Brand new spam attacks - Seems like an emergency

Posted by ub3r, 03-18-2007, 04:12 PM
This afternoon I noticed a pattern of spam on several different shared hosting servers, spanning several different shared hosting providers. The spam first takes the client's domain name, for example, plastic.com. Then adds the word "nac" to the beginning, and "gaf" to the end, making the from email address nacplasticgaf@plastic.com . If the domain were rockin.com, the email would be nacrockingaf@rockin.com . Byob.com, nacbyobgaf@byob.com, etc. It then grabs the ip address of the website, and creates a fake header which makes the email appear to have been sent from that server. Could some of you run this command on your servers, and let me know if anything turns up? Thanks. grep nac /var/log/exim_mainlog | grep gaf You could help us out by running this command: grep nac /var/log/exim_mainlog | grep gaf > /usr/local/apache/htdocs/nacgaf.txt then send us a link to http://your.server.com/nacgaf.txt . These commands only work on cpanel machines. You'll have to manipulate the path in the commands to the logs that your MTA keeps.

Posted by Yapluka, 03-18-2007, 04:46 PM
Check your MP I've found a bunch on my servers but the sender domain is usually not a client's domain. Hope this helps, anyway...

Posted by bear, 03-18-2007, 05:01 PM
Substantially more results were found by using the common origin in all the ones your grep returned: "thhebat.net" cat /var/log/exim_mainlog |grep thhebat.net None of the accounts in the sample I checked were accounts on that server. Here's a sample: As you can see, another pattern is heb*dab I'm sure there's more.

Posted by rdx, 03-18-2007, 05:05 PM
upped one for you with the nac gaf pattern: http://www.yourfilelink.com/get.php?fid=301031

Posted by ub3r, 03-18-2007, 06:29 PM
The bat is actually a bulk emailing program. I believe this might be a default setting it uses for for some kind of function. I'll try and dig the program up, and look at it. [edit] Also, root@grok [~]# grep -i heb /var/log/exim_mainlog | grep -i dab | wc -l 2377

Posted by bear, 03-18-2007, 06:56 PM
Yes, the bat is a mailing program, but it inserts "TheBat!", not "thhebat.net". Note the thhebat.net? Different, and this line is actually a mail ID number: "id=809701117.14625301181706@thhebat.net", not a program tag line.

Posted by zacharooni, 03-19-2007, 02:39 AM
http://www.sharpnet.net/nacgaf.txt

Posted by grandad, 04-05-2007, 06:05 PM
Just got bombarded by a similar spamming issue this time using 'max' &'dax' in the format maxdomaindax@domain.com

Posted by ekusteve, 05-06-2007, 12:37 PM
Same here except they are using "miq" and "few". Is there anything that can/should be done? I do have an spf record set on the account, but don't know what else to do. Steve

Posted by ub3r, 05-06-2007, 05:12 PM
Disable catchall email accounts too. It's probably just the same spammer, using some kind of randomizer for each spam he sends out.

Posted by himan45, 05-06-2007, 10:46 PM
WOW. I actually noticed same but didn't pay much attention.

Cette réponse était-elle pertinente?

 Imprimer cet article

Consultez aussi

Auto Block IP Windows 2003

Posted by directhostinguk, 05-06-2007, 02:39 PMAnyone got any ideas how to detect and block IP’s...

Need Shell script to add prefix to multiple files' name.

Posted by viettechorg, 03-25-2007, 02:09 PMHello, Does anyone know any of the shell script(or...

hello

Posted by swebz, 03-13-2010, 04:57 AMAny one know how to make jquery drop down. Thanks...

.htaccess problem

Posted by londonhogfan, 09-23-2008, 02:05 AMhi, I'm having quite a problem with my site on...

Free script that hides links?

Posted by bambinou, 11-12-2012, 04:29 AMHello, I would like to know if you have ever seen a...