[Wylug-help] Help needed with trying to identify spammer
John Craven
jc at ukzone.com
Wed Nov 9 13:21:23 UTC 2011
At 10:57 09/11/2011 +0000, you wrote:
>On 9 November 2011 00:57, John Craven <jc at ukzone.com> wrote:
>At 21:43 08/11/2011 +0000, you wrote:
>
>>On 8 November 2011 21:00, John Craven <jc at ukzone.com> wrote:
>>At 20:48 08/11/2011 +0000, you wrote:
>>
>>>On 8 November 2011 19:47, John Craven <jc at ukzone.com> wrote:
>>>At 19:41 08/11/2011 +0000, you wrote:
>>>
>>>>On 8 November 2011 19:29, John Craven <jc at ukzone.com> wrote:
>>>>At 19:24 08/11/2011 +0000, you wrote:
>>>>John,
>>>>
>>>> >I have been notified that a spammer is sending mail through my server.
>>>> >I need help in finding out how this is happening.
>
>My server is running centos 5
>hth...
>First do your logs show evidence that these spams are originating from
>your system or being relayed by your system?
>
>I don't know where to look ????
>It has been suggested that I check my auth log, but I don't seem to have
>one.
>Have you seen any blowback? If you are being spoofed (or otherwise)
>
>No. I haven't had any returned mail.
>you are very likely to see many non-delivery reports.
>
>Do you have a sample of an offending e-mail with the full headers?
>
>Email in previous email. Obviously "crossed in post".
>What mailer (MTA) are you running? exim, sendmail?
>
>I'm running SENDMAIL
>Andrew
>
>At first look that looks like it's coming from a script. Where is your
>website located?
>The server is located in Preston, Lancashire.
>
>I do run lots of scripts on the server, for different web sites (clients).
>Is there any way of identifying what kind of script, or better still,
>which script?
>
>Actually I meant a URL ;)
>
>Client sites are difficult, but you can search the code for mail()
>functions if it's php.
>How would I do this ???
>
>>You might also be able to check your sendmail logs for activity. Who
>>manages the server?
>>
>>s/
>
>Sorry for misunderstanding.
>
>I manage the server and I have around 30 web sites hosted of which I
>created around 15 of them.
>My sendmail logs are very active since all the sites have their email on
>my server.
>It would help if I knew what the times were that the offending email was sent.
>Is there any way of identifying this info ???
>
>John C
>
>>--
>>Twitter: @sfgreenwood
>>"post-apocalyptic allen keys"
>
>You could check for the sending address of the original spam mail in your
>logs and for bounced mail in your postmaster or equivalent account
>(probably root). Check the mail queue as well (mailq from the command
>line) as if it's a script exploit it's possible that there will be emails
>to bad addresses queuing there.
>
>Do you keep the server up to date? I see that the apache page at
><http://blackvelvet.gvl99.co.uk>blackvelvet.gvl99.co.uk comes from CentOS
>3, which is very out of date now. The most common PHP mail() exploits have
>been fixed in more recent versions of PHP.
>
>s/
>
>Sorry if my default apache page is somewhat misleading. It was copied from
>another previous server.
>
>My server is running CentOS release 5.5 (Final). The installation was done
>from Centos 5.5 x86_64
>So probably the most common PHP mail() exploits are not applicable.
>I have yum automatically updating so the server should be pretty well up
>to date.
>
>I have checked my root mailbox and there is no bounced emails.
>I have also checked mailq and it is empty.
>
>However, many thanks for your suggestions.
>
>Can you tell me, how would it be possible for a spammer to exploit my mail
>scripts ???
>
>
>John C
>
>
>There are known exploits for particular scripts, often in old versions of
>apps, but quite often it's just plain bad code. It's something that my
>company have tried to come up with a solution for, specifically for a
>large scale hosting company, and even if you crawl through the CERT lists
>and try and verify all of them, there are always people who have written
>their own mail form using PHP for Dummies and called it mail.php or
>contact.php, which is something that spambots look for.
>
>If you've been through the machine and there's no sign of increased
>activity then it might have been a false positive - you can usually tell
>if a spambot has hit a server as the load will have gone up and your
>bandwidth will have spiked.
>
>s/
I've checked again this morning and got a real shock.
My /var/log/maillog was going mad with hundreds of mails that were being
rejected.
My root mailbox is full of bounced emails.
Here is the script of one of them:
Return-Path: <MAILER-DAEMON at blackvelvet.gvl99.co.uk>
Date: Wed, 9 Nov 2011 12:19:40 GMT
To: <root at blackvelvet.gvl99.co.uk>
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)
This is a MIME-encapsulated message
--pA9CJe9d024580.1320841180/blackvelvet.gvl99.co.uk
The original message was received at Wed, 9 Nov 2011 12:14:33 GMT
from redvelvet.gvl99.co.uk [127.0.0.1]
----- The following addresses had permanent fatal errors -----
<tasobello at hotmail.it>
(reason: 550 Requested action not taken: mailbox unavailable)
----- Transcript of session follows -----
451 4.4.1 reply: read error from mx1.hotmail.com.
... while talking to mx3.hotmail.com.:
>>> DATA
<<< 550 Requested action not taken: mailbox unavailable
550 5.1.1 <tasobello at hotmail.it>... User unknown
<<< 503 Need Rcpt command.
--pA9CJe9d024580.1320841180/blackvelvet.gvl99.co.uk
Content-Type: message/delivery-status
Reporting-MTA: dns; blackvelvet.gvl99.co.uk
Received-From-MTA: DNS; redvelvet.gvl99.co.uk
Arrival-Date: Wed, 9 Nov 2011 12:14:33 GMT
Final-Recipient: RFC822; tasobello at hotmail.it
Action: failed
Status: 5.1.1
Remote-MTA: DNS; mx3.hotmail.com
Diagnostic-Code: SMTP; 550 Requested action not taken: mailbox unavailable
Last-Attempt-Date: Wed, 9 Nov 2011 12:19:39 GMT
--pA9CJe9d024580.1320841180/blackvelvet.gvl99.co.uk
Content-Type: message/rfc822
Return-Path: <root at blackvelvet.gvl99.co.uk>
Received: from blackvelvet.gvl99.co.uk (redvelvet.gvl99.co.uk [127.0.0.1])
by blackvelvet.gvl99.co.uk (8.13.8/8.13.8) with ESMTP id
pA9CEU9d024577
for <tasobello at hotmail.it>; Wed, 9 Nov 2011 12:14:33 GMT
Received: (from root at localhost)
by blackvelvet.gvl99.co.uk (8.13.8/8.13.8/Submit) id pA9CET3k024573;
Wed, 9 Nov 2011 12:14:29 GMT
Date: Wed, 9 Nov 2011 12:14:29 GMT
Message-Id: <201111091214.pA9CET3k024573 at blackvelvet.gvl99.co.uk>
From: Promotions Department <promotions at places-cazino.info>
To: tasobello at hotmail.it
Subject: Get Free 1000 EURO to Play!
MIME-Version: 1.0
Content-Type: multipart/related;
boundary="=_a9713fc79164888ab50b927c8b0c2650"
--=_a9713fc79164888ab50b927c8b0c2650
Content-Type: multipart/alternative;
boundary="=_d8df151bd01e463b26b81cbf2741e6bb"
--=_d8df151bd01e463b26b81cbf2741e6bb
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
This is a copy of my maillog relating to the above email:
Nov 9 12:19:40 blackvelvet sendmail[25823]: pA9CJd8i025823: from=root,
size=140075, class=0, nrcpts=1,
msgid=<201111091219.pA9CJd8i025823 at blackvelvet.gvl99.co.uk>,
relay=root at localhost
Nov 9 12:19:40 blackvelvet sendmail[25823]: pA9CJd8i025823:
to=jonny_be_good30 at hotmail.com, ctladdr=root (0/0), delay=00:00:01,
xdelay=00:00:00, mailer=relay, pri=170075, relay=[127.0.0.1] [127.0.0.1],
dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Nov 9 12:19:40 blackvelvet sendmail[24580]: pA9CEU9d024577:
pA9CJe9d024580: DSN: User unknown
I'm leaning towards the problem being from a script.
Is there any way that I can identify which script is the problem?
Any help will be very much appreciated.
Thanks,
John C
=================================================
Check out our British Country Music Web Sites
http://www.countrymusic.org.uk
http://www.bcmi-radio.co.uk
Over 300,000 visitors a week
=================================================
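An added example, not part of this thread and not tooling from any of its posters, for the two questions raised above: what times the offending mail was sent, and which local user or script handed it to sendmail. Sendmail writes one `from=` record and one `to=` record per queue ID to /var/log/maillog, and the `ctladdr=` field on the `to=` record names the local user whose process submitted the message (in the log excerpt quoted above it is root (0/0); a PHP mail() call made under Apache would normally show the web server's own user instead). The script joins those records on the queue ID, counts submissions per controlling user and per minute so that a burst stands out, and lists recipients whose delivery failed. The log lines embedded in it are constructed to match the quoted format, not taken from the server, and the hostnames and addresses are placeholders.

```python
"""Summarise sendmail maillog submissions by controlling user and by minute.

Added example, not from the thread. Sample lines are constructed in the
maillog format quoted in the thread; they are not real log data.
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines (not real data): one "from=" and one "to=" record
# per queue ID, plus a DSN bookkeeping line that the parser must ignore.
SAMPLE_LOG = """\
Nov  9 09:30:02 blackvelvet sendmail[20001]: pA99U2xx020001: from=apache, size=812, class=0, nrcpts=1, msgid=<1@blackvelvet.example>, relay=apache@localhost
Nov  9 09:30:03 blackvelvet sendmail[20002]: pA99U2xx020001: to=client@example.org, ctladdr=apache (48/48), delay=00:00:01, xdelay=00:00:00, mailer=relay, pri=30812, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent
Nov  9 12:14:29 blackvelvet sendmail[24573]: pA9CET3k024573: from=root, size=140075, class=0, nrcpts=1, msgid=<2@blackvelvet.example>, relay=root@localhost
Nov  9 12:14:33 blackvelvet sendmail[24577]: pA9CET3k024573: to=victim1@example.net, ctladdr=root (0/0), delay=00:00:04, xdelay=00:00:00, mailer=relay, pri=170075, relay=[127.0.0.1] [127.0.0.1], dsn=5.1.1, stat=User unknown
Nov  9 12:14:30 blackvelvet sendmail[24574]: pA9CEU3k024574: from=root, size=140075, class=0, nrcpts=1, msgid=<3@blackvelvet.example>, relay=root@localhost
Nov  9 12:14:34 blackvelvet sendmail[24578]: pA9CEU3k024574: to=victim2@example.net, ctladdr=root (0/0), delay=00:00:04, xdelay=00:00:00, mailer=relay, pri=170075, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent
Nov  9 12:14:31 blackvelvet sendmail[24575]: pA9CEV3k024575: from=root, size=140075, class=0, nrcpts=1, msgid=<4@blackvelvet.example>, relay=root@localhost
Nov  9 12:14:35 blackvelvet sendmail[24579]: pA9CEV3k024575: to=victim3@example.net, ctladdr=root (0/0), delay=00:00:04, xdelay=00:00:00, mailer=relay, pri=170075, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Nov  9 12:19:40 blackvelvet sendmail[25823]: pA9CJd8i025823: from=root, size=140075, class=0, nrcpts=1, msgid=<5@blackvelvet.example>, relay=root@localhost
Nov  9 12:19:40 blackvelvet sendmail[25823]: pA9CJd8i025823: to=victim4@example.com, ctladdr=root (0/0), delay=00:00:01, xdelay=00:00:00, mailer=relay, pri=170075, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Nov  9 12:19:40 blackvelvet sendmail[24580]: pA9CEU9d024577: pA9CJe9d024580: DSN: User unknown
"""

# syslog timestamp, host, "sendmail[pid]:", queue ID, then the record body
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: "
    r"(?P<qid>\w+): (?P<rest>.*)$"
)
# key=value pairs are comma separated, but values may contain spaces and
# colons (stat=Deferred: ...), so read each value lazily up to the next ", key=".
KV_RE = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")


def parse_maillog(text):
    """Return {queue_id: record}, joining each from= record with its to= records."""
    records = defaultdict(lambda: {"from": None, "submitted": None,
                                   "ctladdr": None, "recipients": [], "stat": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        if not rest.startswith(("from=", "to=")):
            continue  # DSN bookkeeping and other records are not submissions
        fields = dict(KV_RE.findall(rest))
        rec = records[m.group("qid")]
        if "from" in fields:
            rec["from"] = fields["from"]
            rec["submitted"] = m.group("ts")
        if "to" in fields:
            rec["recipients"].append(fields["to"])
            rec["ctladdr"] = fields.get("ctladdr")
            rec["stat"].append(fields.get("stat", ""))
    return dict(records)


def submissions_by_user(records):
    """Messages per controlling local user; 'root (0/0)' is counted as 'root'."""
    return Counter(r["ctladdr"].split()[0] for r in records.values() if r["ctladdr"])


def submissions_per_minute(records):
    """Messages per submission minute (timestamp with the seconds stripped)."""
    return Counter(r["submitted"][:-3] for r in records.values() if r["submitted"])


def bursts(records, threshold=3):
    """Minutes in which at least `threshold` messages were submitted."""
    per_minute = submissions_per_minute(records)
    return sorted((minute, n) for minute, n in per_minute.items() if n >= threshold)


def failed_recipients(records):
    """(recipient, stat) pairs whose delivery status is anything but Sent."""
    out = []
    for r in records.values():
        for rcpt, stat in zip(r["recipients"], r["stat"]):
            if not stat.startswith("Sent"):
                out.append((rcpt, stat))
    return out


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    recs = parse_maillog(text)
    for user, n in submissions_by_user(recs).most_common():
        print(f"{n:6d}  ctladdr={user}")
    for minute, n in bursts(recs):
        print(f"burst: {n} messages submitted at {minute}")
    for rcpt, stat in failed_recipients(recs):
        print(f"not delivered: {rcpt}: {stat}")
```

The script is written for Python 3; run it as `python3 maillog_summary.py /var/log/maillog` on any machine the log has been copied to, or with no argument to see it work on the constructed sample. The minutes it reports as bursts are the times to compare against the web server's access log for the same document roots. Searching the code for mail() calls, as suggested earlier in the thread, remains a separate step (for instance `grep -rl 'mail(' /var/www`); on PHP 5.3 and later the mail.add_x_header and mail.log ini settings record the calling script and line for every mail() call, which answers the "which script" question directly.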