
Weird E-Mail spam to members of my forum

Started by cgallery, August 03, 2012, 12:29:47 AM


cgallery

Quote from: Arantor on August 06, 2012, 10:52:31 AM
Quote: LOL, could be right. It just seems unlikely.

No more unlikely than anything else.

Quote: And I can tell you this: (1) People that have remote control of a server, with the types of privs (su) where they can see my data, don't send onesy-twosy bits of unintelligible spam to admins of accounts on that server ("hey, you're infected" notices).

Um, are you on a shared server or a VPS or better? On a shared server, by definition any user can typically see all files depending on their permissions, especially those hosts who run Apache as a nobody user, when all the files have to be readable to all users just to make it work.

Since all the code can be accessed in that fashion, it's certainly far from impossible.

Quote: I'm not saying this is a SMF hole. And even if it IS, it is quite possible that it is worthless, as the mail we've seen so far was completely unintelligible.

Yes, you are.

There are only two possible explanations here:

1. SMF has a hole, sending email
2. Something on the server is mimicking the SMF emails

You're saying in your opinion the latter is less likely, even though I demonstrated that the email does not have SMF's characteristics, which means by definition you're saying it DOES have a hole. You can't deny one without implying the other.

As far as I'm concerned it is not a flaw in SMF; it is instead something else on the server that is abusing resources and masquerading as SMF, because based on the provided evidence that's all it can be. But if you have any evidence to disprove that assertion, please provide it.

You said in a message above that the format for SMF's "Message-ID" header is a 32-character hex string blah blah blah. You said that because the E-Mail in question didn't include that 32-character string, it wasn't sent by SMF.

Well, here is an example of a legitimate SMF system E-Mail (below).  It was sent to a new user, but was bounced back to me by their spam filter (and I kept it).  The Message-ID looks nearly identical to the one included in the spam I posted above.  It does not follow your 32-character hex string rule.

So it seems SMF can send an E-Mail that doesn't follow your 32-character hex string rule?  Maybe that rule only applies to PM's?



***
The message you sent requires that you verify that you
are a real live human being and not a spam source.

To complete this verification, simply reply to this message and leave
the subject line intact.

The headers of the message sent from your address are shown below

> From [email protected] Mon Jan 09 13:48:48 2012
Received: from mail.timchapmanministries.com ([66.230.220.200]:54406 helo=ns56.webmasters.com)
    by gator1374.hostgator.com with smtp (Exim 4.69)
    (envelope-from<[email protected]>)
    id 1RkLD6-0005Tk-Ic
    for [email protected]; Mon, 09 Jan 2012 13:48:48 -0600
Received: (qmail 498 invoked by uid 2526); 9 Jan 2012 19:49:05 -0000
Message-ID:<[email protected]>
To: [email protected]
Subject: Welcome to J. Phil Thien's Projects
From: "J. Phil Thien's Projects"<[email protected]>
Date: Mon, 09 Jan 2012 19:49:04 -0000
X-Mailer: SMF
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="SMF-608ed5d5db014527178dfa6e73608482"
Content-Transfer-Encoding: 7bit

Arantor

Fantastic, your host is mangling the outbound headers. I put my case forward based on the evidence I had, and based on that, I was absolutely correct.

The MessageID header is normally only sent when there is a message id. SMF only issues that under certain circumstances, not all the time. Your host is inserting its own headers into the mix as well, which really helps diagnosis.

This email, if you'll notice, also includes the Content-Type and Content-Transfer-Encoding header that I also mentioned. On the basis of the evidence provided, I still find no reason to change what I'm seeing.

cgallery

Quote from: Arantor on August 06, 2012, 07:06:33 PM
This email, if you'll notice, also includes the Content-Type and Content-Transfer-Encoding header that I also mentioned. On the basis of the evidence provided, I still find no reason to change what I'm seeing.

Unfortunately, the headers I first posted were forwarded to me by the recipient, and he may not have cut/pasted everything in its entirety.

Here is the message source for the one I received (below).  As you can see, the headers you refer to are present.

I don't think my hosting outfit is mangling headers. I think what is happening is, where SMF doesn't include a Message-ID, the mail server inserts its own. If there is no Message-ID when an E-Mail arrives, many receiving servers will actually create one and add it. Isn't that the way it should be working?


***
From - Wed Aug 01 18:49:01 2012
X-Account-Key: account1
X-UIDL: 1343864712.8821.ns56.webmasters.com
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: (qmail 8814 invoked by uid 2526); 1 Aug 2012 23:45:12 -0000
Message-ID: <[email protected]>
To: [email protected]
Subject: Deovfqwozk
From: "[email protected]" <[email protected]>
Reply-To: <[email protected]>
Date: Wed, 01 Aug 2012 23:45:12 -0000
X-Mailer: SMF
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="SMF-67f6b75e34b21d60de10564b91e3a224"
Content-Transfer-Encoding: 7bit


R5LK8o  <a href="http://dmcmawffbngt.com/">dmcmawffbngt</a>, xgftalbttpdq, [link=http://rctmyqdnzhyt.com/]rctmyqdnzhyt[/link], http://rmqgzgngepdj.com/
--SMF-67f6b75e34b21d60de10564b91e3a224
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

R5LK8o  <a href="http://dmcmawffbngt.com/">dmcmawffbngt</a>, xgftalbttpdq, [link=http://rctmyqdnzhyt.com/]rctmyqdnzhyt[/link], http://rmqgzgngepdj.com/
--SMF-67f6b75e34b21d60de10564b91e3a224--
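
As an added illustration (not code from this thread, and not SMF's own code), the following Python script parses a raw message like the source posted above and reports which of the traits Arantor relies on are present: the X-Mailer header, the multipart/alternative content type, the "SMF-" plus 32-hex-character boundary, and the 7bit transfer encoding. Separately it reports whether a Message-ID is present and whether it has the 32-hex-character prefix described earlier in the thread; that Message-ID shape is an assumption taken from the description in the thread, not from SMF's source. The sample message is constructed to mirror the posted one, with placeholder addresses and a placeholder qmail-style Message-ID.

```python
import re
from email import message_from_string

# Constructed sample modelled on the message source posted in the thread.
# Addresses, domains and the Message-ID are placeholders, not real values.
SAMPLE_MESSAGE = """\
Return-Path: <forum@example.invalid>
Delivered-To: admin@example.invalid
Received: (qmail 8814 invoked by uid 2526); 1 Aug 2012 23:45:12 -0000
Message-ID: <20120801234512.8814.qmail@mail.example.invalid>
To: admin@example.invalid
Subject: Deovfqwozk
From: "forum@example.invalid" <forum@example.invalid>
Reply-To: <forum@example.invalid>
Date: Wed, 01 Aug 2012 23:45:12 -0000
X-Mailer: SMF
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="SMF-67f6b75e34b21d60de10564b91e3a224"
Content-Transfer-Encoding: 7bit

R5LK8o  <a href="http://example.invalid/">example</a>, http://example.invalid/
--SMF-67f6b75e34b21d60de10564b91e3a224
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

R5LK8o  <a href="http://example.invalid/">example</a>, http://example.invalid/
--SMF-67f6b75e34b21d60de10564b91e3a224--
"""

HEX32 = r"[0-9a-f]{32}"
# Boundary shape seen in both SMF messages quoted in the thread: "SMF-" + 32 hex chars.
SMF_BOUNDARY_RE = re.compile(r"^SMF-" + HEX32 + r"$")
# Assumed shape of an SMF-issued Message-ID, taken from the thread's description
# ("a 32-character hex string" followed by more): a 32-hex-char prefix.
SMF_MESSAGE_ID_RE = re.compile(r"^<" + HEX32)


def smf_fingerprint(raw: str) -> dict:
    """Parse one raw RFC 822 message and report which SMF traits are present."""
    msg = message_from_string(raw)
    boundary = msg.get_boundary() or ""
    message_id = (msg.get("Message-ID") or "").strip()
    parts = msg.get_payload() if msg.is_multipart() else []
    return {
        "x_mailer_smf": (msg.get("X-Mailer") or "").strip() == "SMF",
        "multipart_alternative": msg.get_content_type() == "multipart/alternative",
        "smf_boundary": bool(SMF_BOUNDARY_RE.match(boundary)),
        "cte_7bit": (msg.get("Content-Transfer-Encoding") or "").strip().lower() == "7bit",
        # A Message-ID is optional for SMF; an MTA-style one (qmail's here)
        # does not by itself show that SMF did not generate the mail.
        "has_message_id": bool(message_id),
        "smf_style_message_id": bool(SMF_MESSAGE_ID_RE.match(message_id)),
        "part_types": [part.get_content_type() for part in parts],
        # Text placed before the first boundary (the MIME preamble), as in the posted source.
        "preamble_text": (msg.preamble or "").strip(),
    }


def looks_like_smf(fp: dict) -> bool:
    """The header traits relied on in the thread; the Message-ID is deliberately excluded."""
    return (fp["x_mailer_smf"] and fp["multipart_alternative"]
            and fp["smf_boundary"] and fp["cte_7bit"])


if __name__ == "__main__":
    report = smf_fingerprint(SAMPLE_MESSAGE)
    for key, value in report.items():
        print(f"{key:24} {value!r}")
    print("looks like SMF output:", looks_like_smf(report))
```

On the constructed sample this reports every SMF header trait as present, a Message-ID that is present but not of the assumed SMF shape, a single text/plain part, and the garbage text sitting in the MIME preamble as well as in the part. Changing the X-Mailer value is enough for looks_like_smf() to return False, which is why the check rests on several headers together rather than on the Message-ID alone.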
Arantor

Quote: Isn't that the way it should be working?

Oh, I forgot we were dealing with email, the one thing where no server actually ever implements the specification but they all agree to fudge the matter for interoperability. The standard says no message id is required, so why the mail server is forwarding it on is anyone's guess.

I've been through the 50-odd instances where sendmail is actually called, and in the vast majority of them, they're done with loadEmailTemplate ahead of them, which means the email templates themselves should appear. Now, there's only a few places where an email will be used without a template, and that's:

* in event of DB error (which has no user-editable components in it anyway and only goes to admin)
* sending newsletters (though I'd wonder why more users aren't complaining of spam if that were the case)

In every other case it's either directly using the template or having some other content inserted into the message - and that's not happening. So unless you have things misconfigured, and random people can send newsletters, it still isn't in the main code of SMF that the call to sendmail is being triggered.

butchs

Quote from: cgallery on August 06, 2012, 10:23:16 AM
I was writing forum software back in the 80's (contract programmer, Exec-PC BBS was a client, 300 phone lines, tens of thousands of users).  These days I still do a lot of C work, and a lot of network security.  So I'm pretty familiar with the concepts.

Having a BBS in 1983 was like having a town in the Wild West...  From what I hear, everything before 92 was vulnerable.  :-X

Quote from: Arantor on August 06, 2012, 07:06:33 PM
So unless you have things misconfigured, and random people can send newsletters, it still isn't in the main code of SMF that the call to sendmail is being triggered.

American translation: you been hacked senseless!
;)
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

cgallery

Quote from: Arantor on August 06, 2012, 08:35:27 PM
I've been through the 50-odd instances where sendmail is actually called, and in the vast majority of them, they're done with loadEmailTemplate ahead of them, which means the email templates themselves should appear. Now, there's only a few places where an email will be used without a template, and that's:

* in event of DB error (which has no user-editable components in it anyway and only goes to admin)
* sending newsletters (though I'd wonder why more users aren't complaining of spam if that were the case)

In every other case it's either directly using the template or having some other content inserted into the message - and that's not happening. So unless you have things misconfigured, and random people can send newsletters, it still isn't in the main code of SMF that the call to sendmail is being triggered.

Okay, thanks for going through those.

The odd thing (to me) is that the E-Mail is senseless garbage.  The links don't go anywhere.  As spam goes, it is a miserable failure.  And there have only been a couple that I know of.

I'm going to put it in the back of my head for a couple of days. Maybe I can use the time to check logs on the server for other things that were happening at approx. the same time.
