  1. #1 (Join Date: Apr 2003 | Location: UK | Posts: 210)

    Unusual Spam Problem being reported by Data Center

    Hello,

    I have an unusual spam problem on my server being reported by my data center (theplanet). They have opened up an abuse ticket on the issue as they say it appears my server is sending out child porn spam, something I am obviously keen to stop.

    I've had the mail logs checked, and there has been no sign of the CPU going above normal acceptable levels, nor can I see any processes running that appear to be sending out spam.

    The only information I have to go on is the mail headers provided by the data centre themselves, which I will copy and paste below.

    Does anyone have any suggestions as to what could be causing this, or what I can do to stop it?

    Whenever anything like this has happened before, there's usually something like dm.cgi being run on the server which can be traced and stopped, but with this there's nothing.

    As you'll see from the report below, it even states that it has been received from a different server, but it just says xyvcx or something similar...

    Thanks in advance...

    Received: from dozer.webservercity.com (dozer.webservercity.com [75.125.220.34]) by rly-mg07.mx.aol.com (v121.4) with ESMTP id MAILRELAYINMG076-a2447d506b924c; Mon, 10 Mar 2008 06:00:26 -0500
    Received: from pqfoqhh (33.135.166.205)
        by dozer.webservercity.com; Mon, 10 Mar 2008 10:00:22 -0000
    Date: Mon, 10 Mar 2008 10:00:22 -0000
    From: Leta Elliot <[email protected]>
    X-Mailer: The Bat! (v2.01)
    Reply-To: Jamie Dunlap <[email protected]>
    X-Priority: 3 (Normal)
    Message-ID: <[email protected]>
    To: [email protected]
    Subject: K! D S - V1 DS
    MIME-Version: 1.0
    Content-Type: text/plain; charset=windows-1251
    Content-Transfer-Encoding: quoted-printable
    X-AOL-IP: 75.125.220.34
    X-AOL-SCOLL-AUTHENTICATION: listenair ; SPF_helo : n
    X-AOL-SCOLL-AUTHENTICATION: listenair ; SPF_822_from : n

    MIME element (text/plain)

    Hi!

    Love CHxiL. D POR. N* ?

    See catalog: [url removed]

    CP Company.

    Last edited by bear; 03-18-2008 at 07:33 AM.

  2. #2 (Join Date: Jun 2007 | Location: UK | Posts: 219)
    What does your mail log say?
    I think the server saw what was required of it and just committed suicide instead.

  3. #3 (Join Date: Mar 2008 | Location: kolkata, India | Posts: 102)
    Looks like someone is abusing you. Please update all your scripts/addon(s) and make sure that your mail has :fail: set.
    Sysfirm: So you think your server is secure? Try our security Service With SysFirm

  4. #4 (Join Date: Nov 2004 | Location: Australia | Posts: 1,683)
    Originally Posted by applicurearun:
        Looks like someone is abusing you. Please update all your scripts/addon(s) and make sure that your mail has :fail: set.
    Did you even think for a microsecond before you posted that drivel, applicurearun? It's particularly unhelpful, especially as the opposite may be the case.

    What's important is to track down that the spam actually is coming from your server. If your server IP does not appear in any of the headers, it's not coming from your server, unless it's a new form of magic email that travels by telepathy.

    If your server IP does appear there, then there are two possibilities:
    • Spam sent by system mail - look in your server mail logs for entries around the time given in the redacted spam sample from AOL;
    • Spam originating from a script. Usually sent via port 25, this is easily stopped by enabling the "SMTP tweak" in cpanel and/or installing the CSF firewall and preventing outgoing port 25 to all but exim and root. This usually comes from an exploited script or account and there's heaps written here in posts about how to find the exploited user/script, so I won't duplicate what you can easily research.

  5. #5 (Join Date: Mar 2008 | Location: kolkata, India | Posts: 102)
    Hi brianoz,
    Thank you for pointing that out! Yes, I thought before posting. Have a look at your two possibilities: it's about an exploited script (in my words, "abuse"); maybe the word was not correct. But until I have any clue, how can I say it is because of an exploited script? His service provider is not saying anything about load or processes, so I said it may be abuse!

    Also, your solution (enabling the "SMTP tweak") is the best at this time. We have to assume based on limited information here... so sometimes our solution might come from various angles of the issue.

    Anyway, I appreciate your comment.

  6. #6 (Join Date: Apr 2003 | Location: UK | Posts: 210)
    Hello,

    Thank you for your replies. The SMTP tweak is already enabled, and according to the server admin there's no sign of it in the mail log. Which part of the email headers should I be searching for in the mail log? As I will check it myself to make sure...

    Thanks again for your help.

  7. #7 (Join Date: Jun 2007 | Location: UK | Posts: 219)
    I don't know what SMTP software you're using, but a trawl for the from address in that email ([email protected]) for the logs on Monday the 10th should tell you whether or not it came through your SMTP server.

    If it's not there then it's unlikely that your server is the source. It's still possible it could be (a process on your server could be connecting to remote SMTP servers directly), but less likely.
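Added example, not from any poster in this thread: a small Python script that does what posts #4 and #7 describe by hand. It parses the Received: chain of the quoted sample, checks whether a given server IP appears in it, and if so pulls out the upstream IP, the timestamp the server itself recorded, the From address and the Message-ID to search the mail log for. The header sample is constructed from the fields quoted in post #1; the mailbox addresses and Message-ID are placeholders because the thread redacts them.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample after post #1's headers; addresses and Message-ID are placeholders.
SAMPLE_HEADERS = (
    "Received: from dozer.webservercity.com (dozer.webservercity.com [75.125.220.34])"
    " by rly-mg07.mx.aol.com (v121.4) with ESMTP id MAILRELAYINMG076-a2447d506b924c;"
    " Mon, 10 Mar 2008 06:00:26 -0500\n"
    "Received: from pqfoqhh (33.135.166.205)\n"
    "  by dozer.webservercity.com; Mon, 10 Mar 2008 10:00:22 -0000\n"
    "From: Leta Elliot <sender@example.invalid>\n"
    "Message-ID: <placeholder-id@example.invalid>\n"
    "To: victim@example.invalid\n\n"
)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse_received(value):
    """Split one Received: header into relaying IPs, receiving host and timestamp."""
    value = " ".join(value.split())                # unfold continuation lines
    from_part, _, rest = value.partition(" by ")
    stamp = value.rsplit(";", 1)[1].strip() if ";" in value else None
    when = parsedate_to_datetime(stamp) if stamp else None
    if when is not None and when.tzinfo is None:   # "-0000" parses as naive: treat as UTC
        when = when.replace(tzinfo=timezone.utc)
    return {"ips": IPV4.findall(from_part), "time": when,   # IPs the receiving MTA recorded
            "by": rest.split()[0].rstrip(";") if rest else None}

def received_hops(raw_headers):
    """Hops in delivery order (oldest first): MTAs prepend Received: headers."""
    msg = message_from_string(raw_headers)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]

def log_search_terms(raw_headers, server_ip):
    """Did server_ip relay this mail, and if so what should its mail log be searched for?"""
    hops = received_hops(raw_headers)
    msg = message_from_string(raw_headers)
    terms = {"server_in_path": False, "upstream_ip": None, "received_at": None,
             "from_address": parseaddr(msg.get("From", ""))[1],
             "message_id": msg.get("Message-ID")}
    for i, hop in enumerate(hops):
        if server_ip in hop["ips"]:                # the next MTA logged our IP as sender
            terms["server_in_path"] = True
            if i > 0:                              # the hop our own MTA recorded
                terms["upstream_ip"] = (hops[i - 1]["ips"] or [None])[0]
                terms["received_at"] = hops[i - 1]["time"]
            break
    return terms
```

For the quoted sample, `log_search_terms(SAMPLE_HEADERS, "75.125.220.34")` reports the server in the path, with 33.135.166.205 as the upstream IP and 10:00:22 UTC on 10 Mar 2008 as the time to look for in the log; a server IP that appears in no hop returns `server_in_path` False, which is brianoz's "not coming from your server" case.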
