Solved

Mail server is used by someone to send spam. How to stop that?

Posted on 2007-10-09
Last Modified: 2013-11-30
We provide shared hosting on our server. Now we got a complaint that a lot of spam is being sent from this server's IP.
I have no idea how to stop that.
We use IMail. In IMail, SMTP is set to "No Mail Relay". How do they send out those spams?
Question by:snowname
21 Comments
 
LVL 12

Expert Comment

by:dalesit
ID: 20046521
Is this your own server, or shared space on a hosted server from a provider? It is possible that the issue is not with your account, but with someone else's using the same server if it is shared.

Cheers,

Joel
0
 

Author Comment

by:snowname
ID: 20046542
I am the hosting provider.  The server is mine.

Here is a spam that was sent out from our server.

==============
[ SpamCop V640 ]
This message is brief for your comfort. Please use links below for details.

Email from 64.34.XXX.XXX/ Mon, 08 Oct 2007 07:27:23 +1000

[ Offending message ]
X-Account-Key: account1
X-Mozilla-Keys:
Return-path: <kd100@inbox.com>
Envelope-to: x
Delivery-date: Sun, 07 Oct 2007 15:45:05 -0700
Received: from host.intensehosting3.com.au ([122.201.83.98]) by andromeda.lunarpages.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.68) (envelope-from <kd100@inbox.com>) id 1Ieerp-0003c6-17 for x; Sun, 07 Oct 2007 15:45:05 -0700
Received: from cpanel by host.intensehosting3.com.au with local (Exim 4.68) (envelope-from <kd100@inbox.com>) id 1Iedep-0004Cp-3h; Mon, 08 Oct 2007 07:27:27 +1000
Received: from 64.34.XXX.XXX ([64.34.XXX.XXX) by www.intensehosting3.com.au (Horde MIME library) with HTTP; Mon, 08 Oct 2007 07:27:23 +1000
Message-ID: <2007_______________________wk8w@www.intensehosting3.com.au>
Date: Mon, 08 Oct 2007 07:27:23 +1000
From: K Dinc <kd100@inbox.com>
To: undisclosed-recipients:;
Subject: Good Day
MIME-Version: 1.0
Content-Type: text/plain;
charset=ISO-8859-1;
DelSp="Yes";
format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
User-Agent: Internet Messaging Program (IMP) H3 (4.1.3)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - host.intensehosting3.com.au
X-AntiAbuse: Original Domain - audio-restoration.com
X-AntiAbuse: Originator/Caller UID/GID - [32002 32002] / [47 12]
X-AntiAbuse: Sender Address Domain - inbox.com
X-Source: /usr/local/cpanel/3rdparty/bin/php
X-Source-Args: /usr/local/cpanel/3rdparty/bin/php /usr/local/cpanel/base/horde/imp/compose.php
X-Source-Dir: :/base/horde/imp
X-Spam-Status: No, score=2.8
X-Spam-Score: 28
X-Spam-Bar: ++
X-Spam-Flag: NO

Confidential

Dear Friend,

My name is Kemal Dinc of Ankara Sigorta A.S., An Insurance Company with office in Istanbul-Turkey. I got your contact from our customer service list hence i am contacting you for a possible assistance.

I wish to request your sincere assistance for a business of Mutual Benefit to both parties which involves a Municipal Blanket Insurance Bond covering one of our deceased client. Since his demise, all efforts to locate his relatives has proved abortive and recently there has been plans to declare his Insurance Policy Unserviceable which will automatically approve the Local Government full ownership over the said Policy and properties.

I am requesting your sincere perticipation to enable me present you as the Next of Kin/Beneficiary to the Insurance Policy and with the legal documents available to me, all process will be legal and 100% risk free but first will like to meet with you on a neutral ground to access :-

(1) Each others Ability, Personality and Trust.
(2) To draw up a Mutual Agreement on mode of sharing.

If my proposal is not against your business ethics please reply me via my official email for security purpose at (kemal.dinc@anksigorta.com)

Sincerely Yours
Kemal Dinc
www.anksigorta.com

==============
0
 
LVL 16

Expert Comment

by:grahamnonweiler
ID: 20046667
Are you, or one of the clients you host, running Horde on your server?

Do you only host your own websites or do you sell/provide hosting to other people on your server?

0
Author Comment

by:snowname
ID: 20046673
We sell shared hosting.

How do I find Horde on the server?
0
 
LVL 16

Expert Comment

by:grahamnonweiler
ID: 20046743
Ok - your problem is simple.

One of your clients is using the installed version of Horde (which is a content management and groupware product running under PHP) - in turn this is being used to send SPAM. It appears that Horde is installed as part of your general server offering. If not then one of your clients has installed it.

I am guessing that you are using Cpanel to manage your server - in which case you can disable Horde within Cpanel - look for 3rdParty Applications and then disable Horde.

In the above message it mentions which client is running/using Horde:

X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - host.intensehosting3.com.au
X-AntiAbuse: Original Domain - audio-restoration.com   <<<<<<<<<<<<<  this is your client!!!!!
X-AntiAbuse: Originator/Caller UID/GID - [32002 32002] / [47 12]
X-AntiAbuse: Sender Address Domain - inbox.com
X-Source: /usr/local/cpanel/3rdparty/bin/php  
X-Source-Args: /usr/local/cpanel/3rdparty/bin/php /usr/local/cpanel/base/horde/imp/compose.php    <<<<<< this is the location of Horde!!!!!
X-Source-Dir: :/base/horde/imp  <<<<<< this is the location of Horde!!!!!

You need to be very careful with applications like Horde - if the security and code is not tightened then just about anyone can use your server to send SPAM - which is obviously what has happened to you.

To get your server delisted from SPAMCOP will take you a lot of work and time - currently email sent from your server will be blocked by mail servers that use SPAMCOP blacklist lookups - and believe me that is a serious problem for you that you should deal with as quickly as possible.

0
 

Author Comment

by:snowname
ID: 20047534
audio-restoration.com is not hosted on this server.
When I ping it, the IP is different from my server's.
In IIS, I cannot see the domain.

We do not use CPanel, we use another control panel.

I scanned all files, but I do not find /base/horde/imp

0
 
LVL 16

Expert Comment

by:grahamnonweiler
ID: 20048246
Hi Snowman:

In the headers :

Received: from 64.34.XXX.XXX ([64.34.XXX.XXX) by www.intensehosting3.com.au (Horde MIME library) with HTTP; Mon, 08 Oct 2007 07:27:23 +1000

>>> In the line above where the 64.34.XXX.XXX shows - did you delete this IP address and if so was it your IP Address?

Assuming it was your IP address you must have SMTP log files on your system (or at least HTTP log files) - assuming you have SMTP log files then go to 8th Oct and review the logs to find who (which of your clients) is sending email at that time.

If you do not have SMTP files - you could check your HTTP log around the same time - your client is probably using server side script to send these bulk mails.

Finally - if you have your mail server set to authenticate before send - then you must have logs of which user logged in at around the time of sending these emails.

If you don't have logs - well you really should keep detailed logs for at least 30 - 45 days (really a lot longer) if you are providing shared hosting - you never know when you might need them.

Without log files - then I'm afraid you will find it very difficult to discover who was abusing your system.

Please confirm that the 64.34.XXX.XXX  is actually your IP address?
0
 
LVL 16

Expert Comment

by:grahamnonweiler
ID: 20048366
Actually looking at the headers again I believe the SPAM is being generated on your server and then a PHP script is connecting to the Web Mail client of  www.intensehosting3.com.au  - which is Horde - and then www.intensehosting3.com.au  is forwarding the mail.

Do you have any other examples of email (including the header) that is being sent from your server?

I need to be sure what is actually sending the email - as it looks at the moment it is not your SMTP service that is at fault. It looks like you have someone using a script on your server - but we should be able to pin that person down using your log files.
0
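The reading of the Received chain that grahamnonweiler gives above can be checked mechanically. The following Python helper is an added example, not part of the thread: it takes the headers quoted in the SpamCop report (the poster's IP left redacted as in the post), walks the Received lines from origin to final delivery, normalises each hop's timestamp to UTC so the right day's log file can be picked regardless of the -0700/+1000 zones in the headers, and reports the protocol of the first hop. Here that protocol is HTTP into Horde on www.intensehosting3.com.au, which is why the poster's IMail SMTP service is not the relay.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed from the SpamCop report quoted earlier in the thread; the poster's
# IP stays redacted as 64.34.XXX.XXX exactly as it appears there.
RAW_HEADERS = """\
Return-path: <kd100@inbox.com>
Received: from host.intensehosting3.com.au ([122.201.83.98]) by andromeda.lunarpages.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.68) (envelope-from <kd100@inbox.com>) id 1Ieerp-0003c6-17 for x; Sun, 07 Oct 2007 15:45:05 -0700
Received: from cpanel by host.intensehosting3.com.au with local (Exim 4.68) (envelope-from <kd100@inbox.com>) id 1Iedep-0004Cp-3h; Mon, 08 Oct 2007 07:27:27 +1000
Received: from 64.34.XXX.XXX ([64.34.XXX.XXX) by www.intensehosting3.com.au (Horde MIME library) with HTTP; Mon, 08 Oct 2007 07:27:23 +1000
X-Source-Args: /usr/local/cpanel/3rdparty/bin/php /usr/local/cpanel/base/horde/imp/compose.php

"""

# "from X ... by Y ... with Z" as Exim and Horde write it; the date follows the last ";".
HOP_RE = re.compile(r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)(?:.*?\bwith\s+(?P<with>[^\s;]+))?")

def received_hops(raw):
    """Return hops oldest-first. Each relay prepends its own Received line, so the
    last Received header in the message is the hop closest to the real origin."""
    hops = []
    for hdr in reversed(message_from_string(raw).get_all("Received", [])):
        line = " ".join(hdr.split())          # unfold any continuation lines
        m = HOP_RE.search(line)
        if not m:
            continue
        when = parsedate_to_datetime(line.rsplit(";", 1)[-1].strip())
        hops.append({"from": m["from"], "by": m["by"], "with": m["with"] or "?",
                     "utc": when.astimezone(timezone.utc).isoformat()})
    return hops

def injection_point(raw):
    """First hop: who handed the message in, to which host, over which protocol.
    'HTTP' means a webmail form was driven, not an SMTP session to the poster's IMail."""
    hops = received_hops(raw)
    return hops[0] if hops else None

if __name__ == "__main__":
    for h in received_hops(RAW_HEADERS):
        print(f"{h['utc']}  {h['from']:>30} -> {h['by']:<30} via {h['with']}")
    print("injected via:", injection_point(RAW_HEADERS)["with"])
```

The UTC value of the first hop (2007-10-07T21:27:23) is the moment to look for in the poster's own HTTP or script logs, after correcting for whatever offset the server clock was actually running at.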
 

Author Comment

by:snowname
ID: 20048678
Please confirm that the 64.34.XXX.XXX  is actually your IP address?=> Yes, it is.

I will check log file now.    Will tell what I found later.
0
 

Author Comment

by:snowname
ID: 20049200
Delivery-date: Sun, 07 Oct 2007 15:45:05 -0700 <<<< <<<<<<< So I checked sys1007.txt

Unluckily, the server's time is not set correctly.

The Imail's SMTP Security  is set to "No Mail Relay".   It means that only imail user can send email, isn't it?

I found this user logging on with many accounts every 15 minutes. Is it the problem?

10:07 01:01 POP3D  (00001F8C) logon success for suheb bgtdubai.com from 83.110.225.76
10:07 01:01 POP3D  (00001f8c) logoff for suheb R:0, D:0, P:0
............
10:07 01:01 POP3D  (00001F8C) logon success for suheb bgtdubai.com from 83.110.225.76
10:07 01:01 POP3D  (00001f8c) logoff for suheb R:0, D:0, P:0
.......
10:07 01:01 POP3D  (00001FC0) logon success for azhar bgtdubai.com from 83.110.225.76
10:07 01:01 POP3D  (00001fc0) logoff for azhar R:0, D:0, P:0
.......
10:07 01:01 POP3D  (00001E3C) logon success for meraj bgtdubai.com from 83.110.225.76
10:07 01:01 POP3D  (00001e3c) logoff for meraj R:0, D:0, P:0
...........
10:07 01:01 POP3D  (00001920) logon success for shailendra bgtdubai.com from 83.110.225.76
10:07 01:01 POP3D  (00001920) logoff for shailendra R:0, D:0, P:0
.........
10:07 01:01 POP3D  (00001A98) logon success for rita bgtdubai.com from 83.110.225.76
10:07 01:01 POP3D  (00001a98) logoff for rita R:0, D:0, P:0
.........
10:07 01:01 POP3D  (00001BF8) logon success for waseem bgtdubai.com from 83.110.225.76
10:07 01:01 POP3D  (00001bf8) logoff for waseem R:0, D:0, P:0
.

Do I need to check sys1008.txt?
0
 
LVL 16

Expert Comment

by:grahamnonweiler
ID: 20049582
These entries are normal logons from - probably - Outlook or something like it, you can ignore these entries.

As I said earlier - I do not think it is your SMTP service that is being used. Do you have any more copies of different emails that are supposed to be SPAM? Specifically I need to see some more headers from SPAM emails.

What I think is happening is that you have a user who is running a PHP script that is connecting to another server and sending the SPAM - but your IP address is showing as the originator because the script is running on your server.

Again we can find this user but it will mean we need to look at different SPAM emails to start with - then in to each of your clients root folders. How many clients do you have on this one server? Do you have another example SPAM email?

0
 

Author Comment

by:snowname
ID: 20049741
This is the only SPAM email I received from my server hosting company.   I asked them for more samples.  No response yet.

There are 150 websites on that server.  

So I will check each folder. Check each PHP file, is it?

Also  I can stop PHP function.  Wait to see who will complain.  Will this work?
0
 

Author Comment

by:snowname
ID: 20049825
Hi grahamnonweiler,

Reading your profile, you are so knowledgeable.
Right now, we do look for someone to admin our server.

1 name server.
2 web servers.  (one of them has problem).  

Except the spam problem.  I submit another problem for this server.
http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Q_22884429.html

I would like to ask if you have time to admin our server? And how much would you charge?

0
 
LVL 16

Expert Comment

by:grahamnonweiler
ID: 20050127
Your servers are with ServerBeach correct?
0
 

Author Comment

by:snowname
ID: 20050215
Yes. All of them.
0
 
LVL 16

Expert Comment

by:grahamnonweiler
ID: 20050287
Suggest you email me off forum - graham at nonweiler dot com

We can probably solve your immediate problems with SPAM quite quickly - the ISA problem is related so we should be able to bring your server back up quite quickly.
0
 
LVL 16

Expert Comment

by:grahamnonweiler
ID: 20050315
By the way do not use your ServerBeach servers to send me an email, they are RBL'd - use another account if you have one - if not post back here and I will give you an alternative method of contact
0
 
LVL 16

Expert Comment

by:grahamnonweiler
ID: 20050455
OK snowname - I have received and responded to your email.
 
After we have solved the problem the action taken will be posted back to this forum to help other users that may face similar difficulties.
0
 

Author Comment

by:snowname
ID: 20050473
Sent you an email through gmail 10 minutes ago.  
helen dot helen at gmail dot come
0
 
LVL 16

Expert Comment

by:grahamnonweiler
ID: 20050543
Yes I responded already to your email - please check your inbox
0
 
LVL 16

Accepted Solution

by:grahamnonweiler (earned 2000 total points)
ID: 20052449
Solution: After checking the server it was discovered that an anonymizer-style proxy service had been installed on the server which was allowing malicious users to connect through this server and onwards to other servers on the net. We removed this proxy and tightened overall security on the server.
0