  1. #1
    Member
    Join Date
    Aug 2003
    Posts
    35

    Find spammer sending out of our server

    Hi all,

    We have been having a problem with a user sending spam out of our server. He is sending out PayPal phishing site spam. Also, the mail queue gets into the thousands every few days because of this. We are unable to determine which user this is. This is becoming a serious problem, because the server gets listed with SpamCop way too often now.

    I was wondering if there is a way to find out which user is responsible for this.

    Thanks!


    Below are headers of a sample email (I changed the domain names):
    -----------------------------------------------------

    1EoTZ1-0001Xj-39-H
    nobody 99 99
    <nobody@host2.mydomain.com>
    1135031583 0
    -ident nobody
    -received_protocol local
    -body_linecount 88
    -auth_id nobody
    -auth_sender nobody@host2.mydomain.com
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -deliver_firsttime
    -local
    XX
    1
    someone_123@yahoo.com

    152P Received: from nobody by host2.mydomain.com with local (Exim 4.52)
    id 1EoTZ1-0001Xj-39
    for someone_123@yahoo.com; Mon, 19 Dec 2005 17:33:03 -0500
    024T To: someone_123@yahoo.com
    048 Subject: Notification of Limited Account Access
    060F From: PayPal Account Review Department <service@paypal.com>
    011R Reply-To:
    018 MIME-Version: 1.0
    024 Content-Type: text/html
    032 Content-Transfer-Encoding: 8bit
    057I Message-Id: <E1EoTZ1-0001Xj-39@host2.mydomain.com>
    038 Date: Mon, 19 Dec 2005 17:33:03 -0500

  2. #2
    Member
    Join Date
    May 2003
    Posts
    114


    are you sure it's one of your actual users? there are many vulnerable scripts that users install that end up being exploited remotely and used to send out spam....

  3. #3
    Member
    Join Date
    Nov 2005
    Posts
    97


    WHG has a script

    Stop Nobody Spammers

    As stated in their tutorial:

    Requirements:
    We assume you're using Apache 1.3x, PHP 4.3x and Exim. This may work on other systems, but we've only tested it on a cPanel/WHM Red Hat Enterprise system.

  4. #4
    chirpy, Super Moderator (forum account confirmed by cPanel staff to represent a vendor)
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495


    I'd suggest that you read the multitude of threads about nobody spam which have already discussed at great length what you can do about such spam.
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com

  5. #5
    Member
    Join Date
    Aug 2003
    Posts
    35


    Quote Originally Posted by fikse
    are you sure it's one of your actual users? there are many vulnerable scripts that users install that end up being exploited remotely and used to send out spam....
    It actually is probably someone from outside. What I'd like to know is if there is a way to find out the source script from the email headers...

    Thanks.

  6. #6
    Member
    Join Date
    Feb 2005
    Location
    North Carolina
    Posts
    237


    Quote Originally Posted by steele
    What I'd like to know is if there is a way to find out the source script from the email headers...
    You can add the following to the first box of the Exim Configuration Editor (WHM >> Service Configuration >> Switch to Advanced Mode):

    log_selector = +all

    FYI - here are the additional items that are logged to /var/log/exim_mainlog when you use "+all" -- any of them can be used in combination to get just what you need:

    +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn

    You may want to run this way for a while, and you'll probably end up finding which script has been compromised.

    Hope this helps -

  7. #7
    Member
    Join Date
    Oct 2003
    Location
    Dickson City, Pennsylvania (USA)
    Posts
    48


    Steele,

    Check out the Received: and DomainKey-Signature: headers in the emails.

    If all else fails, do a full manual check on the server. I have to do it for people all the time. It usually comes down to a poorly-written Perl or PHP script accessed through the web using a simple multithreader.

    ~ Dan
    ^--- I wrote that.
    http://www.parasane.net/
    <plug shame="no">
    We also offer cPanel/WHM hosting plans that include full PHP text-to-speech technology.
    We created it so that you can play with it!
    </plug>

  8. #8
    Member
    Join Date
    Oct 2004
    Posts
    124


    057I Message-Id: <E1EoTZ1-0001Xj-39@host2.mydomain.com>


    Try this command:

    grep 'E1EoTZ1-0001Xj-39' /var/log/exim_mainlog
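The two log-based approaches in this thread (post #6's log_selector extras and post #8's grep on the queue id) can be combined into a small triage script. The following is an added example written for this thread, not code from any of the posters; it assumes the line formats Exim writes to /var/log/exim_mainlog when log_selector includes +subject, +received_recipients and +arguments, and the log lines, domains, paths and queue ids embedded in it are constructed placeholders.

```python
"""Triage /var/log/exim_mainlog for mail injected by the web-server user.

Added example for this thread (not code from any of the posts). It assumes
the line formats Exim writes to the main log when log_selector includes
+subject, +received_recipients and +arguments; the sample lines below are
constructed for the example, and the domains, paths and ids are placeholders.
"""
import re
from collections import defaultdict

# Constructed sample of exim_mainlog content (not a real capture).
SAMPLE_LOG = """\
2005-12-19 17:33:02 cwd=/home/someuser/public_html/contact 4 args: /usr/sbin/sendmail -t -i -fnobody@host2.mydomain.com
2005-12-19 17:33:03 1EoTZ1-0001Xj-39 <= nobody@host2.mydomain.com U=nobody P=local S=3120 id=E1EoTZ1-0001Xj-39@host2.mydomain.com T="Notification of Limited Account Access" for someone_123@yahoo.com
2005-12-19 17:33:04 1EoTZ1-0001Xj-39 => someone_123@yahoo.com R=lookuphost T=remote_smtp H=mx1.example.net [192.0.2.10]
2005-12-19 17:33:04 1EoTZ1-0001Xj-39 Completed
2005-12-19 17:33:05 cwd=/home/someuser/public_html/contact 4 args: /usr/sbin/sendmail -t -i -fnobody@host2.mydomain.com
2005-12-19 17:33:06 1EoTZ3-0001Xm-41 <= nobody@host2.mydomain.com U=nobody P=local S=3118 id=E1EoTZ3-0001Xm-41@host2.mydomain.com T="Notification of Limited Account Access" for other_user@example.org
2005-12-19 17:40:00 1EoTg7-0001Yq-12 <= alice@mydomain.com U=alice P=local S=812 id=abc@mydomain.com T="Lunch?" for bob@example.com
2005-12-19 17:41:10 1EoTgA-0001Yr-00 <= nobody@host2.mydomain.com U=nobody P=local S=640 id=E1EoTgA-0001Yr-00@host2.mydomain.com T="Your order receipt" for customer@example.com
"""

# "<=" arrival line: queue id, envelope sender, U= local user, P= protocol,
# T= subject (+subject) and "for" recipients (+received_recipients).
ARRIVAL_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+)(?: H=(?P<host>.*?))?'
    r' U=(?P<user>\S+) P=(?P<proto>\S+)(?: A=\S+)? S=\d+(?: id=\S+)?'
    r'(?: T="(?P<subject>[^"]*)")?(?: for (?P<rcpts>.*))?$')
# +arguments line: working directory and argv of the process that ran exim.
ARGS_RE = re.compile(r'^(?P<ts>\S+ \S+) cwd=(?P<cwd>\S+) \d+ args: (?P<args>.*)$')


def parse_exim_mainlog(text):
    """Return {queue_id: message dict}. Each local message is given the cwd of
    the most recent unclaimed +arguments line. This is a heuristic: the
    arguments line is written before the "<=" line and carries no queue id,
    so under heavy load add +pid to log_selector for an exact match."""
    messages = {}
    pending_args = None
    for line in text.splitlines():
        a = ARGS_RE.match(line)
        if a:
            pending_args = a.groupdict()
            continue
        m = ARRIVAL_RE.match(line)
        if not m:
            continue  # delivery ("=>"), "Completed" and other lines
        msg = {
            'ts': m.group('ts'), 'sender': m.group('sender'),
            'user': m.group('user'), 'proto': m.group('proto'),
            'subject': m.group('subject') or '',
            'recipients': (m.group('rcpts') or '').split(),
            'cwd': None, 'args': None,
        }
        if msg['proto'] == 'local' and pending_args is not None:
            msg['cwd'], msg['args'] = pending_args['cwd'], pending_args['args']
            pending_args = None
        messages[m.group('id')] = msg
    return messages


def web_user_report(messages, web_user='nobody'):
    """Group locally injected mail from web_user by (script cwd, subject);
    the busiest group points at the directory holding the abused script."""
    report = defaultdict(lambda: {'count': 0, 'recipients': 0, 'ids': []})
    for qid, msg in messages.items():
        if msg['user'] != web_user or msg['proto'] != 'local':
            continue
        key = (msg['cwd'] or '<cwd unknown: enable +arguments>', msg['subject'])
        entry = report[key]
        entry['count'] += 1
        entry['recipients'] += len(msg['recipients'])
        entry['ids'].append(qid)
    return dict(report)


def queue_id_from_message_id(header_value):
    """Exim's default Message-Id is <E<queue-id>@hostname>; recover the queue
    id so it can be grepped in exim_mainlog, as post #8 does by hand."""
    m = re.match(r'^<?E([0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2})@',
                 header_value.strip())
    return m.group(1) if m else None


def lines_for_queue_id(text, queue_id):
    """All log lines for one message: arrival, deliveries, completion."""
    return [line for line in text.splitlines() if queue_id in line]


if __name__ == '__main__':
    msgs = parse_exim_mainlog(SAMPLE_LOG)
    ranked = sorted(web_user_report(msgs).items(), key=lambda kv: -kv[1]['count'])
    for (cwd, subject), e in ranked:
        print(f"{e['count']:4d} msgs {e['recipients']:4d} rcpts  cwd={cwd}  subject={subject!r}")
    qid = queue_id_from_message_id('<E1EoTZ1-0001Xj-39@host2.mydomain.com>')
    print('\n'.join(lines_for_queue_id(SAMPLE_LOG, qid)))
```

On a real server, replace SAMPLE_LOG with the contents of /var/log/exim_mainlog; the (cwd, subject) group with the highest count is the web directory to inspect first, and any group showing "cwd unknown" means the +arguments selector was not active when those messages were accepted.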
