Many e-mails return to nobody's e-mail.

[surachat]

I got many e-mails to nobody's e-mail in my server more than 5.5k mails. I thinks it's abnormal. I'm newbie of Linux and WHM. Could anybody help me?


Mail delivery failed: returning message to sender‏
From: Mail Delivery System (Mailer-Daemon@alpha.bornitexpert.net)
Sent: 16 July 2009 21:15:11
To: nobody@alpha.bornitexpert.net
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

qualitybuilt55@aol.com
Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings
petgord34truew@tokyoshoes.com
Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings
redheadcop@hotmail.com
Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings
artiespecv@comcast.net
Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings
paszzz@hotmail.com
Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings
sxyblk45@yahoo.com
Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings
alemurtinho@terra.com.br
Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings

------ This is a copy of the message, including all the headers. ------

Return-path: <nobody@alpha.bornitexpert.net>
Received: from nobody by alpha.bornitexpert.net with local (Exim 4.69)
(envelope-from <nobody@alpha.bornitexpert.net>)
id 1MRRfq-0000Pr-OP; Thu, 16 Jul 2009 21:11:02 +0700
To: qualitybuilt55@aol.com,petgord34true...o@terra.com.br
Subject: GET UNFAILING VIRILITY (Tablets against impotence 5)
From: sunshine37111@yahoo.com
Reply-To: sunshine37111@yahoo.com
Content-type: text/html; charset=iso-8859-5
Message-Id: <E1MRRfq-0000Pr-OP@alpha.bornitexpert.net>
Date: Thu, 16 Jul 2009 21:11:02 +0700


<div align="center">
<font size="5" color="#fa0210">
<STRONG>For more restoration pleasure was able to get from us.</STRONG>
<BR><BR>
<a href="http://b1g.gratishost.com/interesting91/what/isnt43.html">THE TABS YOU ARE HERE </a>
</font>
</div>

[chirpy]

Those are likely bounced emails being sent out from a PHP script on a users web site on the server. If they are spam, then a PHP script has likely been compromised. You can track such emails back to a user directory within /home if you enable extended exim logging and then track subsequent emails sent out by looking for a corresponding cwd= entry in /var/log/exim_mainlog. More information here:
ConfigServer Services - Searching for Spammers

If that's not the issue, i.e. they are legitimate emails being sent out by PHP script, then it may well be that you have enabled the option WHM > Tweak Settings > Prevent the user "nobody" from sending out mail to remote addresses. That will obviously prevent those emails being sent and they will bounce back.

[Legin76]

I'm getting this problem a too but am worried about changing "Prevent the user "nobody" from sending out mail to remote addresses" as its happening on multiple sites that have all been moved from ensim servers and I don't to stop them from sending emails and or have to deal with getting them to change their code.

They are using different php scripts but one specifically us using the latest version of phpbb.

Is there a way of making them go to the defaults account email address instead?

[Shyam Mohammed]

Hello,

You can enable suphp so that the mails will be sent as the user instead of nobody. Please note that enabling suphp may cause some compatibility issue with your sites, so consult your developer before switching the php handler. However it is encouraged to use suphp as it is a security module which will force the php scripts to run as users instead of the default apache user. You can give a try as you are free to switch back to DSO or CGI handler if your sites are having problem with suphp.

[Legin76]

Thats fantastic..

After changing it there have been a couple of small issues with sites.. The permissions of a folder and a form with a button with an onClick="submit()" that would not send.

Which have all been easy to sort.

Fingers crossed that will be it or if they are all as easy to fix as that it should be plain sailing.

An excellent suggestion. Thank you.