PHP "nobody" Spammers

PHP and Apache has a history of not being able to track which users are sending out mail through the PHP mail function from the nobody user causing leaks in formmail scripts and malicious users to spam from your server without you knowing who or where.

Watching your exim_mainlog doesn't exactly help, you see th email going out but you can't track from which user or script is sending it. This is a quick and dirty way to get around the nobody spam problem on your Linux server.

If you check out your PHP.ini file you'll notice that your mail program is set to: /usr/sbin/sendmail and 99.99% of PHP scripts will just use the built in mail(); function for PHP - so everything will go through /usr/sbin/sendmail

Requirements:
We assume you're using Apache 1.3x, PHP 4.3x and Exim. This may work on other systems but we're only tested it on a Cpanel/WHM Red Hat Enterprise system.

Time:
10 Minutes, Root access required.

Step 1)
Login to your server and su - to root.

Step 2)
Turn off exim while we do this so it doesn't freak out.
/etc/init.d/exim stop

Step 3)
Backup your original /usr/sbin/sendmail file. On systems using Exim MTA, the sendmail file is just basically a pointer to Exim itself.
mv /usr/sbin/sendmail /usr/sbin/sendmail.hidden

Step 4)
Create the spam monitoring script for the new sendmail.
pico /usr/sbin/sendmail

Paste in the following:


#!/usr/local/bin/perl

# use strict;
use Env;
my $date = `date`;
chomp $date;
open (INFO, ">>/var/log/spam_log") || die "Failed to open file ::$!";
my $uid = $>;
my @info = getpwuid($uid);
if($REMOTE_ADDR) {
print INFO "$date - $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME n";
}
else {

print INFO "$date - $PWD - @infon";

}
my $mailprog = '/usr/sbin/sendmail.hidden';
foreach (@ARGV) {
$arg="$arg" . " $_";
}

open (MAIL,"|$mailprog $arg") || die "cannot open $mailprog: $!n";
while ( ) {
print MAIL;
}
close (INFO);
close (MAIL);


Step 5)
Change the new sendmail permissions
chmod +x /usr/sbin/sendmail

Step 6)
Create a new log file to keep a history of all mail going out of the server using web scripts
touch /var/log/spam_log

chmod 0777 /var/log/spam_log

Step 7)
Start Exim up again.
/etc/init.d/exim start

Step Cool
Monitor your spam_log file for spam, try using any formmail or script that uses a mail function - a message board, a contact script.
tail - f /var/log/spam_log

Sample Log Output

Mon Apr 11 07:12:21 EDT 2005 - /home/username/public_html/directory/subdirectory - nobody x 99 99 Nobody / /sbin/nologin

Log Rotation Details
Your spam_log file isn't set to be rotated so it might get to be very large quickly. Keep an eye on it and consider adding it to your logrotation.

pico /etc/logrotate.conf

FIND:
# no packages own wtmp -- we'll rotate them here
/var/log/wtmp {
monthly
create 0664 root utmp
rotate 1
}

ADD BELOW:

# SPAM LOG rotation
/var/log/spam_log {
monthly
create 0777 root root
rotate 1
}

Notes:
You may also want to chattr + i /usr/sbin/sendmail so it doesn't get overwritten. Enjoy knowing you can see nobody is actually somebody

Prevent Spam For CPanel Servers (Using Antivirus.exim)

Preventing Spam with Antivirus.exim

Cpanel servers have a nice little file called antivirus.exim. Most of you probably have never of this magic little gem. It's a central filter for the exim mail server that lets you setup all kinds of wonderful filters to help stop spam from coming in and going out of your server.

I'm going to share my /etc/antivirus.exim config file with you guys because I hate spam and you do as well. This will help protect you and therefore protect me as well because your server might be spamming mine one day.

First off the default /etc/antivirus.exim has a couple different rule sets in it. The main ones are attachment filters to help stop email viruses from your users. They stop things like .src and .com and .exe attachments.

This shows you some custom rules to stop spammers from sending out of your server, you can also use it to stop spam from coming in. I don?t really go into a lot of detail for filtering incoming mail since other applications like Spam Assassin handle that better IMO.

You need root access to your Cpanel server as usual.

First off we need to create a special log file for these filters do this:

touch /var/log/filter.log
chmod 0644 /var/log/filter.log

Now open up the configuration file
vi /etc/antivirus.exim

It should have a whole whack of comments at the top.

