Solving the Mysteries of Geek Code
Referrer spam is traffic from bots that impersonate a referral link. The pseudo traffic is designed to make their domain show up in your site analytics so that you’ll visit the site. Referrer spammers just forge the referrer of a http request to make their site show up in your logs/statistics.
More information:
rogue scripts, with the following two websites being useful for this practice:
http://www.stopthehacker.com/
http://www.exploit-db.com/
The following two websites can also be highly useful as additional resources when experiencing a security compromise.
http://google.com/webmasters/hacked/
http://stopbadware.org/webmaster-help
Check the header of an email
X-Spam-Status: No, score=0.1 X-Spam-Score: 1 X-Spam-Bar: / X-Ham-Report: Spam detection software, running on the system "server.domain.com", has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see root\@localhost for details.
You can also add Barracuda RBL to Exim in WHM
For cPanel /home/username/.spamassassin/user_prefs as described:
Other Resources:
Improving SpamAssassin accuracy on cPanel (or any other) mail servers – with statistics
Check the mail queue in a plesk server:
# /usr/local/psa/admin/bin/mailqueuemng -s
mail queue is full of spam type messages like this:
Subject: Mr.: 14623c9d 65% off for you!
Sale Sale Sale!! Vigara – 0.54$, Cilias – 1.09$, Levtira – 1.15$.. and more more more… ”
Steps to take:
1. Check the mail queue for suspicious emails that are spam and remove them. Monitor the mail queue to see who is sending email and the content and locate the email account for spam delivery.
To remove all mail from the queue, enter:
# postsuper -d ALL
2. Check the passwords for the email accounts with this command logged in ssh as root:
# /usr/local/psa/admin/bin/mail_auth_view Change all weak passwords to more secure passwords. (There are many simple email passwords).
3. Check any wordpress and joomla web sites for updates. Make sure all plugins and core software is up to date.
4. Check any forms on websites and ensure that they have captcha enabled so that they cannot be submitted automatically.
Here are some links to assist in installing an email wrapper to see if the sever is sending spam via a script:
If Postfix – http://kb.parallels.com/en/114845
Once the server is verified spam free you can contact us and we can help with any de-listing submissions.
Please let us know if you have any other questions.
RE: http://kb.parallels.com/en/114845
[stextbox id=”info”]Symptoms: Many email messages are sent from PHP scripts on the server. How can I find the domains on which these scripts are running if I am using Postfix?[/stextbox]
[stextbox id=”warning”]Note: This article is for Postfix. If you are using the Qmail mail server, see this: http://geekdecoder.com/troubleshoot-qmail-spam/[/stextbox]
Resolution
Many email messages are sent from PHP scripts on the server. How can I find the domains on which these scripts are running?
There is a way to determine from which folder the PHP script that sends mail was run.
Note: Depending on your OS and Parallels Plesk Panel (Plesk) version, the paths can slightly differ from those listed below.
Create a /usr/sbin/sendmail.postfix-wrapper script with the following content:
Create a file and open it for editing:
#touch /usr/sbin/sendmail.postfix-wrapper #vi /usr/sbin/sendmail.postfix-wrapper
Add the following content:
#!/bin/sh (echo X-Additional-Header: $PWD ;cat) | tee -a /var/tmp/mail.send|/usr/sbin/sendmail.postfix-bin "$@"
Note that this should be two lines, including #!/bin/sh.
Create a log file, /var/tmp/mail.send, and grant it a+rw rights. Make the wrapper executable, rename the old sendmail, and link it to the new wrapper. Then run the commands below:
~# touch /var/tmp/mail.send ~# chmod a+rw /var/tmp/mail.send ~# chmod a+x /usr/sbin/sendmail.postfix-wrapper ~# mv /usr/sbin/sendmail.postfix /usr/sbin/sendmail.postfix-bin ~# ln -s /usr/sbin/sendmail.postfix-wrapper /usr/sbin/sendmail.postfix
Wait for an hour and change the sendmail back:
~# rm -f /usr/sbin/sendmail.postfix ~# mv /usr/sbin/sendmail.postfix-bin /usr/sbin/sendmail.postfix
Check the /var/tmp/mail.send file. There should be lines starting with X-Additional-Header: pointing to the domain folders where the scripts that sent the mail are located.
