[Wylug-help] Help needed with trying to identify spammer

John Craven jc at ukzone.com
Wed Nov 9 13:21:23 UTC 2011


At 10:57 09/11/2011 +0000, you wrote:


>On 9 November 2011 00:57, John Craven <jc at ukzone.com> wrote:
>At 21:43 08/11/2011 +0000, you wrote:
>
>>On 8 November 2011 21:00, John Craven <jc at ukzone.com> wrote:
>>At 20:48 08/11/2011 +0000, you wrote:
>>
>>>On 8 November 2011 19:47, John Craven <jc at ukzone.com> wrote:
>>>At 19:41 08/11/2011 +0000, you wrote:
>>>
>>>>On 8 November 2011 19:29, John Craven <jc at ukzone.com> wrote:
>>>>At 19:24 08/11/2011 +0000, you wrote:
>>>>John,
>>>>
>>>> >I have been notified that a spammer is sending mail through my server.
>>>> >I need help in finding out how this is happening.
>
>My server is running centos 5
>hth...
>First do your logs show evidence that these spams are originating from
>your system or being relayed by your system?
>
>I don't know where to look ????
>It has been suggested that I check my auth log, but I don't seem to have 
>one.
>Have you seen any blowback?  If you are being spoofed (or otherwise)
>
>No. I haven't had any returned mail.
>you are very likely to see many non-delivery reports.
>
>Do you have a sample of an offending e-mail with the full headers?
>
>Email in previous email. Obviously "crossed in post".
>What mailer (MTA) are you running?  exim, sendmail?
>
>I'm running SENDMAIL
>Andrew
>
>At first look that looks like it's coming from a script. Where is your 
>website located?
>The server is located in Preston, Lancashire.
>
>I do run lots of scripts on the server, for different web sites (clients).
>Is there any way of identifying what kind of script, or better still, 
>which script.
>
>
>Actually I meant a URL ;)
>
>Client sites are difficult, but you can search the code for mail() 
>functions if it's php.
>How would I do this ???
>
>>You might also be able to check your sendmail logs for activity. Who 
>>manages the server?
>>
>>s/
>
>Sorry for misunderstanding.
>
>I manage the server and I have around 30 web sites hosted of which I 
>created around 15 of them.
>My sendmail logs are very active since all the sites have their email on 
>my server.
>It would help if I knew what the times were that the offending email was sent.
>Is there any way of identifying this info ???
>
>John C
>
>>--
>>Twitter: @sfgreenwood
>>"post-apocalyptic allen keys"
>
>You could check for the sending address of the original spam mail in your 
>logs and for bounced mail in your postmaster or equivalent account 
>(probably root). Check the mail queue as well (mailq from the command 
>line) as if it's a script exploit it's possible that there will be emails 
>to bad addresses queuing there.
>
>Do you keep the server up to date? I see that the apache page at 
><http://blackvelvet.gvl99.co.uk>blackvelvet.gvl99.co.uk comes from CentOS 
>3, which is very out of date now. The most common PHP mail() exploits have 
>been fixed in more recent versions of PHP.
>
>s/
>
>Sorry if my default apache page is somewhat misleading. It was copied from 
>another previous server.
>
>My server is running CentOS release 5.5 (Final). The installation was done 
>from Centos 5.5 x86_64
>So probably the most common PHP mail() exploits are not applicable.
>I have yum automatically updating so the server should be pretty well up 
>to date.
>
>I have checked my root mailbox and there are no bounced emails.
>I have also checked mailq and it is empty.
>
>However, many thanks for your suggestions.
>
>Can you tell me, how would it be possible for a spammer to exploit my mail 
>scripts ???
>
>
>John C
>
>
>There are known exploits for particular scripts, often in old versions of 
>apps, but quite often it's just plain bad code. It's something that my 
>company have tried to come up with a solution for, specifically for a 
>large scale hosting company, and even if you crawl through the CERT lists 
>and try and verify all of them, there are always people who have written 
>their own mail form using PHP for Dummies and called it mail.php or 
>contact.php, which is something that spambots look for.
>
>If you've been through the machine and there's no sign of increased 
>activity then it might have been a false positive - you can usually tell 
>if a spambot has hit a server as the load will have gone up and your 
>bandwidth will have spiked.
>
>s/

I've checked again this morning and got a real shock.
My /var/log/maillog was going mad with hundreds of mails that were being 
rejected.
My root mailbox is full of bounced emails.
Here is the script of one of them:

Return-Path: <MAILER-DAEMON at blackvelvet.gvl99.co.uk>
Date: Wed, 9 Nov 2011 12:19:40 GMT
To: <root at blackvelvet.gvl99.co.uk>
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)

This is a MIME-encapsulated message

--pA9CJe9d024580.1320841180/blackvelvet.gvl99.co.uk

The original message was received at Wed, 9 Nov 2011 12:14:33 GMT
from redvelvet.gvl99.co.uk [127.0.0.1]

    ----- The following addresses had permanent fatal errors -----
<tasobello at hotmail.it>
     (reason: 550 Requested action not taken: mailbox unavailable)

    ----- Transcript of session follows -----
451 4.4.1 reply: read error from mx1.hotmail.com.
... while talking to mx3.hotmail.com.:
 >>> DATA
<<< 550 Requested action not taken: mailbox unavailable
550 5.1.1 <tasobello at hotmail.it>... User unknown
<<< 503 Need Rcpt command.

--pA9CJe9d024580.1320841180/blackvelvet.gvl99.co.uk
Content-Type: message/delivery-status

Reporting-MTA: dns; blackvelvet.gvl99.co.uk
Received-From-MTA: DNS; redvelvet.gvl99.co.uk
Arrival-Date: Wed, 9 Nov 2011 12:14:33 GMT

Final-Recipient: RFC822; tasobello at hotmail.it
Action: failed
Status: 5.1.1
Remote-MTA: DNS; mx3.hotmail.com
Diagnostic-Code: SMTP; 550 Requested action not taken: mailbox unavailable
Last-Attempt-Date: Wed, 9 Nov 2011 12:19:39 GMT

--pA9CJe9d024580.1320841180/blackvelvet.gvl99.co.uk
Content-Type: message/rfc822

Return-Path: <root at blackvelvet.gvl99.co.uk>
Received: from blackvelvet.gvl99.co.uk (redvelvet.gvl99.co.uk [127.0.0.1])
         by blackvelvet.gvl99.co.uk (8.13.8/8.13.8) with ESMTP id pA9CEU9d024577
         for <tasobello at hotmail.it>; Wed, 9 Nov 2011 12:14:33 GMT
Received: (from root at localhost)
         by blackvelvet.gvl99.co.uk (8.13.8/8.13.8/Submit) id pA9CET3k024573;
         Wed, 9 Nov 2011 12:14:29 GMT
Date: Wed, 9 Nov 2011 12:14:29 GMT
Message-Id: <201111091214.pA9CET3k024573 at blackvelvet.gvl99.co.uk>
From: Promotions Department <promotions at places-cazino.info>
To: tasobello at hotmail.it
Subject: Get Free 1000 EURO to Play!
MIME-Version: 1.0
Content-Type: multipart/related;
         boundary="=_a9713fc79164888ab50b927c8b0c2650"

--=_a9713fc79164888ab50b927c8b0c2650
Content-Type: multipart/alternative;
         boundary="=_d8df151bd01e463b26b81cbf2741e6bb"

--=_d8df151bd01e463b26b81cbf2741e6bb
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit

This is a copy of my maillog relating to the above email:

Nov  9 12:19:40 blackvelvet sendmail[25823]: pA9CJd8i025823: from=root, size=140075, class=0, nrcpts=1, msgid=<201111091219.pA9CJd8i025823 at blackvelvet.gvl99.co.uk>, relay=root at localhost
Nov  9 12:19:40 blackvelvet sendmail[25823]: pA9CJd8i025823: to=jonny_be_good30 at hotmail.com, ctladdr=root (0/0), delay=00:00:01, xdelay=00:00:00, mailer=relay, pri=170075, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Nov  9 12:19:40 blackvelvet sendmail[24580]: pA9CEU9d024577: pA9CJe9d024580: DSN: User unknown

I'm leaning towards the problem being from a script.
Is there any way that I can identify which script is the problem?

Any help will be very much appreciated.

Thanks,

John C



=================================================

   Check out our British Country Music Web Sites

         http://www.countrymusic.org.uk
         http://www.bcmi-radio.co.uk

   Over 300,000 visitors a week

=================================================
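One way to answer the "which script?" question asked above: pull the minutes in which one local user pushed a burst of messages through sendmail out of /var/log/maillog, then look at what the web server was serving in those same minutes. This is an added example, not code from the thread or from anyone on the list; the two logs are constructed samples in the formats quoted in the message, and the httpd access_log path is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread: correlate sendmail maillog
# submissions with Apache access_log requests in the same minute, to narrow
# "which script is sending this?" down to a URL. ctladdr= in the maillog is
# the local user whose process handed the message to sendmail; the thread's
# bounce shows root, but a form-mail script normally shows apache/nobody.
# Both logs below are constructed samples in the format the thread quotes
# (addresses use @; the list archive rewrites it as "at").

MAILLOG_SAMPLE='Nov  9 12:14:29 blackvelvet sendmail[24573]: pA9CET3k024573: from=root, size=1200, class=0, nrcpts=1, msgid=<x@blackvelvet.example>, relay=root@localhost
Nov  9 12:14:29 blackvelvet sendmail[24573]: pA9CET3k024573: to=victim1@example.invalid, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=31200, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent
Nov  9 12:14:30 blackvelvet sendmail[24581]: pA9CEUAb024581: to=victim2@example.invalid, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=31200, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent
Nov  9 12:14:31 blackvelvet sendmail[24585]: pA9CEVBc024585: to=victim3@example.invalid, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=31200, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent
Nov  9 12:40:02 blackvelvet sendmail[26001]: pA9Ce2cd026001: to=client@example.invalid, ctladdr=apache (48/48), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30900, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent'

ACCESS_SAMPLE='203.0.113.9 - - [09/Nov/2011:12:14:28 +0000] "POST /site1/contact.php HTTP/1.1" 200 312
203.0.113.9 - - [09/Nov/2011:12:14:30 +0000] "POST /site1/contact.php HTTP/1.1" 200 312
198.51.100.7 - - [09/Nov/2011:12:14:31 +0000] "GET /site2/index.html HTTP/1.1" 200 9001
198.51.100.7 - - [09/Nov/2011:12:40:01 +0000] "POST /site2/mail.php HTTP/1.1" 200 40'

# busy_minutes THRESHOLD: read a maillog on stdin; print "HH:MM user N" for
# each minute in which one ctladdr had more than THRESHOLD recipients logged.
busy_minutes() {
  awk -v t="$1" '
    / sendmail\[[0-9]+\]: [0-9A-Za-z]+: to=/ && match($0, /ctladdr=[^ ]+/) {
      split($3, hms, ":")
      n[hms[1] ":" hms[2] " " substr($0, RSTART + 8, RLENGTH - 8)]++
    }
    END { for (k in n) if (n[k] > t) print k, n[k] }' | sort
}

# suspect_requests HH:MM: read an access_log on stdin; print "N client url"
# for the POST requests (mail forms are normally POSTed) in that minute.
suspect_requests() {
  awk -v m="$1" '$4 ~ (":" m ":") && $6 == "\"POST" { print $1, $7 }' \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2, $3 }'
}

# On the real box: busy_minutes 20 < /var/log/maillog, then
# suspect_requests HH:MM < /var/log/httpd/access_log for each minute printed
# (access_log path assumed). The loop below walks the constructed samples.
printf '%s\n' "$MAILLOG_SAMPLE" | busy_minutes 2 | while read -r minute user count; do
  echo "== $minute: $count recipients submitted as $user; POSTs that minute:"
  printf '%s\n' "$ACCESS_SAMPLE" | suspect_requests "$minute"
done
```

A script found this way should be checked for whether it lets the request supply the recipient, the subject or raw header lines (the classic form-mail abuse), and the bursts can then be matched against the queue ids in the bounces arriving in root's mailbox.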