ARG - more spamming!

Purdy on 2003-05-15T12:44:27

Ok, I came in this morning and same thing as last time, though I was getting bouncebacks from 3am to 6:21am and at this point, it looks like the damage has already been done. No formail.pl script running. I dove through the httpd access log and no formail.pl mention and no POST'ing from 2:45am to 3:20am (the first bounceback I got was from 3:01), so I'm not sure the vulnerability is coming through the web server.

So now I ask for help - what is going on? Here's one of the bouncebacks I receive in my inbox:

The original message was received at Thu, 15 May 2003 03:01:31 -0400
from localhost [127.0.0.1]

----- The following addresses had permanent fatal errors -----

----- Transcript of session follows -----
553 nomail.dnsix.com. config error: mail loops back to me (MX problem?)
554 ... Local configuration error

Reporting-MTA: dns; www.journalistic.com
Arrival-Date: Thu, 15 May 2003 03:01:31 -0400

Final-Recipient: RFC822; sales@pricewater.com
Action: failed
Status: 5.5.0
Remote-MTA: DNS; nomail.dnsix.com
Last-Attempt-Date: Thu, 15 May 2003 03:01:39 -0400

And then here are the associated lines in the maillog:
May 15 03:01:31 www sendmail[12549]: DAA12549: from=, size=3125, class=0, pri=33125, nrcpts=1, msgid=<367535629127.PgcHp79o76239Y@websalesjet.net>, proto=ESMTP, relay=localhost [127.0.0.1]
May 15 03:01:31 www sendmail[12549]: DAA12549: to=, delay=00:00:00, mailer=esmtp, stat=queued
May 15 03:01:39 www sendmail[12732]: DAA12549: SYSERR(root): nomail.dnsix.com. config error: mail loops back to me (MX problem?)
May 15 03:01:39 www sendmail[12732]: DAA12549: to=, delay=00:00:08, xdelay=00:00:00, mailer=esmtp, relay=nomail.dnsix.com. [127.0.0.1], stat=Local configuration error
May 15 03:01:39 www sendmail[12749]: NOQUEUE: Null connection from localhost [127.0.0.1]
May 15 03:01:39 www sendmail[12732]: DAA12549: DAA12732: DSN: Local configuration error

And then lastly, here's the header from the spam:
Return-Path:
Received: from localhost (localhost [127.0.0.1])
    by www.journalistic.com (8.9.3p2/8.9.3) with ESMTP id DAA12549
    for ; Thu, 15 May 2003 03:01:31 -0400
Received: from mail.com ([192.123.43.234])
    by localhost (8.11.6/8.11.6) with ESMTP id PgcHp79o76239Y
    for ; Thu May 15 03:01:31 EDT 2003
Message-ID: <367535629127.PgcHp79o76239Y@websalesjet.net>
From: "WebSalesJet"
To: sales@pricewater.com
Subject: Flash animation and logo design
Date: Thu May 15 03:01:31 EDT 2003
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0008_01C30A94.7949E7B0"
X-MailScanner: Found to be clean

Thanks in advance!

Purdy

Update: Looks like I may be looking at a rogue CGI program ... lovely.
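The clue in the maillog above is the envelope line's `relay=localhost [127.0.0.1]`: sendmail accepted the spam over SMTP from the loopback address, so whatever submitted it was running on the box itself, not a remote MTA. The following script, an added example and not code from the post, groups sendmail maillog lines by queue ID and picks out exactly those locally injected messages so they can be lined up against the web server logs; the sample log lines are constructed after the post's, with placeholder sender and recipient addresses.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the maillog in the post; the sender and
# recipient addresses are placeholders, not values from the original log.
MAILLOG = """\
May 15 03:01:31 www sendmail[12549]: DAA12549: from=<sender@example.invalid>, size=3125, class=0, pri=33125, nrcpts=1, msgid=<367535629127.PgcHp79o76239Y@websalesjet.net>, proto=ESMTP, relay=localhost [127.0.0.1]
May 15 03:01:31 www sendmail[12549]: DAA12549: to=<sales@example.invalid>, delay=00:00:00, mailer=esmtp, stat=queued
May 15 03:01:39 www sendmail[12732]: DAA12549: to=<sales@example.invalid>, delay=00:00:08, xdelay=00:00:00, mailer=esmtp, relay=nomail.dnsix.com. [127.0.0.1], stat=Local configuration error
May 15 03:02:10 www sendmail[12600]: DAA12600: from=<partner@example.invalid>, size=800, class=0, pri=30800, nrcpts=1, msgid=<abc123@example.invalid>, proto=ESMTP, relay=mail.example.invalid [198.51.100.7]
May 15 03:02:11 www sendmail[12600]: DAA12600: to=<me@example.invalid>, delay=00:00:01, mailer=local, stat=Sent
"""

# Envelope ("from=") line: its relay= field is the host that handed the message to sendmail.
FROM_RE = re.compile(
    r'^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (\w+): from=<?([^>,]*)>?,'
    r'.*?msgid=<([^>]*)>.*?relay=(\S+) \[([\d.]+)\]')
# Delivery-attempt ("to=") line: one per recipient attempt, carrying the outcome in stat=.
TO_RE = re.compile(r' sendmail\[\d+\]: (\w+): to=<?([^>,]*)>?,.*?stat=(.*)$')

LOOPBACK = "127.0.0.1"

def parse_maillog(text):
    """Group sendmail log lines by queue ID, keeping the envelope and each delivery attempt."""
    msgs = defaultdict(lambda: {"attempts": []})
    for line in text.splitlines():
        m = FROM_RE.search(line)
        if m:
            ts, qid, sender, msgid, relay_host, relay_ip = m.groups()
            msgs[qid].update(time=ts, sender=sender, msgid=msgid,
                             relay_host=relay_host, relay_ip=relay_ip)
            continue
        m = TO_RE.search(line)
        if m:
            qid, rcpt, stat = m.groups()
            msgs[qid]["attempts"].append((rcpt, stat))
    return dict(msgs)

def local_injections(msgs):
    """Queue IDs whose envelope arrived over SMTP from the loopback address.

    Such mail was submitted by a process on this host (a CGI, a script, a cron
    job), not by a remote MTA, so these are the entries worth correlating, by
    timestamp, with the web server's access log."""
    return sorted(q for q, m in msgs.items() if m.get("relay_ip") == LOOPBACK)

def msgid_domains(msgs, qids):
    """Message-ID domains of the flagged messages; a domain that is not ours is a red flag."""
    return sorted({msgs[q]["msgid"].split("@")[-1] for q in qids})
```

Run against the real /var/log/maillog, the timestamps returned for the flagged queue IDs are the minutes to search for in the httpd access log.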