Spam Email


DRJ
08-03-2013, 06:06 PM
Hi

I am getting a lot of spam sent through my server and I am trying to find the source. If I disable email from the admin CP they stop, so I am assuming it is going through the vbulletin email script somehow.

I have fresh vbulletin 4.2 files uploaded and they continue.

Is there a way to add something to the php file that sends the mail to get the referring page so I can see how it is getting through?

I have also tried to log emails and can't get it to work. I created a folder in forum/Test and made it 777 and even added a file emails_file.log and made it 777.

In the admin CP I put:

/home/vbaexpress/forum/Test/email_file.log

For error handling and logging but nothing is actually logged.

I have tried different paths but can't seem to get it to work. Nothing is ever logged.

Any help would be appreciated.

kh99
08-03-2013, 06:09 PM
Someone recently posted about a similar problem and it turned out to be a problem with an add-on. I can't remember which one exactly - something with Gallery in the name, I think?

DRJ
08-03-2013, 06:11 PM
I don't see any products or plugins with gallery in the name.

kh99
08-03-2013, 06:18 PM
I found the thread I was thinking of, it was vbgallery, but it sounds like you don't have that. Have you tried disabling "Allow Users to Email Other Members" under email options in the admincp (is the spam going out to members or to arbitrary addresses)?

To answer one of your questions, in the file includes/functions.php there's the vbmail() function. You could probably edit that file and put in code to log the referer to a file.

If you have access to your web server logs you may be able to look there and figure out what's happening.

DRJ
08-03-2013, 06:23 PM
I disabled the usergroup permission to email users and there were a couple more which didn't stop it. If I set the global setting to disable emails then they stop but that would also stop registration emails and such.

I tried disabling all plugins just to see and it didn't change anything.

kh99
08-03-2013, 06:35 PM
Do you have "use mailqueue system" set to "yes"? If so, some of the options might not stop the mail right away because you might have a lot queued. When you go to the main admincp page with the stats, do you have anything listed for "Number of Queued E-Mails"?

DRJ
08-03-2013, 06:39 PM
It is set to yes and if I log in to my server there are queued emails. If I set this to no it wouldn't stop the emails though would it? Just stop them from queuing?

kh99
08-03-2013, 06:45 PM
I meant that if for example the "Allow Users to Email Other Members" was what was causing the spam, then setting it to no won't stop the queued mail from going out (maybe that's what you were saying).

If you have a large queue you may want to increase "Number of Emails to Send Per Batch" at least until it's gone. You could also delete the queue by truncating the mail queue database table, but of course you'd lose any legitimate emails as well.

kh99
08-03-2013, 06:47 PM
Do you have an example of one of the emails? You should be able to tell from the format if it's coming from users emailing each other, or if someone's managed to hack things to send out arbitrary emails.

DRJ
08-03-2013, 06:51 PM
Here is the header:

Date: Sat, 03 Aug 2013 14:50:28 -0500
From: "Logistics Services" <no_reply@pubinposte.com>
To: pircolator@aol.com
Subject: Order Information
Content-Type: multipart/alternative;boundary="----------137555942851FD5F0411218"
Message-Id: <E1V5hqO-0007Bd-85@server.vbaexpress.com>
Mime-Version: 1.0
Received: from vbaexpr1 by server.vbaexpress.com with local (Exim 4.80.1)
    (envelope-from <vbaexpr1@server.vbaexpress.com>)
    id 1V5hqO-0007Bd-85
    for pircolator@aol.com; Sat, 03 Aug 2013 14:50:28 -0500
Return-Path: vbaexpr1@server.vbaexpress.com
Sender: vbaexpr1@server.vbaexpress.com
X-Mailer: FastMailer/Webmail(versionSM/1.2.6)
X-PHP-Script: vbaexpress.com/ for 127.0.0.1

And here is the body:

------------137555942851FD5F0411218
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit




If the links are not working, please move message to "Inbox" folder.





DHL






DHL Notification

Your parcel has arrived on July 29th. Courier was unable to deliver
the parcel to you.

To get additional info about this shipment use any of these options:


1) Click the following URL in your browser:

Get Shipment Info



2) Enter the shipment number on tracking page:

Tracking Page




For further assistance, please call DHL Customer Service.
For International Customer Service, please use official DHL site.


Disclaimer:
This message was created by DHL System.
No authentication of email address has been performed.




Deutsche Post DHL

2013 DHL International GmbH. All rights reserved.





------------137555942851FD5F0411218
Content-Type: text/html; charset="ISO-8859-1";
Content-Transfer-Encoding: 7bit

<html>
<body>
<font style="margin-left: 7px;">
If the links are not working, please move message to "Inbox" folder.
</font>
<br>
<div style="background-color:#FFCC00;width:410px;height:50px;">
<font style="background-color:#FFCC00;font-family: Arial Black, Gadget, sans-serif; font-weight:bold;">
<font style="color:#D60915; font-size: 35px; margin-left: 310px; font-style:italic">
DHL
</font>
</font>
</div>
<div style="background-color:#D60915;width:410px;height:25px;"></div>
<div style="position: relative;left: 20px; font-family:Arial,serif;font-size:13">
<br>
<b>DHL Notification</b><br>
<br>
Your parcel has arrived on July 29th. Courier was unable to deliver<br>
the parcel to you.<br>
<br>
To get additional info about this shipment use any of these options:<br>
<br>
<div style="position: relative;left: 20px;">
1) Click the following URL in your browser:<br><br>
<font style="margin-left:90px;font-weight:bold;">
<a href="http://theater.alexejw.net/modules/main.php?info=n4EhQbIc9RDRjREj+ZLuJA==">Get Shipment Info</a><br>
</font>
<br>
<br>
2) Enter the shipment number on tracking page:<br><br>
<font style="margin-left:90px;font-weight:bold;">
<a href="http://theater.alexejw.net/modules/main.php?info=n4EhQbIc9RDRjREj+ZLuJA==">Tracking Page</a><br>
</font>
<br>
<br>
</div>
For further assistance, please call DHL Customer Service.<br>
For International Customer Service, please use official DHL site.<br>
<br>
<br>
<b>Disclaimer:</b><br>
This message was created by DHL System.<br>
No authentication of email address has been performed.<br>
<br>
</div>
<div style="background-color:#FFCC00;width:410px;height:26px;">
<font face="Arial" style="font-weight:bold; margin-left: 5px;font-size: 15px;">
Deutsche Post DHL</font>
<font face="Arial" style="font-weight:bold; margin-left:10px; font-size: 10px;">
2013 DHL International GmbH. All rights reserved.
</font>
</div>
</body>
</html>

------------137555942851FD5F0411218--

It is being sent from my server but the From is some other email as seen above. I have changed the passwords to the email accounts and CPanel and they still happen so I was thinking it was somehow using the vbulletin mail routine.

kh99
08-03-2013, 06:58 PM
Yeah, I think that's something other than the "Allow Users to Email Other Members" feature. Do you have any way to look at your server's access logs? If you have a really busy forum it might be hard to find the requests that sent the email, but maybe you'd be able to notice lots of access to the same script in a short time.
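
Added example, not part of any post in this thread: one way to do the access-log check suggested above is to take the Date and X-PHP-Script headers from the spam message (PHP writes X-PHP-Script as "host/path for client-ip" when mail.add_x_header is enabled), list the requests for that script from that client in the seconds before the message was queued, and count POST bursts per script. The log lines are constructed sample data and Combined Log Format is an assumption.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime

# Combined Log Format prefix: ip ident user [time] "METHOD path ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)')

# Constructed sample lines, not taken from the thread.
SAMPLE_LOG = [
    '198.51.100.7 - - [03/Aug/2013:14:50:01 -0500] "GET /forum/showthread.php?t=1 HTTP/1.1" 200 5120',
    '127.0.0.1 - - [03/Aug/2013:14:50:26 -0500] "POST / HTTP/1.1" 200 31',
    '127.0.0.1 - - [03/Aug/2013:14:50:27 -0500] "POST / HTTP/1.1" 200 31',
    '127.0.0.1 - - [03/Aug/2013:14:50:28 -0500] "POST / HTTP/1.1" 200 31',
    '198.51.100.9 - - [03/Aug/2013:14:51:40 -0500] "GET / HTTP/1.1" 200 9000',
]

def parse_log(lines):
    """Return [(time, ip, method, path_without_query)], skipping unparsable lines."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            out.append((ts, m.group(1), m.group(3), m.group(4).split("?", 1)[0]))
    return out

def parse_php_script_header(value):
    """Split an X-PHP-Script value 'host/path for client-ip' into (path, ip)."""
    script, _, ip = value.partition(" for ")
    return "/" + script.partition("/")[2], ip.strip()

def requests_near(entries, sent_at, path, ip, window=5):
    """Requests for path from ip in the `window` seconds before the mail was queued."""
    lo = sent_at - timedelta(seconds=window)
    return [e for e in entries if e[1] == ip and e[3] == path and lo <= e[0] <= sent_at]

def post_bursts(entries, threshold=3):
    """Count POSTs per (ip, path, minute); keep buckets at or above threshold."""
    buckets = Counter((ip, path, ts.replace(second=0))
                      for ts, ip, method, path in entries if method == "POST")
    return {k: n for k, n in buckets.items() if n >= threshold}

def correlate(date_header, php_script_header, log_lines):
    """Tie one message's headers to the log: (matching requests, POST bursts)."""
    entries = parse_log(log_lines)
    path, ip = parse_php_script_header(php_script_header)
    sent_at = parsedate_to_datetime(date_header)
    return requests_near(entries, sent_at, path, ip), post_bursts(entries)
```

Call correlate() with the two header values from a captured message and the lines of the access log for the same virtual host; requests from 127.0.0.1 may be recorded in a different log than public traffic, so check every log the web server writes.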

DRJ
08-03-2013, 07:29 PM
I checked the access log and didn't see anything out of the ordinary, mostly showthread and standard pages like this.