AOL Redacted@ Hunting

Community support for Plesk, CPanel, WebMin and others with insight from two of the founders of Plesk. Ask for help here! No question is too simple or complicated. :-)
KrazyBob
Forum Regular
Posts: 310
Joined: Mon Mar 19, 2007 3:47 pm

AOL Redacted@ Hunting

Post by KrazyBob »

We are whitelisted at AOL, but a couple of years ago they began redacting the sending and recipient info. They give us very little to go on that we know of.

Given what they give to us, how can we possibly track down the violator? I already have the Sendmail PHP script mod in place.

Return-Path: <anonymous@clss04.controlservers.net>
Received: from mtain-mk05.r1000.mx.aol.com (mtain-mk05.r1000.mx.aol.com [172.29.97.137]) by air-ma09.mail.aol.com (v129.10) with ESMTP id MAILINMA093-b5364dc91b0e35d; Tue, 10 May 2011 07:01:34 -0400
Received: from clss04.controlservers.net (clss04.controlservers.net [65.44.220.61])
by mtain-mk05.r1000.mx.aol.com (Internet Inbound) with ESMTP id C6E0138000094
for <redacted@aol.com>; Tue, 10 May 2011 07:01:32 -0400 (EDT)
Received: (qmail 32637 invoked by uid 48); 10 May 2011 03:41:32 -0700
Date: 10 May 2011 03:41:32 -0700
Message-ID: <20110510104132.32635.qmail@clss04.controlservers.net>
To: redacted@aol.com
Subject: Property Rental
From: Alexis Booch <stvlaine@gmail.com>
Reply-To: stvlaine@gmail.com
MIME-Version: 1.0
Content-Type: text/plain
x-aol-global-disposition: G
x-aol-sid: 3039ac1d61894dc91b0c299b
X-AOL-IP: 65.44.220.61
X-AOL-SPF: domain : clss04.controlservers.net SPF : none
Content-Transfer-Encoding: quoted-printable
X-Mailer: Unknown (No Version)
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: AOL Redacted@ Hunting

Post by scott »

Our PHP 5.2 and above packages support the ini settings:

mail.add_x_header = On
mail.log =

These will log the application to either a file you specify, or embed the following header in the email:

X-PHP-Originating-Script:
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4155
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: AOL Redacted@ Hunting

Post by mikeshinn »

KrazyBob wrote: Received: (qmail 32637 invoked by uid 48); 10 May 2011 03:41:32 -0700

So uid 48 is usually apache, and if that's the case on your system that tells me the message was sent from a web application (which could be anything really: Horde, Joomla, WP, some custom script, etc.). And if you use our PHP rpms you should have a header called:

X-PHP-Originating-Script:

If the web app uses PHP, that will tell you what the script was. If they used something other than PHP then you won't get that header. So if you do have our PHP rpm installed, then you can eliminate PHP apps from that list. I'd look for any domains with anything else like CGIs, etc. and check their access logs at the same time to see what app was used.

If you aren't using our PHP rpms, I recommend you do. :-)
Re: AOL Redacted@ Hunting

Post by KrazyBob (Forum Regular) »

As I stated, we have the sendmail script modification in place so that if it is a PHP script it logs the sender. But we don't have PHP 5.2 yet; it's part of our current upgrade and migrations.

So what you're saying is that with the little info provided by AOL there really isn't a way to track down the sender?
Re: AOL Redacted@ Hunting

Post by scott (Atomicorp Staff - Site Admin) »

I think you just answered your own question there :P
Re: AOL Redacted@ Hunting

Post by mikeshinn (Atomicorp Staff - Site Admin) »

KrazyBob wrote: So what you're saying is that with the little info provided by AOL there really isn't a way to track down the sender?
Well, you know it was a web app and you know about the time it was sent, so I'd check your qmail logs to confirm the time, then check your domains' access_logs to see what web apps were accessed at the same time. I know our PHP 5.2 and 5.3 rpms will add the script as a header, and if I understand you correctly you are not using them? Or do you mean your PHP has the mail.add_x_header feature? If it does, then either a PHP script was not used, or AOL removed that header (unlikely, but anything is possible).

If you know you have the mail.add_x_header feature, ask AOL to confirm whether they removed that header. If they did not, then you can rule out PHP scripts (although I'd double check to make sure your PHP is in fact adding that header; PHP by default does not do that). If you don't know if that function exists in your PHP, enable it and send a mail message to yourself and see if the header is added.

If it is, and you had it enabled, then it's not a PHP script. If you don't get that header, it could be anything. So if your system doesn't log the PHP script, or it was not a PHP script, you'll have to check your qmail logs, confirm the time (or worst case look at the headers sent by AOL), then do a for loop on all the access_logs on your box and grep for that time.

If you don't know how to write a script to do that, let me know and I'll tinker up something.

If the system does log the PHP script header, in the future you won't have to do any work at all for a PHP script, just look at the header.
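The "for loop on all the access_logs and grep for that time" correlation described in the post above, written out as an added example (this is not code from the thread or from Atomicorp). It takes the timestamp from the qmail Received: line, converts it and each access_log timestamp to UTC seconds with awk, and prints every request on the box logged within a few seconds of the mail. The Plesk-style log layout (<domain>/statistics/logs/access_log), the temp-directory location and the sample log lines are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from Atomicorp. Takes the time
# stamp from the "Received: (qmail ... invoked by uid 48)" line and prints
# every access_log request on the box that fell within a few seconds of it:
# the "for loop on all the access_logs and grep for that time" step.
# The log layout and the sample log lines below are constructed for the demo.

# awk helpers shared by the shell functions. Both the qmail/Date: form
# ("10 May 2011 03:41:32 -0700", optionally with a leading "Tue,") and the
# Apache access_log form ("10/May/2011:03:41:31 -0700") are turned into UTC
# epoch seconds inside awk, so nothing here depends on GNU date -d.
AWK_LIB='
function days_from_civil(y, m, d,   era, yoe, doy, doe) {
  # days since 1970-01-01 for a proleptic Gregorian date
  y -= (m <= 2)
  era = int((y >= 0 ? y : y - 399) / 400)
  yoe = y - era * 400
  doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
  doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
  return era * 146097 + doe - 719468
}
function epoch(str,   n, f, i, mon, sign, off) {
  gsub("[/:,]", " ", str)                 # "10/May/2011:03:41:31 -0700" -> "10 May 2011 03 41 31 -0700"
  n = split(str, f, " ")
  if (f[1] !~ /^[0-9]+$/) {               # leading weekday ("Tue") from a Date:/Received: header
    for (i = 1; i < n; i++) f[i] = f[i + 1]
    n--
  }
  mon = (index("JanFebMarAprMayJunJulAugSepOctNovDec", f[2]) + 2) / 3
  sign = (substr(f[7], 1, 1) == "-") ? -1 : 1
  off = sign * (substr(f[7], 2, 2) * 3600 + substr(f[7], 4, 2) * 60)
  return days_from_civil(f[3], mon, f[1]) * 86400 + f[4] * 3600 + f[5] * 60 + f[6] - off
}
'

# to_epoch <timestamp>: prints the UTC epoch seconds for either timestamp form.
to_epoch() {
  awk -v s="$1" "$AWK_LIB"'BEGIN { print epoch(s) }'
}

# find_requests <logroot> <mail-timestamp> [window-seconds]
# Walks every access_log under <logroot> and prints "<logfile>: <line>" for
# each request logged within +/- window seconds of the mail timestamp, so a
# burst that spans several vhosts is visible in one pass. On a Plesk 9/10 box
# <logroot> would be /var/www/vhosts (assumed layout: <domain>/statistics/logs/).
find_requests() {
  root=$1; stamp=$2; win=${3:-5}
  find "$root" -type f -name 'access_log*' | sort | while IFS= read -r logfile; do
    awk -v stamp="$stamp" -v win="$win" -v logfile="$logfile" "$AWK_LIB"'
      BEGIN { target = epoch(stamp) }
      {
        a = index($0, "["); b = index($0, "]")
        if (a == 0 || b <= a) next          # no [timestamp] field on this line
        d = epoch(substr($0, a + 1, b - a - 1)) - target
        if (d < 0) d = -d
        if (d <= win) print logfile ": " $0
      }' "$logfile"
  done
}

# setup_sample_logs: writes constructed access_log files (not real traffic)
# for two vhosts into a temporary directory and prints that directory.
setup_sample_logs() {
  dir=$(mktemp -d)
  mkdir -p "$dir/thedomain.org/statistics/logs" "$dir/other.example/statistics/logs"
  cat > "$dir/thedomain.org/statistics/logs/access_log" <<'EOF'
203.0.113.5 - - [10/May/2011:03:40:58 -0700] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2011:03:41:31 -0700] "POST /yabbfiles/Smilies/var.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2011:03:55:02 -0700] "GET /contact.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
EOF
  cat > "$dir/other.example/statistics/logs/access_log" <<'EOF'
192.0.2.9 - - [10/May/2011:03:41:33 -0700] "GET /wp-login.php HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
EOF
  printf '%s\n' "$dir"
}

# Demo: with the qmail time from the thread's headers and a 5-second window,
# the POST to /yabbfiles/Smilies/var.php and the hit on other.example are
# printed; the requests 34 seconds earlier and 14 minutes later are not.
SAMPLE=$(setup_sample_logs)
find_requests "$SAMPLE" '10 May 2011 03:41:32 -0700' 5
rm -rf "$SAMPLE"
```

Two caveats when running this against real logs: Apache's %t field is the time the request was received, so a script that ran for a while before calling mail() logs a timestamp earlier than the qmail one, and the window should be widened accordingly; and the two timestamps in the thread's headers carry different zone offsets (-0700 from qmail, -0400 from AOL), which is why both are normalised to UTC before comparing rather than grepped as text.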
Re: AOL Redacted@ Hunting

Post by KrazyBob (Forum Regular) »

Sendmail has a replacement script that creates formmail.log:


Wed May 11 04:09:08 PDT 2011 - /var/www/vhosts/thedomain.org/httpdocs/yabbfiles/Smilies - apache x 48 48   Apache /var/www /sbin/nologin
Wed May 11 04:09:08 PDT 2011 - /var/www/vhosts/thedomain.org/httpdocs/yabbfiles/Smilies - apache x 48 48   Apache /var/www /sbin/nologin
Wed May 11 04:09:08 PDT 2011 - /var/www/vhosts/thedomain.org/httpdocs/yabbfiles/Smilies - apache x 48 48   Apache /var/www /sbin/nologin
Wed May 11 04:09:09 PDT 2011 - /var/www/vhosts/thedomain.org/httpdocs/yabbfiles/Smilies - apache x 48 48   Apache /var/www /sbin/nologin
Wed May 11 04:09:09 PDT 2011 - /var/www/vhosts/thedomain.org/httpdocs/yabbfiles/Smilies - apache x 48 48   Apache /var/www /sbin/nologin
Wed May 11 04:09:09 PDT 2011 - /var/www/vhosts/thedomain.org/httpdocs/yabbfiles/Smilies - apache x 48 48   Apache /var/www /sbin/nologin
Wed May 11 04:09:09 PDT 2011 - /var/www/vhosts/thedomain.org/httpdocs/yabbfiles/Smilies - apache x 48 48   Apache /var/www /sbin/nologin
But it seems that there has got to be an easier way to track down a redacted sender. AOL gives so little help and we are not yet on PHP 5.2. A couple of servers are but most aren't yet. We've been battling Plesk 9.0 and 10 not wanting to import servers with old Ensim accounts and encrypted passwords.
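A wrapper of the kind that produces a formmail.log like the one above, written here as an added example: this is a hypothetical script, not the replacement script KrazyBob runs and not Atomicorp code. It assumes the real binary has been renamed to /usr/sbin/sendmail.real, that the wrapper sits at /usr/sbin/sendmail, and that the log goes to /var/log/formmail.log. It records the same three things the log lines above show (local time, the caller's working directory, the caller's passwd entry) and adds the request variables when the web server exposes them.

```shell
#!/bin/sh
# Added example: a hypothetical sendmail wrapper of the kind that produces a
# formmail.log, not the script KrazyBob runs and not Atomicorp code. Assumed
# deployment: the real binary is renamed to /usr/sbin/sendmail.real and this
# file takes its place as /usr/sbin/sendmail, so every mail() call passes
# through it before delivery.

LOG=/var/log/formmail.log              # assumed log location
REAL_SENDMAIL=/usr/sbin/sendmail.real  # assumed: the renamed original binary

# format_entry <cwd> <passwd-line>
# One log line: local time, the caller's working directory, and the caller's
# passwd entry with colons turned into spaces. Under Apache the cwd is the
# directory of the script that called mail(), which is what names the vhost,
# and the passwd entry shows the uid (48 for apache on the box in the thread).
format_entry() {
  cwd=$1
  entry=$(printf '%s\n' "$2" | tr ':' ' ')
  printf '%s - %s - %s\n' "$(date)" "$cwd" "$entry"
}

# caller_passwd_line: the passwd entry for this process's effective uid.
# getent also resolves NSS-backed accounts; fall back to /etc/passwd without it.
caller_passwd_line() {
  uid=$(id -u)
  if command -v getent >/dev/null 2>&1; then
    getent passwd "$uid"
  else
    awk -F: -v u="$uid" '$3 == u' /etc/passwd
  fi
}

# request_context: when PHP runs as CGI/FastCGI (suPHP, suexec) the web
# server's request variables are inherited and pin down the exact script and
# client; under mod_php they are normally absent, so this can return nothing.
request_context() {
  printf '%s' "${SCRIPT_FILENAME:+script=$SCRIPT_FILENAME }${REMOTE_ADDR:+client=$REMOTE_ADDR }${HTTP_HOST:+host=$HTTP_HOST}"
}

# Only when installed under the name sendmail does the hand-off run; sourcing
# the file (for example from a test) just defines the functions above.
if [ "${0##*/}" = "sendmail" ]; then
  {
    format_entry "$PWD" "$(caller_passwd_line)"
    ctx=$(request_context)
    [ -n "$ctx" ] && printf '    %s\n' "$ctx"
  } >> "$LOG" 2>/dev/null
  exec "$REAL_SENDMAIL" "$@"
fi
```

The wrapper only helps if PHP actually calls it: php.ini's sendmail_path decides which binary mail() runs, so that setting has to point at the wrapper's path. And the working directory narrows the search to one directory, not one file; with several PHP files in that directory (the two scripts found in Smilies, say) the access_log for that minute, or the X-PHP-Originating-Script header on a PHP build that has mail.add_x_header, is what singles out the script.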
Re: AOL Redacted@ Hunting

Post by KrazyBob (Forum Regular) »

Actually, that script snippet I just posted may have been the spammer. I noted PHP scripts in the Smilies folder and said, "nope... no scripts go in there." I found two encrypted scripts uploaded on January 19, 2011, owned by apache.

But I maintain that AOL needs to be more helpful :)
Re: AOL Redacted@ Hunting

Post by mikeshinn (Atomicorp Staff - Site Admin) »

Could you send us the scripts? Might be something that can be done to try and detect when stuff like that runs and just stop it.
Re: AOL Redacted@ Hunting

Post by KrazyBob (Forum Regular) »

I hesitate to share scripts that may be hacks, but you do work on mod_sec. The scripts are cat.php, encrypted, and var.php, encrypted. They have no business in the smilies folder. Where should I send them?
Re: AOL Redacted@ Hunting

Post by KrazyBob (Forum Regular) »

It was copy.php and var.php. I also just located /Smilies/hsbcplc and spoofing scripts on the same site, so obviously something is getting by mod_sec. The hunt is on!
Re: AOL Redacted@ Hunting

Post by mikeshinn (Atomicorp Staff - Site Admin) »

KrazyBob wrote: Where should I send them?
Send them to support@atomicorp.com.