Ticket #709 (closed maintenance: fixed)

Opened 22 months ago

Last modified 20 months ago

Reconomy site appears to be sending out spam

Reported by: chris
Owned by: chris
Priority: minor
Milestone: Maintenance
Component: Parrot server
Keywords:
Cc: ed, laura, sam
Estimated Number of Hours: 0.0
Add Hours to Ticket: 0
Billable?: yes
Total Hours: 0.5

Description

This failed email has just been returned:

From: Mail Delivery System <Mailer-Daemon@parrot.webarch.net>
Date: Fri, 28 Mar 2014 18:14:32 +0000
To: recon@parrot.webarch.net
Subject: Mail delivery failed: returning message to sender

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  fionaward@transitionnetwork.org
    SMTP error from remote mail server after end of data:
    host mx1.spamfiltering.com [72.249.150.158]:
    550 An address in this message (at sleepingteensex . com) is listed on sbl-multi.rbl.spamrl.com. Please organise removal and retry.

------ This is a copy of the message, including all the headers. ------

Return-path: <recon@parrot.webarch.net>
Received: from recon (uid=1006)
        by parrot.webarch.net with local (Exim 4.80)
        (envelope-from <recon@parrot.webarch.net>)
        id 1WTbIM-0001Sz-6R
        for fionaward@transitionnetwork.org; Fri, 28 Mar 2014 18:14:22 +0000
To: fionaward@transitionnetwork.org
Subject: roulette89
X-PHP-Originating-Script: 1006:class-phpmailer.php
Date: Fri, 28 Mar 2014 18:14:22 +0000
From: casino10 <fmzsb@www.reconomy.org>
Message-ID: <28cbb75557094e41d2f5e7e070dcd660@www.reconomy.org>
X-Priority: 3
X-Mailer: PHPMailer 5.2.4 (http://code.google.com/a/apache-extras.org/p/phpmailer/)
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=UTF-8

From: casino10 <fmzsb@www.reconomy.org>
Subject: roulette89

Message Body:
интернет казино игровые автоматы рулетка зарубежный <a href= http://pobedim11.sleepingteensex.com/item280.html >можно ли играть в игровые автоматы в интернете на деньги</a> игровые автоматы через интернет 3g еще <a href= http://pobedim11.sleepingteensex.com >Новый Игровой Автомат</a> казино интернет казань.

--
This mail is sent via contact form on REconomy http://www.reconomyproject.org

Change History

comment:1 Changed 22 months ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.15
  • Total Hours changed from 0.0 to 0.15

The Transition Culture site also appears to be sending out spam, see ticket:656; Sam installed Wordfence to block it there.

I have glanced through the logs and haven't found the POST/GETs related to this spam; my guess would be that the site has been compromised, but more time is needed to track the cause of this down.

comment:2 Changed 22 months ago by ed

  • Cc sam added

comment:3 follow-up: ↓ 4 Changed 22 months ago by laura

Not sure if this is the same issue that Fi contacted me about this weekend (contact form spam - Fi receiving some odd messages in Russian), so as a temp fix until back at the desk next week, have added some Akismet checks to the name/email field for the contact form (It's really basic and may not make any difference) and the simple quiz.

There is a more secure contact form plugin which I may set up and config this week which works well to thwart spammers (eg - works better with Akismet as Contact Form 7 isn't that great when spammers start using the form, it also has a hidden but accessible for screenreaders field for trapping bots and other elements too https://wordpress.org/plugins/si-contact-form/), and if needed can add Perishable Press's 5G blacklist to htaccess too.

Laura

comment:4 in reply to: ↑ 3 Changed 22 months ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 0.15 to 0.4

Replying to laura:

> Not sure if this is the same issue that Fi contacted me about this
> weekend (contact form spam - Fi receiving some odd messages in Russian)

Yes I expect it will be, the messages she will have got will be the ones that got through the filters at the transitionnetwork.org mailserver - mx1.spamfiltering.com.

> so as a temp fix until back at the desk next week, have added some
> Akismet checks to the name/email field for the contact form (It's really
> basic and may not make any difference) and the simple quiz.

I got three returned emails yesterday, see the end of this message.

> There is a more secure contact form plugin which I may set up and config
> this week which works well to thwart spammers (eg - works better with
> Akismet as Contact Form 7 isn't that great when spammers start using the
> form, it also has a hidden but accessible for screenreaders field for
> trapping bots and other elements too
> https://wordpress.org/plugins/si-contact-form/), and if needed can add
> Perishable Press's 5G blacklist to htaccess too.

Thanks, looking at the emails below it does look like a spam bot has signed up for an account and then used the contact form to send an email to fionaward@…, and then the transitionnetwork.org mailserver at mx1.spamfiltering.com has bounced it back to the web server's root email address as the messages contain "An address in this message (at sleepingteensex . com) is listed on sbl-multi.rbl.spamrl.com".

These are the three returned emails from yesterday:

From: Mail Delivery System <Mailer-Daemon@parrot.webarch.net>
Date: Sun, 30 Mar 2014 00:51:49 +0000
To: recon@parrot.webarch.net
Subject: Mail delivery failed: returning message to sender

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  fionaward@transitionnetwork.org
    SMTP error from remote mail server after end of data:
    host mx1.spamfiltering.com [212.113.130.124]:
    550 An address in this message (at sleepingteensex . com) is listed on sbl-multi.rbl.spamrl.com. Please organise removal and retry.

------ This is a copy of the message, including all the headers. ------

Return-path: <recon@parrot.webarch.net>
Received: from recon (uid=1006)
        by parrot.webarch.net with local (Exim 4.80)
        (envelope-from <recon@parrot.webarch.net>)
        id 1WU3yO-0003lS-52
        for fionaward@transitionnetwork.org; Sun, 30 Mar 2014 00:51:40 +0000
To: fionaward@transitionnetwork.org
Subject: slots27
X-PHP-Originating-Script: 1006:class-phpmailer.php
Date: Sun, 30 Mar 2014 00:51:40 +0000
From: roulette40 <mtollui@www.reconomy.org>
Message-ID: <c2f84bd0a251e665b87ed4dade5f3ded@www.reconomy.org>
X-Priority: 3
X-Mailer: PHPMailer 5.2.4 (http://code.google.com/a/apache-extras.org/p/phpmailer/)
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=UTF-8

From: roulette40 <mtollui@www.reconomy.org>
Subject: slots27

Message Body:
интернет казино gambling, игровые автоматы бесплатно регистрации <a href= http://pobedim15.sleepingteensex.com/item1393.html >играть в игровые автоматы вулкан онлайн на деньги</a> игровые автоматы играть бесплатно www <a href= http://pobedim15.sleepingteensex.com >Лягушки Игровые Автоматы</a>

--
This mail is sent via contact form on REconomy http://www.reconomyproject.org

From: Mail Delivery System <Mailer-Daemon@parrot.webarch.net>
Date: Sun, 30 Mar 2014 09:03:29 +0100
To: recon@parrot.webarch.net
Subject: Mail delivery failed: returning message to sender

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  fionaward@transitionnetwork.org
    SMTP error from remote mail server after end of data:
    host mx1.spamfiltering.com [72.249.150.158]:
    550 An address in this message (at sleepingteensex . com) is listed on sbl-multi.rbl.spamrl.com. Please organise removal and retry.

------ This is a copy of the message, including all the headers. ------

Return-path: <recon@parrot.webarch.net>
Received: from recon (uid=1006)
        by parrot.webarch.net with local (Exim 4.80)
        (envelope-from <recon@parrot.webarch.net>)
        id 1WUAiD-0004qV-3r
        for fionaward@transitionnetwork.org; Sun, 30 Mar 2014 09:03:25 +0100
To: fionaward@transitionnetwork.org
Subject: poker3
X-PHP-Originating-Script: 1006:class-phpmailer.php
Date: Sun, 30 Mar 2014 08:03:25 +0000
From: slot7 <lxabaf@www.reconomy.org>
Message-ID: <bd0b74beb416f4aec759cfbde93516d1@www.reconomy.org>
X-Priority: 3
X-Mailer: PHPMailer 5.2.4 (http://code.google.com/a/apache-extras.org/p/phpmailer/)
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=UTF-8

From: slot7 <lxabaf@www.reconomy.org>
Subject: poker3

Message Body:
игровой автомат одноглазый джо <a href= http://pobedim16.sleepingteensex.com/entry1056.html >игровые автоматы на деньги для андроид</a> азартные игры игровые автоматы играть бесплатно онлайн <a href= http://pobedim16.sleepingteensex.com/entry1352.html >игры онлайн нарды длинные на деньги</a>

--
This mail is sent via contact form on REconomy http://www.reconomyproject.org

From: Mail Delivery System <Mailer-Daemon@parrot.webarch.net>
Date: Sun, 30 Mar 2014 09:27:34 +0100
To: recon@parrot.webarch.net
Subject: Mail delivery failed: returning message to sender

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  fionaward@transitionnetwork.org
    SMTP error from remote mail server after end of data:
    host mx1.spamfiltering.com [212.113.130.124]:
    550 An address in this message (at sleepingteensex . com) is listed on sbl-multi.rbl.spamrl.com. Please organise removal and retry.

------ This is a copy of the message, including all the headers. ------

Return-path: <recon@parrot.webarch.net>
Received: from recon (uid=1006)
        by parrot.webarch.net with local (Exim 4.80)
        (envelope-from <recon@parrot.webarch.net>)
        id 1WUB5X-0005v2-Te
        for fionaward@transitionnetwork.org; Sun, 30 Mar 2014 09:27:31 +0100
To: fionaward@transitionnetwork.org
Subject: roulette97
X-PHP-Originating-Script: 1006:class-phpmailer.php
Date: Sun, 30 Mar 2014 08:27:31 +0000
From: slot26 <jahpll@www.reconomy.org>
Message-ID: <ef6b87b1857fa47f7019f3155811835a@www.reconomy.org>
X-Priority: 3
X-Mailer: PHPMailer 5.2.4 (http://code.google.com/a/apache-extras.org/p/phpmailer/)
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=UTF-8

From: slot26 <jahpll@www.reconomy.org>
Subject: roulette97

Message Body:
казино мелонати или онлайн казино с бездепозитным бонусом <a href= http://baraban12.sleepingteensex.com/info890.html >играть покер онлайн на реальные деньги отзывы форум</a> казино goldsmir <a href= http://baraban12.sleepingteensex.com >Слоты играть на деньги рубли</a>

--
This mail is sent via contact form on REconomy http://www.reconomyproject.org
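Picking up chris's note in comment:1 that a glance through the logs did not turn up the POST/GETs behind this spam: each bounce carries the Date and X-PHP-Originating-Script of the message Exim accepted locally, so one way to narrow the search is to pull those headers from a bounce and list POSTs to the contact form that the web server logged within a few seconds of that time. This is an added example, not anything from the ticket; the bounce excerpt is modelled on the headers above, the access-log lines are constructed, and the /contact/ path and client IPs are hypothetical.

```python
"""Correlate PHPMailer bounce headers with web-server POSTs (added example)."""
import re
from datetime import datetime, timedelta

# Constructed sample: the header block of a bounce like those in this ticket.
BOUNCE = """\
Received: from recon (uid=1006)
        by parrot.webarch.net with local (Exim 4.80)
        id 1WU3yO-0003lS-52
        for fionaward@transitionnetwork.org; Sun, 30 Mar 2014 00:51:40 +0000
To: fionaward@transitionnetwork.org
Subject: slots27
X-PHP-Originating-Script: 1006:class-phpmailer.php
Date: Sun, 30 Mar 2014 00:51:40 +0000
From: roulette40 <mtollui@www.reconomy.org>
"""

# Constructed Apache combined-log lines (hypothetical path and client IPs).
ACCESS_LOG = """\
203.0.113.7 - - [30/Mar/2014:00:51:38 +0000] "POST /contact/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [30/Mar/2014:00:51:39 +0000] "GET /about/ HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Mar/2014:01:30:00 +0000] "POST /contact/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

HDR = re.compile(r"^([\w-]+):\s*(.*)$", re.M)  # top-level headers only; continuations are indented
LOG = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})')

def parse_bounce(text):
    """Return the headers that identify the sending script and send time."""
    hdrs = dict(HDR.findall(text))
    sent = datetime.strptime(hdrs["Date"], "%a, %d %b %Y %H:%M:%S %z")
    return {"script": hdrs.get("X-PHP-Originating-Script"),
            "from": hdrs.get("From"), "sent": sent}

def correlate(bounce_text, access_log, window=timedelta(seconds=30)):
    """POST requests logged within `window` of the bounced mail's Date header."""
    sent = parse_bounce(bounce_text)["sent"]
    hits = []
    for line in access_log.splitlines():
        m = LOG.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if method == "POST" and abs(when - sent) <= window:
            hits.append((ip, path, ts))
    return hits
```

Run it over the real bounces and the day's access log and the surviving POSTs are the requests (and client IPs) to look at first, before concluding the site itself is compromised.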

comment:5 Changed 22 months ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.1
  • Priority changed from critical to minor
  • Total Hours changed from 0.4 to 0.5

No new bounces, downgrading Priority to minor.

comment:6 Changed 20 months ago by chris

  • Status changed from new to closed
  • Resolution set to fixed

This is no longer an issue.