You can see all the folders from which mail PHP scripts were run with the following command:
~# grep X-Additional /var/tmp/mail.send | grep `cat /etc/psa/psa.conf | grep HTTPD_VHOSTS_D | sed -e 's/HTTPD_VHOSTS_D//' `
[stextbox id=”alert”]NOTE: If you see no output from the above command, it means that no mail was sent using the PHP mail() function from the Parallels Plesk Panel virtual hosts directory.[/stextbox]
Usually, that means one of the mail accounts has been compromised. Check login attempt count:
# zgrep -c 'sasl_method=LOGIN' /usr/local/psa/var/log/maillog* /usr/local/psa/var/log/maillog:221000 /usr/local/psa/var/log/maillog.processed:362327 /usr/local/psa/var/log/maillog.processed.1.gz:308956
If you see an unusually high number of login attempts, it is very likely that accounts were compromised. You can try to identify these accounts in the following way:
# zgrep 'sasl_method=LOGIN' /usr/local/psa/var/log/maillog* | awk '{print $9}' | sort | uniq -c | sort -nr | head
891574 sasl_username=admin@example.com
To stop spam from being sent, change passwords for compromised accounts and restart the Postfix service.
PHP Spam Scripts
I finally decided this topic deserves its own page.
To find the script sending spam
Plesk
Ver -11.0
cat /var/www/vhosts/domain.com/statistics/logs/access_log | grep POST > /tmp/post.log
Ver 11.5+
cat /var/www/vhosts/system/domain.com/statistics/logs/access_log | grep POST > /tmp/post.log
WHM cPanel
cat /usr/local/apache/domlogs/domain.com | grep POST > /tmp/post.log
View the results
cat /etm/post.log 78.138.118.128 - - [02/Jan/2014:10:51:41 -0500] "POST /tmp/sys09725841.php HTTP/1.1" 200 181 "-" "-" 78.138.118.128 - - [02/Jan/2014:10:52:54 -0500] "POST /tmp/sys09725841.php HTTP/1.1" 200 181 "-" "-" 78.138.118.128 - - [02/Jan/2014:10:54:13 -0500] "POST /tmp/sys09725841.php HTTP/1.1" 200 181 "-" "-" 78.138.118.128 - - [02/Jan/2014:10:55:18 -0500] "POST /tmp/sys09725841.php HTTP/1.1" 200 181 "-" "-" 78.138.118.128 - - [02/Jan/2014:10:56:32 -0500] "POST /tmp/sys09725841.php HTTP/1.1" 200 181 "-" "-"
Joomla
This file often appears in /tmp/sysNNNNNNNN.php file
1. /tmp is 777
2. the sysNNNNNNNN.php is usually accompanied by a .zip file
3. .php and .zip are owned by apache
To stop Spam:
drop SMTP on port 25, 465 and 587 to prevent further spam from being sent out by running the following commands:
# /sbin/iptables -A INPUT -p tcp --dport 25 -j DROP # /sbin/iptables -A OUTPUT -p tcp --dport 25 -j DROP # /sbin/iptables -A INPUT -p tcp --dport 465 -j DROP # /sbin/iptables -A OUTPUT -p tcp --dport 465 -j DROP # /sbin/iptables -A INPUT -p tcp --dport 587 -j DROP # /sbin/iptables -A OUTPUT -p tcp --dport 587 -j DROP
Restart:
# service iptables restart
Block an IP accessing the site:
# iptables -A INPUT -s 80.35.xx.xxx -j DROP
Restart:
# service iptables restart
After that – check the cpnael access logs for the domain and see that there is a 403 Error:
# tail -f /usr/local/apache/domlogs/gamedayboston.com 80.82.xx.xx - - [07/Oct/2014:17:13:46 -0400] "POST /xmlrpc.php HTTP/1.0" 403 - "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)" 80.82.xx.xx - - [07/Oct/2014:17:13:46 -0400] "POST /xmlrpc.php HTTP/1.0" 403 - "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)" 80.82.xx.xx - - [07/Oct/2014:17:13:46 -0400] "POST /xmlrpc.php HTTP/1.0" 403 - "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
If you cannot send emails to Outlook or Hotmail or MSN, then your server’s IP address maybe blacklisted. Here are some tips to get removed from the MSN blacklist.
