Email server hijacked

coppertop

Verified User
Joined
Dec 22, 2005
Messages
11
What is the best and the easiest way to stop people from using my mail server to send out spam?

Thank you.
 
:( I appreciate the humor. Is that your way of telling me there's nothing I can do about it?
 
Just make sure you have no open relays, and that you monitor any client sites for exploited scripts.

You can also put limiters on that only allow any one email address to send out so many emails an hour, thus making it ineffective for spammers.
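The per-sender hourly cap suggested above, worked through as an added example (not DirectAdmin's or Exim's own code, and not from the poster). It reads constructed lines shaped like Exim mainlog `<=` (message arrived) entries, keeps a rolling one-hour window per envelope sender, and marks the message that breaches the limit as deferred; the limit of 3 and the log lines are assumptions made for the demonstration.

```python
"""Per-sender rolling-hour send limiter over Exim-style mainlog lines.
Added example; not DirectAdmin/Exim code. Log lines below are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

HOURLY_LIMIT = 3  # assumed policy: at most 3 messages per sender per rolling hour

# Constructed sample log lines in the shape of Exim's "<=" arrival records;
# the envelope sender is the token after "<=".
SAMPLE_LOG = """\
2005-12-22 18:50:01 1EpR0a-0001Ab-Cd <= nona@example.com H=localhost [127.0.0.1] P=local S=2048
2005-12-22 18:50:05 1EpR0b-0001Ac-De <= nona@example.com H=localhost [127.0.0.1] P=local S=2051
2005-12-22 18:50:09 1EpR0c-0001Ad-Ef <= nona@example.com H=localhost [127.0.0.1] P=local S=2049
2005-12-22 18:50:12 1EpR0d-0001Ae-Fg <= nona@example.com H=localhost [127.0.0.1] P=local S=2050
2005-12-22 19:10:00 1EpR0e-0001Af-Gh <= alice@example.com H=localhost [127.0.0.1] P=local S=900
2005-12-22 19:55:00 1EpR0f-0001Ag-Hi <= nona@example.com H=localhost [127.0.0.1] P=local S=2052
"""

ARRIVAL = re.compile(r"^(\S+ \S+) (\S+) <= (\S+) ")


def parse_arrivals(text):
    """Yield (timestamp, message_id, sender) for every arrival line."""
    for line in text.splitlines():
        m = ARRIVAL.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield when, m.group(2), m.group(3).lower()


class SenderRateLimiter:
    """Sliding-window counter: only accepted messages count toward the limit."""

    def __init__(self, limit=HOURLY_LIMIT, window=timedelta(hours=1)):
        self.limit = limit
        self.window = window
        self.history = defaultdict(deque)  # sender -> timestamps of accepted messages

    def allow(self, sender, when):
        q = self.history[sender]
        # Drop accepted messages that have aged out of the window.
        while q and when - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(when)
        return True


def evaluate(text, limit=HOURLY_LIMIT):
    """Return (message_id, sender, decision) for each arrival, in log order."""
    limiter = SenderRateLimiter(limit)
    decisions = []
    for when, msg_id, sender in parse_arrivals(text):
        verdict = "accept" if limiter.allow(sender, when) else "defer"
        decisions.append((msg_id, sender, verdict))
    return decisions


if __name__ == "__main__":
    for msg_id, sender, verdict in evaluate(SAMPLE_LOG):
        print(f"{msg_id} {sender:20} {verdict}")
```

In the sample, the fourth message from nona@example.com within twelve seconds is deferred, while her message at 19:55 is accepted again because the earlier three have aged out of the hour. Exim itself provides a built-in `ratelimit` ACL condition for enforcing this kind of policy at SMTP time; the script is only meant to make the counting rule visible.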
 
I like your second idea. How do I do that? Is it something I can do using my DirectAdmin Web Control Panel?
 
Oh. And what is an open relay and how can I check to see that I don't have any of those?
 
Okay, I now know what open relay is thanks to webopedia. I think I have an open relay but I need it to forward incoming emails to spamarrest.com.

I would love to set the limit on outgoing messages per hour. How do I do that?
 
You don't have an open relay unless you've edited your /etc/exim.conf file and seriously broken it; by default DA's exim install is not an open relay.

More likely you've got some PHP injection going on from some insecure php scripts installed on your server.

There have been posts on these forums previously, which discuss limiting email.

I'll let you do the search :) .

Jeff
 
None of my sites are running PHP. I have no PHP scripts that I know of on my server.
 
That eliminates php injection as a possible cause.

There's still perl injection.

If any of your sites are using forms they're using one or the other of the above.

You didn't respond to my other concern; have you made any changes to the exim.conf file?

And another question, what's in your whitelist files in /etc/virtual?

You should never whitelist domains or users for domains hosted on your server; if you do, anyone using those return addresses can spam through your system.

Jeff
 
I haven't done any of that advanced stuff. I have perl scripts installed on the server, but I have never used them. My sites have no forms though.
 
You don't necessarily have to be using them in a web form to be exploited. Just having them installed and someone finding them is enough.
 
Okay, so my server came with a bunch of Perl scripts installed. So what do I do? Is there a way to uninstall them, or would that be a bad thing (in case I actually need those scripts in the future)?

Thank you for all of your help thus far.
 
That's too general a question.

There are probably some important perl scripts on your system. There may be some unimportant perl scripts on your program.

The most dangerous perl script is probably many (most?) versions of formmail.pl, which can be found under several variants:

FormMail.pl
FormMail.cgi
Formmail.pl
Formmail.cgi
formmail.pl
formmail.cgi

While there are probably some others out there that are safe, the one I use is the one I've posted (with instructions) here.

Have you been accused of spamming? Do you think you're spamming? Or are you just looking at taking prophylactic measures?

Jeff
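An inventory check for the FormMail variants listed in the post, added here as an example (not the forum's or DirectAdmin's tooling). It walks a directory tree and reports every file whose name matches `formmail.pl` or `formmail.cgi` regardless of case, so all six spellings above are caught by one rule; the demo tree it builds in a temporary directory is constructed, and `/home` as the place to point it at on a real box is an assumption.

```python
"""Find FormMail variants under a web tree, case-insensitively.
Added example; the demo directory layout is constructed in a temp dir."""
import os
import tempfile

# The two base names from the post; case folding covers FormMail/Formmail/formmail.
FORMMAIL_NAMES = {"formmail.pl", "formmail.cgi"}


def find_formmail(root):
    """Return sorted paths (relative to root) of every FormMail-named file."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if name.lower() in FORMMAIL_NAMES:
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def describe(root, rel):
    """Mode bits and size help decide whether a hit is live (executable) or dead."""
    st = os.stat(os.path.join(root, rel))
    return {"path": rel, "executable": bool(st.st_mode & 0o111), "size": st.st_size}


def build_demo_tree():
    """Constructed stand-in for /home/*/domains/*/public_html/cgi-bin layouts."""
    root = tempfile.mkdtemp(prefix="formmail-scan-")
    for rel in ("site1/cgi-bin/FormMail.pl",
                "site2/cgi-bin/Formmail.cgi",
                "site2/cgi-bin/formmail.pl",
                "site3/cgi-bin/contact.cgi"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/usr/bin/perl\n")
    return root


def demo():
    root = build_demo_tree()
    return find_formmail(root)


if __name__ == "__main__":
    root = build_demo_tree()
    for rel in find_formmail(root):
        print(describe(root, rel))
```

On a DirectAdmin server you would call `find_formmail("/home")` (assumed location of the user web roots) and then decide, per hit, whether the script is needed; a copy that is executable and reachable under a site's cgi-bin is the one to deal with first.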
 
I presume you were sent some evidence?

If so, then posting the evidence may help us help you.

For what it's worth, we get accused of spamming in the area of a few hundred times a day.

That happens when you've got thousands of email addresses going through your servers.

Most of it is caused by AOL users, who forward mail from their account on our server to their account at AOL, and then click on the This is spam button.

And AOL accuses the last mailserver to touch the email, which of course is ours.

Jeff
 
Here is the email that was forwarded to us:
_____________________________________________


On Thu Dec 22 09:47:14 PST 2005, Todd Aitken <[email protected]>
wrote:

> Dr. Levine
>
> It appears that somebody has hijacked your email server and is
> sending spam
> all over the place. Here is a copy of the email below and this is
> the email
> address they are using : Nona Perez [[email protected]]
>
> This might not be an existing email account but the major concern
> is that
> they are using your account for spam and you could get black
> listed for
> that.
>
> I would call your service provider and ask that they take action
> on this,
> to avoid problems for yourself.
>
> Thanks,
> Todd Aitken
> WebMaster
> iBead.com
>
> Remove now
>
> -----Original Message-----
> From: Nona Perez [mailto: ] Sent: Thursday, December 22, 2005
> 6:50 PM
> To: [email protected]
> Subject: important news
>
> Explosive St=ck Alert
> Doll Technology Group Inc.
> Global Manufacturer and Marketer of "Clean & Green" Products and
> Technology
> Solutions(Source: News 12/6/05)
>
> OTC: DTGP
>
> Price: .14
>
> Huge PR Campaign Underway For Thursday's Trading **DTGP** Can You
> Make Some
> Fast Money On This One?
>
> RECENT NEWS: Go Read The Full Stories Right Now!!
>
> 1)Doll Technology Group Begins U.S. Trials of AquaBoost(TM)
>
> 2)Doll Technology Group Announces Strategic Partnership With Land
> and Sea
> Development to Market
> BlazeTamer(TM) Fire Retardant Product- Initial Purchase Order
> Valued at Over
> $1.1 Million
>
> RedBrooks Laboratory, a DTGP subsidiary, is a full service
> independent
> facility that tests,
> qualifies and certifies all Doll Technology Group's products and
> services.
> The laboratory is one of
> the few government certified facilities for the testing of fire
> suppression
> systems for the aerospace,
> maritime, and general industries. (Source: News 12/2/05)
>
>
> Watch This One Trade on Thursday! Radar it Right Now..
>
> !nf0rmat!0n w!th!n th!$ ema!l c0nta!n$ 4rward l00k!ng $tatement$
> w!th!n the
> mean!ng 0f $ect!0n 27A 0f the $ecur!t!e$
> Act 0f n!neteen th!rty three and $ect!0n 21B 0f the $ecur!t!e$
> Exchange Act
> 0f n!neteen th!rty f0ur. Any $tatement$
> that expre$$ 0r !nv0lve d!$cu$$!0n$ w!th re$pect t0 pred!ct!0n$,
> expectat!0n$, bel!ef$, plan$, pr0ject!0n$, 0bject!ve$,
> g0al$, a$$umpt!0n$ 0r future event$ 0r perf0rmance are n0t
> $tatement$ 0f
> h!$t0r!cal fact and may be 4rward 100k!ng
> $tatement$.4rward l00k!ng $tatement$ are ba$ed 0n expectat!0n$,
> e$t!mate$
> and pr0ject!0n$ at the t!me the $tatement$
> are made that !nv0lve a number 0f r!$k$ and uncerta!nt!e$ wh!ch
> c0uld cau$e
> actual re$ult$ 0r event$ t0 d!ffer
> mater!ally fr0m th0$e pre$ently ant!c!pated.T0day'$ featured
> C0mpany !$ n0t
> a reprt!ng c0mpany under the $EC
> Act 0f 1934 and theref0re there !$ l!m!ted !nf0rmat!0n ava!lable
> 0n the
> c0mpany. A$ w!th many m!cr0cap $t0ck$,
> t0day'$ c0mpany ha$ d!$cl0$able mater!al !tem$ y0u need t0
> c0n$!der !n 0rder
> t0 make an !nf0rmed and !ntell!gent
> !n_ve$tment dec!$!0n. The$e !tem$ !nclude: A n0m!nal ca$h
> p0$!t!0n. !t !$ an
> 0perat!ng C0mpany. The c0mpany !$
> g0!ng t0 need f!nanc!ng. !f that f!nanc!ng d0e$ n0t 0ccur, the
> c0mpany may
> n0t be able t0 c0nt!nue a$ a g0!ng
> c0ncern !n wh!ch ca$e y0u c0uld l0$e y0ur ent!re !n-ve$tment.
> The publ!$her
> 0f th!$ new$letter d0e$ n0t repre$ent
> that the !nf0rmat!0n c0nta!ned !n th!$ me$$age $tate$ all
> mater!al fact$ 0r
> d0e$ n0t 0m!t a mater!al fact nece$$ary
> t0 make the $tatement$ there!n n0t m!$lead!ng. All !nf0rmat!0n
> pr0v!ded
> w!th!n th!$ e_ma!l perta!n!ng t0 !n-ve$t!ng,
> $t0ck$, $ecur!t!e$ mu$t be under$t00d a$ !nf0rmat!0n pr0v!ded and
> n0t
> !nve$tment adv!ce. Remember a th0r0ugh due
> d!l!gence eff0rt, !nclud!ng a rev!ew 0f a c0mpany'$ f!l!ng$ when
> ava!lable,
> $h0uld be c0mpleted pr!0r t0 !n_ve$t!ng.
> The publ!$her 0f th!$ new$letter adv!$e$ all reader$ and
> $ub$cr!ber$ t0 $eek
> adv!ce fr0m a reg!$tered pr0fe$$!0nal
> $ecur!t!e$ repre$entat!ve bef0re dec!d!ng t0 trade !n $t=ck$
> featured w!th!n
> th!$ e_ma!l. N0ne 0f the mater!al
> w!th!n th!$ rep0rt $hall be c0n$trued a$ any k!nd 0f !n_ve$tment
> adv!ce 0r
> $0l!c!tat!0n. Many 0f the$e c0mpan!e$
> are 0n the verge 0f bankruptcy. Y0u can l0$e all y0ur m0ny by
> !nve$t!ng !n
> th!$ $t0ck. The publ!$her 0f th!$
> new$letter !$ n0t a reg!$tered !n-ve$tment adv!$0r. $ub$cr!ber$
> $h0uld n0t
> v!ew !nf0rmat!0n here!n a$ legal, tax,
> acc0unt!ng 0r !nve$tment adv!ce. !n c0mpl!ance w!th the
> $ecur!t!e$ Act 0f
> n!neteen th!rty three, $ect!0n 17(b),
> The publ!$her 0f th!$ new$letter !$ c0ntracted t0 rece!ve twelve
> th0u$and
> d0llar$ fr0m a th!rd party, n0t an 0ff!cer,
> d!rect0r 0r aff!l!ate $hareh0lder f0r the c!rculat!0n 0f th!$
> rep0rt. Be
> aware 0f an !nherent c0nfl!ct 0f !ntere$t
> re$ult!ng fr0m $uch c0mpen$at!0n due t0 the fact that th!$ !$ a
> pa!d
> advert!$ement and !$ n0t w!th0ut b!a$.The
> party that pay$ u$ ha$ a p0$!t!0n !n the $t0ck they w!ll $ell at
> any t!me
> w!th0ut n0t!ce. Th!$ c0uld have a
> negat!ve !mpact 0n the pr!ce 0f the $t0ck, cau$!ng y0u t0 l0$e
> m0ny.The!r
> !ntent!0n !$ t0 $ell n0w.All factual
> !nf0rmat!0n !n th!$ rep0rt wa$ gathered fr0m publ!c
> $0urce$,!nclud!ng but
> n0t l!m!ted t0 C0mpany Pre$$ Relea$e$.
> U$e 0f the !nf0rmat!0n !n th!$ ema!l c0n$t!tute$ y0ur acceptance
> 0f the$e
> term$.
>
>
>
>
>
 
If that is all they sent you, there isn't enough evidence there to say who sent the email. All the headers are gone. The "From:" address means nothing in the case of spam, the headers tell where the email originated from.

coppertop said:
Here is the email that was forwarded to us:
[...]
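The point made above, that the "From:" line says nothing and only the headers show where a message entered the mail system, worked through as an added example (not from the thread). The raw message is constructed with documentation addresses: its From: claims a mailbox on a domain assumed to be hosted on the poster's server (`mail.hosted-domain.example`, an assumed hostname), but the Received: chain shows it was handed straight to the recipient's MX from an unrelated IP and never touched that server. Each Received: header is only as trustworthy as the server that wrote it; hops below the first trusted relay can be forged by the sender, so read the chain from the top down to the last hop you trust.

```python
"""Trace where a message entered the mail system from its Received: headers.
Added example; the message, hosts and IPs are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

OUR_SERVER = "mail.hosted-domain.example"  # assumed hostname of the server in the thread

# Constructed message. Headers are listed newest-first, as MTAs prepend them.
RAW_MESSAGE = """\
Received: from mx.ibead.example (mx.ibead.example [203.0.113.7])
\tby inbox.ibead.example (Postfix) with ESMTP id 4F3A1
\tfor <webmaster@ibead.example>; Thu, 22 Dec 2005 18:50:10 -0800
Received: from [198.51.100.23] (helo=cable-modem-23.isp.example)
\tby mx.ibead.example with smtp (Exim 4.52) id 1EpR0a-0001Ab-Cd
\tfor webmaster@ibead.example; Thu, 22 Dec 2005 18:50:05 -0800
From: Nona Perez <nona@hosted-domain.example>
To: webmaster@ibead.example
Subject: important news

(body omitted)
"""

HOP = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?.*?\bby\s+(\S+)", re.I)
IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(raw):
    """Return hops newest-first as (from_name, from_ip_or_None, by_host)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = HOP.search(flat)
        if not m:
            continue
        ip = IP.search(flat)
        hops.append((m.group(1), ip.group(1) if ip else None, m.group(3).rstrip(";")))
    return hops


def origin(raw):
    """The oldest hop is where the message first entered a relay's hands."""
    hops = parse_hops(raw)
    return hops[-1] if hops else None


def passed_through(raw, host):
    """True if any relay in the chain is the given host, as sender or receiver."""
    return any(host in (h[0], h[2]) for h in parse_hops(raw))


def claimed_sender_domain(raw):
    """Domain from the From: header, which the sender sets freely."""
    msg = message_from_string(raw)
    addr = parseaddr(msg["From"])[1]
    return addr.rsplit("@", 1)[-1]


if __name__ == "__main__":
    for hop in parse_hops(RAW_MESSAGE):
        print("from %-32s ip %-15s by %s" % hop)
    print("claimed sender domain:", claimed_sender_domain(RAW_MESSAGE))
    print("origin:", origin(RAW_MESSAGE))
    print("went through our server:", passed_through(RAW_MESSAGE, OUR_SERVER))
```

Run against the constructed message, the origin resolves to 198.51.100.23 handing off directly to `mx.ibead.example`, and the chain never mentions the hosted server, which is exactly the evidence a complaint needs to include before anyone can say whose server sent the mail.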
 
Thank you. I understand. I'll take no action now but I will keep a lookout for other messages of this kind.
 