  1. #1

    Spam issue - Can't find the spammer

    Hi,

    ThePlanet has opened an abuse ticket on our account due to outgoing spam on our server. We have looked into it and could not find the source anywhere, and was therefore unable to suspend any accounts.

    We therefore asked ThePlanet to investigate the issue using our only hour of administrative time.

    Here was their response:

    Quote Originally Posted by ThePlanet ticket response
    We have made extensive checks of the system and checked the results of the extended Exim logging, but have been unable to determine the source of the emails. There is a possibility the emails are being injected directly into the Exim queue, which would prevent them from being logged.

    In the interests of finding out if any of the users on the system were generating these messages, we checked various aspects of the users and investigated one mailing script under one of the users that shows heavy use in the Apache logs. While the check cannot be regarded as comprehensive, it was lengthy and detailed with respect to issues we have seen in the past. We could not attribute any particular user to this problem.

    An Abuse engineer and a Security engineer spent well over an hour working on this issue, however, we are only attributing the time spent towards your admin hour for the month of June for this server.

    Further time may be spent on this issue by our personnel if you wish, but this would be at a cost of $75 per hour. Please advise if this is desirable, or if you would rather have your admins work on the issue. A rapid response by either party is highly desirable.

    Is anyone familiar with a problem like this? I am not sure what to do, I can't really afford $75 for them to look into it for another hour.

    Since this issue arose, I have blocked all emails from being sent from "nobody". I am not 100% sure if this will stop the spam for the time being.

    Any suggestions?

    Thank you in advance.

    - Rich
    Last edited by RichM; 06-03-2005 at 08:14 AM.

  2. #2
    Join Date
    Dec 2004
    Posts
    224
    Hi..

    You could first check if there is anything suspicious going on on the server: continuously check the processes (ps auxwf or simply ps aux, or cat /proc/processIDs in case of hidden ones), and run netstat -lpn to look for anything unwanted listening on any ports.

    Do you have mailmon installed? This would let you know if a user is sending emails. Also, if PHP is compiled as CGI, then instead of scripts sending mail as nobody, they will send under the user's identity.

    We had an issue like this before and it was a hacker who gained access through a phpBB forum which was continuously making POSTs. They created their own forum too. Couldn't find how that was done!!
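
    The ps-versus-/proc check suggested above, written out as an added example (not code from any poster): the comparison is done on listings passed in as strings so it can be run on the constructed sample below as well as on the live system.

```shell
#!/bin/sh
# Added example, not from any poster: cross-check the PIDs that ps reports
# against the numeric entries in /proc. A PID that exists in /proc but is
# missing from ps deserves a closer look (ps may be hiding it, or it simply
# exited between the two listings, so run the live check more than once
# before drawing conclusions).

# Print PIDs present in the /proc listing ($1, one entry per line, as from
# `ls /proc`) but absent from the ps listing ($2, PID in column 2, as from
# `ps aux`). Both inputs are strings so the logic can be tested on
# constructed data.
hidden_pids() {
  pslist=$(mktemp) || return 1
  printf '%s\n' "$2" > "$pslist"
  printf '%s\n' "$1" | awk -v psfile="$pslist" '
    BEGIN {
      # Record every numeric PID ps printed; the header row has "PID" there.
      while ((getline line < psfile) > 0) {
        split(line, f, " ")
        if (f[2] ~ /^[0-9]+$/) seen[f[2]] = 1
      }
    }
    # Only numeric /proc entries are processes; skip cpuinfo, self, etc.
    /^[0-9]+$/ && !($1 in seen) { print $1 }'
  rm -f "$pslist"
}

# Live variant for the real system.
check_live() {
  hidden_pids "$(ls /proc)" "$(ps aux)"
}

# Constructed sample listings (not a real system): PID 4242 has a /proc
# entry but does not appear in the ps output.
SAMPLE_PROC='1
2
1234
4242
bus
cpuinfo
self'
SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 1000 500 ? Ss 08:00 0:00 init
root 2 0.0 0.0 0 0 ? S 08:00 0:00 [kthreadd]
nobody 1234 0.0 0.2 2000 800 ? S 08:05 0:00 /usr/sbin/httpd'

hidden_pids "$SAMPLE_PROC" "$SAMPLE_PS"   # prints 4242
```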

  3. #3
    Join Date
    Oct 2004
    Posts
    133
    I absolutely agree with SmartTux. You should install e-mail monitoring software if you do not have any.

    Blocking user 'nobody' is a nice thing. And though this may not help with the current situation, it will save you in the future.

    In addition to what SmartTux has posted, this could be an issue with vBulletin board as well.
    We have one customer who did not patch the forum with the latest update, and was hacked by someone.

    If you have Fantastico, make sure that you update it with the latest version of the free scripts.
    If you know of customers who use forums, content management systems, portals, etc.,
    write them an e-mail to be sure that the scripts are up-to-date.

    Insecure scripts for sending e-mails (formmail, formmail clones, etc.) could be the source as well.
    The spammer may spam remotely, taking advantage of an insecure contact form.

    And another nice thing would be to configure Exim in a way that allows
    no more than a certain number of e-mails to be sent from a given account.
    This can easily be done per hour.

  4. #4
    Thank you for your response.

    When you were hacked, what did you do to resolve that issue?

    Also, what email monitoring software would you suggest?

    Thank you.

  5. #5
    Join Date
    Dec 2004
    Posts
    224
    Hi RichM,

    I am sorry, it wasn't phpBB. It was php_nuke.
    I uninstalled the php_nuke which was causing the issue. The apache/domlogs for that account were showing continuous POSTs when the nuke site was running.
    Also disabled all phpnukes on the server for some time to ensure the outbound spamming due to this really stops. Anyway, the NOC didn't complain after that.

  6. #6
    Join Date
    Dec 2004
    Posts
    224
    Mailmon is good, as I find it useful to catch those who send spam from the server.


    You may also check out the following thread:
    http://www.webhostingtalk.com/showth...hreadid=406621

  7. #7
    Join Date
    Feb 2004
    Posts
    772
    Hi richm,

    Please check out this link, it'll be useful for you:

    http://www.aydef.com/how_to_stop_spam.htm

    thanks
    Bright Info Solutions

  8. #8
    Join Date
    Sep 2004
    Location
    Chennai , India
    Posts
    4,632
    It is not so easy to find the spammer;

    a simple script is enough for the spammer to send emails to others.

    How to find the spammer:

    Let's say you have 100 accounts on your servers.

    Try to monitor all servers which have been sending emails, and find their IPs.

    Next, check who sends the spam. Actually, the person receiving the spam is from your server, so the IP address will make him get caught red-handed.
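
    Posts #2 and #8 both come down to counting who hands mail to Exim. The script below is an added example, not code from any poster: it runs over constructed mainlog lines in the format Exim writes (the cwd= lines assume log_selector = +arguments is enabled) and tallies messages per hour per submitting identity and per script directory.

```shell
#!/bin/sh
# Added example, not from any poster: tally who hands mail to Exim, from
# constructed mainlog lines. Exim logs a locally submitted message as
# "<= sender U=<unix user> P=local" and an authenticated SMTP one with
# "A=<authenticator>:<login>". With log_selector = +arguments it also writes a
# "cwd=<dir> N args: ..." line for every sendmail invocation, which names the
# calling script's directory even when every script runs as user nobody.

# Constructed sample mainlog (not real traffic).
SAMPLE_LOG='2005-06-03 08:10:01 cwd=/home/bob/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2005-06-03 08:10:01 1DeAbC-0001aB-Cd <= bob@example.com U=nobody P=local S=812
2005-06-03 08:10:05 cwd=/home/alice/public_html/forum 3 args: /usr/sbin/sendmail -t -i
2005-06-03 08:10:05 1DeAbC-0001aC-De <= alice@example.com U=nobody P=local S=2104
2005-06-03 08:10:06 cwd=/home/alice/public_html/forum 3 args: /usr/sbin/sendmail -t -i
2005-06-03 08:10:06 1DeAbC-0001aD-Ef <= alice@example.com U=nobody P=local S=2104
2005-06-03 08:10:07 cwd=/home/alice/public_html/forum 3 args: /usr/sbin/sendmail -t -i
2005-06-03 08:10:07 1DeAbC-0001aE-Fg <= alice@example.com U=nobody P=local S=2104
2005-06-03 08:11:00 1DeAbC-0001aF-Gh <= carol@example.com H=(pc1) [192.0.2.10] P=esmtpa A=login:carol S=640'

# Messages accepted per hour and submitting identity (unix user for local
# submissions, SMTP AUTH login for remote ones).
# Output lines: "<count> <YYYY-MM-DD> <HH> <identity>", busiest first.
count_senders() {
  printf '%s\n' "$1" | awk '
    $4 == "<=" {
      id = "unknown"
      for (i = 5; i <= NF; i++) {
        if ($i ~ /^U=/) id = "local:" substr($i, 3)
        if ($i ~ /^A=login:/) id = "auth:" substr($i, 9)
      }
      n[substr($1, 1, 10) " " substr($2, 1, 2) " " id]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# Directories from which sendmail was invoked, busiest first: this is what
# separates one customer's script from another when U= only says nobody.
count_cwd() {
  printf '%s\n' "$1" | awk '$3 ~ /^cwd=/ { n[substr($3, 5)]++ }
    END { for (k in n) print n[k], k }' | sort -rn
}

# Identities that exceeded $2 messages within a single hour.
over_limit() {
  count_senders "$1" | awk -v lim="$2" '$1 > lim { print $4 }'
}

count_cwd "$SAMPLE_LOG"      # busiest directory first
over_limit "$SAMPLE_LOG" 3   # local:nobody
```

Run the same three functions over the real /var/log/exim_mainlog (or wherever your Exim writes it) once +arguments is in log_selector; U=nobody alone tells you nothing, the cwd= tally does.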

  9. #9
    Hi,

    Do you guys know where I can get hold of Mailmon? I googled it and all I could find was some windows applications. (We are running Redhat enterprise linux 3 with an exim mail server)

    Thanks again for your suggestions, I appreciate your help.

    - Rich

  10. #10
    Are you an open relay? Make sure you are not. Check your badmail folders for traces... Run an online open relay test.

  11. #11
    Join Date
    Jan 2005
    Location
    Scotland, UK
    Posts
    2,681
    There's not much advice that can be given to you. If ThePlanet have checked the server and found nothing, you are best to either pay them to make sure it's completely gone or pay an outside source to trace and secure the server further.

    -Scott
    Server Management - AdminGeekZ.com
    Infrastructure Management, Web Application Performance, mySQL DBA. System Automation.
    WordPress/Magento Performance, Apache to Nginx Conversion, Varnish Implementation, DDoS Protection, Custom Nginx Modules
    Check our wordpress varnish plugin. Contact us for quote: sales@admingeekz.com

  12. #12
    Join Date
    Apr 2003
    Location
    Lisbon - Portugal - Europ
    Posts
    268
    We have made extensive checks of the system and checked the results of the extended Exim logging, but have been unable to determine the source of the emails.

    With extended logging, nobody is somebody. So, if you're having a spam issue and you can't find the spammer with exim's extended logging and you don't know what to do next, you should hire someone to check it.

    I don't know if Steve from www.rack911.com is available. But he's good.
    Lookup your IP: snoopmyip.com
    Proxy Guide: proxyspot.com
