[support] Hi-Jacked Email Identity (possibly OT?)

dc lister at pikkle.com
Fri Dec 9 21:39:46 UTC 2005


I assume you have taken all the XML-RPC stuff out? There were some
vulnerabilities in that recently; one of my servers was also hacked, and I
believe temporarily used for sending emails out also.

/dc

> -----Original Message-----
> From: support-bounces at drupal.org 
> [mailto:support-bounces at drupal.org] On Behalf Of Earl Miles
> Sent: Thursday, December 08, 2005 2:41 AM
> To: support at drupal.org; Gunther Herzog
> Subject: Re: [support] Hi-Jacked Email Identity (possibly OT?)
> 
> The first thing you need to do is examine the mail headers 
> and possibly your mail logs, and see if the messages are 
> coming internally or externally. If you're running older 
> software or have not secured your software properly, you 
> might simply have left an open relay and then just about any 
> joker could do it.
> 
> From your message it may also be possible that people are 
> just using your domain and not using your server at all. If 
> that's actually happening there is little you can do about 
> it. It's very easy to forge a domain. But generally that 
> doesn't get domains black-listed.
> 
> The next possibility is that a hack has been installed on your 
> machine through some vulnerability or other, and that you 
> could disable Drupal entirely and still have this problem. 
> Those can be difficult to find; I recommend Google searching 
> on the topic for tools and ideas on how to track that sort of 
> thing down.
> 
> Gunther Herzog wrote:
> > Hello,
> > 
> >   I wonder if anyone else has experienced the
> >   following phenomenon, and whether or not it is
> >   Drupal-related, and might possibly have an idea
> >   as to the next course of action to take...
> > 
> >   The following did not occur until AFTER I
> >   started using Drupal (a few months ago), though
> >   I have had my site and domain name for several
> >   years.
> > 
> >   Essentially, what I keep getting on a
> >   more-than-daily basis is emails with
> > 
> >   SUBJ: Delivery Status (failure)
> >   FROM: postmaster@
> > 
> >   Following the @ would be the domain of NUMEROUS
> >   domains that were hit, with attempted delivery
> >   to hundreds of email addressees. And that's just
> >   the bogus ones--who knows what actually got
> >   through.
> > 
> >   My domain is now being filtered by MSN's
> >   anti-spam and who knows how many others. I am
> >   angry enough to offer any interested lawyer 100%
> >   of the awarded fines in return for assistance in
> >   tracking these people down and filing a
> >   lawsuit.
> > 
> >   As to Drupal... at first I thought it might be
> >   that one of the add-on modules I'd installed was
> >   insecure. Before diving into the code, I simply
> >   disabled Email-This-Page module and Subscribe
> >   module. And the problem still persists. My next
> >   idea would be to pull down the entire site and
> >   put up a simple "Down for Maintenance" page and
> >   see if the problem persists.
> > 
> >   Any ideas, folks?
> > 
> >   PS if you feel this is too off-topic and not
> >   Drupal related, go ahead and email me privately
> >   instead.
> > 
> 
> --
> [ Drupal support list | http://lists.drupal.org/ ]
> 
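The header check Earl recommends, as an added example that is not part of this thread: parse the Received: chain that a bounce returns from the original message and decide whether the message entered the mail system through your own server (a local process, or an outside client relaying through it) or never touched it at all (your domain forged elsewhere, the backscatter case). The host names, addresses and sample headers are constructed placeholders.

```python
import email
import re

# Assumed placeholders for your own MTA; not taken from the thread.
OWN_HOSTS = {"mail.example.org", "198.51.100.25", "localhost", "127.0.0.1"}

# Constructed samples: the original-message headers a bounce sends back.
FORGED = """\
Received: from mx3.victim-isp.test (mx3.victim-isp.test [203.0.113.8])
\tby mta.remote.test with ESMTP; Thu, 8 Dec 2005 10:00:00 +0000
Received: from dsl-pool-44.spamnet.test (unknown [192.0.2.44])
\tby mx3.victim-isp.test with SMTP; Thu, 8 Dec 2005 09:59:58 +0000
From: sales@example.org
"""
RELAYED = """\
Received: from mail.example.org (mail.example.org [198.51.100.25])
\tby mx3.victim-isp.test with ESMTP; Thu, 8 Dec 2005 10:00:00 +0000
Received: from dsl-pool-44.spamnet.test (unknown [192.0.2.44])
\tby mail.example.org with SMTP; Thu, 8 Dec 2005 09:59:58 +0000
From: sales@example.org
"""

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<rdns>[^)]*)\))?.*?\bby\s+(?P<by>[\w.-]+)", re.S)

def hops(headers_text):
    """Return Received: hops newest-first as dicts with from/ip/by."""
    msg = email.message_from_string(headers_text)
    out = []
    for raw in msg.get_all("Received", []):
        m = HOP_RE.search(raw)
        if m:
            ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", m.group("rdns") or "")
            out.append({"from": m.group("helo"), "ip": ip.group(1) if ip else None,
                        "by": m.group("by")})
    return out

def classify_origin(headers_text, own_hosts=OWN_HOSTS):
    """'forged': domain used elsewhere (backscatter); 'relayed': injected into
    your server from outside (open relay); 'local': generated on your host.
    Only hops written by servers you control are trustworthy; the sender
    can fabricate any Received: line below those."""
    chain = hops(headers_text)
    if not chain:
        return "unknown"
    oldest = chain[-1]  # bottom-most Received: is where the message was injected
    if oldest["by"] in own_hosts:
        return "local" if {oldest["from"], oldest["ip"]} & own_hosts else "relayed"
    touched = any({h["from"], h["ip"], h["by"]} & own_hosts for h in chain)
    return "relayed" if touched else "forged"
```

Cross-check the result against your own mail log: a "relayed" or "local" verdict should have a matching entry on your server for that message id and time, while "forged" will have none.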
