Spam detection program
Thomas,
This is mostly directed to you since you seem to be the script kiddie when it comes to writing anti-spam programs; however, anyone of course can chime in.
I recently had a string of spammers that sent out spam from my server. It is of course hundreds/thousands of copies of the exact same message.
So since it is something that all of the messages have in common, my thought is to have a script that checks the outgoing mail, and if it finds XYZ messages that are identical, then it suspends that account.
I have no users that have mailing lists that send mass emails like a newsletter. So this would catch all outgoing spammers that are sending mass emails through a compromised account.
I would like a way to turn it on and off per account if a user did want to have a legit newsletter, also to configure the XYZ that matches....
Me NOT being a programmer, I look at this and say "genius", why hasn't anyone thought of this, and it seems very easy to make, but in reality I have no clue if something like this exists or if it is easy or not to implement.
So I am throwing it out there: is this feasible, how difficult is it, is it a good idea, would you be interested in creating it?
Mike
- Arf
- Official Test Penquin
- Posts: 9103
- Joined: Tue Apr 09, 2002 12:00 am
- Location: IDAHO, USA
It's a good idea and I've thought about something similar but I can't think of a method for reading the subject lines of the outgoing emails. Maybe I'm brain dead but I can't think of any logs for such things. There might be a way to tell SendMail to log this info but that's beyond my understanding of SendMail.
- Arf
- Official Test Penquin
- Posts: 9103
- Joined: Tue Apr 09, 2002 12:00 am
- Location: IDAHO, USA
I don't know about your servers, but my servers have at least 300 to 500 email users. The result is the /var/log/exim_mainlog where that would be logged is quite active. Writing a cron or daemon to read the log constantly would put a pretty heavy strain on the server.
I guess it could start with learning the behavior of spammers. For example, what did your spammers use for mailing? Were they new clients?
If they used webmail or a PHP/CGI/OTHER application and were new clients, that's easy, I already have a program for breaking all scripting on an account. I'm not sure if I distributed my cPanel break scripts program or not. Since this is a public forum I can discuss how it works.
I do not allow auto signups. I personally manage all accounts on my server. So these must be previous exploits being used over and over.
A good majority of my sites are Joomla; the installs are the latest version (for the 1.5.23 install, not interested in migrating to 1.7 just yet).
I think some of the stuff is remnant from previous installs that had holes, or modules for Joomla. I have been trying to systematically go through and get rid of any module not needed.
So to answer your question, a new account script breaker wouldn't help in this instance. I honestly think that CSF is saving my life with what they did. Previous to this I got NO notice of anything and was sitting blindly allowing spammers to take over my machine until LW found it dead and had to reboot it.
I am learning a lot, just not fast enough.
Mike
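The check proposed in the first post, run over the kind of log mentioned in the /var/log/exim_mainlog reply, as an added example that is not code from any poster in this thread. It assumes Exim logs the subject on arrival lines (`log_selector = +subject`, giving a `T="..."` field), uses an identical subject as a stand-in for "identical message", and only reports accounts; the function names, threshold and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Arrival lines only ("<="); on delivery lines ("=>") T= names the transport.
ARRIVAL = re.compile(r'^\S+ \S+ \S+ <= (?P<sender>\S+) (?P<rest>.*)$')
AUTH = re.compile(r'\bA=\w+:(\S+)')   # authenticated SMTP login
LOCAL = re.compile(r'\bU=(\S+)')      # local user (web scripts, cron)

def find_bulk_senders(lines, threshold=100, exempt=frozenset()):
    """Return {account: (subject, count)} for every non-exempt account that
    submitted at least `threshold` messages with one identical subject."""
    counts = Counter()
    for line in lines:
        m = ARRIVAL.match(line)
        if not m:
            continue
        # Assumption: subject logging is on, so the line carries T="subject".
        head, sep, tail = m.group('rest').partition(' T="')
        if not sep:
            continue
        subject = tail.rsplit('" for ', 1)[0] if '" for ' in tail else tail.rstrip('"')
        who = AUTH.search(head) or LOCAL.search(head)
        account = who.group(1) if who else m.group('sender')
        if account not in exempt:
            counts[(account, subject)] += 1
    flagged = {}
    for (account, subject), n in counts.most_common():
        if n >= threshold and account not in flagged:
            flagged[account] = (subject, n)
    return flagged

def sample_log():
    """Constructed lines in Exim mainlog style; addresses and IDs are made up."""
    fmt = '2011-10-01 03:00:{i:02d} 1RAbcd-00000{i}-{tag} <= {frm} {how} S=2048 T="{subj}" for r{i}@example.net'
    rows = []
    for i in range(6):   # compromised mailbox: six identical messages
        rows.append(fmt.format(i=i, tag='Aa', frm='info@example.com', subj='Cheap meds',
                               how='H=(pc) [192.0.2.10] P=esmtpa A=dovecot_login:info@example.com'))
    for i in range(5):   # opted-out newsletter account
        rows.append(fmt.format(i=i, tag='Bb', frm='news@example.org', subj='October newsletter',
                               how='U=news P=local'))
    for i in range(2):   # ordinary user, distinct subjects
        rows.append(fmt.format(i=i, tag='Cc', frm='alice@example.org', subj=f'Re: invoice {i}',
                               how='U=alice P=local'))
    rows.append('2011-10-01 03:00:09 1RAbcd-000000-Aa => r0@example.net R=lookuphost T=remote_smtp')
    return rows

if __name__ == '__main__':
    print(find_bulk_senders(sample_log(), threshold=5, exempt={'news'}))
```

The `exempt` set is the per-account off switch for legitimate newsletters and `threshold` is the configurable "XYZ"; what to do with a flagged account (suspend, alert) is left to the administrator.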