
Fraudulent/Spam emails being sent from my server

Discussion in 'Security' started by riotz, Oct 5, 2007.

  1. #1
    OK so I got an email from the abuse department of my host, saying that my dedicated server is being used to send out fraudulent/spam emails. I'm sort of thinking that they're full of it, because I don't use the server as a mailserver (I use the host's mail system instead), the server is secured against being an open relay, and there's no other evidence that the box has been hacked to empty the mail logs, which, as best I can tell, are empty.

    Here's a copy of the sample they sent me (my IP is 74.208.78.180, which you'll find towards the end of the headers):

      Return-Path: <davep32@cox.net>
      Received: from cdptpa-mxlb.mail.rr.com ([75.180.132.243])
                by cdptpa-imta06.mail.rr.com with ESMTP
                id
      <20070930200705.UHYJ27366.cdptpa-imta06.mail.rr.com@cdptpa-mxlb.mail.rr.com>
                for <rcflyer3@neo.rr.com>; Sun, 30 Sep 2007 20:07:05 +0000
      X-IronPort: cdptpa-mx03.mail.rr.com 172582339
      X-RR-Connecting-IP: 68.230.241.45
      Received: from fed1rmmtao101.cox.net ([68.230.241.45])
        by cdptpa-mxlb.mail.rr.com with ESMTP; 30 Sep 2007 20:07:04 +0000
      Received: from fed1rmimpo01.cox.net ([70.169.32.71])
                by fed1rmmtao101.cox.net
                (InterMail vM.7.08.02.01 201-2186-121-102-20070209) with ESMTP
                id
      <20070930200705.EMTV13309.fed1rmmtao101.cox.net@fed1rmimpo01.cox.net>;
                Sun, 30 Sep 2007 16:07:05 -0400
      Received: from fed1wml12.mgt.cox.net ([172.18.180.10])  by fed1rmimpo01.cox.net with bizsmtp  id uk721X00P0DrMWL0000000; Sun, 30 Sep 2007 16:07:03 -0400
      Received: from 74.208.78.180 by webmail.west.cox.net; Sun, 30 Sep 2007
      16:07:02 -0400
      Message-ID: <20070930160703.3X4XE.32023.root@fed1wml12.mgt.cox.net>
      Date: Sun, 30 Sep 2007 13:07:03 -0700
      From: 2007 TOYOTA LOTTERY <davep32@cox.net>
      Subject: Donation Award Winner
      MIME-Version: 1.0
      Content-Type: text/plain; charset=utf-8
      Content-Transfer-Encoding: 7bit
      X-Priority: 3 (Normal)
      Sensitivity: Normal
       
      This is to notify you that you have been chosen By the Board of trustees of the above International charity organization based in the Italy as one of the final recipients of a Cash Grant/Donation for your own personal,education and business development.
      In line with the 28 years anniversary program this year,the Vittorio Foundation in conjunction with the Economic community for West Africa States (ECOWAS),United Nations Organization (UNO) and th
      
    What I want to know is: is this crap REALLY coming from my server, and if so, how? And what would be a good process to follow to lock this problem down?
     
    riotz, Oct 5, 2007 IP
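An added example (my code, not from the thread) that walks the Received chain of the sample above in transit order, so you can see which server first recorded 74.208.78.180. It assumes only the header lines quoted from the post:

```python
import re

# Received lines quoted from the sample in the post above (other headers dropped);
# the bare "<...>" id lines lost their indentation when the post was pasted.
SAMPLE_HEADERS = """\
Received: from cdptpa-mxlb.mail.rr.com ([75.180.132.243])
          by cdptpa-imta06.mail.rr.com with ESMTP
          id
<20070930200705.UHYJ27366.cdptpa-imta06.mail.rr.com@cdptpa-mxlb.mail.rr.com>
          for <rcflyer3@neo.rr.com>; Sun, 30 Sep 2007 20:07:05 +0000
Received: from fed1rmmtao101.cox.net ([68.230.241.45])
  by cdptpa-mxlb.mail.rr.com with ESMTP; 30 Sep 2007 20:07:04 +0000
Received: from fed1rmimpo01.cox.net ([70.169.32.71])
          by fed1rmmtao101.cox.net
          (InterMail vM.7.08.02.01 201-2186-121-102-20070209) with ESMTP
          id
<20070930200705.EMTV13309.fed1rmmtao101.cox.net@fed1rmimpo01.cox.net>;
          Sun, 30 Sep 2007 16:07:05 -0400
Received: from fed1wml12.mgt.cox.net ([172.18.180.10])  by fed1rmimpo01.cox.net with bizsmtp  id uk721X00P0DrMWL0000000; Sun, 30 Sep 2007 16:07:03 -0400
Received: from 74.208.78.180 by webmail.west.cox.net; Sun, 30 Sep 2007
16:07:02 -0400
Message-ID: <20070930160703.3X4XE.32023.root@fed1wml12.mgt.cox.net>
"""

FIELD = re.compile(r"^[A-Za-z][A-Za-z0-9-]*:")  # a line that starts a new header field
HOP = re.compile(r"from\s+([^\s;()]+)(?:\s+\(\[([\d.]+)\]\))?.*?\bby\s+([^\s;()]+)", re.S)

def unfold(raw):
    """Join folded header lines; a line that cannot start a field is a continuation."""
    fields = []
    for line in filter(str.strip, raw.splitlines()):
        if fields and (line[0] in " \t" or not FIELD.match(line)):
            fields[-1] += " " + line.strip()
        else:
            fields.append(line.rstrip())
    return fields

def received_chain(raw):
    """Hops as (from, bracketed ip or None, by), oldest first. In header order, hops above
    the one written by a server you trust are reliable; hops below it were already inside
    the message when that server got it and may be forged."""
    hops = []
    for field in unfold(raw):
        if field.lower().startswith("received:"):
            m = HOP.search(field)
            if m:
                hops.append((m.group(1), m.group(2), m.group(3)))
    hops.reverse()
    return hops
```

The earliest hop was recorded by cox.net's webmail host, so it describes a webmail session from 74.208.78.180 rather than SMTP traffic leaving the server, which is worth remembering when deciding what to capture on the box.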
  2. Colbyt

    Colbyt Notable Member

    #2
    I just read a post along these lines here or at another forum. Check your logs. Apparently it is possible for some scammers to do this. The solution seemed to be to ban the IPs in question.

    It is also possible to fake headers and your server may not be involved at all.
     
    Colbyt, Oct 5, 2007 IP
  3. riotz

    riotz Peon

    #3
    That's what I was thinking, that the headers were fake.

    I've checked my mail logs - they're totally empty.
     
    riotz, Oct 5, 2007 IP
  4. Colbyt

    Colbyt Notable Member

    #4
    Colbyt, Oct 5, 2007 IP
  5. riotz

    riotz Peon

    #5
    My bad, I was looking in the wrong place for the logs. It seems my server is set up to put the logs somewhere other than the usual place.

    But that other thread is also a likely candidate, something else to try at least :)

    Thanks :)
     
    riotz, Oct 5, 2007 IP
  6. Ladadadada

    Ladadadada Peon

    #6
    Spammers rarely show any restraint when sending spam. They're most likely to send spam out of your server as hard and fast as they can until they get caught. You will likely be able to see spikes on your bandwidth usage if they are actually using your system to send spam.

    Another way to test this is to run tcpdump. Run the command below and it will spit out any connections to port 25 (SMTP) from your computer to any other computer or from any other computer to yours.

    sudo tcpdump -i eth0 port 25
    This is no guarantee that you haven't been hacked, but it's a quick and easy test that will most likely expose what your system is actually doing. If you do see some traffic, you can add "-A -s 0" to make tcpdump output the entire packet. Like this:

    sudo tcpdump -i eth0 -A -s 0 port 25
    If you see spammy looking content, then your server is contributing to the problem.

    I hope this eases your mind a little; it's very difficult to prove that you have not been hacked, but it's usually quite easy to spot when you have.

    Good luck,
    Dave.
     
    Ladadadada, Oct 5, 2007 IP
  7. inworx

    inworx Peon

    #7
    If you're hosting any users, add the exim domain in the header as well as anti-abuse info.
     
    inworx, Oct 20, 2007 IP
  8. hans

    hans Well-Known Member

    #8
    Server abuse is possible for mailing spam since every server has mail services enabled for internal service mail to root or server owners.
    Hence all a hacker needs to do is get into your server space by any means, such as a forum or any upload facility you might have, or any means to publish posts or comments that remains open for hackers.

    A long time ago on my previous host I was a victim - multiple times, because at that time I was even more ignorant and more stupid and used software open for hackers.
    Later I analyzed the software the hackers uploaded and among the known shells I also saw a mailer software used to send out mass mails through the server system's mail program.

    To analyze your server you need access to ALL logs: apache logs, error logs, mail logs, etc.
    You need IPs, etc. related to the sending of mails,
    and LOTS of time to visually go through the lines as well as search using grep / zgrep once you have the first clues or suspicious data to start expanding your research.

    Start at TIMES nearest to and before the sending time of the mails - the one your host sent you.
    Look at access log files.
    Look at files used other than your CONTENT files,
    such as index.php or OTHER URLs in your web space NOT belonging to your content, since most of the hackers enter your site via browser once the phishing site is set up,
    hence you have regular http requests and a number of files being requested NOT belonging to your regular content.
    These files, once used, often may be deleted AFTER successful hacker use - hence all that is left might be access_log entries,
    OR sometimes hackers leave some or all of the files installed for LATER reuse ...

    If you have a root server, then you have direct access to all logs.

    One way to start is within the folders / subfolders of ANY forum or other active SW allowing login OR upload you might have installed.
    Google with the NAMES / versions of all your SW packages in use for your site; a typical google search may be

    your_SW/version security alert
    Do a Google search for all SW you have, from blog to any SW somehow in use - make sure every published security alert/bug is fixed by YOU.

    After my last such incident - I took TIME - some 4 weeks and MANY hundred hours, day and night, to STUDY until I understood, to fix until solved, to change and secure as solidly as possible - then I moved to my own server for even better security control.

    If your host says YOU are sending mail/spam - chances are you really are, since your host has log files you normally have NO access to unless you have a ROOT server and access to ALL files!!!
     
    hans, Oct 21, 2007 IP
  9. riotz

    riotz Peon

    #9
    Thanks for the info, that gives me more to work with. I am running a root server, so I have access to all the logs. I think the problem has stopped for now, haven't heard anything back from the host about any further complaints. I ran the packet trace, or whatever you want to call it, as suggested before, after shutting down the open relays and such, left it overnight and didn't notice any suspicious mail activity (any mail activity at all, in fact).

    I think the problem was also compounded by the fact that I had forgotten to change the default mail address for my server from default-domain.com, which is actually a domain redirected to my webhost, so all the bounced-back emails and complaints were going there and not to me. LMAO, so that might be why they jumped on me so quickly.
     
    riotz, Oct 23, 2007 IP
  10. hans

    hans Well-Known Member

    #10
    In my experience of the past many years,
    such hackers work in intervals:
    one session is enough to send tens of thousands or millions of mails within minutes or hours,
    then a few or several MONTHS break to let you feel secure,
    then they RE-use the same security bug again when you have lost your watch and become negligent again ... believing all is fine.

    If hackers have been present on the server
    then you will find traces in the access logs OR error logs or other logs like var/log/warn or /var/log/messages.
    The first several times it happened to me many years ago - my host informed me - I deleted the files my host pointed out - and I believed all to be fine
    until much later when I spent the hundreds of hours to research until I found.

    I have also noticed that often such hacker activities take place on holidays (xmas) or weekends when many webmasters reduce their watch;
    a single hour or even less is enough for them to run a full session.

    The current server / file system may show no evidence nor strange files - the only typical place to find traces is old logs ...

    Just take your time
    and ask your host for ANY and all help they have, any evidence they may have, logs or other hints that might help you - even exact times for example or IPs involved.

    In all known cases I have heard of so far - the ORIGINAL beginning of a first hacker session always was a google search = hence a google referral with that search query in the referrer string of the access_log;
    the query string included a name of the software they needed to hack ..

    Hence one method to search your system and logs would be to search ALL - really ALL, even back to the earliest time of your root server - old access_logs using grep / zgrep for all and ANY google search queries - then visually search through and look if any strange query occurs - a name of a path or tool or SW you have or had.
     
    hans, Oct 23, 2007 IP
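hans' procedure from posts #8 and #10 (search old access_logs for Google referrals naming your software, and for requests to files that are not your content) as an added example of mine, not anything from the thread; the log lines and the KNOWN_CONTENT list are constructed:

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access_log lines (Apache combined format); not taken from the thread.
SAMPLE_LOG = """\
203.0.113.9 - - [30/Sep/2007:15:40:02 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.9 - - [30/Sep/2007:15:41:10 -0400] "GET /forum/index.php HTTP/1.1" 200 9011 "http://www.google.com/search?q=exampleforum+1.2+upload+bug" "Mozilla/4.0"
203.0.113.9 - - [30/Sep/2007:15:52:47 -0400] "POST /forum/profile.php HTTP/1.1" 200 311 "-" "Mozilla/4.0"
203.0.113.9 - - [30/Sep/2007:15:55:03 -0400] "GET /forum/uploads/mailer.php?go=1 HTTP/1.1" 200 44 "-" "Mozilla/4.0"
198.51.100.7 - - [30/Sep/2007:16:02:19 -0400] "GET /forum/viewtopic.php?t=12 HTTP/1.1" 200 7723 "http://www.google.com/search?q=exampleforum+how+to+post" "Mozilla/5.0"
"""

# Paths that belong to the site's own content (hypothetical list; build yours from the
# files you actually deployed).
KNOWN_CONTENT = {"/index.php", "/forum/index.php", "/forum/viewtopic.php", "/forum/profile.php"}

LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
                  r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "[^"]*"$')

def records(log):
    """Parsed log entries, skipping lines that do not match the combined format."""
    return [m.groupdict() for m in map(LINE.match, log.splitlines()) if m]

def google_queries(log):
    """(ip, time, query) for each hit that arrived from a Google search: hans' first clue."""
    out = []
    for rec in records(log):
        ref = urlsplit(rec["ref"])
        if ref.netloc.endswith("google.com") and ref.path == "/search":
            out.append((rec["ip"], rec["time"], parse_qs(ref.query).get("q", [""])[0]))
    return out

def unexpected_requests(log, known=KNOWN_CONTENT):
    """(ip, method, path) for hits on paths that are not part of your published content."""
    return [(r["ip"], r["method"], urlsplit(r["url"]).path)
            for r in records(log) if urlsplit(r["url"]).path not in known]

def ips_of_interest(log):
    """IPs that both came in via a search query and touched a path you never published."""
    return {ip for ip, _, _ in google_queries(log)} & {ip for ip, _, _ in unexpected_requests(log)}
```

Run it over `zcat`-ed rotated logs as well as the live one, since the interesting session is usually months old by the time the complaint arrives.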
  11. authonet

    authonet Banned

    #11
    Cut the number of emails allowed down to 25 per hour (WHM, under Tweak Settings), disallow PHP from 'nobody', and try serverconfigs' spam blocker.
     
    authonet, Oct 29, 2007 IP
  12. Fash

    Fash Peon

    #12
    Scan some of your directories for files like "root.php" or "hacked.php", etc. Spammers are almost always stupid when they upload things like this, so it's fairly easy to identify their scripts based on the file name. Upload directories (usually CHMOD'd to 777) are also notorious for this kind of thing. If you see any out-of-place PHP files in any writable directories, check them out and if they are suspicious, either post them here or delete them.
     
    Fash, Oct 29, 2007 IP
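The directory sweep Fash describes, as an added example (mine, not Fash's): it flags PHP files that sit in a world-writable directory or carry one of the names from the post. The web root it scans is a temporary fixture it builds itself, and the SUSPICIOUS_NAMES list is just the two names above:

```python
import os
import stat
import tempfile

# File names the post mentions; extend with whatever you find (constructed list).
SUSPICIOUS_NAMES = {"root.php", "hacked.php"}

def find_suspicious_php(root):
    """(relative path, reason) for every .php file that either sits in a world-writable
    directory (the 777 upload dirs the post mentions) or carries a tell-tale name."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        writable = bool(os.stat(dirpath).st_mode & stat.S_IWOTH)
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            if writable:
                reason = "php in world-writable dir"
            elif name.lower() in SUSPICIOUS_NAMES:
                reason = "suspicious name"
            else:
                continue
            hits.append((os.path.relpath(os.path.join(dirpath, name), root), reason))
    return sorted(hits)

def build_fixture():
    """Constructed web root: legitimate scripts, a 777 uploads dir holding a stray .php,
    and a 'root.php' dropped next to the forum code."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "forum", "uploads")
    os.makedirs(uploads)
    for rel in ("index.php", "forum/index.php", "forum/uploads/photo.jpg",
                "forum/uploads/x.php", "forum/root.php"):
        open(os.path.join(root, rel), "w").close()
    os.chmod(os.path.join(root, "forum"), 0o755)  # normal code dir
    os.chmod(uploads, 0o777)                      # the classic upload dir
    return root

if __name__ == "__main__":
    for path, reason in find_suspicious_php(build_fixture()):
        print(f"{path}: {reason}")
```

Point find_suspicious_php at your real document root and review each hit by hand before deleting anything, as the post suggests.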
  13. Fahd

    Fahd Well-Known Member

    #13
    Fahd, Oct 29, 2007 IP