nadeaup Posted November 20, 2007 Share Posted November 20, 2007 I need help!!! I am being told that spam is being sent by my server 209.17.190.78. I currently have deleted sendmail binaries and every other mail realted service. The email below seems to show a non-routable-ip address 172.18.52.79... How can I prove to my hosting campany and their NOC that this spam is not coming from my server and my ip is being spoofed??? OR am I wrong? Please help!!! Below is the emial with comments in the headers.. X-Apparently-To: x via 66.163.178.118; Sat, 10 Nov 2007 02:54:08 -0800 X-Originating-IP: [68.230.240.59] Authentication-Results: mta423.mail.re4.yahoo.com from=cox.net; domainkeys=neutral (no sig) Hmmm authentication-results: isn't a header I recognise Received: from 68.230.240.59 (EHLO eastrmmtao107.cox.net) (68.230.240.59) by mta423.mail.re4.yahoo.com with SMTP; Sat, 10 Nov 2007 02:54:08 -0800 This received header was added by your mailserver mta423.mail.re4.yahoo.com received this from someone claiming to be 68.230.240.59 (mta423.mail.re4.yahoo.com doesn't record the senders IP address in any way I recognise, so it's impossible to be sure. All received headers after this one should be treated with suspicion) Received: from eastrmimpo03.cox.net ([68.1.16.126]) by eastrmmtao107.cox.net (InterMail vM.7.08.02.01 201-2186-121-102-20070209) with ESMTP id <20071110105208.STAY4189.eastrmmtao107.cox.net[at]eastrmimpo03.cox.net>; Sat, 10 Nov 2007 05:52:08 -0500 eastrmmtao107.cox.net received this from eastrmimpo03.cox.net (IP addresses match) Received: from eastrmwml20.mgt.cox.net ([172.18.52.79]) by eastrmimpo03.cox.net with bizsmtp id Ayrg1Y0051iXuec0000000; Sat, 10 Nov 2007 05:51:40 -0500 eastrmimpo03.cox.net received this from someone claiming to be eastrmwml20.mgt.cox.net but really from 172.18.52.79(No rDNS) All headers below may be forged Received: from 209.17.190.78 by webmail.east.cox.net; Sat, 10 Nov 2007 5:52:05 -0500 webmail.east.cox.net received this from someone claiming to be 209.17.190.78 (webmail.east.cox.net doesn't record the senders IP address in any way I recognise, so it's impossible to be sure. All received headers after this one should be treated with suspicion) Date: Sat, 10 Nov 2007 5:52:06 -0500 From: The free lotto sweepstakes <figgy45[at]cox.net> Reply-To: agtwilliams202[at]hotmail.com Many spams are forged to appear connected to hotmail.com. They probably aren't from there. If the spam is soliciting replies to a hotmail.com address tell abuse[at]hotmail.com and the mailbox will die. Subject: BATCH NUMBER: YPA/07-43658 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) Sensitivity: Normal Hmmm sensitivity: isn't a header I recognise BATCH NUMBER: YPA/07-43658 REFERENCE NUMBER: 2007234522 PIN: 1206 This is to inform you that you have won a prize money of (GBP500,000.00) for the 2007 Prize Promotion which is Organized by The Free lotto Company The Free lotto Company! collects all the email addresses of the people that are active online, among the millions that subscribed to Yahoo and Hotmail and few from other e-mail providers. Ten people are selected monthly to benefit from this promotion and you are one of the Selected Winners. Fill and return to Agent Name: Rev.Jackson Williams E-Mail:agtwilliams202[at]hotmail.com Full name..... Winning email..... Occupation......... Nationality......... Phone no........... Age....... He shall commence the process that will facilitate the release of your fund to you. Regards, Mrs Pauline Walcott. Link to comment Share on other sites More sharing options...
