Spammer problems!
About a week ago I was getting some strange-looking spam in my email box. The spam was being sent through a simple PHP web form on my website. I noticed that the BCC: field was being manipulated and there were multi-MIME-type messages being added somehow. So I immediately moved to secure and tighten the validation on my webmail PHP script. I had actually been receiving a lot of blank messages for weeks due to the poor JavaScript validation I was using. I finally had it reprogrammed to actually check the MX record of any email address given, and also to validate not with JavaScript but using PHP instead, more specifically using a PEAR package called Validate. I noticed that the next day I was not getting any blank emails or spam emails from my web form anymore.
The next day a spammer signed up for a hosting account using my automatic package setup script (whmautopilot). At that time I had disabled the security setting that disallows the user nobody from sending out emails (generally this means that PHP scripts are not allowed to send email) in Tweak Settings under Web Host Manager. The reason I disabled this feature was because I had a client that needed a custom mailing list PHP script written, and it would not work without disabling this security feature.
The spammer signed up for the hosting account and immediately uploaded a PHP script called Mail Merge, which he used to send out 1870 mails between 10:00 AM and 11:00 AM (according to mail statistics within Web Host Manager). I don't know why he stopped there, but about 8 hours later I came home and saw that dsdsd.com had signed up for a hosting account and immediately became suspicious. I checked it out and he had put dsadsad.com for all contact information as well. He had also used an odd name with his PayPal account, Vincent Gallegor. I checked that he had uploaded the mail scripts, checked mail statistics and deleted his account.
I immediately tested to see if I could send out emails to an external address. I tried sending an email to hotmail.com and saw that the email was not going through. I sent a message to a Yahoo account and it worked, and I also sent one to a Belgian ISP and that also went through OK.
At this point I checked abuse.org and found a link to http://www.mxtools.com. I checked my server IP to see if it had been blacklisted. I noticed that blars.org had me blacklisted, but this was only one blacklist out of 127 checked. I emailed abuse@blars.org and noticed that every email was being rejected. So I tried emailing him from another email address other than the one on the server which was blacklisted. Still rejected. I am under the impression that he has everyone blacklisted, so then I became satisfied that being on this blacklist didn't mean much. I left it as an open issue to figure out why I could not send an email to a hotmail address.
I re-enabled the security feature located in Tweak Settings to disallow sending of email from the user nobody, to prevent spammers from sending out mail with PHP scripts like this in the future.
Today I noticed that the spammer had filed a complaint with PayPal to get his money back, and had signed up for a new account on my server using a different PayPal account and a different name. This time he used Ryan Watson as his name. He tried the same thing again, but this time his script obviously could not send out any emails. I immediately deleted his new account and filed questions with PayPal explaining what had happened for each transaction number.
I verified that email messages were being sent at normal levels, approximately 15-30 per hour. Suddenly I got a call from a customer explaining that she had just uploaded a PHP mail script to send emails out, and that the script was not working. She told me that the script worked fine on 3 other servers.
I then checked to see if I could send out any emails to external addresses again. Now I am getting a new error when sending an email to anyone using SquirrelMail (to test local sending):
Code:
This message was created automatically by mail delivery software. A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed: gbb_123@hotmail.com unrouteable mail domain "hotmail.com"
Obviously I highly suspect that this spammer has tried to implement some sort of hack out of spite, from not being able to spam anymore. However, I don't want to jump to that conclusion until I have fully tested other possibilities.
Any help in this matter would be greatly appreciated.
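The first part of the post (a form field carrying an injected BCC: header and a multipart MIME body, fixed by moving validation from client-side JavaScript into PHP) is the classic PHP mail() header-injection problem. The following is an added example, not the poster's webmail script or the PEAR Validate package: it shows a hypothetical contact-form handler the way it is usually written, beside a hardened version that rejects CR/LF in any header field, validates the address with PHP's built-in filter_var() (used here in place of PEAR Validate), optionally checks the domain's MX record with checkdnsrr(), and never lets user input into the From: header. The attack payload, the form field names and the destination address SITE_TO are all constructed for the demo. Both handlers return the assembled message instead of calling mail() so the effect can be inspected offline.

```php
<?php
// Added example, not the original poster's code. Shows how a PHP mail
// form is abused for header injection and how to harden it.
// Assumptions (hypothetical): the form posts `name`, `email`, `message`;
// SITE_TO is the site's own mailbox; a real handler would pass the
// returned array to mail($to, $subject, $body, $headers).

const SITE_TO = 'webmaster@example.com'; // hypothetical site address

// --- Vulnerable handler: the submitted address goes straight into headers.
function send_vulnerable(array $post): array
{
    $headers = "From: " . $post['email'] . "\r\n";
    return [
        'to'      => SITE_TO,
        'subject' => 'Contact form',
        'body'    => $post['message'],
        'headers' => $headers,
    ];
}

// --- Hardened handler ---------------------------------------------------

// A CR, LF or NUL in a header value lets the sender start new header
// lines (Bcc:, Content-Type:, ...) or terminate the header block early.
function contains_crlf(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

// Syntax check with filter_var(), plus an optional DNS check that the
// domain can actually receive mail (MX, or A as the RFC fallback).
// checkdnsrr() needs network access, so the demo below passes $check_mx=false.
function validate_email(string $email, bool $check_mx = true): bool
{
    if (contains_crlf($email)) {
        return false;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    if ($check_mx) {
        $domain = substr(strrchr($email, '@'), 1);
        if (!checkdnsrr($domain, 'MX') && !checkdnsrr($domain, 'A')) {
            return false;
        }
    }
    return true;
}

// Returns the message array, or null when the submission is rejected.
function send_hardened(array $post, bool $check_mx = true): ?array
{
    foreach (['name', 'email', 'message'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return null;
        }
    }
    if (!validate_email($post['email'], $check_mx) || contains_crlf($post['name'])) {
        return null;
    }
    // Fixed From: under our control; the validated user address only goes
    // into Reply-To:, and the free-text message only into the body.
    $headers = "From: " . SITE_TO . "\r\n"
             . "Reply-To: " . $post['email'] . "\r\n";
    return [
        'to'      => SITE_TO,
        'subject' => 'Contact form from ' . $post['name'],
        'body'    => $post['message'],
        'headers' => $headers,
    ];
}

// --- Demo with a constructed injection payload ---------------------------
$attack = [
    'name'    => 'x',
    // One form field carrying extra header lines and a multipart declaration.
    'email'   => "joe@example.com\r\n"
               . "Bcc: victim1@example.net, victim2@example.net\r\n"
               . "Content-Type: multipart/mixed; boundary=\"XYZ\"",
    'message' => "--XYZ\r\nContent-Type: text/html\r\n\r\n<b>spam</b>\r\n--XYZ--",
];

$v = send_vulnerable($attack);
// $v['headers'] now contains an injected Bcc: line and a multipart Content-Type.
echo "vulnerable headers:\n" . $v['headers'] . "\n";

var_dump(send_hardened($attack, false) === null);                              // true: rejected
var_dump(send_hardened(['name' => 'Jane', 'email' => 'jane@example.org',
                        'message' => 'Hello'], false) !== null);               // true: accepted
```

The MX check catches the blank or garbage addresses the post mentions but does nothing against header injection on its own; the CR/LF check and the fixed From: header are what stop the BCC: and MIME manipulation, which is why both belong in the server-side handler rather than in JavaScript the sender can skip.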