Full Version: spam through my server? / Mailheader analyze
The Planet Forums > Security > General Security
Pilgrim
CODE
Offending message:

Return-Path: <sales@neovisiongroup.com>
Received: from ensim.rackshack.net (root@localhost)
   by custombirthdaynews.com (8.11.6/8.11.6) with ESMTP id h5A8mVA08173
   for <x>; Tue, 10 Jun 2003 01:48:31 -0700
X-ClientAddr: 64.xxx.xx.xx
Received: from localhost (ns03.mymailserver.com [64.xxx.xx.xx])
   by ensim.rackshack.net (8.11.6/8.11.6) with SMTP id h5A8mUI08168
   for x; Tue, 10 Jun 2003 01:48:30 -0700
Received: from mail.com ([192.123.44.235])
   by localhost (8.11.9/8.11.9) with ESMTP id 60m54t09FmO2yo
   for <x>; Tue, 10 Jun 2003 02:05:12 -0600 (MDT)
Message-ID: <0203___________________O2yo@neovisiongroup.com>
From: "LogoSaur" <sales@neovisiongroup.com>
To: x
Subject: Quality Logo and Corporate Identity Design

Here is the clue:

- I don't host neovisiongroup.com on this server or on any other server
- I don't know neovisiongroup.com
- I don't know the company that is being advertised in the email
- The message ID is not in my maillogs
- According to my maillogs no unusual amount of emails have been sent out.
- Did several open relay tests and all report negative

Yet spamcop flawlessly pins me down as being the one and only source of this email. (7 times reported in hrs).

This part is also strange:
CODE
Received: from localhost (ns03.mymailserver.com [64.xxx.xx.xx])

Normally this line says:
Received: from server1.mydomain.com (ns03.mydomain.com [64.xxx.xx.xx])

Someone suggested a formmail exploit but a) it should have showed up in the logs b) it should have showed up in the stats and c) exploiting formmail usually leaves a message "here are the results of your feedback form" on top of the email, which in this case was not there.


I need to respond to RS within 12 hours reporting what I have done to resolve this issue.

I'm lost on this one and am open for suggestions!

Did this email indeed go through our server? If so... HOW?
Or is there a possibility that the header was forged and Spamcop has it wrong this time?
pgware
If you host people on the server it could have been any one of them that did it. You can easily change the FROM address and still use the email server to send mail from. Check the X-ClientAddr and see if it matches any other IPs from someone logging in before. If the IP matches your server IPs (which I think it is) then the mail came from formmail on the server but is using a different FROM address to try to hide their identity. Honestly I'd go through all of the sites you host and search for any formmail scripts as well as sendmail logs to see who did it, then promptly remove them from your server.
greyboy
It might be an exploit of a mail script, so the user may be innocent. It's important to find out how it was done, though.

-N
Pilgrim
But if it was sent from the server, regardless of whether it was done through a script or not, should the message ID not be listed in my maillogs?

Can mail be sent out without the maillogs capturing it?

pgware: The X-client IP is my main IP. mailserver IP
s3kk3y
I have the exact same spam report on my IP as well.

I searched my mail logs for the messageID, the domain, the IP. Nothing shows up.

I have no idea if it indeed got sent out from my server but now my IP is blacklisted on spamcop.

Pilgrim, have you found out entries in your logs yet?
Pilgrim
Absolutely nada. Zilch! Nothing!

I'll copy/paste the email I sent to abuse@rackshack.com about this. Maybe there is something there that can help you.

I'm not a hateful person but if something bad were to happen to neovisiongroup.com I wouldn't mind that much..

QUOTE
Here are the final findings regarding the spamcomplaints about IP
64.246.xx.xx
I hope this will do. If it is not or you need any log files made available
please let me know.

Spam reports: 8
Date involved: June 10th.
First time reported: 5.5 days ago
Last time reported: 4.5 days ago.

Current spamcop status: no longer listed.

Company sending spam: neovisiongroup.com
Status: company unknown. Not hosted on any of our servers. Never has been
hosted

Company advertised: LogoSaur Inc and Flashcraft http://64.74.96.132/?rdr=2
Status: company unknown. Not hosted, never has been hosted. IP unknown

Open relays: Checked, results negative.

Maillogs: email ID's are not in the maillogs
Mailstats: stats show no unusual amount of email going out.

Formmail exploit: grepped apache logs. No formmail scripts have been active
on june 9th - june 11th
Other scripts: manually searched apache logs for 9th and 10th of june. No
activity found.

Tech report of june 10th: One long-time user had installed a blog-hack that
was causing the serverload to rise beyond acceptable levels. Numerous
processes spawned with the name "4".  Directory with script was deleted and
client told not to install this hack again.
Undetermined if this was related to the sending of the emails as the
directory had already been deleted prior to the spam reports.

No other incidents reported on June 10th.

Other findings: received the spam email myself. TEN times! On all my email
addresses. Each time with a different header. But one constant remained. All
headers mentioned mail.com as the origin. Headers are copied/pasted at the
end of this email.

Based on the above I have the strong feeling that these people were able to
alter the header in such a way that Spamcop was fooled in believing it came
through our server. If you do not agree with this then I am open for all
suggestions.

Regards,
Martin Pelgrim
Wbws, Inc Sales

Headers:

Return-Path:
Received: from localhost (peony.propagation.net [66.221.10.1])
by ns01.wbws.net (8.10.2/8.10.2) with SMTP id h5DJC0W11511
for sales; Fri, 13 Jun 2003 14:12:01 -0500
Received: from mail.com ([192.123.44.235])
   by localhost (8.11.9/8.11.9) with ESMTP id I4kNJj41dc00t9
   for ; Fri, 13 Jun 2003 14:11:59 -0500 (CDT)
Message-ID: <250622265395.I4kNJj41dc00t9@neovisiongroup.com>
From: "LogoSaur"

Return-Path:
Received: from localhost ([64.49.223.60])
by ns01.wbws.net (8.10.2/8.10.2) with SMTP id h5EA9RW20546
for sales; Sat, 14 Jun 2003 05:09:28 -0500
Received: from mail.com ([192.123.44.235])
   by localhost (8.11.9/8.11.9) with ESMTP id bJ758Q4D8FohjH
   for ; Sat, 14 Jun 2003 05:09:28 -0500 (CDT)
Message-ID: <914762056510.bJ758Q4D8FohjH@neovisiongroup.com>
From: "LogoSaur"

Return-Path:
Received: from localhost (server1.asianaffairs.com [212.100.226.85] (may be
forged))
by ns01.wbws.net (8.10.2/8.10.2) with SMTP id h5EBXYW25701
for sales; Sat, 14 Jun 2003 06:33:34 -0500
Received: from mail.com ([192.123.46.212])
   by localhost (8.11.9/8.11.9) with ESMTP id 9e3R9u1k8C8Q8C
   for ; Sat, 14 Jun 2003 12:39:22 +0100 (BST)
Message-ID: <050211771199.9e3R9u1k8C8Q8C@neovisiongroup.com>
From: "FlashCraft"

Return-Path:
Received: from localhost (server1.asianaffairs.com [212.100.226.85] (may be
forged))
by ns01.wbws.net (8.10.2/8.10.2) with SMTP id h5EBYaW25747
for sales; Sat, 14 Jun 2003 06:34:37 -0500
Received: from mail.com ([192.123.46.212])
   by localhost (8.11.9/8.11.9) with ESMTP id 1Br41L3o0890Aw
   for ; Sat, 14 Jun 2003 12:40:24 +0100 (BST)
Message-ID: <586475242529.1Br41L3o0890Aw@neovisiongroup.com>
From: "FlashCraft"
To: sales@badjuan.com

Return-Path:
Received: from localhost ([217.22.246.35])
by ns01.wbws.net (8.10.2/8.10.2) with SMTP id h5EI3wW11458
for sales; Sat, 14 Jun 2003 13:04:02 -0500
Received: from mail.com ([192.123.44.235])
   by localhost (8.11.9/8.11.9) with ESMTP id Aui6piW6mr6769
   for ; Sat, 14 Jun 2003 20:15:32 +0200 (CEST)
Message-ID: <652592467743.Aui6piW6mr6769@neovisiongroup.com>
From: "LogoSaur"

Return-Path:
Received: from localhost ([216.127.82.115])
by ns01.wbws.net (8.10.2/8.10.2) with SMTP id h5EMdrW23592
for sales; Sat, 14 Jun 2003 17:39:53 -0500
Received: from mail.com ([192.123.46.212])
   by localhost (8.11.9/8.11.9) with ESMTP id 2i49jH5Wx496yh
   for ; Sat, 14 Jun 2003 18:35:55 -0500 (CDT)
Message-ID: <404284767488.2i49jH5Wx496yh@neovisiongroup.com>
From: "FlashCraft"


Return-Path:
Received: from localhost ([207.44.242.59])
by ns01.wbws.net (8.10.2/8.10.2) with SMTP id h5F2vFW02577
for sales; Sat, 14 Jun 2003 21:57:15 -0500
Received: from mail.com ([192.123.46.212])
   by localhost (8.11.9/8.11.9) with ESMTP id L3N597l06A9g2r
   for ; Sat, 14 Jun 2003 21:57:28 -0500 (EST)
Message-ID: <300049877452.L3N597l06A9g2r@neovisiongroup.com>
From: "FlashCraft"

Return-Path:
Received: from localhost (server1.asianaffairs.com [212.100.226.85] (may be
forged))
by [216.40.203.140] (8.10.2/8.10.2) with SMTP id h5F388W03115
for sales; Sat, 14 Jun 2003 22:08:09 -0500
Received: from mail.com ([192.123.46.212])
   by localhost (8.11.9/8.11.9) with ESMTP id 72R17M8Y4Ue55a
   for ; Sun, 15 Jun 2003 04:14:13 +0100 (BST)
Message-ID: <316080041506.72R17M8Y4Ue55a@neovisiongroup.com>
From: "FlashCraft"

Return-Path:
Received: from localhost (server1.asianaffairs.com [212.100.226.85] (may be
forged))
by [216.40.203.140] (8.10.2/8.10.2) with SMTP id h5F38PW03138
for sales; Sat, 14 Jun 2003 22:08:25 -0500
Received: from mail.com ([192.123.46.212])
   by localhost (8.11.9/8.11.9) with ESMTP id 4etD9Id77O1S50
   for ; Sun, 15 Jun 2003 04:14:30 +0100 (BST)
Message-ID: <477618178593.4etD9Id77O1S50@neovisiongroup.com>
From: "FlashCraft"
To: sales@betterjob.com

Return-Path:
Received: from localhost ([217.22.246.35])
by ns01.wbws.net (8.10.2/8.10.2) with SMTP id h5F9MpW20218
for sales; Sun, 15 Jun 2003 04:22:52 -0500
Received: from mail.com ([192.123.44.235])
   by localhost (8.11.9/8.11.9) with ESMTP id s2CW5Dquc56x75
   for ; Sun, 15 Jun 2003 11:34:23 +0200 (CEST)
Message-ID: <767867785275.s2CW5Dquc56x75@neovisiongroup.com>
From: "LogoSaur"
s3kk3y
These are samples of the spam being reported:

QUOTE
From sales@neovisiongroup.com Mon Jun 16 15:02:48 2003
Return-Path:
Delivered-To: x
Received: (qmail 24139 invoked from network); 16 Jun 2003 12:45:47 -0000
Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101)
 by alpha.cesmail.net with SMTP; 16 Jun 2003 12:45:47 -0000
Received: (qmail 10449 invoked from network); 16 Jun 2003 12:45:47 -0000
Received: from mailgate.cesmail.net (216.154.195.36)
 by mailgate.cesmail.net with SMTP; 16 Jun 2003 12:45:47 -0000
Received: (qmail 10434 invoked from network); 16 Jun 2003 12:45:47 -0000
Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101)
 by mailgate.cesmail.net with SMTP; 16 Jun 2003 12:45:47 -0000
Received: from expressions-photographics.com [63.163.109.250]
by mailgate.cesmail.net with POP3 (fetchmail-6.2.1)
for x (single-drop); Mon, 16 Jun 2003 08:45:47 -0400 (EDT)
Received: from [207.xx.xx.xx] (HELO localhost)
 by photogserver.net (CommuniGate Pro SMTP 4.0.6)
 with SMTP id 5272514 for x; Mon, 16 Jun 2003 08:32:14 -0400
Received: from mail.com ([192.123.46.212])
   by localhost (8.11.9/8.11.9) with ESMTP id F3b5SnHxLLx1l4
   for ; Mon, 16 Jun 2003 08:36:21 -0400 (EDT)
Message-ID: <7950___________________x1l4@neovisiongroup.com>
From: "FlashCraft"
To: x
Subject: Flash logo animation and design
Date: Mon, 16 Jun 2003 08:36:21 -0400 (EDT)
X-SpamCop-Checked: 192.168.1.101 216.154.195.36 192.168.1.101 63.163.109.250 207.xx.xx.xx 192.123.46.212  


and

QUOTE
Return-Path:
Received: from localhost (server01.myserver.com [207.xx.xx.xx])
by morgana.2robots.com (8.11.6/8.11.6) with SMTP id h5GBnsb11681
for x; Mon, 16 Jun 2003 07:49:54 -0400
Received: from mail.com ([192.123.44.235])
   by localhost (8.11.9/8.11.9) with ESMTP id 1lLiRSr11J0g2x
   for ; Mon, 16 Jun 2003 07:36:36 -0400 (EDT)
Message-ID: <7377___________________0g2x@neovisiongroup.com>
From: "LogoSaur"
To: x
Subject: Quality Logo and Corporate Identity Design
Date: Mon, 16 Jun 2003 07:36:36 -0400 (EDT)
madsere
This happened to one of my servers last week: http://spamcop.net/w3m?action=checkblock&i...207.218.206.118

Seems RS Abuse have checked several of the servers and can't find any indications that the spam actually originated here. I have been through my server and don't find anything either. So far it looks like a spoof.

Someone living close to these guys could perhaps "have a word" with them ...
QUOTE
Registrant:
Neo Vision Group
Statybininku pr. 7A-59
Klaipeda, na 5810
LT
370-46-370015  
 

Domain Name: NEOVISIONGROUP.COM

Administrative Contact:  
Crown, Albert sales@neovisiongroup.com
Statybininku pr. 7A-59
Klaipeda, na 5810
LT
370-46-370015  
 

Technical Contact:  
Crown, Albert sales@neovisiongroup.com
Statybininku pr. 7A-59
Klaipeda, na 5810
LT
370-46-370015  
 

Record last updated 06-13-2003 04:45:34 AM
Record expires on 05-30-2004
Record created on 05-30-2003

Domain servers in listed order:
       NS1.DNS-FREE.NET        64.74.96.137
       NS2.DNS-FREE.NET        64.74.96.138
       NS3.DNS-FREE.NET        24.61.3.38
       NS4.DNS-FREE.NET        208.179.93.2
       NS5.DNS-FREE.NET        64.74.96.130
s3kk3y
So far, 3 of us have been reported to spamcop because of the same email, yet none of us can find any proof that it was indeed sent from our servers.

Now, is there any way to prove to spamcop that we are in fact not spamming?

BTW, madsere, your IP looks to be blacklisted again on spamcop.
secwrd
I have been getting spam from sales@ and offers@neovisiongroup.com , I just put neovsiongroup.com into the spam filter to block them that way, I looked into it and it didn't come from my box it was just false.
s3kk3y
God, this is really annoying.

My server just got blacklisted again on spamcop for the same email.

ARGH!
Pilgrim
I've been lucky so far. Since I got delisted on june 13th they have not used my IP again.

But I checked one of the other IPs they used to send ME spam and that IP has been on and off the spamcop blocked list since May. That victim's server is in the DN datacenter. So it's not exclusive to Rackshack.

I've never received a response to my email to abuse@rackshack.net. Neither have they disconnected the server so they probably accepted the explanation.

Friggin annoying though knowing it can happen again at any moment
s3kk3y
madsere, have you been able to find any info on neovisiongroup?
madsere
No other info but what you see above. The address seems Russian to me, in which case there probably isn't much anyone can do legally.

As I already wrote previously it seems RS Abuse is aware that these are spoofed headers and are doing what they can to get Spamcop to delist our IP addresses.

Spamcop on the other hand seems to be sure the spam originates on our servers and hesitate to delist them.
aht
I am having the same problem but with a different domain

Offending message:
Return-Path:
Received: from localhost (localhost [127.0.0.1])
by chickenandporn.com (8.12.9/8.12.9/Debian-3) with ESMTP id
h5O5U2E9023068
for ; Tue, 24 Jun 2003 01:30:03 -0400
Received: from vms.caldera.com [216.250.130.31]
by localhost with IMAP (fetchmail-6.2.2)
for x (single-drop); Tue, 24 Jun 2003 01:30:03 -0400 (EDT)
Received: from vms.caldera.com ([unix socket])
by vms.caldera.com (Cyrus v2.1.10) with LMTP; Mon, 23 Jun 2003
23:27:51 -0600
X-Sieve: CMU Sieve 2.2
Received: from vms.caldera.com (localhost [127.0.0.1])
by localhost (Postfix) with ESMTP id 9DE64A005
for ; Mon, 23 Jun 2003 23:27:50 -0600 (MDT)
Received: from mail.ut.caldera.com (mail.ut.caldera.com [216.250.130.2])
by vms.caldera.com (Postfix) with ESMTP id B51A6A004
for ; Mon, 23 Jun 2003 23:27:49 -0600 (MDT)
Received: (qmail 12155 invoked by alias); 24 Jun 2003 05:27:49 -0000
Delivered-To: x
Received: (qmail 12151 invoked by uid 84); 24 Jun 2003 05:27:49 -0000
Received: from lkfnklfn@canal21.com by clavin.ut.caldera.com with
qmail-scanner-1.00 (uvscan: v4.1.40/v4155. . Clean. Processed in 0.984248
secs); 24 Jun 2003 05:27:49 -0000
Received: from unknown (HELO mail.nm.chinamobile.com) (211.138.95.3)
by mail.ut.caldera.com with SMTP; 24 Jun 2003 05:27:48 -0000
Received: from smtp.canal21.com (unknown [207.44.158.4])
by mail.nm.chinamobile.com (Postfix) with SMTP
id 908922272CA; Tue, 24 Jun 2003 13:38:03 +0800 (CST)
From: "Donald"
To: "x"
Subject: IMs, emails and live chat...no typing requiredivanb
Cc: x
Cc: sherin@telocity.com
MIME-Version: 1.0
Content-Type: text/html
Message-Id: <2003__________________72CA@mail.nm.chinamobile.com>
Date: Tue, 24 Jun 2003 13:38:03 +0800 (CST)
X-Spam: yes; 1.00; emarketsrus:98 emarketsrus:98 nono:98 ...:04 htm:94
htm:94 ffffff:93 ibm:10 ibm:10 donald:14 chat:78 and:31 21.:33 http:65
http:65

I have searched my server high and low for this..but cannot find any records of this!
aht
BTW: RS Abuse sent me that in an email. I told them I could not find this on my server, but I have not got a reply after a few days and I called them and they said just wait for a response! I sure hope this gets solved.

I am on SpamCop as well. http://spamcop.net/w3m?action=checkblock&i...ip=207.44.158.4

Boy..this sucks.
phiberoptikk
Right about now I FUC(*#&$(@#$KING HATE SPAMCOP, I'm having the same problem, and of course there isn't a human being in sight at spamcop.net, shows how "good" a service people say it is. So what the hell do I do, all my domains can't send to a bunch of servers, rackshack keeps sending me spam messages with forged headers.
s3kk3y
phiberoptikk and aht,

Was the offending email from neovisiongroup.com?
aht
The same was from another domain...as seen in the header I posted above.

Can someone from Rackshack please respond to this matter!!
daveL
I am dealing with the same problem for more than a month.

Take a look... xx.xxx.xx.xx is my ip.

Return-Path:
Received: from localhost (rs-xx-xxx-xx-xx.ev1.net [xx.xxx.xx.xx] (may be forged))
by mailserver.ssnet.it (8.12.8/8.12.1) with SMTP id h5RIpB0D027588
for x; Fri, 27 Jun 2003 20:51:13 +0200
Received: from mail.com ([192.123.46.212])
by localhost (8.11.9/8.11.9) with ESMTP id qwert029568583
for ; Fri, 27 Jun 2003 13:50:01 -0500 (EST)
Message-ID: <0384___________________n55M@neovisiongroup.com>
From: "FlashCraft"
To: x
Subject: Flash logo animation and design
Date: Fri, 27 Jun 2003 13:50:01 -0500 (EST)
Status:


A couple of guys have checked the server and they told me it doesn't look like these emails are going through my server.

The abuse department keeps sending me spam warnings.
s3kk3y
Just got relisted again for the same email:

QUOTE
Return-Path:
Received: from mail.spamcop.net (localhost [127.0.0.1])
by parody.ncl.ac.uk (8.10.2+Sun/8.10.2) with ESMTP id h5RAqlQ18450
for ; Fri, 27 Jun 2003 11:52:47 +0100 (BST)
Delivered-To: x
Received: (qmail 20223 invoked from network); 27 Jun 2003 10:52:13 -0000
Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101)
 by beta.cesmail.net with SMTP; 27 Jun 2003 10:52:13 -0000
Received: (qmail 5275 invoked from network); 27 Jun 2003 10:52:13 -0000
Received: from ns.cityscape.co.uk (194.159.0.5)
 by mailgate.cesmail.net with SMTP; 27 Jun 2003 10:52:13 -0000
Received: from newbox.tcp.net.uk ([195.80.0.243])
by ns.cityscape.co.uk with esmtp (Exim 4.12)
id 19VqoW-000Kkc-00
for x; Fri, 27 Jun 2003 10:50:46 +0000
Received: from vs198.ukvs.net ([193.110.88.198])
by newbox.tcp.net.uk (8.12.7/8.12.7) with ESMTP id h5RAqM5b014539
for ; Fri, 27 Jun 2003 11:52:22 +0100 (BST)
Received: from localhost (server01.myserver.com [xx.xx.xx.xx])
by vs198.ukvs.net (8.11.6/8.11.6) with SMTP id h5RAsR113823
for x; Fri, 27 Jun 2003 11:54:27 +0100
Received: from mail.com ([192.123.44.235])
   by localhost (8.11.9/8.11.9) with ESMTP id qwert018933035
   for ; Fri, 27 Jun 2003 06:51:44 -0400 (EDT)
Message-ID: <7019___________________4496@neovisiongroup.com>
From: "LogoSaur"
To: x
Subject: Quality Logo and Corporate Identity Design
Date: Fri, 27 Jun 2003 06:51:44 -0400 (EDT)
X-TCP-MailScanner-Information: Please visit www.tcp.co.uk for more information
X-TCP-MailScanner: Found to be clean
X-TCP-MailScanner-SpamCheck:  
X-SpamCop-Checked: 192.168.1.101 194.159.0.5 195.80.0.243 193.110.88.198 xx.xx.xx.xx 192.123.44.235  
X-Fetchmail-Warning: no recipient addresses matched declared local names
Content-Length: 1336
Status: RO
X-Status: $$$$
X-UID:  
MIME-Version: 1.0
daveL
s3kk3y

Are you using Exim and Cpanel ?
s3kk3y
Yes, I am.
daveL
Me Too

I guess if this is only affecting exim and cpanel users...
s3kk3y
I believe madsere offers Ensim as his CP, so I don't think it's only affecting cpanel hosts.
daveL
Here is a history of my server on spamcop due to this spam situation:

listed: Tuesday, June 24, 2003 12:01:03 PM -0400
delisted: Sunday, June 22, 2003 2:40:06 PM -0400
listed: Friday, June 20, 2003 7:10:04 PM -0400
delisted: Friday, June 20, 2003 12:20:02 PM -0400
listed: Friday, June 20, 2003 11:30:01 AM -0400

delisted: Tuesday, June 17, 2003 12:30:04 PM -0400
listed: Tuesday, June 10, 2003 10:10:02 PM -0400
listed: Monday, June 09, 2003 7:15:02 AM -0400
delisted: Sunday, June 08, 2003 7:35:02 AM -0400
listed: Thursday, June 05, 2003 3:15:05 PM -0400
delisted: Thursday, June 05, 2003 2:10:02 PM -0400
listed: Tuesday, June 03, 2003 11:04:03 AM -0400

Someone from spamcop scanned the ports of my server and told me I have a wingate on port 26. They sent me a copy of the results. When I read the results, my server responded "We do not authorize the use of this system to transport unsolicited email".

Getting tired of this already.
phiberoptikk
spamcop is the biggest piece of crap...I even took down my SECURE proxy and it still thinks I'm a freakin spammer...this has to be like...unlawful or something
s3kk3y
daveL,

Were all those listings due to neovisiongroup?
daveL
The first set yes.

The second set, half from neovision, and half from another domain which I believe are the same guys.
daveL
I just got delisted from spamcop.

Let's see how long it takes for it to be listed again
s3kk3y
I got relisted again for the same email, except that it has a different RETURN address:

QUOTE
Return-Path:
Received: from localhost (server01.myserver.com [207.x.x.x])
by roo.madness.net (SGI-8.12.5/8.12.5) with SMTP id h6SC7QQk043707
for x; Mon, 28 Jul 2003 08:07:27 -0400 (EDT)
Received: from mail.com ([192.123.46.212])
   by localhost (8.11.9/8.11.9) with ESMTP id qwert017248920
   for ; Mon, 28 Jul 2003 08:07:06 -0400 (EDT)
Message-ID: <5186___________________E561@greatbizservices.com>
From: "FlashCraft"
To: x
Subject: Flash logo animation and design
Date: Mon, 28 Jul 2003 08:07:06 -0400 (EDT)
X-Mozilla-Status2: 00000000


I just finished combing through my exim_mainlog's looking for any traces of this email and did not find anything. I also checked my exim_rejectlog and found nothing as well.

Has anyone else gotten the same spam reports?
Starpoint
I did a ping to that server site and this is what I get
Bad IP address neovisongroup.com.

Either it's blocked from where I work or something is VERY odd
madsere
Are y'all still having problems with this type of spam? (i.e. apparently being sent from your server though without any traces)
splinternic
QUOTE
Originally posted by madsere
Are y'all still having problems with this type of spam? (i.e. apparently being sent from your server though without any traces)


Yes. Don't keep the solution a mystery
madsere
Heh. I wish.
s3kk3y
same here.
madsere
Sorry, I didn't mean to raise anybody's hope. Just that it seems to come in waves .. suddenly you start getting a bunch of hatemail from people getting the spam ... I've got a polite reply to them and most are quite understanding. Still, I'd really like to know how they manage to get my domain name/ip address on their mail headers without any traces on my server. (just one server affected btw).
ClayGP
This is happening on my server as well.

I am getting about 2000 emails returned a day.

The weird thing is.. they appear to be coming FROM assorted users on my server.. but the IP address is wrong. It is:

61.171.241.156

CHINANET Shanghai province network - figures.

My server is now banned from sending emails to AOL users.. this is not good. My server is not open for relaying.

<<< 554-(RLY:B1) The information presently available to AOL indicates this
<<< 554-server is generating high volumes of member complaints from AOL's
<<< 554-member base. Based on AOL's Unsolicited Bulk E-mail policy at
<<< 554-http://www.aol.com/info/bulkemail.html AOL may not accept further
<<< 554-e-mail transactions from this server or domain. For more information,
<<< 554 please visit http://postmaster.info.aol.com.
... while talking to mailin-04.mx.aol.com.:


WHAT IS GOING ON? Why is this happening to everyone at the same time? .. are they targeting RS servers... is there a hole?

I have no idea how to track this down.. there are no formmail scripts on my server.
ClayGP
HELP! This is getting out of hand!
trif
It isn't necessary to send outbound mail through your mail server. A customer could have installed a program or script to connect directly to port 25 on the destination systems.

The other possibility is that you've been hacked, and an open proxy installed on the box.

It would help if you guys would indicate which received line in the headers is pointing to your system.
madsere
I've not been hacked. Chkrootkit comes up blank and anyway, I'm convinced I would know for a number of reasons I don't want to disclose publicly.

If there was an open proxy on this server we would have found
1) an unknown process listening on a port somewhere (it doesn't, been through netstat quite extensively)
2) traces of outgoing spam in /var/log/maillog (nothing)
3) one of the endless open-proxy tests already run on my server would surely have flagged it down

It's possible that a client may have installed his own "sendmail" program, though I've already been through all client accounts many times, gone through the directories where they could possibly have stored such a binary, i.e. /tmp, /var/tmp, /home/* etc. but not been able to find anything. But then again, it could be possible for someone to login, upload his binary, use it and delete it. I've checked history files, again nothing. Again, could be edited by a knowledgeable user.

Of course I've also done the usual checks for any open formmail scripts - even gone so far as to grep through the httpd logs to see if there were any scripts executed with email addresses in the URL bar. None found, and even if they were, they would still generate entries in the maillog.

Question is: If this is indeed the way it happened how can we possibly find the guilty? I'm really open for suggestions here but feel a bit at a dead end.

Below is an example of such a spam. Avi-systems.com is my server (the green lines). The IP address matches, but the sendmail version doesn't. There is, as always, no trace of the receiving server in my maillog.
QUOTE
Received: from mx.user.kolo.net (roo.kolo.net [216.218.215.35])
by seagull.nest.org (8.8.8/8.8.8/KOLO.NET-SINK-20030423-CHECK-19990919) with ESMTP
id WAA13476
for ; Tue, 5 Aug 2003 22:58:30 -0700 (PDT)
(envelope-from offers@bestspecials.biz)
Received: from avi-systems.com ([207.218.206.118.61588] helo=localhost)
by mx.user.kolo.net with smtp (Exim 3.34 #1)
id 19kHJf-000HbQ-00
for sales@exumas.net; Tue, 05 Aug 2003 22:58:31 -0700

Received: from mail.com ([192.123.46.212])
by localhost (8.11.9/8.11.9) with ESMTP id qwert009392220
for ; Wed,  6 Aug 2003 05:58:28 +0000 (UTC)
Message-ID: <894826225152.ws892bA5Qv163G@greatbizservices.com>
From: "FlashCraft"
To: sales@exumas.net
Subject: Flash logo animation and design
Date: Wed,  6 Aug 2003 05:58:28 +0000 (UTC)


For comparison, find below a bona fide mail sent from my server:
QUOTE
(irrelevant headers deleted)
X-ClientAddr: 207.218.206.118
Received: from three.avi-systems.com (avi-systems.com [207.218.206.118])
    by seven.avi-systems.com (8.11.6/8.11.6) with ESMTP id h773hQk23779
    for ; Thu, 7 Aug 2003 03:43:26 GMT

Received: (from root@localhost)
    by three.avi-systems.com (8.11.6/8.11.6) id h773hPW10683
    for rene@webscorpion.com; Thu, 7 Aug 2003 03:43:25 GMT
Date: Thu, 7 Aug 2003 03:43:25 GMT
From: root
Message-Id: <200308070343.h773hPW10683@three.avi-systems.com>
To: rene@webscorpion.com
Subject: sample headers
s3kk3y
The supposed spam coming from my server have the same return address as yours:

greatbizservices.com

I have also seen kellyoffers.com as the return email as well.

The one constant in all the headers is:

Received: from mail.com ([192.123.xx.xx])

The last 2 sets vary but it always has 192.123.
trif
QUOTE
Originally posted by madsere
I've not been hacked. Chkrootkit comes up blank and anyway, I'm convinced I would know for a number of reasons I don't want to disclose publicly.


It's possible to be hacked and not be able to find any trace of it on the machine itself. I haven't ever seen a spammer get this sophisticated with taking over a machine, but I have seen other examples of it.

QUOTE
If there was an open proxy on this server we would have found
1) an unknown process listening on a port somewhere (it doesn't, been through netstat quite extensively)


With a sophisticated hack job, netstat and other programs would have been changed to lie to you. But this is beyond the sophistication or motivation of most spammers, so it is unlikely. It is however, possible that the spammer is opening the port at a time that he/she believes you are not on to monitor the box.

QUOTE
2) traces of outgoing spam in /var/log/maillog (nothing)


An open proxy (or a closed one set up solely for the spammer's use) will not leave log entries in /var/log/maillog. The spammer connects to the proxy and back out again directly to port 25 of the spammee without bothering with your mailserver, thus no log entries.

QUOTE
3) one of the endless open-proxy tests already run on my server would surely have flagged it down


It could be a closed proxy that gives no sign of being there to outside scanners except to previously defined IP's.

QUOTE
It's possible that a client may have installed his own "sendmail" program, though I've already been through all client accounts many times, gone through the directories where they could possibly have stored such a binary, i.e. /tmp, /var/tmp, /home/* etc. but not been able to find anything. But then again, it could be possible for someone to login, upload his binary, use it and delete it. I've checked history files, again nothing. Again, could be edited by a knowledgeable user.


Uploading at a time they believe you are not monitoring, and deleting later is quite possible. I used this myself in the commission of an April Fools joke (harmless). Are your customers allowed to have binaries of any kind on the machine? How would you know what the binary did if you found one? As for history files, yes, they can be edited, but there are other ways to do things without leaving traces.

QUOTE
Question is: If this is indeed the way it happened how can we possibly find the guilty? I'm really open for suggestions here but feel a bit at a dead end.


First we'd have to establish that the spam in question was in fact coming from your box, and that the headers were not forged. I'll address that below. If the spammer were just hopping in and out when you are presumably not watching the box, you could just check in the middle of the night and see if anything was going on, for instance. If your mail server uses one port or a specific range of ports below 1024, you could use a firewall to stop all packets from source ports on your machine above 1024 from going to port 25 anywhere else. That way, nothing but your mail server can send email anywhere. In the unlikely event that you have been rooted and the hacker is sophisticated enough to use tools to completely hide himself, the only way to detect what is going on is by outside traffic analysis (such as by Rackshack) or by booting off other media and doing a forensic analysis of the hard disk. Both are not fun to do and would need to get Rackshack involved, so hope this isn't the case. Most spammers are stupid gits, but there are a few who are very bright and technically talented and could pull this off.

QUOTE
Below is an example of such a spam. Avi-systems.com is my server (the green lines). The IP address matches, but the sendmail version doesn't. There is, as always, no trace of the receiving server in my maillog.


At first appearance, the spam appears likely to have your server in as a forged header. The green lines are the *second* received header on the mail, and the first appears to have unrelated mailservers, which is usually a sign of a forged header through a proxy. However, 216.218.215.35 is not listed as a spam source anywhere, appears to be a normal mail server, and if you'll notice, the "for" destination email changes on the last (topmost) Received line. This indicates that this last hop was probably due to mail forwarding, and that mx.user.kolo.net did in fact receive this email from your machine. If you have other example spams that show your server in the topmost (last hop) received header, then you can be certain that the spam did in fact originate on your machine. Note that mx.user.kolo.net says that the transmission from your box originated at port 61588, and that you helo'd as "localhost". These are not things your *mailserver* program is likely to do, but would be something that a spamming program would (high port number, meaning they probably haven't rooted you, and use of a generic HELO). The third received line is forged, which is why the sendmail version isn't right, and why it doesn't look like your usual received headers. mail.com is likely forged here because they are known to be rabidly antispam and have pissed off a large number of spammers. The IP address listed in the third received header doesn't belong to mail.com, but to Kraft Foods. Why they are being used is anybody's guess.

QUOTE
Received: from mx.user.kolo.net (roo.kolo.net [216.218.215.35])
by seagull.nest.org (8.8.8/8.8.8/KOLO.NET-SINK-20030423-CHECK-19990919) with ESMTP
id WAA13476
for ; Tue, 5 Aug 2003 22:58:30 -0700 (PDT)
(envelope-from offers@bestspecials.biz)
Received: from avi-systems.com ([207.218.206.118.61588] helo=localhost)
by mx.user.kolo.net with smtp (Exim 3.34 #1)
id 19kHJf-000HbQ-00
for sales@exumas.net; Tue, 05 Aug 2003 22:58:31 -0700
Received: from mail.com ([192.123.46.212])
by localhost (8.11.9/8.11.9) with ESMTP id qwert009392220
for ; Wed, 6 Aug 2003 05:58:28 +0000 (UTC)
Message-ID: <894826225152.ws892bA5Qv163G@greatbizservices.com>
From: "FlashCraft"
To: sales@exumas.net
Subject: Flash logo animation and design
Date: Wed, 6 Aug 2003 05:58:28 +0000 (UTC)
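trif's method above, walking the Received chain from the topmost (last hop) line downwards, can be scripted. The Python below is an added example, not code from the thread or from any of the posters: it parses each Received line of a message and applies the rules trif describes (server named in the topmost hop is conclusive; a recipient change between the top two hops means forwarding, so the second hop is the real hand-off; a HELO of "localhost" plus an unprivileged source port points at a spamming program rather than the MTA; a line below the real hop that claims receipt "by localhost" is the forged one and its id is what to look up in the maillog). It also covers s3kk3y's later point that the real MTA stamps every outgoing mail with an antiabuse header, under the assumed header name X-AntiAbuse. The sample message is constructed from the headers quoted above, with a placeholder recipient x@nest.org where the original was stripped; the Received formats handled and the function names are my assumptions.

```python
"""Decide from the Received chain whether a given server really handed off a
reported spam.  Added example for this thread; hop ordering follows the usual
rule that the topmost Received line was added by the last receiving server."""
import email
import re

# Formats handled (assumption): sendmail "name [ip]", Exim 3 "[ip.port]",
# Exim 4 "[ip]:port", "helo=NAME" / "(HELO NAME)".  Others yield None fields.
HOP_RE = re.compile(
    r"^from\s+(?P<name>\S+).*?\bby\s+(?P<by>\S+)"
    r"(?:.*?\bfor\s+<?(?P<rcpt>[^\s>;]+)>?)?",
    re.I | re.S,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})(?:\.(\d+))?\](?::(\d+))?")
HELO_RE = re.compile(r"\bhelo[= ]\s*([^\s)]+)", re.I)

# Constructed sample, based on the headers quoted above (recipient of the
# first hop was stripped in the quote; x@nest.org is a placeholder).
SAMPLE = """\
Received: from mx.user.kolo.net (roo.kolo.net [216.218.215.35])
 by seagull.nest.org (8.8.8/8.8.8) with ESMTP id WAA13476
 for <x@nest.org>; Tue, 5 Aug 2003 22:58:30 -0700 (PDT)
Received: from avi-systems.com ([207.218.206.118.61588] helo=localhost)
 by mx.user.kolo.net with smtp (Exim 3.34 #1) id 19kHJf-000HbQ-00
 for sales@exumas.net; Tue, 05 Aug 2003 22:58:31 -0700
Received: from mail.com ([192.123.46.212])
 by localhost (8.11.9/8.11.9) with ESMTP id qwert009392220
 for <sales@exumas.net>; Wed, 6 Aug 2003 05:58:28 +0000 (UTC)
Message-ID: <894826225152.ws892bA5Qv163G@greatbizservices.com>
From: "FlashCraft" <offers@bestspecials.biz>
To: sales@exumas.net
Subject: Flash logo animation and design

(body omitted)
"""


def parse_received(value):
    """Split one Received header into the fields the analysis needs."""
    s = " ".join(value.split())  # unfold continuation lines
    hop = {"raw": s, "name": None, "by": None, "rcpt": None,
           "ip": None, "port": None, "helo": None}
    m = HOP_RE.match(s)
    if not m:  # e.g. qmail's "(qmail NNN invoked from network)" has no from/by
        return hop
    hop["name"], hop["by"], hop["rcpt"] = m.group("name"), m.group("by"), m.group("rcpt")
    origin = s[: m.start("by")]  # only the part describing the sending side
    ip = IP_RE.search(origin)
    if ip:
        hop["ip"] = ip.group(1)
        port = ip.group(2) or ip.group(3)
        hop["port"] = int(port) if port else None
    helo = HELO_RE.search(origin)
    if helo:
        hop["helo"] = helo.group(1)
    return hop


def analyze(raw_message, my_names, my_ips, fingerprint_header="X-AntiAbuse"):
    """Return a verdict dict for the server identified by my_names / my_ips.

    fingerprint_header is a header the real MTA is known to add to every
    outgoing mail (assumed name); its absence is one more sign that the
    mail bypassed the MTA."""
    msg = email.message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    my_names = {n.lower() for n in my_names}
    report = {"hops": hops, "my_hop": None, "verdict": "not cited in any hop",
              "indicators": [], "forged_hops": [],
              "fingerprint_missing": msg.get(fingerprint_header) is None}
    cited = [i for i, h in enumerate(hops)
             if (h["name"] or "").lower() in my_names or h["ip"] in my_ips]
    if not cited:
        return report
    i = cited[0]  # topmost hop that names my server
    me = hops[i]
    report["my_hop"] = i
    if i == 0:
        report["verdict"] = "conclusive: my server delivered directly to the final receiver"
    elif i == 1 and hops[0]["rcpt"] and hops[1]["rcpt"] and hops[0]["rcpt"] != hops[1]["rcpt"]:
        report["verdict"] = ("likely: the last hop is a forward (recipient changed), "
                             "so hop 1 received the mail from my server")
    else:
        report["verdict"] = "inconclusive: my server appears only below an unrelated hop"
    if (me["helo"] or "").lower() == "localhost":
        report["indicators"].append("generic HELO 'localhost'")
    if me["port"] and me["port"] > 1024:
        report["indicators"].append("unprivileged source port %d" % me["port"])
    # Hops below mine claiming receipt "by localhost": their ids are the ones
    # to look up in the local maillog; an id that is not there marks a forgery.
    report["forged_hops"] = [j for j in range(i + 1, len(hops))
                             if (hops[j]["by"] or "").lower() == "localhost"]
    return report


if __name__ == "__main__":
    r = analyze(SAMPLE, {"avi-systems.com"}, {"207.218.206.118"})
    print(r["verdict"])
    print("indicators:", r["indicators"], "forged hops:", r["forged_hops"])
```

Run on the sample it reports hop 1 as the server's, a "likely" verdict because the recipient changes at the last hop, the two spamware indicators (HELO localhost, port 61588) and hop 2 as the forged line; feed it a sample where the server sits in the topmost line and the verdict becomes conclusive.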
s3kk3y
trif,

Do you think you could analyze mine as well?


QUOTE
Return-Path:
Delivered-To: x
Received: (qmail 15501 invoked from network); 2 Aug 2003 08:15:55 -0000
Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101)
 by blade1.cesmail.net with SMTP; 2 Aug 2003 08:15:55 -0000
Received: (qmail 18319 invoked from network); 2 Aug 2003 08:15:55 -0000
Received: from mx.domaindiscover.com (HELO mx1.domaindiscover.com) (216.104.161.40)
 by mailgate.cesmail.net with SMTP; 2 Aug 2003 08:15:55 -0000
Received: from localhost (server01.myserver.com [207.xxx.xx])
by mx1.domaindiscover.com (Postfix) with SMTP id 40FF03392D
for ; Sat,  2 Aug 2003 01:15:52 -0700 (PDT)

Received: from mail.com ([192.123.46.212])
   by localhost (8.11.9/8.11.9) with ESMTP id qwert024729892
   for ; Sat,  2 Aug 2003 04:15:31 -0400 (EDT)
Message-ID: <8018___________________M2o8@kellysoffers.com>
From: "GrinHost"
To: x
Subject: Reliable and Affordable Web hosting
Date: Sat,  2 Aug 2003 04:15:31 -0400 (EDT)
X-Spam-Status: hits=5.1
tests=FROM_OFFERS,OFFERS_ETC
version=2.55
X-Spam-Level: *****
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
X-SpamCop-Checked:  


The bold is my server. I got this sample from spamcop so the email it was sent to has been removed, which may make it a bit harder for you to analyze.
trif
QUOTE
Originally posted by s3kk3y
trif,

Do you think you could analyze mine as well?

The bold is my server. I got this sample from spamcop so the email it was sent to has been removed, which may make it a bit harder for you to analyze.


Yours is not conclusive either, because there appears to be another mail forwarding at the last hop. Domaindiscover does email forwarding, so it appears very likely that your server is the source of the spam, and the mail.com line is forged. Get one with headers where your server is cited in the topmost (last hop) received line, and it will be conclusive.

It is disconcerting that this appears to be happening to a lot of different machines on different networks, and nobody has yet tracked down how it is being done. It smells of either unknown ratware or a very organized operation.
madsere
Do you think it's possible to force sendmail to use a specific privileged port for outgoing mail, then block any other outgoing packets to port 25 in the firewall?

I use KISS firewall, which generally blocks outgoing accesses, except that I believe sendmail defaults to using a random outgoing port?
madsere
Actually I just installed APF on this server from the assumption that it produces logs that might shed some light on the story.

Regarding the spam: the spam I receive (in hatemails from the spam victims) is always in the same format. Here's another example:
QUOTE
Return-Path:
Delivered-To: online.fr-andycook.org@free.fr
Received: (qmail 21397 invoked from network); 5 Aug 2003 11:46:56 -0000
Received: from ultra24.uk2net.com (212.4.208.124) by mrelay1-2.free.fr with SMTP; 5 Aug 2003 11:46:56 -0000
Received: from ultra26.uk2net.com ([212.4.208.126]) by ultra24.uk2net.com with esmtp (Exim 0.00) id 19k0HE-0008RX-00 for celestecook@andycook.org; Tue, 05 Aug 2003 12:46:52 +0100
Received: from avi-systems.com ([207.218.206.118] helo=localhost) by ultra26.uk2net.com with smtp (Exim 0.00) id 19k0HE-0008Oi-00 for sales@celestecook.net; Tue, 05 Aug 2003 12:46:52 +0100

Received: from mail.com ([192.123.44.235]) by localhost (8.11.9/8.11.9) with ESMTP id qwert032663491 for ; Tue, 5 Aug 2003 11:46:55 +0000 (UTC)
Message-ID: <358215898037.qe66708863j51q@bestspecials.biz>
From: "LogoSaur"
To: sales@celestecook.net
Subject: Quality Logo and Corporate Identity Design
Date: Tue, 5 Aug 2003 11:46:55 +0000 (UTC)
s3kk3y
Here is one that was sent to me by the spam recipient directly:

QUOTE
Received: from localhost [207.xx.xx.xx] by mail.glacierpeaks.net
 (SMTPD32-7.15) id A383302011E; Fri, 25 Jul 2003 04:16:35 -0600

Received: from mail.com ([192.123.46.212])
   by localhost (8.11.9/8.11.9) with ESMTP id qwert017353650
   for ; Fri, 25 Jul 2003 06:16:15 -0400 (EDT)
Message-ID: <949369026405.481p84w3o39992@greatbizservices.com>
From: "FlashCraft"
To: sales@makogallery.com
Subject: Flash logo animation and design
Date: Fri, 25 Jul 2003 06:16:15 -0400 (EDT)


The bold is my server.
trif
It does in fact appear that this spam is originating from your machines. I'm not a sendmail guru (I use Exim), but I'll dig out my old bat book and see if I can find something.
s3kk3y
trif,

My servers are cpanel so I am using exim as well.

Also, I know that all emails sent from my server have the antiabuse lines in the header, yet none of the reported spam emails contain it.
Invision Power Board © 2001-2009 Invision Power Services, Inc.