Before jumping through the blacklist removal hoops, you may want to double-check that your emails are not simply going into the spam folder. This process will not help you with emails being dropped into the spam folder. This is for getting off of MSN’s blacklist. I am going to outline 3 steps.
Verify you are on the MSN blacklist.
Perform preliminary blacklist removal checks.
Submit MSN blacklist delisting request.
Delist Here – Sender Information for Outlook.com Delivery –
MSN Blacklist Check
If MSN has blacklisted your IP, you will receive a delivery rejection notice from MSN or Hotmail. If you check your server’s logs or your email bounce you may see something like this:
SMTP error from remote mail server after end of data: host mx1.hotmail.com [65.54.188.94]: 550 SC-001 (BAY0-MC2-F59) Unfortunately, messages from 216.55.xxx.xxx weren't sent. Please contact your Internet service provider since part of their network is on our block list. You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors.
If you are seeing this or a similar email error, then your server’s IP has likely been blocked by MSN/Hotmail. There could be other response codes, but typically all MSN blacklist notifications will include a 500 series error. MSN’s postmaster service as a list of MSN’s blacklist codes.
I suggest you check this list to find the exact reason Hotmail or MSN is rejecting your emails.
There are some 400 series errors that deal with email volume rather than suspected spam. If you are sending high volumes of email to MSN, you may need to sign up for their bulk sender’s program.
If you are not seeing 500 errors, then you may not have an email blacklist problem but some other email delivery issue.
Preliminary Blacklist Delisting Tasks
Before requesting removal from MSN’s blacklist, you will want to take some steps to stop whatever caused the listing.
Make sure there is no unauthorized email going from your server.
If someone is forwarding email to Hotmail related addresses and then marketing it as spam, Hotmail will lower your server’s sender reputation. Window’s Live and related email services such as Hotmail and MSN.com emails work with Return Path to filter email. So email server reputation is more important for sending to these accounts than some of the other ISP’s covered in this series.
To start the process of getting removed from Hotmail’s blacklist, you will need to complete their sender information form.
Unfortunately since Microsoft maintains their own blacklist they have no obligation to accept email from anyone. Please have a look at some of their suggestions located at https://mail.live.com/mail/services.aspx
I would suggest signing up for both SNDS and Microsoft’s Junk Mail Reporting Program.
Sender Information for Outlook.com Delivery – https://support.microsoft.com/en-us/getsupport?oaspworkflow=start_1.0.0.0&wfname=capsub&productkey=edfsmsbl3&ccsid=636529520240187401&wa=wsignin1.0
Provide all of the requested information. Unlike some other ISPs, MSN Support requires you to run some telnet tests from the command line on your server. If you do not know how to run these tests, you will need to get someone to help you.
In working with MSN, I have found it very important to provide accurate email headers. If you provide reliable information and are truly not spamming their systems, you will typically see removal in 2-3 business days. MSN is very picky about DNS. So be sure your DNS, PTR and SPF/SenderID records are in order before requesting removal.
If you have root access and need to send email now, try below:
Partial Solution:
Re-route the IP on port 25 if you have a linux box and you have another IP that is not blacklisted.
apply an iptables rule to route your outbound SMTP to a new IP
216.55.xxx.xxx
# iptables -t nat -A POSTROUTING -p tcp --dport 25 -j SNAT --to-source 216.55.xxx.xxx