spam attack

[smyhte]

i am getting loads of spam mails coming through but it is not even the same contact form that is on the site. obviously, this spammer is trying to inject through sendmail but cannot se how. he is using proxy ip's so cannot block with ip deny manager, so where to start looking? here is an example mail:

Code:

site X-Mailer:
Name: Anqukh Anqukhwqw
Email: anqukh@anqukhwqw.com
IP: 216.195.54.94



marketed as <a href="http://xxx.blogs.cn/"> order xanax</a> the hydrochloride salt (tramadol <a href="http://xxx.blogpoland.pl/"> purchase xanax</a> hydrochloride) and is available <a href="http://blogs.xxx.ca/xanaxprescriptionrx/">xanax prescription online</a> in both injectable (intravenous <a href="http://xxx.velocityblog.com/"> buy xanax</a> and/or intramuscular) and oral <a href="http://xxx.beeplog.com/"> xanax overnight</a> preparations (e.g.

on my contact form is have hidden field to collect ip and this is not the spammers ip. he is injecting it somwhere. checked the domlogs and it is being sent from the site but using proxy ip's. i also have approval needed for all link submissions. any thoughts guys? many thanks

[Bruceper]

I removed the URL's in your post, no need for google to index them.

Anyways, who are the emails being sent to?

If they're using sendmail how does that relate to IndexU? If it's not an IndexU issue I'll move the post to the webhosting forum and still give you whatever help I can.

What is the URL of your contact form?
Do you use captcha?
Is it the contact form from IndexU or a third party script?
If it's third party what is the URL of the script or the name of it?

[smyhte]

bruce. sorry about url's, should have realised. hmmm this is very weird. there are over 200 domain log files in apache domlogs, somehow, they are using sendmail.php to inject these domains and sending spam. the server is not open relay and all security is up to date via whm. will keep digging and report back. reason for my post, was i wanted to check if someone els had this problem using indexu or sendmail.php. cheers

[Bruceper]

So it's with the IndexU sendmail that they're sending mail.

Make sure you enable captcha for the form, that'll slow them down for sure.

[smyhte]

bruce. captcha is enabled and working. what i am confused about is how domains are being added to the site domlogs? that as you know, should just be for domains that are on the server.

i have checked that there are no directories setup for these domains and bearing in mind that the server employs all the security for sendmail & exim that a closed server should take and all security patches & software is up to date. it is like they are using a different sendmail.php to the one that is on the site because the fields that are posted are different to the one on the site?

i shall get to the bottom of this :-) perhaps the web hosting forum would be more applicable? many thanks bruce and merry xmas.

[Bruceper]

Now I'm a little confused again, you're talking about exim but the sendmail.php function of IndexU uses the PHP sendmail function, not exim.

If you'd like, I can take a look around for you. I'd need cpanel access at a minimum.