getting reports of SPAM from my vBulletin website

I'll start off by assigning myself the biggest "blame token", since we're running version 3.7 (which is really old). We're in the process of converting, however….

Got a trouble ticket today that we've been reported as a spammer, here's a trace of the email:

> [ Offending message ]

```
Return-Path: www-data@mouseowners.com
Received: from pierre.telenet-ops.be (LHLO pierre.telenet-ops.be)
    (195.130.132.34) by zcsnocm14.telenet-ops.be with LMTP; Thu, 2 Aug 2012
    20:13:20 +0200 (CEST)
Received: from mouseowners.com ([173.255.231.65])
    by pierre.telenet-ops.be with bizsmtp
    id huDK1j02n1RK5Mp01uDLhq; Thu, 02 Aug 2012 20:13:20 +0200
Delivered-To: x
Received: by mouseowners.com (Postfix, from userid 33)
    id 5467E1CCF6; Thu, 2 Aug 2012 13:13:19 -0500 (CDT)
To: x
Subject: Kn0w How T0 Build Y0ur 0wn Free-ELECTRIC.ITY
X-PHP-Originating-Script: 1000:class_mail.php
From: "The DVC Boards at MouseOwners.com - the place to talk DVC and Walt Disney World" <webmaster@mouseowners.com>
Auto-Submitted: auto-generated
Message-ID: <2012_a8ae@mouseowners.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-Mailer: vBulletin Mail via PHP
Date: Thu, 2 Aug 2012 13:13:19 -0500 (CDT)
```

That's clearly from my machine, and it's even in the postfix logs, so (thankfully, I guess) whatever is living on my machine isn't just going out to remote port 25s directly.

Has anyone ever seen this before, and know what script I might want to look for? I'm going off next to diff my public_html directory against a known-working snapshot I have to see if anything changed.

Failing that, is it just best to "nuke it from orbit", scrub the machine, and reload my database?

3 Replies

The trace you provided shows where it came from:

`X-PHP-Originating-Script: 1000:class_mail.php`

So I assume UID 1000 and sent through the script class_mail. I have a newer version of vBulletin, but mine is in public_html/includes/class_mail.php

yup, that's what I found too.

Going to try to match up access.log and mail.log today and see if there's some correlation.

Found it.

My version of vBulletin (and indeed even 4.2) has a link for "send email to friend" where you can send them an interesting article or post.

If this feature is enabled, instead of just sending the link with boilerplate language, it allows the user to select their own subject and body.

In essence, an open relay.

You can disable the feature in vB's options, but I'm not 100% clear that doing so will disable the feature if a malicious user is just POSTing the right sequence. So I disabled it by hand by editing the files

blog.php

sendmessage.php

showthread.php

in the forums directory and changing occurrences of "sendtofriend" to something totally random.
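The access.log / mail.log correlation mentioned earlier in the thread, as an added example that is not part of the original post and not vBulletin's code: a Python script over constructed sample lines (Postfix pickup entries and Apache combined-format requests). The hostname, PIDs, client IPs, second queue id and thread ids are made up for the sample; the first queue id and Message-ID are the ones from the trace above. It pairs each message Postfix picked up from uid 33 (www-data) with a send-to-friend POST received in the few seconds before it, then ranks the client IPs by how many queued mails they account for.

```python
"""Correlate Postfix pickup events with web POSTs to vBulletin's send-to-friend
handler, to confirm which requests produced outbound mail from www-data.
Added example with constructed sample logs (Postfix / Apache combined format)."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of /var/log/mail.log (syslog timestamps carry no year or tz).
MAIL_LOG = """\
Aug  2 13:13:19 web postfix/pickup[2110]: 5467E1CCF6: uid=33 from=<www-data>
Aug  2 13:13:19 web postfix/cleanup[2111]: 5467E1CCF6: message-id=<2012_a8ae@mouseowners.com>
Aug  2 13:13:25 web postfix/pickup[2110]: 6A1B2C3D4E: uid=33 from=<www-data>
Aug  2 13:20:01 web postfix/pickup[2110]: 7F0E9D8C7B: uid=0 from=<root>
"""

# Constructed sample of Apache access.log in combined format.
ACCESS_LOG = """\
198.51.100.7 - - [02/Aug/2012:13:13:18 -0500] "POST /forums/sendmessage.php?do=sendtofriend&t=12345 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Aug/2012:13:13:18 -0500] "GET /forums/showthread.php?t=12345 HTTP/1.1" 200 41022 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Aug/2012:13:13:19 -0500] "POST /forums/login.php?do=login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Aug/2012:13:13:24 -0500] "POST /forums/sendmessage.php?do=sendtofriend&t=12346 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

PICKUP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/pickup\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): uid=(?P<uid>\d+)")
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

WWW_DATA_UID = 33               # uid Postfix logged in the trace (www-data on Debian/Ubuntu)
SUSPECT_ACTION = "sendtofriend"  # the vBulletin action identified in the thread


def parse_pickups(text, year):
    """Return (time, queue_id, uid) for each postfix/pickup line."""
    out = []
    for line in text.splitlines():
        m = PICKUP_RE.match(line)
        if not m:
            continue
        ts = re.sub(r"\s+", " ", m["ts"])  # syslog pads the day: "Aug  2"
        when = datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=year)
        out.append((when, m["qid"], int(m["uid"])))
    return out


def parse_requests(text):
    """Return (local_time, ip, method, path) for each access.log line.
    Assumes Apache and syslog share the machine's local clock, so the
    UTC offset is dropped and times are compared naively."""
    out = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        out.append((when, m["ip"], m["method"], m["path"]))
    return out


def correlate(mail_text, access_text, year=2012, window=5):
    """Pair every www-data pickup with send-to-friend POSTs that arrived in
    the `window` seconds before it. Returns a list of dicts."""
    requests = [r for r in parse_requests(access_text)
                if r[2] == "POST" and SUSPECT_ACTION in r[3]]
    matches = []
    for when, qid, uid in parse_pickups(mail_text, year):
        if uid != WWW_DATA_UID:
            continue
        for r_when, ip, _method, path in requests:
            if timedelta(0) <= when - r_when <= timedelta(seconds=window):
                matches.append({"queue_id": qid, "ip": ip, "path": path,
                                "request_time": r_when, "pickup_time": when})
    return matches


def top_sources(matches):
    """Rank client IPs by how many queued mails they account for."""
    return Counter(m["ip"] for m in matches).most_common()


if __name__ == "__main__":
    found = correlate(MAIL_LOG, ACCESS_LOG)
    for m in found:
        print(f"{m['queue_id']} <- {m['ip']} {m['path']}")
    print(top_sources(found))
```

On a real box, replace the two sample strings with the contents of mail.log and access.log and widen `window` if PHP mail delivery on the host is slow. Matching on the Postfix pickup uid rather than on the PHP header keeps the correlation independent of what the web application chose to write, and the per-IP ranking is what tells a one-off "send to friend" click apart from a script hammering the handler.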
