Sending Spam to AOL

I assume you also have the following in all your users' httpd.conf files:
SuexecUserGroup USER USER
php_admin_value sendmail_path '/usr/sbin/sendmail -t -i -f USER@DOMAIN'

The SuexecUserGroup should set the user/group for any CGI scripts being executed, and the other line tells PHP to use this command for sendmail. USER should be the real unix userid of the user and the DOMAIN should be replaced with their domain. Directadmin should have automatically put them in your /usr/local/directadmin/data/users/*/httpd.conf files, but if you have some really old accounts, they may not have been updated. These were put in place to help trace this type of problem.

Assuming your Directadmin is up to date and you don't have similar lines in all of your customers' httpd.conf files, then you should be able to use this command to update them:
echo "action=rewrite&value=httpd" >> /usr/local/directadmin/data/task.queue
/usr/local/directadmin/dataskq d

Once that completes, restart Apache, and any new spammer processes should show which account was sending the spam.
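Added example, not from the thread or from DirectAdmin: a small Python audit that walks data/users/<account>/httpd.conf and reports accounts where either directive is missing or names a different account than the directory it lives in (the "really old accounts" case above, plus configs copied between accounts). The directive syntax matched is exactly the form quoted in the post; the users tree is a constructed temp directory so the script runs offline. On a real box point audit_users_dir() at /usr/local/directadmin/data/users.

```python
import os
import re
import tempfile

# The two directives the post above expects in every per-user httpd.conf (form as quoted there).
SUEXEC_RE = re.compile(r'^\s*SuexecUserGroup\s+(\S+)\s+(\S+)', re.M)
SENDMAIL_RE = re.compile(
    r"""^\s*php_admin_value\s+sendmail_path\s+['"]?/usr/sbin/sendmail\s+-t\s+-i\s+-f\s+([^'"\s]+)""",
    re.M)


def audit_user_conf(username, conf_text):
    """Return the problems found in one account's httpd.conf (empty list means it is fine).

    username is the account name, i.e. the directory name under data/users; both directives
    must run as / send as that same account, otherwise the -f address and U= field point elsewhere."""
    problems = []
    suexec = SUEXEC_RE.findall(conf_text)
    if not suexec:
        problems.append("missing SuexecUserGroup")
    else:
        wrong = sorted({u for u, _g in suexec if u != username})
        if wrong:
            problems.append("SuexecUserGroup runs as %s, expected %s" % (", ".join(wrong), username))
    senders = SENDMAIL_RE.findall(conf_text)
    if not senders:
        problems.append("missing php_admin_value sendmail_path with -f USER@DOMAIN")
    else:
        wrong = sorted({a for a in senders if a.split("@", 1)[0] != username})
        if wrong:
            problems.append("sendmail_path -f sends as %s, expected %s@..." % (", ".join(wrong), username))
    return problems


def audit_users_dir(users_dir):
    """Walk users_dir/<account>/httpd.conf and return {account: [problems]} for accounts with problems."""
    report = {}
    for account in sorted(os.listdir(users_dir)):
        conf = os.path.join(users_dir, account, "httpd.conf")
        if not os.path.isfile(conf):
            continue
        with open(conf, encoding="utf-8", errors="replace") as fh:
            problems = audit_user_conf(account, fh.read())
        if problems:
            report[account] = problems
    return report


# Constructed vhost template standing in for what DirectAdmin writes (not a real DA file).
VHOST = """<VirtualHost 1.2.3.4:80>
    ServerName www.{domain}
    SuexecUserGroup {suexec} {suexec}
    DocumentRoot /home/{user}/domains/{domain}/public_html
    php_admin_value sendmail_path '/usr/sbin/sendmail -t -i -f {sender}'
</VirtualHost>
"""


def make_sample_tree():
    """Build a throwaway users directory with one good, one old and one mis-copied account."""
    root = tempfile.mkdtemp(prefix="da-users-")
    confs = {
        "goodacct": VHOST.format(domain="good.example", user="goodacct", suexec="goodacct",
                                 sender="goodacct@good.example"),
        # really old account: neither directive was ever written
        "oldacct": "<VirtualHost 1.2.3.4:80>\n    ServerName www.old.example\n</VirtualHost>\n",
        # config copied from another account and never fixed up
        "wrongacct": VHOST.format(domain="wrong.example", user="wrongacct", suexec="goodacct",
                                  sender="goodacct@good.example"),
    }
    for account, text in confs.items():
        os.makedirs(os.path.join(root, account))
        with open(os.path.join(root, account, "httpd.conf"), "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    for account, problems in audit_users_dir(make_sample_tree()).items():
        print(account, "->", "; ".join(problems))
```

If the audit reports anything, the task.queue rewrite below regenerates the files; rerun the audit afterwards, since an account whose httpd.conf was hand-edited may keep its old content.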
 
hi toml,

thanks for your reply as well. Yes, I've those lines in all httpd.conf files, but when I get a report like this one:

Code:
This is an email abuse report for an email message with the message-id of [email protected] received from IP address 194.177.98.220 on Mon, 14 Jun 2010 21:37:29 -0400 (EDT)

For information, please review the top portion of the following page:
http://postmaster.aol.com/tools/fbl.html

For information about AOL E-mail guidelines, please see
http://postmaster.aol.com/guidelines/

If you would like to cancel or change the configuration for your FBL please use the tool located at: 
http://postmaster.aol.com/waters/fbl_change_form.html



Feedback-Type: abuse
User-Agent: AOL SComp
Version: 0.1
Received-Date: Mon, 14 Jun 2010 21:37:29 -0400 (EDT)
Source-IP: 194.177.98.220
Reported-Domain: Psycho.CrazyNetwork.it
Redacted-Address: redacted
Redacted-Address: redacted@



Part 1.2
Subject:
Accounting Assistant Needed
From:
RUXTON Textiles <[email protected]>
Date:
Mon, 14 Jun 2010 17:45:49 +0200
To:
[email protected]

Hello Here is a special provision of an employment offer in order to increase employment rate in UK/USA/Canada irrespective of the age and gender. This does not require any professional qualifications. This Organization is founded to increase employment among the honest, trustworthy and intelligent individuals living in UK to handle some elementary paper work and payroll administration to our clients in UK/USA/Canada. Your Obligation is to work for 2hours a day and also listen attentively to given instructions. Your Job is to take care of all applications with regards to new clients that are willing to register company in Cyprus. yours is to be filling all documentations from these individual companies which will be sent to you under the companies name. Salary Terms: 10% for each transaction, Get back to us asap if you are interested in the employment offer. Regards, John Macdonald.

I don't see any useful information about the user who is sending those spam emails, just the server IP; that's why I'm not able to find out who is the responsible user for those spam emails.

The problem also is that I cannot find this email id [email protected] or 1OOBrB-0000Vb-7Q in the spool directory, and I still don't know how to find out that id to check the header (scomp is not sending the complete header, so I cannot solve the problem).

Any further idea and/or information is always appreciated

Thanks
 
scomp not sending the complete header so i cannot solve the problem

They do send the complete header but you have to look at the message source. I do this all the time.

Here is an example:

Return-Path: <[email protected]>
Received: from mtain-mh12.r1000.mx.aol.com (mtain-mh12.r1000.mx.aol.com [172.29.96.224]) by air-de01.mail.aol.com (v129.4) with ESMTP id MAILINDE011-5ea24c14c31a184; Sun, 13 Jun 2010 07:38:02 -0400
Received: from super.newwebsite.com (super.newwebsite.com [74.117.232.10])
by mtain-mh12.r1000.mx.aol.com (Internet Inbound) with ESMTP id 377C2380001AD
for <redacted>; Sun, 13 Jun 2010 07:38:00 -0400 (EDT)
Received: from apache by super.newwebsite.com with local (Exim 4.67)
(envelope-from <[email protected]>)
id 1ONlVn-0000yi-PL
for redacted; Sun, 13 Jun 2010 07:37:59 -0400
To: [email protected]
Subject: We always have specials in our online drugstore
X-PHP-Script: www.ratpals.com/index.php for 93.190.142.152
From: Google News <[email protected]>
Message-Id: <[email protected]>
MIME-Version: 1.0
Content-Type: text/html
Date: Sun, 13 Jun 2010 07:37:59 -0400
x-aol-global-disposition: G
x-aol-sid: 3039ac1d60e04c14c3181bcf
X-AOL-IP: 74.117.232.10
Content-Transfer-Encoding: quoted-printable
X-Mailer: Unknown (No Version)
 
Once the email has been sent to AOL or any other host, the relevant files are removed from the spool directory. The log files are the only way to find out what the problem is then. What do your log files show about that message-ID? Also, was that message sent after you made the header file change?

There are a few other things you may want to look at; one is the possibility of a rootkit. I would recommend you run something like rkhunter to make sure you aren't affected by a rootkit.

Since it is most likely an Apache process that is initiating the spam, you could search through the Apache log files for "GET" or "POST" requests around the same time as some confirmed spams. A fairly simple egrep or perl script could extract all those requests within X number of minutes before Mon, 14 Jun 2010 17:45:49 +0200, which is when the spam was sent. You can start with X being 1 minute and gradually expand the search by 1 minute increments until you see the request(s) that sent the spam. I can't imagine you would need to look more than 5 minutes before then to find the request. Just make sure you format your time request to adjust for the actual time zone your Apache server logs in.
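Added example, not code from the thread: the time-window search described above in Python instead of egrep/perl. It parses Apache combined-format lines (an assumption; adjust ACCESS_RE for a custom LogFormat), takes the spam's own Date: header as the anchor, and widens the window one minute at a time. Timestamps are kept offset-aware, so a Date: in +0200 is compared correctly against a log written in any other zone. The access log below is constructed for the example; the IP and script path are the ones that turn up later in this thread.

```python
import re
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime

# Apache "combined" LogFormat (assumed; change the pattern if the server logs a custom format).
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')


def parse_access_line(line):
    """One access-log line as a dict with an offset-aware 'time', or None if it does not parse."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # %z keeps the log's own UTC offset, so the comparison below is between instants, not wall clocks.
    entry["time"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def spam_time(date_header):
    """The spam's Date: header (e.g. 'Mon, 14 Jun 2010 17:45:49 +0200') as an aware datetime."""
    return parsedate_to_datetime(date_header)


def requests_before(log_text, sent_at, minutes, methods=("GET", "POST")):
    """GET/POST requests logged in the `minutes` before (and up to) the moment the spam was sent."""
    start = sent_at - timedelta(minutes=minutes)
    return [e for e in map(parse_access_line, log_text.splitlines())
            if e and e["method"] in methods and start <= e["time"] <= sent_at]


def expand_search(log_text, sent_at, max_minutes=5):
    """Widen the window a minute at a time, as suggested above; stop at the first window with hits."""
    for minutes in range(1, max_minutes + 1):
        hits = requests_before(log_text, sent_at, minutes)
        if hits:
            return minutes, hits
    return None, []


# Constructed sample of a per-domain access log (the server here logs in +0200).
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [14/Jun/2010:17:40:02 +0200] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
82.128.0.14 - - [14/Jun/2010:17:45:31 +0200] "POST /~frc/web/img/l/wa.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
82.128.0.14 - - [14/Jun/2010:17:45:47 +0200] "POST /~frc/web/img/l/wa.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
10.0.0.9 - - [14/Jun/2010:17:46:10 +0200] "GET /images/logo.png HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
10.0.0.5 - - [14/Jun/2010:17:58:00 +0200] "HEAD /contact.php HTTP/1.1" 200 - "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    sent = spam_time("Mon, 14 Jun 2010 17:45:49 +0200")
    minutes, hits = expand_search(SAMPLE_ACCESS_LOG, sent)
    print("first hits within %s minute(s):" % minutes)
    for h in hits:
        print(" ", h["time"].isoformat(), h["ip"], h["method"], h["path"])
```

Run it against the domain's log under /var/log/httpd/domains/ with the spam's Date: header; once a script path shows up, the client IP on the same lines is what to grep for next.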
 
Ok,

I've found this specific message in the log; it was a message sent yesterday (probably it wasn't yet under the PHP header).

Here is the log:

Code:
>exigrep 1OOBrB-0000Vb-7Q mainlog.1
2010-06-14 17:45:49 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1OOBrB-0000Vb-7Q

2010-06-15 03:37:29 cwd=/var/spool/exim 10 args: /usr/sbin/exim -MCQ 28063 5 -MC remote_smtp mailin-04.mx.aol.com 205.188.103.2 227 1OOBrB-0000Vb-7Q

2010-06-14 17:45:49 1OOBrB-0000Vb-7Q <= [email protected] U=apache P=local S=1470 T="Accounting Assistant Needed" from <[email protected]> for [email protected]
2010-06-15 03:37:30 1OOBrB-0000Vb-7Q => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=1503 H=mailin-04.mx.aol.com [205.188.103.2]* C="250 2.0.0 Ok: queued as D20F0380001D2"
2010-06-15 03:37:30 1OOBrB-0000Vb-7Q Completed

In case the PHP header was active, how should I be able to check the header of this specific message, for example? Here in the log, or with one specific command line?

Thank you guys, you are very kind

PS toml, I'm not so expert on scripts; I should check it manually, probably harder but efficient :D
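Added example, not code from the thread: a parser for the Exim mainlog "<=" (message received) lines in the layout shown in the exigrep output above. The point of the suexec/sendmail_path change in the first post is visible in the U= field of these lines: mail that PHP hands to Exim still shows U=apache P=local, which names no account, while mail injected as the account user can be attributed directly. The log below is constructed for the example (the queue IDs and sender/recipient addresses are made up); the parser only assumes the field layout seen in the thread.

```python
import re
from collections import Counter

# One Exim mainlog "<=" line:  date time queue-id <= envelope-sender KEY=value ... [from <hdr>] [for rcpt ...]
RECEIVED_RE = re.compile(
    r'^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<id>\S+) <= (?P<sender>\S+)(?P<rest>.*)$')
# KEY=value tokens (U=, P=, S=, T="quoted subject", H=, A=, ...)
KV_RE = re.compile(r'\b(?P<key>[A-Z])=(?P<val>"(?:[^"\\]|\\.)*"|\S+)')
# the From: header address Exim logs after the subject
FROM_RE = re.compile(r' from <(?P<hdr>[^>]*)>')
# recipients are logged last and never contain a quote, so anchor after the last quoted token
FOR_RE = re.compile(r' for (?P<rcpts>[^"]+)$')

# Unix users a web server runs PHP as; mail injected by them carries no account name at all.
WEB_SERVER_USERS = {"apache", "nobody", "www-data"}


def parse_received_line(line):
    """Parse one '<=' line into a dict, or return None for any other mainlog line."""
    m = RECEIVED_RE.match(line)
    if not m:
        return None
    entry = {"when": m.group("date") + " " + m.group("time"),
             "id": m.group("id"), "sender": m.group("sender")}
    rest = m.group("rest")
    for_m = FOR_RE.search(rest)
    if for_m:
        entry["recipients"] = for_m.group("rcpts").split()
        rest = rest[:for_m.start()]
    from_m = FROM_RE.search(rest)
    if from_m:
        entry["header_from"] = from_m.group("hdr")
    for kv in KV_RE.finditer(rest):
        val = kv.group("val")
        entry[kv.group("key")] = val[1:-1] if val.startswith('"') else val
    return entry


def received_messages(log_text):
    return [e for e in (parse_received_line(l) for l in log_text.splitlines()) if e]


def local_injections_by_user(entries):
    """How many messages each unix user handed to Exim through the local sendmail interface (P=local)."""
    return Counter(e.get("U") for e in entries if e.get("P") == "local")


def unattributed(entries):
    """Local injections by the web server user itself: the log line alone cannot say whose script sent them."""
    return [e for e in entries if e.get("P") == "local" and e.get("U") in WEB_SERVER_USERS]


# Constructed sample (not the thread's real mainlog): two messages still injected as apache, one
# injected as account frc after the config change, one authenticated SMTP submission, and one
# delivery line that the parser must ignore.
SAMPLE_MAINLOG = """\
2010-06-14 17:45:49 1OOBrB-0000Vb-7Q <= apache@Psycho.CrazyNetwork.it U=apache P=local S=1470 T="Accounting Assistant Needed" from <jobs@example.com> for victim1@example.org
2010-06-14 17:45:50 1OOBrC-0000Vc-8R <= apache@Psycho.CrazyNetwork.it U=apache P=local S=1470 T="Accounting Assistant Needed" from <jobs@example.com> for victim2@example.org
2010-06-14 17:46:02 1OOBrD-0000Vd-9S <= frc@formularuncup.it U=frc P=local S=1490 T="Accounting Assistant Needed" from <jobs@example.com> for victim3@example.org
2010-06-14 17:50:11 1OOBsA-0000Wa-1T <= alice@example.net H=(client) [10.0.0.7] P=esmtpa A=login:alice S=2210 T="Re: invoice for June" for bob@example.org
2010-06-14 17:51:00 1OOBsA-0000Wa-1T => bob@example.org R=lookuphost T=remote_smtp
"""

if __name__ == "__main__":
    entries = received_messages(SAMPLE_MAINLOG)
    print("local injections per unix user:", dict(local_injections_by_user(entries)))
    for e in unattributed(entries):
        print("cannot attribute", e["id"], "subject:", e.get("T"))
```

Against a real /var/log/exim/mainlog the per-user counter is the quickest way to see which account a burst came from once the directives are in place; anything still counted under apache needs the X-PHP-Script header from a returned copy of the mail, as discussed further down.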
 
how i should be able to check the header of this specific message for example?

It's as if nobody listens to me. Post #23

You can only check headers of mail in your possession. You cannot check headers of mail sent unless that mail gets sent back to you.
 
Oh ok, sorry, it's not that I didn't read, it's that I didn't get how you got the header ^^

So I've just to wait for a more specific mail with the header, I think, and check for suspicious Apache activity

thanks everyone
 
Oh ok, sorry, it's not that I didn't read, it's that I didn't get how you got the header ^^

You have to view the source of the email that you get from AOL. I showed an example of the message source I get from AOL. How you do that depends on what email client you are using. In Thunderbird I go to the menu View and then Message Source. In Outlook it's something else. There are different ways in different webmail clients.
 
Yes, I know how to see the source of an email and I use TB as well, but watching the source of the AOL email I see just their mail header, not the one of the spam mail they received; at least that is what I saw till now using source view...
 
Well I gave you an example of the source above. If you don't see something like that then you are not really viewing the source.

There should also be an .eml attachment. You may have to open that and view the source.

Here is a little more to look at:

This is an email abuse report for an email message with the message-id of [email protected] received from IP address 74.117.232.10 on Sun, 13 Jun 2010 07:38:00 -0400 (EDT)

For information, please review the top portion of the following page:
http://postmaster.aol.com/tools/fbl.html

For information about AOL E-mail guidelines, please see
http://postmaster.aol.com/guidelines/

If you would like to cancel or change the configuration for your FBL please use the tool located at:
http://postmaster.aol.com/waters/fbl_change_form.html


--boundary-1138-29572-2659438-22082
Content-Disposition: inline
Content-Type: message/feedback-report

Feedback-Type: abuse
User-Agent: AOL SComp
Version: 0.1
Received-Date: Sun, 13 Jun 2010 07:38:00 -0400 (EDT)
Source-IP: 74.117.232.10
Reported-Domain: super.newwebsite.com
Redacted-Address: redacted
Redacted-Address: redacted@


--boundary-1138-29572-2659438-22082
Content-Type: message/rfc822
Content-Disposition: inline

Return-Path: <[email protected]>
Received: from mtain-mh12.r1000.mx.aol.com (mtain-mh12.r1000.mx.aol.com [172.29.96.224]) by air-de01.mail.aol.com (v129.4) with ESMTP id MAILINDE011-5ea24c14c31a184; Sun, 13 Jun 2010 07:38:02 -0400
Received: from super.newwebsite.com (super.newwebsite.com [74.117.232.10])
by mtain-mh12.r1000.mx.aol.com (Internet Inbound) with ESMTP id 377C2380001AD
for <redacted>; Sun, 13 Jun 2010 07:38:00 -0400 (EDT)
Received: from apache by super.newwebsite.com with local (Exim 4.67)
(envelope-from <[email protected]>)
id 1ONlVn-0000yi-PL
for redacted; Sun, 13 Jun 2010 07:37:59 -0400
To: [email protected]
Subject: We always have specials in our online drugstore
X-PHP-Script: www.ratpals.com/index.php for 93.190.142.152
From: Google News <[email protected]>
Message-Id: <[email protected]>
MIME-Version: 1.0
Content-Type: text/html
Date: Sun, 13 Jun 2010 07:37:59 -0400
x-aol-global-disposition: G
x-aol-sid: 3039ac1d60e04c14c3181bcf
X-AOL-IP: 74.117.232.10
Content-Transfer-Encoding: quoted-printable
X-Mailer: Unknown (No Version)


Angela Denison<br />
3308 Route 112<br />
Medford, NY 11763, USA<br />
<br />
Dear Angela Denison,<br />
<br />
Please update your bookmarks - we moved our store to <a href=3D'http://www=
.nuvi200.com/?action=3Dfdashop'>new location</a>.<br />
Follow this link to check our products and find good deals.<br />
Be aware of scam sites with similar look - we are the only one legitimate=
US approved online drugstore.<br />
<br />
And remember - we always sell for less! <br />

<br />
Thank you for been loyal customer, <br />
<br />
Sincerely, Solutions For You, LLc.

You will see in there this line:
X-PHP-Script: www.ratpals.com/index.php for 93.190.142.152

This tells me what script sent the email and the ip address of the sender. I can then grep the apache logs for the ip and see what else they were doing.
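Added example, not code from the thread: a Python parser for the AOL feedback report shown above. It walks the multipart/report message, reads the message/feedback-report fields (Source-IP, Received-Date, Reported-Domain) and then the embedded message/rfc822 copy of the spam, where it picks out Message-Id, Subject, the X-PHP-Script header split into script path and client IP, and the "from apache by ... with local" Received hop that gives the local unix user and the Exim queue ID for exigrep. The report below is constructed for the example with the field layout of the report above (addresses and body are made up); the second sample drops X-PHP-Script to show what is still recoverable from a message sent before the header was active.

```python
import email
import re

# "X-PHP-Script: <host>/<path>.php for <client ip>" as it appears in the reports above
XPHP_RE = re.compile(r'^(?P<script>\S+) for (?P<client_ip>\S+)')
# The local-injection hop Exim writes: "from <unix user> by <host> with local ... id <queue id>"
LOCAL_HOP_RE = re.compile(
    r'from\s+(?P<user>\S+)\s+by\s+(?P<host>\S+)\s+with\s+local\b.*?\bid\s+(?P<id>\S+)', re.S)


def _as_message(part):
    """message/* parts are parsed as a nested message; otherwise parse the raw body text."""
    payload = part.get_payload()
    if isinstance(payload, list):
        return payload[0]
    return email.message_from_string(payload)


def parse_feedback_report(raw):
    """Pull the forensically useful fields out of an ARF (multipart/report) complaint."""
    report = email.message_from_string(raw)
    if report.get_content_type() != "multipart/report":
        raise ValueError("not a multipart/report message")
    result = {"feedback_type": None, "source_ip": None, "received_date": None,
              "reported_domain": None, "message_id": None, "date": None, "subject": None,
              "script": None, "client_ip": None, "local_user": None, "exim_id": None}
    for part in report.walk():
        ctype = part.get_content_type()
        if ctype == "message/feedback-report":
            fields = _as_message(part)
            result["feedback_type"] = fields["Feedback-Type"]
            result["source_ip"] = fields["Source-IP"]
            result["received_date"] = fields["Received-Date"]
            result["reported_domain"] = fields["Reported-Domain"]
        elif ctype == "message/rfc822":
            inner = _as_message(part)
            result["message_id"] = inner["Message-Id"]
            result["date"] = inner["Date"]
            result["subject"] = inner["Subject"]
            xphp = inner["X-PHP-Script"]
            if xphp:
                m = XPHP_RE.match(xphp.strip())
                if m:
                    result["script"], result["client_ip"] = m.group("script"), m.group("client_ip")
            # Even without X-PHP-Script, the local hop tells which unix user injected the mail
            # (apache = untraceable, an account name = traceable) and the Exim queue ID to exigrep.
            for hop in inner.get_all("Received", []):
                m = LOCAL_HOP_RE.search(hop)
                if m:
                    result["local_user"], result["exim_id"] = m.group("user"), m.group("id")
                    break
    return result


# Constructed ARF report in the layout of the AOL reports above (addresses, IDs and body made up).
SAMPLE_ARF = """\
From: fbl@example.net
To: abuse@example.net
Subject: Email Feedback Report for IP 194.177.98.220
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report; boundary="bnd-1"

--bnd-1
Content-Type: text/plain; charset="US-ASCII"

This is an email abuse report for an email message received from IP address 194.177.98.220

--bnd-1
Content-Type: message/feedback-report

Feedback-Type: abuse
User-Agent: AOL SComp
Version: 0.1
Received-Date: Mon, 14 Jun 2010 21:52:08 -0400 (EDT)
Source-IP: 194.177.98.220
Reported-Domain: Psycho.CrazyNetwork.it
Redacted-Address: redacted

--bnd-1
Content-Type: message/rfc822

Received: from Psycho.CrazyNetwork.it (Psycho.CrazyNetwork.it [194.177.98.220])
    by mtain-dd02.r1000.mx.aol.com (Internet Inbound) with ESMTP id 7E3A238000108
    for <redacted>; Mon, 14 Jun 2010 21:52:08 -0400 (EDT)
Received: from apache by Psycho.CrazyNetwork.it with local (Exim 4.72)
    (envelope-from <apache@Psycho.CrazyNetwork.it>)
    id 1OO9z2-00077N-ES
    for redacted; Mon, 14 Jun 2010 15:45:48 +0200
Date: Mon, 14 Jun 2010 15:45:48 +0200
Message-Id: <E1OO9z2-00077N-ES@Psycho.CrazyNetwork.it>
To: redacted
Subject: Accounting Assistant Needed
X-PHP-Script: 194.177.98.240/~frc/web/img/l/wa.php for 82.128.0.14
From: RUXTON Textiles <jobs@example.com>
Content-Type: text/html

Hello, here is a special provision of an employment offer.

--bnd-1--
"""
# Same report for a message sent before the PHP header was active.
SAMPLE_ARF_NO_XPHP = SAMPLE_ARF.replace(
    "X-PHP-Script: 194.177.98.240/~frc/web/img/l/wa.php for 82.128.0.14\n", "")

if __name__ == "__main__":
    for k, v in parse_feedback_report(SAMPLE_ARF).items():
        print("%-15s %s" % (k, v))
```

Feed it the raw source of the complaint (the whole message, or the .eml attachment where the client saves one); script and client_ip are what to grep the domain's Apache log for, and exim_id is what to hand to exigrep when the X-PHP-Script line is absent.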
 
Ok, I've found the line you were talking about. The curious thing was that I didn't view the source of the scomp mail but of the .eml attachment, and the header is not there. I did it on the complete email, and after the first header of the AOL mail there was the second; here it is:

Code:
From - Tue Jun 15 21:41:35 2010
X-Account-Key: account8
X-UIDL: 0000f27b4853e821
X-Mozilla-Status: 0001
X-Mozilla-Status2: 10000000
X-Mozilla-Keys:                                                                                 
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Tue, 15 Jun 2010 21:35:21 +0200
Received: from mail by Psycho.CrazyNetwork.it with spam-scanned (Exim 4.72)
	(envelope-from <[email protected]>)
	id 1OObur-0005Hm-2y
	for [email protected]; Tue, 15 Jun 2010 21:35:21 +0200
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	Psycho.CrazyNetwork.it
X-Spam-Level: 
X-Spam-Status: No, score=-0.4 required=5.0 tests=AWL,BAYES_00,HTML_MESSAGE,
	SPF_PASS autolearn=ham version=3.2.5
Received: from omr-m22.mx.aol.com ([64.12.136.130])
	by Psycho.CrazyNetwork.it with esmtp (Exim 4.72)
	(envelope-from <[email protected]>)
	id 1OObuq-0005Hb-QK
	for [email protected]; Tue, 15 Jun 2010 21:35:21 +0200
Received: from scmp-m45.mail.aol.com (scmp-m45.mail.aol.com [172.21.139.223]) by omr-m22.mx.aol.com (v117.7) with ESMTP id MAILOMRM227-7ded4c17d5e41c; Tue, 15 Jun 2010 15:35:00 -0400
Received: from [email protected] by scmp-m45.mail.aol.com; Tue, 15 Jun 2010 15:34:57 EDT
To: [email protected]
From: [email protected]
Date: Tue, 15 Jun 2010 15:34:57 EDT
Subject: Email Feedback Report for IP 194.177.98.220
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report; boundary="boundary-1138-29572-2659438-23059"
X-AOL-INRLY: Psycho.CrazyNetwork.it [194.177.98.220] scmp-m45
X-Loop: scomp
X-AOL-IP: 172.21.139.223
Message-ID: <[email protected]>

--boundary-1138-29572-2659438-23059
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit

This is an email abuse report for an email message with the message-id of [email protected] received from IP address 194.177.98.220 on Mon, 14 Jun 2010 21:52:08 -0400 (EDT)

For information, please review the top portion of the following page:
http://postmaster.aol.com/tools/fbl.html

For information about AOL E-mail guidelines, please see
http://postmaster.aol.com/guidelines/

If you would like to cancel or change the configuration for your FBL please use the tool located at: 
http://postmaster.aol.com/waters/fbl_change_form.html


--boundary-1138-29572-2659438-23059
Content-Disposition: inline
Content-Type: message/feedback-report

Feedback-Type: abuse
User-Agent: AOL SComp
Version: 0.1
Received-Date: Mon, 14 Jun 2010 21:52:08 -0400 (EDT)
Source-IP: 194.177.98.220
Reported-Domain: Psycho.CrazyNetwork.it
Redacted-Address: redacted
Redacted-Address: redacted@


--boundary-1138-29572-2659438-23059
Content-Type: message/rfc822
Content-Disposition: inline

Return-Path: <[email protected]>
Received: from mtain-dd02.r1000.mx.aol.com (mtain-dd02.r1000.mx.aol.com [172.29.64.142]) by air-df03.mail.aol.com (v129.4) with ESMTP id MAILINDF032-5eeb4c16dcc9c5; Mon, 14 Jun 2010 21:52:09 -0400
Received: from Psycho.CrazyNetwork.it (Psycho.CrazyNetwork.it [194.177.98.220])
	by mtain-dd02.r1000.mx.aol.com (Internet Inbound) with ESMTP id 7E3A238000108
	for <redacted>; Mon, 14 Jun 2010 21:52:08 -0400 (EDT)
Received: from apache by Psycho.CrazyNetwork.it with local (Exim 4.72)
	(envelope-from <[email protected]>)
	id 1OO9z2-00077N-ES
	for redacted; Mon, 14 Jun 2010 15:45:48 +0200
Date: Mon, 14 Jun 2010 15:45:48 +0200
Message-Id: <[email protected]>
To: [email protected]
Subject: 
X-PHP-Script: 194.177.98.240/~frc/web/img/l/wa.php for 82.128.0.14
From: RUXTON Textiles <[email protected]>
Reply-To: [email protected]
MIME-Version: 1.0
Content-Type: text/html
x-aol-global-disposition: S
x-aol-sid: 3039ac1d408e4c16dcc82128
X-AOL-IP: 194.177.98.220
Content-Transfer-Encoding: quoted-printable
X-Mailer: Unknown (No Version)


Hello
Here is a special provision of an employment offer in order to increase em=
ployment rate in UK/USA/Canada irrespective of the age and gender. This do=
es not require any professional qualifications.
This Organization is founded to increase employment among the honest, trus=
tworthy and intelligent individuals living in UK to handle some elementary=
 paper work and payroll administration to our clients in UK/USA/Canada.
Your Obligation is to work for 2hours a day and also listen attentively to=
 given instructions.
Your Job is to take care of all applications with regards to new clients=
 that are willing to register company in Cyprus.

yours is to be filling all documentations from these individual companies=
 which will be sent to you under the companies name.
Salary Terms: 10%  for each transaction, Get back to us asap if you are in=
terested
in the employment offer.
Regards,

John Macdonald.



--boundary-1138-29572-2659438-23059--

And here there is the script that was sending mail; I had already found it yesterday, so those emails are reports of mail sent yesterday.

thanks a lot for your support and patience ^^

Now I know a little bit more, and that's always appreciated

PS. I've tried to check the Apache log in /var/log/httpd/domains/formularuncup.it.log, but there is nothing regarding wa.php (the file with the script), and I would like to know, if you can tell me, where I can find older httpd logs for a domain

Thanks again
 
X-PHP-Script: 194.177.98.240/~frc/web/img/l/wa.php for 82.128.0.14
Go to that..

I guess: cd /home/frc/public_html/web/img/l/
there must be 'wa.php'
maybe you'd better clean up the whole account 'frc'
 
Yes thanks, as I wrote I had already found that script yesterday night; probably those emails are not for mail sent today but yesterday.

Thanks everyone for the help
 