
12-09-2003, 01:43 AM
Junior Guru Wannabe
Join Date: Aug 2003
Location: Seattle
Posts: 68
Hello!
I re-checked and my server is not open for relay.
This morning there were thousands of spam emails sent to AOL users... looks like random emails jay1@aol.com, jay2@aol.com etc...
So I am trying to figure out what the problem is... There are only 2 of us using the server, so I know I don't have a malicious user spamming with his SMTP login info.
I've been looking in the logs. Here are the lines just before the attack: (exim.maillog)
2003-12-08 04:38:57 1ATKfB-0003ia-8v <= turtle@host.mydomain.net U=turtle P=local S=2965
2003-12-08 04:38:59 1ATKfB-0003ia-8v => jane <contact@turtledomain.net> R=virtual_user T=virtual_userdelivery
2003-12-08 04:38:59 1ATKfB-0003ia-8v => turtle <evita104@turtledomain.net> R=localuser T=local_delivery
2003-12-08 04:39:11 1ATKfB-0003ia-8v => rk5149@aol.com R=lookuphost T=remote_smtp H=mailin-01.mx.aol.com [64.12.137.184]
2003-12-08 04:39:11 1ATKfB-0003ia-8v -> tylernewsome@aol.com R=lookuphost T=remote_smtp H=mailin-01.mx.aol.com [64.12.137.184]
turtle is a user for one web site on the server. (Turtledomain.net)
evita104@turtledomain.net doesn't have an email account.
Is this in fact going thru SMTP or are they exploiting a bad script?
Any help would be so appreciated right now 
Thanks

12-09-2003, 01:44 AM
Web Hosting Master
Join Date: Sep 2002
Posts: 3,892
wilfried,
post a *full* spam message, including headers.
paul

12-09-2003, 02:11 AM
Junior Guru Wannabe
Join Date: Aug 2003
Location: Seattle
Posts: 68
I did not get one of the originals, but here is the header from the AOL "Client TOS Notification". They added their own header as well.
Quote:
Return-Path: <turtle@host.mydomain.net>
Received: from host.mydomain.net (mydomain.com [My.IP]) by rly-yd03.mx.aol.com (v97.10) with ESMTP id MAILRELAYINYD38-2063fd4c4dc101; Mon, 08 Dec 2003 13:37:22 -0500
Received: from turtle by host.mydomain.net with local (Exim 4.24)
id 1ATQFv-0005bX-Ha; Mon, 08 Dec 2003 10:37:15 -0800
To: <Undisclosed Recipients>
From: CyalusIsSuperior838@voyager.com
X-AOL-ORIG-From:
To: <Undisclosed Recipients>
From: CyalusIsSuperior838@voyager.com
Content-Type: multipart/alternative; boundary=CqJGuDcTAeAJPf
Subject: Medically proven to enhance sexual performance for up to 30 hours after usage _ X6 8yqdB nh J0RFJ 6olXS1 ZL4 WPx3 S gAJ
Message-Id: <E1ATQFv-0005bX-Ha@host.mydomain.net>
Date: Mon, 08 Dec 2003 10:37:15 -0800
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - host.mydomain.net
X-AntiAbuse: Original Domain - aol.com
X-AntiAbuse: Originator/Caller UID/GID - [32011 32012] / [47 12]
X-AntiAbuse: Sender Address Domain - host.domain.net
X-AOL-IP: My.IP
X-Mailer: Unknown (No Version)

12-09-2003, 02:46 AM
Disabled
Join Date: Dec 2003
Posts: 96
they don't have to use your smtp server to send emails... there are programs with smtp built in, or those who bypass it completely and just send it directly to the recipient email.

12-09-2003, 03:04 AM
Junior Guru Wannabe
Join Date: Aug 2003
Location: Seattle
Posts: 68
I know but this did go thru my server. It's in the logs and there was a peak usage this morning as well.
I did another open relay check and now I get something new:
Relay test: #Test 8
>>> mail from: <spamtest@domain.com>
<<< 250 OK
>>> rcpt to: <nobody%mail-abuse.org@domain.com>
<<< 250 Accepted
>>> QUIT
<<< 221 host.domain.net closing connection
So that one last test did accept a mail. How can I fix it? It's set to not let 'nobody' send mail to a remote address...

12-09-2003, 03:36 AM
Web Hosting Master
Join Date: Sep 2002
Posts: 3,892
wilfried,
the message you pasted was, indeed, sent by the user 'turtle'. it is possible that a cgi script on his account was abused by a 3rd party as well as the user himself sending the spam.
as for the relay check, you need to perform the check from a non-local ip address that has not been used to log into a pop3 account on your machine for the last 15 minutes - several hours, otherwise the smtp server will permit relaying based on that (this is how most email accounts work - it's called pop-before-smtp).
paul

12-09-2003, 03:52 AM
Junior Guru Wannabe
Join Date: Aug 2003
Location: Seattle
Posts: 68
Paul
What logs should I look into to find if it's a script sending the email? "turtle" is the user name for that site. Yet it doesn't have an email account set up.
I did the open relay test on mail-abuse.org. It should come from their IP, so it should not allow it to relay. This line of the test is bugging me:
>>> rcpt to: <nobody%mail-abuse.org@domain.com>
What's 'nobody%' ?
Thanks for your help!

12-09-2003, 05:36 AM
Junior Guru Wannabe
Join Date: Aug 2003
Location: Seattle
Posts: 68
I was looking in the DOMLOGS and found this at the same time the spamming started:
211.233.27.208 - - [08/Dec/2003:04:38:57 -0800] "POST /cgi-bin/kaosmail.pl HTTP/1.0" 302 227 "http://turtledomain.net/" "-"
kaosmail.pl is a form mail script....
I removed it just to be sure. I also added a set of ACL rules to exim... one of them blocks % and other weird chars. So now the relay test doesn't go thru with this line: >>> rcpt to: <nobody%mail-abuse.org@domain.com>
The weird thing is the IPs using that .pl script were from all over the world... do they spoof their IP? I'd love to get a hold of them
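An added example, not code from the thread, that does by script what the post above did by eye: it pairs Exim `<=` lines with `P=local` (mail injected by a local process, not over SMTP) with Apache POSTs to /cgi-bin scripts logged within a few seconds before them. The sample log lines are constructed after the ones quoted in the thread; both logs are assumed to be stamped from the same server clock, so the Apache zone offset is dropped before comparing.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the logs quoted in the thread (not real data).
EXIM_LOG = """\
2003-12-08 04:38:57 1ATKfB-0003ia-8v <= turtle@host.mydomain.net U=turtle P=local S=2965
2003-12-08 04:38:59 1ATKfB-0003ia-8v => jane <contact@turtledomain.net> R=virtual_user T=virtual_userdelivery
2003-12-08 04:39:11 1ATKfB-0003ia-8v => rk5149@aol.com R=lookuphost T=remote_smtp H=mailin-01.mx.aol.com [64.12.137.184]
2003-12-08 06:10:02 1ATM7X-0001Qa-2c <= admin@host.mydomain.net U=admin P=local S=1200
"""
ACCESS_LOG = """\
211.233.27.208 - - [08/Dec/2003:04:38:57 -0800] "POST /cgi-bin/kaosmail.pl HTTP/1.0" 302 227 "http://turtledomain.net/" "-"
10.0.0.5 - - [08/Dec/2003:06:09:30 -0800] "GET /index.html HTTP/1.0" 200 5120 "-" "-"
"""

# Exim "<=" = message accepted; P=local = injected by a local process (a CGI script, a cron job),
# U= is the Unix user that ran it. Only those lines are of interest here.
EXIM_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) <= (\S+) U=(\S+) P=local")
# Apache combined log, POSTs to CGI only; the zone offset is skipped (assumed same clock as Exim).
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^ \]]+) [^\]]*\] "POST (/cgi-bin/\S+)')

def parse_exim_local(text):
    subs = []
    for m in filter(None, map(EXIM_RE.match, text.splitlines())):
        subs.append({"time": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                     "msgid": m.group(2), "sender": m.group(3), "user": m.group(4)})
    return subs

def parse_cgi_posts(text):
    posts = []
    for m in filter(None, map(APACHE_RE.match, text.splitlines())):
        posts.append({"ip": m.group(1), "script": m.group(3),
                      "time": datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S")})
    return posts

def correlate(exim_text, access_text, window=5):
    """Pair each local submission with CGI POSTs logged up to `window` seconds before it."""
    posts = parse_cgi_posts(access_text)
    hits = []
    for sub in parse_exim_local(exim_text):
        for p in posts:
            lag = (sub["time"] - p["time"]).total_seconds()
            if 0 <= lag <= window:
                hits.append({"msgid": sub["msgid"], "user": sub["user"],
                             "script": p["script"], "ip": p["ip"], "lag": lag})
    return hits

if __name__ == "__main__":
    for h in correlate(EXIM_LOG, ACCESS_LOG):
        print(f"{h['msgid']} by {h['user']} <- POST {h['script']} from {h['ip']} ({h['lag']:.0f}s)")
```

Submissions with no matching POST (the constructed `admin` one) are left unpaired, which is the case worth looking at next: a local sender that is not a web form is a cron job, a shell, or a logged-in user.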

12-09-2003, 06:33 AM
Web Hosting Master
Join Date: Sep 2002
Posts: 3,892
wilfried,
what the email says is that a script running as user 'turtle' was sending the spam. that formmail-like script may have been installed by the user in question to facilitate the sending of spam - or not. if the user does not have a site up on his account, it would implicate him. it is hard to say anything beyond that, since we do not have access to the machine.
paul

12-09-2003, 06:42 AM
Junior Guru Wannabe
Join Date: Aug 2003
Location: Seattle
Posts: 68
Thanks Paul
I am now pretty sure that script was used to send the SPAM... My bandwidth was going up again as they were starting to use it once again. I removed it and it dropped back to normal.
I am the one who installed the script... No, it's not a malicious user, just a spammer found it I guess. I just wish I could track him down and make him pay for the bandwidth...

12-09-2003, 08:45 AM
WHT Addict
Join Date: Oct 2003
Posts: 173
Personally, I'd suspend his account. Even if he isn't the one that sent the spam, he still uploaded an insecure script. Email him and tell him that his account is suspended because he put the server's security at risk, and it will remain suspended until he finds an alternative formmail script that meets your approval.
If you don't want to be that strict (which I think you should, since your server could get listed in the various spam blacklists), you could do "chown root.root filename.cgi" and then "chmod 000 filename.cgi". That way, it won't be able to be executed, and he won't be able to delete it to reupload a file. He could always upload it as a different filename, but it at least makes it a little bit harder for him.

12-09-2003, 10:50 AM
Web Hosting Master
Join Date: Apr 2003
Location: Vancouver, Canada
Posts: 760
Quote:
Originally posted by wilfried
Thanks Paul
I am now pretty sure that script was used to send the SPAM... My bandwidth was going up again as they were starting to use it once again. I removed it and it dropped back to normal.
I am the one who installed the script... No, it's not a malicious user, just a spammer found it I guess. I just wish I could track him down and make him pay for the bandwidth...
You might want to look at using the nms formmail script instead. It is more secure than most formmail scripts.

12-09-2003, 10:56 AM
Junior Guru
Join Date: Apr 2003
Location: Montreal, Canada
Posts: 219
Depends what kind of client he is...
If he's a good one... then try to keep him.
If it's one of those virtual accounts for 9,95$ then kick him out asap.
Most basic formmail scripts will get hijacked by spammers.
You need one that validates the entry.... You have to pay for those usually.

12-09-2003, 11:44 AM
Web Hosting Master
Join Date: Sep 2002
Posts: 3,892
there are perfectly good, secure, free formmail scripts. with that said, i *strongly* suggest renaming your formmail scripts to some random name - often times the spammers will try to hit the script and put a lot of load on the box, without realizing that they are not succeeding. yes, some spammers are that dumb.
paul
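The two posts above turn on what "validates the entry" means for a form-mail script. As an added example (not the kaosmail or nms code), here are the checks that keep such a handler from becoming a relay: recipients fixed server-side rather than taken from the form, a single plain mailbox as sender (the `%`-hack address from the relay test fails here), and no CR/LF in any field that becomes a header. It assumes a hypothetical handler with POST fields `recipient`, `email`, `realname`, `subject` and `message`, and a constructed allowlist.

```python
import re

# Assumed policy for a hypothetical form-mail handler: the addresses mail may go to are
# fixed server-side and never taken from the form. Constructed sample value.
ALLOWED_RECIPIENTS = {"contact@turtledomain.net"}

# One plain mailbox only. The local-part class deliberately lacks %, !, | and /,
# so a source-routed "nobody%mail-abuse.org@domain.com" does not match.
ADDR_RE = re.compile(r"^[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")

def safe_address(addr):
    return ADDR_RE.match(addr) is not None

def header_safe(value):
    # A CR or LF inside a field that ends up in a header lets the submitter append
    # headers of their own (an extra To:/Bcc: list is the classic abuse).
    return "\r" not in value and "\n" not in value

def validate_form(fields, max_body=10000):
    """Return (ok, reason) for a decoded POST body given as a dict of str."""
    recipient = fields.get("recipient", "")
    if recipient not in ALLOWED_RECIPIENTS:
        return False, "recipient not on allowlist"
    if not safe_address(fields.get("email", "")):
        return False, "malformed sender address"
    for name in ("email", "realname", "subject"):
        if not header_safe(fields.get(name, "")):
            return False, "newline in " + name
    if len(fields.get("message", "")) > max_body:
        return False, "message too large"
    return True, "ok"

if __name__ == "__main__":
    sample = {"recipient": "contact@turtledomain.net", "email": "jane@example.com",
              "realname": "Jane", "subject": "Hi", "message": "hello"}
    print(validate_form(sample))
    print(validate_form(dict(sample, recipient="rk5149@aol.com")))
```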

03-15-2004, 05:14 PM
Web Hosting Guru
Join Date: Dec 2000
Posts: 318
I am dealing with the same problem. Someone used my server to send spam to AOL users. I still don't have a clue what script they used to send spam. I have deleted every single formmail script on my server. I am getting very tired of these spammers. Something should be done about this.
I have downloaded NMS formmail. I hope it solves the problem.
What kind of spike did you see in your bandwidth usage? do you look at your SMTP bandwidth or server bandwidth?