[support] Hi-Jacked Email Identity (possibly OT?)
dc
lister at pikkle.com
Fri Dec 9 21:39:46 UTC 2005
I assume you have taken all the XML-RPC stuff out? There were some
vulnerabilities in that recently; one of my servers was also hacked, and I
believe temporarily used for sending emails out also.
/dc
> -----Original Message-----
> From: support-bounces at drupal.org
> [mailto:support-bounces at drupal.org] On Behalf Of Earl Miles
> Sent: Thursday, December 08, 2005 2:41 AM
> To: support at drupal.org; Gunther Herzog
> Subject: Re: [support] Hi-Jacked Email Identity (possibly OT?)
>
> The first thing you need to do is examine the mail headers
> and possibly your mail logs, and see if the messages are
> coming internally or externally. If you're running older
> software or have not secured your software properly, you
> might simply have left an open relay and then just about any
> joker could do it.
>
> From your message it may also be possible that people are
> just using your domain and not using your server at all. If
> that's actually happening there is little you can do about
> it. It's very easy to forge a domain. But generally that
> doesn't get domains black-listed.
>
> The next possibility is that a hack has been installed on your
> machine through some vulnerability or other, and that you
> could disable Drupal entirely and still have this problem.
> Those can be difficult to find; I recommend google searching
> on the topic for tools and ideas on how to track that sort of
> thing down.
>
> Gunther Herzog wrote:
> > Hello,
> >
> > I wonder if anyone else has experienced the
> > following phenomenon, and whether or not it is
> > Drupal-related, and might possibly have an idea
> > as to the next course of action to take...
> >
> > The following did not occur until AFTER I
> > started using Drupal (a few months ago), though
> > I have had my site and domain name for several
> > years.
> >
> > Essentially, what I keep getting on a
> > more-than-daily basis is emails with
> >
> > SUBJ: Delivery Status (failure)
> > FROM: postmaster@
> >
> > Following the @ would be the domain of NUMEROUS
> > domains that were hit, with attempted delivery
> > to hundreds of email addressees. And that's just
> > the bogus ones--who knows what actually got
> > through.
> >
> > My domain is now being filtered by MSN's
> > anti-spam and who knows how many others. I am
> > angry enough to offer any interested lawyer 100%
> > of the awarded fines in return for assistance in
> > tracking these people down and filing a
> > lawsuit.
> >
> > As to Drupal... at first I thought it might be
> > that one of the add-on modules I'd installed was
> > insecure. Before diving into the code, I simply
> > disabled Email-This-Page module and Subscribe
> > module. And the problem still persists. My next
> > idea would be to pull down the entire site and
> > put up a simple "Down for Maintenance" page and
> > see if the problem persists.
> >
> > Any ideas, folks?
> >
> > PS if you feel this is too off-topic and not
> > Drupal related, go ahead and email me privately
> > instead.
> >
>
> --
> [ Drupal support list | http://lists.drupal.org/ ]
>
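
Added example, not part of the original thread: one way to do the header check described above is to pull the returned message out of each "Delivery Status (failure)" bounce and see whether any of its Received lines name your own server. The hostname in MY_HOSTS, the sample bounce text and the result labels are assumptions made for this sketch.

```python
import email
import re
from email import policy

MY_HOSTS = {"mail.example.org"}       # assumption: names your MTA writes after "by"
LOCAL_IPS = {"127.0.0.1", "::1"}      # hand-off from the machine itself

BY = re.compile(r"\bby\s+(\S+)")
IP = re.compile(r"\[([0-9A-Fa-f:.]+)\]")

def sample_bounce(received):
    """Constructed bounce (not real traffic) carrying one Received line."""
    return (
        "From: postmaster@remote.example\nSubject: Delivery Status (failure)\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/report; boundary="b"\n\n'
        "--b\nContent-Type: text/plain\n\nDelivery failed.\n"
        "--b\nContent-Type: message/rfc822\n\n"
        f"Received: {received}\nFrom: someone@example.org\nSubject: x\n\nbody\n"
        "--b--\n")

def embedded_original(bounce):
    """Return the returned message (or just its headers) attached to a bounce."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None

def classify(raw_bounce):
    """Say whether the bounced message passed through one of MY_HOSTS, and from where."""
    bounce = email.message_from_string(raw_bounce, policy=policy.default)
    original = embedded_original(bounce)
    if original is None:
        return "no-original-attached"
    # Received lines are not authenticated; confirm any hit against your mail logs.
    for received in original.get_all("Received", []):
        text = str(received)
        by = BY.search(text)
        if by and by.group(1).rstrip(";").lower() in MY_HOSTS:
            src = IP.search(text[:by.start()])   # sending IP, if the hop recorded one
            local = src is None or src.group(1) in LOCAL_IPS
            return "internal" if local else "external-relay"
    return "forged-domain-only"

if __name__ == "__main__":
    print(classify(sample_bounce("from x ([203.0.113.7]) by mail.example.org; ...")))
```

"internal" points at something on the machine itself generating the mail, "external-relay" at the server accepting mail from outside and passing it on, and "forged-domain-only" at mail that never touched the server.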