-
06-03-2005, 08:09 AM #1 Newbie
- Join Date
- Apr 2005
- Posts
- 10
Spam issue - Can't find the spammer
Hi,
ThePlanet has opened an abuse ticket on our account due to outgoing spam on our server. We have looked into it and could not find the source anywhere, and were therefore unable to suspend any accounts.
We therefore asked ThePlanet to investigate the issue using our only hour of administrative time.
Here was their response:
Originally Posted by ThePlanet ticket response
Since this issue arose, I have blocked all emails from being sent from "nobody". I am not 100% sure if this will stop the spam for the time being.
Any suggestions?
Thank you in advance.
- Rich
Last edited by RichM; 06-03-2005 at 08:14 AM.
-
06-03-2005, 08:26 AM #2 Junior Guru
- Join Date
- Dec 2004
- Posts
- 224
Hi..
You could first check if there is anything suspicious going on in the server.. continuously check for processes (ps auxwf or simply ps aux, or cat /proc/processIDs in case of hidden ones).. netstat -lpn for any unwanted ports listening on any ports..
Do you have mailmon installed?? This would let you know if a user is sending emails.. also if PHP is compiled as CGI, then instead of scripts sending mails as nobody, it will send in the user's identity.
We had an issue like this before and it was a hacker who gained access through phpBB forum which was continuously making POSTs.. They created their own forum too.. Couldn't find how that was done!!
-
06-03-2005, 09:11 AM #3 WHT Addict
- Join Date
- Oct 2004
- Posts
- 133
I absolutely agree with SmartTux. You should install e-mail monitoring software if you do not have any.
Blocking user 'nobody' is a nice thing. And though this may not help in the current situation, it will save you in future.
In addition to what SmartTux has posted, this could be an issue with vBulletin board as well.
We have one customer who did not patch the forum with the latest update, and was hacked by someone.
If you have Fantastico, make sure that you update it with the latest version of the free scripts.
If you know of customers who use forums, content management systems, portals, etc.,
write them an e-mail to be sure that the scripts are up to date.
Insecure scripts for sending e-mails (formmail, formmail clones, etc.) could be the source as well.
The spammer may spam remotely, taking advantage of an insecure contact form.
And another nice thing would be to configure Exim in a way that allows
no more than a certain number of e-mails to be sent from a certain account.
This could be done for e-mails per hour easily.
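Added example (not part of the original post): the detection side of a per-hour limit, for the case discussed above where scripts send as "nobody" and the sender name alone identifies no account. It assumes Exim's `log_selector` includes `+arguments`, so each local submission logs a `cwd=` line; the log lines, account names and paths are constructed.

```bash
#!/bin/sh
# Constructed sample of an Exim main log. Assumes log_selector includes
# +arguments, so every exim/sendmail invocation logs a cwd= line.
sample_exim_log() {
cat <<'EOF'
2005-06-03 07:58:11 cwd=/home/acct1/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2005-06-03 07:59:40 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
2005-06-03 08:01:02 cwd=/home/acct2/public_html/forum 3 args: /usr/sbin/sendmail -t -i
2005-06-03 08:01:03 cwd=/home/acct2/public_html/forum 3 args: /usr/sbin/sendmail -t -i
2005-06-03 08:01:05 cwd=/home/acct2/public_html/forum 3 args: /usr/sbin/sendmail -t -i
2005-06-03 08:14:30 cwd=/home/acct1/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2005-06-03 09:00:01 cwd=/home/acct2/public_html/forum 3 args: /usr/sbin/sendmail -t -i
EOF
}

# mail_per_hour LIMIT: read an Exim main log on stdin and print
# "date hour count directory" for each directory from which at least
# LIMIT messages were submitted within one clock hour.
mail_per_hour() {
    awk -v limit="$1" '
        $3 ~ /^cwd=/ {
            dir = substr($3, 5)
            if (dir ~ /^\/var\/spool\//) next   # queue runners, not submissions
            hour = $1 " " substr($2, 1, 2)
            count[hour "\t" dir]++
        }
        END {
            for (k in count)
                if (count[k] >= limit) {
                    split(k, part, "\t")
                    print part[1], count[k], part[2]
                }
        }' | sort
}

# Flag any directory that submitted 3 or more messages in one hour.
sample_exim_log | mail_per_hour 3
```

On a live server the function would read the real main log on stdin with a limit that matches normal traffic for the busiest legitimate site.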
-
06-03-2005, 12:55 PM #4 Newbie
- Join Date
- Apr 2005
- Posts
- 10
Thank you for your response.
When you were hacked, what did you do to resolve that issue?
Also, what email monitoring software would you suggest?
Thank you.
-
06-04-2005, 12:52 AM #5 Junior Guru
- Join Date
- Dec 2004
- Posts
- 224
Hi RichM,
I am sorry, it wasn't phpBB. It was php_nuke.
I uninstalled the php_nuke which was causing the issue.. The apache/domlogs for that account were showing continuous POSTs when the nuke site was running..
Also disabled all phpnukes on the server for some time to ensure the outbound spamming due to this really stops.. Anyway, NOC didn't complain after that
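Added example (not part of the original post): one way to surface the "continuous POSTs" pattern described above from a per-domain Apache access log. It assumes the combined log format; the log lines, addresses and script names are constructed.

```bash
#!/bin/sh
# Constructed sample of a per-domain Apache access log (combined format).
sample_domlog() {
cat <<'EOF'
203.0.113.7 - - [04/Jun/2005:00:41:02 +0000] "POST /modules.php?name=Example HTTP/1.1" 200 512 "-" "-"
203.0.113.7 - - [04/Jun/2005:00:41:03 +0000] "POST /modules.php?name=Example HTTP/1.1" 200 512 "-" "-"
203.0.113.7 - - [04/Jun/2005:00:41:04 +0000] "POST /modules.php?name=Example HTTP/1.1" 200 512 "-" "-"
198.51.100.20 - - [04/Jun/2005:00:42:10 +0000] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/4.0"
198.51.100.20 - - [04/Jun/2005:00:43:55 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
EOF
}

# post_tally [N]: read an access log on stdin and print the N busiest
# (client IP, script) pairs for POST requests as "count ip path",
# highest count first. N defaults to 10.
post_tally() {
    awk '
        $6 == "\"POST" {
            path = $7
            sub(/\?.*/, "", path)       # group by script, ignore query string
            hits[$1 " " path]++
        }
        END { for (k in hits) print hits[k], k }
    ' | sort -rn | head -n "${1:-10}"
}

# A script receiving a steady stream of POSTs from one client rises to the top.
sample_domlog | post_tally
```

Comparing the top script here against the directories that submit the most mail narrows the search to one account.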
-
06-04-2005, 01:03 AM #6 Junior Guru
- Join Date
- Dec 2004
- Posts
- 224
Mailmon is good as I find it useful to catch those who send spams from the server..
You may also check out the following thread:
http://www.webhostingtalk.com/showth...hreadid=406621
-
06-04-2005, 01:57 AM #7 Web Hosting Master
- Join Date
- Feb 2004
- Posts
- 772
Hi RichM,
Please check out this link; it'll be useful for you.
http://www.aydef.com/how_to_stop_spam.htm
Thanks
Bright Info Solutions
-
06-04-2005, 10:28 AM #8 Big fan of RajiniKanth!!!
- Join Date
- Sep 2004
- Location
- Chennai , India
- Posts
- 4,632
It is not so easy to find the spammer,
first a simple script is enough for the spammer to send emails to another/
How to find the spammer,
Let's say you have 100 accounts in your servers,
Try to monitor all servers which have been sending emails, and find their IPs
Next check with that who sends the spams, Actually the person receiving spams is from your server, so the IP address will make him get caught red-handed.
-
06-04-2005, 05:55 PM #9 Newbie
- Join Date
- Apr 2005
- Posts
- 10
Hi,
Do you guys know where I can get hold of Mailmon? I googled it and all I could find was some Windows applications. (We are running Red Hat Enterprise Linux 3 with an Exim mail server)
Thanks again for your suggestions, I appreciate your help.
- Rich
-
06-04-2005, 06:24 PM #10 Junior Guru Wannabe
- Join Date
- Aug 2002
- Posts
- 65
Are you an open relay? Make sure you are not. Check your badmail folders for traces... Run an online open relay test.
WebDivisor - www.WebDivisor.com
-
06-04-2005, 07:13 PM #11 Engineer
- Join Date
- Jan 2005
- Location
- Scotland, UK
- Posts
- 2,681
There's not much advice that can be given to you. If ThePlanet have checked the server and found nothing, you are best to either pay them to make sure it's completely gone or pay an outside source to trace and secure the server further.
-Scott
Server Management - AdminGeekZ.com
Infrastructure Management, Web Application Performance, mySQL DBA. System Automation.
WordPress/Magento Performance, Apache to Nginx Conversion, Varnish Implementation, DDoS Protection, Custom Nginx Modules
Check our wordpress varnish plugin. Contact us for quote: sales@admingeekz.com
-
06-05-2005, 09:25 PM #12 Web Hosting Guru
- Join Date
- Apr 2003
- Location
- Lisbon - Portugal - Europe
- Posts
- 268
We have made extensive checks of the system and checked the results of the extended Exim logging, but have been unable to determine the source of the emails.
I don't know if Steve from www.rack911.com is available. But he's good.