Wazoo Posted November 20, 2007 Share Posted November 20, 2007 None of this has anything to do with the MailHost Configuration of your Reporting Account .. therefore moving this Topic out of that Forum section. As it also appears to have nothing to do with the SpamCop.net Parsing & Reporting system either, the SpamCopDNSBL does not seem to be involved, the Lounge is where this will end up. The alleged headers have simply been too contaminated .... I don't have the time at present to think about trying to reconstruct something useable out of this mess ..... Please provide an actual set of headers without the extra garbage .... Link to comment Share on other sites More sharing options...
DavidT Posted November 20, 2007 Share Posted November 20, 2007 I need help!!! I am being told that spam is being sent by my server 209.17.190.78. Please help!!! Below is the emial with comments in the headers.. Please post it without all the comments, just as it appeared. The computer using the IP was indeed seen sending out a lot of spam starting Oct. 18th and ending Nov. 10th, the date of the spam you're talking about, so yes, you had a problem up until then. However, that IP address seems to be hosting some sort of anonymous proxy service...try visiting this URL: http://209.17.190.78/ You can Google the IP and find plenty of Wiki complaints about anonymous posts coming from that IP. Here's a list of some of the spam seen coming from your IP...all reported to SpamCop and then to your provider: Submitted: Saturday, November 10, 2007 11:24:31 AM -0700: BATCH NUMBER: YPA/07-43658 * 2611159891 ( 209.17.190.78 ) To: abuse#gt.ca[at]devnull.spamcop.net * 2611159745 ( 209.17.190.78 ) To: abuse[at]gt.ca Submitted: Saturday, November 10, 2007 7:53:32 AM -0700: BATCH NUMBER: YPA/07-43658 * 2610668537 ( 209.17.190.78 ) To: abuse#gt.ca[at]devnull.spamcop.net Submitted: Saturday, November 10, 2007 7:53:29 AM -0700: BATCH NUMBER: YPA/07-43658 * 2610668857 ( 209.17.190.78 ) To: abuse#gt.ca[at]devnull.spamcop.net Submitted: Wednesday, November 07, 2007 5:15:18 PM -0700: Employment Opportunity * 2605604695 ( 209.17.190.78 ) To: abuse#gt.ca[at]devnull.spamcop.net Submitted: Tuesday, November 06, 2007 1:32:54 PM -0700: Attention:- Freelotto Sweepstakes 2007 * 2603153383 ( 209.17.190.78 ) To: abuse#gt.ca[at]devnull.spamcop.net Submitted: Tuesday, November 06, 2007 10:29:51 AM -0700: CONGRATULATIONS!!! * 2602981730 ( 209.17.190.78 ) To: abuse#gt.ca[at]devnull.spamcop.net Submitted: Saturday, November 03, 2007 11:43:20 AM -0700: Details To File Your Claims Needed!!! * 2597318918 ( 209.17.190.78 ) To: abuse#gt.ca[at]devnull.spamcop.net Submitted: Saturday, November 03, 2007 8:14:19 AM -0700: Details To File Your Claims Needed!!! * 2596988771 ( 68.230.240.47 ) To: abuse#cox.net[at]devnull.spamcop.net * 2596988770 ( 68.1.16.119 ) To: abuse#cox.net[at]devnull.spamcop.net * 2596988768 ( 209.17.190.78 ) To: abuse#gt.ca[at]devnull.spamcop.net Submitted: Saturday, November 03, 2007 4:03:06 AM -0700: Details To File Your Claims Needed!!! * 2596597262 ( 209.17.190.78 ) To: abuse#gt.ca[at]devnull.spamcop.net Submitted: Wednesday, October 31, 2007 9:12:18 AM -0700: Employment Opportunity (Part Time) * 2591150349 ( 209.17.190.78 ) To: abuse#gt.ca[at]devnull.spamcop.net * 2591150345 ( 209.17.190.78 ) To: abuse[at]gt.ca Submitted: Wednesday, October 31, 2007 7:28:19 AM -0700: ARE YOU LOOKING FOR LOAN FUNDING? * 2590996052 ( 209.17.190.78 ) To: abuse#gt.ca[at]devnull.spamcop.net Submitted: Tuesday, October 30, 2007 4:49:54 PM -0700: Employment Opportunity (Part Time) * 2589982592 ( 209.17.190.78 ) To: abuse#gt.ca[at]devnull.spamcop.net Submitted: Tuesday, October 30, 2007 10:02:33 AM -0700: Lottery Winners International * 2589325681 ( 209.17.190.78 ) To: abuse#gt.ca[at]devnull.spamcop.net Submitted: Saturday, October 20, 2007 5:44:00 PM -0700: =?utf-8?Q?FINAL_NOTICE_YOU_EMAIL_WAS_SE?