Spam problem - possible with bounce.php

[melanie]

We're seeing strings like the one below in our server logs.  We're also seeing hundreds, if not thousands, of spam emails in our mail logs.  Any thoughts?

******

[06/Oct/2005:00:10:05 -0700]|68.96.160.85|450|200|-|www.marsvenus.com|GET /favicon.ico|text/plain|AdvancedPoll43=1|-|Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7
[06/Oct/2005:00:09:59 -0700]|209.249.155.145|145|200|-|www.marsvenus.com|GET /listmail/bounce.php?mt=&ui=&mi=&em=From%20MAILER-DAEMON%20
Thu%20Oct%20%206%2000%3A09%3A59%202005%0AReceived%3A%20
from%20localhost%20(localhost)%0A%09by%20ecaz.svwh.net%20(8.12.9
%2F8.12.9)%20id%20j9679wwR012338%3B%0A%09Thu,%206%20Oc
t%202005%2000%3A09%3A59%20-0700%20(PDT)%0ADate%3A%20
Thu,%206%20Oct%202005%2000%3A09%3A59%20-0700%20(PDT)%
0AFrom%3A%20Mail%20Delivery%20Subsystem%20%3CMAILER-
DAEMON%3E%0AMessage-Id%3A%20%3C200510060709.j9679ww
R012338%40ecaz.svwh.net%3E%0ATo%3A%20a1392%0AMIME-Ve
rsion%3A%201.0%0AContent-Type%3A%20multipart%2Freport%3
B%20report-type%3Ddelivery-status%3B%0A%09boundary%3D
.1128582599%2Fecaz.svwh.net%22%0ASubject%3A%20Returned
%20mail%3A%20see%20transcript%20for%20details%0AAuto-Sub
mitted%3A%20auto-generated%20(failure)%0A%0AThis%20is%20
a%20MIME-encapsulated%20message%0A%0A--j9679wwR012338
.1128582599%2Fecaz.svwh.net%0A%0AThe%20original%20messa
ge%20was%20received%20at%20Thu,%206%20Oct%202005%20
00%3A09%3A58%20-0700%20(PDT)%0Afrom%20a1392%40localh
ost%0A%0A%20%20%20-----%20The%20following%20addresses
%20had%20permanent%20fatal%20errors%20-----%0Amyrna182
%40marsvenus.com%0A%20%20%20%20(reason%3A%20550%2
05.1.1%20User%20unknown)%0A%0A%20%20%20-----%20Trans
cript%20of%20session%20follows%20-----%0A550%205.1.1%20m
yrna182%40marsvenus.com...%20User%20unknown%0A%0A--j96
79wwR012338.1128582599%2Fecaz.svwh.net%0AContent-Type%3
A%20message%2Fdelivery-status%0A%0AReporting-MTA%3A%20
dns%3B%20ecaz.svwh.net%0AArrival-Date%3A%20Thu,%206%20
Oct%202005%2000%3A09%3A58%20-0700%20(PDT)%0A%0AFin
al-Recipient%3A%20RFC822%3B%20myrna182%40marsvenus.
%0AX-Actual-Recipient%3A%20RFC822%3B%20nosuchuser%40ec
az.svwh.net%0AAction%3A%20failed%0AStatus%3A%205.1.1%0A
Diagnostic-Code%3A%20X-Unix%3B%20550%205.1.1%20User%2
0unknown%0ALast-Attempt-Date%3A%20Thu,%206%20Oct%2020
05%2000%3A09%3A59%20-0700%20(PDT)%0A%0A--j9679wwR0
12338.1128582599%2Fecaz.svwh.net%0AContent-Type%3A%20m
essage%2Frfc822%0A%0AReturn-Path%3A%20%3Ca1392%3E%0
AReceived%3A%20(from%20a1392%40localhost)%0A%09by%20e
caz.svwh.net%20(8.12.9%2F8.12.9)%20id%20j9679wwQ012338%3
B%0A%09Thu,%206%20Oct%202005%2000%3A09%3A58%20-07
00%20(PDT)%0ATo%3A%20myrna182%40marsvenus.com%0AFro
m%3A%20OurHottestIssue311%40aid4free.com%0ASubject%3A%
20Notice%20the%20volume,%20wise%20investors%20are%20beg
inning%20to%20accumlate%20xecarbec%0AMessage-ID%3A%20
%3C5504.3458%40aid4free.com%3E%0ADate%3A%20Thu,%2006
-Oct-2005%2007%3A09%3A16%20GMT%0AUser-Agent%3A%20M
ozilla%20Thunderbird%200.8%20(Windows%2F20040913)%0AX-A
ccept-Language%3A%20en-us,%20en%0AMIME-Version%3A%201
.0%0AContent-Type%3A%20multipart%2Falternative%3B%
%3D2G1hBus2H6Mc%0A%0A--2G1hBus2H6Mc%0AContent-Type%
