account's password, and that information is then sent on to spammers to exploit (which is why you see this from multiple IP addresses). This is a problem the user will have to correct. It's really just speculation on our (and your) part that it is a trojan/virus/spyware/malware on the user's computer or system that is causing this. It could just be an easy password. It could be a reused password that was shared with another system (like a forum database) that was compromised. There's really no way for us (or you) to know how the password was compromised. You just know that the password has been compromised and the end-user will have to figure this out and resolve it.

    If there was a magic fix-all, we'd all be using it.

  7. #7
    Join Date
    Dec 2002
    Location
    Sibiu, Romania
    Posts
    241
    Quote Originally Posted by supportexpertz View Post
    Both logins are auth courier_login, meaning authenticated logins.

    Hope you have already changed the passwords and scanned the client system. Also check his mail client version. You can enable SPF records for this domain.
    Yes, I know the emails were sent using the user's password and also know that the emails were not sent from his office but from different IPs. I have enabled SPF and DKIM but this is not helping with the spam messages that are in fact sent from my server. The SPF check will pass on the destination server.

    Quote Originally Posted by SPaReK View Post
    Change the password on the sssssa.ssssssssa@pssssssm.ro email account. That's the only way you can stop the spam.
    This is what I did, and as I personally know all my hosting clients (I'm a web designer that has 2 dedicated servers to host clients' websites), I did not give the client the password. I personally checked the client's computer for more than 1 hour through TeamViewer; Malwarebytes found just a few threats. I want to try HitmanPro as well and then install AVG Free, as the client had an expired version of Bitdefender.
    The client is still waiting for his password, and I did the same with the client in August; he received his password after 1 day.

    The idea is to find a solution to avoid being blacklisted in the first place, and avoid sending spam messages like those that were sent yesterday.

    As none of my clients chose to pay extra for a dedicated IP, all the 200 websites on this server share the same IP, except my website. It's very annoying to have issues with all clients because of a client that got infected. I have explained this situation to the only client who sends newsletters weekly to ~4000 mailboxes, mostly Yahoo (I used the Yahoo feedback loop for their domain and in the last 3 months I have not received a single complaint), and they have now chosen to get a dedicated IP.

  8. #8
    Join Date
    Mar 2006
    Location
    Servers
    Posts
    1,590
    -auth_id s....a.s........a@p......m.ro

    It is obvious either the cPanel is hacked or the email credentials.
    Patch this first.
    QHoster.com - Web Hosting with DDoS Protection | Shared & Reseller in Europe/North America
    Linux/Windows RDP VPS 13 Locations : UK, US (5 states), Mexico, Canada, Bulgaria, Lithuania,
    Italy, France, Germany,Netherlands, Switzerland, Rissia, Singapore | OpenVPN/PPTP Enabled
    INSTANT | PayPal, Skrill, Payza, Bitcoin, WebMoney, Perfect Money, Ukash, CashU, paysafecard

  9. #9
    Join Date
    Dec 2002
    Location
    Sibiu, Romania
    Posts
    241
    I'm sure it's the client's email, as every time I checked their computer I found problems:

    - the client that was infected in May found 9000 infected files on his computer in just 20 minutes of scanning with Malwarebytes (the scan was still in progress)

    - another client could not install Malwarebytes ... again because his computer was infected

    - the client I checked yesterday had an expired Bitdefender license, so no protection. I scanned and found ~9 infected files (trojan)

    I think if the issue was with my server this would be happening much more frequently and with no evidence on my clients' computers, right?

    Still curious what other suggestions you have (other than changing the client's password, which is something you do after the emails are sent; I'm looking for something to stop those emails from being sent).
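A preventive check that fits the pattern in the quoted spool files is an Exim ACL that rate-limits not messages per account (which the package limits already do) but distinct client addresses per account. The fragment below is an added example written for this page, not configuration from the thread or from cPanel. It assumes Exim 4.66 or newer (for the ratelimit "unique=" option), that the ACL is wired in with acl_smtp_mail = acl_check_mail, and that on a WHM server it is placed through the Exim Configuration Editor's advanced (custom ACL) section rather than by editing the generated exim.conf; the threshold of 3 addresses per hour and the log tag are assumptions to tune.

```exim
acl_check_mail:
  # Count, per authenticated account, how many different client IPs have used
  # its credentials in the last hour. A real user has one or two; a leaked
  # password shows up from many, which is what the two spool files above show.
  # "strict" keeps counting while the account is over the limit, so the client
  # stays blocked until the password is changed and the hour passes.
  deny    authenticated = *
          ratelimit     = 3 / 1h / per_mail / strict / unique=$sender_host_address / $authenticated_id
          message       = Account $authenticated_id used from too many addresses; contact support
          log_message   = AUTHABUSE $authenticated_id from $sender_host_address (unique rate $sender_rate)

  accept
```

The deny fires on the fourth distinct address, so the first three hours' worth of spam from new IPs are already gone; it bounds the damage rather than preventing the first message. Grep the mainlog for the AUTHABUSE tag so the account is reset the same hour instead of the next morning.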

  10. #10
    Join Date
    Apr 2002
    Posts
    1,789
    Honestly, if end-users aren't going to take the initiative to protect their computer/devices/wifi then you're always going to have this problem.

    How the user's computer is constantly being infected should be the alarming concern. What are they doing on their computer that is leading to these infections? (That's rhetorical).

    I know of no way to completely stop this, other than limiting the infections on end-users computers and devices.

    A server cannot know if a specific connection is legitimate or not. A server can just use authentication to determine "this login is correct" or "this login is incorrect". How else is it supposed to determine the legitimacy of the connection?

  11. #11
    Join Date
    Mar 2006
    Location
    Servers
    Posts
    1,590
    You cannot filter/limit good or bad emails. If the customer is hacked and his data is stolen they can do a lot worse things than sending emails.
