Cannot trace this spammer

#1  UnrealSilence  02-11-2006, 12:37 PM

COMPLAINT:

your customer using IP address XXX.232.65.171 has been
spamming our web submission form at
http://www.trialware.org/join.html. You can see the form results
attached. Please consider doing all you can to prevent such
incidents in the future.


Thank you

From: "Geoff" <Geoff@inm.ras.com>
To: <trialwar@trialware.org>
Subject: Join Trialware Professional Association
Date: Mon, 6 Feb 2006 10:24:40 -0600
Message-ID: <E1F69AO-00008E-NP@eta.asmallorange.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0013_01C62C0D.DA007D60"
X-Mailer: cgiemail 1.6(form="http://www.trialware.org/join.html")(action="/cgi-bin/cgiemail/join.txt")
X-Spam-Level:
X-Spam-Status: No, score=-2.7 required=5.0 tests=ALL_TRUSTED,AMATEUR_PORN,BAYES_00,HOT_NASTY autolearn=ham version=3.1.0
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on eta.asmallorange.com
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
thread-index: AcYrOd0lnYQUn2maS1mEwxk2fNoqUg==
x-cc-diagnostic: The F word (40)
x-pmflags: 33570944 0 1 PXHZ2PQY.CNM

This is a multi-part message in MIME format.

------=_NextPart_000_0013_01C62C0D.DA007D60
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

IP: XXX.232.65.171

Update: False

email: Geoff@inm.ras.com

input_company: Health Management Associates Inc.

name: Geoff

HideEMail: True

input_website: http://www.big-woman.be

input_desc: Any girls/ladies that like random phone sex? Someone like it I
saw on <a
href='http://www.big-woman.be'>http://www.big-woman.be</a> What
do you like about it? Details please!

keywords: sex,porn,porno,adult,xxx, hardcore, fu*,sexy girls, hot girls,
amateur porn, bbw, big woman, big wonderful women

input_linktype: Other



I tried the following:

grep asmallorange.com /usr/local/apache/domlogs
grep E1F69AO-00008E-NP@eta.asmallorange.com /var/log/messages (all)
grep E1F69AO-00008E-NP@eta.asmallorange.com /var/log/mailog (all)

My settings in EXIM:

untrusted_set_sender = *
local_from_check = false
local_sender_retain = true

timeout_frozen_after = 2d
ignore_bounce_errors_after = 12h

domainlist rbl_blacklist = lsearch;/etc/rblblacklist
domainlist rbl_bypass = lsearch;/etc/rblbypass
hostlist rbl_whitelist = lsearch;/etc/relayhosts : partial-lsearch;/etc/rblwhitelist
message_size_limit = 5M
log_selector = +arguments +subject
log_selector = +all

timeout_frozen_after = 2d
ignore_bounce_errors_after = 12h

acl_not_smtp = acl_check_pipe

acl_smtp_rcpt = check_recipient
acl_smtp_data = check_message

domainlist local_domains = lsearch;/etc/localdomains

domainlist relay_domains = lsearch;/etc/localdomains : \
lsearch;/etc/secondarymx
hostlist relay_hosts = lsearch;/etc/relayhosts : \
localhost
hostlist auth_relay_hosts = *

#!!# ACL that is used after the RCPT command


##Added Sendmail Bcc and Cc Spam Removal##
acl_check_pipe:
#drop condition = ${if match {$message_body}\
#{\N.*\
#MIME-Version:.*\N}{true}}
#log_message = "Spam MIME-Version:$header_subject: "

#drop condition = ${if match {$message_body}\
#{\N.*\
#Reply-To:.*\N}{true}}
#log_message = "Spam Reply-To:$header_subject: "

# This will also block attachments
# drop condition = ${if match {$message_body}\
# {\N.*\
# Content-Type:.*\N}{true}}
# log_message = "Spam: Content-Type: $header_subject: "

# This will also block attachments
# drop condition = ${if match {$message_body}\
# {\N.*\
# Content-Transfer-Encoding:.*\N}{true}}
# log_message = "Spam: Content-Transfer-Encoding: $header_subject: "

drop condition = ${if match {$message_body}\
{\N.*\
[Bb][Cc][Cc]:.*\N}{true}}
log_message = "Spam: BCC: $header_subject: "

drop condition = ${if match {$message_body}\
{\N.*\
[Cc][Cc]:.*\N}{true}}
log_message = "Spam: CC: $header_subject: "
accept

accept
##End of Additions ##

check_recipient:
# Exim 3 had no checking on -bs messages, so for compatibility
# we accept if the source is local SMTP (i.e. not over TCP/IP).
# We do this by testing for an empty sending host field.
accept hosts = :

drop hosts = /etc/exim_deny
message = Connection denied after dictionary attack
log_message = Connection denied from $sender_host_address after dictionary attack


drop message = Appears to be a dictionary attack
log_message = Dictionary attack (after $rcpt_fail_count failures)
condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
condition = ${run{/etc/exim_deny.pl $sender_host_address }{yes}{no}}
!verify = recipient

# Accept bounces to lists even if callbacks or other checks would fail
warn message = X-WhitelistedRCPT-nohdrfromcallback: Yes
condition = \
${if and {{match{$local_part}{(.*)-bounces\+.*}} \
{exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
{yes}{no}}

accept condition = \
${if and {{match{$local_part}{(.*)-bounces\+.*}} \
{exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
{yes}{no}}


# Accept bounces to lists even if callbacks or other checks would fail
warn message = X-WhitelistedRCPT-nohdrfromcallback: Yes
condition = \
${if and {{match{$local_part}{(.*)-bounces\+.*}} \
{exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
{yes}{no}}

accept condition = \
${if and {{match{$local_part}{(.*)-bounces\+.*}} \
{exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
{yes}{no}}

#if it gets here it isn't mailman

#sender verifications are required for all messages that are not sent to lists

require verify = sender
accept domains = +local_domains
endpass

#recipient verifications are required for all messages that are not sent to the local machine
#this was done at multiple users requests

message = "The recipient cannot be verified. Please check all recipients of this message to verify they are valid."
verify = recipient

accept domains = +relay_domains

warn message = ${perl{popbeforesmtpwarn}{$sender_host_name}}
hosts = +relay_hosts
accept hosts = +relay_hosts

warn message = ${perl{popbeforesmtpwarn}{$sender_host_address}}
condition = ${perl{checkrelayhost}{$sender_host_address}}
accept condition = ${perl{checkrelayhost}{$sender_host_address}}

accept hosts = +auth_relay_hosts
endpass
message = $sender_fullhost is currently not permitted to \
relay through this server. Perhaps you \
have not logged into the pop/imap server in the \
last 30 minutes or do not have SMTP Authentication turned on in your email client.
authenticated = *

deny message = $sender_fullhost is currently not permitted to \
relay through this server. Perhaps you \
have not logged into the pop/imap server in the \
last 30 minutes or do not have SMTP Authentication turned on in your email client.


#!!# ACL that is used after the DATA command
check_message:
require verify = header_sender
accept

nobody@lsearch;/etc/localdomains "${if !eq {$header_From:}{}{$header_sender:$header_From:}fail}" Fs

(rest of exim.conf default)

I do have enabled also:

Track the origin of messages sent through the mail server by adding the X-Source headers
Include a list of Pop before SMTP senders in the X-PopBeforeSMTP header when relaying mail
Always set the Sender
Verify the existence of email senders
Use callouts to verify the existence of email senders.
Discard emails for users who have exceeded their quota

I also did the following tweaks:

php spammer
http://www.eth0.us/exim-logging

stop php nobody spammers
http://www.webhostgear.com/232.html


What else to do?

#2  UnrealSilence  02-11-2006, 12:49 PM
I would like to install the mod_security rules found here also
http://www.gotroot.com/tiki-index.ph...security+rules

They only give directions for Apache 2. I am using Apache 1 and installed mod_security via the WHM addon modules. Any tip on how to do this would be greatly appreciated.

#3  layer0  02-11-2006, 01:12 PM
Their directions actually work; just take out

#Additional rules for Apache 2.x ONLY! Do not add this line if you use Apache 1.x
Include /etc/modsecurity/apache2-rules.conf

from the modsec conf

#4  UnrealSilence  02-11-2006, 01:38 PM
There are other issues here:

Include /etc/modsecurity/blacklist2.conf
Include /etc/modsecurity/rules.conf
Include /etc/modsecurity/exclude.conf

#5  UnrealSilence  02-11-2006, 02:08 PM
OK, I got mod_security set up. I just need help on tracing this person.

#6  choon  02-11-2006, 03:24 PM
Quote:
grep asmallorange.com /usr/local/apache/domlogs
grep E1F69AO-00008E-NP@eta.asmallorange.com /var/log/messages (all)
grep E1F69AO-00008E-NP@eta.asmallorange.com /var/log/mailog (all)
If you are using a cPanel server, grep the log /var/log/exim_mainlog. Try with the complaint IP also and see what you can find.

__________________
Giam Teck Choon
:: Join choon.net Community today to share your tips and tricks on server issues please ::
:: Singapore Dedicated Servers :: Singapore Virtual Private Servers :: Linux/FreeBSD Server Management ::


#7  UnrealSilence  02-11-2006, 07:01 PM
The complaint IP is the server IP (mine) so that won't work. I already grepped exim_mainlog also (forgot to mention).

Any easier way? Grepping the domlogs took 1.5 hrs before I stopped without results (due to high load on/off).

Also, the mod_security filters made CPU load shoot through the roof. I had to remove all except the main rules file. Is this normal or just bad rules?

#8  choon  02-11-2006, 07:18 PM
Try:
Code:
tail -n 1000 /var/log/exim_mainlog | grep 'trialware.org'
Play with the 1000 (number of tailed lines) and see what you can find

#9  Website Rob  02-11-2006, 07:30 PM
I see the problem as two-fold.

1. Because the Form mentioned has no 'validate input checking', anyone can Spam the Form. The site Owner should have their Form recoded so it is more secure. It's too easy for people to run insecure scripts and place blame for any problems on someone else.

2. The only thing you have to go on is the IP address used. Since you've stated it is a Shared IP of yours, you should run a 'find' command for all accounts using that IP and check files for specific text. Using 'random phone sex' for example, should find the file/script being used and thus, the account Owner causing the problem.

Also, you might want to consider manually rotating your Apache domlogs, to prevent it from getting too large. It's probably in the GB's for file size. Future grep's will then be much faster.

#10  choon  02-11-2006, 08:24 PM
My bad... apologies... I didn't understand the situation clearly until after reading Website Rob's post above.

If the complaint IP information is true, then maybe one of your users' accounts is using a script to post data to that site's feedback form script, which will not show up in your maillog at all if this is the case, since the data is submitted to that site's feedback script on their port 80. This abuse script can be executed via your user's website URL or in the background, e.g. using your user or the apache user in crontab. Doing what Website Rob said will sooner or later help you find out which script is used for abuse from your server. Maybe you can also check the crontabs of all your users, especially the nobody user.

#11  PerfTuner  02-11-2006, 08:45 PM
It has nothing to do with email spam or exim logs.
I doubt you have a way to trace who the spammer is.
First, tell folks at trialware to add "captcha" to their form - or they will spend days and days sending out notices like this one.
Second, block connections to trialware's IP (67.19.36.196):
iptables -I OUTPUT 1 -d 67.19.36.196 -j REJECT

#12  UnrealSilence  02-12-2006, 01:07 AM
I'm using APF firewall. Also, what "find" command are you referring to?

Any tips on log rotation? I only got the basics from Web Host Gear on certain ones like SSL and Apache.

#13  serversphere  02-12-2006, 11:21 AM
Do "man find" at cmd line and you will learn and be happy.

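The search that Website Rob (#9) and choon (#10) describe, and that #12 asks about, as an added example that is not part of the thread and not anyone's posted code: a POSIX shell script that greps every account's files for the text quoted in the complaint and for form-posting code, and lists crontab lines that run an interpreter or HTTP client. It assumes a cPanel-style layout (sites under /home/<user>/public_html, per-user crontabs under /var/spool/cron, Apache running as nobody); those are only the defaults you would pass in. The sample tree it builds, including the PHP file inside it, is constructed for the offline demo.

```shell
#!/bin/sh
# Added example, not from the thread: locate the script on this server that is
# POSTing to someone else's web form (the search Website Rob and choon describe).
# Assumed layout is cPanel-style: accounts under /home/<user>/public_html and
# per-user crontabs under /var/spool/cron; pass your own paths if they differ.

# hunt_text ROOT PATTERN
# Text files under ROOT (dot-directories included) matching PATTERN, case-insensitive.
hunt_text() {
    grep -rlIi -- "$2" "$1" 2>/dev/null
}

# hunt_posters ROOT
# Files containing the calls PHP/Perl scripts use to submit a form to a remote host.
hunt_posters() {
    grep -rlIE -- 'fsockopen|curl_init|curl_setopt|LWP::UserAgent|HTTP::Request|--post-data' \
        "$1" 2>/dev/null
}

# hunt_cron CRONDIR
# Non-comment crontab lines (file:line) that run an interpreter or HTTP client.
# On a cPanel box the Apache user 'nobody' should normally have no crontab at all.
hunt_cron() {
    grep -HvE '^[[:space:]]*(#|$)' "$1"/* 2>/dev/null | grep -E 'php|perl|python|wget|curl'
}

# make_sample_tree DIR
# Constructed demo data: one clean account, one account with a form-posting
# script hidden in a dot-directory, and a crontab for 'nobody' that runs it.
make_sample_tree() {
    mkdir -p "$1/home/alice/public_html" \
             "$1/home/bob/public_html/images/.cache" \
             "$1/cron"
    printf '<html><body>Welcome to the site of alice.</body></html>\n' \
        > "$1/home/alice/public_html/index.html"
    cat > "$1/home/bob/public_html/images/.cache/submit.php" <<'EOF'
<?php
// Constructed sample of a form-spamming script (demo data only).
$desc = "Any girls/ladies that like random phone sex? See http://www.big-woman.be";
$body = "name=Geoff&input_website=http://www.big-woman.be&input_desc=" . urlencode($desc);
$fp = fsockopen("www.trialware.org", 80, $errno, $errstr, 10);
fwrite($fp, "POST /cgi-bin/cgiemail/join.txt HTTP/1.0\r\nHost: www.trialware.org\r\n"
    . "Content-Type: application/x-www-form-urlencoded\r\n"
    . "Content-Length: " . strlen($body) . "\r\n\r\n" . $body);
fclose($fp);
EOF
    printf '*/10 * * * * /usr/bin/php %s/home/bob/public_html/images/.cache/submit.php >/dev/null 2>&1\n' \
        "$1" > "$1/cron/nobody"
    printf '0 2 * * * /usr/bin/find %s/home/alice/tmp -mtime +7 -delete\n' \
        "$1" > "$1/cron/alice"
}

# Stand-alone demo on the constructed tree. On the real box run, for example:
#   hunt_text /home 'random phone sex'; hunt_posters /home; hunt_cron /var/spool/cron
demo() {
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    echo "== files containing the complaint text =="
    hunt_text "$tmp/home" 'random phone sex'
    echo "== files with form-posting code =="
    hunt_posters "$tmp/home"
    echo "== crontab lines running scripts or HTTP clients =="
    hunt_cron "$tmp/cron"
    rm -rf "$tmp"
}
demo
```

The path of a hit is the answer: the account it sits under is the customer, and the crontab line or the URL that invokes it is how it fires. Because the spam leaves the box as an HTTP POST, Exim's mainlog and /var/log/messages never see it, and the Apache domlogs only help if the script is triggered by a request to one of your own sites. Until the file is found, PerfTuner's iptables rule stops the bleeding; on a cPanel box the same idea applied to the user Apache runs as is `iptables -I OUTPUT -m owner --uid-owner nobody -p tcp --dport 80 -j REJECT`, which also breaks any legitimate PHP script that fetches remote URLs, so treat it as a temporary measure.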