
RE: [cobalt-users] maillog shows email being sent from admin@localhost



> I am receiving many log entries in /var/log/maillog that indicate it has
> been sent from admin@localhost to addresses at AOL. (I am admin and am not
> sending email from the localhost!) Just to be returned to admin mail box as
> no user found. The admin email on the RaQ3 is filling at a phenomenal rate.
> Any clues who/how to stop this? I did reject all aol for the time being but
> sendmail is continuously being started from an aol email server...
> Here is an entry from the log....
>
> Apr  9 00:13:57 ns173 sendmail[6449]: NOQUEUE: Null connection from
> omr-d07.mx.aol.com [205.188.159.13]
> Apr  9 00:13:59 ns173 sendmail[6497]: AAA06497: from=admin, size=912,
> class=0, pri=240912, nrcpts=8,
> msgid=<200204090413.AAA06497@editedhostname>,
> relay=admin@localhost
> Apr  9 00:13:59 ns173 sendmail[6499]: AAA06497:
> to=overall36@xxxxxxx,osarah8875@xxxxxxx,overdossed@xxxxxxx,orionriot@xxxxxxx,
> otaku999@xxxxxxx,oxabercrombie4xo@xxxxxxx,orionred7@xxxxxxx,orbity11@xxxxxxm,
> ctladdr=admin (110/27), delay=00:00:00, xdelay=00:00:00, mailer=esmtp,
> relay=mailin-01.mx.aol.com. [205.188.156.122], stat=Sent (OK)
>
> Thanks in advance for guidance/assistance.
>
> Rick Bosch
> 360-606-9737

Rick,
We just had something similar.
Check you don't have an exploitable version of FormMail running on the
server anywhere.
What you are seeing is bounces that AOL is sending back to you, since the
user addresses that are being spammed are not resolving, either because they
are dead addresses or because they are full.
Do a "locate formmail" on the server and see which sites have it on them,
then check to see if they are less than version 1.9 - if they are, then
upgrade and test them. The referrer field needs to be set properly for 1.9
to work.
In the affected sites take a look at the web.log file in sitex/logs and
determine which site(s) have been compromised.
One thing that we saw was that the scanner program which discovered the site
had a vulnerability passes the site name into some central database, which is
then used by other spammers, so just blocking the IP address of the main one
is not going to stop others when they start using you.

You will see in the logs that every so often there are some lines that check
the following:
cgi-bin for formmail.pl
cgi-bin for formmail.cgi
cgi-local for formmail.pl
cgi-local for formmail.cgi

It detects the script that way, not by looking at site pages for HTML form
tags, as far as I have been able to determine.

There is a slight bandwidth effect from these calls, as formmail will be
responding with an error flag page, which is what the scanner software is
looking for.
I would also suggest renaming the formmail script to something else, to
effectively 404 it when requested externally, and changing the name of
the script in any pages that call it on your sites.

I hope this helps; if there is anything I missed, I'm sure others will give
more info.


Regards,

Phil

http://www.diygear.com THE Online DIY Toolstore For DIY & Business
Infolink Electronic Systems Ltd. Suppliers of:- PC based Computer Systems,
Peripheral & Hardware, Plus Web Design & Cobalt Raq4 Hosting Solutions
Contact the Sales desk at  infolink@xxxxxxxxxxxxxxx or Tel 0121 458 4894
(office) 0121 441 3558 (home)
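As an added example (not part of Rick's or Phil's messages), the POSIX shell script below automates the checks Phil describes on a Cobalt box: count the scanner's four probe requests in a site's web.log, list the source IPs that POST to a FormMail script, find every copy of the script and flag versions older than 1.9, and total the maillog entries sendmail accepted from admin via localhost (Rick's symptom). Everything it reads is constructed for the demo: the web.log and maillog lines, the IPs and hostnames, the site directory layout, and a stub formmail.pl whose only content is a version header. That header format (a "# FormMail ... Version X.Y" comment) is assumed to match what the script you find carries; adjust the sed pattern if yours differs.

```shell
#!/bin/sh
# Added example, not from the original thread: automate the checks Phil
# describes. The web.log and maillog lines, the stub formmail.pl header and
# the site directory layout below are all constructed for this demo.

# Constructed web.log (Apache combined format) modelled on the four scanner
# probes Phil lists, followed by a spammer POSTing to the script that answered.
make_sample_weblog() {
  cat > "$1" <<'EOF'
192.0.2.10 - - [09/Apr/2002:00:12:01 -0400] "GET /cgi-bin/formmail.pl HTTP/1.0" 200 512 "-" "Mozilla/4.0"
192.0.2.10 - - [09/Apr/2002:00:12:02 -0400] "GET /cgi-bin/formmail.cgi HTTP/1.0" 404 210 "-" "Mozilla/4.0"
192.0.2.10 - - [09/Apr/2002:00:12:03 -0400] "GET /cgi-local/formmail.pl HTTP/1.0" 404 210 "-" "Mozilla/4.0"
192.0.2.10 - - [09/Apr/2002:00:12:04 -0400] "GET /cgi-local/formmail.cgi HTTP/1.0" 404 210 "-" "Mozilla/4.0"
198.51.100.7 - - [09/Apr/2002:00:13:58 -0400] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 340 "-" "-"
198.51.100.7 - - [09/Apr/2002:00:13:59 -0400] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 340 "-" "-"
203.0.113.5 - - [09/Apr/2002:01:00:00 -0400] "GET /index.html HTTP/1.0" 200 1024 "-" "Mozilla/4.0"
EOF
}

# Constructed maillog lines in the shape Rick posted (hostname and IDs made up).
make_sample_maillog() {
  cat > "$1" <<'EOF'
Apr  9 00:13:59 ns173 sendmail[6497]: AAA06497: from=admin, size=912, class=0, pri=240912, nrcpts=8, msgid=<200204090413.AAA06497@example.invalid>, relay=admin@localhost
Apr  9 00:14:03 ns173 sendmail[6502]: AAA06502: from=admin, size=905, class=0, pri=210905, nrcpts=5, msgid=<200204090414.AAA06502@example.invalid>, relay=admin@localhost
Apr  9 00:20:00 ns173 sendmail[6600]: AAA06600: from=<webmaster@example.invalid>, size=300, class=0, pri=30300, nrcpts=1, relay=mail.example.invalid [203.0.113.9]
EOF
}

# Constructed stub of an old FormMail: only the version header line is present.
# Assumption: the real script carries a "# FormMail ... Version X.Y" comment.
make_sample_formmail() {
  cat > "$1" <<'EOF'
#!/usr/bin/perl
# FormMail                        Version 1.6                               #
EOF
}

# 1. Count the scanner's probes: GETs for formmail.pl/.cgi in cgi-bin or
#    cgi-local. Prints a number and always exits 0 (safe under set -e).
count_probes() {
  awk '/"GET \/cgi-(bin|local)\/formmail\.(pl|cgi)/ { n++ } END { print n + 0 }' "$1"
}

# 2. Source IPs that POST to the script, busiest first, as "<count> <ip>".
post_sources() {
  awk '/"POST \/cgi-(bin|local)\/formmail\.(pl|cgi)/ { c[$1]++ }
       END { for (ip in c) print c[ip], ip }' "$1" | sort -rn
}

# 3. Messages sendmail accepted from admin via localhost and the recipients
#    they carried (sum of nrcpts=), printed as "<messages> <recipients>".
admin_localhost_volume() {
  awk '/from=admin,/ && /relay=admin@localhost/ {
         n++
         if (match($0, /nrcpts=[0-9]+/)) r += substr($0, RSTART + 7, RLENGTH - 7)
       }
       END { print n + 0, r + 0 }' "$1"
}

# 4. Every copy of the script under a root directory ("locate formmail" stand-in).
find_formmail() {
  find "$1" -type f \( -name 'formmail.pl' -o -name 'formmail.cgi' \) 2>/dev/null
}

# 5. Version number from the header comment (empty output if none found).
formmail_version() {
  sed -n 's/^# FormMail[[:space:]]*Version[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# 6. Exit 0 when the copy is older than 1.9, the version Phil says to move to.
needs_upgrade() {
  v=$(formmail_version "$1")
  [ -n "$v" ] && awk -v v="$v" 'BEGIN { exit !(v + 0 < 1.9) }'
}

# Demo run over the constructed data in a scratch directory.
work=$(mktemp -d)
make_sample_weblog "$work/web.log"
make_sample_maillog "$work/maillog"
mkdir -p "$work/site1/web/cgi-bin"
make_sample_formmail "$work/site1/web/cgi-bin/formmail.pl"

echo "scanner probes in web.log: $(count_probes "$work/web.log")"
echo "POST sources (count ip):"
post_sources "$work/web.log"
echo "admin@localhost messages and recipients: $(admin_localhost_volume "$work/maillog")"
find_formmail "$work" | while read -r f; do
  if needs_upgrade "$f"; then
    echo "UPGRADE: $f is FormMail $(formmail_version "$f")"
  fi
done
rm -rf "$work"
```

On a real RaQ, point count_probes and post_sources at each site's web.log under sitex/logs and admin_localhost_volume at /var/log/maillog; a site whose log shows the four probes followed by a burst of POSTs from one address, alongside admin@localhost submissions with large nrcpts counts, is the one being used as a relay.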