On Thu, 2004-10-07 at 21:59, Trevor Smith wrote:

> So I'm getting tons of bounces because the spammers have made their way back
> around to my personal domain and are sending out their crap with
> <something>@haligonian.com as the forged From: address.
>
> I don't really care since I have bogofilter installed and it puts every damn
> one of them in my "unsure" folder and I never need to see them, but just to
> be thorough...
>
> Does anyone know of anything I could do to get them to move on from spoofing
> my domain to spoofing the next victim's domain?
>
> Is there any real harm to me that they are spoofing my domain, btw? I assume
> that network admins are smart enough now that they realize almost all spam
> addresses are spoofs and they don't go arbitrarily blacklisting poor suckers
> like me. :-(
>
> Now, I'm assuming this is straight forging, and that no spammers are actually
> using any network resources related to me (since I pay $10/yr for a web/mail
> hosting account for haligonian.com and don't run my own servers).
>
> --
> Trevor Smith // trevor@xxxxxxxxxxxxxx

Hi Trevor and everyone who is reading this. I haven't read the full thread yet, but I want to relate my "adventures" of the last two days to you guys.

I run a hosting company that has similar packages to what Trevor is getting. On Thursday I get the Logwatch come through, plus I get nobody's mail for our virtual hosting servers, and boom, 150 returned emails from the sending domain InternetBanking.com on one of them, which we don't host or have any records of whatsoever. So I know it's spam. Well, after searching for the subject matter with grep throughout the home dirs of each user, only one user had it, but it was in his spam file. That's not enough to do anything about it, but it made us watch this guy closer. All day exim was sending as nobody. Headers had nothing but the hostname. Started grepping through the mail logs for the time but nothing came up.

Kept looking for the subject matter throughout the DBs and the whole system. Only found it in the one spam file and returned emails. I also turned off mailman, if that was the culprit, because he was running at times and we don't have any list on that server. I was stumped on Thursday trying to figure this out; my partners were also. Then on Friday it was still going on. Server load wasn't jumping and I couldn't take down the server because of the numerous accounts on the server and lack of space on the other servers for them. But Friday I wake up to 2000 returned emails in my inbox from nobody at this server. OK, I then started to realize that it has to be a script being run from the web. Yeah, I'm a little slow sometimes, call it tunnel vision; should have realized that it was that when I saw nobody. But I then grepped the domlogs for the time the emails were being sent and then also POST, and then checked the suspect scripts by checking them from the web. I found it that way. It's a simple script that is written in PHP and can use a DB to retrieve the email info, or you can manually enter it. The recipients are a text area you put an email into line by line. It also has a text box for the sending address and everything else and attempts to write the headers also. One of the emails from Friday had a sub dir that it used for the source; that was called in to me from an irate recipient of the email and verified that it was this script. OK, now that I found the target, my question was who was using that script? I grepped for the script's name in the domlogs and found only 2 IPs using that script: mine and another. That IP wasn't my customer's but someone else's. It was a Comcast IP, and nmap showed me it was a Windows box, so I'm not going to say that that IP is the spammer's, but I'm reporting it to Comcast. Could be the user of this computer is compromised also. But that IP accessed the script at the time the emails were running. Also, Friday only one file was upped using the FTP.

That was this script, from another hosting company's server. He used two scripts with the same code: one called mailer.php in the root of the html dir and services.php in a sub dir of that user's html dir. In the sub dir it was easy to spot because it was the only PHP file in a sea of htm files. The mailer.php was in a sea of PHP files and harder to catch. mailer.php was used on Thursday and services.php was used on Friday. All this was caused by one of two things: my client shared his pw with someone or it got cracked somewhere. I still have to check the logs for the IP to see if it was a brute force attack. But it was a weak password and I have reset it with something a little stronger. Because of the nature of the email (it's a phishing one asking you to reset your personal info for your bank), I'm going to be reporting this to Internet Fraud Watch, the US FTC, Comcast (I hear it's good luck if they do anything) and the other hosting company that the file was uploaded from. Now I do have a question: anyone else I should notify about this? I don't want to email them; I want to call this in and talk to someone. So phone numbers would be greatly appreciated for any groups or organizations that would help in tracking this guy down. TIA and I hope you enjoyed this.

Mike Ramirez <mike@xxxxxxxxxxxxxx>
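The two checks Mike describes above (grep the domlogs for POST requests in the window when the bounces were flowing and see which IPs hit which script, and look for a lone .php file sitting in a directory of static .htm pages) can be scripted so they run over a whole server's logs and home directories instead of one account at a time. The following is an added example and not code from the list thread; it assumes the per-domain logs are in Apache combined format, as cPanel's domlogs are, and the log lines, file listing, IP addresses (documentation ranges) and time window are all constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" log format, as written to per-domain logs (domlogs).
# Assumption: the request line is "METHOD PATH PROTOCOL" and size may be "-".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample domlog: two unknown IPs and the admin's own IP (192.0.2.10)
# posting to a mailer script, plus benign traffic and a hit outside the window.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Oct/2004:03:12:01 -0400] "GET /index.htm HTTP/1.1" 200 1532
198.51.100.7 - - [08/Oct/2004:03:14:22 -0400] "POST /promo/services.php HTTP/1.1" 200 412
198.51.100.7 - - [08/Oct/2004:03:14:58 -0400] "POST /promo/services.php?x=1 HTTP/1.1" 200 412
192.0.2.10 - - [08/Oct/2004:03:20:05 -0400] "POST /promo/services.php HTTP/1.1" 200 412
203.0.113.5 - - [08/Oct/2004:03:31:40 -0400] "POST /contact.php HTTP/1.1" 200 900
198.51.100.7 - - [08/Oct/2004:11:02:13 -0400] "POST /promo/services.php HTTP/1.1" 200 412
"""

# Constructed time window: when the bounces were arriving (server local time, -0400).
_TZ = timezone(timedelta(hours=-4))
WINDOW_START = datetime(2004, 10, 8, 3, 0, 0, tzinfo=_TZ)
WINDOW_END = datetime(2004, 10, 8, 4, 0, 0, tzinfo=_TZ)

# Constructed file listing of one account's web root: mailer.php hides among
# other PHP files, services.php is the only PHP file in a directory of .htm pages.
SAMPLE_LISTING = [
    "/home/user/public_html/index.php",
    "/home/user/public_html/about.php",
    "/home/user/public_html/mailer.php",
    "/home/user/public_html/promo/index.htm",
    "/home/user/public_html/promo/offer.htm",
    "/home/user/public_html/promo/services.php",
]


def parse_line(line):
    """Parse one combined-format log line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return {
        'ip': m.group('ip'),
        'ts': ts,
        'method': m.group('method'),
        # Drop any query string so the same script is counted under one key.
        'path': m.group('path').split('?', 1)[0],
        'status': int(m.group('status')),
    }


def suspicious_posts(lines, start, end):
    """Return {script_path: {client_ip: count}} for POSTs to .php files within [start, end].

    This is the "grep for the time, then for POST" step: every POST to a PHP script
    in the window is attributed to the IP that sent it, so a mailer script and the
    handful of IPs driving it stand out together.
    """
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec['method'] != 'POST':
            continue
        if not rec['path'].lower().endswith('.php'):
            continue
        if not (start <= rec['ts'] <= end):
            continue
        hits[rec['path']][rec['ip']] += 1
    return {path: dict(ips) for path, ips in hits.items()}


def lone_php_files(listing):
    """Flag directories where exactly one .php file sits among .htm/.html files.

    A lone script in a static-only directory is the easy-to-spot case from the post;
    a directory that is all PHP (where mailer.php hid) is deliberately not flagged.
    """
    by_dir = defaultdict(list)
    for path in listing:
        directory, _, name = path.rpartition('/')
        by_dir[directory].append(name)
    flagged = []
    for directory, names in by_dir.items():
        php = [n for n in names if n.lower().endswith('.php')]
        static = [n for n in names if n.lower().endswith(('.htm', '.html'))]
        if len(php) == 1 and static:
            flagged.append(f"{directory}/{php[0]}")
    return sorted(flagged)


if __name__ == '__main__':
    for script, ips in suspicious_posts(SAMPLE_LOG.splitlines(), WINDOW_START, WINDOW_END).items():
        print(script, ips)
    print(lone_php_files(SAMPLE_LISTING))
```

On a real server, feed `suspicious_posts` the concatenated domlogs for every virtual host and `lone_php_files` the output of a `find` over `/home/*/public_html`; the window comes from the timestamps on the bounced messages. A script that only ever receives POSTs from one or two outside IPs, while the rest of the site's traffic is GETs, is the pattern to look at first.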