Here?s the webhostgear.com antivirus.exim configuration. Simple add this to your existing file, save the changes and they take effect instantly. ########################################################

# START
# Filters all incoming an outgoing mail

logfile /var/log/filter.log 0644
## Common Spam
if

# Header Spam
$header_subject: contains "Pharmaceutical" or $header_subject: contains "Viagra"
or $header_subject: contains "Cialis"
or $header_subject: is "The Ultimate Online Pharmaceutical" or $header_subject: contains "***SPAM***" or $header_subject: contains "[SPAM]"

# Body Spam
or $message_body: contains "Cialis"
or $message_body: contains "Viagra"
or $message_body: contains "Leavitra"
or $message_body: contains "St0ck"
or $message_body: contains "Viaagrra"
or $message_body: contains "Cia1iis"
or $message_body: contains "URGENT BUSINESS PROPOSAL" or $message_body matches "angka[^s]+[net|com|org|biz|info|us|name]+?" or $message_body matches "v(i|1)agra|vag(i|1)n(a|4)|pen( i|1)s|asu|seks|l(o|0)l(i|1)ta|dewacolok"

then
# Log Message - SENDS RESPONSE BACK TO SENDER # SUGGESTED TO LEAVE OFF to prevent fail loops # and more work for the mail system
#fail text "Message has been rejected because it hasn # triggered our central filter." logwrite "$tod_log $message_id from $sender_address contained spam keywords"

seen finish
endif

# END
# Filters all incoming an outgoing mail

# START
# All outgoing mail on the server only - what is sent out

#Check forwarders so it doesn't get blocked #Forwarders still work =)

## FINANCIAL FAKE SENDERS
## Log all outgoing mail from server that matches rules logfile /var/log/filter.log 0644

if (
$received_protocol is "local" or
$received_protocol is "esmtpa"
) and (
$header_from contains "@citibank.com" or
$header_from contains "@bankofamerica.com" or
$header_from contains "@wamu.com" or
$header_from contains "@ebay.com" or
$header_from contains "@chase.com" or
$header_from contains "@paypal.com" or
$header_from contains "@wellsfargo.com" or
$header_from contains "@bankunited.com" or
$header_from contains "@bankerstrust.com" or
$header_from contains "@bankfirst.com" or
$header_from contains "@capitalone.com" or
$header_from contains "@citizensbank.com" or
$header_from contains "@jpmorgan.com" or
$header_from contains "@wachovia.com" or
$header_from contains "@bankone.com" or
$header_from contains "@suntrust.com" or
$header_from contains "@amazon.com" or
$header_from contains "@banksecurity.com" or
$header_from contains "@visa.com" or
$header_from contains "@mastercard.com" or
$header_from contains "@mbna.com"

)
then

logwrite "$tod_log $message_id from $sender_address is fraud"
seen finish

endif

## OTHER FAKE SENDERS SPAM
## Enable this to prevent users using @domain from addresses ## Not recommended since users do use from addresses not on the server ## Log all outgoing mail from server that matches rules logfile /var/log/filter.log 0644

#if (
# $received_protocol is "local" or
# $received_protocol is "esmtpa"
# ) and (
# $header_from contains "@hotmail.com" or
# $header_from contains "@yahoo.com" or
# $header_from contains "@aol.com"

#)
# then

# logwrite "$tod_log $message_id from $sender_address is forged fake"
# seen finish

# endif

## KNOWN FAKE PHISHING
### Log all outgoing mail from server that matches rules logfile /var/log/filter.log 0644

if (
$received_protocol is "local" or
$received_protocol is "esmtpa"
) and (
#Paypal
$message_body: contains "Dear valued PayPal member" or
$message_body: contains "Dear valued PayPal customer" or
$message_body: contains "Dear Paypal" or
$message_body: contains "The PayPal Team" or
$message_body: contains "Dear Paypal Customer" or
$message_body: contains "Paypal Account Review Department" or

#Ebay

$message_body: contains "Dear eBay member" or
$message_body: contains "Dear eBay User" or
$message_body: contains "The eBay team" or
$message_body: contains "Dear eBay Community Member" or

#Banks

$message_body: contains "Dear Charter One Customer" or
$message_body: contains "Dear wamu.com customer" or
$message_body: contains "Dear valued Citizens Bank member" or
$message_body: contains "Dear Visa" or
$message_body: contains "Dear Citibank" or
$message_body: contains "Citibank Email" or
$message_body: contains "Dear customer of Chase Bank" or
$message_body: contains "Dear Bank of America customer" or

#ISPs

$message_body: contains "Dear AOL Member" or
$message_body: contains "Dear AOL Customer"

)
then
logwrite "$tod_log $message_id from $sender_address is phishing"
seen finish

endif

# END
# All outgoing mail on the server only - what is sent out

The log file will have the logging format like this: /var/log/filter.log

2006-05-10 12:05:13 1Fds7S-0002Sa-MV from smooth595@gmail.com contained spam keywords 2006-05-10 14:18:47 1FduCn-0006GV-1r from dayton.nowellu7xn@gmail.com contained spam keywords 2006-04-27 15:44:35 1FZDLn-0005Mo-5z from nobody@ocean.wavepointmedia.com is fraud 2006-04-27 16:37:40 1FZEB9-0002KQ-VP from nobody@ocean.wavepointmedia.com is phishing

Date and time, the Exim message ID, the sender and the section of the filter, like phishing, fraud or spam. You can check the mail message by grepping the exim_mainlog for it like this

grep 1FZEB9-0002KQ-VP /var/log/exim_mainlog