Spam detection program

mbodamer
Hard Drive Crasher
Posts: 949
Joined: Tue Oct 14, 2003 7:13 pm
Location: Abaco, Bahamas

Post by mbodamer » Mon Sep 19, 2011 8:08 pm

Thomas,
This is mostly directed to you since you seem to be the script kiddie when it comes to writing anti-spam programs, however anyone of course can chime in.

I recently had a string of spammers that sent out spam from my server. It is of course hundreds/thousands of copies of the exact same message.

So since it is something that all of the messages have in common, my thought is to have a script that checks the outgoing mail and if it finds XYZ messages that are identical then it suspends that account.

I have no users that have mailing lists that send mass emails like a newsletter. So this would catch all outgoing spammers that are sending mass emails through a compromised account.

I would like a way to turn it on and off per account if a user did want to have a legit newsletter, also to configure the XYZ that matches....

Me NOT being a programmer, I look at this and say "genius" why hasn't anyone thought of this and it seems very easy to make but in reality I have no clue if something like this exists or if it is easy or not to implement.

So I am throwing it out there: is this feasible, how difficult is it, is it a good idea, would you be interested in creating it?
Mike

Arf
Official Test Penquin
Posts: 9103
Joined: Tue Apr 09, 2002 12:00 am
Location: IDAHO, USA

Post by Arf » Mon Sep 19, 2011 11:49 pm

It's a good idea and I've thought about something similar but I can't think of a method for reading the subject lines of the outgoing emails. Maybe I'm brain dead but I can't think of any logs for such things. There might be a way to tell SendMail to log this info but that's beyond my understanding of SendMail.

Post by Arf » Mon Sep 19, 2011 11:50 pm

Wait, what server type? I was speaking of Alabanza.

Post by mbodamer » Mon Sep 19, 2011 11:51 pm

cpanel
Mike

Post by Arf » Tue Sep 20, 2011 4:54 am

I don't know about your servers, but my servers have at least 300 to 500 email users. The result is the /var/log/exim_mainlog where that would be logged is quite active. Writing a cron or daemon to read the log constantly would put a pretty heavy strain on the server.

I guess it could start with learning the behavior of spammers. For example, what did your spammers use for mailing? Were they new clients?

If they used webmail or a PHP/CGI/OTHER application and were new clients, that's easy, I already have a program for breaking all scripting on an account. I'm not sure if I distributed my cpanel break scripts program or not. Since this is a public forum I can discuss how it works.
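The idea discussed in this thread, sketched as an added example that is not part of any post and is not code from the participants: it reads only the newly appended part of the Exim main log (to avoid rescanning a busy log) and flags accounts that sent at least a configurable number of messages with the same subject, skipping exempt accounts. It assumes subject logging is enabled (`log_selector = +subject`), uses the subject as a stand-in for "identical message", and the function names and sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Exim main-log arrival lines ("<="). T="..." appears only when subject
# logging (log_selector = +subject) is on; that is assumed here.
ARRIVAL = re.compile(r'^\S+ \S+ \S+ <= (\S+) ')
USER = re.compile(r' U=(\S+)')
SUBJECT = re.compile(r' T="((?:[^"\\]|\\.)*)"')

def read_new_lines(path, offset):
    """Return (complete lines appended since offset, new offset)."""
    with open(path, "rb") as fh:
        fh.seek(0, 2)
        if fh.tell() < offset:  # file shrank: log was rotated
            offset = 0
        fh.seek(offset)
        data = fh.read()
    end = data.rfind(b"\n") + 1  # leave a half-written last line for next run
    return data[:end].decode("utf-8", "replace").splitlines(), offset + end

def find_bulk_senders(lines, threshold, exempt=()):
    """Map account -> (subject, count) for non-exempt accounts that sent
    at least `threshold` messages with the same subject."""
    counts = Counter()
    for line in lines:
        arrival, subject = ARRIVAL.match(line), SUBJECT.search(line)
        if not (arrival and subject):
            continue  # delivery lines, rejects, messages without a subject
        user = USER.search(line)
        account = user.group(1) if user else arrival.group(1)
        if account not in exempt:
            counts[(account, subject.group(1).strip().lower())] += 1
    flagged = {}
    for (account, subject), n in counts.items():
        if n >= threshold and n > flagged.get(account, ("", 0))[1]:
            flagged[account] = (subject, n)
    return flagged

# Constructed sample, not taken from a real server.
SAMPLE_LOG = """\
2011-09-19 20:08:01 1R5aaa-0001Xy-2K <= acct1@host.example U=acct1 P=local S=2101 T="Cheap pills"
2011-09-19 20:08:02 1R5aab-0001Xz-3L <= acct1@host.example U=acct1 P=local S=2101 T="Cheap pills"
2011-09-19 20:08:02 1R5aab-0001Xz-3L => someone@remote.example R=lookuphost T=remote_smtp
2011-09-19 20:08:03 1R5aac-0001Y0-4M <= acct1@host.example U=acct1 P=local S=2101 T="Cheap pills"
2011-09-19 20:09:10 1R5aad-0001Y1-5N <= news@host.example U=news P=local S=900 T="Monthly newsletter"
2011-09-19 20:09:11 1R5aae-0001Y2-6O <= news@host.example U=news P=local S=900 T="Monthly newsletter"
2011-09-19 20:09:12 1R5aaf-0001Y3-7P <= news@host.example U=news P=local S=900 T="Monthly newsletter"
2011-09-19 20:10:00 1R5aag-0001Y4-8Q <= acct2@host.example U=acct2 P=local S=512 T="Re: invoice"
""".splitlines()
```

A cron job would store the returned offset between runs and hand the flagged accounts to whatever review or suspension step the administrator uses.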

Post by mbodamer » Tue Sep 20, 2011 3:36 pm

In my case, I have no idea how they use my server... that's my issue.

Messages are being sent out as the account user, which is not set up as a valid email account. So the accounts already exist, it is new accounts.

Clearly it is someone compromising existing accounts in some way...
Mike

Post by Arf » Wed Sep 21, 2011 10:59 pm

Are you using any kind of script preventing methods on new accounts? If you could, would it help? Or are these old accounts that have been compromised? Maybe you don't know but I thought I'd ask.

Post by mbodamer » Wed Sep 21, 2011 11:31 pm

I do not allow auto signups. I personally manage all accounts on my server. So these must be previous exploits being used over and over.

A good majority of my sites are Joomla, the installs are the latest version (for the 1.5.23 install, not interested in migrating to 1.7 just yet).

I think some of the stuff is remnant from previous installs that had holes, or modules for Joomla. I have been trying to systematically go through and get rid of any module not needed.

So to answer your question, a new account script breaker wouldn't help in this instance. I honestly think that CSF is saving my life with what they did. Previous to this I got NO notice of anything and was sitting blindly allowing spammers to take over my machine until LW found it dead and had to reboot it.

I am learning a lot, just not fast enough.
Mike
