nhouse

HELO |http://mail.oldartero.com:8888/cgi-bin/put

Hey everyone... I have seen this constantly in my Exim logs for days now. I have Googled it and have seen some references to it possibly being some type of attack. The entries are showing up under "Bad Hosts." I can start including the IPs in my KISS block list, but they are all over the board, mostly from outside the US (I am inside). Have any of you seen this pattern, and if so, can you give me some advice on what it is and the best way to stop it?

Here is a log segment... notice the pattern of IPs coming in twos:
2006-11-09 00:00:29 : IP:85.250.195.116 (EHLO |http://mail.oldartero.com:8888/cgi-bin/put)
2006-11-09 00:00:29 : IP:85.250.195.116 (HELO |http://mail.oldartero.com:8888/cgi-bin/put)
2006-11-09 00:01:03 : IP:59.182.30.64 (EHLO |http://mail.oldartero.com:8888/cgi-bin/put)
2006-11-09 00:01:04 : IP:59.182.30.64 (HELO |http://mail.oldartero.com:8888/cgi-bin/put)
2006-11-09 00:01:49 : IP:221.229.91.44 (EHLO |http://mail.oldartero.com:8889/cgi-bin/put)
2006-11-09 00:01:49 : IP:221.229.91.44 (HELO |http://mail.oldartero.com:8889/cgi-bin/put)
2006-11-09 00:03:18 : IP:203.198.132.135 (EHLO http://mail.oldartero.com:8888/cgi-bin/put)
2006-11-09 00:03:18 : IP:203.198.132.135 (HELO http://mail.oldartero.com:8888/cgi-bin/put)
2006-11-09 00:05:18 : IP:61.12.9.67 (EHLO |http://mail.oldartero.com:8888/cgi-bin/put)
2006-11-09 00:05:18 : IP:61.12.9.67 (HELO |http://mail.oldartero.com:8888/cgi-bin/put)
2006-11-09 00:06:16 : IP:62.231.178.171 (EHLO |http://mail.oldartero.com:8889/cgi-bin/put)
2006-11-09 00:06:16 : IP:62.231.178.171 (HELO |http://mail.oldartero.com:8889/cgi-bin/put)


I appreciate your wisdom.
 
This is a spammer, and we see this spammer trying to send spam on every box we have. This includes servers we have in Europe and Australia. Somebody should contact their ISP and have them shut down.

The other one is the user [email protected]. They are sending out stock spam by the millions. The first part of the from is always debora.
 
It would be nice if they could be shut down... but is there a way to use a rule in Exim or SpamAssassin or something that could block them, using "mail.oldartero.com" to identify them?
 
First add the oldartero.com IP to the iptables denied-IP list,

so no mail will go through their proxy/hacked system;
you will just have some log notices with |.

Hundreds of hacked IPs use it to spam through.
You can mail the FBI.
 
Thanks again... I already added their main IP to my firewall to deny... I suppose the others are either hacked machines or willing participants. I guess I was hoping for some magic fix... ;)
 
pucky said:
This is a spammer, and we see this spammer trying to send spam on every box we have. This includes servers we have in Europe and Australia. Somebody should contact their ISP and have them shut down.

The other one is the user [email protected]. They are sending out stock spam by the millions. The first part of the from is always debora.
So far I have been able to block that spammer by adding this rule in the check_message ACL
Code:
    deny message = spam hocking crap
     regex = We called it yesterday and now it
Of course you could use any part of the email message for the regex.
 
toml said:
So far I have been able to block that spammer by adding this rule in the check_message ACL
Code:
    deny message = spam hocking crap
     regex = We called it yesterday and now it
Of course you could use any part of the email message for the regex.

This is useless, since if you have correct email settings with Exim it's blocked by the | syntax and even by a firewall or iptables rule,

so no mail goes through...
just a log line or 2
 
xemaps said:
This is useless, since if you have correct email settings with Exim it's blocked by the | syntax and even by a firewall or iptables rule,

so no mail goes through...
just a log line or 2

Perhaps you are talking about the specific spammer in nhouse's post; this was specific to the spam in pucky's post. They were two different spams.

The one pucky was speaking about used a grid of hacked computers, so iptables was useless, and it did not contain the | character.
 
I speak about the topic.

Notice that you answered with quoting and used 'that spammer', not 'second spammer'.

Sorry for any mistake.
 
nhouse said:
Thanks again... I already added their main IP to my firewall to deny... I suppose the others are either hacked machines or willing participants. I guess I was hoping for some magic fix... ;)

How did you do that? Their IP changes every time they send spam, so that's impossible. They are not sending spam from their hosted site but rather from spoofed IPs and trojaned boxes. This means you will never be able to stop them via an IP deny, since it's all faked.
 
Yes... you are right about that. I wasn't thinking when I said that. I did blacklist the main domain IP just to make myself feel better :D even though the spoofed ones and infected machines keep changing. I wish it was that easy.
 
Are you using Spamblocker for the domain(s) receiving the spam?

If so, then have you tried putting |http://mail.oldartero.com:8888/cgi-bin/put into bad_sender_hosts? If that doesn't work, let me know and I'll come up with something that does.

Jeff
 
Hey Jeff!
I should simply place that line in this file... right?

/etc/virtual/bad_sender_hosts

I'll let you know what the log looks like after 24 hours. I really appreciate the input.
 
Yes. I'm not sure if bad_sender_hosts cares about the "helo" or not; so you're our tester :) .

Be sure the domains you want to block this for are listed in /etc/virtual/use_rbl_lists.

Jeff
 
Jeff... it appears that something may not be set right (probably me) because it still shows in the logs under "Bad Hosts. Rejected HELO/EHLO: syntactically invalid argument(s):" Now at the risk of showing my lack of understanding (and then seeking it), if SpamBlocker stops it, should it still show up here in the log? I mean, it does say rejected. Just to be clear, here is a more detailed explanation:

1. Logwatch sends me a report showing these types of entries under the Exim log section labeled Bad Hosts and a note immediately under that heading is a statement saying
Rejected HELO/EHLO: syntactically invalid argument(s): and then lots of entries like:
2006-11-13 09:23:14 : IP:87.240.15.29 (EHLO |http://mail.oldartero.com:8888/cgi-bin/put)
2006-11-13 09:23:14 : IP:87.240.15.29 (HELO |http://mail.oldartero.com:8888/cgi-bin/put)
2006-11-13 09:23:32 : IP:80.88.134.180 (EHLO |http://mail.oldartero.com:8889/cgi-bin/put)
2006-11-13 09:23:33 : IP:80.88.134.180 (HELO |http://mail.oldartero.com:8889/cgi-bin/put)
2006-11-13 09:24:58 : IP:61.144.76.148 (EHLO |http://mail.oldartero.com:8889/cgi-bin/put)
2006-11-13 09:25:00 : IP:61.144.76.148 (HELO |http://mail.oldartero.com:8889/cgi-bin/put)
2006-11-13 09:26:15 : IP:59.39.148.31 (EHLO |http://mail.oldartero.com:8889/cgi-bin/put)
2006-11-13 09:26:18 : IP:59.39.148.31 (HELO |http://mail.oldartero.com:8889/cgi-bin/put)
2006-11-13 09:28:28 : IP:82.81.122.31 (EHLO |http://mail.oldartero.com:8888/cgi-bin/put)
2006-11-13 09:28:29 : IP:82.81.122.31 (HELO |http://mail.oldartero.com:8888/cgi-bin/put)


I must say that last night's log looks to have less of these entries.

2. I placed a line in the /etc/virtual/bad_sender_hosts file as suggested which reads |http://mail.oldartero.com:8888/cgi-bin/put

3. I placed all of my domain names, one domain per line, into the /etc/virtual/use_rbl_domains file.

OK... now I hope this isn't a DUH! moment... but should these entries still be in the log, in the sense that they are simply being reported as such? OR... should SpamBlocker stop them before they even hit the gate, so to speak?

I really am trying to learn folks ;)
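As an added illustration (not code from anyone in this thread), the script below parses Logwatch-style "Bad Hosts" entries like the ones quoted above, checks each HELO/EHLO argument against the RFC 5321 syntax (a hostname or a bracketed address literal), and groups the rejected attempts by client IP so the EHLO-then-HELO retry pairs and the shared bogus argument are visible. The sample log lines are constructed here; the 192.0.2.x entries are made-up valid greetings used as a control.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the Logwatch "Bad Hosts" entries quoted above.
SAMPLE_LOG = """\
2006-11-13 09:23:14 : IP:87.240.15.29 (EHLO |http://mail.oldartero.com:8888/cgi-bin/put)
2006-11-13 09:23:14 : IP:87.240.15.29 (HELO |http://mail.oldartero.com:8888/cgi-bin/put)
2006-11-13 09:23:32 : IP:80.88.134.180 (EHLO |http://mail.oldartero.com:8889/cgi-bin/put)
2006-11-13 09:23:33 : IP:80.88.134.180 (HELO |http://mail.oldartero.com:8889/cgi-bin/put)
2006-11-13 09:30:00 : IP:192.0.2.10 (EHLO mail.example.net)
2006-11-13 09:30:05 : IP:192.0.2.11 (HELO [192.0.2.11])
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) : IP:(?P<ip>[\d.]+) \((?P<verb>EHLO|HELO) (?P<arg>.*)\)$")
# RFC 5321: the HELO/EHLO argument is a domain (labels of letters, digits and
# hyphens joined by dots) or an address literal in square brackets. Anything
# else is what Exim reports as a "syntactically invalid argument".
DOMAIN_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")
LITERAL_RE = re.compile(r"^\[(\d{1,3}\.){3}\d{1,3}\]$|^\[IPv6:[0-9A-Fa-f:.]+\]$")

def helo_arg_is_valid(arg: str) -> bool:
    """True if arg is a syntactically valid HELO/EHLO domain or address literal."""
    return bool(DOMAIN_RE.match(arg) or LITERAL_RE.match(arg))

def offending_chars(arg: str) -> list:
    """Characters in arg that can never appear in a hostname (e.g. '|', ':', '/')."""
    return sorted({c for c in arg if not (c.isalnum() or c in ".-")})

def parse_log(text: str):
    """Yield (timestamp, ip, verb, argument) for each line in the Logwatch format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ts"], m["ip"], m["verb"], m["arg"]

def summarize(text: str) -> dict:
    """Map each IP that sent an invalid greeting to (verbs in order, distinct arguments)."""
    per_ip = defaultdict(lambda: {"verbs": [], "args": set()})
    for _ts, ip, verb, arg in parse_log(text):
        if helo_arg_is_valid(arg):
            continue  # legitimate greeting, not part of this pattern
        per_ip[ip]["verbs"].append(verb)
        per_ip[ip]["args"].add(arg)
    return {ip: (v["verbs"], sorted(v["args"])) for ip, v in per_ip.items()}

if __name__ == "__main__":
    for ip, (verbs, args) in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {'+'.join(verbs)} -> {args} bad chars {offending_chars(args[0])}")
```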
 
You don't have to do anything other than block oldartero and false HELOs.

Making any special rule would be stupid, as it will take resources.

At this time it takes nothing other than a line in the log, and the email doesn't go through.
 
Did you get that Rejected line before you added the line to the blocklist?

I'm not sure the blocklist will work this way, but if the bad stuff is being rejected, that's a good thing :) .

Jeff
 
pucky said:
This is a spammer, and we see this spammer trying to send spam on every box we have. This includes servers we have in Europe and Australia. Somebody should contact their ISP and have them shut down.

The other one is the user [email protected]. They are sending out stock spam by the millions. The first part of the from is always debora.

How do I block this debora* spam? I don't know how to write a regex rule. :confused:
 