= =?utf-8?Q?LECTED!!_(=C3=82=C2=A3500... * 2571880949 ( 209.17.190.78 ) To: abuse#gt.ca[at]devnull.spamcop.net Submitted: Thursday, October 18, 2007 10:13:43 AM -0700: Seven Bell Yard ? Barristers * 2567610540 ( 209.17.190.78 ) To: abuse#gt.ca[at]devnull.spamcop.net So, perhaps you can see that the claims of spam are indeed real, M. Nadeau? But maybe you solved the problem by removing Sendmail, so maybe everything should now be OK? Unless some of your anonymous users do bad things on websites.... DT Link to comment Share on other sites More sharing options...
nadeaup Posted November 20, 2007 Author Share Posted November 20, 2007 Here is the CLEAN header/email. I had all traffic to and from port 25 blocked with iptables. sendmail was not running. and there were no ssh logins other than mine... I am the only user on the server.. There was nothing in the mail logs... I guess deleting the sendmail binaries is the last thing I can do.. I also did a chkrootkit check and nothing was found... Tahnks for you help!!! Is there someone on this forum I can hire to go in an fix my mail setup to be secure??? X-Apparently-To: scoots592002[at]yahoo.com via 66.163.178.118; Sat, 10 Nov 2007 02:54:08 -0800 X-Originating-IP: [68.230.240.59] Authentication-Results: mta423.mail.re4.yahoo.com from=cox.net; domainkeys=neutral (no sig) Received: from 68.230.240.59 (EHLO eastrmmtao107.cox.net) (68.230.240.59) by mta423.mail.re4.yahoo.com with SMTP; Sat, 10 Nov 2007 02:54:08 -0800 Received: from eastrmimpo03.cox.net ([68.1.16.126]) by eastrmmtao107.cox.net (InterMail vM.7.08.02.01 201-2186-121-102-20070209) with ESMTP id <20071110105208.STAY4189.eastrmmtao107.cox.net[at]eastrmimpo03.cox.net>; Sat, 10 Nov 2007 05:52:08 -0500 Received: from eastrmwml20.mgt.cox.net ([172.18.52.79]) by eastrmimpo03.cox.net with bizsmtp id Ayrg1Y0051iXuec0000000; Sat, 10 Nov 2007 05:51:40 -0500 Received: from 209.17.190.78 by webmail.east.cox.net; Sat, 10 Nov 2007 5:52:05 -0500 Date: Sat, 10 Nov 2007 5:52:06 -0500 From: The free lotto sweepstakes <figgy45[at]cox.net> Reply-To: agtwilliams202[at]hotmail.com Subject: BATCH NUMBER: YPA/07-43658 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) Sensitivity: Normal BATCH NUMBER: YPA/07-43658 REFERENCE NUMBER: 2007234522 PIN: 1206 This is to inform you that you have won a prize money of (GBP500,000.00) for the 2007 Prize Promotion which is Organized by The Free lotto Company The Free lotto Company! collects all the email addresses of the people that are active online, among the millions that subscribed to Yahoo and Hotmail and few from other e-mail providers. Ten people are selected monthly to benefit from this promotion and you are one of the Selected Winners. Fill and return to Agent Name: Rev.Jackson Williams E-Mail:agtwilliams202[at]hotmail.com Full name..... Winning email..... Occupation......... Nationality......... Phone no........... Age....... He shall commence the process that will facilitate the release of your fund to you. Regards, Mrs Pauline Walcott. And yes I do run phproxy an anonymous web browsing scri_pt. I guess I should add one more thing. I recently was DDOS for 3 days until the NOC could block all the traffic and I changed my IP... I think somone does not like me out there... Maybe it's time to pick a new hobby.... Thanks in advance for any help you all can provide! Link to comment Share on other sites More sharing options...
