Brand new spam attacks - Seems like an emergency

Posted by ub3r, 03-18-2007, 04:12 PM
This afternoon I noticed a pattern of spam on several different shared hosting servers, spanning several different shared hosting providers. The spam first takes the client's domain name, for example, plastic.com. Then adds the word "nac" to the beginning, and "gaf" to the end, making the from email address nacplasticgaf@plastic.com . If the domain were rockin.com, the email would be nacrockingaf@rockin.com . Byob.com, nacbyobgaf@byob.com, etc. It then grabs the ip address of the website, and creates a fake header which makes the email appear to have been sent from that server. Could some of you run this command on your servers, and let me know if anything turns up? Thanks. grep nac /var/log/exim_mainlog | grep gaf You could help us out by running this command: grep nac /var/log/exim_mainlog | grep gaf > /usr/local/apache/htdocs/nacgaf.txt then send us a link to http://your.server.com/nacgaf.txt . These commands only work on cpanel machines. You'll have to manipulate the path in the commands to the logs that your MTA keeps.

Posted by Yapluka, 03-18-2007, 04:46 PM
Check your MP I've found a bunch on my servers but the sender domain is usually not a client's domain. Hope this helps, anyway...

Posted by bear, 03-18-2007, 05:01 PM
Substantially more results were found by using the common origin in all the ones your grep returned: "thhebat.net" cat /var/log/exim_mainlog |grep thhebat.net None of the accounts in the sample I checked were accounts on that server. Here's a sample: As you can see, another pattern is heb*dab I'm sure there's more.

Posted by rdx, 03-18-2007, 05:05 PM
upped one for you with the nac gaf pattern: http://www.yourfilelink.com/get.php?fid=301031

Posted by ub3r, 03-18-2007, 06:29 PM
The bat is actually a bulk emailing program. I believe this might be a default setting it uses for for some kind of function. I'll try and dig the program up, and look at it. [edit] Also, root@grok [~]# grep -i heb /var/log/exim_mainlog | grep -i dab | wc -l 2377

Posted by bear, 03-18-2007, 06:56 PM
Yes, the bat is a mailing program, but it inserts "TheBat!", not "thhebat.net". Note the thhebat.net? Different, and this line is actually a mail ID number: "id=809701117.14625301181706@thhebat.net", not a program tag line.

Posted by zacharooni, 03-19-2007, 02:39 AM
http://www.sharpnet.net/nacgaf.txt

Posted by grandad, 04-05-2007, 06:05 PM
Just got bombarded by a similar spamming issue this time using 'max' &'dax' in the format maxdomaindax@domain.com

Posted by ekusteve, 05-06-2007, 12:37 PM
Same here except they are using "miq" and "few". Is there anything that can/should be done? I do have an spf record set on the account, but don't know what else to do. Steve

Posted by ub3r, 05-06-2007, 05:12 PM
Disable catchall email accounts too. It's probably just the same spammer, using some kind of randomizer for each spam he sends out.

Posted by himan45, 05-06-2007, 10:46 PM
WOW. I actually noticed same but didn't pay much attention.

Помог ли вам данный ответ?

 Распечатать статью

Также читают

User nobody?

Posted by BrightStar, 01-14-2008, 02:53 PMHi there, I am not quite sure but I read a tutorial...

Any PHP library to create .ico? Or just to convert a PNG to ICO?

Posted by yangyang2036, 09-21-2008, 09:17 PMSearched google with nothing relevant. Posted by...

WHM to point site to home server

Posted by kiwami, 05-04-2007, 12:19 PMwhats up fellers, i'm attempting to point my design site...

Remount back up hard drive

Posted by Peter_Net, 09-15-2007, 07:41 PMHello, I have a second hard disk for cpanel back up...

Invoking classes via Nested includes (php)

Posted by lifewater, 03-15-2007, 04:00 PMHello, I apologize if this is a repeated question,...