Well, I received an email from my webhost saying that they've received complaints about my dedicated server sending spam mails. It's weird as I'd never do such a thing myself; it also would not benefit me at all. As I've investigated further, I was able to track down the spammer's info from this:
So apparently this 'Ann Curtis' from payspree.com (actually techville,net) was able to send spam mails by impersonating my server through vBulletin's showthread.php page. I've heard that in the earliest days of VB3 there was an XSS security flaw within VB3.0.7, but this is VB3.8.7 (patch lv.3) already and I doubt if such an XSS vulnerability still exists. It could also be session hijacking; I have no idea what it is.
Quote:
X-Mailer: vBulletin Mail via PHP
Date: Tue, 3 Sep 2013 13:02:12 -0700
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - srv1.******.com
X-AntiAbuse: Original Domain - lycos.com
X-AntiAbuse: Originator/Caller UID/GID - [500 32007] / [47 12]
X-AntiAbuse: Sender Address Domain - srv1.******.com
X-Get-Message-Sender-Via: srv1.******.com: authenticated_id: ******/from_h
X-Source-Args: /usr/bin/php /home/******/forum/showthread.php
This is a message from Ann Curtis ( mailto: ) from the ****** Forum ( http://www.******.com/forum/ ).
The message is as follows:
Dearest Energy User,
A POWERFUL invention from 1927 that secretly powered the famous Col. Charle=
s Lindbergh's aircraft on his voyage to be the first to cross the atlantic =
by airplane without stopping.
The same invention has already helped thousands of energy users by SLASHING=
their Electric Bill up to almost 100 percent.
See this page to see the video: http://payspree.com/12855/ann
Have a good one.
This problem caught my attention since I had a similar experience back in July, and I was able to persuade my webhost to continue to run my forum as the spammer left after the webhost suspended my account for about 2-3 days. So it's technically the second time that my vBulletin forum's showthread page vulnerability is being abused. I wonder if anyone else is experiencing an issue similar to this? If so, how do you fix it? Please lemme know if you know anything about it. Thx.
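
For triaging abuse complaints like the one quoted in the post, the following added example (not part of the original post) parses the X-AntiAbuse, X-Mailer and X-Source-Args headers and counts complaints per originating script. The sample messages, the hostname `srv1.example.com`, the account name `exampleuser` and the second script path are constructed placeholders, and the code assumes the originating script is a `.php` file.

```python
import re
from collections import Counter
from email import message_from_string

# Constructed complaint headers shaped like those quoted in the post;
# hostname, account name and paths are placeholders, not real values.
def _sample(script, mailer="vBulletin Mail via PHP"):
    source = f"X-Source-Args: /usr/bin/php {script}\n" if script else ""
    return (
        f"X-Mailer: {mailer}\n"
        "X-AntiAbuse: This header was added to track abuse, please include it with any abuse report\n"
        "X-AntiAbuse: Primary Hostname - srv1.example.com\n"
        "X-AntiAbuse: Original Domain - lycos.com\n"
        "X-AntiAbuse: Originator/Caller UID/GID - [500 32007] / [47 12]\n"
        f"{source}\nmessage body\n"
    )

SAMPLES = [
    _sample("/home/exampleuser/forum/showthread.php"),
    _sample("/home/exampleuser/forum/showthread.php"),
    _sample("/home/exampleuser/contact/send.php", mailer="PHP"),
    _sample(None),  # complaint forwarded without X-Source-Args
]

ABUSE_FIELD = re.compile(r"^(?P<key>[^-]+?)\s+-\s+(?P<value>.*)$")

def parse_complaint(raw):
    """Extract the fields that identify which local script sent the mail."""
    msg = message_from_string(raw)
    abuse = {}
    for line in msg.get_all("X-AntiAbuse", []):
        m = ABUSE_FIELD.match(line.strip())
        if m:  # the free-text notice line has no "key - value" form
            abuse[m["key"]] = m["value"]
    ids = re.findall(r"\d+", abuse.get("Originator/Caller UID/GID", ""))
    args = (msg.get("X-Source-Args") or "").split()
    return {
        "script": next((a for a in args if a.endswith(".php")), "unknown"),
        "mailer": msg.get("X-Mailer", "unknown"),
        "original_domain": abuse.get("Original Domain", "unknown"),
        # the first bracket pair is the one the header labels Originator
        "originator_uid": int(ids[0]) if ids else None,
    }

def scripts_by_volume(raw_messages):
    """Count complaints per originating script, most frequent first."""
    return Counter(parse_complaint(r)["script"] for r in raw_messages).most_common()

if __name__ == "__main__":
    for script, count in scripts_by_volume(SAMPLES):
        print(f"{count:3d}  {script}")
```

Complaints that land in the `unknown` bucket lack X-Source-Args and need the mail server's own logs to attribute.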