<html>
At 10:57 09/11/2011 +0000, you wrote:<br><br>
<blockquote type=cite class=cite cite>On 9 November 2011 00:57, John
Craven <<a href="mailto:jc@ukzone.com">jc@ukzone.com</a>> wrote:
<dl>
<dd>At 21:43 08/11/2011 +0000, you wrote:<br><br>
<blockquote type=cite class=cite cite>
<dd>On 8 November 2011 21:00, John Craven
<<a href="mailto:jc@ukzone.com">jc@ukzone.com</a>> wrote:
<dd>At 20:48 08/11/2011 +0000, you wrote:<br><br>
<blockquote type=cite class=cite cite>
<dd>On 8 November 2011 19:47, John Craven
<<a href="mailto:jc@ukzone.com">jc@ukzone.com</a>> wrote:
<dd>At 19:41 08/11/2011 +0000, you wrote:<br><br>
<blockquote type=cite class=cite cite>
<dd>On 8 November 2011 19:29, John Craven
<<a href="mailto:jc@ukzone.com">jc@ukzone.com</a>> wrote:
<dd>At 19:24 08/11/2011 +0000, you wrote:
<dd>John,<br><br>
<dd>>I have been notified that a spammer is sending mail through my
server.
<dd>>I need help in finding out how this is happening.
</blockquote></blockquote>
</dl></blockquote><br>
My server is running CentOS 5<br>
hth...
<dl>
<dd>First do your logs show evidence that these spams are originating
from
<dd>your system or being relayed by your system?
</dl><br><br>
I don't know where to look ????<br>
It has been suggested that I check my auth log, but I don't seem to have
one.
<dl>
<dd>Have you seen any blowback? If you are being spoofed (or
otherwise)
</dl><br><br>
No. I haven't had any returned mail.
<dl>
<dd>you are very likely to see many non-delivery reports.<br><br>
<dd>Do you have a sample of an offending e-mail with the full headers?
</dl><br><br>
Email in previous email. Obviously "crossed in post".
<dl>
<dd>What mailer (MTA) are you running? exim, sendmail?
</dl><br><br>
I'm running SENDMAIL
<dl>
<dd>Andrew
</dl><br><br>
At first look that looks like it's coming from a script. Where is your
website located?<br>
The server is located in Preston, Lancashire.<br><br>
I do run lots of scripts on the server, for different web sites
(clients).<br>
Is there any way of identifying what kind of script, or better still,
which script?<br><br>
Actually I meant a URL ;)<br><br>
Client sites are difficult, but you can search the code for mail()
functions if it's php.<br>
How would I do this ???<br><br>
<blockquote type=cite class=cite cite>You might also be able to check
your sendmail logs for activity. Who manages the server?<br><br>
s/</blockquote><br>
Sorry for misunderstanding.<br><br>
I manage the server and I have around 30 web sites hosted of which I
created around 15 of them.<br>
My sendmail logs are very active since all the sites have their email on
my server.<br>
It would help if I knew what the times were that the offending email was
sent.<br>
Is there any way of identifying this info ???<br><br>
John C<br><br>
<blockquote type=cite class=cite cite>-- <br>
Twitter: @sfgreenwood<br>
"post-apocalyptic allen keys"</blockquote><br>
=================================================<br><br>
Check out our British Country Music Web Sites <br><br>
<a href="http://www.countrymusic.org.uk/">http://www.countrymusic.org.uk<br>
</a>
<a href="http://www.bcmi-radio.co.uk/" eudora="autourl">http://www.bcmi-radio.co.uk</a><br>
<br>
Over 300,000 visitors a week<br><br>
================================================= <br><br>
_______________________________________________<br>
Wylug-help mailing list<br>
<a href="mailto:Wylug-help@wylug.org.uk">Wylug-help@wylug.org.uk</a><br>
<a href="https://mailman.lug.org.uk/mailman/listinfo/wylug-help" eudora="autourl">https://mailman.lug.org.uk/mailman/listinfo/wylug-help</a><br><br>
<br>
You could check for the sending address of the original spam mail in your
logs and for bounced mail in your postmaster or equivalent account
(probably root). Check the mail queue as well (mailq from the command
line) as if it's a script exploit it's possible that there will be emails
to bad addresses queuing there.<br><br>
Do you keep the server up to date? I see that the apache page at
<a href="http://blackvelvet.gvl99.co.uk">blackvelvet.gvl99.co.uk</a>
comes from CentOS 3, which is very out of date now. The most common PHP mail() exploits have been fixed in more recent versions of PHP.<br><br>
s/<br><br>
Sorry if my default apache page is somewhat misleading. It was copied from another previous server.<br><br>
My server is running CentOS release 5.5 (Final). The installation was done from CentOS 5.5 x86_64.<br>
So probably the most common PHP mail() exploits are not applicable.<br>
I have yum automatically updating so the server should be pretty well up to date.<br><br>
I have checked my root mailbox and there are no bounced emails.<br>
I have also checked mailq and it is empty.<br><br>
However, many thanks for your suggestions.<br><br>
Can you tell me, how would it be possible for a spammer to exploit my mail scripts ???<br><br>
John C<br><br>
There are known exploits for particular scripts, often in old versions of apps, but quite often it's just plain bad code. It's something that my company have tried to come up with a solution for, specifically for a large scale hosting company, and even if you crawl through the CERT lists and try and verify all of them, there are always people who have written their own mail form using PHP for Dummies and called it mail.php or contact.php, which is something that spambots look for.<br><br>
If you've been through the machine and there's no sign of increased activity then it might have been a false positive - you can usually tell if a spambot has hit a server as the load will have gone up and your bandwidth will have spiked. <br><br>
s/</blockquote><br>
I've checked again this morning and got a real shock.<br>
My /var/log/maillog was going mad with hundreds of mails that were being rejected.<br>
My root mailbox is full of bounced emails.<br>
Here is the script of one of them:<br><br>
<b>Return-Path: <MAILER-DAEMON@blackvelvet.gvl99.co.uk><br>
Date: Wed, 9 Nov 2011 12:19:40 GMT<br>
To: <root@blackvelvet.gvl99.co.uk><br>
Subject: Returned mail: see transcript for details<br>
Auto-Submitted: auto-generated (failure)<br><br>
This is a MIME-encapsulated message<br><br>
--pA9CJe9d024580.1320841180/blackvelvet.gvl99.co.uk<br><br>
The original message was received at Wed, 9 Nov 2011 12:14:33 GMT<br>
from redvelvet.gvl99.co.uk [127.0.0.1]<br><br>
----- The following addresses had permanent fatal errors -----<br>
<tasobello@hotmail.it><br>
(reason: 550 Requested action not taken: mailbox unavailable)<br><br>
----- Transcript of session follows -----<br>
451 4.4.1 reply: read error from mx1.hotmail.com.<br>
... while talking to mx3.hotmail.com.:<br>
>>> DATA<br>
<<< 550 Requested action not taken: mailbox unavailable<br>
550 5.1.1 <tasobello@hotmail.it>... User unknown<br>
<<< 503 Need Rcpt command.<br><br>
--pA9CJe9d024580.1320841180/blackvelvet.gvl99.co.uk<br>
Content-Type: message/delivery-status<br><br>
Reporting-MTA: dns; blackvelvet.gvl99.co.uk<br>
Received-From-MTA: DNS; redvelvet.gvl99.co.uk<br>
Arrival-Date: Wed, 9 Nov 2011 12:14:33 GMT<br><br>
Final-Recipient: RFC822; tasobello@hotmail.it<br>
Action: failed<br>
Status: 5.1.1<br>
Remote-MTA: DNS; mx3.hotmail.com<br>
Diagnostic-Code: SMTP; 550 Requested action not taken: mailbox unavailable<br>
Last-Attempt-Date: Wed, 9 Nov 2011 12:19:39 GMT<br><br>
--pA9CJe9d024580.1320841180/blackvelvet.gvl99.co.uk<br>
Content-Type: message/rfc822<br><br>
Return-Path: <root@blackvelvet.gvl99.co.uk><br>
Received: from blackvelvet.gvl99.co.uk (redvelvet.gvl99.co.uk [127.0.0.1])<br>
by blackvelvet.gvl99.co.uk (8.13.8/8.13.8) with ESMTP id pA9CEU9d024577<br>
for <tasobello@hotmail.it>; Wed, 9 Nov 2011 12:14:33 GMT<br>
Received: (from root@localhost)<br>
by blackvelvet.gvl99.co.uk (8.13.8/8.13.8/Submit) id pA9CET3k024573;<br>
Wed, 9 Nov 2011 12:14:29 GMT<br>
Date: Wed, 9 Nov 2011 12:14:29 GMT<br>
Message-Id: <201111091214.pA9CET3k024573@blackvelvet.gvl99.co.uk><br>
From: Promotions Department <promotions@places-cazino.info><br>
To: tasobello@hotmail.it<br>
Subject: Get Free 1000 EURO to Play!<br>
MIME-Version: 1.0<br>
Content-Type: multipart/related;<br>
boundary="=_a9713fc79164888ab50b927c8b0c2650"<br><br>
--=_a9713fc79164888ab50b927c8b0c2650<br>
Content-Type: multipart/alternative;<br>
boundary="=_d8df151bd01e463b26b81cbf2741e6bb"<br><br>
--=_d8df151bd01e463b26b81cbf2741e6bb<br>
Content-Type: text/plain; charset="ISO-8859-1"<br>
Content-Transfer-Encoding: 7bit<br><br>
</b>This is a copy of my maillog relating to the above email:<br><br>
Nov 9 12:19:40 blackvelvet sendmail[25823]: pA9CJd8i025823: from=root, size=140075, class=0, nrcpts=1, msgid=<201111091219.pA9CJd8i025823@blackvelvet.gvl99.co.uk>, relay=root@localhost<br>
Nov 9 12:19:40 blackvelvet sendmail[25823]: pA9CJd8i025823: to=jonny_be_good30@hotmail.com, ctladdr=root (0/0), delay=00:00:01, xdelay=00:00:00, mailer=relay, pri=170075, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]<br>
Nov 9 12:19:40 blackvelvet sendmail[24580]: pA9CEU9d024577: pA9CJe9d024580: DSN: User unknown<br><br>
I'm leaning towards the problem being from a script.<br>
Is there any way that I can identify which script is the problem?<br><br>
Any help will be very much appreciated.<br><br>
Thanks,<br><br>
John C<br><br>
<blockquote type=cite class=cite cite>-- <br>
Twitter: @sfgreenwood<br>
"post-apocalyptic allen keys"<br>
</blockquote>
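The maillog lines quoted above can be correlated by sendmail queue ID. This added Python example (not code from the thread) does that over constructed sample lines in the same format and separates mail handed to sendmail by a local process (relay=root@localhost, ctladdr=root (0/0), which is how a PHP mail() call submits mail) from mail received over SMTP from a remote host. Hostnames, queue IDs and addresses in the sample are made up.

```python
# Added example, not code from the thread: group sendmail maillog records by
# queue ID and pick out mail handed to sendmail by a local process, as mail() does.
import re
from collections import Counter, defaultdict

# Constructed sample in the format quoted in the thread; IDs and addresses made up.
SAMPLE_MAILLOG = """\
Nov  9 12:19:40 blackvelvet sendmail[25823]: pA9CJd8i025823: from=root, size=140075, class=0, nrcpts=1, msgid=<201111091219.pA9CJd8i025823@blackvelvet.example>, relay=root@localhost
Nov  9 12:19:40 blackvelvet sendmail[25823]: pA9CJd8i025823: to=user1@example.com, ctladdr=root (0/0), delay=00:00:01, xdelay=00:00:00, mailer=relay, pri=170075, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Nov  9 12:19:41 blackvelvet sendmail[25830]: pA9CJe8i025830: from=root, size=140075, class=0, nrcpts=1, msgid=<201111091219.pA9CJe8i025830@blackvelvet.example>, relay=root@localhost
Nov  9 12:19:41 blackvelvet sendmail[25830]: pA9CJe8i025830: to=user2@example.org, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=170075, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent
Nov  9 12:19:41 blackvelvet sendmail[24580]: pA9CEU9d024577: pA9CJe9d024580: DSN: User unknown
Nov  9 12:20:02 blackvelvet sendmail[25840]: pA9CK28i025840: from=<alice@clientsite.example>, size=812, class=0, nrcpts=1, msgid=<abc@clientsite.example>, proto=ESMTP, daemon=MTA, relay=[203.0.113.5]
Nov  9 12:20:02 blackvelvet sendmail[25840]: pA9CK28i025840: to=<bob@example.net>, ctladdr=<alice@clientsite.example>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=30812, relay=mx.example.net. [198.51.100.9], dsn=2.0.0, stat=Sent (OK)
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: "
                     r"(?P<qid>\w+): (?P<body>.*)$")

def field(body, key):
    """Value of 'key=...' in a record body; the key must start the body or follow ', ' (so 'proto=ESMTP' is never read as a 'to=' field)."""
    m = re.search(r"(?:^|, )" + key + r"=(.*?)(?=, \w+=|$)", body)
    return m.group(1) if m else None

def parse_maillog(text):
    """Map queue ID -> envelope (from=, inbound relay=) plus its recipient records."""
    msgs = defaultdict(lambda: {"time": None, "from": None, "relay_in": None, "rcpts": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        qid, body = m.group("qid"), m.group("body")
        if field(body, "from") is not None:
            msgs[qid].update({"time": m.group("ts"), "from": field(body, "from"), "relay_in": field(body, "relay")})
        elif field(body, "to") is not None:  # DSN notices etc. carry neither field
            msgs[qid]["rcpts"].append({"to": field(body, "to"),
                "ctladdr": field(body, "ctladdr"), "stat": field(body, "stat")})
    return dict(msgs)

def locally_submitted(msgs):
    """Queue IDs submitted via the local sendmail binary (relay=user@localhost)."""
    return sorted(q for q, r in msgs.items()
                  if r["relay_in"] and r["relay_in"].endswith("@localhost"))

def submitter_counts(msgs):
    """Recipients per local submitting user from ctladdr ('root (0/0)' -> 'root')."""
    counts = Counter()
    for q in locally_submitted(msgs):
        for rc in msgs[q]["rcpts"]:
            counts[(rc["ctladdr"] or "?").split(" ")[0]] += 1
    return counts
```

A run of locally submitted envelopes all under one ctladdr user, in the same minutes as a spike in one site's web access log, narrows the search to that site's scripts.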
</html>