Re: Please help stop spam relaying with my server
In article <hZm1i.581$145.476@trnddc02>, "Mark C" <notmyemail@xxxxxxxx>
wrote:

> Thank you for the prompt reply. I am a bit less sure about the situation
> today, but I believe I can answer all your questions. Let me provide some
> background. The first email was typed well into a very frustrating night.

> I host a web site that generates emails to subscribers based on weather
> conditions. The email address that is used to send the emails is not
> monitored due to high spam load and returned emails from subscribers who have
> moved on, are out of the office, have a full mail box etc. Recently I
> decided to try to trim the dead wood out of my subscribers list so I began
> to monitor the returned mail.

A good choice. Not dealing with the bounces on such a service is risky,
because you may end up hitting addresses that have been turned into
spamtraps with automated countermeasures behind them OR hitting people
who have newly acquired the old addresses of former subscribers,
and find their nice new address getting a bunch of mystery mail.


> I found several returned spam messages to
> multiple recipients. My applications never send a message to more than one
> address. I immediately retested my server to confirm it was not an open
> relay. It was reported okay by every test I found. I assumed the spammers
> found a way through my scripts, however unlikely that was. I now log all
> outbound mail through the PHP scripts and they seem okay. I have increased
> my loglevel to 15 in sendmail to help diagnose the situation. I continue to
> get returned spam. You can review these messages as well as my current
> sendmail log file at http://casazza.net/ems. However, I can't find any of
> these emails that are being returned in the sendmail log. I don't know
> sendmail all that well, so I may be missing something very obvious. I will
> remove my sendmail log in a few days to protect the privacy of my
> subscribers.

Those 4 mails don't look like they ever touched your machine, and are in
fact simple straightforward forgery. Look at those mails with a text
editor (i.e. not some mailer that makes them pretty) and look at the
Received headers. If your machine was being abused for this, you would
find your IP noted by the next MTA in sequence.

Using PHP web scripts to generate mail and an old unpatched OS and old
unpatched sendmail are significant concerns, but in this case there's
no sign of you actually being part of this problem except as far as
anyone with a valid address that gets used by spammers is part of the
widespread forged spam problem.

> The server itself is running RedHat 9.0 and acts as a mail, name, web, and
> mysql server. Since RedHat stopped automatic updates years ago I have not
> patched my server. I am running sendmail 8.12.8. I know this is a problem;
> please read on. I am not comfortable enough with the manual update process
> to attempt this on a production server.

Be aware that if you lose your bet here on having your machine taken
over and used for Bad Things, the above excuse won't save you. You are
behaving negligently, and if you end up providing a platform for
criminal activity, you could end up in deep legal trouble. What your
system does is your responsibility, even if it is compromised, and
you've now published both a public signpost pointing at an insecure
system and a confession of your own negligence.

I wish you good luck and godspeed. Really.

I think your biggest holes are likely to be in the PHP scripts, but
that's a guess. The holes in later sendmails are not readily exploited
to send spam and while my awareness on the RH front is not great, I
cannot recall hearing of anything really spectacular in the past 2
years. On the other hand, PHP and commonly used free scripts written in
it have been a favorite target of system crackers (and spammers) in the
past few years.

> About a year ago I purchased
> another server to "upgrade" to. It is running Debian and I keep it up to
> date and with Debian's free forever policy I don't see why I will get into
> this position again. I have configured the web server and mysql server on
> the new server. I still need to configure DNS and Mail. If that is my best
> solution I will make the effort to complete that process in the next few
> weeks.

You should try to make that faster.

> I can't see any reason why a spammer would be using my Return-Path if they
> are not using my server.

You run a service that people ask to be part of, sending mail that they
want. This puts a particular value to using that Return-Path for
spammers, because there's a better than average chance that your address
is 'whitelisted' compared to some randomly invented address.

That said, there's a very strong probability that the spammer(s) sending
these have no idea that the particular target address is trusted
anywhere. Those spams look like the work of 'botnet' spammers, and most
of them are extremely random in their address usage: any address they
send to has about the same chance of being used as a Return-Path as any
other.

> I may just be naive to how spammers work.

They work in a broad variety of ways, but it looks like this bunch are
part of the volume leader class of spammer, the 'botnet' spammer. The
ultimate source of the messages in an SMTP sense is some compromised
system running some flavor of trojan horse software, part of a network
controlled either by the spammer or someone who is pimping it out to
spammers. Mostly Windows boxes, but there are some cases where spammers
have corralled large sets of neglected Linux machines for their work.

> I'm
> concerned this will make it difficult to clear the name of my server. I am
> currently blacklisted by AOL and ATT. Obviously for my web site to work I
> need to resolve the black list issues, but I don't want to start that
> process until I know I am clean. Not to mention that I feel rather violated
> in general.

Your blacklisting issues are likely not a result of this particular
issue. AOL blacklists based on source IP when enough users hit the 'this
is spam' button and a lot of AOL users use that button as 'unsubscribe
me.' You might find a path to remediating the AOL situation at
http://postmaster.aol.com

I can't provide any advice on AT&T since they have about 4 systems
(including the big legacy-SBC consumer system run by Yahoo) and have long
displayed spectacular stupidity in their mail handling on both the AT&T
and SBC sides.

--
Now where did I hide that website...
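As an added illustration (not part of the original thread), here is a small Python script that does the Received-header check the reply describes: it walks the hops from origin to destination and reports whether the sending server's IP appears anywhere in the chain, and flags a message that carries our Return-Path but never relayed through us. The two messages, the address 192.0.2.10 and the host names are constructed for the example.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample: spam "returned" to our Return-Path; its chain never touches us.
FORGED_BOUNCE = """\
Return-Path: <alerts@casazza.net>
Received: from mx.example.net (mx.example.net [198.51.100.5])
 by mail.example.com with ESMTP; Mon, 14 May 2007 10:02:11 -0400
Received: from dsl-77.example.org (unknown [203.0.113.77])
 by mx.example.net with SMTP; Mon, 14 May 2007 10:02:09 -0400
From: "Weather Alerts" <alerts@casazza.net>
Subject: constructed spam sample

body
"""

# Constructed sample: a message that really did leave our server.
GENUINE = """\
Return-Path: <alerts@casazza.net>
Received: from mail.casazza.net (mail.casazza.net [192.0.2.10])
 by mx.example.net with ESMTP; Mon, 14 May 2007 07:00:00 -0400
From: "Weather Alerts" <alerts@casazza.net>
Subject: constructed alert sample

body
"""

OUR_IPS = {"192.0.2.10"}  # assumed address of the sending server
# The bracketed literal an MTA records for the connecting host, e.g. "[198.51.100.5]".
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F.:]+)\]")

def relay_chain(raw_message: str) -> list[str]:
    """IPs from the Received headers, earliest hop first (each MTA prepends
    its header, so the last one is closest to the origin)."""
    msg = message_from_string(raw_message, policy=default)
    hops = [IP_RE.search(str(h)) for h in reversed(msg.get_all("Received", []))]
    return [m.group(1) for m in hops if m]

def touched_our_server(raw_message: str, our_ips: set[str]) -> bool:
    """True if any hop in the chain is one of our addresses."""
    return any(ip in our_ips for ip in relay_chain(raw_message))

def looks_forged(raw_message: str, our_domain: str, our_ips: set[str]) -> bool:
    """Return-Path claims our domain, yet the message never relayed through us."""
    msg = message_from_string(raw_message, policy=default)
    return_path = str(msg.get("Return-Path", "")).strip("<> ")
    claims_us = return_path.lower().endswith("@" + our_domain.lower())
    return claims_us and not touched_our_server(raw_message, our_ips)
```

Run it over each returned spam; a message whose chain never contains your IP is backscatter from a forged Return-Path, not evidence of relaying.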