DavidT Posted November 20, 2007 Share Posted November 20, 2007 Received: from 209.17.190.78 by webmail.east.cox.net; Sat, 10 Nov 2007 5:52:05 -0500 That's a valid Received header, put there by the Cox.net webmail system. I just sent myself a test message using Cox webmail (but not through your proxy server) and it had the same format. IOW, someone was using your proxy service to spam people using a hijacked Cox account. In fact, a search on your IP of the Usenet posts using Google Groups produces some hits to reports in the news.admin.net-abuse.sightings of similar spam coming from your IP. If you want to keep your hosting account, I think that you need to stop hosting an anonymous proxy. By providing spammers a way to hide their IP addresses, it seems that you're part of the problem, not the solution. DT Link to comment Share on other sites More sharing options...
Wazoo Posted November 20, 2007 Share Posted November 20, 2007 Is there someone on this forum I can hire to go in an fix my mail setup to be secure??? I find this to be more than a bit confusing. I had all traffic to and from port 25 blocked with iptables. sendmail was not running. and there were no ssh logins other than mine... I am the only user on the server.. There was nothing in the mail logs... I guess deleting the sendmail binaries is the last thing I can do The question at this point would be .... what e-mail? With no traffic allowed to/from, no e-mail server application running, ???? Can't get much more secure than that as far as e-mail goes <g> .. I also did a chkrootkit check and nothing was found... And yes I do run phproxy an anonymous web browsing scri_pt. I guess I should add one more thing. I recently was DDOS for 3 days until the NOC could block all the traffic and I changed my IP... I think somone does not like me out there... Maybe it's time to pick a new hobby.... Thanks in advance for any help you all can provide! There's yet more that leaves me wondering what's actually all involved with 'your server' .... 209.17.190.78 ==> h209-17-190-78.gtcust.grouptelecom.net Not sure about Bell Canada's definitions, but other research shows listings like; 139.142.154.254 ==> static-139-142-154-254.gtcust.grouptelecom.net So the scenario looks like this is not a 'business' account, more like a 'home' account .. for which most hosting ISP's don't like 'servers' being run .... You don't say what's really at / runnong on this server, but the question would be .... what's is actually 'using' this server / what services is this server actually hosting/providing. The point being .... the e-mail headers offered up don't actually show a typical e-mail (i.e. from an e-mail client to an e-mail server) .... what is seen is a connection via this IP Address to a web-mail application ... what this means is that 'your issue' isn't actually an e-mail server issue, rather it's "access to your server" that's in question. SSH access would be noted for someone actually wanting that kind of acess, but .. as DavidT notes, your suggested use of an application kinds of hints that SSH access wouldn't be required to tap into this running app. If you have access to the logs on 'your' server, who else has been accessing any other services running on it? Does this web-surfing tool require any kind of login priviledges? Basically, I'm saying that your focus on the e-mail server/service is pointed to the wrong target. As DavidT suggests, the real question appears to be .. who has been using your server to contact other places, in this case, the Cox webmail server??? Just kind of confused as to having a 'server' involved if you are 'the only user' .... and having services other than firewall, NAT, and such still running if they actually aren't used .... Yes, I have servers running 'here' at the house, but they are for my own use, not connected to the net (except for those update runs) Link to comment Share on other sites More sharing options...
