Brand new spam attacks - Seems like an emergency
Posted by ub3r, 03-18-2007, 04:12 PM This afternoon I noticed a pattern of spam on several different shared hosting servers, spanning several different shared hosting providers. The spam first takes the client's domain name, for example, plastic.com. Then adds the word "nac" to the beginning, and "gaf" to the end, making the from email address nacplasticgaf@plastic.com . If the domain were rockin.com, the email would be nacrockingaf@rockin.com . Byob.com, nacbyobgaf@byob.com, etc. It then grabs the ip address of the website, and creates a fake header which makes the email appear to have been sent from that server. Could some of you run this command on your servers, and let me know if anything turns up? Thanks. grep nac /var/log/exim_mainlog | grep gaf You could help us out by running this command: grep nac /var/log/exim_mainlog | grep gaf > /usr/local/apache/htdocs/nacgaf.txt then send us a link to http://your.server.com/nacgaf.txt . These commands only work on cpanel machines. You'll have to manipulate the path in the commands to the logs that your MTA keeps.
Posted by Yapluka, 03-18-2007, 04:46 PM Check your MP I've found a bunch on my servers but the sender domain is usually not a client's domain. Hope this helps, anyway...
Posted by bear, 03-18-2007, 05:01 PM Substantially more results were found by using the common origin in all the ones your grep returned: "thhebat.net" cat /var/log/exim_mainlog |grep thhebat.net None of the accounts in the sample I checked were accounts on that server. Here's a sample: As you can see, another pattern is heb*dab I'm sure there's more.
Posted by rdx, 03-18-2007, 05:05 PM upped one for you with the nac gaf pattern: http://www.yourfilelink.com/get.php?fid=301031
Posted by ub3r, 03-18-2007, 06:29 PM The bat is actually a bulk emailing program. I believe this might be a default setting it uses for for some kind of function. I'll try and dig the program up, and look at it. [edit] Also, root@grok [~]# grep -i heb /var/log/exim_mainlog | grep -i dab | wc -l 2377
Posted by bear, 03-18-2007, 06:56 PM Yes, the bat is a mailing program, but it inserts "TheBat!", not "thhebat.net". Note the thhebat.net? Different, and this line is actually a mail ID number: "id=809701117.14625301181706@thhebat.net", not a program tag line.
Posted by zacharooni, 03-19-2007, 02:39 AM http://www.sharpnet.net/nacgaf.txt
Posted by grandad, 04-05-2007, 06:05 PM Just got bombarded by a similar spamming issue this time using 'max' &'dax' in the format maxdomaindax@domain.com
Posted by ekusteve, 05-06-2007, 12:37 PM Same here except they are using "miq" and "few". Is there anything that can/should be done? I do have an spf record set on the account, but don't know what else to do. Steve
Posted by ub3r, 05-06-2007, 05:12 PM Disable catchall email accounts too. It's probably just the same spammer, using some kind of randomizer for each spam he sends out.
Posted by himan45, 05-06-2007, 10:46 PM WOW. I actually noticed same but didn't pay much attention.