Tracing spammer, serious matter

Server specs:
Centos 4.2
Cpanel 10.x
EXIM
PHP 4.4.1
Apache 1.3


COMPLAINT RECEIVED:

your customer using IP address XXX.232.65.171 has been
spamming our web submission form at
http://www.trialware.org/join.html. You can see the form results
attached. Please consider doing all you can to prevent such
incidents in the future.


Thank you

From: "Geoff" <Geoff@inm.ras.com>
To: <trialwar@trialware.org>
Subject: Join Trialware Professional Association
Date: Mon, 6 Feb 2006 10:24:40 -0600
Message-ID: <E1F69AO-00008E-NP@eta.asmallorange.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0013_01C62C0D.DA007D60"
X-Mailer: cgiemail 1.6(form="http://www.trialware.org/join.html")(action="/cgi-bin/cgiemail/join.txt")
X-Spam-Level:
X-Spam-Status: No, score=-2.7 required=5.0 tests=ALL_TRUSTED,AMATEUR_PORN,BAYES_00,HOT_NASTY autolearn=ham version=3.1.0
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on eta.asmallorange.com
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
thread-index: AcYrOd0lnYQUn2maS1mEwxk2fNoqUg==
x-cc-diagnostic: The F word (40)
x-pmflags: 33570944 0 1 PXHZ2PQY.CNM

This is a multi-part message in MIME format.

------=_NextPart_000_0013_01C62C0D.DA007D60
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

IP: XXX.232.65.171

Update: False

email: Geoff@inm.ras.com

input_company: Health Management Associates Inc.

name: Geoff

HideEMail: True

input_website: http://www.big-woman.be

input_desc: Any girls/ladies that like random phone sex? Someone like it I
saw on <a
href='http://www.big-woman.be'>http://www.big-woman.be</a> What
do you like about it? Details please!

keywords: sex,porn,porno,adult,xxx, hardcore, fu*,sexy girls, hot girls,
amateur porn, bbw, big woman, big wonderful women

input_linktype: Other



I tried the following:

grep asmallorange.com /usr/local/apache/domlogs
grep E1F69AO-00008E-NP@eta.asmallorange.com /var/log/messages (all)
grep E1F69AO-00008E-NP@eta.asmallorange.com /var/log/mailog (all)

My settings in EXIM:

untrusted_set_sender = *
local_from_check = false
local_sender_retain = true

timeout_frozen_after = 2d
ignore_bounce_errors_after = 12h

domainlist rbl_blacklist = lsearch;/etc/rblblacklist
domainlist rbl_bypass = lsearch;/etc/rblbypass
hostlist rbl_whitelist = lsearch;/etc/relayhosts : partial-lsearch;/etc/rblwhitelist
message_size_limit = 5M
log_selector = +arguments +subject
log_selector = +all

timeout_frozen_after = 2d
ignore_bounce_errors_after = 12h

acl_not_smtp = acl_check_pipe

acl_smtp_rcpt = check_recipient
acl_smtp_data = check_message

domainlist local_domains = lsearch;/etc/localdomains

domainlist relay_domains = lsearch;/etc/localdomains : \
lsearch;/etc/secondarymx
hostlist relay_hosts = lsearch;/etc/relayhosts : \
localhost
hostlist auth_relay_hosts = *

#!!# ACL that is used after the RCPT command


##Added Sendmail Bcc and Cc Spam Removal##
acl_check_pipe:
#drop condition = ${if match {$message_body}\
#{\N.*\
#MIME-Version:.*\N}{true}}
#log_message = "Spam MIME-Version:$header_subject: "

#drop condition = ${if match {$message_body}\
#{\N.*\
#Reply-To:.*\N}{true}}
#log_message = "Spam Reply-To:$header_subject: "

# This will also block attachments
# drop condition = ${if match {$message_body}\
# {\N.*\
# Content-Type:.*\N}{true}}
# log_message = "Spam: Content-Type: $header_subject: "

# This will also block attachments
# drop condition = ${if match {$message_body}\
# {\N.*\
# Content-Transfer-Encoding:.*\N}{true}}
# log_message = "Spam: Content-Transfer-Encoding: $header_subject: "

drop condition = ${if match {$message_body}\
{\N.*\
[Bb][Cc][Cc]:.*\N}{true}}
log_message = "Spam: BCC: $header_subject: "

drop condition = ${if match {$message_body}\
{\N.*\
[Cc][Cc]:.*\N}{true}}
log_message = "Spam: CC: $header_subject: "
accept

accept
##End of Additions ##

check_recipient:
# Exim 3 had no checking on -bs messages, so for compatibility
# we accept if the source is local SMTP (i.e. not over TCP/IP).
# We do this by testing for an empty sending host field.
accept hosts = :

drop hosts = /etc/exim_deny
message = Connection denied after dictionary attack
log_message = Connection denied from $sender_host_address after dictionary attack


drop message = Appears to be a dictionary attack
log_message = Dictionary attack (after $rcpt_fail_count failures)
condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
condition = ${run{/etc/exim_deny.pl $sender_host_address }{yes}{no}}
!verify = recipient

# Accept bounces to lists even if callbacks or other checks would fail
warn message = X-WhitelistedRCPT-nohdrfromcallback: Yes
condition = \
${if and {{match{$local_part}{(.*)-bounces\+.*}} \
{exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
{yes}{no}}

accept condition = \
${if and {{match{$local_part}{(.*)-bounces\+.*}} \
{exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
{yes}{no}}


# Accept bounces to lists even if callbacks or other checks would fail
warn message = X-WhitelistedRCPT-nohdrfromcallback: Yes
condition = \
${if and {{match{$local_part}{(.*)-bounces\+.*}} \
{exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
{yes}{no}}

accept condition = \
${if and {{match{$local_part}{(.*)-bounces\+.*}} \
{exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
{yes}{no}}

#if it gets here it isn't mailman

#sender verifications are required for all messages that are not sent to lists

require verify = sender
accept domains = +local_domains
endpass

#recipient verifications are required for all messages that are not sent to the local machine
#this was done at multiple users requests

message = "The recipient cannot be verified. Please check all recipients of this message to verify they are valid."
verify = recipient

accept domains = +relay_domains

warn message = ${perl{popbeforesmtpwarn}{$sender_host_name}}
hosts = +relay_hosts
accept hosts = +relay_hosts

warn message = ${perl{popbeforesmtpwarn}{$sender_host_address}}
condition = ${perl{checkrelayhost}{$sender_host_address}}
accept condition = ${perl{checkrelayhost}{$sender_host_address}}

accept hosts = +auth_relay_hosts
endpass
message = $sender_fullhost is currently not permitted to \
relay through this server. Perhaps you \
have not logged into the pop/imap server in the \
last 30 minutes or do not have SMTP Authentication turned on in your email client.
authenticated = *

deny message = $sender_fullhost is currently not permitted to \
relay through this server. Perhaps you \
have not logged into the pop/imap server in the \
last 30 minutes or do not have SMTP Authentication turned on in your email client.


#!!# ACL that is used after the DATA command
check_message:
require verify = header_sender
accept

nobody@lsearch;/etc/localdomains "${if !eq {$header_From:}{}{$header_sender:$header_From:}fail}" Fs

(rest of exim.conf default)

I do have enabled also:

Track the origin of messages sent though the mail server by adding the X-Source headers
Include a list of Pop before SMTP senders in the X-PopBeforeSMTP header when relaying mail
Always set the Sender
Verify the existance of email senders
Use callouts to verify the existance of email senders.
Discard emails for users who have exceeded their quota

I also did the following tweaks:

php spammer
http://www.eth0.us/exim-logging

stop php nobody spammers
http://www.webhostgear.com/232.html


What else to do?


I would like to install the mod_security rules found here also
http://www.gotroot.com/tiki-index.ph...security+rules

They only give directions for Apache 2. I am using Apache 1 and installed mod_security via the WHM addon modules. Any tip on how to do this would be greatly appreciated.
SecretAgentOnlineAsked:

nepostojeci_emailCommented:
come on.. simplify it a little bit.. I don't understand what your text is here, and what the quote is.. :(
SecretAgentOnlineAuthor Commented:
Then don't respond if you do not understand it. I cannot simplify what is already straightforward.
pjedmondCommented:
To start with, you are using CPanel. I presume that means that multiple individuals have access to that server?

If any of them have shell access, then there is virtually no chance of you being able to trace them, unless you find an offending script on the system.

Your PHP version is up to date, and is therefore unlikely to be a problem (until the next exploit is found).

Apache exploits exist for version 1.3.x - What version are you using? There should be another number after the 3, denoted by the x. You should probably be on 1.3.31, although a 1.3.34 exists.

Other issues relate to exploitable web pages on the server itself. It is often possible to 'abuse' poorly set up cgi or php post (input) pages. These should all be checked.

Wrt EXIM, I don't seem to be able to find any 'remote' vulnerabilities that would achieve this, so anyone trying to do this would not really be trying to abuse this because there are easier ways.

My gut feeling is that someone on the server has shell access and is running a script to do this. Alternatively, even with ftp/webpage access, it is possible to program php (part of the webpage) to do this, so realistically, anyone sharing the system has the ability to do what you have described.

Suggested approach for tracing source of this problem:

1.    Find all files on the server that have been modified between, say, 1 week before and 2 days after:

"Date: Mon, 6 Feb 2006 10:24:40 -0600"

2.    Check all of these individually, particularly any that are .php or +x.

Unfortunately tracing this is not going to be easy :(
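The two tracing steps above, as an added shell example (not pjedmond's own script): it lists every file under a tree whose modification time falls in a window around the complaint's timestamp, then flags the .php/.pl/.cgi/.sh files and executables for a manual look. Older GNU find has no -newermt, so the window is expressed with two reference files created by touch -d. The scan root (/home, where cPanel keeps user homes) and the exact window are assumptions.

```shell
#!/bin/sh
# Added example: list files modified in a time window and flag likely scripts.
# Assumed layout: cPanel user homes under /home. Window and paths are assumptions.

# find_modified_window TREE START END
#   TREE  - directory to scan
#   START - earliest mtime to report (any date string GNU 'touch -d' accepts)
#   END   - latest mtime to report
# Prints matching paths, sorted, one per line.
find_modified_window() {
    tree=$1; start=$2; end=$3
    # Two reference files carry the window boundaries as mtimes.
    ref=$(mktemp -d /tmp/mtime-window.XXXXXX) || return 1
    touch -d "$start" "$ref/start"
    touch -d "$end"   "$ref/end"
    # -newer start AND NOT -newer end  ==  modified within [start, end]
    find "$tree" -type f -newer "$ref/start" ! -newer "$ref/end" \
         ! -path "$ref/*" -print | sort
    rm -rf "$ref"
}

# classify_suspects: read paths on stdin; print the ones worth checking first,
# i.e. script sources by extension, or anything with the execute bit set.
classify_suspects() {
    while IFS= read -r f; do
        case "$f" in
            *.php|*.pl|*.cgi|*.sh) echo "SCRIPT $f"; continue ;;
        esac
        if [ -x "$f" ]; then
            echo "EXEC   $f"
        fi
    done
}

# Window from the thread: one week before to two days after
# "Date: Mon, 6 Feb 2006 10:24:40 -0600".  Run as:  sh mtime-window.sh scan /home
if [ "${1:-}" = "scan" ]; then
    find_modified_window "${2:-/home}" \
        "2006-01-30 10:24:40 -0600" "2006-02-08 10:24:40 -0600" | classify_suspects
fi
```

The output is only a starting list: a script planted in a user's cgi-bin a week earlier and never touched since will not appear, so pair this with a review of the cgi-bin contents themselves.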




Danny_LaroucheCommented:
You should not waste your time tracking a problem caused by their own negligence.  Everybody in the field has been aware of this insecure mailform script being abused by spammers for a while.  If they don't bother to secure their CGI script and their mail server, why should you do their job!!!

Tell them to secure their system by hard-coding the recipient address in the CGI script and installing an IDS to detect an abnormal mail queue on their mail server.

input name="recipient" size="0" value="join@trialware.org" type="hidden"
                                                         ~~~~~~~~~~~~~~~~~
Gary CutriData & Communications SpecialistCommented:
Are you sure the complaint you received wasn't SPAM?
thedwillCommented:
It looks like maybe you have been selected as the unlucky "reply to" by a spammer and are receiving a bounce message.
telmanCommented:
It is a little hard to track spam emails on a cPanel server, due to the process owner. Use control and view the queue, otherwise you will not be able to find anything useful.
Usually the biggest hint is the X-Mailer; in your case it is "cgiemail 1.6". It may take a few hours, but I was always able to find out what is going on. It will lead you to a website, then you look for a CGI script. I would disable the CGI script and send an email to the site owner.


Probably you will not be able to find a solution to this, but you could create a script to look for CGI email programs and compare X-Mailers; if it is a well-known script you can automatically disable it, or send an email to yourself. Then you can manually check unknown scripts.

Telman
SecretAgentOnlineAuthor Commented:
"in your case it is "cgiemail 1.6". It may take a few hours, but I was always able to find out what is going on. It will lead you to a website, then you look for a CGI script. I would disable the CGI script and send an email to the site owner."

How did you do it?

"Probably you will not be able to find a solution to this, but you could create a script to look for CGI email programs and compare X-Mailers; if it is a well-known script you can automatically disable it, or send an email to yourself. Then you can manually check unknown scripts."

I am not aware of any. If you know of any, it would be appreciated if you shared them. Thank you.
Danny_LaroucheCommented:
I don't know if I or some folks here misunderstood the issue.  As I understand it, "secretagentonline" and his systems aren't involved in any way in this issue. One of his users accessed a webform on the complainant's website www.trialware.org, located at IP 67.19.36.196, to send porn ads.  Using this insecure form, the abuser/spammer may specify the "from" and "to" fields. It is up to the complainant to modify their form & CGI to prevent such abuse. Using a 2-step webform would easily make such abuse impossible.

Then, there is nothing to be secured nor tuned on your mail server & web server. If I am right, IP XXX.232.65.171 is part of your network and someone (your customer/user) used it to access the complainant's insecure website to send ads to themselves or someone else.  You may verify on your radius server who was using this IP at this date/time and tell him "don't send spam".
telmanCommented:

1. For example: We had an automated script (a bash script; you can use perl too, whatever works for you) which can scan users' cgi-bin folders for well-known scripts like "http://www.scriptarchive.com/formmail.html", open them and check for the build version (we had a pre-defined list of builds and X-Mailers). Sometimes users would modify their cgi files so our automated scanner could not detect script details; in that case we would manually go in and check it (of course we got an email alert about that).

Now you can add "cgiemail 1.6" to your pre-defined list so your scanner can detect that type of formmailer.

We usually renamed the script during the system scan. We also sent an email to the client to say it is insecure to use that script.

2. I checked emails in the queue and looked for the X-Mailer (they are the easy ones) and went from there. If you look carefully you will usually find something. Unfortunately each case was unique so I cannot give you a step-by-step guide.


3. You can make a shell script, run every 5 minutes, to check the email queue; if it holds more than a certain number of emails it may send you an alert.

I hope it helps

Telman
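Telman's three steps, combined into one cron-able shell script as an added example (this is not Telman's script; his was never posted). Step 1 fingerprints known form-mailer scripts in users' cgi-bin directories against a signature list, step 2 pulls the X-Mailer header of every queued message via exim -Mvh, and step 3 alerts when the queue count from exim -bpc exceeds a threshold. The signature strings, the /home root, the threshold of 200 and the cron path are assumptions to adapt for the box.

```shell
#!/bin/sh
# Added example (not Telman's script). Assumptions: cPanel homes under /home,
# Exim 4 with exiqgrep available, a queue threshold of 200 messages.

# Step 1: one "pattern|label" per line. The pattern is grepped as a fixed
# string inside each cgi-bin file; the label appears in the report. Add
# "cgiemail 1.6"-style strings here as you meet them. (Assumed signatures.)
FORMMAILER_SIGS='Matt Wright|FormMail.pl (scriptarchive.com)
nms-cgi|NMS FormMail
cgiemail|cgiemail'

# scan_cgi_bins ROOT -> prints "label<TAB>path" for every file that matches
# a signature, sorted so runs can be diffed against each other.
scan_cgi_bins() {
    root=$1
    find "$root" -type d -name cgi-bin 2>/dev/null | while IFS= read -r dir; do
        find "$dir" -type f | while IFS= read -r f; do
            echo "$FORMMAILER_SIGS" | while IFS='|' read -r pat label; do
                [ -n "$pat" ] || continue
                if grep -qF -- "$pat" "$f" 2>/dev/null; then
                    printf '%s\t%s\n' "$label" "$f"
                fi
            done
        done
    done | sort
}

# Step 2: list the X-Mailer of each queued message. exiqgrep -i prints the
# message ids; exim -Mvh prints the spool header file of one message.
queue_xmailers() {
    exiqgrep -i | while IFS= read -r id; do
        xm=$(exim -Mvh "$id" 2>/dev/null | grep -i 'X-Mailer:' | head -1)
        if [ -n "$xm" ]; then
            printf '%s\t%s\n' "$id" "$xm"
        fi
    done
}

# Step 3: queue_alert THRESHOLD COUNT -> returns 0 when COUNT <= THRESHOLD,
# prints an alert line and returns 1 when it is exceeded, 2 on a bad count.
queue_alert() {
    threshold=$1; count=$2
    case "$count" in
        ''|*[!0-9]*) echo "queue_alert: bad count '$count'" >&2; return 2 ;;
    esac
    if [ "$count" -gt "$threshold" ]; then
        echo "ALERT: $count messages queued (threshold $threshold)"
        return 1
    fi
    return 0
}

# Assumed cron entry:  */5 * * * * /usr/local/sbin/spamcheck.sh run | mail -s "spamcheck" root
if [ "${1:-}" = "run" ]; then
    scan_cgi_bins /home
    queue_xmailers
    queue_alert 200 "$(exim -bpc)" || true
fi
```

Keep the previous run's scan output and diff against it: a new signature hit, or a file that dropped off the list because a user edited it out of recognition, is exactly the case Telman says needs a manual look.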
Danny_LaroucheCommented:
If I recall, most answers to this question were going in different directions.  Mostly because the author is misunderstanding the issue itself, and then the question was not very clear either.

Then I propose to split points between all participants.