Additional Places To Find Spammer?

[webgazelle]

I discovered that I my server was running spam scripts after I got blacklisted. I used this forums extensively and discovered two sets of scripts running in the /tmp and /var/tmp directories. The scripts all seemed to originate from Brazil as the vast majority of email addresses in the spam library had .br extensions.

Here is what I did:

1. I removed the scripts (xXx.txt, enviar.txt, ... directory, and supporting scripts that seem to be perl based)

2. I recompiled php with the phpsuexec option turned on

3. I added this spamlog script to fish for which account was sending the spam. Nothing has shown up when monitoring this log. (http://www.webhostgear.com/232_print.html)

4. I converted the /tmp directory so that it won't execute scripts anymore (http://www.webhostgear.com/34.html)

And yet, it seems that I'm still sending out spam because of the bounce backs that I'm seeing.

So my questions are:

1. Where can I see outgoing email messages? I'm not sure which log to look at.

2. Using Cpanel, I notice that mailnull and nobody are the big offenders when looking at View Mail Statistics. What else can I look at to get more detail info instead of just totals?

Any help here would be great. I'm just looking to catch this script in the act and get rid of this. My system doesn't have PHPbb running and I'm not exactly sure which script was used to access and take advantage of my /tmp directories.

[jackie46]

Did you turn on;

Prevent the user 'nobody' from sending out mail to remote addresses (php and cgi scripts generally run as nobody if you are not using phpsuexec and suexec respectively.)

From tweaks?

With phpsuexec on, you should be able to tell whos sending spam but somebody may be abusing the scripts in /usr/local/cpanel/cgi-sys/. Did you check your /usr/local/apache/logs/error_log for cgi-sys abusers?

[sawbuck]

Also try adding this: log_selector = +all to the Exim Configuration Editor > Advanced Mode in the first text box - Save - and then
tail -f /var/log/exim_mainlog

[webgazelle]

I did turn on the prevent nobody from sending out mail in Cpanel.

I've gone through the error_logs and they are unexceptional. The typical 404 errors were about the only thing there.

I did turn on the log_selector last night in the Exim Config Editor. Within my exim_mainlog there was a flurry of emails sent from nobody during those days I was "occupied", but there isn't anything like that right now.

[brianoz]

One of the main reasons behind phpsuexec is that it gives you a clear idea of who sent the email, and knowing that is one of the keys to solving the problem. The exim logging tip above may help you see who is sending the spam. Also if you go into tweaks you can limit the number of emails per hour per user, which may help.

You should try commands like "top" and look in the cron log to see if stuff is running regularly, that may also tip you off. It might be as simple as having a still running process from when you killed off the files in /tmp etc.

The next question is whether the spam is even going through exim on your machine. You should be able to set up firewall rules (from memory there may even be something in tweaks to do it) to prevent processes connecting to off-machine SMTP servers as that's one way spam is sent.