Cannot trace this spammer
COMPLAINT: your customer using IP address XXX.232.65.171 has been
spamming our web submission form at
http://www.trialware.org/join.html. You can see the form results
attached. Please consider doing all you can to prevent such
incidents in the future.
Thank you

From: "Geoff" <Geoff@inm.ras.com>
To: <trialwar@trialware.org>
Subject: Join Trialware Professional Association
Date: Mon, 6 Feb 2006 10:24:40 -0600
Message-ID: <E1F69AO-00008E-NP@eta.asmallorange.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0013_01C62C0D.DA007D60"
X-Mailer: cgiemail 1.6(form="http://www.trialware.org/join.html")(action="/cgi-bin/cgiemail/join.txt")
X-Spam-Level:
X-Spam-Status: No, score=-2.7 required=5.0 tests=ALL_TRUSTED,AMATEUR_PORN,BAYES_00,HOT_NASTY autolearn=ham version=3.1.0
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on eta.asmallorange.com
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
thread-index: AcYrOd0lnYQUn2maS1mEwxk2fNoqUg==
x-cc-diagnostic: The F word (40)
x-pmflags: 33570944 0 1 PXHZ2PQY.CNM
This is a multi-part message in MIME format.
------=_NextPart_000_0013_01C62C0D.DA007D60
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
IP: XXX.232.65.171
Update: False
email: Geoff@inm.ras.com
input_company: Health Management Associates Inc.
name: Geoff
HideEMail: True
input_website: http://www.big-woman.be
input_desc: Any girls/ladies that like random phone sex? Someone like it I
saw on <a
href='http://www.big-woman.be'>http://www.big-woman.be</a> What
do you like about it? Details please!
keywords: sex,porn,porno,adult,xxx, hardcore, fu*,sexy girls, hot girls,
amateur porn, bbw, big woman, big wonderful women
input_linktype: Other
I tried the following:
grep asmallorange.com /usr/local/apache/domlogs
grep E1F69AO-00008E-NP@eta.asmallorange.com /var/log/messages (all)
grep E1F69AO-00008E-NP@eta.asmallorange.com /var/log/mailog (all)
My settings in EXIM:
untrusted_set_sender = *
local_from_check = false
local_sender_retain = true
timeout_frozen_after = 2d
ignore_bounce_errors_after = 12h
domainlist rbl_blacklist = lsearch;/etc/rblblacklist
domainlist rbl_bypass = lsearch;/etc/rblbypass
hostlist rbl_whitelist = lsearch;/etc/relayhosts : partial-lsearch;/etc/rblwhitelist
message_size_limit = 5M
log_selector = +arguments +subject
log_selector = +all
timeout_frozen_after = 2d
ignore_bounce_errors_after = 12h
acl_not_smtp = acl_check_pipe
acl_smtp_rcpt = check_recipient
acl_smtp_data = check_message
domainlist local_domains = lsearch;/etc/localdomains
domainlist relay_domains = lsearch;/etc/localdomains : \
lsearch;/etc/secondarymx
hostlist relay_hosts = lsearch;/etc/relayhosts : \
localhost
hostlist auth_relay_hosts = *
#!!# ACL that is used after the RCPT command
##Added Sendmail Bcc and Cc Spam Removal##
acl_check_pipe:
  #drop condition = ${if match {$message_body}\
  #  {\N.*\
  #  MIME-Version:.*\N}{true}}
  #  log_message = "Spam MIME-Version:$header_subject: "
  #drop condition = ${if match {$message_body}\
  #  {\N.*\
  #  Reply-To:.*\N}{true}}
  #  log_message = "Spam Reply-To:$header_subject: "
  # This will also block attachments
  # drop condition = ${if match {$message_body}\
  #  {\N.*\
  #  Content-Type:.*\N}{true}}
  #  log_message = "Spam: Content-Type: $header_subject: "
  # This will also block attachments
  # drop condition = ${if match {$message_body}\
  #  {\N.*\
  #  Content-Transfer-Encoding:.*\N}{true}}
  #  log_message = "Spam: Content-Transfer-Encoding: $header_subject: "
  drop condition = ${if match {$message_body}\
         {\N.*\
         [Bb][Cc][Cc]:.*\N}{true}}
       log_message = "Spam: BCC: $header_subject: "
  drop condition = ${if match {$message_body}\
         {\N.*\
         [Cc][Cc]:.*\N}{true}}
       log_message = "Spam: CC: $header_subject: "
  accept
  accept
##End of Additions ##
check_recipient:
  # Exim 3 had no checking on -bs messages, so for compatibility
  # we accept if the source is local SMTP (i.e. not over TCP/IP).
  # We do this by testing for an empty sending host field.
  accept hosts = :

  drop hosts = /etc/exim_deny
       message = Connection denied after dictionary attack
       log_message = Connection denied from $sender_host_address after dictionary attack

  drop message = Appears to be a dictionary attack
       log_message = Dictionary attack (after $rcpt_fail_count failures)
       condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
       condition = ${run{/etc/exim_deny.pl $sender_host_address }{yes}{no}}
       !verify = recipient

  # Accept bounces to lists even if callbacks or other checks would fail
  warn message = X-WhitelistedRCPT-nohdrfromcallback: Yes
       condition = \
         ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
           {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
           {yes}{no}}
  accept condition = \
         ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
           {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
           {yes}{no}}

  # Accept bounces to lists even if callbacks or other checks would fail
  warn message = X-WhitelistedRCPT-nohdrfromcallback: Yes
       condition = \
         ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
           {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
           {yes}{no}}
  accept condition = \
         ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
           {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
           {yes}{no}}

  #if it gets here it isn't mailman
  #sender verifications are required for all messages that are not sent to lists
  require verify = sender

  accept domains = +local_domains
         endpass
         #recipient verifications are required for all messages that are not sent to the local machine
         #this was done at multiple users requests
         message = "The recipient cannot be verified. Please check all recipients of this message to verify they are valid."
         verify = recipient

  accept domains = +relay_domains

  warn message = ${perl{popbeforesmtpwarn}{$sender_host_name}}
       hosts = +relay_hosts
  accept hosts = +relay_hosts

  warn message = ${perl{popbeforesmtpwarn}{$sender_host_address}}
       condition = ${perl{checkrelayhost}{$sender_host_address}}
  accept condition = ${perl{checkrelayhost}{$sender_host_address}}

  accept hosts = +auth_relay_hosts
         endpass
         message = $sender_fullhost is currently not permitted to \
                   relay through this server. Perhaps you \
                   have not logged into the pop/imap server in the \
                   last 30 minutes or do not have SMTP Authentication turned on in your email client.
         authenticated = *

  deny message = $sender_fullhost is currently not permitted to \
                 relay through this server. Perhaps you \
                 have not logged into the pop/imap server in the \
                 last 30 minutes or do not have SMTP Authentication turned on in your email client.

#!!# ACL that is used after the DATA command
check_message:
  require verify = header_sender
  accept
nobody@lsearch;/etc/localdomains "${if !eq {$header_From:}{}{$header_sender:$header_From:}fail}" Fs
(rest of exim.conf default)
I also have enabled:
Track the origin of messages sent through the mail server by adding the X-Source headers
Include a list of Pop before SMTP senders in the X-PopBeforeSMTP header when relaying mail
Always set the Sender
Verify the existence of email senders
Use callouts to verify the existence of email senders.
Discard emails for users who have exceeded their quota
I also did the following tweaks:
php spammer
http://www.eth0.us/exim-logging
stop php nobody spammers
http://www.webhostgear.com/232.html
What else to do?
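The Exim log greps in the post cannot find the submitter because cgiemail (see the X-Mailer header) injects the message locally rather than over SMTP, so the client's IP appears only in the web server's access log for the form's action URL. As an added example, not part of the original post, this script correlates POSTs to /cgi-bin/cgiemail/join.txt in a combined-format access log (the format of /usr/local/apache/domlogs) with the Date header of the spam; the log lines, IPs and user agents in it are constructed.

```python
import re
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime

# Constructed sample of an Apache "combined" access log (the format used in
# cPanel domlogs); the IPs, timestamps and agents are made up for this example.
SAMPLE_LOG = """\
198.51.100.7 - - [06/Feb/2006:10:10:02 -0600] "GET /join.html HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Feb/2006:10:24:12 -0600] "GET /join.html HTTP/1.1" 200 4120 "-" "Mozilla/4.0"
203.0.113.5 - - [06/Feb/2006:10:24:38 -0600] "POST /cgi-bin/cgiemail/join.txt HTTP/1.1" 302 221 "http://www.trialware.org/join.html" "Mozilla/4.0"
192.0.2.44 - - [06/Feb/2006:11:40:19 -0600] "POST /cgi-bin/cgiemail/join.txt HTTP/1.1" 302 221 "-" "curl/7.15"
"""

# Combined log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Apache's timestamp carries the UTC offset, so the parsed value is timezone-aware
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_form_posts(log_text, message_date, action_path, window_minutes=5):
    """Return (client IP, ISO timestamp, user agent) for each POST to the cgiemail
    action path within +/- window_minutes of the mail's RFC 2822 Date header."""
    centre = parsedate_to_datetime(message_date)
    window = timedelta(minutes=window_minutes)
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        # ignore any query string when comparing against the action path
        if rec["path"].split("?", 1)[0] != action_path:
            continue
        if abs(rec["ts"] - centre) <= window:
            hits.append((rec["ip"], rec["ts"].isoformat(), rec["ua"]))
    return hits
```

Run it with the Date value from the spam, "Mon, 6 Feb 2006 10:24:40 -0600", and the action path from the X-Mailer header; the surviving hits are the candidate client IPs to compare with the complaint.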