help: someone has spammed through smartlist on my debian box
/* Please excuse the cross-posting to debian-user and smartlist. I
think both are likely to have useful input on this and it feels fairly
urgent to me! */
I run a few not particularly large Email lists using smartlist under
Hamm. I have subscription confirmation on and have been very
happy with the setup. I've had problems as the medical school site
which hosts my box has been abused by spammers (45k
messages in 24hrs) and had big hassle with the blacklists etc. as
a result.
Now a spam has gone out on one of my lists last night. The name
from which it comes is not on the list nor have I had copies of any
attempts by this person to join (which I receive as default
normally). The header shows s/he has definitely used the list:
Status: U
Return-Path: <sign-speak-request@psyctc.sghms.ac.uk>
Received: from psyctcsghms.ac.uk (psyctc [194.80.201.68])
    by ribosome.sghms.ac.uk (8.8.8+Sun/8.8.8) with ESMTP id GAA15491;
    Fri, 20 Nov 1998 06:11:39 GMT
Received: (from list@localhost)
    by psyctcsghms.ac.uk (8.8.8/8.8.8/Debian/GNU) id GAA21614;
    Fri, 20 Nov 1998 06:07:50 GMT
Resent-Date: Fri, 20 Nov 1998 06:07:50 GMT
From: rickh@coldmail.com
Message-Id: <m0zgOw1-000zUGC@nexus.chilenet.cl>
Date: Fri, 20 Nov 98 03:00 ADT
To: Friend@Public.com
Subject: Over 20 Joined In The Last 5 Days - Join Now & Get In near The Top!
Resent-Message-ID: <"VxzYWD.A.nRF.2cQV2"@psyctc>
Resent-From: sign-speak@psyctc.sghms.ac.uk
Resent-Reply-To: sign-speak@psyctc.sghms.ac.uk
X-Mailing-List: <sign-speak@psyctc.sghms.ac.uk> archive/latest/9
X-Loop: sign-speak@psyctc.sghms.ac.uk
Precedence: list
Resent-Sender: sign-speak-request@psyctc.sghms.ac.uk
X-list: sign-speak@psyctc.sghms.ac.uk
X-Unsub: To leave, send text 'unsubscribe' to sign-speak-request@psyctc.sghms.ac.uk
X-List-Unsubscribe: <mailto:sign-speak-request@psyctc.sghms.ac.uk@body=unsubscribe>
X-List-Administrator: lists@psyctc.sghms.ac.uk (Chris Evans)
X-PMFLAGS: 33554560 0 1 P50480.CNM
The stuff at the top shows something odd with the missing stop in
psyctcsghms.ac.uk but the psyctc and the IP address are correct.
The X-List: and other stuff at the bottom is very definitely the stuff
I've put into the list that it should add to all outgoing post so s/he's
definitely hacked into the list somehow.
I found one other with the same body to the message but a very
different header:
Received: from nexus.chilenet.cl (root@nexus.netalta.cl [200.2.98.4])
    by psyctcsghms.ac.uk (8.8.8/8.8.8/Debian/GNU) with SMTP id GAA21596
    for <lists@psyctc.sghms.ac.uk>; Fri, 20 Nov 1998 06:01:49 GMT
From: rickh@coldmail.com
Received: by nexus.chilenet.cl (/\oo/\ Smail3.1.29.1 #29.17)
    id <m0zgOVv-000zMkC@nexus.chilenet.cl>; Thu, 19 Nov 98 04:28 ADT
Message-Id: <m0zgOVv-000zMkC@nexus.chilenet.cl>
Date: Fri, 20 Nov 98 02:56 ADT
To: Friend@Public.com
Subject: Over 20 Joined In The Last 5 Days - Join Now & Get In near The Top!
X-PMFLAGS: 33554560 0 1 P3D710.CNM
I'm a bit out of my depth here but willing to do anything reasonable
to minimise the risks of this happening again. Does anyone
recognise the probable exploit that was used or have advice about
how to do more to track down the route used and to block off this
or other likely exploits?
TIA,
Chris
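One concrete way to "track down the route used" from headers like the two sets quoted above is to walk the Received: chain mechanically rather than by eye. The script below is an added example, not code from Chris's post or from SmartList. Its two sample messages are the header sets from the post, retyped as constructed input (bodies omitted, folded lines re-joined); the set of local MTA names in LOCAL_HOSTS is an assumption taken from the "by" clauses in those headers. It lists the hops oldest first and reports the earliest hop at which one of the local MTAs accepted the message, with the peer host/IP and the envelope recipient recorded in the "for" clause.

```python
"""Reconstruct the relay path of a message from its Received: headers.
Added example, not code from the original post.  The two sample messages
are the header sets quoted in the post, retyped as constructed input with
the bodies omitted and the folded header lines re-joined."""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample 1: the copy the list resent to subscribers.
RESENT_COPY = r"""Return-Path: <sign-speak-request@psyctc.sghms.ac.uk>
Received: from psyctcsghms.ac.uk (psyctc [194.80.201.68])
    by ribosome.sghms.ac.uk (8.8.8+Sun/8.8.8) with ESMTP id GAA15491;
    Fri, 20 Nov 1998 06:11:39 GMT
Received: (from list@localhost)
    by psyctcsghms.ac.uk (8.8.8/8.8.8/Debian/GNU) id GAA21614;
    Fri, 20 Nov 1998 06:07:50 GMT
Resent-Date: Fri, 20 Nov 1998 06:07:50 GMT
From: rickh@coldmail.com
Message-Id: <m0zgOw1-000zUGC@nexus.chilenet.cl>
To: Friend@Public.com
Resent-From: sign-speak@psyctc.sghms.ac.uk
X-Loop: sign-speak@psyctc.sghms.ac.uk
Precedence: list

(body omitted)
"""

# Constructed sample 2: the copy that arrived for lists@ from outside.
INBOUND_COPY = r"""Received: from nexus.chilenet.cl (root@nexus.netalta.cl [200.2.98.4])
    by psyctcsghms.ac.uk (8.8.8/8.8.8/Debian/GNU) with SMTP id GAA21596
    for <lists@psyctc.sghms.ac.uk>; Fri, 20 Nov 1998 06:01:49 GMT
From: rickh@coldmail.com
Received: by nexus.chilenet.cl (/\oo/\ Smail3.1.29.1 #29.17)
    id <m0zgOVv-000zMkC@nexus.chilenet.cl>; Thu, 19 Nov 98 04:28 ADT
Message-Id: <m0zgOVv-000zMkC@nexus.chilenet.cl>
To: Friend@Public.com

(body omitted)
"""

# Assumed set of our own MTA names as they appear in "by" clauses.  The
# undotted form is included because that is what the quoted headers show.
LOCAL_HOSTS = {"psyctcsghms.ac.uk", "psyctc.sghms.ac.uk", "ribosome.sghms.ac.uk"}


def _grab(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None


def parse_hop(value):
    """Split one Received: value into from/by/for/id/ip/date parts."""
    v = " ".join(value.split())          # unfold and squeeze whitespace
    hop = {
        "from": _grab(r"\bfrom\s+([^\s()]+)", v),
        "by": _grab(r"\bby\s+([^\s()]+)", v),
        "for": _grab(r"\bfor\s+<?([^>;\s]+)>?", v),
        "id": _grab(r"\bid\s+<?([^>;\s]+)>?", v),
        "ip": _grab(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", v),
        "date": None,
    }
    if ";" in v:                         # the timestamp follows the last ';'
        try:
            hop["date"] = parsedate_to_datetime(v.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            pass
    return hop


def route(raw):
    """Hops oldest first.  Header order, not the (forgeable) dates, decides
    the order: each MTA prepends its own Received: line, so the bottom-most
    line is the earliest hop visible."""
    msg = message_from_string(raw)
    return [parse_hop(h) for h in reversed(msg.get_all("Received", []))]


def external_entry(raw, local_hosts=LOCAL_HOSTS):
    """Earliest hop at which one of our MTAs accepted the message.  Its
    'from' host/IP is the peer that handed it to us and 'for' is the
    envelope recipient the MTA recorded, if any."""
    for hop in route(raw):
        if hop["by"] in local_hosts:
            return hop
    return None


if __name__ == "__main__":
    for label, raw in (("resent copy", RESENT_COPY), ("inbound copy", INBOUND_COPY)):
        print(f"== {label}")
        for hop in route(raw):
            print(f"  {str(hop['from']):<24} -> {str(hop['by']):<22} "
                  f"for={hop['for']} id={hop['id']} at {hop['date']}")
        e = external_entry(raw)
        print(f"  entered our MTAs from {e['from']} [{e['ip']}] for {e['for']}")
```

Two things the output makes plain: the chain of the list-resent copy starts at "(from list@localhost)", so that copy alone cannot show where the message came from, and the inbound copy records the peer (nexus.chilenet.cl, 200.2.98.4) and the local address it was accepted for, which is where a search of the MTA log for the queue id would begin.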