Re: [toaster] attacked by spammer
On Mar 30, 2006, at 3:10 PM, Bill Shupp wrote:
> Bob Hutchinson wrote:
>> depending on how many users you have, try to find any php scripts containing 'mail'. If they also contain the above you're getting somewhere. Of course cgi-bin is also a possibility. Look for 'mailform' or 'formmail' etc. hope you get lucky
>
> Note that POST values are not logged, so searching logs may not reveal anything. I have better luck looking for dates that correspond to the date of the message.

When I was under a similar attack, the spams were going out but the web logs were going to an error_log. My solution was to write a short Perl script that checked all of the log file sizes, waited a minute and then checked again. This narrowed down the list of possible virtual hosts that were under attack.

--
Tom Collins - [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/
Vpopmail: http://vpopmail.sf.net/
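The log-size sampling Tom describes, as an added example rather than his own Perl script: it snapshots every vhost log, waits, snapshots again and ranks the logs by how much was appended, so the busiest virtual host stands out even when the entries land in error_log. The glob pattern for the per-vhost logs is an assumption, not something from the thread.

```python
import glob
import os
import time

# Assumed vhost log layout (not from the thread): one directory per virtual
# host holding an access_log and an error_log. Both are sampled, because in
# the case above the tell-tale entries landed in error_log, not access_log.
LOG_GLOB = "/var/log/apache/vhosts/*/*_log"

def snapshot_sizes(paths):
    """Current size in bytes of every listed log file that still exists."""
    sizes = {}
    for path in paths:
        try:
            sizes[path] = os.path.getsize(path)
        except OSError:
            pass  # rotated away or vhost removed between glob and stat
    return sizes

def rank_growth(before, after):
    """Bytes appended to each log between two snapshots, busiest first.

    A file that shrank was rotated; its new size counts as growth since
    rotation. A file missing from `before` is counted from zero.
    """
    growth = []
    for path, new_size in after.items():
        old_size = before.get(path, 0)
        delta = new_size - old_size if new_size >= old_size else new_size
        if delta > 0:
            growth.append((path, delta))
    growth.sort(key=lambda item: (-item[1], item[0]))
    return growth

def find_busy_vhosts(pattern=LOG_GLOB, interval=60, top=5):
    """Sample twice, `interval` seconds apart; return the fastest-growing logs."""
    paths = glob.glob(pattern)
    before = snapshot_sizes(paths)
    time.sleep(interval)
    return rank_growth(before, snapshot_sizes(paths))[:top]

if __name__ == "__main__":
    for path, delta in find_busy_vhosts():
        print(f"{delta:>10} bytes  {path}")
```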
Re: [toaster] attacked by spammer
Dear, Would you provide me the script. thnx, saki

__
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
Re: [toaster] attacked by spammer
On Mar 30, 2006, at 1:51 PM, saki wrote:
> please would you suggest me how to cope with this attack?

If you think your machine may be an open relay, try running the tests here: http://www.abuse.net/relay.html

If any of the tests fail, you should note which test failed. That will help you get started on closing the hole.

alex
Re: [toaster] attacked by spammer
saki wrote:
> Dear all,
> My mail server is attacked by a spammer. I could not find any solution to stop this attack. Here is output from /var/log/qmail/current
>
> @4000442c433d07da23b4 status: local 0/10 remote 19/20
> @4000442c433d07da373c starting delivery 588: msg 1170472 to remote [EMAIL PROTECTED]
> @4000442c433d07da4ac4 status: local 0/10 remote 20/20
> @4000442c433d0f2e44c4 delivery 558: success: 168.95.5.17_accepted_message./Remote_host_said:_250_EAA20464_Message_accepted_for_delivery/
> @4000442c433d0f2e601c status: local 0/10 remote 19/20
> @4000442c433d0f2e778c starting delivery 589: msg 1170472 to remote [EMAIL PROTECTED]
> @4000442c433d0f2e8b14 status: local 0/10 remote 20/20
> @4000442c433f226d7bf4 delivery 568: failure: 202.160.80.150_does_not_like_recipient./Remote_host_said:_554_M.5_[EMAIL PROTECTED]..._User_unknown(Local_Mailbox)/Giving_up_on_202.160.80.150./
> @4000442c433f226d9b34 status: local 0/10 remote 19/20
>
> please would you suggest me how to cope with this attack?

Sounds like you have a web based email form or a compromised user or machine that is feeding the spam into your machine. I'd check the messages themselves to see where the headers said they came from.

Rick
Re: [toaster] attacked by spammer
> Sounds like you have a web based email form or a compromised user or machine that is feeding the spam into your machine. I'd check the messages themselves to see where the headers said they came from.
>
> Rick

Yes, your doubt is right. This is output from:

-bash-2.05b# tail -f /var/spool/qmailscan/qmail-queue.log
Fri, 31 Mar 2006 03:16:10 BDT:22486: -- Process 22486 finished. Total of 7.66887 secs
Fri, 31 Mar 2006 03:16:13 BDT:22492: w_c: elapsed time from start 4.618193 secs
Fri, 31 Mar 2006 03:16:13 BDT:22492: return-path='[EMAIL PROTECTED]', recips='[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED]'
Fri, 31 Mar 2006 03:16:13 BDT:22492: from='§K¶O¡B§K¶O¡B§K¶O¡B§K¶O [EMAIL PROTECTED]', subj='·Q¤F¸Ñ°Ó«~ªº¦æ¾PÁͶնܡH^^Åý±M®a§K¶O¬°±z¿Ô¸ß¡I^^navigable', via SMTP from 192.168.0.1
Fri, 31 Mar 2006 03:16:14 BDT:22492: clamdscan: finished scan of dir /var/spool/qmailscan/tmp/ns1.infobd.net114375336862022492 in 1.038585 secs
Fri, 31 Mar 2006 03:16:14 BDT:22492: SA: don't scan as RELAYCLIENT implies this was sent by a local user
Fri, 31 Mar 2006 03:16:14 BDT:22492: p_s: finished scan in 0.003957 secs
Fri, 31 Mar 2006 03:16:14 BDT:22492: ini_sc: finished scan of /var/spool/qmailscan/tmp/ns1.infobd.net114375336862022492...
Fri, 31 Mar 2006 03:16:14 BDT:22492: ini_sc: elapsed time from start 5.667414 secs
Fri, 31 Mar 2006 03:16:14 BDT:22492: -- Process 22492 finished. Total of 5.68355 secs
Fri, 31 Mar 2006 03:16:14 BDT:22487: w_c: elapsed time from start 12.394417 secs
Fri, 31 Mar 2006 03:16:14 BDT:22487: return-path='[EMAIL PROTECTED]', recips='[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED]'
Fri, 31 Mar 2006 03:16:14 BDT:22487: from='¡®¤£¥Î§A¦hªá¿ú¡A¥i¥H¬Ù¿ú¤S¥i¥HÁÈ¿ú(§Þ¥©¡B¤èªk°Ý§Ú)http:\¤£¥Î§A¦hªá¿ú¡A¥i¥H¬Ù¿ú¤S¥i¥HÁÈ¿ú(§Þ¥©¡B¤èªk°Ý§Ú)vv [EMAIL PROTECTED]', subj='¢ð¨C¤ë¦æ°Ê¹q¸Ü¶O¶W¹L1,000¤¸ªº¤H¡A½Ðª`·N!!!([EMAIL PROTECTED])¡¦¡¦', via SMTP from 192.168.0.1
Fri, 31 Mar 2006 03:16:15 BDT:22487: clamdscan: finished scan of dir /var/spool/qmailscan/tmp/ns1.infobd.net114375336262022487 in 1.0 secs
Fri, 31 Mar 2006 03:16:15 BDT:22487: SA: don't scan as RELAYCLIENT implies this was sent by a local user
Fri, 31 Mar 2006 03:16:15 BDT:22487: p_s: finished scan in 0.003948 secs
Fri, 31 Mar 2006 03:16:15 BDT:22487: ini_sc: finished scan of /var/spool/qmailscan/tmp/ns1.infobd.net114375336262022487...
Fri, 31 Mar 2006 03:16:15 BDT:22487: ini_sc: elapsed time from start 13.438296 secs
Fri, 31 Mar 2006 03:16:16 BDT:22487: -- Process 22487 finished. Total of 13.460671 secs
Fri, 31 Mar 2006 03:16:17 BDT:22514: +++ starting debugging for process 22514 by uid=89
Fri, 31 Mar 2006 03:16:21 BDT:22516: +++ starting debugging for process 22516 by uid=89
Fri, 31 Mar 2006 03:16:23 BDT:22518: +++ starting debugging for process 22518 by uid=89
Fri, 31 Mar 2006 03:16:23 BDT:22520: +++ starting debugging for process 22520 by uid=89

And also output from:

-bash-2.05b# tail -f /var/log/qmail/smtpd/current
@4000442c4d421a03c464 tcpserver: end 24467 status 256
@4000442c4d421a03d7ec tcpserver: status: 19/20
@4000442c4d421a03eb74 tcpserver: status: 20/20
@4000442c4d421a03fefc tcpserver: pid 24468 from 192.168.0.1
@4000442c4d421a041284 tcpserver: ok 24468 0:202.174.137.19:25 :192.168.0.1::3393
@4000442c4d421a0429f4 tcpserver: end 24468 status 256
@4000442c4d421a0458d4 tcpserver: status: 19/20
@4000442c4d421a046c5c tcpserver: status: 20/20
@4000442c4d421a047fe4 tcpserver: pid 24469 from 192.168.0.1
@4000442c4d421a04936c tcpserver: ok 24469 0:202.174.137.19:25 :192.168.0.1::2435
@4000442c4d452cc0a464 tcpserver: end 23417 status 256
@4000442c4d452cc0bfbc tcpserver: status: 19/20
@4000442c4d452cc0d344 tcpserver: status: 20/20
@4000442c4d452cc0e6cc tcpserver: pid 24484 from 192.168.0.1
@4000442c4d452cc0fa54 tcpserver: ok 24484 0:202.174.137.19:25 :192.168.0.1::1671

The above local IP is my local gateway IP. And moreover there is no valid user name or valid local IP from my subnet. So now how could I stop it?
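An added example, not from the thread, that reads qmail-scanner queue log lines in the layout quoted above and tallies messages, recipients and SpamAssassin-skipped ("RELAYCLIENT") messages per submitting IP: a window in which one trusted address (here the NAT gateway) accounts for all the traffic and none of it is scanned narrows the search to hosts behind that gateway. The sample log lines, addresses and subjects are constructed, and the recipient threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the qmail-scanner queue log quoted above
# ("<timestamp> <TZ>:<pid>: <event>"); the addresses and subjects are made up.
SAMPLE_LOG = """\
Fri, 31 Mar 2006 03:16:13 BDT:22492: return-path='spam@example.test', recips='a@example.test,b@example.test,c@example.test'
Fri, 31 Mar 2006 03:16:13 BDT:22492: from='Promo <spam@example.test>', subj='Big offer', via SMTP from 192.168.0.1
Fri, 31 Mar 2006 03:16:14 BDT:22492: SA: don't scan as RELAYCLIENT implies this was sent by a local user
Fri, 31 Mar 2006 03:17:02 BDT:22530: return-path='alice@example.test', recips='bob@example.test'
Fri, 31 Mar 2006 03:17:02 BDT:22530: from='Alice <alice@example.test>', subj='lunch', via SMTP from 10.0.0.5
"""
LINE_RE = re.compile(r"^(?P<ts>.+?):(?P<pid>\d+): (?P<event>.*)$")
RECIPS_RE = re.compile(r"recips='([^']*)'")
SOURCE_RE = re.compile(r"via SMTP from ([\d.]+)\s*$")

def parse_queue_log(text):
    """One record per queued message; the pid ties the recips, source and SA lines together."""
    msgs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = msgs.setdefault(m.group("pid"), {"recips": 0, "source": None, "unscanned": False})
        event = m.group("event")
        r = RECIPS_RE.search(event)
        if r:
            rec["recips"] = len([a for a in r.group(1).split(",") if a])
        s = SOURCE_RE.search(event)
        if s:
            rec["source"] = s.group(1)
        if "don't scan as RELAYCLIENT" in event:
            rec["unscanned"] = True  # SpamAssassin skipped because the source is a RELAYCLIENT
    return msgs

def summarize_by_source(msgs):
    """Messages, recipients and unscanned messages per submitting IP address."""
    summary = defaultdict(lambda: {"messages": 0, "recipients": 0, "unscanned": 0})
    for rec in msgs.values():
        if rec["source"] is None:
            continue
        s = summary[rec["source"]]
        s["messages"] += 1
        s["recipients"] += rec["recips"]
        s["unscanned"] += int(rec["unscanned"])
    return dict(summary)

def suspicious_sources(summary, max_recipients=20):
    """Trusted IPs that pushed more recipients than expected in the window (threshold assumed)."""
    return sorted(ip for ip, s in summary.items() if s["recipients"] > max_recipients)
```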
Re: [toaster] attacked by spammer
On Thursday 30 Mar 2006 22:33, saki wrote:
>> Sounds like you have a web based email form or a compromised user or machine that is feeding the spam into your machine. I'd check the messages themselves to see where the headers said they came from.
>>
>> Rick
>
> Yes, your doubt is right. This is output from:
>
> -bash-2.05b# tail -f /var/spool/qmailscan/qmail-queue.log

use grep to look through your web logs for

return-path=
recips=

depending on how many users you have, try to find any php scripts containing 'mail'. If they also contain the above you're getting somewhere. Of course cgi-bin is also a possibility. Look for 'mailform' or 'formmail' etc. hope you get lucky