# I'm Spamming?!?!?



## Ruler2112 (Aug 5, 2010)

I've been off work for almost 2 months due to a concussion.  When I got back, I learned that the mail server I run for my company had been blacklisted twice over the last week due to sending out spam.  I have SASL enabled and sending mail to a domain other than mine is only allowed on a non-standard port, which requires TLS encryption.  I require a good password for all the users on my box.

The postmaster account received a message from junkemailfilter.com with a piece of spam that apparently originated from my server's IP.  I looked through the maillogs for the past 3 weeks and there is no record of any messages being sent to the address in the message.  There is no user on my system that the spam says the message came from (the FROM address), nor is there any reference to that user name in my logs.

I did notice that on the day in question, there was an inordinate amount of spam coming *in* to my box, almost all of which was blocked by the spamhaus zen RBL and postgrey.  Most of what got through bounced because they were addressed to bogus/random accounts that did not exist.

My question is, how did I get blacklisted?  How is it that my logs show nothing related to the spam forwarded back to my postmaster account?  This is the first time I've had something like this happen to my system in the ~3 years it's been live and am somewhat at a loss as to what to do next.


----------



## wblock@ (Aug 5, 2010)

If the system was sending spam, you might not get anything back to postmaster.  Many people don't bother reporting spam any more.

Do you have PHP on that server?  It wouldn't be in the maillog if sendmail didn't send it.

Does the forwarded spam have headers?

Most importantly, are you on any other block lists?

Also:

http://www.sdsc.edu/~jeff/spam/cbc.html


----------



## DutchDaemon (Aug 5, 2010)

Are you sure it isn't 'bounce spam'? This is a tactic where a spammer sends out a large amount of messages to random and known-to-bounce addresses, but with real From addresses (actually, <Return-Path> addresses). The bounces then bounce 'back' to the 'senders', which are more likely to accept the spam because it's from an unsuspected source (the bouncing bona-fide mailserver) and sent from an empty address (<>) or a specific role address (bounce@, postmaster@), which are usually exempted from spam filtering. And, of course, the spammer is nowhere to be found when the spam effectively flows between two unsuspecting and uninvolved parties. This might not have happened at all in your case, but it's something you might want to take a look at.


----------



## phoenix (Aug 6, 2010)

You definitely want to do some research into the junkemailfilter.com blacklist to make sure it's legit.  If it is, then contact the list administrator for more information on why you are listed, and to make sure you are listed correctly.

Personally, I've never heard of junkemailfilter.com, and would consider it suspect (phishing, perhaps?) without further investigation.


----------



## kpa (Aug 6, 2010)

If someone is accusing you of spamming and all they have is just one message that only looks to have originated from you and no real evidence in the form of received headers/log entries, just ignore it.

You can check if your mail server is blacklisted by any of the more reputable blacklists here:

http://www.dnsbl.info/

Edit: Are you actually using junkemailfilter.com's service and was your server really blocked from sending email?


----------



## Ruler2112 (Aug 6, 2010)

I do have PHP installed (for squirrelmail), and was not aware that mail sent with it would not be in the maillog.  How would I go about testing for such a vulnerability and closing it?

It does not appear to be bounce spam - I thought of that, but the message looks like any other spam message about sex pills from Russia.

I had not heard of junkemailfilter.com before and do not use it.  They're just the one who sent a notice to me that I was spamming.  There are very few headers included in the sample message they sent me.

I was indeed blocked by the barracuda reputation thing, AT&T, and hotmail, so I'm guessing that somebody did indeed find a chink in my system and is exploiting it.

<sigh>  I hate spammers.


----------



## Ruler2112 (Aug 9, 2010)

I was blacklisted again over the weekend by several sites.

How would I go about finding if somebody is exploiting a flaw in PHP or the like???  My httpd-error.log files show that people are trying to access all sorts of files that are not on my web server for different versions of PHP, and there's nothing in any of my maillogs about the spam sent back to me, so I think that's likely the cause of the problems.  I don't know anything about PHP though, so don't even know where to look to find problems.

Log sample - the IP shown is from China:


```
61.152.207.5 - - [09/Aug/2010:13:01:49 -0400] "GET /phpMyAdmin-2.5.5-rc1/scripts/setup.php HTTP/1.1" 404 236 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
61.152.207.5 - - [09/Aug/2010:13:01:49 -0400] "GET /phpMyAdmin-2.5.5-rc2/scripts/setup.php HTTP/1.1" 404 236 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
61.152.207.5 - - [09/Aug/2010:13:01:49 -0400] "GET /phpMyAdmin-2.5.5/scripts/setup.php HTTP/1.1" 404 232 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
61.152.207.5 - - [09/Aug/2010:13:01:50 -0400] "GET /phpMyAdmin-2.5.6-rc1/scripts/setup.php HTTP/1.1" 404 236 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
61.152.207.5 - - [09/Aug/2010:13:01:50 -0400] "GET /phpMyAdmin-2.5.6-rc2/scripts/setup.php HTTP/1.1" 404 236 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
61.152.207.5 - - [09/Aug/2010:13:01:50 -0400] "GET /phpMyAdmin-2.5.6/scripts/setup.php HTTP/1.1" 404 232 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
61.152.207.5 - - [09/Aug/2010:13:01:51 -0400] "GET /phpMyAdmin-2.5.7-pl1/scripts/setup.php HTTP/1.1" 404 236 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
61.152.207.5 - - [09/Aug/2010:13:01:51 -0400] "GET /phpMyAdmin-2.5.7/scripts/setup.php HTTP/1.1" 404 232 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
<many, many, many more like this, and then...>
61.152.207.5 - - [09/Aug/2010:13:02:18 -0400] "GET /phpmy/scripts/setup.php HTTP/1.1" 404 221 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
61.152.207.5 - - [09/Aug/2010:13:02:19 -0400] "GET /phpmyad-sys/scripts/setup.php HTTP/1.1" 404 227 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
61.152.207.5 - - [09/Aug/2010:13:02:19 -0400] "GET /phpmyad/scripts/setup.php HTTP/1.1" 404 223 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
61.152.207.5 - - [09/Aug/2010:13:02:19 -0400] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 226 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
61.152.207.5 - - [09/Aug/2010:13:02:20 -0400] "GET /phpmyadmin2/scripts/setup.php HTTP/1.1" 404 227 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
61.152.207.5 - - [09/Aug/2010:13:02:20 -0400] "GET /pma/scripts/setup.php HTTP/1.1" 404 219 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
61.152.207.5 - - [09/Aug/2010:13:02:20 -0400] "GET /pma2005/scripts/setup.php HTTP/1.1" 404 223 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
```


Here are the headers for one of the spam message samples that was sent back to me by junkemailfilter.com; I replaced the IP/machine name and have notes inline with all CAPS:


```
======== Original Headers ========

Received: from mail.MYDOMAIN.com ([MYIPADDRESS] helo=MYDOMAIN.com)
        by pascal.junkemailfilter.com with esmtp (Exim 4.72)
        id 1OhieI-0005BU-2d on interface=65.49.42.60
        for old_black@crunet.com; Sat, 07 Aug 2010 05:37:14 -0700
From: <eveveke3351@MYDOMAIN.com>
     EVEVEKE3351 IS NOT A VALID ACCOUNT ON MY BOX
To: old_black@crunet.com
     NEITHER EVEVEKE, OLD_BLACK, OR CRUNET.COM ARE LISTED ANYWHERE IN MY MAILLOG FOR THE PAST 2+ WEEKS
Date: Sat, 7 Aug 2010 08:37:10 -0400
Subject: Leak right into her mouth
Reply-To: <eveveke3351@MYDOMAIN.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Sender-Domain: MYDOMAIN.com
X-Spamfilter-host: pascal.junkemailfilter.com - http://www.junkemailfilter.com
X-Mail-from: eveveke3351@MYDOMAIN.com
X-Spam-Class: SPAM-HIGH-VERY - MULTI-BLACKLIST - [S=9 - rep.mailspike.net
cbl.abuseat.org bl.spamcop.net] -  OurBl BlList - X=pascal H=mail.graffsales.com
[MYIPADDRESS] HELO=[MYDOMAIN.com] F=[eveveke3351@MYDOMAIN.com]
T=[old_black@crunet.com] S=[Leak right into her mouth]
X-Honeypot: Yes - MULTI-BLACKLIST - [S=9 - rep.mailspike.net cbl.abuseat.org
bl.spamcop.net] -  OurBl BlList - X=pascal H=mail.MYDOMAIN.com [MYIPADDRESS]
HELO=[MYDOMAIN.com] F=[eveveke3351@MYDOMAIN.com] T=[old_black@crunet.com]
S=[Leak right into her mouth]
X-Abuse-email: 
X-Abuse-email: postmaster@MYDOMAIN.com
X-Sender-Host-Address: MYIPADDRESS
X-Sender-Host-Name: mail.MYDOMAIN.com
X-Original-helo: MYDOMAIN.com
```

sockstat -l does not show anything out of the ordinary.

The only odd thing in /var/log/messages is the following - the IPs are from Taiwan:


```
Aug  7 12:07:05 graffsales kernel: icmp redirect from 61.219.191.226: 61.219.191.228 => 61.219.191.228
Aug  7 12:07:05 graffsales kernel: icmp redirect from 61.219.191.226: 61.219.191.227 => 61.219.191.227
```

I'm frankly at a loss as to what to do next.  I'm currently in the process of updating all the ports that went out of date during the time I was off with my concussion (apache, php, python, amavisd-new, squirrelmail, some libraries and perl modules), but I don't have much confidence in it solving the problem.  The only problems reported by portaudit were a DOS vulnerability in apache22 and an infinite loop in cabextract.

My apologies if this is something I should know.  (My memory definitely isn't right since I hit my head - I'm trying to work through the pain and mental problems I'm still having.)  I appreciate any help.


----------
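A report like the one posted above can be triaged by checking whether any Received header was stamped by your own MTA and whether the recipient appears in the maillog. The following is an added example, not part of the original thread: `example.com` and `192.0.2.10` stand in for the redacted domain and IP, and the maillog lines are constructed in an assumed Postfix-style format.

```python
import re
from email import message_from_string

# Constructed sample modelled on the report in the post; example.com and
# 192.0.2.10 are placeholders for the redacted domain and IP.
REPORT = """\
Received: from mail.example.com ([192.0.2.10] helo=example.com)
        by pascal.junkemailfilter.com with esmtp (Exim 4.72)
        id 1OhieI-0005BU-2d on interface=65.49.42.60
        for old_black@crunet.com; Sat, 07 Aug 2010 05:37:14 -0700
From: <eveveke3351@example.com>
To: old_black@crunet.com
Subject: sample

"""

# Constructed maillog excerpt (Postfix-style lines, assumed format).
MAILLOG = [
    "Aug  7 08:30:01 mail postfix/smtp[812]: 4F2A1: to=<bob@example.net>, relay=mx.example.net[198.51.100.7]:25, status=sent",
    "Aug  7 08:41:13 mail postfix/smtpd[901]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <xq12@example.com>: Recipient address rejected",
]

BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)
FROM_RE = re.compile(r"^from\s+(\S+)\s+\(\[([0-9a-fA-F.:]+)\]", re.I)

def received_hops(raw):
    """Return [(from_name, from_ip, by_host)] per Received header, newest first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        by = BY_RE.search(flat)
        frm = FROM_RE.search(flat)
        hops.append((frm.group(1) if frm else None,
                     frm.group(2) if frm else None,
                     by.group(1).lower() if by else None))
    return hops

def triage(raw, maillog, local_mtas, my_ip, rcpt):
    """Classify a reported message by how it left (or did not leave) our network."""
    hops = received_hops(raw)
    stamped_by_us = any(by in local_mtas for _, _, by in hops)
    arrived_from_us = bool(hops) and hops[0][1] == my_ip
    logged = any(f"to=<{rcpt}>" in line for line in maillog)
    if arrived_from_us and not stamped_by_us and not logged:
        return "direct-from-ip"    # left our address without passing through our MTA
    if stamped_by_us or logged:
        return "relayed-by-mta"
    return "not-from-us"
```

A `direct-from-ip` result means something behind that address spoke SMTP to the remote server itself, which is why the maillog stays empty; a reporter that strips headers can produce the same picture, so the maillog check is the stronger of the two signals.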



## Ruler2112 (Aug 10, 2010)

I think I was able to figure this one out.  Turns out that a machine that accesses the wifi hotspot that the mail server feeds was infected with Rustock - a stealth rootkit that sends spam.  I've since updated the firewall on the server and have tested that outgoing traffic destined for port 25, no matter which port it originates on, is now blocked.  Still haven't ascertained which device is infected, but it's not my admin box or either of the two employees who use the wifi - I really don't care if our customers are infected, though it is kind of embarrassing that they caused me to be blacklisted.


----------
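The post above leaves open which hotspot client is infected. One way to narrow it down is to capture on the hotspot-facing interface (for instance with `tcpdump -n -i <interface> 'tcp dst port 25'`) and count SYNs to port 25 per internal source. This is an added example, not part of the original thread: the capture lines are constructed, and the 192.168.10.0/24 subnet and the internal relay at 192.168.10.2 are assumptions.

```python
import re
from collections import defaultdict

# Constructed capture in the text format `tcpdump -n` prints for TCP packets.
# 192.168.10.0/24 is an assumed hotspot subnet; 192.168.10.2 an assumed relay.
CAPTURE = """\
13:01:49.100001 IP 192.168.10.23.49152 > 203.0.113.5.25: Flags [S], seq 1, win 65535, length 0
13:01:49.100950 IP 203.0.113.5.25 > 192.168.10.23.49152: Flags [S.], seq 9, ack 2, win 5840, length 0
13:01:49.310000 IP 192.168.10.23.49153 > 198.51.100.7.25: Flags [S], seq 1, win 65535, length 0
13:01:49.520000 IP 192.168.10.23.49154 > 198.51.100.99.25: Flags [S], seq 1, win 65535, length 0
13:01:50.000000 IP 192.168.10.2.51000 > 198.51.100.7.25: Flags [S], seq 1, win 65535, length 0
13:01:50.200000 IP 192.168.10.40.50001 > 203.0.113.80.443: Flags [S], seq 1, win 65535, length 0
13:01:51.000000 IP 192.168.10.23.49155 > 203.0.113.5.25: Flags [S], seq 1, win 65535, length 0
13:01:52.000000 IP 192.168.10.40.50002 > 198.51.100.7.25: Flags [S], seq 1, win 65535, length 0
"""

# Match connection attempts only: a pure SYN prints as "[S]", a SYN-ACK as "[S.]".
SYN_RE = re.compile(
    r"^\S+ IP (\d+(?:\.\d+){3})\.\d+ > (\d+(?:\.\d+){3})\.(\d+): Flags \[S\]"
)

def direct_smtp_senders(capture, allowed=(), min_dests=3):
    """Return [(source_ip, syn_count, distinct_destinations)] for sources that
    opened port-25 connections to at least min_dests different servers.

    Sources in `allowed` (hosts permitted to send mail directly) are skipped.
    A single destination is typical of a mail client; many distinct
    destinations in a short window is the direct-to-MX pattern of a spam bot.
    """
    attempts = defaultdict(int)
    dests = defaultdict(set)
    for line in capture.splitlines():
        m = SYN_RE.match(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(2), m.group(3)
        if dport != "25" or src in allowed:
            continue
        attempts[src] += 1
        dests[src].add(dst)
    flagged = [(s, attempts[s], len(dests[s])) for s in attempts
               if len(dests[s]) >= min_dests]
    return sorted(flagged, key=lambda row: (-row[1], row[0]))
```

With outbound port 25 blocked at the server, the SYNs still arrive on the hotspot-facing interface, so the capture keeps identifying the source while the block keeps the traffic from leaving.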



## wblock@ (Aug 11, 2010)

Ruler2112 said:

> ... I really don't care if our customers are infected, though it is kind of embarrassing that they caused me to be blacklisted.



That's exactly why you should care.  Not only is it bad for the world in general, it can cause direct problems for you.


----------

