spam coming from my server

Discussion in 'Linux VPS/Dedicated - cPanel' started by Jleagle, Oct 24, 2007.

  1. Jleagle

    Jleagle New Member

    In another post I mentioned my server goes into the black at a similar time every morning. Well, I just received a spam email saying it was mailed by my own server at that same time. Could somebody be using my server to send out spam? I don't have any accounts other than mine on WHM.

    Or could it mean that it was sent to *@mydomain.com and then automatically forwarded to me, and that's why it says it was mailed by my domain?

    Here is the full email. I own grabaforum.com and jimeagle.com


    Thanks.
     


  2. stormrider

    stormrider New Member

    Hello Jleagle,

    I would recommend getting in touch with support. This isn't a simple question and requires some investigation. Was someone able to discover one of your SMTP account logins? Or is someone using a script to do this?

    Also sometimes the spam that is sent to *@domain.com has the From: changed to *@domain.com. In this case, you shouldn't worry.
     
  3. Dan

    Dan Moderator

    Howdy Jleagle,

    You need to examine the full header of the email to determine where it actually originated from and what servers it went through.

    Odds are that it's simply someone sending out spam with your address as the from address.

    Hope that helps
     
  4. khiltd

    khiltd New Member

    Dan's probably right, but by simply taking advantage of your generous offer for free phpBB admin accounts devoid of any serious accountability, I was up and spamming my "users" from your server in about five minutes:

    Code:
    Received: from hostname.grabaforum.com (HELO hostname.grabaforum.com) (65.99.235.72)
    	by mail.sneakemail.com with SMTP; 24 Oct 2007 17:43:05 -0000
    Received: from nobody by hostname.grabaforum.com with local (Exim 4.68)
    	(envelope-from <[email protected]>)
    	id 1Ikjs5-0008Ud-EQ; Wed, 24 Oct 2007 17:18:21 +0000
    To: [email protected]
    Subject: we have this viagra
    Reply-To: <[email protected]>
    From: <[email protected]>
    Message-ID: <[email protected]>
    MIME-Version: 1.0
    Content-type: text/plain; charset=iso-8859-1
    Content-transfer-encoding: 8bit
    Date: Wed, 24 Oct 2007 17:18:21 +0000

    I didn't even attempt any of the various XSS/CSRF/SQL Injection attacks that have been responsible for decimating phpBB installations beyond recognition over the years, I just went to the admin panel and clicked a button. Sure, the resulting messages contained a preamble with an administrative contact to report spam to, but since that contact belongs to the spammer in question (me), that's not going to help much.

    I'm not trying to be insulting here, but honestly, given your current level of experience administering Linux systems, how many thousands of these do you think I'd be able to send out before you figured out what was going on? Probably enough to get you on a few blacklists, and maybe even attract a couple DDoS attacks that make life miserable for a lot of other completely innocent people on your node who weren't out there begging for it--including the KH staff members who will have to clean up the mess.

    Your server troubles are really only going to get worse if you choose not to alter your current business model, and I have to wonder what benefit could possibly justify the risks involved. There are safer ways of tricking people into looking at ads if that's the goal.

    Edit: You're also advertising the specific names and version numbers of most of your software to the world, making vulnerabilities even easier to find:

    Code:
    HTTP/1.1 302 Found
    Date: Wed, 24 Oct 2007 18:55:17 GMT
    Server: Apache/1.3.37 (Unix) PHP/5.2.3 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 mod_ssl/2.8.28 OpenSSL/0.9.7a
    X-Powered-By: PHP/5.2.3
    Location: http://grabaforum.com/home/
    Content-Type: text/html

    Yikes!
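Added example (not part of any post in the thread): one way to do the header check Dan describes, run over the headers khiltd quoted. The redacted addresses are replaced with example.com placeholders, and the `WEB_USERS` set, function names and verdict names are assumptions of this sketch.

```python
import re
from email import message_from_string

# Constructed sample: the headers quoted above, with redacted addresses
# replaced by example.com placeholders.
SAMPLE = """\
Received: from hostname.grabaforum.com (HELO hostname.grabaforum.com) (65.99.235.72)
\tby mail.sneakemail.com with SMTP; 24 Oct 2007 17:43:05 -0000
Received: from nobody by hostname.grabaforum.com with local (Exim 4.68)
\t(envelope-from <nobody@example.com>)
\tid 1Ikjs5-0008Ud-EQ; Wed, 24 Oct 2007 17:18:21 +0000
To: recipient@example.com
Subject: we have this viagra
From: <sender@example.com>

body
"""

# Accounts web servers commonly run as (assumption; adjust per host).
WEB_USERS = {"nobody", "apache", "www-data", "httpd"}
HOP_RE = re.compile(
    r"from\s+(?P<src>\S+).*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<proto>[\w-]+)",
    re.S | re.I)
ID_RE = re.compile(r"\bid\s+([\w-]+)")

def hops(raw):
    """Return Received hops oldest first (each MTA prepends its header)."""
    out = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP_RE.search(value)
        if m:
            hop = {k: m.group(k).lower() for k in ("src", "by", "proto")}
            mid = ID_RE.search(value)
            hop["id"] = mid.group(1) if mid else None
            out.append(hop)
    return out

def classify(raw, my_hosts):
    """Return (verdict, originating hop) for a message and our hostnames."""
    chain = hops(raw)
    if not chain:
        return "no-received-headers", None
    first = chain[0]
    if first["by"] in my_hosts and first["proto"] == "local":
        # Submitted on the box itself, e.g. by a PHP script calling mail().
        kind = "local-web-script" if first["src"] in WEB_USERS else "local-user"
        return kind, first
    if any(h["by"] in my_hosts for h in chain):
        return "relayed-through-server", first  # forwarded, not originated
    return "server-not-involved", first
```

Received lines below the first hop you control can be forged, so confirm a `local-web-script` verdict by looking up the returned Exim message id in the server's own mail log.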
     
  5. Jleagle

    Jleagle New Member

    Thanks a lot for the long reply khiltd.

    As for the problem in my first post, I think it was a false alarm. I think it only has my server in the headers because it was passed through my server when it was automatically redirected to my personal email, which I set it up to do in cPanel.

    I don't believe my offer of free phpBBs would attract spammers; it means that for every email they want to add to the list they need to create a new account with a unique user name etc. There are many easier ways to spam someone.

    If things ever get serious with a rise in spam, all I would have to do is disable the mass email admin page, which isn't too tricky.

    You're right about me not knowing enough about Linux to detect somebody creating accounts and abusing php mail. I would however find their phpBB account by realising that they have thousands of users and no real posts.

    Could you please explain what you mean by "tricking people into looking at ads"? I have a Google ad at the top of most forums, but that's all.

    One last thing... What did you do to find out the Apache details, and whereabouts would I have to go to hide them?

    Thanks!
     
  6. khiltd

    khiltd New Member

    If it were impossible for one to write a script which registers bogus accounts on internet forums for purposes of spamming them then why are there so many mods for phpBB designed to prevent this specifically? You seem to be forgetting that this is very popular software that is deployed insecurely in enough places to make it extremely worthwhile for attackers to poke holes in.

    Remember this gem?

    http://it.slashdot.org/it/04/12/21/2135235.shtml?tid=220&tid=217&tid=169

    Think the developers got smarter after that? Here's a defacing that happened this month:

    http://www.phpbb.com/community/viewtopic.php?f=1&t=585242

    Sticking your head in the sand and saying "it'll never happen to me" is never a particularly effective security policy, even if it is the one that phpBB themselves generally choose to adopt.

    And when would you do this? After a few days of downtime for everyone on your node and a couple threads asking why it happened to you? It's unlikely that the world will miss a handful of videogame boards during that null-routed time, but many people rely on their servers for business purposes. Finding out that a handful of videogame boards are responsible for the fact that you're suddenly on every blacklist in the world and can't process orders is enraging enough to make people dedicate inordinate amounts of time to complaining about it; just like me.

    I'm trying to figure out what made you think that giving out free, anonymous, easily abusable phpBB accounts was a worthwhile use of time and resources in the first place, and generating ad revenue is the only thing I can come up with. I'm genuinely curious to know what you get out of this because I am absolutely baffled.

    They're in every single HTTP header your server puts out:

    Code:
    curl -I http://www.grabaforum.com

    They are controlled by the ServerTokens and expose_php configuration directives in your httpd.conf and php.ini files respectively. Apache info can be masked completely with mod_security. You should really upgrade and harden your PHP installation at the very least.
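Added example (not from the thread): a check that lists every product/version pair a response advertises and names the directive khiltd says controls that header, run over the response quoted earlier in the thread. The function names are this example's own; feed it fresh `curl -I` output after changing the configuration to confirm the banner is gone.

```python
import re

# Constructed from the response headers quoted earlier in the thread.
RESPONSE = """\
HTTP/1.1 302 Found
Date: Wed, 24 Oct 2007 18:55:17 GMT
Server: Apache/1.3.37 (Unix) PHP/5.2.3 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 mod_ssl/2.8.28 OpenSSL/0.9.7a
X-Powered-By: PHP/5.2.3
Location: http://grabaforum.com/home/
Content-Type: text/html
"""

# A "product/version" token such as Apache/1.3.37 or OpenSSL/0.9.7a.
TOKEN_RE = re.compile(r"([A-Za-z][\w.-]*)/(\d[\w.]*)")

# Header name -> directive that controls it, as stated in the post above.
# "ServerTokens Prod" reduces the banner to "Server: Apache";
# "expose_php = Off" removes X-Powered-By.
CONTROLLED_BY = {"server": "ServerTokens", "x-powered-by": "expose_php"}

def parse_headers(text):
    """Parse a raw response head into {lowercased name: value}."""
    headers = {}
    for line in text.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def disclosures(text):
    """Return (header, product, version, directive) for each version leak."""
    headers = parse_headers(text)
    found = []
    for name, directive in CONTROLLED_BY.items():
        for product, version in TOKEN_RE.findall(headers.get(name, "")):
            found.append((name, product, version, directive))
    return found

if __name__ == "__main__":
    for header, product, version, directive in disclosures(RESPONSE):
        print(f"{header}: {product} {version} (controlled by {directive})")
```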
     
  7. Jleagle

    Jleagle New Member

    Hmm, yes I forgot about bots etc. I do have several mods in place to stop them, but since I have no registration logs I can't tell if bots have come and failed or not come at all.

    I'm a big fan of phpBB and generally believe I'm safe if I have the latest version, even though I know this isn't 100% true. A lot of the time people get hacked through other software and blame phpBB because it's all they use actively, but I do realise phpBB has had a rough history lol.

    Yes, the only reason I give away free phpBBs is for ad revenue; I'm not making much atm but it's slowly increasing every month. I still don't understand what you mean by tricking my visitors. The ads are targeted to the forum content (as I'm sure you know) so people generally click if they are interested in what the website advertised is offering.

    Oh yes, I forgot they were in the headers, and thanks for sharing how to hide them. I'll do this when I get some spare time.
     