nadeaup Posted November 20, 2007 Author Share Posted November 20, 2007 It is a dedicated server running at esecuredata.com. They are based in Canada. The only user on the system is root (me). I host about 30 websites there... razorlife.com actionhunting.com razorproxy.com (this site is hosted on the same server but a different IP) to name a few... The PHPProxy scri_pt runs via apache and does not have any system access at all. I do not run any webmail software. Apache is the user that apache is run under. There are no known exploiut for that version of the scri_pt. The mixed ip's you pointed out has me even more confused... I'll continue digging and check the web logs. Thank you for the responses. -Patrick Link to comment Share on other sites More sharing options...
DavidT Posted November 20, 2007 Share Posted November 20, 2007 The PHPProxy scri_pt runs via apache and does not have any system access at all. I do not run any webmail software. It's very simple. People are using your HTTP proxy service to access *other* webmail systems, and are spamming from those other systems. Therefore, you're helping them to spam anonymously, so as long as you keep running that anonymous proxy, you're likely to keep having this problem. The mixed ip's you pointed out has me even more confused... Mixed IPs? Wazoo gave an example of an*other* IP on the same provider as yours. I don't think he was linking the other IP to your situation. DT Link to comment Share on other sites More sharing options...
GraemeL Posted November 20, 2007 Share Posted November 20, 2007 It's very simple. People are using your HTTP proxy service to access *other* webmail systems, and are spamming from those other systems. Therefore, you're helping them to spam anonymously, so as long as you keep running that anonymous proxy, you're likely to keep having this problem. David is correct. The open proxy is your problem, kill it and you will stop relaying spam. Link to comment Share on other sites More sharing options...
nadeaup Posted November 21, 2007 Author Share Posted November 21, 2007 Thanks guys, that was it.. Is there a place to get a list of webmail servers? Taht way I could block those sites... Link to comment Share on other sites More sharing options...
nadeaup Posted November 21, 2007 Author Share Posted November 21, 2007 FYI -- I found a list of webmail sites in the SquidGuard blacklist databases!!! Link to comment Share on other sites More sharing options...
GraemeL Posted November 22, 2007 Share Posted November 22, 2007 FYI -- I found a list of webmail sites in the SquidGuard blacklist databases!!! You may well still get complaints people using your proxy to comment spam or using it to launch attacks against other systems. I hope your ISP is understanding. I wont even comment on the possible liability issues. Link to comment Share on other sites More sharing options...
Wazoo Posted November 22, 2007 Share Posted November 22, 2007 Thanks guys, that was it.. Is there a place to get a list of webmail servers? Taht way I could block those sites... FYI -- I found a list of webmail sites in the SquidGuard blacklist databases!!! Question and follow-up seem totally backwards. The actual issue is dealing with who accessed your system and then generated the webmail connections. The only user on the system is root (me). I host about 30 websites there... razorlife.com actionhunting.com razorproxy.com (this site is hosted on the same server but a different IP) to name a few... I read what this says, but .... this doesn't say that you 'run/admin' all these hosted sites. You seem to imply that the server acess logs don't show someone actually making a ;direct; connection to the proxy. (By the way, looking that up, I see that there's only a few dozen "PHPProxy" scripts floating around out there, all tied to different author names. The most prominent of these [found on Freshmeat and Sourceforge] haven't been updated in years, much in contrast to the rise in PHP scripting/SQL-injection attacks over the same time-frame .. also noting that none of these are 'advertised' as a way to post into webmail applications ....) So the spectre of one of these hosted sites being compromised, thus allowing access to other parts of your sever cannot be overlooked. Link to comment Share on other sites More sharing options...
