Open Relay - Masses of Spam being sent

XYZed (Verified User, joined Mar 15, 2004, 32 messages)
Hi,

I've got 1 user through whose username, for some reason, masses of spam are being sent. The mail account isn't used; I've changed permissions and owners for it in an attempt to stop the spam going through.

I was using the default exim.conf and I've tried a variety of others and to no avail. If I test any DirectAdmin server via http://www.abuse.net/relay.html they all get the email that should not come through.

I've started running out of ideas, here's some info that may help:

2004-05-09 13:24:57 Received from [email protected] U=username P=local S=9175
2004-05-09 13:24:58 caprice377@www.customersdomain.com R=lookuphost defer (-1): remote host address is the local host
2004-05-09 13:24:59 [email protected] R=lookuphost T=remote_smtp: SMTP error from remote mailer after initial connection: host mailin-01.mx.aol.com [64.12.1$
** Then a thousand other lines of AOL users.

------ This is a copy of the message, including all the headers. ------

Return-path: <[email protected]>
Received: from username by host.name.com with local (Exim 4.24)
id 1BMYHb-00015v-Lb; Sun, 09 May 2004 06:18:51 +1000
To: michael696@www.customerdomain.com
From:
To: michael696@www.customerdomain.com
From: [email protected]
Content-Type: multipart/alternative; boundary=E3hCLnHuss0S
Subject: Your chance to get in on the bottom of an amazing company Sy656V
K6R /xiVzC ddG5yE RnJcHb weLJ Message-Id:
<[email protected]>
Date: Sun, 09 May 2004 06:18:51 +1000

--E3hCLnHuss0S
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

r7W kAJr0 O1 r KVme rE
7dTX3rm E7zofzEu hNrZyesx4BU gq2PQx1J G zCvi ktIUmgPdvyV9
suqhq8NlE6qi YOqlLJu1 6fE4PJ 5 ejCaIUzG dI
c7XP
44yug2Qp7NWFWQSxh2KX 35T
5j p0SuQW Z3
T X j KZLg9 9LWQpC EQjKDRoG4vyQKuE D5H2iO R x JUj1V UyQ5BRjKY co7Z1dR
uHhS QbV
c8C5
Xo
I Th yJDi s
--E3hCLnHuss0S
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

2004-05-09 13:25:00 Received from <> R=1BMevx-0000HC-VN U=mail P=local S=295509
2004-05-09 13:25:00 routing failed for [email protected]: Unrouteable address
*** Frozen (delivery error message)


1BMew0-0000HP-Bz-D
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

[email protected]
SMTP error from remote mailer after initial connection:
host mailin-04.mx.aol.com [205.188.156.57]: 554-(RLY:B1) The information presently available to AOL indicates this
554-server is generating high volumes of member complaints from AOL's
554-member base. Based on AOL's Unsolicited Bulk E-mail policy at
554-http://www.aol.com/info/bulkemail.html AOL may not accept further
554-e-mail transactions from this server or domain. For more information,
554 please visit http://postmaster.info.aol.com.


It goes on and on - Only 1GB worth of spam so far :-(


Changing things in exim.conf did stop them for a while and abuse.net tests did fail (fail - being the good thing), but soon after it was back to doing it again. I've also upgraded to Exim 4.32 - still the same.

It is only 1 account that is sending the spam out.

Any Ideas ????

Thanks.
 
Hello,

Could it be possible that the user sending the mail has access to the server? If the mail is being sent from the server itself (script on the machine) then relaying won't have any effect on it.

The /etc/virtual/pophosts file will add all IPs that have accessed their POP accounts within the last 30 minutes. This method is slightly presumptuous because if a user is using a proxy, any other user who uses that proxy will be granted relaying privileges. You can disable the pophosts file by editing the /etc/exim.conf and changing

hostlist relay_hosts = net-lsearch;/etc/virtual/pophosts : 127.0.0.1

to

hostlist relay_hosts = 127.0.0.1

Note that all users would then be forced to use smtp authentication.

If relaying continues, then either he has a password for the account, or else the mail is being sent from a script on the server itself.

John
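John's reply separates three cases: mail relayed from a pophosts IP, mail submitted with SMTP authentication, and mail injected by a script on the box itself. Exim's main log already records which case each message falls into (P=local with a U= uid for local injection, P=esmtpa with an A= id for authenticated submission), so the quickest check is to count submissions per origin. The script below is an added example, not code from the thread or from DirectAdmin; the log lines are constructed samples in Exim 4's mainlog format, and the WEB_UIDS set and the threshold are assumptions for the demonstration.

```python
import re
from collections import Counter

# Constructed sample of Exim 4 main log lines (not the thread's log). "<=" marks a
# message received; U= is the calling local user for P=local submissions, A= the
# SMTP AUTH id for authenticated submissions, and sender "<>" is a bounce Exim made.
SAMPLE_MAINLOG = """\
2004-05-09 13:24:57 1BMYHb-00015v-Lb <= user1@example.org U=user1 P=local S=9175
2004-05-09 13:24:58 1BMYHc-00015w-Mc <= user1@example.org U=user1 P=local S=9180
2004-05-09 13:24:59 1BMYHd-00015x-Nd <= user1@example.org U=user1 P=local S=9172
2004-05-09 13:25:03 1BMYHe-00015y-Oe <= alice@example.org H=(pc) [192.0.2.10] P=esmtpa A=login:alice S=1204
2004-05-09 13:25:10 1BMYHf-00015z-Pf <= root@host.example.org U=root P=local S=640
2004-05-09 13:25:11 1BMYHg-000160-Qg <= <> R=1BMYHb-00015v-Lb U=mail P=local S=2955
2004-05-09 13:25:12 1BMYHh-000161-Rh => alice@example.org R=lookuphost T=remote_smtp H=mx.example.net [198.51.100.5]
2004-05-09 13:25:20 1BMYHi-000162-Si <= user1@example.org U=user1 P=local S=9170
2004-05-09 13:25:30 1BMYHj-000163-Tj <= bogus@example.org U=apache P=local S=4000
"""

# Assumed uids that web scripts run under. On a suexec/suPHP host scripts run as the
# account user instead, so one account with a large local count can also be a script.
WEB_UIDS = {"apache", "nobody", "www-data"}

RECEIVED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<id>\S+) <= (?P<sender>\S+)(?P<rest>.*)$")
FIELD_RE = re.compile(r"(?:^|\s)(?P<key>[UPAS])=(?P<val>\S+)")


def parse_received(log_text):
    """Yield one dict per '<=' line: message id, sender, protocol, local uid, auth id."""
    for line in log_text.splitlines():
        m = RECEIVED_RE.match(line)
        if not m:
            continue  # delivery (=>), defer (==) and other lines are not submissions
        fields = dict(FIELD_RE.findall(m.group("rest")))
        yield {
            "id": m.group("id"),
            "sender": m.group("sender"),
            "proto": fields.get("P", "?"),
            "uid": fields.get("U"),
            "auth": fields.get("A"),
        }


def submissions_by_origin(log_text):
    """Count submitted messages per origin, skipping Exim's own bounces (sender '<>')."""
    counts = Counter()
    for msg in parse_received(log_text):
        if msg["sender"] == "<>":
            continue
        if msg["proto"] == "local":
            origin = "local:" + (msg["uid"] or "?")   # injected on the box itself
        elif msg["auth"]:
            origin = "auth:" + msg["auth"]            # SMTP AUTH user
        else:
            origin = "relay:" + msg["proto"]          # unauthenticated SMTP (pophosts etc.)
        counts[origin] += 1
    return counts


def suspicious_origins(log_text, threshold=3):
    """Origins that submitted more than `threshold` messages in this log slice."""
    counts = submissions_by_origin(log_text)
    return sorted(o for o, n in counts.items() if n > threshold)


def web_server_submissions(log_text):
    """Message ids submitted locally under a web-server uid: a script, not a mail client."""
    return [m["id"] for m in parse_received(log_text)
            if m["proto"] == "local" and m["uid"] in WEB_UIDS]


if __name__ == "__main__":
    for origin, n in submissions_by_origin(SAMPLE_MAINLOG).most_common():
        print(f"{n:5d}  {origin}")
    print("over threshold:", suspicious_origins(SAMPLE_MAINLOG))
    print("web-server uid:", web_server_submissions(SAMPLE_MAINLOG))
```

Run it against a slice of /var/log/exim/mainlog instead of the sample to see which bucket the volume falls into: a high `local:` count for one account means the mail never touched SMTP, so relay settings cannot stop it; a high `auth:` count means a leaked password; `relay:` traffic is what the pophosts change affects.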
 
Hi John,

Yes I have kept my eye on /etc/virtual/pophosts and looked up every IP address and they have always been valid.

As for the internal script, I have been looking but will be looking harder since it is straight from localhost and not coming in from anywhere.

I'll let you know what I find.

Thanks.
 
Do you have AWStats installed?
Check your server /tmp directory for executable files, especially a telnetd file.

Let us know what you find.

Regards,
Onno Vrijburg
 
Sorry to bump such an old thread, but does making the /etc/exim.conf change stop the server acting as an open relay?

I myself have tried the relay test at abuse.net and received the email (on a fresh install of the server).
 
Hello

I have the same problem.
I am not blacklisted yet at AOL, but soon ^^

I'm receiving this type of email (like 500 a day):
Spam detection software, running on the system "server.e-aide.com", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.

Content preview: This is an automatically generated Delivery Status
Notification. Delivery to the following recipients failed.
[email protected] [...]

Content analysis details: (17.3 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
1.0 NO_REAL_NAME From: does not include a real name
0.5 HTML_40_50 BODY: Message is 40% to 50% HTML
0.0 HTML_MESSAGE BODY: HTML included in message
3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
[score: 0.9999]
1.6 URIBL_SBL Contains an URL listed in the SBL blocklist
[URIs: anpowele.com]
4.1 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
[URIs: anpowele.com]
2.1 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
[URIs: anpowele.com]
4.5 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
[URIs: anpowele.com]

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam. If you wish to view
it, it may be safer to save it to a file and open it with an editor.




Subject:
Spam: Delivery Status Notification (Failure)
From:
[email protected]
Date:
Fri, 9 Dec 2005 12:50:49 +0100
To:
[email protected]

This is an automatically generated Delivery Status Notification.

Delivery to the following recipients failed.

[email protected]





Reporting-MTA: dns;mail.cpgmarket.com
Received-From-MTA: dns;cpggw5.dmz.cpgmarket.com
Arrival-Date: Fri, 9 Dec 2005 12:50:49 +0100

Final-Recipient: rfc822;[email protected]
Action: failed
Status: 5.1.1



Subject:
Spam: The Ultimate Online Pharmaceutical
From:
Doctor <[email protected]>
Date:
Thu, 08 Dec 2005 19:59:35 -0600
To:
Madlene <[email protected]>

Vliagra - $3.3
Leovitra - $3.3
Citalis - $3.7
Imimtrex - $16.4
Flovmax - $2.2
Ulttram - $0.78
Vixoxx - $4.75
Amfbien - $2.2
Valieum - $0.97
Xaknax - $1.09
Somka - $3
Mersidia - $2.2


visit our website


Best regards,
Online Pharmaceuticals

gdgsdegnsq XFNXWFBfVx1QWl1Xc1dFVl9SRl5URh1XWlw=

Of course SpamAssassin sees that it is spam ... but was this email first sent by me?
Or is someone just using these domains to spam?

I have set hostlist relay_hosts = 127.0.0.1
... but it is still going on ...

Can I deactivate SMTP? I don't want people using the SMTP on this server.
But if I cut SMTP off, will POP still work?

Thx for any help or ideas!
Sky

PS: before, I did receive lots of these emails from Online Pharmaceuticals, but I just filtered that keyword from emails. And now, it seems to be sending them with my server ...
 
This thread might interest you. Click Here

Also, it might be worth checking that you have no forms on the site that can be used by spammers/robots by hacking the header tags. I had a few and have patched my forms. ...

regards

Jon
 
Hi jjma,
the idea of spam via forms is not bad!
I'll check them out.

Thx
Sky
 
jjma ...
what do you mean by patching?

I have a form that sends me an email when someone contacts me (no email is in the HTML source).
I don't understand how someone can hack the headers and send the email to someone else ...

Sky
 
It depends on how you created the form, to be able to answer your question. However, I can send you a link from another form builder who has written about this exploit.

Click here for web site

Jon

P.S. his form is pretty good as well.
 
I have had a couple of bounce emails sent to me with spam originating from 2 of my domains, one being [email protected], and I checked DA and no majordomo is set up, so I think it could possibly be spoofing email addresses.
 
OK, I understand more now. I think some are possible to spam ...

For majordomo: I'll turn it off to see.

Thx for your replies ;)

I'm repeating myself, but I really like this DA forum. It's "adult" ... and pro, :cool: but you stay cool, and that's nice :p

Sky
 
Hello again.

Well, I have found 2 forms on another server that were spammed :)

But for the domain graphiks.net, I can't find a form that has been spammed, and I have now added filtering for all forms when an email is sent.

I'm still receiving a lot of spam. Perhaps a little less, I'm not sure. Always the same type.

I'll try and deactivate mail to see if that stops the spam ...

Spam is a real problem. Damn it.
 
filth said:
> Sorry to bump such an old thread, but does making the /etc/exim.conf change stop the server acting as an open relay?

Making that change will stop all relaying through the server for anyone who doesn't login to the smtp server.

exim as installed in DA is not an open relay.

> I myself have tried the relay test at abuse.net and received the email (on a fresh install of the server).

Where did you find a test on abuse.net?

I just looked and can't find one.

Jeff
 
sky said:
> I'm receiving this type of email (like 500 a day)

Nothing in your quoted email indicates it was sent by your server. Lots of servers are misconfigured and send you spam reports because your return address was in the spam even if it didn't come from your server.

To see if it was coming from your server you have to have the headers in the email as received by the server sending it to you. If you had that, then you didn't show it to us.

> but was this email first sent by me?
> Or is someone just using these domains to spam?

Perhaps. Without the headers we can't tell.

> I have set hostlist relay_hosts = 127.0.0.1
> ... but it is still going on ...

Did you restart exim after you made the change? Personally I don't see what this would stop.

And in any event it won't stop spam from originating on the server, perhaps by php injection.

> Can I deactivate SMTP? I don't want people using the SMTP on this server.
> But if I cut SMTP off, will POP still work?

POP will still work. What won't work is any kind of notification to you, for example, by any daemons. And of course forms on your server that rely on SMTP won't work.

And since many forms don't rely on SMTP but rather call exim (through the SMTP alias) directly, they can still send spam.

So similarly to the change you've already made, it will cut your system functionality without blocking any appreciable amount of spam that is coming from your server.

Most likely if you are sending the spam it's coming from compromised PHP scripts.

Jeff
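Sky asked earlier how a contact form that only mails the site owner can be made to send mail to someone else, and jjma and Jeff both point at forms that pass visitor fields straight into mail headers. The mechanism is a line break in a field: a header value is one line, so a value carrying CR/LF appends further header lines (another recipient, a second Subject) to whatever the script then hands to exim or sendmail. The example below is added here and is not code from the thread or from any form builder; it shows the flawed concatenation beside a hardened version that rejects line breaks, oversized values and anything but a single bare address. FORM_SENDER and the sample field values are constructed for the demonstration.

```python
import re
from email.utils import formataddr, parseaddr

FORM_SENDER = "webform@example.com"   # assumed fixed sender address used by the form

# A header value may never contain a line break or NUL: that is how one form field
# turns into extra header lines in the message the script hands to the MTA.
_BREAKS = re.compile(r"[\r\n\x00]")


def unsafe_headers(name, reply_to, subject):
    """The flawed pattern: form fields concatenated straight into the header block."""
    return (f"From: {name} <{FORM_SENDER}>\r\n"
            f"Reply-To: {reply_to}\r\n"
            f"Subject: {subject}\r\n")


def validate_header_value(value, max_len=200):
    """Reject line breaks and oversized values; return the trimmed value."""
    if not isinstance(value, str) or _BREAKS.search(value) or len(value) > max_len:
        raise ValueError("header value contains a line break or is too long")
    return value.strip()


def validate_address(value):
    """Accept exactly one bare address such as user@example.org and nothing else."""
    value = validate_header_value(value)
    if any(c in value for c in ",;<>\"() "):
        raise ValueError("only a single bare address is accepted")
    _, addr = parseaddr(value)
    if addr != value or value.count("@") != 1:
        raise ValueError("not a valid single address")
    return addr


def safe_headers(name, reply_to, subject):
    """Hardened form: every field validated, the display name quoted by formataddr."""
    name = validate_header_value(name, max_len=100)
    reply_to = validate_address(reply_to)
    subject = validate_header_value(subject)
    return (f"From: {formataddr((name, FORM_SENDER))}\r\n"
            f"Reply-To: {reply_to}\r\n"
            f"Subject: {subject}\r\n")


def header_line_count(headers):
    """Number of header lines in a CRLF-terminated header block."""
    return len([ln for ln in headers.split("\r\n") if ln])


if __name__ == "__main__":
    # Constructed sample input: the reply address field carries a second header line.
    injected = "reply@example.org\r\nBcc: someone-else@example.org"
    print(header_line_count(unsafe_headers("Visitor", injected, "hello")))  # 4: Bcc slipped in
    try:
        safe_headers("Visitor", injected, "hello")
    except ValueError as err:
        print("rejected:", err)
    print(safe_headers("Bob, Jr", "reply@example.org", "hello"))
```

The same rule applies whatever language the form is written in: any value that ends up in a header line is validated against line breaks and length, address fields are parsed and restricted to a single address, and display names are quoted rather than pasted. Fixing the headers does not help if the script lets the visitor choose the recipient; that address belongs in the script, not in the form.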
 
Ok, thx for that.
Ill check all that out and see.

Sky
 
jlasman said:
> Where did you find a test on abuse.net?
>
> I just looked and can't find one.
>
> Jeff

I am digging up old posts on "Open Relay" because we just did the dovecot upgrade and tested at abuse.net, which failed the very first test and passed the email through :(

The relay test is here:

http://www.abuse.net/relay.html
 