nadeaup

[Resolved] SPAM Header/Server help!


I need help!!! I am being told that spam is being sent by my server 209.17.190.78.

I currently have deleted the sendmail binaries and every other mail-related service.

The email below seems to show a non-routable IP address, 172.18.52.79...

How can I prove to my hosting company and their NOC that this spam is not coming from my server and my IP is being spoofed??? OR am I wrong?

Please help!!! Below is the email with comments in the headers..

X-Apparently-To: x via 66.163.178.118; Sat, 10 Nov 2007

02:54:08 -0800

X-Originating-IP: [68.230.240.59]

Authentication-Results: mta423.mail.re4.yahoo.com

from=cox.net; domainkeys=neutral (no sig)

Hmmm authentication-results: isn't a header I recognise

Received: from 68.230.240.59 (EHLO eastrmmtao107.cox.net)

(68.230.240.59) by mta423.mail.re4.yahoo.com with SMTP;

Sat, 10 Nov 2007 02:54:08 -0800

This received header was added by your mailserver

mta423.mail.re4.yahoo.com received this from someone claiming

to be 68.230.240.59

(mta423.mail.re4.yahoo.com doesn't record the senders IP

address in any way I recognise, so it's impossible to be

sure. All received headers after this one should be

treated with suspicion)

Received: from eastrmimpo03.cox.net ([68.1.16.126])

by eastrmmtao107.cox.net (InterMail vM.7.08.02.01

201-2186-121-102-20070209) with ESMTP id

<20071110105208.STAY4189.eastrmmtao107.cox.net[at]eastrmimpo03.cox.net>; Sat, 10 Nov 2007 05:52:08 -0500

eastrmmtao107.cox.net received this from eastrmimpo03.cox.net

(IP addresses match)

Received: from eastrmwml20.mgt.cox.net ([172.18.52.79]) by

eastrmimpo03.cox.net with bizsmtp id

Ayrg1Y0051iXuec0000000; Sat, 10 Nov 2007 05:51:40 -0500

eastrmimpo03.cox.net received this from someone claiming

to be eastrmwml20.mgt.cox.net

but really from 172.18.52.79(No rDNS)

All headers below may be forged

Received: from 209.17.190.78 by webmail.east.cox.net; Sat,

10 Nov 2007 5:52:05 -0500

webmail.east.cox.net received this from someone claiming

to be 209.17.190.78

(webmail.east.cox.net doesn't record the senders IP

address in any way I recognise, so it's impossible to be

sure. All received headers after this one should be

treated with suspicion)

Date: Sat, 10 Nov 2007 5:52:06 -0500

From: The free lotto sweepstakes <figgy45[at]cox.net>

Reply-To: agtwilliams202[at]hotmail.com

Many spams are forged to appear connected to hotmail.com. They

probably aren't from there. If the spam is soliciting replies

to a hotmail.com address tell abuse[at]hotmail.com and the mailbox

will die.

Subject: BATCH NUMBER: YPA/07-43658

MIME-Version: 1.0

Content-Type: text/plain; charset=utf-8

Content-Transfer-Encoding: 7bit

X-Priority: 3 (Normal)

Sensitivity: Normal

Hmmm sensitivity: isn't a header I recognise

BATCH NUMBER: YPA/07-43658

REFERENCE NUMBER: 2007234522

PIN: 1206

This is to inform you that you have won a prize money of

(GBP500,000.00) for the 2007 Prize Promotion which is

Organized by The Free lotto Company

The Free lotto Company! collects all the email addresses of the

people that are active online, among the millions that subscribed to

Yahoo and Hotmail and few from other e-mail providers. Ten people

are selected monthly to benefit from this promotion and you are

one of the Selected Winners.

Fill and return to Agent Name: Rev.Jackson Williams

E-Mail:agtwilliams202[at]hotmail.com

Full name.....

Winning email.....

Occupation.........

Nationality.........

Phone no...........

Age.......

He shall commence the process

that will facilitate the release of your fund to you.

Regards,

Mrs Pauline Walcott.


None of this has anything to do with the MailHost Configuration of your Reporting Account .. therefore moving this Topic out of that Forum section.

As it also appears to have nothing to do with the SpamCop.net Parsing & Reporting system either, the SpamCopDNSBL does not seem to be involved, the Lounge is where this will end up.

The alleged headers have simply been too contaminated .... I don't have the time at present to think about trying to reconstruct something useable out of this mess ..... Please provide an actual set of headers without the extra garbage ....


I need help!!! I am being told that spam is being sent by my server 209.17.190.78.

Please help!!! Below is the email with comments in the headers..

Please post it without all the comments, just as it appeared. The computer using the IP was indeed seen sending out a lot of spam starting Oct. 18th and ending Nov. 10th, the date of the spam you're talking about, so yes, you had a problem up until then. However, that IP address seems to be hosting some sort of anonymous proxy service...try visiting this URL:

http://209.17.190.78/

You can Google the IP and find plenty of Wiki complaints about anonymous posts coming from that IP.

Here's a list of some of the spam seen coming from your IP...all reported to SpamCop and then to your provider:

Submitted: Saturday, November 10, 2007 11:24:31 AM -0700:

BATCH NUMBER: YPA/07-43658

* 2611159891 ( 209.17.190.78 ) To: abuse#gt.ca[at]devnull.spamcop.net

* 2611159745 ( 209.17.190.78 ) To: abuse[at]gt.ca

Submitted: Saturday, November 10, 2007 7:53:32 AM -0700:

BATCH NUMBER: YPA/07-43658

* 2610668537 ( 209.17.190.78 ) To: abuse#gt.ca[at]devnull.spamcop.net

Submitted: Saturday, November 10, 2007 7:53:29 AM -0700:

BATCH NUMBER: YPA/07-43658

* 2610668857 ( 209.17.190.78 ) To: abuse#gt.ca[at]devnull.spamcop.net

Submitted: Wednesday, November 07, 2007 5:15:18 PM -0700:

Employment Opportunity

* 2605604695 ( 209.17.190.78 ) To: abuse#gt.ca[at]devnull.spamcop.net

Submitted: Tuesday, November 06, 2007 1:32:54 PM -0700:

Attention:- Freelotto Sweepstakes 2007

* 2603153383 ( 209.17.190.78 ) To: abuse#gt.ca[at]devnull.spamcop.net

Submitted: Tuesday, November 06, 2007 10:29:51 AM -0700:

CONGRATULATIONS!!!

* 2602981730 ( 209.17.190.78 ) To: abuse#gt.ca[at]devnull.spamcop.net

Submitted: Saturday, November 03, 2007 11:43:20 AM -0700:

Details To File Your Claims Needed!!!

* 2597318918 ( 209.17.190.78 ) To: abuse#gt.ca[at]devnull.spamcop.net

Submitted: Saturday, November 03, 2007 8:14:19 AM -0700:

Details To File Your Claims Needed!!!

* 2596988771 ( 68.230.240.47 ) To: abuse#cox.net[at]devnull.spamcop.net

* 2596988770 ( 68.1.16.119 ) To: abuse#cox.net[at]devnull.spamcop.net

* 2596988768 ( 209.17.190.78 ) To: abuse#gt.ca[at]devnull.spamcop.net

Submitted: Saturday, November 03, 2007 4:03:06 AM -0700:

Details To File Your Claims Needed!!!

* 2596597262 ( 209.17.190.78 ) To: abuse#gt.ca[at]devnull.spamcop.net

Submitted: Wednesday, October 31, 2007 9:12:18 AM -0700:

Employment Opportunity (Part Time)

* 2591150349 ( 209.17.190.78 ) To: abuse#gt.ca[at]devnull.spamcop.net

* 2591150345 ( 209.17.190.78 ) To: abuse[at]gt.ca

Submitted: Wednesday, October 31, 2007 7:28:19 AM -0700:

ARE YOU LOOKING FOR LOAN FUNDING?

* 2590996052 ( 209.17.190.78 ) To: abuse#gt.ca[at]devnull.spamcop.net

Submitted: Tuesday, October 30, 2007 4:49:54 PM -0700:

Employment Opportunity (Part Time)

* 2589982592 ( 209.17.190.78 ) To: abuse#gt.ca[at]devnull.spamcop.net

Submitted: Tuesday, October 30, 2007 10:02:33 AM -0700:

Lottery Winners International

* 2589325681 ( 209.17.190.78 ) To: abuse#gt.ca[at]devnull.spamcop.net

Submitted: Saturday, October 20, 2007 5:44:00 PM -0700:

=?utf-8?Q?FINAL_NOTICE_YOU_EMAIL_WAS_SE?= =?utf-8?Q?LECTED!!_(=C3=82=C2=A3500...

* 2571880949 ( 209.17.190.78 ) To: abuse#gt.ca[at]devnull.spamcop.net

Submitted: Thursday, October 18, 2007 10:13:43 AM -0700:

Seven Bell Yard ? Barristers

* 2567610540 ( 209.17.190.78 ) To: abuse#gt.ca[at]devnull.spamcop.net

So, perhaps you can see that the claims of spam are indeed real, M. Nadeau? But maybe you solved the problem by removing Sendmail, so maybe everything should now be OK? Unless some of your anonymous users do bad things on websites....

DT


Here is the CLEAN header/email.

I had all traffic to and from port 25 blocked with iptables. Sendmail was not running, and there were no SSH logins other than mine... I am the only user on the server... There was nothing in the mail logs...

I guess deleting the sendmail binaries is the last thing I can do.. I also did a chkrootkit check and nothing was found...

Thanks for your help!!!

Is there someone on this forum I can hire to go in and fix my mail setup to be secure???

X-Apparently-To: scoots592002[at]yahoo.com via 66.163.178.118; Sat, 10 Nov

2007 02:54:08 -0800

X-Originating-IP: [68.230.240.59]

Authentication-Results: mta423.mail.re4.yahoo.com from=cox.net;

domainkeys=neutral (no sig)

Received: from 68.230.240.59 (EHLO eastrmmtao107.cox.net)

(68.230.240.59)

by mta423.mail.re4.yahoo.com with SMTP; Sat, 10 Nov 2007 02:54:08

-0800

Received: from eastrmimpo03.cox.net ([68.1.16.126])

by eastrmmtao107.cox.net

(InterMail vM.7.08.02.01 201-2186-121-102-20070209) with ESMTP

id

<20071110105208.STAY4189.eastrmmtao107.cox.net[at]eastrmimpo03.cox.net>;

Sat, 10 Nov 2007 05:52:08 -0500

Received: from eastrmwml20.mgt.cox.net ([172.18.52.79])

by eastrmimpo03.cox.net with bizsmtp

id Ayrg1Y0051iXuec0000000; Sat, 10 Nov 2007 05:51:40 -0500

Received: from 209.17.190.78 by webmail.east.cox.net; Sat, 10 Nov 2007

5:52:05 -0500

Date: Sat, 10 Nov 2007 5:52:06 -0500

From: The free lotto sweepstakes <figgy45[at]cox.net>

Reply-To: agtwilliams202[at]hotmail.com

Subject: BATCH NUMBER: YPA/07-43658

MIME-Version: 1.0

Content-Type: text/plain; charset=utf-8

Content-Transfer-Encoding: 7bit

X-Priority: 3 (Normal)

Sensitivity: Normal

BATCH NUMBER: YPA/07-43658

REFERENCE NUMBER: 2007234522

PIN: 1206

This is to inform you that you have won a prize money of

(GBP500,000.00) for the 2007 Prize Promotion which is

Organized by The Free lotto Company

The Free lotto Company! collects all the email addresses of the

people that are active online, among the millions that subscribed to

Yahoo and Hotmail and few from other e-mail providers. Ten people

are selected monthly to benefit from this promotion and you are

one of the Selected Winners.

Fill and return to Agent Name: Rev.Jackson Williams

E-Mail:agtwilliams202[at]hotmail.com

Full name.....

Winning email.....

Occupation.........

Nationality.........

Phone no...........

Age.......

He shall commence the process

that will facilitate the release of your fund to you.

Regards,

Mrs Pauline Walcott.

And yes, I do run phproxy, an anonymous web browsing script. I guess I should add one more thing. I was recently DDoSed for 3 days until the NOC could block all the traffic and I changed my IP... I think someone does not like me out there... Maybe it's time to pick a new hobby....

Thanks in advance for any help you all can provide!

Edited by nadeaup


Received: from 209.17.190.78 by webmail.east.cox.net; Sat, 10 Nov 2007

5:52:05 -0500

That's a valid Received header, put there by the Cox.net webmail system. I just sent myself a test message using Cox webmail (but not through your proxy server) and it had the same format. IOW, someone was using your proxy service to spam people using a hijacked Cox account.

In fact, a search on your IP of the Usenet posts using Google Groups produces some hits to reports in the news.admin.net-abuse.sightings of similar spam coming from your IP. If you want to keep your hosting account, I think that you need to stop hosting an anonymous proxy. By providing spammers a way to hide their IP addresses, it seems that you're part of the problem, not the solution.

DT

Is there someone on this forum I can hire to go in an fix my mail setup to be secure???

I find this to be more than a bit confusing.

I had all traffic to and from port 25 blocked with iptables. Sendmail was not running, and there were no SSH logins other than mine... I am the only user on the server... There was nothing in the mail logs...

I guess deleting the sendmail binaries is the last thing I can do

The question at this point would be .... what e-mail? With no traffic allowed to/from, no e-mail server application running, ???? Can't get much more secure than that as far as e-mail goes <g>

.. I also did a chkrootkit check and nothing was found...

And yes, I do run phproxy, an anonymous web browsing script. I guess I should add one more thing. I was recently DDoSed for 3 days until the NOC could block all the traffic and I changed my IP... I think someone does not like me out there... Maybe it's time to pick a new hobby....

Thanks in advance for any help you all can provide!

There's yet more that leaves me wondering what's actually all involved with 'your server' ....

209.17.190.78 ==> h209-17-190-78.gtcust.grouptelecom.net

Not sure about Bell Canada's definitions, but other research shows listings like;

139.142.154.254 ==> static-139-142-154-254.gtcust.grouptelecom.net

So the scenario looks like this is not a 'business' account, more like a 'home' account .. for which most hosting ISPs don't like 'servers' being run ....

You don't say what's really at / running on this server, but the question would be .... what is actually 'using' this server / what services is this server actually hosting/providing.

The point being .... the e-mail headers offered up don't actually show a typical e-mail (i.e. from an e-mail client to an e-mail server) .... what is seen is a connection via this IP Address to a web-mail application ... what this means is that 'your issue' isn't actually an e-mail server issue, rather it's "access to your server" that's in question.

SSH access would be noted for someone actually wanting that kind of access, but .. as DavidT notes, your suggested use of an application kind of hints that SSH access wouldn't be required to tap into this running app. If you have access to the logs on 'your' server, who else has been accessing any other services running on it? Does this web-surfing tool require any kind of login privileges?

Basically, I'm saying that your focus on the e-mail server/service is pointed to the wrong target. As DavidT suggests, the real question appears to be .. who has been using your server to contact other places, in this case, the Cox webmail server???

Just kind of confused as to having a 'server' involved if you are 'the only user' .... and having services other than firewall, NAT, and such still running if they actually aren't used .... Yes, I have servers running 'here' at the house, but they are for my own use, not connected to the net (except for those update runs)


It is a dedicated server running at esecuredata.com. They are based in Canada.

The only user on the system is root (me). I host about 30 websites there...

razorlife.com

actionhunting.com

razorproxy.com (this site is hosted on the same server but a different IP)

to name a few...

The PHPProxy script runs via apache and does not have any system access at all. I do not run any webmail software. Apache is the user that apache is run under. There are no known exploits for that version of the script.

The mixed IPs you pointed out have me even more confused...

I'll continue digging and check the web logs.

Thank you for the responses.

-Patrick

The PHPProxy script runs via apache and does not have any system access at all. I do not run any webmail software.

It's very simple. People are using your HTTP proxy service to access *other* webmail systems, and are spamming from those other systems. Therefore, you're helping them to spam anonymously, so as long as you keep running that anonymous proxy, you're likely to keep having this problem.

The mixed IPs you pointed out have me even more confused...

Mixed IPs? Wazoo gave an example of an *other* IP on the same provider as yours. I don't think he was linking the other IP to your situation.

DT


It's very simple. People are using your HTTP proxy service to access *other* webmail systems, and are spamming from those other systems. Therefore, you're helping them to spam anonymously, so as long as you keep running that anonymous proxy, you're likely to keep having this problem.

David is correct. The open proxy is your problem, kill it and you will stop relaying spam.


Thanks guys, that was it.. Is there a place to get a list of webmail servers? That way I could block those sites...

FYI -- I found a list of webmail sites in the SquidGuard blacklist databases!!!

You may well still get complaints about people using your proxy to comment spam or using it to launch attacks against other systems. I hope your ISP is understanding. I won't even comment on the possible liability issues.

Thanks guys, that was it.. Is there a place to get a list of webmail servers? That way I could block those sites...

FYI -- I found a list of webmail sites in the SquidGuard blacklist databases!!!

Question and follow-up seem totally backwards. The actual issue is dealing with who accessed your system and then generated the webmail connections.

The only user on the system is root (me). I host about 30 websites there...

razorlife.com

actionhunting.com

razorproxy.com (this site is hosted on the same server but a different IP)

to name a few...

I read what this says, but .... this doesn't say that you 'run/admin' all these hosted sites.

You seem to imply that the server access logs don't show someone actually making a 'direct' connection to the proxy. (By the way, looking that up, I see that there's only a few dozen "PHPProxy" scripts floating around out there, all tied to different author names. The most prominent of these [found on Freshmeat and Sourceforge] haven't been updated in years, much in contrast to the rise in PHP scripting/SQL-injection attacks over the same time-frame .. also noting that none of these are 'advertised' as a way to post into webmail applications ....)

So the spectre of one of these hosted sites being compromised, thus allowing access to other parts of your server, cannot be overlooked.


Thanks guys, that was it.. Is there a place to get a list of webmail servers? That way I could block those sites...

You don't want to stop your server from going to those sites. You want to stop the outsiders from using your system in the first place. If they can use your system to send webmail, they can use it for other things as well.


You're misunderstanding the situation. No one is accessing my system and using webmail. I do not have webmail or any other mail servers/services configured, web based or not.

People are using a free service I offer "anonymous web browsing". They are using that service to access web sites anonymously - in 99% of the cases this is a good thing.

There is a small number of people that were using that service to log into a webmail account (likely one they hacked or a fake one they set up and don't care if it gets closed), compose an email and send out spam. The real problem to me is that the webmail service they are using allows them to send emails to many recipients.

So, to do what I can on my end to eliminate spam, I decided to block access to as many webmail sites that I could find. This allows me to keep my service up and running which has many good and positive uses and makes it annoying to use for someone with the intention of hiding their IP when connecting to a webmail account to send spam... Hopefully this will greatly reduce the problem.

Thanks again for the help.

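The mitigation described in the post above is a destination blocklist in front of the proxy. As an added example that is not code from the thread or from the PHProxy project, here is the matching logic such a list needs, written against the squidGuard "domains" format mentioned earlier (one domain per line; a listed domain covers itself and every subdomain, so the check walks DNS labels rather than doing a suffix test that would let nothothotmail.com match hotmail.com). The sample list is constructed here, and the audit record returned by `proxy_decision` is my own addition: it is the client-IP / destination / timestamp triple an operator needs in order to answer an abuse report that quotes a webmail Received: line. The record also flags the two cases a name list cannot cover, requests to bare IP literals and to portals not yet listed.

```python
"""Destination blocklist for an anonymizing HTTP proxy, squidGuard-style.

Added example (not code from the thread or from the PHProxy project).
Assumes a plain text domain list, one domain per line, where a listed
domain matches itself and all subdomains, as squidGuard domainlists do.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample list in squidGuard "domains" format: the webmail
# hosts named in the thread plus two assumed ones. Comments and blanks allowed.
SAMPLE_DOMAINLIST = """\
# webmail portals we refuse to proxy
webmail.east.cox.net
mail.yahoo.com
hotmail.com
"""


def load_domainlist(text):
    """Parse a squidGuard-style domain list into a set of lowercase domains."""
    domains = set()
    for line in text.splitlines():
        line = line.strip().lower()
        if not line or line.startswith("#"):
            continue
        domains.add(line.rstrip("."))
    return domains


def host_is_blocked(host, domains):
    """True if host equals a listed domain or is a subdomain of one.
    Walk label boundaries so 'nothotmail.com' does not match 'hotmail.com'."""
    if not host:
        return False
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in domains:
            return True
    return False


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def proxy_decision(client_ip, url, domains, when):
    """Decide whether to fetch an absolute url for client_ip, and build the
    audit record the operator needs to answer an abuse report: who asked for
    what, and when, so it can be lined up with the Received: line in the
    complaint. (The record is this example's assumption, not PHProxy's log.)"""
    host = urlsplit(url).hostname  # lowercased, userinfo and port removed
    blocked = host_is_blocked(host, domains)
    return {
        "when": when,
        "client_ip": client_ip,
        "host": host,
        "action": "deny" if blocked else "allow",
        # A name list says nothing about requests to bare IP literals or to
        # portals not yet listed; both still go through as "allow".
        "name_list_applicable": host is not None and not _is_ip_literal(host),
    }


if __name__ == "__main__":
    bl = load_domainlist(SAMPLE_DOMAINLIST)
    for url in ("http://webmail.east.cox.net/", "http://compose.mail.yahoo.com/",
                "http://www.cox.net/", "http://209.17.190.78/"):
        print(proxy_decision("192.0.2.10", url, bl, "2007-11-10T05:52:05-05:00"))
```

The denied/allowed split is only half of the value; keeping the returned record for every request is what turns "someone used my proxy" into "192.0.2.10 fetched webmail.east.cox.net at 05:52:05", which is the question the other replies in this thread keep coming back to.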

People are using a free service I offer "anonymous web browsing". They are using that service to access web sites anonymously - in 99% of the cases this is a good thing.

Not really. I see no reason at all to use "anonymous web browsing" unless you are doing something you do not want tracked. I see no "good thing" in that. Please tell me what "good things" can be done via anonymous web browsing that can not be done via a public IP?

If someone is using an anonymous web browser to view some spam link they receive, the spammer is likely going to make money from that spam hit, the same way they do if it were not anonymized, either by someone buying the "product" or just the "hit" on the site itself. The IP address a web request is coming from will not help a spammer determine which email address generated the successful hit, the link itself will.

People are using a free service I offer "anonymous web browsing". They are using that service to access web sites anonymously - in 99% of the cases this is a good thing.
You may be playing whack-a-mole here, since there are many, many webmail portals out there, and no doubt more of them coming every day (including perhaps even those set up for purposes of spamming).

Using anonymous HTTP to send spam via a third-party webmail site is a bit like using an open-relay mail server to send spam via "normal" SMTP. In this context, if SpamCop detects an open-relay SMTP host, it will send reports on it the same as it would for the "ultimate" source of the spam; likewise, open-relay blocking lists will add the addresses of such relays to their lists, which can lead to mail (even non-spam mail) being blocked. The operators of open relays might protest that they did not send the spam, but their fingerprints are on it and they wind up bearing at least part of the consequences for it.

I appreciate your desire to offer a useful service (i.e., anonymous HTTP), but in so doing you are taking a big burden on yourself -- you either become a traceable conduit for spam (as has happened) or other more nefarious exploits, or else you wind up becoming a policeman for the traffic that traverses your server, spending too much of your time trying to block access to various sites here and there, and keeping a sharp eye on the activities of your users (which brings the notion of 'anonymous' browsing into some doubt).

Not a judgment or a suggestion, just an observation.

-- rick

You're misunderstanding the situation. No one is accessing my system and using webmail. I do not have webmail or any other mail servers/services configured, web based or not.

Can't speak for others, but ... I understand quite well what you are providing, what is happening, etc. etc.

The 'issue' is that you explained originally that "you are the only user, there is no (web)access to this proxy" ... you have now totally changed that story. You are now stating that this proxy is in fact open to any and all, which is what has been the discussion point in the latter posts ... the questions about just 'who' has been accessing the proxy were based on your "I'm the only one with access" ....

As pointed out by others and my previous remark about "none of these are 'advertised' as a way to post into webmail applications" .. running an anonymizing proxy carries a lot of responsibilities and issues. You are showing that users simply can't be trusted, yet you are the one held responsible for those actions by these unknown people.