StevenUnderwood Posted November 22, 2007 Share Posted November 22, 2007 Thanks guys, that was it.. Is there a place to get a list of webmail servers? Taht way I could block those sites... You don't want to stop your server from going to those sites. You want to stop the outsiders from using your system in the first place. If they can use your system to send webmail, they can use it for other things as well. Link to comment Share on other sites More sharing options...
nadeaup Posted November 26, 2007 Author Share Posted November 26, 2007 Your misunderstanding the situation. No one is accessing my system and using webmail. I do not have webmail or any other mail servers/services configured, web based or not. People are using a free service I offer "anonymous web browsing". They are using that service to access web sites anonymously - in 99% of the cases this is a good thing. There is a small number of people that were using that service to log into a webmail account (likely one they hacked or a fake one they setup and don't care if it get's closed), compose an email and send out spam. The real problem to me is that the webmail service they are using allows them to send emails to many recipients. So, to do what I can on my end to eliminate spam, I decided to block access to as many webmail sites that I could find. This allows me to keep my service up and running which has many good and positive uses and makes it annoying to use for someone with the intention of hiding their IP when connecting to a webmail account to send spam... Hopefully this will greatly reduce the problem. Thanks again for the help. Link to comment Share on other sites More sharing options...
StevenUnderwood Posted November 27, 2007 Share Posted November 27, 2007 People are using a free service I offer "anonymous web browsing". They are using that service to access web sites anonymously - in 99% of the cases this is a good thing. Not really. I see no reason at all to use "annonymous web browsing" unless you are doing something you do not want tracked. I see no "good thing" in that. Please tell me what "good things" can be done via anonymous web browsing that can not be done via a public IP? If someone is using an anonymous web browser to view some spam link they receive, the spammer is likely going to make money from that spam hit, the same way they do if it were not anonymized, either by someone buying the "product" or just the "hit" on the site itself. The IP address a web request is coming from will not help a spammer determine which email address generated the successful hit, the link itself will. Link to comment Share on other sites More sharing options...
rconner Posted November 27, 2007 Share Posted November 27, 2007 People are using a free service I offer "anonymous web browsing". They are using that service to access web sites anonymously - in 99% of the cases this is a good thing. You may be playing whack-a-mole here, since there are many, many webmail portals out there, and no doubt more of them coming every day (including perhaps even those set up for purposes of spamming). Using anonymous HTTP to send spam via a third-party webmail site is a bit like using an open-relay mail server to send spam via "normal" SMTP. In this context, if SpamCop detects an open-relay SMTP host, it will send reports on it the same as it would for the "ultimate" source of the spam; likewise, open-relay blocking lists will add the addresses of such relays to their lists, which can lead to mail (even non-spam mail) being blocked. The operators of open relays might protest that they did not send the spam, but their fingerprints are on it and they wind up bearing at least part of the consequences for it. I appreciate your desire to offer a useful service (i.e., anonymous HTTP), but in so doing you are taking a big burden on yourself -- you either become a traceable conduit for spam (as has happened) or other more nefarious exploits, or else you wind up becoming a policeman for the traffic that traverses your server, spending too much of your time trying to block access to various sites here and there, and keeping a sharp eye on the activities of your users (which brings the notion of 'anonymous' browsing into some doubt). Not a judgment or a suggestion, just an observation. -- rick Link to comment Share on other sites More sharing options...
Wazoo Posted November 27, 2007 Share Posted November 27, 2007 Your misunderstanding the situation. No one is accessing my system and using webmail. I do not have webmail or any other mail servers/services configured, web based or not. Can't speak for others, but ... I understand quite well what you are providing, what is happeneing, etc. etc. The 'issue' is that you explained originally that "you are the only user, there is no (web)access to this proxy" ... you have now totally changed that story. You are now stating that this proxy is in fact open to any and all, which is what has been the discussion pioint in the latter posts ... the question about just 'who' has been accessing the proxy were based on your "I'm the only one with access" .... As pointed out by others and my previous remark about "none of these are 'advertised' as a way to post into webmail applications" .. running an anonomyzing-proxy carries a lot of responsibilities and issues. You are showing that users simply can't be trusted, yet you are the one held responsible for those actions by these unknown people. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.