First let me start off by saying I am not too experienced with running a server, so be gentle with any response LOL. I run a VPS with WHM/cPanel and recently was informed by my server company that a great deal of spam is coming from my server. I confirmed this because I found out I was on AOL's blacklist and unable to get off. This is serious because I run websites for several fire departments (including my own), and all of the online forms I use are not getting through to personnel in my department using AOL as their email (including my Chief)! I did find in a few of my directories some old PHP formmail scripts that may have been open to hackers to use to send out spam, but I am not sure if removing them did anything or not. I also changed the password on my vzpanel and cPanel. Today I logged in to the WHM and checked the mail queue, where there were over 2000 messages in the queue, so I deleted them, but more appeared not too long after. I am not sure if these are messages still trying to be sent out or emails getting bounced back. I copied and pasted one of these at the bottom of this email. My server is storksnmore.net, and if anyone can offer any advice it would be greatly appreciated.
Here is the latest email to be found in the queue:
1RQJqk-00024P-FB-H mailnull 47 12 <> 1321366738 0 -ident mailnull -received_protocol local -body_linecount 105 -max_received_linelength 84 -allow_unqualified_recipient -allow_unqualified_sender -frozen 1321366739 -localerror XX 1
153P Received: from mailnull by server.storksnmore.net with local (Exim 4.69) id 1RQJqk-00024P-FB for ; Tue, 15 Nov 2011 09:18:58 -0500
035 X-Failed-Recipients:
029 Auto-Submitted: auto-replied
066F From: Mail Delivery System <Mailer-Daemon@server.storksnmore.net>
025T To:
059 Subject: Mail delivery failed: returning message to sender
055I Message-Id: <E1RQJqk-00024P-FB@server.storksnmore.net>
038 Date: Tue, 15 Nov 2011 09:18:58 -0500
1RQJqk-00024P-FB-D This message was created automatically by mail delivery software. A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed: retry timeout exceeded
------ This is a copy of the message, including all the headers. ------
Return-path: <issue@creditcard.com>
Received: from mail.franyie.com ([74.169.50.226] helo=creditcard.com) by server.storksnmore.net with esmtpa (Exim 4.69) (envelope-from <issue@creditcard.com>) id 1ROqmD-0005DE-E0 for ; Fri, 11 Nov 2011 08:04:14 -0500
From: Credit Card Issues <issue@creditcard.com>
To:
Subject: Irregular activity on your Credit Card
Date: 11 Nov 2011 08:05:23 -0500
Message-ID: <20111111080523.D3835634DAB29026@creditcard.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0012_D7A3CFE6.7E45C2AB"
This is a multi-part message in MIME format.
------=_NextPart_000_0012_D7A3CFE6.7E45C2AB Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <div id=3D"Secure your Credit Card"> <td align=3D"center"> <img src=3D"http://www.efts.ro/images/media/diver= se/visa_mastercard.gif" alt=3D"Secure your Credit Card" /></td> <br> Dear Credit Card Customer,<br><br> We have detected irregular activity on your Credit Card on November 10, 2011= =2E<br> As the Primary Contact, you must verify your account activity before you can= continue using<br> your card, and upon verification, we will remove any restrictions placed on = your account.<br> <br><br> To review your account as soon as possible please download<br> the attached form and follow the instructions on your screen.<br> <br><br> We appreciate your business and the opportunity to serve you.<br> Please do not reply to this e-mail as this is only a notification. Mail sent= to this address cannot be answered. ------=_NextPart_000_0012_D7A3CFE6.7E45C2AB Content-Type: application/octet-stream; name="Secured_Online_Verification_Form.html" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="Secured_Online_Verification_Form.html"
------=_NextPart_000_0012_D7A3CFE6.7E45C2AB--
Are you sure you removed all of the old PHP form mailing scripts? It seems like there are still some remaining. Have you taken any steps to secure your PHP settings?
I am pretty sure I removed all of them. It looks like the mail that was in the queue was bouncebacks from "unknown users" for spam emails that were sent before I removed the PHP files. What actions can I take to secure PHP like you said?
Install one of the CSF plugins. They're free and you can easily manage the outgoing mail queue. You can find the culprit and freeze their mail sending. - CSF - mail manage. - CSF - mail queues.
Hi, by making some configuration changes and looking into the exim_main log you can find the script that is sending spam. You can do this by adding the following line: log_selector = +arguments +subject
Leno, I like your idea, but where exactly do I do that? Like I said, I'm not too familiar with running a server and don't know where to start with your recommendation.
Actually, I just found out that CSF mail manage is installed, but I really don't see where it will show a specific account sending out spam.
To help with future occurrences, please consider adjusting the Exim configuration via the Exim Configuration Editor in WHM. This can be done by going to the following option in WHM; it also helps with tracking spam that slipped by and is later reported back to you by way of receiving a copy of the full e-mail headers.
WHM, Main >> Service Configuration >> Exim Configuration Editor >> Advanced Editor
In the first text box on the above page add the following line:
log_selector = +arguments +subject
This step will help generate more detailed Exim logging data.
Ok thanks. I added that text at the bottom of the first text box, and when I saved I received an "invalid syntax error". I then went back into the advanced editor and that exact line is showing in the first box, but at the top (not sure if it was there already and that's why I got the syntax error). The top couple of lines show:
acl_smtp_helo = check_helo
log_selector = +arguments +subject
untrusted_set_sender = *
Where will this show more data to help in the future?
Hi, now you can check the exim main log, where you can get the detailed log and find the cunning script.
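With +arguments and +subject switched on, the extra exim_mainlog lines described above can be mined for the directory that is calling sendmail and for the subjects of the mail it injects. The script below is an added example, not from this thread or from cPanel: its log lines are constructed in Exim's format, the /home/example paths and nobody@server.example are made up, and EXIM_OWN_CWDS is an assumption about which working directories belong to Exim itself.

```python
"""Rank the directories on the box that are spawning mail, from exim_mainlog.
Added example, not from the thread. With `log_selector = +arguments +subject`
Exim writes, for every exim/sendmail invocation, a line of the form
    <date> <time> cwd=<dir> <N> args: <argv ...>
and puts the subject in T="..." on each <= (message received) line. A PHP
script calling mail() shows up with cwd set to the script's own directory,
whereas Exim's queue runners report cwd=/var/spool/exim."""
import re
from collections import Counter

ARGS_RE = re.compile(r"^\S+ \S+ cwd=(\S+) \d+ args: (.*)$")
SUBJECT_RE = re.compile(r' <= .* T="([^"]*)"')
EXIM_OWN_CWDS = {"/var/spool/exim", "/"}  # assumption: Exim's own working dirs

def script_invocations(log_lines):
    """Yield (cwd, argv) for sendmail calls that did not come from Exim itself."""
    for line in log_lines:
        m = ARGS_RE.match(line)
        if m and m.group(1) not in EXIM_OWN_CWDS:
            yield m.group(1), m.group(2)

def rank_sending_dirs(log_lines):
    """Directories ranked by how many times something there invoked sendmail."""
    return Counter(cwd for cwd, _ in script_invocations(log_lines)).most_common()

def rank_subjects(log_lines):
    """Subjects of received messages, most frequent first."""
    subjects = (m.group(1) for m in map(SUBJECT_RE.search, log_lines) if m)
    return Counter(subjects).most_common()

# Constructed sample lines in exim_mainlog format (not real log data).
SAMPLE_LOG = """\
2011-11-27 16:07:42 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1RUlws-0000y8-G1
2011-11-27 16:07:50 cwd=/home/example/public_html/old 3 args: /usr/sbin/sendmail -t -i
2011-11-27 16:07:50 1RUlx0-0000z1-AA <= nobody@server.example U=nobody P=local S=2100 T="Irregular activity on your Credit Card"
2011-11-27 16:07:51 cwd=/home/example/public_html/old 3 args: /usr/sbin/sendmail -t -i
2011-11-27 16:07:51 1RUlx1-0000z2-AB <= nobody@server.example U=nobody P=local S=2100 T="Irregular activity on your Credit Card"
2011-11-27 16:08:03 cwd=/home/example/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2011-11-27 16:08:03 1RUlxD-0000z3-AC <= nobody@server.example U=nobody P=local S=900 T="Website contact form"
"""

if __name__ == "__main__":
    for cwd, n in rank_sending_dirs(SAMPLE_LOG.splitlines()):
        print(f"{n:4d}  {cwd}")
    for subject, n in rank_subjects(SAMPLE_LOG.splitlines()):
        print(f"{n:4d}  {subject!r}")
```

On a live server, feed it `/var/log/exim_mainlog` instead of SAMPLE_LOG; the top directory is where to look for the script.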
Just another quick question if you don't mind. I got an email on my AOL account today that was spam, and it appears to be coming from my server (storksnmore.net) after looking at the headers and such. Also, one of the emails it was sent to is one of my domains. I pasted the header of the email below (which actually came from an AOL address), and I actually get one of these a day. Where must I look specifically now to see where on my server this email spam is being sent from?
Return-Path: <crazzieelilxin@aol.com>
Received: from server.storksnmore.net (storksnmore.net [66.84.12.101]) by mtain-db03.r1000.mx.aol.com (Internet Inbound) with ESMTP id 2CDC13800008A for <captainron19@aol.com>; Wed, 30 Nov 2011 01:23:55 -0500 (EST)
Received: from imr-mb01.mx.aol.com ([64.12.207.164]) by server.storksnmore.net with esmtp (Exim 4.69) (envelope-from <crazzieelilxin@aol.com>) id 1RVdaE-00023S-Hw for ; Wed, 30 Nov 2011 01:23:54 -0500
Received: from mtaomg-db04.r1000.mx.aol.com (mtaomg-db04.r1000.mx.aol.com [172.29.51.202]) by imr-mb01.mx.aol.com (8.14.1/8.14.1) with ESMTP id pAU6NJCT027156; Wed, 30 Nov 2011 01:23:19 -0500
Received: from core-dbc004b.r1000.mail.aol.com (core-dbc004.r1000.mail.aol.com [172.29.48.199]) by mtaomg-db04.r1000.mx.aol.com (OMAG/Core Interface) with ESMTP id 2CFDDE000085; Wed, 30 Nov 2011 01:23:19 -0500 (EST)
To: , , , ,
Content-Transfer-Encoding: quoted-printable
Subject:
X-MB-Message-Source: WebUI
X-MB-Message-Type: User
MIME-Version: 1.0
From:
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-Mailer: AOL Webmail 34945-PHONE
Received: from 172.29.51.24 by webmail-d147.sysops.aol.com (149.174.18.37) with HTTP (WebMailUI); Wed, 30 Nov 2011 01:23:18 -0500
Message-Id: <8CE7D3FAFAA2567-958-108841@webmail-d147.sysops.aol.com>
X-Originating-IP: [172.29.51.24]
Date: Wed, 30 Nov 2011 01:23:19 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com; s=20110426; t=1322634199; bh=SkO69l1+rwDIF8NmbzYgJwTGA4THE6HXuR28LdE+PUI=; h=From:To:Subject:Message-Idate:MIME-Version:Content-Type; b=IaXWOTKRMQe5/ljRf4axdbcdlfMX8fiqSrVCzhIy8BOW468342zaH13SijbJVKYqj 6vekgqYmWD66rv4wdZ9NMmeAkVln8Jp/swQxLttrZdsDoRDBNo4bbHcYqItOds2M4s zo0Il1A9FPqjkUghCw9MrgazZcqWL3hBDI9XEfwE=
X-AOL-SCOLL-SCORE: 0:5:84722008:93952408
X-AOL-SCOLL-URL_COUNT: 0
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server.storksnmore.net
X-AntiAbuse: Original Domain - disneytrivia.net
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - aol.com
x-aol-global-disposition: G
X-AOL-SCOLL-SCORE: 0:5:84722008:93952408
X-AOL-SCOLL-URL_COUNT: 0
X-AOL-SCOLL-AUTHENTICATION: mail_rly_antispam_dkim-d267.2 ; domain : mx.aol.com DKIM : pass
x-aol-sid: 3039ac1d40574ed5cbfb4b31
X-AOL-IP: 66.84.12.101
X-AOL-SPF: domain : aol.com SPF : neutral
http://editoriitaliani.com/blog/wp-content/plugins/extended-comment-options= /wkdn.htm?fnhj=3Dfnhj
Just a little bit more info in case someone has an idea to help out. I found this in the exim_mainlog: I did a search for the email address that the spam was coming through using my server IP and found the instance below.
2011-11-27 16:07:42 H=imr-da04.mx.aol.com [205.188.105.146] Warning: Sender rate 0.0 / 1h
2011-11-27 16:07:42 1RUlws-0000y8-G1 <= H=imr-da04.mx.aol.com [205.188.105.146] P=esmtp S=1942 id=8CE7B5F9EC0AA7B-1684-A32C0@webmail-m136.sysops.aol.com T=""
2011-11-27 16:07:42 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1RUlws-0000y8-G1
2011-11-27 16:07:42 1RUlws-0000y8-G1 => trivia <trivia@disneytrivia.net> R=virtual_user T=virtual_userdelivery
2011-11-27 16:07:43 1RUlws-0000y8-G1 => <trivia@disneytrivia.net> R=lookuphost T=remote_smtp H=mailin-01.mx.aol.com [64.12.90.98]
2011-11-27 16:07:43 1RUlws-0000y8-G1 Completed
2011-11-27 16:09:15 no IP address found for host ip-23-243.powernet.bg
At that exact time I noticed the crazzieelilixin email (where the spam is addressed from), an email address on one of my domains on the server that is also receiving the spam (trivia@disneytrivia.net), and my personal email address (captainron19@aol.com). Yesterday I even changed the password for the domain disneytrivia.net, and today I checked all folders and it appears all scripts using PHP have been removed (except the newer ones that I made using the Coffee Cup form maker).
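The Received: headers pasted in the two posts above can be read mechanically to tell whether server.storksnmore.net originated a message or only accepted it from another MTA and passed it on. The Python below is an added example, not from this thread or from cPanel; its three sample messages are constructed (shortened to their Received: hops, using the hostnames that appear in the thread).

```python
"""Classify how a server came to handle a message, from its Received: headers.
Added example, not from the thread. Each MTA prepends a Received: header, so the
bottom-most one is where the message entered, and Exim's 'with <protocol>' tag
says how: 'local' = a process on the box (e.g. a script calling sendmail),
'esmtpa' = SMTP after a login, plain 'esmtp' from another MTA = relayed."""
import email
import re

HOP_RE = re.compile(
    r"\bfrom\s+(\S+)\s+(?:\([^)]*\)\s+)?by\s+(\S+)(?:\s+\([^)]*\))?(?:\s+with\s+(\S+))?",
    re.IGNORECASE)

def hop_chain(raw_message):
    """Return [(from_host, by_host, protocol), ...], oldest hop first."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append((m.group(1), m.group(2), m.group(3)))
    hops.reverse()
    return hops

def classify(raw_message, host):
    """How `host` first saw the message, or 'not-handled' if it never did."""
    for i, (_frm, by, proto) in enumerate(hop_chain(raw_message)):
        if by != host:
            continue
        proto = (proto or "").lower()
        if proto == "local":
            return "local-injection"           # look for a script on the box
        if proto == "esmtpa":
            return "authenticated-submission"  # a mailbox password is in use
        return "relayed" if i > 0 else f"first-hop-{proto or 'unknown'}"
    return "not-handled"

# Constructed samples: the AOL message from the thread reduced to its hops, a
# locally injected bounce like the first post, and the phishing message's hop.
RELAYED = """\
Received: from server.storksnmore.net (storksnmore.net [66.84.12.101])
 by mtain-db03.r1000.mx.aol.com (Internet Inbound) with ESMTP id 2CDC13800008A
Received: from imr-mb01.mx.aol.com ([64.12.207.164])
 by server.storksnmore.net with esmtp (Exim 4.69) id 1RVdaE-00023S-Hw
Received: from 172.29.51.24 by webmail-d147.sysops.aol.com (149.174.18.37)
 with HTTP (WebMailUI); Wed, 30 Nov 2011 01:23:18 -0500
"""
LOCAL = "Received: from mailnull by server.storksnmore.net with local (Exim 4.69)\n\n"
AUTHED = ("Received: from mail.franyie.com ([74.169.50.226] helo=creditcard.com)\n"
          " by server.storksnmore.net with esmtpa (Exim 4.69) id 1ROqmD-0005DE-E0\n\n")
```

`classify(RELAYED, "server.storksnmore.net")` returns "relayed" (the message came in from AOL's own MTA and went back out), while the phishing copy in the first post classifies as "authenticated-submission", which points at a mailbox login rather than a PHP script.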
I think you should also use an IP blacklist check tool, http://www.spam10.com/dnsbl.aspx, to check if your server IP is recorded as a spam source in DNS blacklists, and remove it as soon as possible. Thanks