Welcome to the JaguarPC Community
This is a discussion on Is this normal? in the Shared & Semi-Dedicated forum

  1. #1 JPC Senior Member (Join Date Oct 2003, Location Alaska, Posts 82)

    Is this normal?

    I'm pretty sure this isn't.

    I've been developing a new website, but each page is around 2k, if that.
    Starting on the 13th of January, my hits per day went from 500 at the most to almost 46000. Every day after that my hits per day have been floating between 10000 and 30000. I checked my webalizer, and I noticed this under the Top 30 URLs. All of the URLs are formatted like this...
    Top 30 of 57782 Total URLs
    # Hits %Hits KBytes %KBytes URL
    1 3340 1.46% 11824 1.40% /
    2 2110 0.92% 7552 0.89% 64.18.5.10:25
    3 1857 0.81% 6646 0.79% 65.54.252.99:25
    4 1820 0.80% 6514 0.77% 64.18.4.10:25
    5 1809 0.79% 6475 0.77% 64.4.50.50:25
    6 1785 0.78% 6389 0.76% 64.4.50.99:25
    7 1757 0.77% 6288 0.74% 65.54.166.99:25
    8 1727 0.76% 6181 0.73% 65.54.252.230:25
    9 1723 0.76% 6167 0.73% 65.54.166.230:25
    10 1702 0.75% 6092 0.72% 65.54.190.7:25
    11 1578 0.69% 5648 0.67% 65.54.190.50:25
    12 1435 0.63% 5136 0.61% 64.4.50.239:25
    13 1413 0.62% 5057 0.60% 65.54.253.99:25
    14 1408 0.62% 5039 0.60% 65.54.167.5:25
    15 1345 0.59% 4814 0.57% 64.4.50.179:25
    16 1324 0.58% 4739 0.56% 65.54.167.230:25
    17 1276 0.56% 4567 0.54% 65.54.190.230:25
    18 1233 0.54% 2352 0.28% /farscapeover.gif
    19 1232 0.54% 4409 0.52% 65.54.253.230:25
    20 1207 0.53% 4320 0.51% 65.54.190.179:25
    21 1053 0.46% 3769 0.45% 64.18.7.10:25
    22 774 0.34% 2770 0.33% 64.18.6.10:25
    23 620 0.27% 2219 0.26% 216.168.230.137:25
    24 596 0.26% 2133 0.25% 207.44.208.4:25
    25 588 0.26% 2105 0.25% 209.124.203.76:25
    26 557 0.24% 1994 0.24% 216.219.254.203:25
    27 553 0.24% 1979 0.23% 209.124.203.79:25
    28 544 0.24% 1947 0.23% 208.45.133.107:25
    29 543 0.24% 1943 0.23% 209.124.203.47:25
    30 524 0.23% 1875 0.22% 209.124.203.46:25
    Notice all the port 25s? Is my mail server being used for bad things? I'm going to report this too.
    "Play the best song in the world, or I'll eat your soul."
    I am a D fan in the arctic wastes of Alaska.

  2. #2 JPC Senior Member (Join Date Oct 2003, Location Alaska, Posts 82)
    Here's an example of my latest visitors log....

    Host: 82.80.252.152

    209.217.36.7:25
    Http Code: 200 Date: Jan 21 21:57:46 Http Version: HTTP/1.0 Size in Bytes: 3665
    Referer: -
    Agent: -

    208.49.24.14:25
    Http Code: 200 Date: Jan 21 21:58:08 Http Version: HTTP/1.0 Size in Bytes: 3665
    Referer: -
    Agent: -

    193.110.232.68:25
    Http Code: 200 Date: Jan 21 21:59:49 Http Version: HTTP/1.0 Size in Bytes: 3665
    Referer: -
    Agent: -

    62.134.61.33:25
    Http Code: 200 Date: Jan 21 21:59:53 Http Version: HTTP/1.0 Size in Bytes: 3665
    Referer: -
    Agent: -

  3. #3 JPC Senior Member (Join Date Oct 2003, Location Alaska, Posts 82)
    I changed my email passwords...will have to see if that helps.

  4. #4 JPC Senior Member (Join Date Oct 2003, Location Alaska, Posts 82)
    So I messaged support.

    They said that someone was probably spamming from my domain. Eek. I had one PHP page that uses a mail function, so that might've been it. I copied the folders to my local computer, and deleted the folders. I'll have to see if that works.

  5. #5 JPC Senior Member (Join Date Oct 2003, Location Alaska, Posts 82)
    After I took down the pages I got this....

    Host: 64.235.248.242

    200
    Http Code: "-" Date: Jan 22 00:54:24 Http Version: 3665 Size in Bytes: "-"
    Referer:
    Agent:
    The one thing I noticed is that the http version number is the same size as the size in bytes on the successful examples above.

  6. #6 JPC Senior Member (Join Date Oct 2003, Location Alaska, Posts 82)
    I know I'm talking to myself here, but I wanted to describe it in detail, just in case anyone else has this stuff going on.

    So after I deleted my folders, this kept on going. The only thing that resides on the server now are pictures. So I let support know again, and hopefully they'll have an answer for me soon.

  7. #7 Old Hillbilly Connie (Join Date Sep 2001, Location Hills of Missouri, Posts 2,648)
    Sorry for what happened and that you have had to talk to yourself about this. That doesn't normally happen in these forums.

    If you have a form mail script that is insecure, hackers can use your server to send spam through your server. I'm not sure if deleting the script will solve the current problem or not.

    The bad thing is, if someone reports the spam e-mail they have received in the right place, it could affect a lot of people on the server and their ability to send e-mail through the server. This may not happen, but it could.
    Last edited by Connie; 01-22-2005 at 10:16 PM.

    Forum Moderators - Jag Staff

    Spam Whackers Blog - Dedicated to fighting Spam and providing General SEO Tips
    Organize your Kitchen or purchase Kitchen Accessories at Condells
    Ihelpyou Forum - Dedicated to "Best Practices" SEO

  8. #8 JPC Senior Member (Join Date Oct 2003, Location Alaska, Posts 82)
    The only script I had was a .php page with the mail() function in it, you can actually see a sample of the code on the PHP - SQL forum. I had a question regarding it.

    It'll be a huge bummer if people's stuff gets blocked because of this...

  9. #9 JPC Senior Member (Join Date Oct 2003, Location Alaska, Posts 82)
    I created a topic on Antionline about this. Here is the link...

    http://www.antionline.com/showthread...hreadid=265484

  10. #10 Old Hillbilly Connie (Join Date Sep 2001, Location Hills of Missouri, Posts 2,648)
    From your other thread:
    Other then that, all the requests are made through http, and I have nothing in my logs concerning sent emails. There have been no bounce back messages either.
    Based on your statement, something else seems to be going on, but I don't know what.


  11. #11 JPC Senior Member (Join Date Oct 2003, Location Alaska, Posts 82)
    So I got a response back from support, and their solution was to block the IP addresses of the hosts making the requests. That's going to be tough, because they change every time, but it's the best I've got right now, so I'll give it a whirl.

  12. #12 || $name ne 'R.Stiltskin' (Join Date Jun 2003, Location Tejas, Posts 2,438)
    Since support said to try blocking IP addys to rid yourself of the pest and you have rightfully acknowledged that this is a bit cumbersome, might I suggest something a bit more radical?

    Try Apache mod_rewrite and deny all accesses that meet the following criteria:
    1. Port = '25'
    2. Agent = '-' or ''
    3. Referer = '-' or ''

    '' means quoted, non-extrapolated null.

    Not sure offhand the best way to write the rewrite rules other than to say it would be a series "anded" together using the HTTP headers in the request. See REQUEST_URI, SERVER_PORT, HTTP_USER_AGENT, HTTP_REFERER for their options. See Server-Variables.
    Something along these lines:
    Code:
    Options FollowSymLinks

    RewriteEngine On
    # Enabled to block SMTP abuse
    # The ":25" sits in the requested URL itself (e.g. 64.18.5.10:25); SERVER_PORT
    # is the port Apache listens on (80), so the port test must look at REQUEST_URI
    RewriteCond %{REQUEST_URI}  :25$
    RewriteCond %{HTTP_USER_AGENT}  ^$
    RewriteCond %{HTTP_REFERER}  ^$
    #need RewriteRule ...special stuff for any of these GET/POSTs...  [G,L]
    RewriteRule ^.*$  http://www.yourdomain.com  [G,L]
    This particular approach would process the request to respond by your own custom redirect to anything where port 25 (SMTP) is involved, where the user agent is not identified, and where there is no referer. You'd have to tweak this a bit to handle different strings for "user agent" and "referer" but that would just be according to what your Apache log records. I tested by sending empty user agent and referer requests exactly as written above and it worked like a charm; i.e. the server answered with a "File does not exist" so please quit referencing and change your links since the file won't be back etc. Again, change the strings as necessary to test.

    Also remember that the sequence of rewrite rules matters. I used this as the first rule block in my .htaccess test and it did not influence my other rules at all, as expected. Your mileage may vary, however, if you place it later in your rulesets.

    I don't know what all of the repercussions of this would be, but I don't believe it creates any undue havoc for legitimate use of your site. Just thought I'd nudge you into a new direction though.

    Keep us posted if it works for you so that others may benefit too.
    Last edited by Spathiphyllum; 01-25-2005 at 01:00 AM. Reason: Forgot to uncomment last RewriteRule to make it live

  13. #13 JPC Senior Member (Join Date Oct 2003, Location Alaska, Posts 82)
    Thank you Spathiphyllum for your answer and time given to your example. It's the first straight answer I've gotten thus far and it's appreciated.

    That seems to be the answer I've been looking for, and I will give it a try. It is a better alternative to a massive domain ban, which is what I have in place now. The majority of the requests were made from two domains, one in Israel and one in Asia. This seems to be a good answer, so I don't have to IP ban the legit users of the two domains.

    Thanks again. I'll keep you updated on what happens.

  14. #14 JPC Senior Member (Join Date Oct 2003, Location Alaska, Posts 82)
    If I might ask a question,

    To block the "-" in the rewrite, would I need a slash before the "-"?

    For example....

    RewriteCond %{HTTP_USER_AGENT} ^/-$ <--I bolded the area in question.
    or would it be...

    RewriteCond %{HTTP_USER_AGENT} ^-$
    Sorry, I've had to educate myself very quickly on mod_rewrite. Thanks again for any help.

  15. #15 || $name ne 'R.Stiltskin' (Join Date Jun 2003, Location Tejas, Posts 2,438)
    What you are asking is "does the string (in this case, a single character) need escaping (using a backslash), since a regex operation by the server will process everything in between the string start "^" marker and the string end "$" marker?"

    I don't believe there to be anything special about that character so a simple inclusion without escaping should be fine:

    ^-$

    This means that a user agent of "-" only will match and be successfully "anded" to your ruleset. It will NOT match "--" or "- -" or "secret-agent" or anything else. Nevertheless, you could probably escape it if you wanted to though, again, I don't believe the "-" character to indicate any special meaning.

    ^\-$ is probably acceptable, too.

    You could change your ruleset to include both:
    Code:
    Options FollowSymLinks

    RewriteEngine On
    # Enabled to block SMTP abuse
    # Test the ":25" in the requested URL (REQUEST_URI); SERVER_PORT is the port
    # Apache itself listens on and would never be 25 here
    RewriteCond %{REQUEST_URI}  :25$
    RewriteCond %{HTTP_USER_AGENT}  ^-$  [OR]
    RewriteCond %{HTTP_USER_AGENT}  ^\-$
    RewriteCond %{HTTP_REFERER}  ^$
    RewriteRule ^.*$  http://www.yourdomain.com  [G,L]
    I think the double-agent to be redundant but at least you'll have all bases covered. You could even split the block in two and repeat the lines using "-" in one series and "\-" in the other to play things very conservatively though that would seem to be a waste of typing.

    Just try it out and then review your logs. If you get a 4xx error (I forgot which exactly (410?)) rather than a 200 (OK response), then your ruleset will be working properly. The request will still get logged but at least the rogue spammer won't be getting the response s/he wants. 304's may also appear if it is a repeat request from the same source. Good luck.

    UPDATE: I'm trying to test these rules, but my series of proxy servers is playing havoc with the headers as I enable/disable/redefine them. The rules I defined should work, but I could be missing something obvious. If I discover something new, I'll pass it along here.
    Last edited by Spathiphyllum; 01-25-2005 at 06:59 PM. Reason: Added debugging update
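Added example (not from the thread or its posters): the three conditions Spathiphyllum's rewrite block expresses in #12 (request target ending in :25, missing User-Agent, missing Referer) applied in Python to constructed Apache combined-format log lines, so the rule can be dry-run against a log before it goes live; it also settles the "-" versus empty question from #15, since MISSING_RE accepts both. The client IPs, targets, timestamps and the CONNECT method in SAMPLE_LOG are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" log format, modelled on the
# entries quoted in the thread; clients, targets and the CONNECT method are assumed.
SAMPLE_LOG = """\
82.80.252.152 - - [21/Jan/2005:21:57:46 -0900] "CONNECT 209.217.36.7:25 HTTP/1.0" 200 3665 "-" "-"
82.80.252.152 - - [21/Jan/2005:21:58:08 -0900] "CONNECT 208.49.24.14:25 HTTP/1.0" 200 3665 "-" "-"
10.0.0.7 - - [21/Jan/2005:21:58:30 -0900] "GET /farscapeover.gif HTTP/1.1" 200 2352 "http://example.org/" "Mozilla/5.0"
10.0.0.8 - - [21/Jan/2005:21:59:01 -0900] "GET / HTTP/1.1" 200 3665 "" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# The three rewrite conditions as Python regexes. Apache logs a missing header
# as "-" while mod_rewrite sees an empty string, so MISSING_RE accepts both
# (the thread's ^-$ versus ^$ question); it rejects "--" and "secret-agent".
PORT25_RE = re.compile(r':25$')
MISSING_RE = re.compile(r'^-?$')

def is_smtp_relay_probe(entry):
    """True when the request looks like an SMTP-relay probe through the web server."""
    return (PORT25_RE.search(entry['target']) is not None
            and MISSING_RE.match(entry['agent']) is not None
            and MISSING_RE.match(entry['referer']) is not None)

def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not parse are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries

def find_relay_probes(text):
    """Return (flagged entries, Counter of offending client IPs) for a log."""
    flagged = [e for e in parse_log(text) if is_smtp_relay_probe(e)]
    return flagged, Counter(e['client'] for e in flagged)

if __name__ == '__main__':
    flagged, sources = find_relay_probes(SAMPLE_LOG)
    for e in flagged:
        print(f"{e['client']} -> {e['target']} ({e['status']}, {e['size']} bytes)")
    print("sources:", dict(sources))
```

The Counter of client IPs is what support's "block the IP addresses" advice needs, while the per-entry flags show which requests the rewrite conditions would actually catch.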
