#1
01-28-2006, 10:46 PM
RedFutura
Registered User
Join Date: Jun 2003
Posts: 79
Spam problem with mailnull and mailer-daemon

Hello,

I've got someone sending out spam from my server and I suspect he is using an address like mailnull@hostname to bypass Exim authentication. Is this possible?

I think addresses like postmaster@hostname, mailer-daemon@hostname, etc. are used for this.

Is it possible to disallow users to use those addresses to send out email?

Also, I've seen spam coming out from a domain which does not exist in my server, how is this possible? It is always the same domain (AdminRobot@hyipreal.com). Is there any way to block email coming out of that address?

Thank you
__________________
RedFutura
#2
01-29-2006, 05:30 PM
chirpy
Moderator
Join Date: Jun 2002
Location: Go on, have a guess
Posts: 13,495
No, it's not possible to bypass authentication. They're either being authenticated explicitly or implicitly, i.e. they're logging into a valid email account and sending spam or they're using a compromised web script on the server.

The first step is to look at the email headers of one of the spam emails.
__________________
Jonathan Michaelson
cPanel Forum Moderator

Need your cPanel servers secured and tuned?
cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
http://www.configserver.com
#3
10-18-2009, 10:33 AM
viniwox
Registered User
Join Date: Oct 2009
Posts: 1
Having the same problem

Hello,

I am having the same problem. My IP is already blacklisted and I just can't find a script where this is being generated.

Look at the emails that are being sent:

1MzT9E-0007XH-WD-H
mailnull 47 12
<gages70@web.de>
1255862280 0
-helo_name localhost
-host_address 127.0.0.1.34894
-host_name localhost
-interface_address 127.0.0.1.25
-received_protocol smtp
-body_linecount 10
-max_received_linelength 119
XX
3
assentg@excite.com
assent_h@excite.com
assenth@excite.com

173P Received: from localhost ([127.0.0.1])
by servidor.myserver.net with smtp (Exim 4.69)
(envelope-from <gages70@web.de>)
id 1MzT9E-0007XH-WD; Sun, 18 Oct 2009 05:38:01 -0500
027R Reply-To: <gages70@web.de>
038 Date: Sun, 18 Oct 2009 05:29:14 -0400
023F From: <gages70@web.de>
086T To: <assentg@excite.com>,
<assent_h@excite.com>,
<assenth@excite.com>
039I Message-ID: <01CA4FDD.43C22626@web.de>
021 X-Priority: 1 (High)
058 Subject: Certainly flowers have the easiest time on earth
018 MIME-Version: 1.0
044 Content-Type: text/html; charset=iso-8859-1
032 Content-Transfer-Encoding: 7bit
1MzT9E-0007XH-WD-D
<html>
<head>
<title> We sent him down at last out of the way. </title>
</head>

<body>
<a href="http://208.109.0.18/3.html">You manhood won't be flaccid after this supplement! Super discounts right now!</a>
</body>
</html>
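As an added illustration (not from the thread, cPanel or Exim itself), here is how a defender can read the -H spool file posted above: the second line is the account Exim was running as when it accepted the message, so for a message that arrived over loopback SMTP it shows the MTA user (mailnull on a cPanel host) rather than the script that sent it, and a -auth_id option line would be present if SMTP AUTH had been used. The embedded sample is the posted spool file cut down to the fields the check needs; the handling of the non-recipients tree is simplified.

```python
import re
# Constructed sample: the Exim -H spool file posted above, cut to the fields used here.
SPOOL_H = """\
1MzT9E-0007XH-WD-H
mailnull 47 12
<gages70@web.de>
1255862280 0
-host_address 127.0.0.1.34894
-received_protocol smtp
XX
3
assentg@excite.com
assent_h@excite.com
assenth@excite.com

023F From: <gages70@web.de>
"""

def parse_spool_header(text):
    """Parse an Exim 4 -H spool file: id, spool user/uid, sender, -options, recipients, headers."""
    lines = text.splitlines()
    login, uid, _gid = lines[1].split()
    msg = {"id": lines[0][:-2], "login": login, "uid": int(uid), "sender": lines[2].strip("<>"),
           "options": {}, "recipients": [], "headers": []}
    i = 4                                                # line 3 is "received_time warn_count"
    while lines[i].startswith("-"):                      # "-name value" option lines
        name, _, value = lines[i][1:].partition(" ")
        msg["options"][name] = value
        i += 1
    while not lines[i].isdigit():                        # skip the non-recipients tree ("XX")
        i += 1
    count, i = int(lines[i]), i + 1
    msg["recipients"] = lines[i:i + count]
    for h in lines[i + count + 1:]:                      # after the blank line: "NNN[flag] Header: value"
        m = re.match(r"\d+[A-Z*]? (.*)", h)
        if m:
            msg["headers"].append(m.group(1))
    return msg

def classify_origin(msg):
    """How the message entered Exim; the spool user names the real sender only for local injection."""
    opts, host = msg["options"], msg["options"].get("host_address", "")
    if opts.get("received_protocol", "local").startswith("local"):   # sendmail binary: uid is the submitter
        return "local", f"injected by uid {msg['uid']} ({msg['login']})"
    if "auth_id" in opts:                                # Exim records -auth_id after successful SMTP AUTH
        return "smtp-auth", f"authenticated as {opts['auth_id']} from {host}"
    if host.startswith("127."):                          # loopback: a local script spoke SMTP to port 25
        return "loopback-smtp", f"unauthenticated SMTP from a local process; {msg['login']} is the MTA user"
    return "remote-smtp", f"unauthenticated SMTP from {host}"
```

For the posted file this reports loopback-smtp, which is why the uid is the MTA's own and why suPHP/SuExec only help attribution when the script calls the sendmail binary instead of talking SMTP to localhost.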
#4
10-19-2009, 01:10 PM
bhanuprasad1981
Registered User
Join Date: Aug 2008
Posts: 13

Same on my side too.

I get complaints stating spam is sent from the server with a user name which doesn't exist.
#5
10-20-2009, 11:16 AM
cPanelDavidG
cPanel Technical Sales
Join Date: Nov 2006
Location: Houston, TX
Posts: 7,995
Friendly Moderator Note

I have moved this thread to the Mail forum.
#6
11-03-2009, 10:52 PM
DWHS.net
Registered User
Join Date: Jul 2002
Location: LA
Posts: 1,201
These issues need to be addressed; it's too easy to spam from a script as nobody with cPanel. There needs to be an easy way to track this and stop spammers.
__________________
DWHS Inc. - dwhs.net
Web Hosting | Business Favs | Web Hosting Times
#7
11-04-2009, 01:07 AM
cPanelDon
cPanel Staff (Administrator)
Join Date: Nov 2008
Location: Houston, Texas, U.S.A.
Posts: 489

Quote:
Originally Posted by DWHS.net
These issues need to be addressed; it's too easy to spam from a script as nobody with cPanel. There needs to be an easy way to track this and stop spammers.
Securing and hardening servers and monitoring for abuse is the responsibility of the Systems Administration team managing the system. As a starting point, enabling both SuExec and SuPHP will make it easier to track outbound Spam assuming the abuse does not bypass the Exim MTA (Exim mail server). I would also check to ensure your system is configured to take full advantage of the available security and mail features within cPanel/WHM:
Tweak Settings - Mail
WhmSecurity < AllDocumentation/WHMDocs < TWiki
EximConfig < AllDocumentation/WHMDocs < TWiki
__________________
We are here to help where needed to ensure a successful resolution. Feel free to submit a ticket for hands-on assistance; our support team will be able to investigate, diagnose and troubleshoot the issue: https://tickets.cpanel.net/submit/
--
cPanel Don, Technical Analyst
#8
11-08-2009, 12:24 PM
bhanuprasad1981
Registered User
Join Date: Aug 2008
Posts: 13

My server management installed suPHP and mod_security and disabled "nobody" from sending mails, but still the spammers found a way out. My DC and server admin were unable to find a single trace of the spam, and I was forced to reinstall the OS. I would like to ask the community for help: how is this possible? Mails sent from the server and not even one trace?
#9
11-10-2009, 05:05 PM
cPanelDon
cPanel Staff (Administrator)
Join Date: Nov 2008
Location: Houston, Texas, U.S.A.
Posts: 489

Quote:
Originally Posted by bhanuprasad1981
My server management installed suPHP and mod_security and disabled "nobody" from sending mails, but still the spammers found a way out. My DC and server admin were unable to find a single trace of the spam, and I was forced to reinstall the OS. I would like to ask the community for help: how is this possible? Mails sent from the server and not even one trace?
Please check with your system administration (server management) team; if needed, please create a new thread to ask specific questions regarding the circumstances of your situation. There must have been a trace of the spam or it would not be known there was a spam issue; I recommend thoroughly checking the symptoms, indications and other evidence of the spam to determine where the issue might be, including checking e-mail headers and mail server logs.
__________________
We are here to help where needed to ensure a successful resolution. Feel free to submit a ticket for hands-on assistance; our support team will be able to investigate, diagnose and troubleshoot the issue: https://tickets.cpanel.net/submit/
--
cPanel Don, Technical Analyst
#10
11-10-2009, 05:19 PM
sparek-3
Registered User
Join Date: Aug 2002
Posts: 1,068
From the mail headers posted, it looks like the owner of that server does not have the SMTP Tweak enabled, either in the Security Center in the WHM or with CSF.

Note that if you are using CSF you will have to use its SMTP Tweak (which is essentially the same thing). Not sure about other iptables-based firewalls. If you are using a software firewall (CSF or APF, maybe others) then you will need to use their included SMTP Tweak, because it will override the WHM's tweak.
All times are GMT -5. The time now is 03:53 PM.


Powered by vBulletin® Version 3.8.2
Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
© cPanel Inc