3A%20text%2Fplain%0AContent-Transfer-Encoding%3A%207bit%0
A%0A%3D3CHTML%3D3E%3D3CFONT%20%20SIZE%3D3D4%20P
TSIZE%3D3D12%20FAMILY%3D3D%3D22FIXED%3D22%20FACE%
3D3D%3D22%3D%0ACourier%20New%3D22%20LANG%3D3D%3
D220%3D22%3D3E%3D3CB%3D3EUniversal%20Property%20Dev
elopment%20S%3D%0Aubsidiary%20Reports%20Natural%20Gas%
20Production%20Exceeds%20Projections%20%3D2D%20Revenu%
3D%0Ae%20Expected%20to%20Be%20100%3D25%20Greater%2
0Than%20Forecast%3D3C%3D2FFONT%3D3E%3D3CFONT%20%2
0SIZE%3D%0A%3D3D3%20PTSIZE%3D3D10%3D3E%3D3C%3D2
FB%3D3E%3D3CBR%3D3E%3D3CBR%3D3E%3D3A%3D3A%3D3A
%3D3A%3D3AVERY%20HOT%20SE%3D%0ACTOR%20TO%20INV
EST%20IN%3D3A%3D3A%3D3A%3D3A%3D3A%3D3CBR%3D3E%
3D3CBR%3D3ESYMBOL%3D3A%20%20%20%20UPDA%3D3CBR%
3D3E%3D%0ACurrent%20price%3D3A%20%20%20%3D2E445%3
D3CBR%3D3EProjected%20Short%20Term%20Growth%3D3A%20
%201%3D2E00%3D%0A%3D2B%3D3CBR%3D3ERating%3D3A%2
010%20out%20of%2010%3D3CBR%3D3E%3D3CBR%3D3E%3D3C
BR%3D3EHOUSTON%3D2C%20Oct%3D%0A%3D2E%204%20%3D
2FPRNewswire%3D2DFirstCall%3D2F%20%3D2D%3D2D%20Cany
on%20Creek%20Oil%20%3D26%20Gas%20Inc%3D2E%3D%0A%
20%3D28A%20Joint%20Venture%20of%20Universal%20Property%
20Development%20and%20Acquisition%20C%3D%0Aorporation%
20%3D28OTC%20Bulletin%20Board%3D3A%20UPDA%3D29%20%
20has%20expanded%20its%20well%20revi%3D%0Atalization%20
program%20on%20a%20fast%20pace%20and%20will%20soon%2
0initiate%20oil%20and%20natura%3D%0Al%20gas%20production
%20at%20its%20Palo%20Pinto%20County%20Regular%20Field%2
0consisting%20of%206%3D%0A14%20acres%20with%2028%20w
ells%20completed%20in%20the%20Strawn%20formation%20in%2
0Northern%20Te%3D%0Axas%3D2E%3D3CBR%3D3ECanyon%20
Creek%20has%20scheduled%20a%20field%20meeting%20this%2
0week%20with%3D%0A%20the%20Railroad%20Commission%20o
f%20Texas%20to%20perform%20the%20required%20testing%20o
n%20fo%3D%0Aur%20of%20its%20permitted%20injector%20well
s%3D2E%20Canyon%20Creek%20will%20then%20implement%20
%3D%0Awater%20flood%20procedures%20to%20recover%20a%
20significant%20amount%20of%20oil%20remaining%3D%0A%20i
n%20place%3D2E%20Once%20the%20testing%20is%20completed
%3D2C%20the%20Company%20can%20begin%20oil%3D%0A%2
0and%20natural%20gas%20production%20from%20the%20wells%
3D2E%20%3D22Our%20plans%20include%20inje%3D%0Acting%2
0about%20a%20thousand%20barrels%20of%20water%20per%20d
ay%20to%20maximize%20the%20effects%3D%0A%20of%20wate
r%20flooding%3D22%3D2C%20says%20Canyon%20Creek%20Pr
esident%3D2E%20%3D22We%20are%20excit%3D%0Aed%20abo
ut%20this%20field%20because%20of%20the%20number%20of%2
0producing%20wells%20and%20the%20re%3D%0Alatively%20low
%20lifting%20cost%20to%20produce%20the%20oil%20at%201%3
D2C200%20feet%3D2E%20Once%20th%3D%0Ae%20water%20flo
oding%20procedures%20take%20effect%3D2C%20we%20could%
20exceed%201500%20barrels%3D%0A%20of%20oil%20per%20m
onth%20and%203%3D2C000%20mcfgpm%20of%20casinghead%2
0gas%3D2E%3D22%3D3CBR%3D3EOnc%3D%0Ae%20these%20w
ells%20are%20brought%20on%3D2Dline%3D2C%20it%20is%20pr
ojected%20that%20Canyon%20Cree%3D%0Ak%20will%20be%20
selling%20nearly%205000%20mcf%20of%20natural%20gas%20pe
r%20month%20from%20only%20ha%3D%0Alf%20of%20its%20cu
rrent%20portfolio%3D|text/html|-|-|Wget/1.8

