I think I am being used as a relay for spam

Discussion regarding the Standard version.
pcs800
Posts: 99
Joined: Mon Nov 07, 2005 7:58 pm

I think I am being used as a relay for spam

Post by pcs800 »

I have relay enabled because I have a php form or two that need to send emails when filled out. Since php.ini has no SMTP authentication fields, I have to enable relay.
I have enabled relay for 127.0.0.1 only, so it seems this would stop any spammers from sending bulk through my server.
BUT, I keep getting tons of returned email to one of my addresses that I never sent.
I can provide screen shots or whatever it takes to get this resolved, please help.
Eric

pqxl
Posts: 48
Joined: Mon May 15, 2006 12:01 pm

Post by pqxl »

Returned mail only means someone used your email address as the sender or reply-to address.

You can sign up with these and test your server to see if it is an open relay:

http://www.abuse.net/relay.html

Note that usually it fails on the last test if you have a catch-all defined; that doesn't mean it's an open relay, but the other tests should be blocked.

DO NOT use ordb.org since you will be instantly black listed before you have chance to fix any problems.

pcs800
Posts: 99
Joined: Mon Nov 07, 2005 7:58 pm

re

Post by pcs800 »

Thanks, I will try that now.
How might I find out who is using my address as a return?

Toepes
Posts: 13
Joined: Mon May 15, 2006 10:31 am

Post by Toepes »

I have the same problem. It looks like a PHP script that is sending the mail out, as it uses the sender address that is used in PHP ini.

I searched all hosted websites, but can't find the source.

I also need to have the localhost 127.0.0.1 be able to send mail for some websites.

Even if I disable this localhost in the "allow relay from" the mails keep on going out. Sometimes several times a day :?

pcs800
Posts: 99
Joined: Mon Nov 07, 2005 7:58 pm

re

Post by pcs800 »

The return address of mine that was being used is not the one specified in php.ini

Toepes
Posts: 13
Joined: Mon May 15, 2006 10:31 am

Post by Toepes »

This is what I posted in the forum for MailEnable Professional & Webmail; this problem is not limited to any version, I think.


http://forum.mailenable.com/viewtopic.p ... 92&start=0

pqxl
Posts: 48
Joined: Mon May 15, 2006 12:01 pm

Post by pqxl »

So, why do you think this is a configuration issue in mailenable when you obviously have a php script on your server sending out spam ?

Anything located on your servers can be malicious, this is a basic thing to understand, if you cannot or do not want to prevent malicious scripts on your server you have no chance of getting to the bottom of this.

I would suggest you disable the possibility to send emails until you can figure it out, or limit the number of outgoing emails, the number of recipients and so on.

Toepes
Posts: 13
Joined: Mon May 15, 2006 10:31 am

Post by Toepes »

I never said it is a configuration issue, I am quite sure it is a script. Problem is finding it as there are 70+ domains hosted.

A trojan hunter didn't find anything, and a search in several domains wasn't successful as well.

Toepes
Posts: 13
Joined: Mon May 15, 2006 10:31 am

Post by Toepes »

Well, problem is that it is sent from local. And I can't find what is starting this. It must be a PHP script. This is just a little piece of the logfile.

See log below.

06/04/06 14:05:27 SMTP-IN A12B220BA1D845BFA45DE136DCDD6EE6.MAI 452 127.0.0.1 DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 46 6
06/04/06 14:05:28 SMTP-IN 92CDAA1425EB41C5AA61469D7A646123.MAI 452 127.0.0.1 QUIT QUIT 221 Service closing transmission channel 42 6
06/04/06 14:05:28 SMTP-IN 8C987112A0B648BABCBEB5F3E8DB3062.MAI 468 127.0.0.1 220 servername.address from PHP.ini ESMTP MailEnable Service, Version: 1.95-- ready at 06/04/06 14:05:28 0 0
06/04/06 14:05:28 SMTP-IN 8C987112A0B648BABCBEB5F3E8DB3062.MAI 468 127.0.0.1 HELO HELO servername 250 Requested mail action okay, completed 43 10
06/04/06 14:05:28 SMTP-IN 8C987112A0B648BABCBEB5F3E8DB3062.MAI 468 127.0.0.1 MAIL MAIL FROM:<address from PHP.ini > 250 Requested mail action okay, completed 43 44
06/04/06 14:05:28 SMTP-IN 8C987112A0B648BABCBEB5F3E8DB3062.MAI 468 127.0.0.1 RCPT RCPT TO:<abranohana@msn.com> 250 Requested mail action okay, completed 43 30
06/04/06 14:05:28 SMTP-IN 8C987112A0B648BABCBEB5F3E8DB3062.MAI 468 127.0.0.1 DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 46 6
06/04/06 14:05:28 SMTP-IN 12E2DF1C793F4F84A7AF6085B28CBAC7.MAI 468 127.0.0.1 QUIT QUIT 221 Service closing transmission channel 42 6
06/04/06 14:05:28 SMTP-IN 5A47E03DF71144F2BCC82DD765CE174F.MAI 576 127.0.0.1 220 servername.address from PHP.ini ESMTP MailEnable Service, Version: 1.95-- ready at 06/04/06 14:05:28 0 0
06/04/06 14:05:28 SMTP-IN 5A47E03DF71144F2BCC82DD765CE174F.MAI 576 127.0.0.1 HELO HELO servername 250 Requested mail action okay, completed 43 10
06/04/06 14:05:28 SMTP-IN 5A47E03DF71144F2BCC82DD765CE174F.MAI 576 127.0.0.1 MAIL MAIL FROM:<address from PHP.ini > 250 Requested mail action okay, completed 43 44
06/04/06 14:05:28 SMTP-IN 5A47E03DF71144F2BCC82DD765CE174F.MAI 576 127.0.0.1 RCPT RCPT TO:<pologrlva@yahoo.com> 250 Requested mail action okay, completed 43 31
06/04/06 14:05:28 SMTP-IN 5A47E03DF71144F2BCC82DD765CE174F.MAI 576 127.0.0.1 DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 46 6
06/04/06 14:05:28 SMTP-IN 47C25A86BED44889A27CC9FFA7E78600.MAI 576 127.0.0.1 QUIT QUIT 221 Service closing transmission channel 42 6
06/04/06 14:05:28 SMTP-IN 439A254EE22946B3925F22BFE0D23A64.MAI 388 127.0.0.1 220 servername.address from PHP.ini ESMTP MailEnable Service, Version: 1.95-- ready at 06/04/06 14:05:28 0 0
06/04/06 14:05:28 SMTP-IN 439A254EE22946B3925F22BFE0D23A64.MAI 388 127.0.0.1 HELO HELO servername 250 Requested mail action okay, completed 43 10
06/04/06 14:05:28 SMTP-IN 439A254EE22946B3925F22BFE0D23A64.MAI 388 127.0.0.1 MAIL MAIL FROM:<address from PHP.ini > 250 Requested mail action okay, completed 43 44
06/04/06 14:05:28 SMTP-IN 439A254EE22946B3925F22BFE0D23A64.MAI 388 127.0.0.1 RCPT RCPT TO:<larroyo03@yahoo.com> 250 Requested mail action okay, completed 43 31
06/04/06 14:05:28 SMTP-IN 2997344A6F5F4286841B862761ABF486.MAI 576 82.133.136.237 220 servername.address from PHP.ini ESMTP MailEnable Service, Version: 1.95-- ready at 06/04/06 14:05:28 0 0
06/04/06 14:05:28 SMTP-IN 439A254EE22946B3925F22BFE0D23A64.MAI 388 127.0.0.1 DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 46 6
06/04/06 14:05:28 SMTP-IN 4A3DD270487846D2A606FF02F0BE3756.MAI 388 127.0.0.1 QUIT QUIT 221 Service closing transmission channel 42 6
06/04/06 14:05:28 SMTP-IN DA040E34F5DB4EA7BFF3C39FFE7FCA2E.MAI 404 127.0.0.1 220 servername.address from PHP.ini ESMTP MailEnable Service, Version: 1.95-- ready at 06/04/06 14:05:28 0 0
06/04/06 14:05:28 SMTP-IN DA040E34F5DB4EA7BFF3C39FFE7FCA2E.MAI 404 127.0.0.1 HELO HELO servername 250 Requested mail action okay, completed 43 10
06/04/06 14:05:28 SMTP-IN DA040E34F5DB4EA7BFF3C39FFE7FCA2E.MAI 404 127.0.0.1 MAIL MAIL FROM:<address from PHP.ini > 250 Requested mail action okay, completed 43 44
06/04/06 14:05:28 SMTP-IN DA040E34F5DB4EA7BFF3C39FFE7FCA2E.MAI 404 127.0.0.1 RCPT RCPT TO:<rmins@txcyber.com> 250 Requested mail action okay, completed 43 29
06/04/06 14:05:28 SMTP-IN DA040E34F5DB4EA7BFF3C39FFE7FCA2E.MAI 404 127.0.0.1 DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 46 6
06/04/06 14:05:28 SMTP-IN A61571650CB94D2482C969EC89C577D3.MAI 404 127.0.0.1 QUIT QUIT 221 Service closing transmission channel 42 6
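
As an added example (not part of this thread and not MailEnable's own tooling), the following Python script parses SMTP-IN lines in the layout quoted above, groups MAIL FROM / RCPT TO by session ID, and flags envelopes submitted from 127.0.0.1 to outside domains together with per-second bursts of them, which is exactly the pattern in the excerpt. The sample lines, session IDs, addresses, remote IP and the list of locally hosted domains are constructed.

```python
import re
from collections import Counter
# Constructed sample in the MailEnable SMTP-IN layout quoted above; the session
# IDs, addresses and remote IP are invented, not copied from the real log.
SAMPLE_LOG = """\
06/04/06 14:05:28 SMTP-IN AAAA0001.MAI 468 127.0.0.1 MAIL MAIL FROM:<webform@hosted.example> 250 Requested mail action okay, completed 43 44
06/04/06 14:05:28 SMTP-IN AAAA0001.MAI 468 127.0.0.1 RCPT RCPT TO:<victim1@mail.example.com> 250 Requested mail action okay, completed 43 30
06/04/06 14:05:28 SMTP-IN AAAA0002.MAI 576 127.0.0.1 MAIL MAIL FROM:<webform@hosted.example> 250 Requested mail action okay, completed 43 44
06/04/06 14:05:28 SMTP-IN AAAA0002.MAI 576 127.0.0.1 RCPT RCPT TO:<victim2@example.net> 250 Requested mail action okay, completed 43 31
06/04/06 14:05:28 SMTP-IN AAAA0003.MAI 388 127.0.0.1 MAIL MAIL FROM:<webform@hosted.example> 250 Requested mail action okay, completed 43 44
06/04/06 14:05:28 SMTP-IN AAAA0003.MAI 388 127.0.0.1 RCPT RCPT TO:<victim3@example.org> 250 Requested mail action okay, completed 43 31
06/04/06 14:05:29 SMTP-IN AAAA0004.MAI 404 127.0.0.1 MAIL MAIL FROM:<webform@hosted.example> 250 Requested mail action okay, completed 43 44
06/04/06 14:05:29 SMTP-IN AAAA0004.MAI 404 127.0.0.1 RCPT RCPT TO:<sales@hosted.example> 250 Requested mail action okay, completed 43 29
06/04/06 14:05:30 SMTP-IN BBBB0001.MAI 590 203.0.113.7 MAIL MAIL FROM:<someone@remote.example> 250 Requested mail action okay, completed 43 44
06/04/06 14:05:30 SMTP-IN BBBB0001.MAI 590 203.0.113.7 RCPT RCPT TO:<sales@hosted.example> 250 Requested mail action okay, completed 43 29
"""
LINE_RE = re.compile(r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) SMTP-IN "
                     r"(?P<sid>\w+)\.MAI \d+ (?P<ip>\S+) (?P<rest>.*)$")
ADDR_RE = re.compile(r"(?P<verb>MAIL FROM|RCPT TO):<\s*(?P<addr>[^>]*?)\s*>")

def parse_envelopes(log_text):
    """Group MAIL FROM / RCPT TO lines by session ID into envelopes."""
    envelopes = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        a = ADDR_RE.search(m.group("rest")) if m else None
        if not a:
            continue  # greeting, HELO, DATA and QUIT lines carry no addresses
        env = envelopes.setdefault(m.group("sid"), {
            "ts": m.group("ts"), "ip": m.group("ip"), "sender": None, "rcpts": []})
        if a.group("verb") == "MAIL FROM":
            env["sender"] = a.group("addr")
        else:
            env["rcpts"].append(a.group("addr"))
    return envelopes

def find_local_relay_abuse(log_text, local_domains, burst_threshold=3):
    """Loopback-origin envelopes to outside domains, and seconds with >= burst_threshold of them."""
    local = {d.lower() for d in local_domains}
    suspicious, per_second = [], Counter()
    for sid, env in parse_envelopes(log_text).items():
        if env["ip"] != "127.0.0.1":
            continue  # remote submissions are covered by the relay settings
        external = [r for r in env["rcpts"] if r.rsplit("@", 1)[-1].lower() not in local]
        if external:
            suspicious.append((sid, env["sender"], external))
            per_second[env["ts"]] += 1
    bursts = {ts: n for ts, n in per_second.items() if n >= burst_threshold}
    return {"suspicious": suspicious, "bursts": bursts}
```

Run against a real SMTP-IN log, the flagged session IDs give the time window to match against the web server's access log and find the script that was talking to 127.0.0.1.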

pqxl
Posts: 48
Joined: Mon May 15, 2006 12:01 pm

Post by pqxl »

I see in the other thread your server was compromised, did you do a full antivirus scan ?

Toepes
Posts: 13
Joined: Mon May 15, 2006 10:31 am

Post by Toepes »

- full virus scan is done and found 2 trojans (that was already 2 weeks ago);
after removing them, the mail sending remains.

- I installed Trojanhunter, no results.

- problem is finding the script(s) that is/are the reason. I already asked customers to delete their websites and upload them again.

Formatting the server and restoring the domains doesn't make sense as it would also restore the bad script.

Toepes
Posts: 13
Joined: Mon May 15, 2006 10:31 am

Post by Toepes »

GOT IT !

A customer had installed an old version of a PHP script (VWAR) that is used by online gamers. That website was hacked and unfortunately the customer didn't inform us.

That site was used to send out all mail.

More info about VWAR: http://secunia.com/advisories/19524/
