johnm1

Members
  • Content Count: 9
  • Community Reputation: 0 Neutral
  • Rank: Newbie

About johnm1

  1. The problem is solved! A PHP mail script seems to have been abused on our second server. The script had a problem with <CR><LF> injections, as all other scripts on that server have, so we are fixing the problem in all scripts right now. The second server has a trusted connection to the mail server and was not logged at all. I think zombie computers were used to post.

     68-112-178-169.dhcp.fdul.wi.charter.com - - [07/Dec/2005:01:33:45 +0100] "POST /contact.php HTTP/1.0" 200 3557 "http://www.destip.nl/" "-"
     68-112-178-169.dhcp.fdul.wi.charter.com - - [07/Dec/2005:01:33:49 +0100] "POST http://www.destip.nl/contact.php HTTP/1.1" 200 1615 "http://www.destip.nl/" "-"
     61.84.16.157 - - [07/Dec/2005:02:27:22 +0100] "POST /contact.php HTTP/1.1" 200 3549 "http://www.destip

     and lots more of this in the web server log. Most of the requests were done by ppp-82-3-217-212.dialup.iam.net.ma. It seems that it has been going on for a very long time... Hope the fix will work (replacing the characters).
  2. Hi Missbetsy, you are right, it must be somewhere in some kind of log. We found it in the PHP log, so we are checking it right now. Hi Snowbat, thanks for the tips; the "for i in var/log..." is very useful, I was just doing it the basic way. Your script saves lots of time. I'll let you know when I find out more.
  3. We found the problem. The mail is sent by the PHP engine, so there must be a hacked or abused PHP script. We're searching right now.
  4. Yes, sometimes it could happen. Last week we ran a check on all computers at all companies for spyware, hack tools, etc. All systems are clean. So: either somebody is sending mail and not telling (but it is still strange that all other mail is in the logs and this isn't), or somebody has given his account info to somebody else (or somebody knows a username and password). I and two other system managers (best friends) are the only ones who can log in to the server and change stuff / make new accounts etc., so that wouldn't be the problem.
  5. The server is colocated. There are about 10 companies on that server. We share the costs of the server, so in fact we are the ISP ourselves. A friend and I manage the server.
  6. Hi, Telarin! Thanks for your response. It is indeed strange that it was sent by ns1.noxa.nl, the same server, but it should send mail from mx1. I will check that, but I think it just slipped in while changing so many things to find out where the spam came from. The server looks to be clean; we also changed the passwords to be sure. Tomorrow morning I will try just disabling all outbound mail. It's bedtime for me now (in the Netherlands it is 11:45 PM, so... bedtime). I think it must be a verified user, but now the trick is to find out who.
  7. Hi, turetzsr! Thanks for your advice. I read the FAQ before, and also tried disabling sending mail through our servers for "destip.nl"; it didn't work. We started logging outbound e-mail and all rejected / bounced messages a while ago. There wasn't any sent message from "destip.nl". There was a lot of incoming spam mail and rejected mail, but all incoming. Then we inspected the computer of my customer; all seems to be clean: no spyware / viruses / rootkit viruses, no hack software. In Outlook he never even used our server for outgoing mail; he used the one of his Internet provider. It is really freaking me out, because the only names used for the spam are "destip.nl" names; none of my other customers have this problem. At this moment my colleague is checking the SquirrelMail environment... I don't think that spammers have found a way to hack into webmail environments, but you never know. Thanks for all the hard thinking and responses.
  8. Thanks for your advice. The server is a colocated server, dedicated to mail only. There are still lots of bounced messages coming in for [at]destip.nl. I think I will disable all outbound e-mail and see if there are still (new) messages coming in. If there are people who want to test my server for relaying, let me know. I'm willing to pay for it.
  9. Hello, first of all, sorry for my bad English. My mail server got reported, but the reported spam mail doesn't seem to have been sent from my mail server. I checked all the logs and I really can't find the message or any of the strange xxxx[at]destip.nl messages. All the bounced mail / spam mail have AOL servers in the headers. A copy of the message reported by SpamCop:

     > [ Offending message ]
     > Return-Path: <www[at]noxa.nl>
     > Received: from rly-yc04.mail.aol.com (rly-yc04.mail.aol.com [172.18.205.147]) by air-yc01.mail.aol.com (v107.13) with ESMTP id MAILINYC14-1d4438bb6b1c3; Mon, 28 Nov 2005 21:02:37 -0500
     > Received: from mx1.noxa.nl (ns1.noxa.nl [82.192.89.201]) by rly-yc04.mail.aol.com (v107.13) with ESMTP id MAILRELAYINYC48-1d4438bb6b1c3; Mon, 28 Nov 2005 21:02:31 -0500
     > Received: by mx1.noxa.nl (Postfix, from userid 80) id EB840170D3; Tue, 29 Nov 2005 02:56:24 +0100 (CET)
     > To: x
     > Subject: astonishment9857[at]destip.nl
     > From: UnknownSender[at]UnknownDomain
     > X-AOL-ORIG-From: "astonishment9857[at]destip.nl" <him>
     > Content-Type: text/plain; charset="us-ascii"
     > MIME-Version: 1.0
     > Content-Transfer-Encoding: 7bit
     > Subject: Companies positioned to move
     > Message-Id: <2005_________________70D3[at]mx1.noxa.nl>
     > Date: Tue, 29 Nov 2005 02:56:24 +0100 (CET)
     > X-AOL-IP: 82.192.89.201
     > X-AOL-SDI: PROFILE
     >
     > UNDERVALUED SPECIAL SITUATION -- Huge Appreciation Potential!
     > .... etc etc...

     The server mx1.noxa.nl (ns1.noxa.nl) is my server; "destip.nl" is a customer of mine. Also lots of this kind of mail got bounced to my account (<catchall>[at]noxa.nl, orig: www[at]noxa.nl). Even after disabling the "destip.nl" accounts it still goes on. Is there anybody who knows this kind of problem? I use FreeBSD with Postfix + ClamAV + SpamAssassin. To me it looks like some kind of spammer uses fake headers. Is there anybody with the same problem? Help urgently needed...
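The mechanism johnm1 eventually found in post 1 (a contact form whose fields were copied into mail headers without stripping CR/LF, sent over the web server's trusted path, which is why the reported message shows "Received: by mx1.noxa.nl (Postfix, from userid 80)") is shown below in an added example. This is not the poster's contact.php and not SpamCop's code; the function names, the example.com addresses and the sample payload are ours. It puts the vulnerable header builder next to a hardened one. Where the poster's fix replaces the offending characters, this version rejects the submission outright, which is the safer choice because there is no legitimate reason for a newline in an address or a name.

```php
<?php
// Added example, not the poster's contact.php. A minimal contact-form
// handler in two versions: the header-injection bug described in the
// post, and one hardened form. Names and addresses here are invented.

// VULNERABLE: the visitor's e-mail address is concatenated straight into
// the additional_headers argument of mail(). Mail headers are separated by
// CRLF, so a submitted value such as
//   "a@example.com\r\nBcc: v1@example.org, v2@example.org\r\n\r\nspam text"
// turns one contact message into a spam run with attacker-chosen
// recipients and body, relayed through the web server's trusted mail path.
function build_headers_vulnerable(string $email, string $name): string
{
    return "From: $name <$email>\r\n"
         . "Reply-To: $email\r\n";
}

// Hardened helper: refuse any header value containing CR, LF or NUL
// rather than trying to repair it, so an injection attempt fails closed.
function header_value_or_null(string $value): ?string
{
    return preg_match('/[\r\n\0]/', $value) === 1 ? null : trim($value);
}

// HARDENED: validate every field that lands in a header, keep From fixed
// to a site address, and put the visitor's address only in Reply-To.
// Returns null when the submission must be rejected.
function build_headers_safe(string $email, string $name): ?string
{
    $email = header_value_or_null($email);
    $name  = header_value_or_null($name);
    if ($email === null || $name === null) {
        return null;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Remove characters that could close or restructure a display name.
    $name = str_replace(['"', '<', '>', ':', ';', ','], '', $name);
    return "From: Website contact form <www@example.com>\r\n"
         . "Reply-To: \"$name\" <$email>\r\n";
}

// Constructed sample input: the kind of body a bot would POST to
// /contact.php. Nothing here comes from the poster's logs.
$attack = "a@example.com\r\nBcc: v1@example.org, v2@example.org\r\n\r\n"
        . "UNDERVALUED SPECIAL SITUATION";

echo "--- vulnerable ---\n", build_headers_vulnerable($attack, 'Bob'), "\n";
// The output above carries an injected Bcc line and a premature body.

echo "--- hardened ---\n";
var_dump(build_headers_safe($attack, 'Bob'));              // NULL: rejected
var_dump(build_headers_safe('a@example.com', 'Bob <x>'));  // string: accepted, name cleaned

// In the form handler the hardened builder is used like this:
//   $headers = build_headers_safe($_POST['email'] ?? '', $_POST['name'] ?? '');
//   if ($headers === null) { http_response_code(400); exit; }
//   mail('owner@example.com', 'Contact form', $body, $headers);
```

The same CR/LF check belongs on the subject field, and the recipient must be a fixed server-side address rather than anything taken from the form; with those two rules a contact script cannot be turned into a relay no matter what is posted to it. Rate-limiting POSTs per client address would also have made the flood from a single dial-up host in the poster's log stand out immediately.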