
Author Topic: Spammer sending spam from my web server with Kloxo MR  (Read 8936 times)


Offline lenawaii

Hi,

I would like to report a spam action on my web server running Kloxo MR. My web server has been blacklisted by Barracuda and I wanted to discover why, so I found a way to track scripts that use the PHP mail function. To get this, I used an easy way:

Adding two lines in /etc/php.ini in the [Mail Function] part:
- mail.add_x_header = On
- mail.log = /var/log/phpmail.log

I created a file phpmail.log in the right place with CH777 to report all the PHP scripts that use the PHP mail function and then restarted Apache.

After this, I could read the scripts and found the spam source: It's a script on a website in China with IP 124.173.132.30 => http://www.faret.cn/anzo.txt

How is it possible to send spam from an external script?

I wanted to blacklist spammer IP with "Blocked Hosts" option in Kloxo Panel but this option does not work as I reported here in this post => http://forum.mratwork.com/kloxo-mr-technical-helps/blocked-hosts-for-localhost-do-not-blacklist-ip-in-kloxo-mr/

What do you suggest to protect my server from external scripts like this one? Is Spamdyke useful for this?

Thanks for helping :-)

Below is the spam sent by the spammer to many recipients; this mail is blocked in the mail queue, by the way.

mail() on [http://www.faret.cn/anzo.txt????:193]: To: bin@iptransit.net -- Headers: From: Kenneth Williams <kwilliams174@yahoo.com>  Reply-To: kwilliams174@yahoo.com  MIME-Version: 1.0  Content-Type: text/plain  Content-Transfer-Encoding: 7bit    Hello ,  My name is Mr.Kenneth Williams,A America citizen that live in Liberia ,Am  sick for Ebola Virus Disease , Am an oil business man that  made so much wealth in Africa,Right here my family and associate cannot come to see me because of the disease , Doctor has  confirm to me that i will be death in 9 days time,I have wrote to my  bank account officer to transfer $10 million to you ,so that you will  take 20% and help me donate 80% to the charity home,This is my last wish  as doctor has confirmed that i cannot live any more, Please kindly  contact her now on Ms.Helen Adams Email: helenadams842@yahoo.com ,I have  instructed her to work out the modalities and you will disburse the funds to various charity home in the world.May God bless you as you work with my instruction,You may not hear  from me again as am very weak,Just manage to type this message,cooperate with  my account officer Ms.Helen,Bye Kenneth Williams

Offline MRatWork

Re: Spammer sending spam from my web server with Kloxo MR
« Reply #1 on: 2014-12-06, 19:36:43 »
Check the plugins of your website apps (like WordPress). Possibly one of the plugins has backdoor code.
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

Offline MRatWork

Re: Spammer sending spam from my web server with Kloxo MR
« Reply #2 on: 2014-12-08, 11:58:09 »
Try checking maillog in 'log manager'.
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

Offline lenawaii

Re: Spammer sending spam from my web server with Kloxo MR
« Reply #3 on: 2014-12-09, 12:01:35 »
Thank you for the advice,

maillog checked, no spam at the moment. I will use IP tables to block IPs if I identify the spammer.

Offline altomarketing

Re: Spammer sending spam from my web server with Kloxo MR
« Reply #4 on: 2015-02-05, 11:32:31 »
Hi, I followed your tip but my phpmail.log is empty, and I still receive bounce-backs like this in my server's main email (anonymous@myrealserver.net):

How can I search if the original message was sent by my server?

Code: [Select]
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.
 
<iceman66@centrum.cz>:
User and password not set, continuing without authentication.
<iceman66@centrum.cz> 77.93.216.15 failed after I sent the message.
Remote host said: 554 message refused by the scanner (#5.7.1) - for more information visit https://www.virusfree.cz/faq

--- Below this line is a copy of the message.
 
Return-Path: <anonymous@myrealserver.net>
Received: (qmail 21668 invoked by uid 496); 5 Feb 2015 13:09:29 -0000
Date: 5 Feb 2015 13:09:29 -0000
Message-ID: <20150205130929.21666.qmail@rudraksha.myrealserver.net>
To: iceman66@centrum.cz
Subject: Read and reply me
From: D.Mitch <de_mitche3797@aol.ca>
Reply-To: De Mitch <d.m7002@yahoo.co.uk>
Content-Type: text/plain
 
Hope you get to read this important message in good health.
 
I have a business opportunity to urgently share with you which involves a total amount of 18 Million (USD). The money was left behind by a deceased customer of my bank, and I am contacting you to seek your trusted partnership in receiving these funds. If you are interested, please reply immediately for detailed information.
 
Best regards,
Derek.

Offline lenawaii

Re: Spammer sending spam from my web server with Kloxo MR
« Reply #5 on: 2015-02-05, 11:44:07 »
Hi,

Did you restart Apache?

Offline altomarketing

Re: Spammer sending spam from my web server with Kloxo MR
« Reply #6 on: 2015-02-05, 16:59:11 »
Of course I did.

Offline lenawaii

Re: Spammer sending spam from my web server with Kloxo MR
« Reply #7 on: 2015-02-05, 17:45:49 »
Here is my php.ini :

[mail function]
SMTP = localhost
smtp_port = 25
sendmail_path = /usr/sbin/sendmail -t -i
mail.add_x_header = On
mail.log = /var/log/phpmail.log

Create the file phpmail.log in the right place with CH777, restart Apache.

This trick works only with PHP 5.3.0 and after.

Let me know if you manage to get it to work.
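One way to read the resulting phpmail.log, as an added example that is not part of the original posts: it counts mail() calls per calling script and marks scripts whose name is a URL rather than a local path, like the entry quoted in the first post. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names and sample log lines are constructed.

# Count mail() calls per calling script in a PHP mail.log, busiest first.
# Output columns: count, origin (local|remote), script
summarise_phpmail_log() {
    awk '
    {
        # Entry format: mail() on [SCRIPT:LINE]: To: rcpt -- Headers: ...
        start = index($0, "mail() on [")
        if (start == 0) next
        rest = substr($0, start + 11)
        stop = index(rest, "]: To: ")
        if (stop == 0) next
        script = substr(rest, 1, stop - 1)
        sub(/:[0-9]+$/, "", script)        # drop the trailing :LINE
        count[script]++
    }
    END {
        for (s in count) {
            # A scheme prefix means the running code was loaded through a URL
            origin = (s ~ /^[a-z][a-z0-9+.-]*:\/\//) ? "remote" : "local"
            printf "%d %s %s\n", count[s], origin, s
        }
    }' "$@" | sort -k1,1nr
}

# Constructed sample input in the format PHP writes to mail.log
sample_phpmail_log() {
    cat <<'EOF'
mail() on [/home/xyz/xyzdomain.com/contact.php:42]: To: a@example.test -- Headers: From: shop@example.test
mail() on [http://remote.example/payload.txt:193]: To: b@example.test -- Headers: From: x@example.test
mail() on [http://remote.example/payload.txt:193]: To: c@example.test -- Headers: From: x@example.test
this line is not a mail() entry and is skipped
mail() on [http://remote.example/payload.txt:193]: To: d@example.test -- Headers: From: x@example.test
EOF
}

sample_phpmail_log | summarise_phpmail_log
```

On a server, pass the log path instead of the sample: `summarise_phpmail_log /var/log/phpmail.log`.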

Offline lenawaii

Re: Spammer sending spam from my web server with Kloxo MR
« Reply #8 on: 2015-02-05, 17:52:40 »
About spam,

I now use a PHP function to secure my forms and protect my server from spammers; I share it here:

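function nospam($text){
    // Remove raw and URL-encoded CR/LF (%0A, %0D) plus header names used for mail header injection
    $text = str_replace(array("\r", "\n", "%0A", "%0a", "%0D", "%0d", "Content-Type:", "BCC:", "bcc:", "CC:", "cc:"), "", $text);
    // Remove HTML/PHP tags, then backslashes added by quoting
    $text = strip_tags($text);
    $text = stripslashes($text);
    return $text;
}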

especially for forms that send automatic emails to buyers or subscribers.

Offline altomarketing

Re: Spammer sending spam from my web server with Kloxo MR
« Reply #9 on: 2015-02-06, 07:56:37 »
Well, I now have logs in /var/log/phpmail.log, but the spammer is not using PHP to send emails, as nothing appears here.

I searched the forums and found that I should look at what the bounce said: Received: (qmail 21406 invoked by uid 496); 6 Feb 2015 09:43:03 -0000

Who is uid 496? It's Varnish   :o

Quote
varnish:x:496:496:Varnish Cache:/var/lib/varnish:/sbin/nologin

Is Varnish sending emails?
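The lookup done by hand in the post above, as an added example that is not part of the original thread: it pulls the uid out of every "invoked by uid" Received header in saved bounce messages and resolves it against a passwd-format file. The function names, the sample headers and every passwd entry except the varnish line quoted above are constructed.

```shell
#!/bin/sh
# Added example. Function names and sample data are constructed.

# Print "count uid account" for each local uid that handed mail to qmail.
# $1 = passwd-format file (/etc/passwd on the server)
# remaining arguments = saved bounce messages; stdin when none are given
qmail_invoking_accounts() {
    passwd_file=$1; shift
    # Only locally injected mail carries "invoked by uid"; mail received
    # over SMTP says "invoked from network" and is skipped here.
    sed -n 's/^Received: (qmail [0-9][0-9]* invoked by uid \([0-9][0-9]*\)).*/\1/p' "$@" |
    sort -n | uniq -c |
    while read -r count uid; do
        account=$(awk -F: -v uid="$uid" '$3 == uid { print $1; exit }' "$passwd_file")
        echo "$count $uid ${account:-unknown}"
    done | sort -k1,1nr
}

# Constructed passwd data; the varnish entry is the one quoted in the thread
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
varnish:x:496:496:Varnish Cache:/var/lib/varnish:/sbin/nologin
EOF
}

# Constructed Received headers as they appear in the copy inside a bounce
sample_bounces() {
    cat <<'EOF'
Received: (qmail 21668 invoked by uid 496); 5 Feb 2015 13:09:29 -0000
Received: (qmail 21406 invoked by uid 496); 6 Feb 2015 09:43:03 -0000
Received: (qmail 30012 invoked from network); 6 Feb 2015 09:50:00 -0000
Received: (qmail 30100 invoked by uid 48); 6 Feb 2015 10:01:12 -0000
Received: (qmail 30177 invoked by uid 1234); 6 Feb 2015 10:05:40 -0000
EOF
}

passwd_copy=$(mktemp)
sample_passwd > "$passwd_copy"
sample_bounces | qmail_invoking_accounts "$passwd_copy"
rm -f "$passwd_copy"
```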

Offline MRatWork

Re: Spammer sending spam from my web server with Kloxo MR
« Reply #10 on: 2015-02-06, 08:39:48 »
With the new qmail-toaster for Kloxo-MR, sendmail (including from PHP) will report something like:
Code: [Select]
Feb  2 03:31:16 server1 root: sendmail: CALLER="php-fpm: pool devel" PWD="/home/xyz/xyzdomain.com" BAN="no"

So, if you think the domain mratwork.com is sending spam mail, you can add its PWD ("/home/xyz/xyzdomain.com") to the /var/qmail/control/badsendmailfrom file.

And if the domain xyzdomain.com tries sendmail again, the report will be recorded as:
Code: [Select]
Feb  2 03:31:16 server1 root: sendmail: CALLER="php-fpm: pool devel" PWD="/home/xyz/xyzdomain.com" BAN="yes"
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

Offline MRatWork

Re: Spammer sending spam from my web server with Kloxo MR
« Reply #11 on: 2015-02-06, 08:41:39 »
You can see the sendmail report by running 'cat /var/log/maillog|grep PWD' from ssh or 'command center' in the panel.
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --
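A way to turn the sendmail report lines described in the two replies above into a per-directory summary, as an added example that is not code from Kloxo-MR or from the posters. It relies only on the CALLER/PWD/BAN line format shown above; the function names, the threshold and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example. Function names, threshold and sample lines are constructed.

# Tally sendmail report lines per PWD, busiest first.
# Output columns: total, banned, PWD, CALLER (CALLER may contain spaces)
sendmail_by_pwd() {
    awk '
    function field(key,    pat) {            # value of key="..." on this line
        pat = key "=\"[^\"]*\""
        if (!match($0, pat)) return ""
        return substr($0, RSTART + length(key) + 2, RLENGTH - length(key) - 3)
    }
    / sendmail: / && /PWD="/ {
        pwd = field("PWD")
        total[pwd]++
        if (field("BAN") == "yes") banned[pwd]++
        caller[pwd] = field("CALLER")
    }
    END {
        for (p in total)
            printf "%d %d %s %s\n", total[p], banned[p] + 0, p, caller[p]
    }' "$@" | sort -k1,1nr
}

# PWDs with more than $1 sendmail calls and no BAN="yes" entry yet: candidates
# to review before adding them to /var/qmail/control/badsendmailfrom
review_candidates() {
    limit=$1; shift
    sendmail_by_pwd "$@" | awk -v limit="$limit" '$1 > limit && $2 == 0 { print $3 }'
}

# Constructed maillog excerpt in the format shown in the reply above
sample_maillog() {
    cat <<'EOF'
Feb  2 03:31:16 server1 root: sendmail: CALLER="php-fpm: pool devel" PWD="/home/xyz/xyzdomain.com" BAN="no"
Feb  2 03:31:17 server1 root: sendmail: CALLER="php-fpm: pool devel" PWD="/home/xyz/xyzdomain.com" BAN="no"
Feb  2 03:31:18 server1 root: sendmail: CALLER="php-fpm: pool devel" PWD="/home/xyz/xyzdomain.com" BAN="no"
Feb  2 03:31:19 server1 root: sendmail: CALLER="php-fpm: pool devel" PWD="/home/xyz/xyzdomain.com" BAN="no"
Feb  2 03:40:02 server1 qmail: 1422848402.100 new msg 1311
Feb  2 04:02:10 server1 root: sendmail: CALLER="php-fpm: pool shop" PWD="/home/abc/abcdomain.com" BAN="no"
Feb  2 04:15:44 server1 root: sendmail: CALLER="php-fpm: pool old" PWD="/home/bad/baddomain.com" BAN="yes"
Feb  2 04:15:45 server1 root: sendmail: CALLER="php-fpm: pool old" PWD="/home/bad/baddomain.com" BAN="yes"
EOF
}

sample_maillog | sendmail_by_pwd
sample_maillog | review_candidates 3
```

On a server, pass the log path: `sendmail_by_pwd /var/log/maillog`.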

 

