Spammers and dealing with the aftermath / 2002-04-18

Today I got an e-mail from a guy somewhere: "I got this SpamCop report and
I'm not really sure what this says.. looks like our webserver is sending

So, I logged into that machine, became root (something with old accounts
never getting cleaned up) and looked in the cgi-bin directory for my
favorite web-spamming script:

---------- 1 root other 13559 May 19 1999

That's after I did a 'chmod 0'. Indeed, that was the culprit
of the webserver starting to spam. After that I tried to get an idea of
the health of the mail-queue. It took the 'mailq' command way too long to
get any idea of the state of the mail-queue, so I did

:/var/spool/mqueue# echo * | wc -w

which came somewhere over 6700. I stopped the mail daemons and tried mailq
again, this time just to get an idea whether there was any legitimate
mail in there (from or to the owners of the machine). There wasn't.
The directory entry for the mail-queue had grown to 300 kilobytes. This on
a Solaris 2.6 machine with UFS, which means that that directory entry
is hosed... or at least very slow. I did an rm -rf on the directory mqueue,
remade it after that was done and restarted the mail system.

After mail was flowing again, I had a look in the web-logs. I decided to get
an idea of the IP numbers using FormMail.

apache/logs(584)# grep FormMail access_log | awk ' { print $1 } ' | sort | uniq -c

A few nslookups showed me that most of those are not in the DNS.
Interesting. A few hours later I decided to start digging for the
abuse addresses for all those networks to report the abuse. I first
cut out the ones with fewer than 10 entries and then started finding
the corresponding addresses using,,,, I do this kind
of searching so often I have a complete set of aliases just for
doing this work. Now for a smarter whois client that can find the
abuse@ address just given an IP.
The addresses turned out to be in the Middle East (Jordan and
Kuwait), Asia (Japan, Korea, Bangladesh) and something close-by
( Most interesting address was a 'broadband isp'
in Bangladesh giving a hotmail address for a contact address.
In the case of the .jp nic I could not get the right name for the
net because it thought the syntax of the query was incorrect. So I
tried to find upstream providers using traceroute in those cases.
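The grep/awk/sort/uniq pipeline above plus the "fewer than 10 entries" cut, as an added example that is not from the original post. It assumes an Apache common-log-format access_log; the sample log is constructed inline with documentation-range IPs.

```shell
#!/bin/sh
# Added example: count FormMail hits per client IP in an Apache access_log
# and keep only the IPs that reached a threshold, so the report to abuse
# contacts covers the heavy hitters rather than every single request.

# formmail_abusers LOGFILE [THRESHOLD]
# Prints "COUNT IP" lines, highest count first, for client IPs that
# requested anything matching "formmail" (case-insensitive, so FormMail.pl
# and formmail.cgi are both caught) at least THRESHOLD times (default 10).
formmail_abusers() {
    logfile=$1
    threshold=${2:-10}
    grep -i 'formmail' "$logfile" \
        | awk '{ print $1 }' \
        | sort | uniq -c \
        | awk -v min="$threshold" '$1 >= min { print $1, $2 }' \
        | sort -rn
}

# Constructed sample log (common log format): one IP hammers FormMail.pl,
# one IP touches it a few times, one IP only fetches the index page.
make_sample_log() {
    out=$1
    : > "$out"
    i=0
    while [ "$i" -lt 12 ]; do
        echo '203.0.113.7 - - [18/Apr/2002:10:00:00 +0200] "POST /cgi-bin/FormMail.pl HTTP/1.0" 200 512' >> "$out"
        i=$((i + 1))
    done
    i=0
    while [ "$i" -lt 3 ]; do
        echo '198.51.100.9 - - [18/Apr/2002:10:05:00 +0200] "POST /cgi-bin/FormMail.pl HTTP/1.0" 200 512' >> "$out"
        i=$((i + 1))
    done
    echo '192.0.2.44 - - [18/Apr/2002:10:06:00 +0200] "GET /index.html HTTP/1.0" 200 2048' >> "$out"
}

# Stand-alone run: build the sample log and report IPs with 10+ hits.
# Expected output: 12 203.0.113.7
sample=$(mktemp)
make_sample_log "$sample"
formmail_abusers "$sample" 10
rm -f "$sample"
```

On a real server replace the sample with the live access_log path; the reported IPs are the ones to look up in whois for abuse contacts.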

So, all abuse addresses got a nice standard mail telling them that
a FormMail script was abused for spamming and that the FormMail
script was now closed but please flog the spammer accordingly.

Now, half an hour after sending all that I have only 6 auto-replies.
And I'm not sure I'll ever hear from some of the smaller ISPs.

Spammers have no problem abusing a small ISP somewhere in a country
they can't even find on a map. They may even have used a proxy at
that ISP or a hacked machine from a totally different location.

Now I have a bill for 2 hours of my time in cleaning up this mess.
Where do I send it?

