problem with spam

pppplus (Verified User, joined Dec 19, 2008, 519 messages)
Hi

I have a problem with http://cbl.abuseat.org
They report that one of my server IPs sends spam.

But they don't give details or information. I contacted them several times, and always the same "automatic answer": check your server.

One of the last messages:
Please find whatever is HELOing as mail.hotmail.com and remove it.
I checked the logs, and all attempts from hotmail, gmail or others ... are rejected because they are not registered on the server.

Last message (reply to some lines of logs showing that attempts from external domains are rejected):
You write:
> > I just take some lines about my logs, for hotmail.fr and
> > gmail.com Nothing for hotmail.com in logs.
This is because viruses do not leave logs. Your server is infected with a virus, please hire someone local to you to help you with this problem.
They write that I have a virus on the server.
I already checked it several times with clamav, and nothing was found.

Do you have an idea how to check whether my server can send spam or not?
CBL will never give me information about the problems they found, and it is a very big problem. For me, this policy is not honest.
It is the only list that reports my server as having a problem. But a lot of providers use CBL to stop messages.

Thanks for your help
 
Based on what you write it appears there's some code running on your server which identifies itself as hotmail.fr, and sends spam. If you can't find where the code is, then you may need to hire someone who can.

Have you tried this (github.com)?

Jeff
 
I have made a script doing the same thing.
Nothing suspect found
 
Ok, I try to understand the packet sniffer.

I use command
Code:
tshark -i eth0

And I have a lot of lines like this:
TCP smtp > 53397 [ACK] Seq=191 Ack=49817 Win=16060 Len=0

Always with the same IP.
So that's probably my problem.

Now, I have a lot of difficulties to understand tshark...

=> where is the data stored? Or how can I choose the file where the data is stored?
I tried this:
Code:
tshark -i eth0 -w /var/log/tshark.log
But the file is unreadable.

So, if you have some help... you are welcome.
Google is not my friend with tshark... docs are unclear, or my knowledge is too poor to understand.
 
one question answered... I'm stupid

Code:
tshark -i eth0 > /var/log/tshark.log
gives me all lines in my file
 
CBL asked me to use this command:
Code:
tshark -f "ip src 188.165.219.97 && port 25" >  /var/log/tshark.log
188.165.219.97 is my server's IP.

Ok, I have some logs, but I am unable to understand these logs exactly.
I tried to find help on Google, but I didn't find anything that helps me.

CBL writes to me that there is a virus sending email from my server without writing logs.
How to find it? Do you already have the same problem? And how to solve it?

Another thing, I use the CSF firewall: is there something to change in the configuration to avoid this problem?

I am not sure CBL is right, but they don't give me any indication about the spam sent. And they are sure I have a problem. For them, it can't be a false positive.
So if they are wrong, how to prove it?
 
Ok, I've found the source of my problem!

The spam reported by CBL is normal email sent from some PHP scripts (actually I found only Prestashop), using PHP mail(), but with email addresses like gmail or hotmail.

And my server sends :
Received: from [188.165.219.97] (helo=mail.gmail.com)

CBL knows 188.165.219.97 is not gmail or yahoo and blacklists my server.

I now have to find how to solve it in exim.conf (I have no idea, I will search how to do something).
 
No I don't use it.
I will read features and will try if interesting.

Do you think it can help me to modify the HELO sent?
 
I think all scripts using php mail() can do the same thing. It is not particular to prestashop.

I use IP per domain in exim.conf.

And emails sent with external email addresses (not using a domain registered on my server) can give the same result.

So I have to find something in my conf for these emails.
Stop them, or use a special IP.

EDIT: no, I'm wrong. Sending with PHP mail() and a hotmail or yahoo address sends a good HELO and uses HELO mail.mydomain.com
So it seems it comes from PrestaShop
 
PHP mail() when sending email uses hostname in HELO. Thus check your hostname and exim's setting. Probably you use mail.gmail.com as a smarthost.
 
I'm a bit lost; if he were using mail.gmail.com as a smart host all email leaving his server would go to the gmail server pool. I doubt they'd relay his mail for him. This would only work if all email leaving his server was going to gmail.

Jeff
 
@Jeff,

Yes, this is strange. Probably, something is misunderstood by pppplus or misconfigured.

@pppplus,

will you post here full headers of such an email?
 
Yes, it is very strange!

Note I use IP per domain in exim to send emails.

1- I do not use the gmail.com hostname, but a "normal" domain hostname (serveur3.3go.fr)

2- The problem seems to come from this code in Prestashop
Code:
protected function handshake(Swift_Events_ResponseEvent $greeting)
{
    // EHLO when the connection requires it or the greeting advertises ESMTP, else plain HELO;
    // $this->domain is the name announced to the remote server
    if ($this->connection->getRequiresEHLO() || strpos($greeting->getString(), "ESMTP"))
        $this->setConnectionExtensions($this->command("EHLO " . $this->domain, 250));
    else
        $this->command("HELO " . $this->domain, 250);
    // Connection might want to do something like authenticate now
    if (!$this->hasOption(self::NO_POST_CONNECT)) $this->connection->postConnect($this);
}
I contacted prestashop to find where the $this->domain value is taken from.

3- the bad email headers are (when using a gmail email in prestashop):
From - Wed Mar 02 15:53:12 2011
X-Account-Key: account4
X-UIDL: 000009294ca66e5f
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Wed, 02 Mar 2011 15:56:54 +0100
Received: from mail by ns1.hb50.fr with spam-scanned (Exim 4.69)
(envelope-from <[email protected]>)
id 1PunTr-0003Y4-Uo
for [email protected]; Wed, 02 Mar 2011 15:56:53 +0100
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on ns1.hb50.fr
X-Spam-Level: **
X-Spam-Status: No, score=2.8 required=5.0 tests=DKIM_ADSP_CUSTOM_MED,
FREEMAIL_FROM,HTML_IMAGE_ONLY_20,HTML_MESSAGE,HTML_SHORT_LINK_IMG_3,
NML_ADSP_CUSTOM_MED,RCVD_IN_DNSWL_LOW,RDNS_NONE autolearn=no version=3.3.1
Received: from [188.165.219.97] (helo=mail.gmail.com)
by ns1.hb50.fr with esmtps (TLSv1:AES256-SHA:256)
(Exim 4.69)
(envelope-from <[email protected]>)
id 1PunTr-0003Wm-Jl
for [email protected]; Wed, 02 Mar 2011 15:56:47 +0100
Received: from apache by serveur3.3go.fr with local (Exim 4.72)
(envelope-from <[email protected]>)
id 1PunLL-0005HN-Qv
for [email protected]; Wed, 02 Mar 2011 15:48:00 +0100
To: beneteau hubert <[email protected]>
Subject: [Import Destock Boutik] Bienvenue !
X-PHP-Script: www.1db.fr/authentication.php for 90.51.73.43
From: Import Destock Boutik <[email protected]>
Reply-To: Import Destock Boutik <[email protected]>
Date: Wed, 02 Mar 2011 15:47:59 +0100
X-LibVersion: 3.3.2
MIME-Version: 1.0
Content-Type: multipart/related;
boundary="_=_swift-18466090344d6e589fc99426.83411072_=_"
Content-Transfer-Encoding: 7bit
Message-ID: <[email protected]>
 
If I use a "normal" email like [email protected], HELO is ok

Code:
Received: from [91.121.35.44] (helo=mail.1db.fr)
The IP is not the same, because 1db.fr uses 91.121.35.44

(the other IP is the main server IP)
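The two header dumps above show the defect as a pattern: the hop that says `from [188.165.219.97] (helo=mail.gmail.com) by ns1.hb50.fr` announces the sender's domain, while the clean one says `helo=mail.1db.fr` for a locally hosted domain. The following added script (not from the thread or from Exim/Prestashop) walks a message's Received: chain and flags such hops; the freemail list, the `local_domains` set and the sample headers modelled on the ones quoted above are constructed, and the second rule generalises pppplus's point that any external sender domain, not only gmail or hotmail, would trigger the same listing.

```python
import re

# Added example: walk a delivered message's Received: chain and flag the hop
# whose HELO name belongs to the sender's domain rather than to the relaying
# host. Parses the Exim form "from [IP] (helo=NAME) by HOST ..." seen above.
FROM_BY_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE | re.DOTALL)
HELO_RE = re.compile(r"\bhelo=([^\s)]+)", re.IGNORECASE)
# Providers a server we operate must never announce itself as (constructed list).
FREEMAIL = {"gmail.com", "hotmail.com", "hotmail.fr", "yahoo.com", "live.com"}

def registrable(host):
    """Crude registrable domain: mail.gmail.com -> gmail.com (no PSL lookup)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def parse_received(header):
    """Return (from, helo_or_None, by) for one Received: header, or None."""
    flat = " ".join(header.split())
    m = FROM_BY_RE.search(flat)
    if not m:
        return None
    helo = HELO_RE.search(flat)
    return m.group(1).lower(), helo.group(1).lower() if helo else None, m.group(2).lower()

def audit_hops(received_headers, envelope_from, local_domains):
    """Findings as (from, helo, by, reason). local_domains are the domains this
    server hosts; a HELO inside them is fine even if it equals the sender domain."""
    sender_domain = envelope_from.rsplit("@", 1)[-1].lower()
    findings = []
    for raw in received_headers:
        hop = parse_received(raw)
        if hop is None or hop[1] is None:
            continue  # local injection ("from apache ... with local") carries no HELO
        src, helo, relay = hop
        helo_domain = registrable(helo)
        if helo_domain in FREEMAIL:
            findings.append((src, helo, relay, "HELO impersonates a freemail provider"))
        elif helo_domain == sender_domain and helo_domain not in local_domains:
            findings.append((src, helo, relay, "HELO follows the envelope-from domain"))
    return findings

# Constructed sample modelled on the headers quoted above, newest hop first.
SAMPLE_RECEIVED = [
    "Received: from [188.165.219.97] (helo=mail.gmail.com) by ns1.hb50.fr"
    " with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69)",
    "Received: from apache by serveur3.3go.fr with local (Exim 4.72)",
]

if __name__ == "__main__":
    print(audit_hops(SAMPLE_RECEIVED, "buyer@gmail.com", {"3go.fr", "1db.fr"}))
```

Feed it the Received: lines of a bounced or quarantined copy, newest first, together with the envelope sender and the domains the server really hosts; an empty result means every hop announced a name the relaying host is entitled to.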
 
Ok, thus, I would try with default exim.conf (a bit modified in order to make it work, since original exim.conf is supposed to be updated before installing on a server). If HELO is ok with default exim.conf, then it will clarify the situation.
 
Thanks for that.
When you test with Prestashop, use a real email (like registration), not the test email in admin (because it is sent by another method).
 