Spam problem with mailnull and mailer-daemon
Hello,
I've got someone sending out spam from my server and I suspect he is using address like mailnull@hostname to by-pass exim authentication. Is this possible? I think addreses like postmaster@hostname, mailer-daemon@hostname, etc are used for this. Is it possible to disallow users to use those addresses to send out email? Also, I've seen spam coming out from a domain which does not exist in my server, how is this possible? It is always the same domain (AdminRobot@hyipreal.com). Is there any way to block email coming out of that address? Thank you
__________________
RedFutura
No, it's not possible to bypass authentication. They're either being authenticated explicitly or implicitly, i.e. they're logging into a valid email account and sending spam or they're using a compromised web script on the server.
First step is to look at the email headers of one of the spam emails.
__________________
Jonathan Michaelson, cPanel Forum Moderator
Need your cPanel servers secured and tuned? cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
http://www.configserver.com
Having the same problem
Hello,
I am having the same problem. My IP is already blacklisted and I just can't find a script where this is being generated. Look at the emails that are being sent:

1MzT9E-0007XH-WD-H
mailnull 47 12
<gages70@web.de>
1255862280 0
-helo_name localhost
-host_address 127.0.0.1.34894
-host_name localhost
-interface_address 127.0.0.1.25
-received_protocol smtp
-body_linecount 10
-max_received_linelength 119
XX
3
assentg@excite.com
assent_h@excite.com
assenth@excite.com

173P Received: from localhost ([127.0.0.1]) by servidor.myserver.net with smtp (Exim 4.69) (envelope-from <gages70@web.de>) id 1MzT9E-0007XH-WD; Sun, 18 Oct 2009 05:38:01 -0500
027R Reply-To: <gages70@web.de>
038 Date: Sun, 18 Oct 2009 05:29:14 -0400
023F From: <gages70@web.de>
086T To: <assentg@excite.com>, <assent_h@excite.com>, <assenth@excite.com>
039I Message-ID: <01CA4FDD.43C22626@web.de>
021 X-Priority: 1 (High)
058 Subject: Certainly flowers have the easiest time on earth
018 MIME-Version: 1.0
044 Content-Type: text/html; charset=iso-8859-1
032 Content-Transfer-Encoding: 7bit

1MzT9E-0007XH-WD-D
<html> <head> <title> We sent him down at last out of the way. </title> </head> <body> <a href="http://208.109.0.18/3.html">You manhood won't be flaccid after this supplement! Super discounts right now!</a> </body> </html>
Quote:
Tweak Settings - Mail
WhmSecurity < AllDocumentation/WHMDocs < TWiki
EximConfig < AllDocumentation/WHMDocs < TWiki
__________________
We are here to help where needed to ensure a successful resolution. Feel free to submit a ticket for hands-on assistance; our support team will be able to investigate, diagnose and troubleshoot the issue: https://tickets.cpanel.net/submit/ -- cPanel Don, Technical Analyst
My server management installed suPHP and mod_security and disabled "nobody" from sending mails, but the spammers still found a way out. My DC and server admin were unable to find a single trace of spam, and I was forced to reinstall the OS. I would like to ask the community for help: how is this possible? Mails sent from the server and not even one trace?
From the mail headers posted, it looks like the owner of that server does not have the SMTP Tweak enabled, either in the Security Center in the WHM or with CSF.
Note that if you are using CSF you will have to use its SMTP Tweak (which is essentially the same thing). Not sure about other iptables-based firewalls. If you are using a software firewall (CSF or APF, maybe others) then you will need to use their included SMTP Tweak, because it will override the WHM's tweak.
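An added example (not code from this thread, cPanel or Exim) that reads an Exim spool header (-H) record like the one posted earlier and pulls out what the replies above say to check: the envelope sender, the spool owner (mailnull), the peer address and the received protocol. It assumes the standard -H layout with a single-line non-recipients tree, as in the posted record; the sample is a constructed copy of that record.

```python
import re

# Constructed copy of the posted -H record (trimmed to the fields used here).
SAMPLE_H = """1MzT9E-0007XH-WD-H
mailnull 47 12
<gages70@web.de>
1255862280 0
-helo_name localhost
-host_address 127.0.0.1.34894
-received_protocol smtp
XX
3
assentg@excite.com
assent_h@excite.com
assenth@excite.com

173P Received: from localhost ([127.0.0.1]) by servidor.myserver.net
058  Subject: Certainly flowers have the easiest time on earth
"""

def parse_spool_header(text):
    """Parse Exim's -H spool layout; assumes a one-line non-recipients tree."""
    lines = text.splitlines()
    rec = {"id": lines[0], "user": lines[1].split()[0], "options": {},
           "envelope_from": lines[2].strip("<>"), "headers": []}
    i = 4                                   # line 3 is "<received time> <warnings>"
    while lines[i].startswith("-"):         # "-name value" option lines
        key, _, val = lines[i][1:].partition(" ")
        rec["options"][key] = val
        i += 1
    n = int(lines[i + 1])                   # lines[i] is the tree ("XX"), then count
    rec["recipients"] = lines[i + 2:i + 2 + n]
    for line in lines[i + 3 + n:]:          # past the blank separator line
        m = re.match(r"^(\d{3})([A-Z*]?)\s+(.*)$", line)  # length, type flag, text
        if m:
            rec["headers"].append((m.group(2), m.group(3)))
    rec["peer"] = rec["options"].get("host_address", "").rpartition(".")[0]  # "addr.port"
    return rec

def submission_summary(rec):
    """Unauthenticated SMTP from 127.0.0.1 owned by the Exim user = local injection."""
    proto = rec["options"].get("received_protocol", "")
    authenticated = "auth_id" in rec["options"] or proto.endswith("a")  # esmtpa/esmtpsa
    local = rec["peer"] in ("127.0.0.1", "::1") and proto == "smtp"
    return {
        "envelope_from": rec["envelope_from"],
        "user": rec["user"],
        "recipient_count": len(rec["recipients"]),
        "local_unauthenticated_smtp": local and not authenticated,
    }
```

A record flagged local_unauthenticated_smtp came in over the local SMTP port with no authenticated user, which is the path the SMTP Tweak closes; a mailbox user's submission would show esmtpa/esmtpsa and an -auth_id line instead.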