[DW]

The string you quoted is typical of a ListMail installation utilizing bounce.cgi.  If any messages (ie spam)  are sent to the bounce email address they will be seen in the log.   At this time the CGI script simply forwards bounced messages to the ListMail PHP script.  The reason I did this was to prevent you having to enter your MySQL information in more than one place (ie ListMail config.php AND config.cgi...).    Soon, I will be providing the bounce.php processing right in the CGI script since, while it's a tad more time consuming to set up, it is far more efficient and will not result in the log entries you are reporting which I, personally, also find annoying and wasteful.

Regards

[melanie]

I'm not sure I explained this correctly.  Someone is using our server to send this spam somehow - we haven't figured out how yet and are trying everything to stop it.  The timestamps on the emails received by those receiving the spam match the log files in the server for entries like the ones above exactly.  

Is it possible that someone is using bounce.php to send spam?

[DW]

This is a very concerning thought.

I wonder if your server is actually sending the spam or if someone is simply using your domain name/return address as the "From" email in their email (very easy to forge).  Were you forwarded a copy of the message that was said to be spam?  If so, I would be interested in seeing the headers.

Can I access your server, by any chance, so I can do some of my own troubleshooting?   You can securely submit your info here.

Regards

[melanie]

Its definitely coming from our server - the headers show our IP and we've had several complaints - our IP has been blocked from AOL already and more to come if we don't get this stopped.  I'll be giving you access to the server in a few minutes, please note that I will be unavailable for the next 4-5 hours (it is Saturday after all) but I will check email this evening when we return home.

Thanks for checking into this for us - we appreciate it.

Header Information:


Return-Path: <a1392@ecaz.svwh.net>
Received: from  rly-xa01.mx.aol.com (rly-xa01.mail.aol.com [172.20.64.37]) by air-xa03.mail.aol.com (v107.13) with ESMTP id MAILINXA34-474347c8411d6; Sat, 08 Oct 2005 09:24:30 -0400
Received: from  ecaz.svwh.net (209.133.1.14.svwh.net [209.133.1.14]) by rly-xa01.mx.aol.com (v108.21) with ESMTP id MAILRELAYINXA11-474347c8411d6; Sat, 08 Oct 2005 09:23:21 -0400
Received: (from a1392@localhost)
   by ecaz.svwh.net (8.12.9/8.12.9) id j963MfUs028130;
   Wed, 5 Oct 2005 20:22:41 -0700 (PDT)
To: <Undisclosed Recipients>
From: UrgentIssueAlert532@cityonline.com
Subject: Hi kvdrguml
Message-ID: <5815.16001@cityonline.com>
Date: Thu, 06-Oct-2005 03:20:13 GMT
User-Agent: Mozilla Thunderbird 0.8 (Windows/20040913)
X-Accept-Language: en-us, en
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=z0a41STmf
X-AOL-IP: 209.133.1.14
X-AOL-SDI: PROFILE
X-Mailer: Unknown (No Version)

[melanie]

Any thoughts - did you access the server?  We will be revoking the access we set up for you on Saturday.

[DW]

I replied to the support ticket.  It's hard to investigate this issue without Administrator access.  The first log entry you sent to start off this post does not seem problematic - it's from "MAILER-DAEMON" so it's probably a legitimate bounce.  I think the issues could be separate.  Your server could have been compromised.  I highly recommend that you download and run the latest versions of rkhunter and chkrootkit on the server.  These programs find common hacks.  I have a fair amount of experience with servers.  I could investigate further with administrator access, otherwise I'm not sure what I can do.

Regards, DW