OT: spammers are using my domain again

Mike Ramirez mike at thexxxhost.com
Sat Oct 9 22:54:15 UTC 2004


On Thu, 2004-10-07 at 21:59, Trevor Smith wrote:
> So I'm getting tons of bounces because the spammers have made their way back 
> around to my personal domain and are sending out their crap with 
> <something>@haligonian.com as the forged From: address.
> 
> I don't really care since I have bogofilter installed and it puts every damn 
> one of them in my "unsure" folder and I never need to see them, but just to 
> be thorough...
> 
> Does anyone know of anything I could do to get them to move on from spoofing 
> my domain to spoofing the next victim's domain?
> 
> Is there any real harm to me that they are spoofing my domain, btw? I assume 
> that network admins are smart enough now that they realize almost all spam 
> addresses are spoofs and they don't go arbitrarily blacklisting poor suckers 
> like me. :-(
> 
> Now, I'm assuming this is straight forging, and that no spammers are actually 
> using any network resources related to me (since I pay $10/yr for a web/mail 
> hosting account for haligonian.com and don't run my own servers).
> 
> -- 
> Trevor Smith // trevor at haligonian.com

Hi Trevor and everyone who is reading this.
I haven't read the full thread yet, but I want to relate my
"adventures" of the last two days to you guys.  I run a hosting company that
has similar packages to what Trevor is getting.

On Thursday I get the Logwatch come through, plus I get nobody's mail for
our virtual hosting servers, and boom: 150 returned emails from the
sending domain InternetBanking.com on one of them, which we don't host
or have any records of whatsoever.  So I know it's spam.  Well, after
searching for the subject matter with grep throughout the home dirs of
each user, only one user had it, but it was in his spam file.

That's not enough to do anything about it, but it made us watch this guy
closer.  All day exim was sending as nobody.  Headers had nothing but the
hostname.  Started grepping through the mail logs for the time, but
nothing came up.  Kept looking for the subject matter throughout the
DBs and the whole system.  Only found it in the one spam file and the
returned emails.  I also turned off mailman in case that was the culprit,
because it was running at times and we don't have any list on that
server.

I was stumped on Thursday trying to figure this out; my partners were
also.  Then on Friday it was still going on.  Server load wasn't jumping,
and I couldn't take down the server because of the numerous accounts on
the server and the lack of space on the other servers for them.

But Friday I wake up to 2000 returned emails in my inbox from nobody at
this server.  OK, I then started to realize that it has to be a script
being run from the web.  Yeah, I'm a little slow sometimes; call it tunnel
vision, I should have realized that it was that when I saw nobody.  But I
then grepped the domlogs for the time the emails were being sent, and
then also for POST, and then checked the suspect scripts by checking them
from the web.  I found it that way.

It's a simple script that is written in PHP and can use a DB to retrieve
the email info, or you can manually enter it.  The recipients are a text
area you put an email into line by line.  It also has a text box for the
sending address and everything else, and attempts to write the headers
also.  One of the emails from Friday had a sub dir that it used for the
source; that was called in to me by an irate recipient of the email and
verified that it was this script.

OK, now that I found the target, my question was: who was using that
script?  I grepped for the script's name in the domlogs and found only 2
IPs using that script: mine and another.  That IP wasn't my customer's but
someone else's.  It was a Comcast IP, and nmap showed me it was a Windows
box, so I'm not going to say that that IP is the spammer's, but I'm
reporting it to Comcast.  Could be the user of this computer is
compromised also.  But that IP accessed the script at the time the
emails were running.

Also, on Friday only one file was upped using the ftp.  That was this script,
from another hosting company's server.  He used two scripts with the
same code: one called mailer.php in the root of the html dir, and
services.php in a sub dir of that user's html dir.  In the sub dir it was
easy to spot because it was the only php file in a sea of htm files.
The mailer.php was in a sea of php files and harder to catch.
mailer.php was used on Thursday and services.php was used on Friday.

All this was caused by one of two things: my client shared his pw with
someone, or it got cracked somewhere.  I still have to check the logs for
the IP to see if it was a brute force attack.  But it was a
weak password, and I have reset it with something a little stronger.

Because of the nature of the email (it's a phishing one, asking you to
reset your personal info for your bank), I'm going to be reporting this
to Internet Fraud Watch, the US FTC, Comcast (I hear it's good luck if
they do anything) and the other hosting company that the file was
uploaded from.

Now I do have a question: is there anyone else I should notify about this?  I
don't want to email them; I want to call this in and talk to someone.  So
phone numbers for any groups or organizations that would help in tracking
this guy down would be greatly appreciated.

TIA and I hope you enjoyed this.



Mike Ramirez <mike at thexxxhost.com>
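The two checks Mike describes above (grep the domlogs for POSTs to .php files in the window when the bounces were generated, then list which client IPs hit the script; and spot a lone .php file sitting in a directory of .htm files) can be scripted so they run over a whole server's logs at once. The following is an added example, not code from the original post or from any hosting product; the log lines, IPs, host paths and time windows are constructed for the demonstration, and the log format is assumed to be Apache combined format, which is what cPanel-style domlogs contain.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined-log format (assumed format of the per-domain "domlogs").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
APACHE_TS = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: documentation-range IPs, hypothetical paths.
SAMPLE_DOMLOG = """\
10.0.0.5 - - [08/Oct/2004:09:15:02 -0500] "GET /index.php HTTP/1.1" 200 4120 "-" "Mozilla/4.0"
192.0.2.44 - - [08/Oct/2004:09:16:10 -0500] "POST /mailer.php HTTP/1.1" 200 312 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.44 - - [08/Oct/2004:09:16:41 -0500] "POST /mailer.php HTTP/1.1" 200 312 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
10.0.0.5 - - [08/Oct/2004:09:17:00 -0500] "GET /about.htm HTTP/1.1" 200 2210 "-" "Mozilla/4.0"
198.51.100.7 - - [08/Oct/2004:09:20:33 -0500] "POST /contact.php HTTP/1.1" 200 98 "-" "Mozilla/5.0"
192.0.2.44 - - [09/Oct/2004:07:02:19 -0500] "POST /links/services.php HTTP/1.1" 200 312 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.44 - - [09/Oct/2004:07:03:55 -0500] "POST /links/services.php HTTP/1.1" 200 312 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
"""

# Constructed sample file listing for one customer's html dir (hypothetical).
SAMPLE_PATHS = [
    "/home/user/public_html/index.php",
    "/home/user/public_html/mailer.php",
    "/home/user/public_html/contact.php",
    "/home/user/public_html/links/index.htm",
    "/home/user/public_html/links/about.htm",
    "/home/user/public_html/links/rates.htm",
    "/home/user/public_html/links/faq.htm",
    "/home/user/public_html/links/staff.htm",
    "/home/user/public_html/links/map.htm",
    "/home/user/public_html/links/services.php",
]


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], APACHE_TS),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop any query string
        "status": int(m["status"]),
    }


def php_posts_in_window(log_text, start, end):
    """Return {script_path: {client_ip: count}} for POST requests to .php files
    whose timestamp falls inside [start, end]; the bounds are given in the same
    Apache timestamp format as the log so they can be copied from Logwatch."""
    t0 = datetime.strptime(start, APACHE_TS)
    t1 = datetime.strptime(end, APACHE_TS)
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["path"].endswith(".php") or not (t0 <= rec["time"] <= t1):
            continue
        hits[rec["path"]][rec["ip"]] += 1
    return {path: dict(ips) for path, ips in hits.items()}


def clients_by_script(hits):
    """Invert the result of php_posts_in_window: {client_ip: [scripts hit]}.
    An IP that POSTs to several different mailer copies stands out here."""
    seen = defaultdict(set)
    for path, ips in hits.items():
        for ip in ips:
            seen[ip].add(path)
    return {ip: sorted(paths) for ip, paths in seen.items()}


def lone_php_files(paths, min_neighbours=5):
    """Directories in which exactly one .php file sits among at least
    min_neighbours .htm/.html files: the 'only php file in a sea of htm
    files' pattern from the post. Returns the full paths of those .php files."""
    by_dir = defaultdict(list)
    for p in paths:
        d, _, name = p.rpartition("/")
        by_dir[d].append(name)
    suspects = []
    for d, names in by_dir.items():
        php = [n for n in names if n.endswith(".php")]
        htm = [n for n in names if n.endswith((".htm", ".html"))]
        if len(php) == 1 and len(htm) >= min_neighbours:
            suspects.append(f"{d}/{php[0]}")
    return sorted(suspects)


if __name__ == "__main__":
    hits = php_posts_in_window(SAMPLE_DOMLOG,
                               "08/Oct/2004:00:00:00 -0500",
                               "10/Oct/2004:00:00:00 -0500")
    for path, ips in hits.items():
        print(path, ips)
    print("clients:", clients_by_script(hits))
    print("lone php files:", lone_php_files(SAMPLE_PATHS))
```

In practice the window bounds come from the timestamps on the bounced mail, and the log text is the concatenation of every domain's domlog on the server; a script that only one outside IP ever POSTs to, during exactly the bounce window, is the one to pull from the web and inspect. The directory check is a cheap first pass for the second copy of the mailer, the one placed in a sub dir where no .php file belongs; it says nothing about a copy hidden among legitimate .php files, which is why the log correlation is the primary check.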