Spam from my server! How? Please help.
I have learned that I have been listed and delisted numerous times over the last month.
I already have RBL installed. I run freebsd 4.8 with plesk 2.5 (qmail)
66.36.236.4 is my IP.
Here is an email I received from spamcop with a few of the old reports they received. To me it seems like all the spam is about the same. It's spam for Internet Services or Web Design.
They also all appear to be from the same company.
http://www.goldmonkeys.biz/
http://www.greatbizservices.com/
I get the same page with a few URLs...they are obviously a spammer. How they either spoof my box or use it to spam I have no idea and I need to get it corrected. This could lose me my hosting if it continues.
Please help me figure this out. I have spent about 150 hours on this to no avail. I can't even confirm this email is coming from my server. My server is NOT an open relay and it's set only for SMTP auth. There is nothing in Suexec logs, this is not a client, and I just don't know what to do anymore. Could it be a spoof of some sort? How can I either prove that the spam is from my system or stop the spam altogether? I have set up rDNS as suggested by spamcop but that hasn't done a thing.
Thanks for your expertise in this. I can supply any logs needed.
-Jesse
------- Forwarded message -------
From: SpamCop Admin
Subject: Re: Pricing
Date: Tue, 26 Aug 2003 23:08:26 -0600
While you're certainly welcome to use our blocking list and/or donate to
the cause, it won't help keep 66.36.236.4 off our blocking list. The
only way to do that is to stop the spam coming from the server.
http://spamcop.net/sc?id=z149747619z...233188fa1e5faz
http://spamcop.net/sc?id=z149439497z...dbcdd5791ad8cz
http://spamcop.net/sc?id=z149408223z...889f6ef2c10cfz
http://spamcop.net/sc?id=z147935876z...d9cc4ef7ded0az
You can use those links to review the headers from some recent
complaints.
http://www.ordb.org/lookup/?host=66.36.236.4
The server looks like an open relay to me, but it's been tested by ORDB
recently, and none of the probes have been relayed, so it may not be
open.
66.36.236.4 fails DNS lookup, and it appears to be calling itself
"localhost," which is not a valid server name.
It could be all you have to do is get the DNS straightened out so it
resolves both ways, and our parse will find the true source of the spam
and stop tagging 66.36.236.4 as the source.
SpamCop will ignore any server that resolves on DNS/rDNS lookup,
identifies itself with the name the DNS resolves to, and records the
connecting IP when it gets mail.
It's also possible that the server is suffering from an open proxy port
exploit.
Look for an open SOCKS or HTTP proxy, or maybe there's an open
wingate/connection sharing/analogx or PHP type problem.
A free Unix port scanner is available from:
http://www.insecure.org/nmap/
Windows portability for Nmap:
http://www.insecure.org/nmap/nmap_portability.html
http://news.zdnet.co.uk/story/0,,t269-s2122679,00.html
http://spamcop.net/fom-serve/cache/278.html
http://spamcop.net/fom-serve/cache/269.html
http://www.socks.permeo.com/
The "localhost" part can also indicate that there is an unsecured
formmail script running somewhere.
A secure edition of Formmail by Ronald F. Guilmette can be found here:
ftp://ftp.monkeys.com/pub/formmail/1.9s/
http://www.monkeys.com/anti-spam/formmail-advisory.pdf
Complaints are going to abuse@hopone.net.
Routing Info: http://spamcop.net/fom-serve/cache/94.html
Routing Changes: http://spamcop.net/w3m?action=routeform
Those links provide the information you need to start getting reports
about your network. Switching reports away from an upstream provider
requires their permission, but you can get copies of complaints without
anyone's permission by using the "Third Party" option.
If you get one of the "hasn't responded to a confirmation request"
errors, send me the abuse address it refers to and I'll reset it so the
next confirmation request will be sent when you try again.
- Don -
I have a server that recently seems to be compromised on one domain for
spam.
I have learned that I have been listed and delisted numerous times over
the last month.
I have narrowed the problem to one domain but I need that domain. What
is the solution you offer for ISPs and at what cost.
I already have RBL installed. I run freebsd 4.8 with plesk 2.5
66.36.236.4 is my IP
--------------------------------------------
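Don's three criteria (the IP has a PTR record, the PTR name resolves back to the IP, and the server greets with that same name rather than "localhost") can be checked mechanically against a qmail-style Received: header. The script below is an added example, not part of the thread or of SpamCop's tooling; the Received: line and the 192.0.2.10 / mail.example.net values are constructed, and the `ptr` / `a` callables are an assumed injection point so the logic can be exercised without live DNS.

```python
import re
import socket
from typing import Callable, Dict, List

# Constructed qmail-style Received: header (sample input, not taken from the poster's logs).
SAMPLE_RECEIVED = ("Received: from unknown (HELO localhost) (192.0.2.10)\n"
                   "  by mail.example.net with SMTP; 26 Aug 2003 23:00:00 -0000")


def parse_qmail_received(header: str):
    """Extract (HELO name, connecting IP) from a qmail-style Received: line."""
    m = re.search(r"\(HELO ([^)\s]+)\) \((\d{1,3}(?:\.\d{1,3}){3})\)", header)
    return (m.group(1), m.group(2)) if m else None


def live_ptr(ip: str) -> List[str]:
    """Reverse lookup via the system resolver; [] when the IP has no PTR."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except (socket.herror, socket.gaierror):
        return []


def live_a(name: str) -> List[str]:
    """Forward lookup via the system resolver; [] when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.herror, socket.gaierror):
        return []


def assess_mail_host(ip: str, helo: str, ptr: Callable[[str], List[str]],
                     a: Callable[[str], List[str]]) -> Dict[str, bool]:
    """Apply the three criteria from the reply: a PTR exists, the PTR name resolves
    back to the IP (forward-confirmed rDNS), and the HELO name is that DNS name."""
    ptr_names = [n.rstrip(".").lower() for n in ptr(ip)]
    confirmed = [n for n in ptr_names if ip in a(n)]   # names that resolve both ways
    helo_l = helo.rstrip(".").lower()
    return {
        "has_ptr": bool(ptr_names),
        "fcrdns": bool(confirmed),
        "helo_matches_ptr": helo_l in confirmed,
        "helo_is_localhost": helo_l in ("localhost", "localhost.localdomain"),
    }


if __name__ == "__main__":
    helo, ip = parse_qmail_received(SAMPLE_RECEIVED)
    print(assess_mail_host(ip, helo, live_ptr, live_a))   # live lookups when run directly
```

A result with `has_ptr` False or `helo_is_localhost` True reproduces the condition Don describes, where the parser cannot trust the hop and tags the IP itself as the source; all four keys should come out True/True/True/False before expecting the listing to clear.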