SecretAgentOnline
Tracing spammer, serious matter
Server specs:
Centos 4.2
Cpanel 10.x
EXIM
PHP 4.4.1
Apache 1.3
COMPLAINT RECEIVED:
your customer using IP address XXX.232.65.171 has been
spamming our web submission form at
http://www.trialware.org/join.html. You can see the form results
attached. Please consider doing all you can to prevent such
incidents in the future.
Thank you
From: "Geoff" <Geoff@inm.ras.com>
To: <trialwar@trialware.org>
Subject: Join Trialware Professional Association
Date: Mon, 6 Feb 2006 10:24:40 -0600
Message-ID: <E1F69AO-00008E-NP@eta.asmallorange.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0013_01C62C0D.DA007D60"
X-Mailer: cgiemail 1.6(form="http://www.trialware.org/join.html")(action="/cgi-bin/cgiemail/join.txt")
X-Spam-Level:
X-Spam-Status: No, score=-2.7 required=5.0 tests=ALL_TRUSTED,AMATEUR_PORN,BAYES_00,HOT_NASTY autolearn=ham version=3.1.0
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on eta.asmallorange.com
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
thread-index: AcYrOd0lnYQUn2maS1mEwxk2fNoqUg==
x-cc-diagnostic: The F word (40)
x-pmflags: 33570944 0 1 PXHZ2PQY.CNM
This is a multi-part message in MIME format.
------=_NextPart_000_0013_01C62C0D.DA007D60
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
IP: XXX.232.65.171
Update: False
email: Geoff@inm.ras.com
input_company: Health Management Associates Inc.
name: Geoff
HideEMail: True
input_website: http://www.big-woman.be
input_desc: Any girls/ladies that like random phone sex? Someone like it I
saw on <a
href='http://www.big-woman.be'>http://www.big-woman.be</a> What
do you like about it? Details please!
keywords: sex,porn,porno,adult,xxx, hardcore, fu*,sexy girls, hot girls,
amateur porn, bbw, big woman, big wonderful women
input_linktype: Other
I tried the following:
grep asmallorange.com /usr/local/apache/domlogs
grep E1F69AO-00008E-NP@eta.asmallorange.com /var/log/messages (all)
grep E1F69AO-00008E-NP@eta.asmallorange.com /var/log/maillog (all)
My settings in EXIM:
untrusted_set_sender = *
local_from_check = false
local_sender_retain = true
timeout_frozen_after = 2d
ignore_bounce_errors_after = 12h
domainlist rbl_blacklist = lsearch;/etc/rblblacklist
domainlist rbl_bypass = lsearch;/etc/rblbypass
hostlist rbl_whitelist = lsearch;/etc/relayhosts : partial-lsearch;/etc/rblwhitelist
message_size_limit = 5M
log_selector = +arguments +subject
log_selector = +all
timeout_frozen_after = 2d
ignore_bounce_errors_after = 12h
acl_not_smtp = acl_check_pipe
acl_smtp_rcpt = check_recipient
acl_smtp_data = check_message
domainlist local_domains = lsearch;/etc/localdomains
domainlist relay_domains = lsearch;/etc/localdomains : \
lsearch;/etc/secondarymx
hostlist relay_hosts = lsearch;/etc/relayhosts : \
localhost
hostlist auth_relay_hosts = *
#!!# ACL that is used after the RCPT command
##Added Sendmail Bcc and Cc Spam Removal##
acl_check_pipe:
#drop condition = ${if match {$message_body}\
#{\N.*\
#MIME-Version:.*\N}{true}}
#log_message = "Spam MIME-Version:$header_subject: "
#drop condition = ${if match {$message_body}\
#{\N.*\
#Reply-To:.*\N}{true}}
#log_message = "Spam Reply-To:$header_subject: "
# This will also block attachments
# drop condition = ${if match {$message_body}\
# {\N.*\
# Content-Type:.*\N}{true}}
# log_message = "Spam: Content-Type: $header_subject: "
# This will also block attachments
# drop condition = ${if match {$message_body}\
# {\N.*\
# Content-Transfer-Encoding: .*\N}{true}}
# log_message = "Spam: Content-Transfer-Encoding: $header_subject: "
drop condition = ${if match {$message_body}\
{\N.*\
[Bb][Cc][Cc]:.*\N}{true}}
log_message = "Spam: BCC: $header_subject: "
drop condition = ${if match {$message_body}\
{\N.*\
[Cc][Cc]:.*\N}{true}}
log_message = "Spam: CC: $header_subject: "
accept
accept
##End of Additions ##
check_recipient:
# Exim 3 had no checking on -bs messages, so for compatibility
# we accept if the source is local SMTP (i.e. not over TCP/IP).
# We do this by testing for an empty sending host field.
accept hosts = :
drop hosts = /etc/exim_deny
message = Connection denied after dictionary attack
log_message = Connection denied from $sender_host_address after dictionary attack
drop message = Appears to be a dictionary attack
log_message = Dictionary attack (after $rcpt_fail_count failures)
condition = ${if > {${eval:$rcpt_fail_count}} {3}{yes}{no}}
condition = ${run{/etc/exim_deny.pl $sender_host_address }{yes}{no}}
!verify = recipient
# Accept bounces to lists even if callbacks or other checks would fail
warn message = X-WhitelistedRCPT-nohdrfromcallback: Yes
condition = \
${if and {{match{$local_part}{(.*)-bounces\+.*}} \
{exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
{yes}{no}}
accept condition = \
${if and {{match{$local_part}{(.*)-bounces\+.*}} \
{exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
{yes}{no}}
# Accept bounces to lists even if callbacks or other checks would fail
warn message = X-WhitelistedRCPT-nohdrfromcallback: Yes
condition = \
${if and {{match{$local_part}{(.*)-bounces\+.*}} \
{exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
{yes}{no}}
accept condition = \
${if and {{match{$local_part}{(.*)-bounces\+.*}} \
{exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
{yes}{no}}
#if it gets here it isn't mailman
#sender verifications are required for all messages that are not sent to lists
require verify = sender
accept domains = +local_domains
endpass
#recipient verifications are required for all messages that are not sent to the local machine
#this was done at multiple users requests
message = "The recipient cannot be verified. Please check all recipients of this message to verify they are valid."
verify = recipient
accept domains = +relay_domains
warn message = ${perl{popbeforesmtpwarn}{$sender_host_name}}
hosts = +relay_hosts
accept hosts = +relay_hosts
warn message = ${perl{popbeforesmtpwarn}{$sender_host_address}}
condition = ${perl{checkrelayhost}{$sender_host_address}}
accept condition = ${perl{checkrelayhost}{$sender_host_address}}
accept hosts = +auth_relay_hosts
endpass
message = $sender_fullhost is currently not permitted to \
relay through this server. Perhaps you \
have not logged into the pop/imap server in the \
last 30 minutes or do not have SMTP Authentication turned on in your email client.
authenticated = *
deny message = $sender_fullhost is currently not permitted to \
relay through this server. Perhaps you \
have not logged into the pop/imap server in the \
last 30 minutes or do not have SMTP Authentication turned on in your email client.
#!!# ACL that is used after the DATA command
check_message:
require verify = header_sender
accept
nobody@lsearch;/etc/localdomains "${if !eq {$header_From:}{}{$header_sender:$header_From:}fail}" Fs
(rest of exim.conf default)
I also have the following enabled:
Track the origin of messages sent through the mail server by adding the X-Source headers
Include a list of Pop before SMTP senders in the X-PopBeforeSMTP header when relaying mail
Always set the Sender
Verify the existence of email senders
Use callouts to verify the existence of email senders.
Discard emails for users who have exceeded their quota
I also did the following tweaks:
php spammer
http://www.eth0.us/exim-logging
stop php nobody spammers
http://www.webhostgear.com/232.html
What else to do?
I would also like to install the mod_security rules found here:
http://www.gotroot.com/tiki-index.ph...security+rules
They only give directions for Apache 2. I am using Apache 1 and installed mod_security via the WHM addon modules. Any tip on how to do this would be greatly appreciated.
Come on, simplify it a little bit. I don't understand which is your text here and which is the quote. :(
ASKER
Then don't respond if you do not understand it. I cannot simplify what is already straightforward.
Are you sure the complaint you received wasn't SPAM?
It looks like maybe you have been selected as the unlucky "reply to" by a spammer and are receiving a bounce message.
It is a little hard to track spam emails on a cPanel server, due to the process owner. Use control and view the queue; otherwise you will not be able to find anything useful.
Usually the biggest hint is the X-Mailer; in your case it is "cgiemail 1.6". It may take a few hours, but I was always able to find out what is going on. It will lead you to a website; then you look for a CGI script. I would disable the CGI script and send an email to the site owner.
Probably you will not be able to find a solution to this, but you could create a script to look for CGI email programs and compare X-Mailers; if it is a well-known script, you can automatically disable it, or send an email to yourself. Then you can manually check unknown scripts.
Telman
ASKER
"In your case it is "cgiemail 1.6". It may take a few hours, but I was always able to find out what is going on. It will lead you to a website; then you look for a CGI script. I would disable the CGI script and send an email to the site owner."
How did you do it?
"Probably you will not be able to find a solution to this, but you could create a script to look for CGI email programs and compare X-Mailers; if it is a well-known script, you can automatically disable it, or send an email to yourself. Then you can manually check unknown scripts."
I am not aware of any. If you know of any, it would be appreciated if you share. Thank you.
I don't know if I myself or some folks here misunderstood the issue. As I understand it, "secretagentonline" and its systems aren't involved in any way in this issue. One of his users accessed a web form on the complainant's website www.trialware.org, located at IP 67.19.36.196, to send porn ads. Using this unsecured form, the abuser/spammer may specify the "from" and "to" fields. It is up to the complainant to modify its form and CGI to prevent such abuse. Using a two-step web form would easily render such abuse impossible.
Then there is nothing to be secured or tuned on your mail server or web server. If I am right, IP XXX.232.65.171 is part of your network and someone (your customer/user) used it to access the complainant's unsecured website to send ads to themselves or someone else. You may verify on your RADIUS server who was using this IP at this date/time and tell him "don't send spam".
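A small triage helper, added here as my own example and not code from anyone in the thread, for Telman's point about the X-Mailer header and the explanation above that the complainant's own cgiemail script generated the mail: it reads the complaint's headers, reports which MTA minted the Message-ID and which web form produced the message, and checks whether either is a host you own. The sample headers are reconstructed from the complaint quoted in the question, and `server.example.net` is a placeholder for the asker's own hostname.

```python
import email
import re
from urllib.parse import urlparse

# Constructed sample: the header block quoted in the complaint above, with the
# spam body cut down to the "IP:" line that cgiemail writes into the message.
SAMPLE = """\
From: "Geoff" <Geoff@inm.ras.com>
To: <trialwar@trialware.org>
Subject: Join Trialware Professional Association
Message-ID: <E1F69AO-00008E-NP@eta.asmallorange.com>
X-Mailer: cgiemail 1.6(form="http://www.trialware.org/join.html")(action="/cgi-bin/cgiemail/join.txt")
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on eta.asmallorange.com

IP: XXX.232.65.171
Update: False
"""

# Exim builds Message-IDs as <E + its 6-6-2 queue id @ primary hostname>, so the
# host after the "@" is the MTA that accepted the message, not the client IP.
EXIM_MSGID = re.compile(r"<E[A-Za-z0-9]{6}-[A-Za-z0-9]{6}-[A-Za-z0-9]{2}@([^>]+)>")
# cgiemail stamps the form URL and the template it used; the form's host is the
# web server that generated the mail.
CGIEMAIL = re.compile(r'^cgiemail\s+([\d.]+)\(form="([^"]+)"\)\(action="([^"]+)"\)')

def analyse(raw):
    """Pull the origin clues out of the headers; None where a clue is absent."""
    msg = email.message_from_string(raw)
    info = dict.fromkeys(("msgid_host", "mailer", "form_host", "action",
                          "scanner_host", "submitter_ip"))
    m = EXIM_MSGID.search(msg.get("Message-ID", ""))
    if m:
        info["msgid_host"] = m.group(1).lower()
    m = CGIEMAIL.match(msg.get("X-Mailer", ""))
    if m:
        info["mailer"] = "cgiemail " + m.group(1)
        info["form_host"] = urlparse(m.group(2)).hostname
        info["action"] = m.group(3)
    m = re.search(r"\bon\s+(\S+)\s*$", msg.get("X-Spam-Checker-Version", ""))
    if m:
        info["scanner_host"] = m.group(1).lower()
    # cgiemail copies the submitter's address into the body as "IP: ..."
    m = re.search(r"^IP:\s*(\S+)", msg.get_payload(), re.M)
    if m:
        info["submitter_ip"] = m.group(1)
    return info

def generated_locally(raw, local_hosts):
    """True only when the MTA or web form that produced the mail is one of ours.
    The submitter IP being in our netblock does not make the message ours."""
    info = analyse(raw)
    ours = {h.lower() for h in local_hosts}
    return bool({info["msgid_host"], info["form_host"]} & ours)

if __name__ == "__main__":
    for k, v in analyse(SAMPLE).items():
        print(f"{k:>13}: {v}")
    # server.example.net is a hypothetical stand-in for the asker's own hostname
    print("generated here:", generated_locally(SAMPLE, ["server.example.net"]))
```

For this complaint the Message-ID host, the SpamAssassin host and the form host all point at the complainant's side, so the only local fact is the submitting customer IP.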
If I recall, most answers to this question were going in a different direction, mostly because the author is misunderstanding the issue itself, and the question was not very clear either.
Then I propose to split points among all participants.