
Date:  Mon, 29 Jun 2009 16:44:43 -0800
From:  Jim Dory <jdory (at mark) nomealaska.org>
Subject:  [coba-e:15761] Re: spam problem w/ email - hope not serious
To:  coba-e (at mark) bluequartz.org
Message-Id:  <4A495FFB.4020503 (at mark) nomealaska.org>
In-Reply-To:  <786495.50859.qm (at mark) web65601.mail.ac4.yahoo.com>
References:  <786495.50859.qm (at mark) web65601.mail.ac4.yahoo.com>
X-Mail-Count: 15761

Dan Kriwitsky wrote:
>   
>> Here's a line from maillog:
>> Jun 29 14:46:49 srv1 sendmail[8065]: n5TMkm4e008065:
>> Authentication-Warning: srv1.nomecity.org: jenns set sender
>> to <jdory (at mark) nomealaska.org>
>> using -f
>>
>>
>>     
>
> grep 14:46:49 /var/log/httpd/access_log
> If that doesn't show a bad CGI or PHP just knock off the 9 in 49 and scan through that for a script.
>
> Bad news: 66.58.160.105 is already listed in a few DNSBL.
>
>   
I don't have SPF enabled due to not having control over my DNS - using 
our domain registrar's. Hence we are getting spammers spoofing our email 
to some degree - I would love to solve that problem.

I got nothing on the grep command. If I dropped the whole 49 I only get 
this:

[root@srv1 jenns]# grep 14:46: /var/log/httpd/access_log
www.nomealaska.org 74.6.17.180 - - [29/Jun/2009:14:46:05 -0800] "GET /port/History/?C=N;O=D HTTP/1.0" 200 1751 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)"
www.nomealaska.org 69.234.67.71 - - [29/Jun/2009:14:46:06 -0800] "GET /vc/image/nome4-leslie.jpg HTTP/1.1" 200 33801 "http://www.nomealaska.org/vc/gallerynome.htm" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; FunWebProducts; GTB6; .NET CLR 1.1.4322; SpamBlockerUtility 10.2.203.0)"
www.nomealaska.org 69.234.67.71 - - [29/Jun/2009:14:46:50 -0800] "GET /vc/image/nome2.jpg HTTP/1.1" 200 22636 "http://www.nomealaska.org/vc/gallerynome.htm" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; FunWebProducts; GTB6; .NET CLR 1.1.4322; SpamBlockerUtility 10.2.203.0)"

Which look like regular website get requests.

I just looked in the error_log file and someone is poking around trying 
to find that user jenns (whose username I had changed to help a 
little with security):

[Mon Jun 29 16:42:01 2009] [error] [client 208.223.75.171] File does not exist: /home/.sites/106/site3/users/jenns
[Mon Jun 29 16:42:21 2009] [error] [client 208.223.75.171] File does not exist: /home/.sites/106/site3/web/jenns


-- 
Jim Dory
Engineering
City of Nome
PO Box 281
102 Division St.
Nome, AK 99762
907.443.6604

http://www.nomealaska.org


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
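The check Dan suggests (take the timestamp from the sendmail "set sender ... using -f" warning and look for a CGI or PHP hit in access_log at the same moment) is easy to get wrong by eye when the clock is off by a second or two, and the error_log probing Jim noticed is worth grouping by client as well. The script below does both over constructed sample lines; it is an added example, not code from the thread or from BlueQuartz. The hostnames, the 192.0.2.x/203.0.113.x/198.51.100.x client addresses and the /forms/mail.php path are made up for illustration; the log formats match what the message shows (sendmail syslog line without a year, Apache combined log with a leading vhost, and Apache 1.3/2.x "File does not exist" errors).

```python
"""Correlate a sendmail '-f' Authentication-Warning with nearby web requests,
and spot clients probing error_log for a user name.

Added example for the thread above; the log lines below are constructed
(RFC 5737 test addresses, example.org hostnames), not taken from the server.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: the -f warning plus three web hits around that second.
MAILLOG = [
    "Jun 29 14:46:49 srv1 sendmail[8065]: n5TMkm4e008065: Authentication-Warning: "
    "srv1.example.org: jenns set sender to <jdory@example.org> using -f",
]
ACCESS_LOG = [
    'www.example.org 192.0.2.10 - - [29/Jun/2009:14:46:05 -0800] "GET /port/History/?C=N;O=D HTTP/1.0" 200 1751 "-" "Slurp/3.0"',
    'www.example.org 203.0.113.7 - - [29/Jun/2009:14:46:48 -0800] "POST /forms/mail.php HTTP/1.1" 200 412 "-" "Mozilla/4.0"',
    'www.example.org 198.51.100.5 - - [29/Jun/2009:14:46:50 -0800] "GET /vc/image/nome2.jpg HTTP/1.1" 200 22636 "http://www.example.org/vc/gallerynome.htm" "Mozilla/4.0"',
]
# Constructed sample: one client trying the same leaf name under two directories.
ERROR_LOG = [
    "[Mon Jun 29 16:42:01 2009] [error] [client 203.0.113.7] File does not exist: /home/.sites/106/site3/users/jenns",
    "[Mon Jun 29 16:42:21 2009] [error] [client 203.0.113.7] File does not exist: /home/.sites/106/site3/web/jenns",
]

WARN_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sendmail\[\d+\]: (\w+): "
    r"Authentication-Warning: \S+: (\S+) set sender to <([^>]+)> using -f")
# Optional leading vhost, then client ip, ident, user, [time], "METHOD PATH PROTO", status.
ACCESS_RE = re.compile(
    r'^(?:\S+ )?(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
NOEXIST_RE = re.compile(r"\[client ([\d.]+)\] File does not exist: (\S+)$")
# Paths that can execute server-side code; static GETs of images are not interesting here.
SCRIPT_RE = re.compile(r"\.(php|cgi|pl|py)(\?|$)|/cgi-bin/", re.I)


def parse_warnings(lines, year):
    """Yield (local time, queue id, web user, forged sender) for each -f warning.
    syslog omits the year, so the caller supplies it."""
    for line in lines:
        m = WARN_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year)
            yield ts, m.group(2), m.group(3), m.group(4)


def parse_access(lines):
    """Yield (local time, client ip, method, path, status) per access_log line."""
    for line in lines:
        m = ACCESS_RE.match(line)
        if m:
            ip, when, method, path, status = m.groups()
            # Apache logs local wall-clock time plus an offset; syslog logs bare
            # local time, so drop the offset and compare wall-clock to wall-clock.
            ts = datetime.strptime(when, "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
            yield ts, ip, method, path, int(status)


def correlate(maillog, access_log, year, window=timedelta(seconds=10)):
    """For each -f warning, list web requests within `window` of it.
    A POST, or any request to a script path, is flagged suspect=True."""
    hits = list(parse_access(access_log))
    results = []
    for ts, qid, user, sender in parse_warnings(maillog, year):
        nearby = [
            {"ip": ip, "method": meth, "path": path, "status": st,
             "suspect": meth == "POST" or bool(SCRIPT_RE.search(path))}
            for t, ip, meth, path, st in hits if abs(t - ts) <= window
        ]
        results.append({"queue_id": qid, "web_user": user,
                        "sender": sender, "requests": nearby})
    return results


def probing_clients(error_log):
    """Group 'File does not exist' errors by client ip; a client that asks for
    the same leaf name under several directories is probing for that name."""
    by_ip = {}
    for line in error_log:
        m = NOEXIST_RE.search(line)
        if m:
            by_ip.setdefault(m.group(1), []).append(m.group(2))
    return {ip: {"paths": paths, "probed_name": paths[0].rsplit("/", 1)[-1]}
            for ip, paths in by_ip.items()
            if len(paths) > 1 and len({p.rsplit("/", 1)[-1] for p in paths}) == 1}


if __name__ == "__main__":
    for r in correlate(MAILLOG, ACCESS_LOG, 2009):
        print(r["queue_id"], r["web_user"], "->", r["sender"])
        for req in r["requests"]:
            tag = "SUSPECT" if req["suspect"] else "static "
            print("  ", tag, req["method"], req["path"], req["ip"])
    print(probing_clients(ERROR_LOG))
```

On real logs, replace the three lists with `open(...).read().splitlines()` and pass the current year; widen `window` if the box queues mail before sendmail logs it. The web user in the warning (here `jenns`) tells you which site's scripts to look at, and a suspect hit from the same client that later probes error_log for that user name is the strongest lead.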