
Thread: nobody@server - bounced emails

  1. #1
    Registered Member
    Join Date
    Mar 2005
    Posts
    17

    Default nobody@server - bounced emails

    Someone was sending email from my server using the 'nobody' account. I stopped the user 'nobody' from being able to send emails in WHM. He is still sending the emails but now they are being bounced back to me.

    I know the directory that he is sending from (I think). I have no idea which file it might be. It would be a PHP file. The website is a game website. I have compared my local drive to the server drive and no new files are there and no new dates. How can I find the file he might be using? Thanks for any help.

  2. #2
    Registered Member NixTree's Avatar
    Join Date
    Aug 2010
    Location
    /proc
    Posts
    358
    cPanel/WHM Access Level

    Root Administrator

    Default Re: nobody@server - bounced emails

    Hello,

    Most probably, it is being sent via a script. Check the logs thoroughly and see if you can find anything. Do you have "Mailheader" enabled with PHP (you can do this from EA3)? If so, you can find the exact script which sent the emails if you check the header of any of the spam emails sent from your server (exim -Mvh <email id> and check the X-script field).

    Thank you,
    Nibin,
    NixTree || Server Management & Outsourced support
    24X7 Server Administration & Monitoring | Helpdesk support | Premium Spam Filtering
    Free CloudLinux, KernelCare with PerServer Management Plan
    Contact : info[at]nixtree[dot]com

  3. #3
    Registered Member
    Join Date
    Mar 2005
    Posts
    17

    Default Re: nobody@server - bounced emails

    Thanks for the reply, Nibin. What is EA3?

    Using putty.exe, if I enter this short script

    awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed 's|^ *||g' | sort -nr

    I'm told it's being sent from /home/myserver/public_html. But as stated in my original post I have no idea which file may be doing the sending.

    Below is one of the headers from one of the bounced emails but I don't see any information that would be helpful. Funny thing about this, the emails, if sent, are being sent to one of my Yahoo email addresses.

    Return-path: <nobody@server.myserver.com>
    Received: from nobody by server.myserver.com with local (Exim 4.69)
    (envelope-from <nobody@server.myserver.com>)
    id 1RrvHD-0001jj-P6
    for chbvcx@ymail.com; Mon, 30 Jan 2012 11:44:23 -0600
    To: chbvcx@ymail.com
    Subject: Patent Pointed-Toe Pump - $134.99 : Christian Louboutin, Discount Christian Louboutin,Cheap Christian Louboutin Shoes,Christian Louboutin Pumps Sale,Discounted Louboutins Store Online
    Content-Type: text/plain
    From: <Patent Pointed-Toe Pump - $134.99 : Christian Louboutin, Discount Christian Louboutin,Cheap Christian Louboutin Shoes,Christian Louboutin Pumps Sale,Discounted Louboutins Store Online>
    Reply-To: Patent Pointed-Toe Pump - $134.99 : Christian Louboutin, Discount Christian Louboutin,Cheap Christian Louboutin Shoes,Christian Louboutin Pumps Sale,Discounted Louboutins Store Online
    Message-Id: <E1RrvHD-0001jj-P6@server.myserver.com>
    Date: Mon, 30 Jan 2012 11:44:23 -0600
    Last edited by chasmcg; 01-31-2012 at 07:23 AM. Reason: Left out some information

  4. #4
    Registered Member NixTree's Avatar
    Join Date
    Aug 2010
    Location
    /proc
    Posts
    358
    cPanel/WHM Access Level

    Root Administrator

    Default Re: nobody@server - bounced emails

    Hello,

    EA3 = EasyApache 3; you can enable the PHP module I mentioned with EasyApache. In fact, it is good to have this enabled on a shared + DSO (PHP as an Apache module) server to track such email abuses.

    More about this module - http://choon.net/php-mail-header.php

    Since you could find the account which is abusing the server, review the contents of the account; check whether any files were modified or uploaded recently in this account and scan those files carefully.

    Good Luck

    Thank you,
    Nibin.
    Last edited by NixTree; 01-31-2012 at 08:10 AM.

  5. #5
    Registered Member NixTree's Avatar
    Join Date
    Aug 2010
    Location
    /proc
    Posts
    358
    cPanel/WHM Access Level

    Root Administrator

    Default Re: nobody@server - bounced emails

    Hello,

    Also make sure "Track email origin via X-Source email headers " is enabled in tweak settings!

    Tweak Settings

    Thank you,
    Nibin.

  6. #6
    Registered Member
    Join Date
    Mar 2005
    Posts
    17

    Default Re: nobody@server - bounced emails

    Nibin, thanks a lot for your help. I am going to follow your instructions in a bit but first, another question.

    I disabled EXIM. I am the only person that uses my server. How will this affect things? I don't use the mail at all on my server. But will I still get messages from the server such as warnings and such? Thanks.

  7. #7
    Registered Member NixTree's Avatar
    Join Date
    Aug 2010
    Location
    /proc
    Posts
    358
    cPanel/WHM Access Level

    Root Administrator

    Default Re: nobody@server - bounced emails

    Hello,

    No, why pay resources for a service that you don't use? It is better to disable all the services we don't use on a server, for better performance and security.

    What kind of warning messages are you getting from your server? Have you disabled "monitor" for the exim service as well (remove it from the chkservd conf)?

    Thank you,
    Nibin.

  8. #8
    Registered Member NixTree's Avatar
    Join Date
    Aug 2010
    Location
    /proc
    Posts
    358
    cPanel/WHM Access Level

    Root Administrator

    Default Re: nobody@server - bounced emails

    Hello,

    Also, from PHP 5.3 there is a function called mail.log, which will log all emails sent using PHP mail(). If you ever use PHP 5.3 on a shared server, configure it; it will be a great help for tracking emails sent via PHP scripts.

    Details - PHP: Runtime Configuration - Manual

    Thank you,
    Nibin.

  9. #9
    Registered Member arunsv84's Avatar
    Join Date
    Oct 2008
    Location
    127.0.0.1
    Posts
    375
    cPanel/WHM Access Level

    Root Administrator

    Default Re: nobody@server - bounced emails

    Well, there is an easy and quick way to detect a spammer by dropping a few lines into your shell.

    Just type the following at your command prompt:

    grep cwd=/home /var/log/exim_mainlog

    That will retrieve all emails sent via PHP or CGI.

  10. #10
    Registered Member
    Join Date
    Mar 2005
    Posts
    17

    Default Re: nobody@server - bounced emails

    Below is what I came up with using the command "grep cwd=/home /var/log/exim_mainlog"

    If so how are they sending this email and how are they able to do this? If they have a script on my site, how did it get there? And how do I proceed from here? Thanks a lot.

    2012-02-01 05:59:42 [29421] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
    2012-02-01 05:59:43 [29428] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
    2012-02-01 05:59:45 [29435] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
    2012-02-01 05:59:45 [29442] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
    2012-02-01 05:59:46 [29450] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
    2012-02-01 05:59:47 [29457] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
    2012-02-01 05:59:47 [29464] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
    2012-02-01 05:59:48 [29471] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
    2012-02-01 05:59:49 [29479] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
    2012-02-01 05:59:49 [29482] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
    2012-02-01 05:59:53 [29494] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
    2012-02-01 05:59:55 [29501] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
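The counting that the awk in post #3 and the grep in post #9 do by hand, as an added Python example (not code from this thread): it parses exim_mainlog lines in the format shown in post #10, counts submissions per working directory under /home, and flags directories that hand many messages to sendmail inside a short window, which is what twelve sends in thirteen seconds look like. The pid bracket is optional in the pattern because the awk in post #3 assumes field 3 is the cwd, which only holds when Exim logs without pids. The sample log lines are constructed, and the function names are my own.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the exim_mainlog format shown in this thread:
# timestamp, [pid], cwd=..., N args: ... . Not a real log.
SAMPLE_LOG = """\
2012-02-01 05:59:42 [29421] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
2012-02-01 05:59:43 [29428] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
2012-02-01 05:59:45 [29435] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
2012-02-01 05:59:45 [29442] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
2012-02-01 06:30:10 [30102] cwd=/home/otheracct/public_html 3 args: /usr/sbin/sendmail -t -i
2012-02-01 06:31:00 [30110] 1RrvHD-0001jj-P6 => someone@example.com R=lookuphost T=remote_smtp
2012-02-01 07:00:00 [30200] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1RrvHD-0001jj-P6
"""

CWD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
    r"(?: \[\d+\])?"          # optional [pid]; present when log_selector includes +pid
    r" cwd=(?P<cwd>\S+)"
    r" \d+ args: (?P<args>.*)$"
)


def parse_cwd_lines(text):
    """Yield (timestamp, cwd, args) for every 'cwd=' line; other lines are skipped."""
    for line in text.splitlines():
        m = CWD_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["cwd"], m["args"]


def count_by_cwd(text, prefix="/home"):
    """Same result as `grep cwd=/home exim_mainlog | sort | uniq -c | sort -nr`:
    submissions from account directories (i.e. web scripts), busiest first."""
    counts = Counter(cwd for _, cwd, _ in parse_cwd_lines(text) if cwd.startswith(prefix))
    return counts.most_common()


def find_bursts(text, window_seconds=60, threshold=3):
    """Return {cwd: most submissions seen inside any window} for directories that
    reach the threshold. A human using a contact form does not send several
    messages within seconds; a spam script or an abused form does."""
    by_cwd = defaultdict(list)
    for ts, cwd, _ in parse_cwd_lines(text):
        by_cwd[cwd].append(ts)
    window = timedelta(seconds=window_seconds)
    result = {}
    for cwd, times in by_cwd.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            result[cwd] = best
    return result


if __name__ == "__main__":
    for cwd, n in count_by_cwd(SAMPLE_LOG):
        print(f"{n:5d} {cwd}")
    print(find_bursts(SAMPLE_LOG))
```

Run it against the real file with `python3 script.py < /dev/null` after replacing SAMPLE_LOG with `open("/var/log/exim_mainlog").read()`; the burst view is the one that separates a busy but legitimate account from the directory the spam is coming from.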

  11. #11
    Registered Member
    Join Date
    Nov 2011
    Posts
    423
    cPanel/WHM Access Level

    Root Administrator

    Default Re: nobody@server - bounced emails

    Find out with the egrep command which script is using sendmail to send all these emails.
    Type the commands:

    cd /home/myserver/public_html
    egrep "/usr/sbin/sendmail" * -R

    Disable its permissions once you are able to find the offending script in the egrep output. Moreover, you can also disable emails from the nobody user in WHM Tweak Settings.
    Lifetime Linux Hosting | Linux Dedicated Servers

    ISPA Award Winner-2013 & 2014

  12. #12
    Registered Member
    Join Date
    Mar 2005
    Posts
    17

    Default Re: nobody@server - bounced emails

    storminternet, thanks for the reply.

    I did as you said and got this...

    Binary file public_html/cgi-bin/cgiemail matches
    Binary file public_html/cgi-bin/cgiecho matches

    Then changed the permissions to 700 on each file. Hope that works. Thanks a lot.

  13. #13
    Registered Member
    Join Date
    Mar 2005
    Posts
    17

    Default Re: nobody@server - bounced emails

    Update: Below is the latest header that is being bounced to me. Can anyone decipher this for me?

    Also, I'm concerned about this line - "X-Source-Args: /usr/local/apache/bin/httpd -k start -DSSL". What does this mean? I've looked it up but haven't found anything relating to email headers, only server logs. Thanks a lot.


    Delivered-To: me#1@gmail.com - "Note: this email was delivered to me from my server"
    Received: by 10.112.75.231 with SMTP id f7cs21483lbw;
    Sat, 4 Feb 2012 23:48:18 -0800 (PST)
    Received: by 10.101.2.32 with SMTP id e32mr5681702ani.13.1328428097089;
    Sat, 04 Feb 2012 23:48:17 -0800 (PST)
    Return-Path: <>
    Received: from server.myserver.com ([xx.xx.xx.xx])
    by mx.google.com with ESMTPS id d9si12050327yhn.109.2012.02.04.23.48.16
    (version=TLSv1/SSLv3 cipher=OTHER);
    Sat, 04 Feb 2012 23:48:16 -0800 (PST)
    Received-SPF: neutral (google.com: xx.xx.xx.xx is neither permitted nor denied by best guess record for domain of server.myserver.com) client-ip=xx.xx.xx.xx;
    Authentication-Results: mx.google.com; spf=neutral (google.com: xx.xx.xx.xx is neither permitted nor denied by best guess record for domain of server.myserver.com) smtp.mail=
    Received: from mailnull by server.myserver.com with local (Exim 4.69)
    id 1RtwpR-0005ic-L6
    for nobody@server.myserver.com; Sun, 05 Feb 2012 01:48:05 -0600
    X-Failed-Recipients: me#2@yahoo.com - "Note: email address spam is being sent to - one of my email addresses"
    Auto-Submitted: auto-replied
    From: Mail Delivery System <Mailer-Daemon@server.myserver.com>
    To: nobody@server.myserver.com
    Subject: Mail delivery failed: returning message to sender
    Message-Id: <E1RtwpR-0005ic-L6@server.myserver.com>
    Date: Sun, 05 Feb 2012 01:48:05 -0600
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - server.myserver.com
    X-AntiAbuse: Original Domain - server.myserver.com
    X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
    X-AntiAbuse: Sender Address Domain -
    X-Source:
    X-Source-Args: /usr/local/apache/bin/httpd -k start -DSSL
    X-Source-Dir: my-domain-on-my-server.com:/public_html - "Note: I've known directory from day 1 but don't know which file"

    This message was created automatically by mail delivery software.

    A message that you sent could not be delivered to one or more of its recipients.
    This is a permanent error. The following address(es) failed:


    me#2@yahoo.com - "Note: email address spam is being sent to - one of my email addresses"
    Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings

    ------ This is a copy of the message, including all the headers. ------

    Return-path: <nobody@server.myserver.com>
    Received: from nobody by server.myserver.com with local (Exim 4.69)
    (envelope-from <nobody@server.myserver.com>)
    id 1RtwpR-0005iX-Je
    for me#2@yahoo.com; Sun, 05 Feb 2012 01:48:05 -0600
    To: me#2@yahoo.com
    Subject: DOUqlPNSvKbX
    Content-Type: text/plain
    From: jvdhqolofp <fvtznp@hriczt.com>
    Reply-To: fvtznp@hriczt.com
    Message-Id: <E1RtwpR-0005iX-Je@server.myserver.com>
    Sender: Nobody <nobody@server.myserver.com>
    Date: Sun, 05 Feb 2012 01:48:05 -0600


    wWFooc <a href="http://ewldkxtawrtp.com/">ewldkxtawrtp</a>,
    dsxkhijxzmpv,
    [link=http://plrnqcmsqhha.com/]plrnqcmsqhha
    [/link], http://rzwkriqhjpka.com/
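Reading the bounce above by hand is error-prone, so here is an added Python example (not code from this thread) that splits an Exim bounce into the delivery-failure report and the copied original, then pulls out the fields that answer the questions in this post: the X-AntiAbuse caller UID/GID, the X-Source-Args command line (cPanel records the argv of the process that invoked sendmail, and an httpd argv means a web script running inside Apache submitted the mail), the X-Source-Dir, and, from the copied message, who handed it to Exim and what From/Reply-To it carried. The BOUNCE text is constructed from the headers in this post with the inline notes removed and the placeholder addresses kept; the function names are my own.

```python
import email
import os
import re

# Constructed from the bounce posted in this thread (inline notes removed,
# placeholder addresses kept). Not a message captured by the page's author.
BOUNCE = """\
Return-Path: <>
Received: from mailnull by server.myserver.com with local (Exim 4.69)
 id 1RtwpR-0005ic-L6
 for nobody@server.myserver.com; Sun, 05 Feb 2012 01:48:05 -0600
X-Failed-Recipients: me#2@yahoo.com
Auto-Submitted: auto-replied
From: Mail Delivery System <Mailer-Daemon@server.myserver.com>
To: nobody@server.myserver.com
Subject: Mail delivery failed: returning message to sender
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server.myserver.com
X-AntiAbuse: Original Domain - server.myserver.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain -
X-Source:
X-Source-Args: /usr/local/apache/bin/httpd -k start -DSSL
X-Source-Dir: my-domain-on-my-server.com:/public_html

This message was created automatically by mail delivery software.
Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings

------ This is a copy of the message, including all the headers. ------

Return-path: <nobody@server.myserver.com>
Received: from nobody by server.myserver.com with local (Exim 4.69)
 (envelope-from <nobody@server.myserver.com>)
 id 1RtwpR-0005iX-Je
 for me#2@yahoo.com; Sun, 05 Feb 2012 01:48:05 -0600
To: me#2@yahoo.com
Subject: DOUqlPNSvKbX
Content-Type: text/plain
From: jvdhqolofp <fvtznp@hriczt.com>
Reply-To: fvtznp@hriczt.com
Sender: Nobody <nobody@server.myserver.com>
Date: Sun, 05 Feb 2012 01:48:05 -0600

wWFooc <a href="http://ewldkxtawrtp.com/">ewldkxtawrtp</a>, http://rzwkriqhjpka.com/
"""

COPY_MARKER = "------ This is a copy of the message, including all the headers. ------"
UID_GID_RE = re.compile(r"Originator/Caller UID/GID - \[(\d+) (\d+)\]")


def _hdr(msg, name):
    """Header value with folding whitespace collapsed, '' if absent."""
    value = msg.get(name)
    return " ".join(value.split()) if value else ""


def triage_bounce(raw):
    """Extract from an Exim bounce the facts needed to locate the sending script."""
    head, sep, tail = raw.partition(COPY_MARKER)
    dsn = email.message_from_string(head)
    original = email.message_from_string(tail.lstrip("\n")) if sep else None

    uid = gid = None
    for value in dsn.get_all("X-AntiAbuse", []):
        m = UID_GID_RE.search(value)
        if m:
            uid, gid = int(m.group(1)), int(m.group(2))

    source_args = _hdr(dsn, "X-Source-Args")
    # cPanel puts the argv of the process that called sendmail in X-Source-Args;
    # an httpd binary there means the mail came out of a web script.
    caller = os.path.basename(source_args.split()[0]) if source_args else ""
    result = {
        "failed_recipients": _hdr(dsn, "X-Failed-Recipients"),
        "caller_uid_gid": (uid, gid),
        "source_args": source_args,
        "source_dir": _hdr(dsn, "X-Source-Dir"),
        "submitted_by_web_server": caller == "httpd",
    }
    if original is not None:
        received = _hdr(original, "Received")
        m = re.match(r"from (\S+) by ", received)
        result["original"] = {
            "envelope_from": _hdr(original, "Return-path"),
            "from": _hdr(original, "From"),
            "reply_to": _hdr(original, "Reply-To"),
            "sender": _hdr(original, "Sender"),
            # "with local": piped into sendmail on this box, not received over SMTP
            "local_submission": "with local" in received,
            "submitting_user": m.group(1) if m else None,
        }
    return result


if __name__ == "__main__":
    for key, value in triage_bounce(BOUNCE).items():
        print(f"{key}: {value}")
```

Two cautions when reading the output. The UID/GID in X-AntiAbuse belong to the process that created the outer bounce (its Received line says "from mailnull"), so map them with `getent passwd 47` rather than assuming they are the spam script's; the spam itself was handed to Exim by the user named in the copied message's Received line (nobody). And X-Source-Dir names the account's document root, not the file, so the next step is still a search of that directory (or the mail.log / X-Source tracking mentioned earlier in the thread) to find which script calls sendmail.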

  14. #14
    Registered Member
    Join Date
    Sep 2009
    Location
    Athens Greece
    Posts
    199

    Default Re: nobody@server - bounced emails


  15. #15
    Registered Member
    Join Date
    Mar 2005
    Posts
    17

    Default Re: nobody@server - bounced emails

    I am really stupid. It took me a while to catch on. This is a game website. I have it just as a complimentary service for my customers on another website. It's a game script I purchased and really haven't paid that much attention to what it does. I have a "Contact" link on the website. This person is sending the spam from that. It sends an email to my admin email address and "nobody" on my server sends the email. I think that is the problem. 3 or 4 days wasted looking into this. Oh well, I learned a few things. Thanks to everyone.
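The bounced message in post #13 shows what the contact form was doing with visitor input: the visitor's name and address became the From and Reply-To of a mail the server then sent as nobody, and the body was nothing but links. As an added example, not code from the thread or from the game script, the following Python shows the checks a contact-form handler should apply before it hands anything to sendmail, whatever language the form itself is written in: never copy visitor input into From or Sender, strip CR/LF from every header field so a submitter cannot inject extra headers, accept the visitor address only if it parses as one address, and refuse link-stuffed bodies. The form dictionaries in the test are constructed; the function and class names are my own.

```python
import re
from email.message import EmailMessage

ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
# URLs, BBCode links and HTML anchors: all three appear in the spam body in this thread.
LINK_RE = re.compile(r"https?://|\[link=|<a\s", re.IGNORECASE)


class RejectedSubmission(ValueError):
    pass


def validate_submission(form, max_links=1):
    """Return (fields, None) if the POSTed form is acceptable, else (None, reason).
    form: dict with 'name', 'email', 'subject', 'message' as a web form would send."""
    def header_safe(field, limit):
        # CR/LF in a header-bound field is header injection; flatten it, then the
        # address check below rejects anything that is no longer a single address.
        value = (form.get(field) or "").replace("\r", " ").replace("\n", " ")
        return value.strip()[:limit]

    fields = {
        "name": header_safe("name", 80),
        "addr": header_safe("email", 254),
        "subject": header_safe("subject", 120),
        "body": (form.get("message") or "").strip(),
    }
    if not ADDR_RE.match(fields["addr"]):
        return None, "invalid reply address"
    if not fields["body"]:
        return None, "empty message"
    if len(LINK_RE.findall(fields["body"])) > max_links:
        return None, "too many links"
    return fields, None


def build_contact_message(form, admin_addr, site_addr):
    """Build the message for the site owner. From/Sender are the site's fixed
    address; the visitor only ever appears in Reply-To and in the body."""
    fields, reason = validate_submission(form)
    if reason:
        raise RejectedSubmission(reason)
    msg = EmailMessage()
    msg["From"] = site_addr
    msg["Sender"] = site_addr
    msg["To"] = admin_addr
    msg["Reply-To"] = fields["addr"]
    msg["Subject"] = "[contact] " + (fields["subject"] or "(no subject)")
    msg.set_content(f"{fields['name'] or '(anonymous)'} <{fields['addr']}> wrote:\n\n{fields['body']}")
    return msg
```

With a fixed From/Sender the bounces stop carrying the spammer's address, and with the link limit the form stops being worth automating; a per-IP rate limit on top of this (not shown) is what deals with the twelve-sends-in-thirteen-seconds pattern from post #10.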
