Track spam source

Maniak

Hi buddies,

I guess on this forum we are all against spam.

Many people know that even when using maximum security, it is always possible to bypass it, or simply to use a badly written customer script to spam through PHP's mail() function by including an outside script, or even that a registered customer could decide to spam.

So far I was using a patch for PHP that told me which script was sending which mail, but it's boring to recompile it each time you upgrade PHP. Today I got a mail from a script on a server using cPanel, and it had headers like:

Code:
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - hostname.domain.net
X-AntiAbuse: Original Domain - gmail.com
X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [26 6]
X-AntiAbuse: Sender Address Domain - domain.net

So I was thinking it would be nice to add it to my Exim too, but I wasn't sure this would work with PHP scripts using the mail() function, so I tried it and I can say that it works.

So, if you also want to add a tag to your outgoing mail, such as I showed above, simply change this in your /etc/exim.conf:

Code:
lookuphost:
  driver = dnslookup
  domains = ! +local_domains
  ignore_target_hosts = 127.0.0.0/8
  condition = "${perl{check_limits}}"
  transport = remote_smtp
  no_more

to this:

Code:
lookuphost:
  driver = dnslookup
  domains = ! +local_domains
  ignore_target_hosts = 127.0.0.0/8
  headers_add = "X-AntiAbuse: This header was added to track abuse, please include it with any abuse report\n\
  X-AntiAbuse: Primary Hostname - $primary_hostname\n\
  X-AntiAbuse: Original Domain - $original_domain\n\
  X-AntiAbuse: Originator/Caller UID/GID - [$originator_uid $originator_gid] / [$caller_uid $caller_gid]\n\
  X-AntiAbuse: Sender Address Domain - $sender_address_domain\n"
  condition = "${perl{check_limits}}"
  transport = remote_smtp
  no_more

Restart Exim. Now you have an easy way to find the source in case someone complains about mail abuse, or just for fun.

I have noticed that the mails are a bit slower with this system.
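Once the router above stamps every outgoing message, the next question is how to read those headers quickly when an abuse report (or a queue full of bounces) arrives. The following script is an added illustration and is not part of this thread, of cPanel, or of DirectAdmin: it parses the five X-AntiAbuse headers in the format shown above, pulls out the originator/caller UID/GID pair, and counts messages per originating uid and sender domain so the account behind a burst of mail stands out. The sample messages, hostnames and uids are constructed for the example.

```python
import re
from collections import Counter
from email import message_from_string


def _tagged(sender, recipient, ids, sender_domain):
    """Build one constructed message carrying X-AntiAbuse headers (sample data only)."""
    return (
        f"From: {sender}\nTo: {recipient}\nSubject: test\n"
        "X-AntiAbuse: This header was added to track abuse, please include it with any abuse report\n"
        "X-AntiAbuse: Primary Hostname - host.example.net\n"
        f"X-AntiAbuse: Original Domain - {recipient.split('@')[1]}\n"
        f"X-AntiAbuse: Originator/Caller UID/GID - {ids}\n"
        f"X-AntiAbuse: Sender Address Domain - {sender_domain}\n"
        "\nbody\n"
    )


# Constructed samples: two messages submitted by uid 1001, one by root
# (caller 26/6, as in the cPanel headers above), and one with no tracking headers.
SAMPLE_MESSAGES = [
    _tagged("promo@example.net", "a@example.com", "[1001 1001] / [1001 1001]", "example.net"),
    _tagged("promo@example.net", "b@example.com", "[1001 1001] / [1001 1001]", "example.net"),
    _tagged("cron@example.org", "admin@example.org", "[0 0] / [26 6]", "example.org"),
    "From: x@example.com\nTo: a@example.com\nSubject: untagged\n\nbody\n",
]

# Header shape is "X-AntiAbuse: <Label> - <value>"; the explanatory first
# line has no " - " separator and is skipped.
LABELLED_RE = re.compile(r"^(?P<label>.+?) - (?P<value>.+)$")
UIDGID_RE = re.compile(r"\[(\d+) (\d+)\] / \[(\d+) (\d+)\]")


def parse_antiabuse(raw_message):
    """Return the X-AntiAbuse fields of one raw message as a dict.

    An empty dict means the message carries no such headers, which is itself
    a signal: it did not pass through the router that adds them.
    """
    msg = message_from_string(raw_message)
    fields = {}
    for value in msg.get_all("X-AntiAbuse", []):
        m = LABELLED_RE.match(value.strip())
        if m:
            fields[m.group("label")] = m.group("value").strip()
    ids = UIDGID_RE.search(fields.get("Originator/Caller UID/GID", ""))
    if ids:
        uid, gid, cuid, cgid = (int(x) for x in ids.groups())
        fields.update(originator_uid=uid, originator_gid=gid, caller_uid=cuid, caller_gid=cgid)
    return fields


def summarize(raw_messages):
    """Count messages per (originator uid, sender domain); also count untagged ones."""
    per_account = Counter()
    untagged = 0
    for raw in raw_messages:
        fields = parse_antiabuse(raw)
        if "originator_uid" not in fields:
            untagged += 1
            continue
        key = (fields["originator_uid"], fields.get("Sender Address Domain", "?"))
        per_account[key] += 1
    return per_account, untagged


def name_for(uid):
    """Resolve a uid to an account name via the local passwd database, else the number."""
    try:
        import pwd
        return pwd.getpwuid(uid).pw_name
    except (ImportError, KeyError):
        return str(uid)


def report(raw_messages):
    """Render the summary, busiest account first."""
    per_account, untagged = summarize(raw_messages)
    lines = [f"{n:5d}  uid {uid} ({name_for(uid)})  sender domain {domain}"
             for (uid, domain), n in per_account.most_common()]
    lines.append(f"{untagged:5d}  messages without X-AntiAbuse headers")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_MESSAGES))
```

On a real server you would feed it the raw messages instead of the samples, for instance the header spool of queued messages as printed by `exim -Mvh <message-id>`, or the copy a complainant attached to the abuse report. Keying on the originator uid rather than the From: address matters because the From: line is whatever the script chose to put there, while the uid is what Exim recorded at submission time.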
 
This is a request for comments.

Should I add this to SpamBlocker?

Jeff
 
Probably, but modified. I suggest you don't rip it, but create your own code as an alternative to the suggested one (the code was created by cPanel).
 
Jeff,

I would love to see this in your SPAM Blocker. We have found some users are very crafty at hiding where they send spam from, and it can take longer to find the source for such senders. This is especially true with our dedicated server clients, as some are not so familiar with the methods for tracking down the source of spam on their servers. With this, it would definitely give us a leg up at tracking the source and help those that aren't as good at tracking the source as others.
 
We actually do, but somehow some spammers have found a way around that. It's a very rare case, but it does happen once in a while. Will this exim patch fix that?
 
Hello,

This is not even a patch to Exim, simply an additional parameter in the Exim configuration, and it tags ANY outgoing email, including from any script (PHP, Perl, Bash, or whatever other programming language).

So, except that this will not give the exact URL of the script (as choon does), it will tell you which website domain did it!
 
We use the choon.net patch on our own servers but we can't add it to Spamblocker as only DA can add it.

But we'll probably add this.

Jeff
 
Hi all...
At the risk of being dumb, is there a how-to available for installing this Choon PHP Mail Header Patch?
I'm getting 10000 mails/hour in my queue, all bounce messages.
I suspect one of my accounts is infected with some malicious php script that is using the php mail function.
Any help on this installation would be great!

Thanks in advance and have a great day!
ZenSpirit.
 
I'm coming into this thread somewhat late...great suggestion!

I have made the changes as recommended by Maniak, however, I am not seeing the additions in any email headers sent from scripts using the PHP mail() function. I'm running FreeBSD 6.2 with Exim 4.66.

Have any FreeBSD users had success with this addition?
 