NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

All the Perl that's Practical to Extract and Report


Purdy (2383)
  jasonNO@SPAMpurdy.info
http://purdy.info/
AOL IM: EmeraldWarp
Yahoo! ID: jpurdy2

Bleh - not feeling creative right now. You can check me out on PerlMonks [perlmonks.org].

Journal of Purdy (2383)

Thursday May 15, 2003
07:44 AM

ARG - more spamming!

[ #12214 ]

OK, I came in this morning and it's the same thing as last time, though I was getting bouncebacks from 3am to 6:21am, and at this point it looks like the damage has already been done. No formail.pl script running. I dove through the httpd access log and found no formail.pl mention and no POSTing from 2:45am to 3:20am (the first bounceback I got was from 3:01), so I'm not sure the vulnerability is coming through the web server.

So now I ask for help - what is going on? Here's one of the bouncebacks I receive in my inbox:


The original message was received at Thu, 15 May 2003 03:01:31 -0400
from localhost [127.0.0.1]

      ----- The following addresses had permanent fatal errors -----

      ----- Transcript of session follows -----
553 nomail.dnsix.com. config error: mail loops back to me (MX problem?)
554 ... Local configuration error

Reporting-MTA: dns; www.journalistic.com
Arrival-Date: Thu, 15 May 2003 03:01:31 -0400

Final-Recipient: RFC822; sales@pricewater.com
Action: failed
Status: 5.5.0
Remote-MTA: DNS; nomail.dnsix.com
Last-Attempt-Date: Thu, 15 May 2003 03:01:39 -0400

And then here are the associated lines in the maillog:


May 15 03:01:31 www sendmail[12549]: DAA12549: from=, size=3125, class=0, pri=33125, nrcpts=1, msgid=, proto=ESMTP, relay=localhost [127.0.0.1]
May 15 03:01:31 www sendmail[12549]: DAA12549: to=, delay=00:00:00, mailer=esmtp, stat=queued
May 15 03:01:39 www sendmail[12732]: DAA12549: SYSERR(root): nomail.dnsix.com. config error: mail loops back to me (MX problem?)
May 15 03:01:39 www sendmail[12732]: DAA12549: to=, delay=00:00:08, xdelay=00:00:00, mailer=esmtp, relay=nomail.dnsix.com. [127.0.0.1], stat=Local configuration error
May 15 03:01:39 www sendmail[12749]: NOQUEUE: Null connection from localhost [127.0.0.1]
May 15 03:01:39 www sendmail[12732]: DAA12549: DAA12732: DSN: Local configuration error

And then lastly, here's the header from the spam:


Return-Path:
Received: from localhost (localhost [127.0.0.1])
        by www.journalistic.com (8.9.3p2/8.9.3) with ESMTP id DAA12549
        for ; Thu, 15 May 2003 03:01:31 -0400
Received: from mail.com ([192.123.43.234])
        by localhost (8.11.6/8.11.6) with ESMTP id PgcHp79o76239Y
        for ; Thu May 15 03:01:31 EDT 2003
Message-ID:
From: "WebSalesJet"
To: sales@pricewater.com
Subject: Flash animation and logo design
Date: Thu May 15 03:01:31 EDT 2003
MIME-Version: 1.0
Content-Type: multipart/alternative;
                boundary="----=_NextPart_000_0008_01C30A94.7949E7B0"
X-MailScanner: Found to be clean

Thanks in advance!

Purdy

Update: Looks like I may be looking at a rogue CGI program ... lovely.
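One way to narrow down where mail like this is entering the system is to correlate the maillog by sendmail queue ID and pull out every message whose from= line shows it was injected through the loopback relay (relay=localhost [127.0.0.1], the same thing the spam's first Received: header shows), since that points at a local process such as a CGI rather than an outside relay. This is an added example, not code from the post; the log lines in it are constructed to mirror the quoted ones, with placeholder addresses standing in for the ones stripped from the quoted log.

```perl
#!/usr/bin/perl
# Added example: group sendmail maillog lines by queue ID and report messages
# injected via the loopback relay, together with each recipient's final status.
use strict;
use warnings;

# Constructed maillog excerpt (addresses and the second message are placeholders).
my @maillog = split /\n/, <<'END';
May 15 03:01:31 www sendmail[12549]: DAA12549: from=<nobody@www.journalistic.com>, size=3125, class=0, pri=33125, nrcpts=1, msgid=<constructed-1@localhost>, proto=ESMTP, relay=localhost [127.0.0.1]
May 15 03:01:31 www sendmail[12549]: DAA12549: to=<sales@pricewater.com>, delay=00:00:00, mailer=esmtp, stat=queued
May 15 03:01:39 www sendmail[12732]: DAA12549: to=<sales@pricewater.com>, delay=00:00:08, xdelay=00:00:00, mailer=esmtp, relay=nomail.dnsix.com. [127.0.0.1], stat=Local configuration error
May 15 09:12:05 www sendmail[12990]: JAA12990: from=<purdy@www.journalistic.com>, size=840, class=0, pri=30840, nrcpts=1, msgid=<constructed-2@www.journalistic.com>, proto=ESMTP, relay=desk.example.net [10.1.2.3]
May 15 09:12:06 www sendmail[12990]: JAA12990: to=<friend@example.net>, delay=00:00:01, mailer=esmtp, stat=Sent
END

# Split one sendmail line into (time, queue id, hash of key=value fields).
# Values are either <angle-bracketed> addresses or everything up to the next comma.
sub parse_line {
    my ($line) = @_;
    my ($time, $qid, $rest) =
        $line =~ /^\w{3}\s+\d+\s+(\d\d:\d\d:\d\d)\s+\S+\s+sendmail\[\d+\]:\s+(\w+):\s+(.*)$/
        or return;
    my %f = $rest =~ /(\w+)=(<[^>]*>|[^,]*)(?:,\s*|$)/g;
    return ($time, $qid, \%f);
}

# The from= line carries the relay that handed the message to sendmail;
# each to= line carries one recipient and its delivery status.
sub correlate {
    my @lines = @_;
    my %msg;
    for my $line (@lines) {
        my ($time, $qid, $f) = parse_line($line) or next;
        if (exists $f->{from}) {
            $msg{$qid}{time}  = $time;
            $msg{$qid}{relay} = $f->{relay} || '';
        } elsif (exists $f->{to}) {
            push @{ $msg{$qid}{rcpts} }, "$f->{to} ($f->{stat})";
        }
    }
    return \%msg;
}

my $msg = correlate(@maillog);
for my $qid (sort keys %$msg) {
    next unless $msg->{$qid}{relay} =~ /^localhost\b/;   # injected from 127.0.0.1
    printf "%s %s injected via %s -> %s\n", $msg->{$qid}{time}, $qid,
        $msg->{$qid}{relay}, join('; ', @{ $msg->{$qid}{rcpts} || [] });
}
```

Run against the real maillog, the timestamps of the flagged queue IDs can then be matched against process accounting or the httpd access log for the same minutes to see which local program was handing the mail to sendmail.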
