[nSLUG] apache used to generate spam

D G Teed donald.teed at gmail.com
Thu Apr 16 15:40:26 ADT 2009


On Thu, Apr 16, 2009 at 2:58 PM, Rich <budman85 at eastlink.ca> wrote:

>
> Only when postfix is running...
>
> Have you tried taking snapshots of the processes.
>

The behaviour of the spammer is that he sets up the
spam method, whatever it is, and fires off test emails
to his addresses.  Only if they deliver does he continue.
Otherwise he cleans up.  The only way to capture via
process snapshots would be to allow him to deliver spam.


> Check home dirs to see if there are any postfix configs or .forward files.
> Trying to find the text may be hard, especially if its compiled into bin
> format.
>
> Any unusually listeners under netstat
> Any cronjobs under user ids.
>

Already checked listeners via lsof.  Very few local accounts
on the system so we don't have crons and .forwards
to worry about.  I've checked anyway.

If you know it occurs after hours,
> maybe setup the postfix to die at a certain time for maybe an hour.
> Watch ps and netstat to see if anything pops up when the service goes
> online.
>
> setup a loop to capture the ps list and save it using a timestamp.
> compress it to if you might see a space issue.
> Does it occur during certain hours or all night long.
>

This might work, although I suspect he is quick to remove
whatever is being used.   I've never seen a spam process
immediately die at the source the second I kill their
messages in the smtp queue on the mail relay.

I don't want to allow him to send spam just to be able to
catch him.  However, knowing the test addresses he uses,
perhaps I should jury-rig postfix to only deliver there
and discard everything else outside our domain.

Look for any at jobs as well.
> Sounds like it might be a job that keeps calling itself.
>
>
> The 4 emails that you noticed, do they contain a payload of any kind.
> Check the full header of the email, there may be something embedded in
> the headings.
> Postfix may see this as a broken X Mail path, but the script may think
> otherwise.
> Were these mails routed to any trash or garbage collection?
>

One more test message arrived today.  The first one to
arrive during business hours.  Here is the postcat, the same
as the others, targeting a Brazilian population:

*** ENVELOPE RECORDS 3BDBB6EED5 ***
message_arrival_time: Thu Apr 16 13:46:34 2009
named_attribute: rewrite_context=local
sender_fullname: Apache
sender: apache
*** MESSAGE CONTENTS 3BDBB6EED5 ***
To: mageller at terra.com.br
Subject: Aviso URGENTE.
MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
From: Departamento da Consultoria. <departamento at juridico.com.br>


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Documento sem título</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body>
<p><font color="#000000" size="3" face="Verdana, Arial, Helvetica,
sans-serif"><a href="
http://www.eggisa.com/photos/vignettes/cheque.php?devolvido">Fatura do
  Cheque
  (52kb)</a></font>
</p>
<p align="justify"><font color="#000099" face="Georgia, Times New Roman,
Times, serif"><em><font color="#000000">Comunicamos
        que consta em nosso banco de dados uma pendência
financeira em seu CPF / CNPJ, das quais não foram
quitadas.</font></em></font></p>
<p><font face="Georgia, Times New Roman, Times, serif"><em>Pedimos a vossa
atenção a este comunicado, pois, medidas legais
  serão adotadas, tais como a inclusão no Sistema de
Proteção
  ao Crédito (SPC) e Serasa.<br>
  Para sua segurança e praticidade e necessário baixar o
arquivo
do relatório de pendências.</em></font></p>
<p><em><font face="Georgia, Times New Roman, Times, serif">Agradecemos a sua
      atenção.</font></em><font face="Georgia, Times New
Roman, Times, serif"><em><br>
</em></font></p>
<p></p>
</body>
</html>

*** HEADER EXTRACTED 3BDBB6EED5 ***
recipient: mageller at terra.com.br
*** MESSAGE FILE END 3BDBB6EED5 ***

I'm searching for a term in that email on our webroot area.

--Donald
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://nslug.ns.ca/mailman/private/nslug/attachments/20090416/896af453/attachment.html>


More information about the nSLUG mailing list