MRatWork Forum by Mustafa Ramadhan
Sawo Project - Kloxo-MR Discussions => Kloxo-MR Technical Helps => Topic started by: lenawaii on 2014-12-06, 12:28:04
-
Hi,
I would like to report spam activity on my web server running Kloxo-MR. My web server has been blacklisted by Barracuda and I wanted to discover why, so I found a way to trace scripts using the PHP mail function. To get this, I used an easy way:
Adding two lines in /etc/php.ini in the [Mail Function] part:
- mail.add_x_header = On
- mail.log = /var/log/phpmail.log
I created the file phpmail.log in the right place with chmod 777 to log all the PHP scripts that use the PHP mail function, and then restarted Apache.
After this, I could read the scripts and found the spam source: It's a script on a website in China with IP 124.173.132.30 => http://www.faret.cn/anzo.txt
How is it possible to send spam from an external script?
I wanted to blacklist spammer IP with "Blocked Hosts" option in Kloxo Panel but this option does not work as I reported here in this post => http://forum.mratwork.com/kloxo-mr-technical-helps/blocked-hosts-for-localhost-do-not-blacklist-ip-in-kloxo-mr/
What do you suggest to protect my server from external scripts like this one? Is Spamdyke useful for this?
Thanks for helping :-)
Below is the spam sent by the spammer to many recipients; this mail is blocked in the mail queue, by the way.
mail() on [http://www.faret.cn/anzo.txt????:193]: To: bin@iptransit.net -- Headers: From: Kenneth Williams <kwilliams174@yahoo.com> Reply-To: kwilliams174@yahoo.com MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 7bit Hello , My name is Mr.Kenneth Williams,A America citizen that live in Liberia ,Am sick for Ebola Virus Disease , Am an oil business man that made so much wealth in Africa,Right here my family and associate cannot come to see me because of the disease , Doctor has confirm to me that i will be death in 9 days time,I have wrote to my bank account officer to transfer $10 million to you ,so that you will take 20% and help me donate 80% to the charity home,This is my last wish as doctor has confirmed that i cannot live any more, Please kindly contact her now on Ms.Helen Adams Email: helenadams842@yahoo.com ,I have instructed her to work out the modalities and you will disburse the funds to various charity home in the world.May God bless you as you work with my instruction,You may not hear from me again as am very weak,Just manage to type this message,cooperate with my account officer Ms.Helen,Bye Kenneth Williams
-
Check the plugins of your website apps (like WordPress). Possibly one of the plugins has backdoor code.
-
Try checking maillog in 'log manager'.
-
Thank you for the advice.
Maillog checked, no spam at the moment; I will use iptables to block IPs if I identify the spammer.
-
Hi, I followed your tip but my phpmail.log is empty, yet I still receive bounce-backs in my server's main email (anonymous@myrealserver.net) like this:
How can I check whether the original message was sent by my server?
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.
<iceman66@centrum.cz>:
User and password not set, continuing without authentication.
<iceman66@centrum.cz> 77.93.216.15 failed after I sent the message.
Remote host said: 554 message refused by the scanner (#5.7.1) - for more information visit https://www.virusfree.cz/faq--- Below this line is a copy of the message.
Return-Path: <anonymous@myrealserver.net>
Received: (qmail 21668 invoked by uid 496); 5 Feb 2015 13:09:29 -0000
Date: 5 Feb 2015 13:09:29 -0000
Message-ID: <20150205130929.21666.qmail@rudraksha.myrealserver.net>
To: iceman66@centrum.cz
Subject: Read and reply me
From: D.Mitch <de_mitche3797@aol.ca>
Reply-To: De Mitch <d.m7002@yahoo.co.uk>
Content-Type: text/plain
Hope you get to read this important message in good health.
I have a business opportunity to urgently share with you which involves a total amount of 18 Million (USD). The money was left behind by a deceased customer of my bank, and I am contacting you to seek your trusted partnership in receiving these funds. If you are interested, please reply immediately for detailed information.
Best regards,
Derek.
-
hi,
Did you restart Apache?
-
Of course I did.
-
Here is my php.ini:
[mail function]
SMTP = localhost
smtp_port = 25
sendmail_path = /usr/sbin/sendmail -t -i
mail.add_x_header = On
mail.log = /var/log/phpmail.log
Create the file phpmail.log in the right place with chmod 777, then restart Apache.
This trick works only with PHP 5.3.0 and later.
Let me know if you manage to get it working.
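As an added example (not code from this thread or from Kloxo-MR), a small Python script that reads the entries this mail.log setting produces and attributes each mail() call to the calling script, so the script that sends the bulk of the mail stands out. The sample log lines are constructed; the /home/ hosting root and the rule "a URL or a path outside the hosting root is suspicious" are my assumptions.

```python
import re
from collections import Counter

# Entries written by php.ini's mail.log setting, one per mail() call, in the shape shown
# earlier in this thread: "mail() on [script:line]: To: addr -- Headers: ...".
# PHP prefixes each entry with "[date time] "; the regex treats that prefix as optional.
ENTRY_RE = re.compile(
    r"^(?:\[[^\]]*\]\s+)?mail\(\) on \[(?P<script>.+?):(?P<line>\d+)\]: "
    r"To: (?P<to>\S+) -- Headers: (?P<headers>.*)$"
)
# The From: value runs until the next "Header-Name:" token or the end of the entry.
FROM_RE = re.compile(r"From:\s*(?P<from>.*?)(?=\s+[A-Za-z-]+:\s|$)")

# Constructed sample log (not from the thread): one legitimate contact form, two calls
# from code loaded over HTTP, one from a PHP file outside the hosting root, one junk line.
SAMPLE_LOG = """\
[05-Feb-2015 13:09:29 UTC] mail() on [/home/shop/shop.example/contact.php:42]: To: owner@shop.example -- Headers: From: Web form <noreply@shop.example>
[05-Feb-2015 13:09:30 UTC] mail() on [http://example.invalid/anzo.txt:193]: To: victim1@example.net -- Headers: From: Kenneth Williams <kw@example.org> Reply-To: kw@example.org MIME-Version: 1.0
[05-Feb-2015 13:09:31 UTC] mail() on [http://example.invalid/anzo.txt:193]: To: victim2@example.net -- Headers: From: Kenneth Williams <kw@example.org> Reply-To: kw@example.org MIME-Version: 1.0
[05-Feb-2015 13:09:32 UTC] mail() on [/var/www/html/uploads/x.php:7]: To: victim3@example.net -- Headers: From: admin <admin@example.org>
not a mail.log entry
"""

def parse_entry(line, hosting_root="/home/"):
    """Parse one mail.log entry; returns a dict, or None for lines that are not entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["line"] = int(e["line"])
    fm = FROM_RE.search(e["headers"])
    e["from"] = fm.group("from").strip() if fm else ""
    # A URL in the script position means the code came from a remote include; a path
    # outside the hosting root (assumed /home/<user>/<domain>, as in the PWD values
    # quoted later in this thread) is not a site's own script either.
    e["remote"] = e["script"].lower().startswith(("http://", "https://", "ftp://"))
    e["suspicious"] = e["remote"] or not e["script"].startswith(hosting_root)
    return e

def summarize(lines, hosting_root="/home/"):
    """Return (mail() calls per script, sorted list of suspicious scripts)."""
    per_script, suspicious = Counter(), set()
    for line in lines:
        e = parse_entry(line, hosting_root)
        if e is not None:
            per_script[e["script"]] += 1
            if e["suspicious"]:
                suspicious.add(e["script"])
    return per_script, sorted(suspicious)
```

Run it over the real file with `summarize(open("/var/log/phpmail.log"))`; the Counter's `most_common()` puts the noisiest script first.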
-
About spam:
I now use a PHP function to secure my forms and protect my server from spammers; I share it here:
function nospam($text){
    // Strip CR/LF (raw and URL-encoded %0A/%0D) and header names that could be injected
    // into a mail() header field; matched case-insensitively so "Bcc:" is caught too.
    $text = str_ireplace(array("\r", "\n", "%0A", "%0D", "Content-Type:", "BCC:", "CC:"), "", $text);
    $text = strip_tags($text);
    $text = stripslashes($text);
    return $text;
}
especially for forms that send automatic emails to buyers or subscribers.
-
Well, I now have logs in /var/log/phpmail.log, but the spammer is not using PHP to send emails, as nothing appears there.
I searched forums and found that I should look at what the bounce said: Received: (qmail 21406 invoked by uid 496); 6 Feb 2015 09:43:03 -0000
Who is uid 496 ? It's Varnish :o
varnish:x:496:496:Varnish Cache:/var/lib/varnish:/sbin/nologin
Is Varnish sending emails?
-
With the new qmail-toaster for Kloxo-MR, sendmail (including from PHP) will report something like:
Feb 2 03:31:16 server1 root: sendmail: CALLER="php-fpm: pool devel" PWD="/home/xyz/xyzdomain.com" BAN="no"
So, if you think domain mratwork.com is sending spam mail, you can add its PWD ("/home/xyz/xyzdomain.com") to the /var/qmail/control/badsendmailfrom file.
And if domain xyzdomain.com tries sendmail again, the report will be recorded as:
Feb 2 03:31:16 server1 root: sendmail: CALLER="php-fpm: pool devel" PWD="/home/xyz/xyzdomain.com" BAN="yes"
-
You can see the sendmail report by running 'cat /var/log/maillog|grep PWD' from ssh or 'command center' in the panel.
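An added example, not part of this thread or of Kloxo-MR: Python that parses those sendmail report lines from /var/log/maillog, counts calls per PWD (site directory), and separates directories already marked BAN="yes" from ones an admin might review before adding them to badsendmailfrom. The sample lines and the call-count threshold are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# One syslog line per sendmail invocation, in the format quoted above:
#   Feb 2 03:31:16 server1 root: sendmail: CALLER="php-fpm: pool devel" PWD="/home/xyz/xyzdomain.com" BAN="no"
SENDMAIL_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) \S+: sendmail: '
    r'CALLER="(?P<caller>[^"]*)" PWD="(?P<pwd>[^"]*)" BAN="(?P<ban>yes|no)"$'
)

# Constructed sample (not a real log): three calls from one site, one from another,
# one from a directory already banned, and an unrelated qmail delivery line.
SAMPLE_MAILLOG = """\
Feb  2 03:31:16 server1 root: sendmail: CALLER="php-fpm: pool devel" PWD="/home/xyz/xyzdomain.com" BAN="no"
Feb  2 03:31:17 server1 root: sendmail: CALLER="php-fpm: pool devel" PWD="/home/xyz/xyzdomain.com" BAN="no"
Feb  2 03:31:18 server1 root: sendmail: CALLER="php-fpm: pool devel" PWD="/home/xyz/xyzdomain.com" BAN="no"
Feb  2 03:31:19 server1 root: sendmail: CALLER="php-fpm: pool shop" PWD="/home/abc/shop.example" BAN="no"
Feb  2 03:32:00 server1 root: sendmail: CALLER="php-fpm: pool old" PWD="/home/old/old.example" BAN="yes"
Feb  2 03:32:01 server1 qmail: delivery 12: success: did_0+0+1/
"""

def parse_sendmail_line(line):
    """Return the fields of one sendmail report line, or None for any other line."""
    m = SENDMAIL_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def sendmail_report(lines, threshold=3):
    """Count sendmail calls per PWD.
    Returns (calls per PWD, sorted banned PWDs, sorted review candidates), where a
    candidate is a directory with at least `threshold` calls that is not banned yet.
    The threshold is an assumed value; tune it to the site's normal mail volume."""
    per_pwd, callers, banned = Counter(), defaultdict(set), set()
    for line in lines:
        rec = parse_sendmail_line(line)
        if rec is None:
            continue
        per_pwd[rec["pwd"]] += 1
        callers[rec["pwd"]].add(rec["caller"])   # which pool/process called sendmail
        if rec["ban"] == "yes":
            banned.add(rec["pwd"])
    candidates = sorted(p for p, n in per_pwd.items() if n >= threshold and p not in banned)
    return per_pwd, sorted(banned), candidates
```

On a live server, `sendmail_report(open("/var/log/maillog"))` gives the same three results for the real log.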