Ticket #709 (closed maintenance: fixed)
Reconomy sites appear to be sending out spam
| Reported by: | chris | Owned by: | chris |
|---|---|---|---|
| Priority: | minor | Milestone: | Maintenance |
| Component: | Parrot server | Keywords: | |
| Cc: | ed, laura, sam | Estimated Number of Hours: | 0.0 |
| Add Hours to Ticket: | 0 | Billable?: | yes |
| Total Hours: | 0.5 | | |
Description
This failed email has just been returned:
From: Mail Delivery System <Mailer-Daemon@parrot.webarch.net>
Date: Fri, 28 Mar 2014 18:14:32 +0000
To: recon@parrot.webarch.net
Subject: Mail delivery failed: returning message to sender

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

  fionaward@transitionnetwork.org
    SMTP error from remote mail server after end of data:
    host mx1.spamfiltering.com [72.249.150.158]: 550 An address in this message (at sleepingteensex . com) is listed on sbl-multi.rbl.spamrl.com. Please organise removal and retry.

------ This is a copy of the message, including all the headers. ------

Return-path: <recon@parrot.webarch.net>
Received: from recon (uid=1006) by parrot.webarch.net with local (Exim 4.80) (envelope-from <recon@parrot.webarch.net>) id 1WTbIM-0001Sz-6R for fionaward@transitionnetwork.org; Fri, 28 Mar 2014 18:14:22 +0000
To: fionaward@transitionnetwork.org
Subject: roulette89
X-PHP-Originating-Script: 1006:class-phpmailer.php
Date: Fri, 28 Mar 2014 18:14:22 +0000
From: casino10 <fmzsb@www.reconomy.org>
Message-ID: <28cbb75557094e41d2f5e7e070dcd660@www.reconomy.org>
X-Priority: 3
X-Mailer: PHPMailer 5.2.4 (http://code.google.com/a/apache-extras.org/p/phpmailer/)
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=UTF-8

From: casino10 <fmzsb@www.reconomy.org>
Subject: roulette89

Message Body (Russian, translated):
internet casino slot machines roulette foreign <a href= http://pobedim11.sleepingteensex.com/item280.html >can you play slot machines on the internet for money</a> slot machines via internet 3g also <a href= http://pobedim11.sleepingteensex.com >New Slot Machine</a> casino internet Kazan.

--
This mail is sent via contact form on REconomy http://www.reconomyproject.org
Change History
comment:1 Changed 3 years ago by chris
- Add Hours to Ticket changed from 0.0 to 0.15
- Total Hours changed from 0.0 to 0.15
comment:3 follow-up: ↓ 4 Changed 3 years ago by laura

Not sure if this is the same issue that Fi contacted me about this weekend (contact form spam: Fi receiving some odd messages in Russian), so as a temp fix until back at the desk next week, have added some Akismet checks to the name/email field for the contact form (it's really basic and may not make any difference) and the simple quiz.

There is a more secure contact form plugin which I may set up and config this week which works well to thwart spammers (e.g. it works better with Akismet, as Contact Form 7 isn't that great when spammers start using the form; it also has a hidden but screenreader-accessible field for trapping bots, and other elements too: https://wordpress.org/plugins/si-contact-form/), and if needed can add Perishable Press's 5G blacklist to .htaccess too.

Laura

On 29/03/2014 20:17, Transition Technology Trac wrote:
> #709: Reconomy sites appear to be sending out spam
> -------------------------------------+-------------------------------------
> Reporter: chris | Owner: chris
> Type: maintenance | Status: new
> Priority: critical | Milestone: Maintenance
> Component: Parrot server | Keywords:
> Resolution: | Add Hours to Ticket: 0
> Estimated Number of Hours: 0.0 | Total Hours: 0.15
> Billable?: 1
> -------------------------------------+-------------------------------------
> Changes (by ed):
>
> * cc: sam (added)
comment:4 in reply to: ↑ 3 Changed 3 years ago by chris
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 0.15 to 0.4
Replying to laura:

> Not sure if this is the same issue that Fi contacted me about this
> weekend (contact form spam - Fi receiving some odd messages in Russian)

Yes, I expect it will be; the messages she will have got will be the ones that got through the filters at the transitionnetwork.org mailserver, mx1.spamfiltering.com.

> - so as a temp fix until back at the desk next week, have added some
> Akismet checks to the name/email field for the contact form (it's really
> basic and may not make any difference) and the simple quiz.

I got three returned emails yesterday, see the end of this message.

> There is a more secure contact form plugin which I may set up and config
> this week which works well to thwart spammers (e.g. works better with
> Akismet as Contact Form 7 isn't that great when spammers start using the
> form, it also has a hidden but accessible for screenreaders field for
> trapping bots and other elements too
> https://wordpress.org/plugins/si-contact-form/), and if needed can add
> Perishable Press's 5G blacklist to htaccess too.

Thanks. Looking at the emails below, it does look like a spam bot has signed up for an account and then used the contact form to send an email to fionaward@…, and then the transitionnetwork.org mailserver at mx1.spamfiltering.com has bounced it back to the web server's root email address, as the messages contain "An address in this message (at sleepingteensex . com) is listed on sbl-multi.rbl.spamrl.com".
These are the three returned emails from yesterday:
From: Mail Delivery System <Mailer-Daemon@parrot.webarch.net>
Date: Sun, 30 Mar 2014 00:51:49 +0000
To: recon@parrot.webarch.net
Subject: Mail delivery failed: returning message to sender

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

  fionaward@transitionnetwork.org
    SMTP error from remote mail server after end of data:
    host mx1.spamfiltering.com [212.113.130.124]: 550 An address in this message (at sleepingteensex . com) is listed on sbl-multi.rbl.spamrl.com. Please organise removal and retry.

------ This is a copy of the message, including all the headers. ------

Return-path: <recon@parrot.webarch.net>
Received: from recon (uid=1006) by parrot.webarch.net with local (Exim 4.80) (envelope-from <recon@parrot.webarch.net>) id 1WU3yO-0003lS-52 for fionaward@transitionnetwork.org; Sun, 30 Mar 2014 00:51:40 +0000
To: fionaward@transitionnetwork.org
Subject: slots27
X-PHP-Originating-Script: 1006:class-phpmailer.php
Date: Sun, 30 Mar 2014 00:51:40 +0000
From: roulette40 <mtollui@www.reconomy.org>
Message-ID: <c2f84bd0a251e665b87ed4dade5f3ded@www.reconomy.org>
X-Priority: 3
X-Mailer: PHPMailer 5.2.4 (http://code.google.com/a/apache-extras.org/p/phpmailer/)
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=UTF-8

From: roulette40 <mtollui@www.reconomy.org>
Subject: slots27

Message Body (Russian, translated):
internet casino gambling, slot machines free registration <a href= http://pobedim15.sleepingteensex.com/item1393.html >play Vulkan slot machines online for money</a> slot machines play free www <a href= http://pobedim15.sleepingteensex.com >Frogs Slot Machines</a>

--
This mail is sent via contact form on REconomy http://www.reconomyproject.org

From: Mail Delivery System <Mailer-Daemon@parrot.webarch.net>
Date: Sun, 30 Mar 2014 09:03:29 +0100
To: recon@parrot.webarch.net
Subject: Mail delivery failed: returning message to sender

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

  fionaward@transitionnetwork.org
    SMTP error from remote mail server after end of data:
    host mx1.spamfiltering.com [72.249.150.158]: 550 An address in this message (at sleepingteensex . com) is listed on sbl-multi.rbl.spamrl.com. Please organise removal and retry.

------ This is a copy of the message, including all the headers. ------

Return-path: <recon@parrot.webarch.net>
Received: from recon (uid=1006) by parrot.webarch.net with local (Exim 4.80) (envelope-from <recon@parrot.webarch.net>) id 1WUAiD-0004qV-3r for fionaward@transitionnetwork.org; Sun, 30 Mar 2014 09:03:25 +0100
To: fionaward@transitionnetwork.org
Subject: poker3
X-PHP-Originating-Script: 1006:class-phpmailer.php
Date: Sun, 30 Mar 2014 08:03:25 +0000
From: slot7 <lxabaf@www.reconomy.org>
Message-ID: <bd0b74beb416f4aec759cfbde93516d1@www.reconomy.org>
X-Priority: 3
X-Mailer: PHPMailer 5.2.4 (http://code.google.com/a/apache-extras.org/p/phpmailer/)
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=UTF-8

From: slot7 <lxabaf@www.reconomy.org>
Subject: poker3

Message Body (Russian, translated):
slot machine One-Eyed Joe <a href= http://pobedim16.sleepingteensex.com/entry1056.html >slot machines for money for Android</a> gambling slot machines play free online <a href= http://pobedim16.sleepingteensex.com/entry1352.html >online games long backgammon for money</a>

--
This mail is sent via contact form on REconomy http://www.reconomyproject.org

From: Mail Delivery System <Mailer-Daemon@parrot.webarch.net>
Date: Sun, 30 Mar 2014 09:27:34 +0100
To: recon@parrot.webarch.net
Subject: Mail delivery failed: returning message to sender

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

  fionaward@transitionnetwork.org
    SMTP error from remote mail server after end of data:
    host mx1.spamfiltering.com [212.113.130.124]: 550 An address in this message (at sleepingteensex . com) is listed on sbl-multi.rbl.spamrl.com. Please organise removal and retry.

------ This is a copy of the message, including all the headers. ------

Return-path: <recon@parrot.webarch.net>
Received: from recon (uid=1006) by parrot.webarch.net with local (Exim 4.80) (envelope-from <recon@parrot.webarch.net>) id 1WUB5X-0005v2-Te for fionaward@transitionnetwork.org; Sun, 30 Mar 2014 09:27:31 +0100
To: fionaward@transitionnetwork.org
Subject: roulette97
X-PHP-Originating-Script: 1006:class-phpmailer.php
Date: Sun, 30 Mar 2014 08:27:31 +0000
From: slot26 <jahpll@www.reconomy.org>
Message-ID: <ef6b87b1857fa47f7019f3155811835a@www.reconomy.org>
X-Priority: 3
X-Mailer: PHPMailer 5.2.4 (http://code.google.com/a/apache-extras.org/p/phpmailer/)
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=UTF-8

From: slot26 <jahpll@www.reconomy.org>
Subject: roulette97

Message Body (Russian, translated):
casino melonati or online casino with no-deposit bonus <a href= http://baraban12.sleepingteensex.com/info890.html >play poker online for real money reviews forum</a> casino goldsmir <a href= http://baraban12.sleepingteensex.com >Slots play for money roubles</a>

--
This mail is sent via contact form on REconomy http://www.reconomyproject.org
The Transition Culture site also appears to be sending out spam, see ticket:656; Sam installed Wordfence to block it there.

I have glanced through the logs and haven't found the POST/GETs related to this spam. My guess would be that the site has been compromised, but more time is needed to track the cause of this down.
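The bounces above carry enough to find the request that triggered each message: `X-PHP-Originating-Script: 1006:class-phpmailer.php` (added by PHP when `mail.add_x_header` is on in php.ini) says PHP running as uid 1006, the `recon` site user, handed the mail to Exim through PHPMailer, and the `Received`/`Date` headers give the submission time and Exim queue id. The `Message-ID` is also what to grep for in the Exim mainlog (`grep -F 'id=<Message-ID>' /var/log/exim4/mainlog`) for the messages that reached Fi without bouncing. The Python below is an added example, not code from this ticket, Exim or WordPress: it parses those fields out of a bounce, confirms the Message-ID against an Exim mainlog, and lists the POSTs in the vhost access log in the two minutes before submission. The bounce headers, mainlog and access log it runs on are constructed samples (documentation IP addresses) shaped like the second bounce above; the mainlog is assumed to be stamped in UTC, and the 120-second window is a chosen default.

```python
"""Tie a PHPMailer spam bounce back to the web request that sent it.
Added example for ticket #709 (not from the ticket, Exim or WordPress); the
three inputs are constructed samples using RFC 5737 documentation addresses."""
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Headers of the bounced copy, shaped like the second bounce in the ticket.
SAMPLE_BOUNCE = """\
Return-path: <recon@parrot.webarch.net>
Received: from recon (uid=1006) by parrot.webarch.net with local (Exim 4.80)
    (envelope-from <recon@parrot.webarch.net>) id 1WU3yO-0003lS-52
    for fionaward@transitionnetwork.org; Sun, 30 Mar 2014 00:51:40 +0000
X-PHP-Originating-Script: 1006:class-phpmailer.php
Date: Sun, 30 Mar 2014 00:51:40 +0000
From: roulette40 <mtollui@www.reconomy.org>
Message-ID: <c2f84bd0a251e665b87ed4dade5f3ded@www.reconomy.org>
"""
# Exim mainlog: the "<=" line is the local submission and carries the Message-ID.
EXIM_MAINLOG = """\
2014-03-30 00:51:40 1WU3yO-0003lS-52 <= recon@parrot.webarch.net U=recon P=local S=1608 id=c2f84bd0a251e665b87ed4dade5f3ded@www.reconomy.org
2014-03-30 00:51:49 1WU3yO-0003lS-52 ** fionaward@transitionnetwork.org R=dnslookup T=remote_smtp: SMTP error from remote mail server after end of data: host mx1.spamfiltering.com [212.113.130.124]: 550 An address in this message (at sleepingteensex . com) is listed on sbl-multi.rbl.spamrl.com.
"""
# Apache combined-format access log of the www.reconomy.org vhost.
ACCESS_LOG = """\
198.51.100.7 - - [30/Mar/2014:00:49:02 +0000] "GET /contact/ HTTP/1.1" 200 14213 "-" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.45 - - [30/Mar/2014:00:51:38 +0000] "GET /contact/ HTTP/1.1" 200 14213 "-" "Mozilla/5.0 (Windows NT 5.1; rv:10.0)"
203.0.113.45 - - [30/Mar/2014:00:51:39 +0000] "POST /contact/ HTTP/1.1" 200 14400 "http://www.reconomy.org/contact/" "Mozilla/5.0 (Windows NT 5.1; rv:10.0)"
192.0.2.9 - - [30/Mar/2014:01:10:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3150 "-" "python-requests/1.2.3"
"""

EXIM_SUBMIT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<id>\S+) <= (?P<rest>.*)$")
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')


def parse_bounce(bounce):
    """Pull the fields from the bounced copy that identify the local submission."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", bounce)  # join folded header lines

    def header(name):
        m = re.search(r"^%s:\s*(.+)$" % re.escape(name), unfolded, re.M | re.I)
        return m.group(1).strip() if m else ""

    exim_id = re.search(r"\bid (\S+)", header("Received"))
    # X-PHP-Originating-Script is set by php.ini mail.add_x_header as "<uid>:<script>".
    uid, _, script = header("X-PHP-Originating-Script").partition(":")
    date = header("Date")
    return {
        "exim_id": exim_id.group(1) if exim_id else None,
        "message_id": header("Message-ID").strip("<>"),
        "script_uid": int(uid) if uid.isdigit() else None,
        "script_name": script or None,
        "date": parsedate_to_datetime(date) if date else None,
    }


def find_submission(mainlog, message_id, log_tz=timezone.utc):
    """Find the '<=' line for message_id; also works for mail that never bounced.
    Exim logs local time unless configured otherwise, so the zone is a parameter
    (UTC assumed); the +0100 bounces in the ticket show BST began that morning."""
    for line in mainlog.splitlines():
        m = EXIM_SUBMIT_RE.match(line)
        if m and "id=" + message_id in m.group("rest").split():
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            return {"exim_id": m.group("id"), "received_at": ts.replace(tzinfo=log_tz)}
    return None


def find_candidate_requests(access_log, sent_at, window=timedelta(seconds=120)):
    """POSTs that hit the vhost within `window` before the mail reached Exim."""
    hits = []
    for m in filter(None, map(APACHE_RE.match, access_log.splitlines())):
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if rec["method"] == "POST" and sent_at - window <= rec["ts"] <= sent_at:
            hits.append(rec)
    return hits


def correlate(bounce, mainlog, access_log, window=timedelta(seconds=120)):
    """Bounce -> Message-ID -> Exim submission -> nearby POSTs in the access log."""
    info = parse_bounce(bounce)
    sub = find_submission(mainlog, info["message_id"])
    if sub and info["exim_id"] and sub["exim_id"] != info["exim_id"]:
        raise ValueError("bounce and mainlog disagree on the Exim queue id")
    sent_at = info["date"] or (sub["received_at"] if sub else None)  # Date has a zone
    if sent_at is None:
        raise ValueError("no submission time for " + info["message_id"])
    info["submission"] = sub
    info["candidates"] = find_candidate_requests(access_log, sent_at, window)
    return info


if __name__ == "__main__":
    result = correlate(SAMPLE_BOUNCE, EXIM_MAINLOG, ACCESS_LOG)
    print("uid %(script_uid)s via %(script_name)s, Exim id %(exim_id)s" % result)
    for r in result["candidates"]:
        print(r["ts"].isoformat(), r["ip"], r["method"], r["path"], r["ua"])
```

On the sample data the only candidate is the POST to `/contact/` from 203.0.113.45 one second before Exim accepted the message, which is the footprint a contact-form abuser leaves. Compare times with their offsets rather than as wall-clock strings: the third and fourth bounces are stamped +0100 because the clocks changed at 01:00 UTC that morning. If the window around a submission contains no POST to the vhost at all, the mail was not triggered by a web request to that site (cron, a script under another path, or the CLI), which is a different investigation from contact-form abuse.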