spam - acting as a relay
I have recently been informed that my machine is relaying spam. Need some help to identify the problem. I have had sendmail switched off on a SuSE 7.3 machine.

Here is the gist of the problem - my machine aaa.bbb.cc.dd.

It seems they are using wwwrun - does that mean it is via php? Where and how should I block this?

--->
*******************************************************
Since your system relays/originates SPAM, we are blocking all mail from it.
(wwwrun@psych.unn.ac.uk [aaa.bbb.cc.dd])
When appropriate measures are implemented please inform postmaster@uottawa.ca and the block will be removed.
Postmaster
*******************************************************

Return-Path: <424848@bn.com.br>
Received: from bn.com.br (wwwrun@zzz.yyy.ac.uk [aaa.bbb.cc.dd]) by UOttawa.CA (8.9.1/8.9.1) with SMTP id NAA192930 for Tue, 22 Jan 2002 13:13:31 -0500
Date: Tue, 22 Jan 2002 13:13:31 -0500
From: 424848@bn.com.br
Reply-To: <424848@bn.com.br>
Message-ID: <002a84a53bee$8847c4d2$7dc15ac6@mhrsyg>
To: Smart.Investors
Subject: What's next for the stock market?
MiME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6700

===============================================================
''''''
====================
This email advertisement is sent out to those who subscribed on our web site or one of our many affiliated web sites. If you received this email in error or you would like to opt-out from our database, please go to the following:
mailto:mayblater@ozemail.com.au
[2669gYQK6-198CUmg0349yrLD6-700VpH@31]
-------<

--
Dr. Delia Wakelin
Division of Psychology, University of Northumbria, Newcastle upon Tyne NE1 8ST
Tel: 44 (0) 191 227 4958
email: d.wakelin@unn.ac.uk
www: http://www.unn.ac.uk/~evdw3
Could be formmail.pl, if you are using it. Old versions can be abused to send spam. There are some scanners looking for it, too. The latest version is 1.9, which allows you to specify the recipients and therefore prevents spam. You can get it at Matt's Script Archive: http://worldwidemart.com/scripts/

Of course, it could be any other script sending email, if not properly secured. You should scan your machine for forms sending email.

Kind regards,
Roman Dörr
Systems engineer
Tel. +49 30 767151-14

--
tro:net GmbH Berlin
Network & New Media Solutions
Raumerstr. 22
10437 Berlin
Tel. +49 30 767151-0
Fax +49 30 767151-13
Web www.tro.net

-----Original Message-----
From: Delia Wakelin [mailto:d.wakelin@unn.ac.uk]
Sent: Thursday, 24 January 2002 09:12
To: suse-security@suse.com
Subject: [suse-security] spam - acting as a relay

> I have recently been informed that my machine is relaying spam. Need some help to identify the problem. I have had sendmail switched off on a SuSE 7.3 machine.
>
> Here is the gist of the problem - my machine aaa.bbb.cc.dd.
>
> It seems they are using wwwrun - does that mean it is via php? Where and how should I block this?
Hi Delia,

If it is via php, then try to find php files with the expression "mail" in them. You can adapt these files to only allow mail to specified recipients. Or, if this is impossible, try to find out from where the form is submitted and restrict it to your server. No one will fill out 1000 forms to send 1000 spam mails. Although - it is not impossible to write a script that still does it. But probably it's more work than finding another relay.

Best regards,
Ralf

Delia Wakelin wrote:
> I have recently been informed that my machine is relaying spam. Need some help to identify the problem. I have had sendmail switched off on a SuSE 7.3 machine.
>
> Here is the gist of the problem - my machine aaa.bbb.cc.dd.
>
> It seems they are using wwwrun - does that mean it is via php? Where and how should I block this?
>
> --->
> *******************************************************
> Since your system relays/originates SPAM, we are blocking all mail from it.
> (wwwrun@psych.unn.ac.uk [aaa.bbb.cc.dd])
> When appropriate measures are implemented please inform postmaster@uottawa.ca and the block will be removed.
> Postmaster
> *******************************************************
>
> Return-Path: <424848@bn.com.br>
> Received: from bn.com.br (wwwrun@zzz.yyy.ac.uk [aaa.bbb.cc.dd]) by UOttawa.CA (8.9.1/8.9.1) with SMTP id NAA192930 for Tue, 22 Jan 2002 13:13:31 -0500
> Date: Tue, 22 Jan 2002 13:13:31 -0500
> From: 424848@bn.com.br
> Reply-To: <424848@bn.com.br>
> Message-ID: <002a84a53bee$8847c4d2$7dc15ac6@mhrsyg>
> To: Smart.Investors
> Subject: What's next for the stock market?
> MiME-Version: 1.0
> Content-Type: text/plain; charset="iso-8859-1"
> Content-Transfer-Encoding: 8bit
> X-Priority: 3 (Normal)
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 5.00.2919.6700
>
> ===============================================================
> ''''''
> ====================
> This email advertisement is sent out to those who subscribed on our web site or one of our many affiliated web sites. If you received this email in error or you would like to opt-out from our database, please go to the following:
> mailto:mayblater@ozemail.com.au
> [2669gYQK6-198CUmg0349yrLD6-700VpH@31]
> -------<
--
------------------------------------------------------------
Ralf Ronneburger                          ralf@ronneburger.de
Prefers to receive encrypted mail; download the public key from
http://www.ronneburger.net/gpg/ralf_ronneburger.asc
------------------------------------------------------------
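The recipient restriction Roman and Ralf recommend, as an added example that is not part of the thread: the script, not the HTTP client, decides who may receive mail, and header fields that could smuggle in extra recipients are rejected. It is written in Python rather than PHP or Perl; the field names, the addresses and the `accepts` helper are constructed for illustration.

```python
"""Recipient allow-list for a web form mailer (added example, not from the thread).

Old form-mail scripts let the HTTP client choose the recipient, which is what
turns them into spam relays.  Here the recipient must match a fixed list, and
no header field may contain a line break (a new line in a header is how a
second recipient or a Bcc gets injected).  Field names and addresses are
constructed.
"""
import re

# The only addresses this form may deliver to (constructed).  Compared as whole
# addresses, case-insensitively, never by substring.
ALLOWED_RECIPIENTS = frozenset({"webmaster@example.ac.uk", "enquiries@example.ac.uk"})

_BAD_HEADER_CHARS = re.compile(r"[\r\n\x00]")
_SIMPLE_ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


class RejectedSubmission(ValueError):
    """Raised when a form submission must not be turned into mail."""


def header_safe(value: str) -> str:
    """Reject any header field containing line breaks or NULs."""
    if _BAD_HEADER_CHARS.search(value):
        raise RejectedSubmission("line break in header field")
    return value.strip()


def validate_submission(fields: dict) -> dict:
    """Return the sanitized parts of a mail, or raise RejectedSubmission.

    `fields` mimics decoded form data: recipient, email, subject, message.
    """
    to = header_safe(fields.get("recipient", "")).lower()
    if to not in ALLOWED_RECIPIENTS:
        raise RejectedSubmission(f"recipient not permitted: {to!r}")
    reply_to = header_safe(fields.get("email", ""))
    if not _SIMPLE_ADDR.match(reply_to):
        raise RejectedSubmission("malformed sender address")
    subject = header_safe(fields.get("subject", "Web form"))[:120]
    # The body may legitimately contain newlines; the headers may not.
    body = fields.get("message", "").replace("\x00", "")
    return {"to": to, "reply_to": reply_to, "subject": subject, "body": body}


def accepts(fields: dict) -> bool:
    """True when the submission would be handed to the mailer (hypothetical helper)."""
    try:
        validate_submission(fields)
        return True
    except RejectedSubmission:
        return False
```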
Delia Wakelin wrote:

> I have recently been informed that my machine is relaying spam. Need some help to identify the problem. I have had sendmail switched off on a SuSE 7.3 machine.

Take a look into the log files of sendmail (/var/log/mail?) and grep for the sending address; that helps you to identify the spam and the source. Also grep your web server log files for *mail*; maybe a script is on your machine (uploaded by a user maybe?).

> Here is the gist of the problem - my machine aaa.bbb.cc.dd.
>
> It seems they are using wwwrun - does that mean it is via php? Where and how should I block this?

PHP is one possibility, another is CGI (perl etc.). You can try to use filter rules on your box that block mail from your web server, but that makes you unable to send mail via the web server (maybe a webmailer etc.).

--
intraDAT AG                          http://www.intradat.com
Wilhelm-Leuschner-Strasse 7          Tel: +49 69-25629-0
D - 60329 Frankfurt am Main          Fax: +49 69-25629-256
Junk mail is war. RFCs do not apply.
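The log check Sven describes, as an added example that is not part of the thread: it runs over constructed sendmail and Apache log lines (the host name `psych` and the sender address are taken from the bounce Delia quoted; every other value is made up) and counts what the web server user handed to sendmail and which web requests hit *mail* scripts.

```python
"""Triage of constructed log lines along the lines Sven suggests (added example,
not from the thread).  Two questions: which sender addresses did the web server
user submit to the local sendmail, and which web requests hit scripts with
"mail" in their path?  A relay through a web script leaves both traces; a relay
that never went through the local MTA (for example a proxy forwarding a
connection straight to port 25) leaves neither in these two files.
"""
import re
from collections import Counter

# Constructed sendmail-style log lines.  For locally submitted mail, sendmail
# logs the submitting Unix user as relay=<user>@localhost.
MAIL_LOG = """\
Jan 22 13:13:29 psych sendmail[2219]: NAA02219: from=<424848@bn.com.br>, size=1880, class=0, nrcpts=1, relay=wwwrun@localhost
Jan 22 13:13:30 psych sendmail[2221]: NAA02221: from=<424848@bn.com.br>, size=1880, class=0, nrcpts=1, relay=wwwrun@localhost
Jan 22 13:20:02 psych sendmail[2300]: NAA02300: from=<staff@psych.example>, size=412, class=0, nrcpts=1, relay=staff@localhost
"""

# Constructed Apache common-log lines.
ACCESS_LOG = """\
203.0.113.7 - - [22/Jan/2002:13:13:29 +0000] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512
203.0.113.7 - - [22/Jan/2002:13:13:30 +0000] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512
198.51.100.9 - - [22/Jan/2002:13:15:01 +0000] "GET /index.html HTTP/1.0" 200 2048
"""

_FROM_RELAY = re.compile(r"from=<([^>]*)>.*?relay=([^@\s,]+)@localhost")
_REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S*mail\S*) HTTP', re.IGNORECASE)


def submissions_by_user(mail_log: str, user: str = "wwwrun") -> Counter:
    """Count sender addresses of mail the given Unix user handed to sendmail."""
    counts = Counter()
    for line in mail_log.splitlines():
        m = _FROM_RELAY.search(line)
        if m and m.group(2) == user:
            counts[m.group(1)] += 1
    return counts


def mail_script_requests(access_log: str) -> Counter:
    """Count (client IP, script path) pairs for requests to *mail* scripts."""
    counts = Counter()
    for line in access_log.splitlines():
        m = _REQUEST.match(line)
        if m:
            counts[(m.group(1), m.group(2))] += 1
    return counts
```

A sender address that appears under relay=wwwrun@localhost with the same timestamps as POSTs to a form script is the web-script case; if the mail log is empty because sendmail is not running, the mail left the machine some other way.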
Hi,

> I have recently been informed that my machine is relaying spam. Need some help to identify the problem. I have had sendmail switched off on a SuSE 7.3 machine.

So sendmail is switched off; what smtpd is running on your system?

> It seems they are using wwwrun - does that mean it is via php? Where and how should I block this?
>
> --->
> *******************************************************
> Since your system relays/originates SPAM, we are blocking all mail from it.
> (wwwrun@psych.unn.ac.uk [aaa.bbb.cc.dd])
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

If you hide your IP address, hide your hostname.

Yours,
Thom

--
-------------------------------------------------------------------
bye bye (c) by Thom | Thorsten Marquardt
| EMail: THOM@kaupp.chemie.uni-oldenburg.de
| Member of the pzt project. | http://kaupp.chemie.uni-oldenburg.de/pzt
-------------------------------------------------------------------
Delia Wakelin wrote:

> I have recently been informed that my machine is relaying spam. Need some help to identify the problem. I have had sendmail switched off on a SuSE 7.3 machine.
>
> Here is the gist of the problem - my machine aaa.bbb.cc.dd.
>
> It seems they are using wwwrun - does that mean it is via php? Where and how should I block this?

You have an open HTTP proxy at port 3128. Anybody can use the CONNECT method to build a TCP connection through it to any IP address. You need to disable that proxy or restrict access so that only local users may use it.

Cheers,
Hans-Martin
participants (6)
- Delia Wakelin
- Hans-Martin Mosner
- Ralf Ronneburger
- Roman Doerr
- Sven Michels
- Thorsten Marquardt