Subject: Continuing saga of outgoing spam

Posted on: 19/06/08 06:23pm
By: ronack

It happened again, this time I received over 1000 returned emails. I'm going to have to shut down my sites until I can figure out how they're using GL to send out all this spam thru one of my sites.


Re: Continuing saga of outgoing spam

Posted on: 20/06/08 08:01am
By: Dirk

So did you check that those emails really came from your server? It's easy to fake the return address, in which case you would get the bounces even though the emails were sent from somewhere else.

If emails are sent through Geeklog, they will go through COM_mail, where you could add a line to log the subject, recipient, etc. You could also borrow the small piece of code to add an X-Originating-IP header to your emails from 1.5.0 to track the original IP address.

Well, and there are lots of other ways to send spam due to uploaded scripts, exploits in add-ons or other 3rd party software installed on your server ...

bye, Dirk

Re: Continuing saga of outgoing spam

Posted on: 20/06/08 04:58pm
By: ronack

Ok I'd like to put in the code to log the emails. Tell me how to do that. I would love to rule out GL but frankly it's about all I run.

The email header on the returned emails doesn't reveal squat.
PHP Formatted Code

About all I know is that it's someone from Brazil.

None of the logs are revealing very much. I may go ahead and change the email address. That way if they are just putting in my address isdscsiteadmin@blah for reply's then I shouldn't get anymore. But I don't think that's what's going on.

Also this is on a brand new server thank God for backups.

Re: Continuing saga of outgoing spam

Posted on: 22/06/08 10:53pm
By: ronack

Had another 366 returned emails today but I think I may have tracked it down. I'll know in a week since they seem to only do it on Sundays. I changed the email on the site just to see what happens.. I know which site and I know where their from. And the problem may be in a Plugin vs the core GL.

Geeklog - Forum