  1. #1
    Member erinspice's Avatar
    Join Date
    Feb 2006
    Posts
    101

    Default Help me track down some spam!

    I need some help from the masters! One of my servers is sending spam, and I really need to track it down and find out how to stop it. Here's one:

    Subject: Make her worship you
    From: "Michael Baxter" <xijabsentforaweekhub@absentforaweek.de>
    Date: Wed, 31 Oct 2007 03:57:19 +0000
    To: <Undisclosed Recipients>
    Return-Path: <xijabsentforaweekhub@absentforaweek.de>
    Received: from rly-yc06.mail.aol.com (rly-yc06.mail.aol.com [22.22.22.22]) by air-yc04.mail.aol.com (v120.9) with ESMTP id MAILINYC43-6e74727f47d371; Tue, 30 Oct 2007 23:20:54 -0400
    Received: from hostname.mysite.com (hostname.mysite.com [11.11.11.11]) by rly-yc06.mail.aol.com (v120.9) with ESMTP id MAILRELAYINYC61-6e74727f47d371; Tue, 30 Oct 2007 23:20:30 -0400
    Received: from 33.33.33.33.dynamic.dsl.as9105.com ([33.33.33.33]) by hostname.mysite.com with esmtp (Exim 4.68) (envelope-from <xijabsentforaweekhub@absentforaweek.de>) id 1In481-0005YM-Co; Tue, 30 Oct 2007 22:20:26 -0500
    Received: from [33.33.33.33] by mail.absentforaweek.de; Wed, 31 Oct 2007 03:57:19 +0000
    X-Mailer: The Bat! (v3.5.25) Home
    Reply-To: xijabsentforaweekhub@absentforaweek.de
    X-Priority: 3 (Normal)
    Message-ID: <864558525.84012090072797@absentforaweek.de>
    MIME-Version: 1.0
    Content-Type: multipart/alternative; boundary="----------7DABBBB4F211119"
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - hostname.mysite.com
    X-AntiAbuse: Original Domain - myclient.com
    X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
    X-AntiAbuse: Sender Address Domain - absentforaweek.de
    X-AOL-IP: 11.11.11.11
    X-AOL-SCOLL-AUTHENTICATION: listenair ; SPF_helo :
    X-AOL-SCOLL-AUTHENTICATION: listenair ; SPF_822_from :
    UID 47 is mailnull. I have the extra spam tracking headers turned on (X-SOURCE-DIR, et al.), but they aren't showing up. Will somebody please teach me how to track spam back to a username and an application so that I can secure my server?

  2. #2
    Member
    Join Date
    Sep 2004
    Location
    inside a catfish
    Posts
    963
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Actually, it looks like your server is _forwarding_ spam.

    Scenario: A user on your system has one of their accounts set up to forward to an AOL.COM account. Then, when it goes to their AOL.COM account they tag it as spam. Then AOL sends you a message telling you that they received a spam message from your server.

    Check for forwarders on all of the myclient.com accounts that are on your server - See who is forwarding to AOL.

    grep 1In481-0005YM-Co /var/log/exim_mainlog
    - see who this email was sent to on your server.

    Mike


    Last edited by mtindor; 10-31-2007 at 02:07 PM.

  3. #3
    Member erinspice's Avatar
    Join Date
    Feb 2006
    Posts
    101

    Default

    How is this not a problem for every web host then? And why am I only experiencing this on one of my 5 servers? Is there someway I could configure my server to disallow mail forwarding serverwide, or only allow forwarding between local addresses? Also, what in there let you know it was being forwarded?

  4. #4
    Member
    Join Date
    Sep 2004
    Location
    inside a catfish
    Posts
    963
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Quote Originally Posted by erinspice View Post
    How is this not a problem for every web host then? And why am I only experiencing this on one of my 5 servers? Is there someway I could configure my server to disallow mail forwarding serverwide, or only allow forwarding between local addresses? Also, what in there let you know it was being forwarded?
    I don't believe there is a way to turn off forwarding altogether, or only allow forwarding between local addresses. Some crafty people could come up with a result, but Cpanel itself does not have any configuration options such as those.

    How did I know it was being forwarded? I looked at the Received headers. If they are to be believed (and oftentimes in spam, one or more Received lines are bogus), you would follow from the bottom to the top.

    The topmost Received header shows the final destination was an AOL server (from an AOL server to another AOL server).

    The second Received header shows where it was sent from your machine to the AOL server.

    The third Received line shows where your server received it from 33.33.33.33.dynamic.dsl.as9105.com

    So if you reverse that order you see:

    the as9105.com IP address sent the spam to your server
    your server then sent it to AOL
    AOL sent it to another one of its servers for final delivery

    There would be no reason for some remote IP to send it to your machine and then have it automatically sent to AOL unless:
    1. It was sent to an account on your server and then forwarded to an AOL.COM account
    OR
    2. Somebody authenticated into your server via the as9105.com IP address and explicitly sent an email through your server to an AOL destination

    Could have been either one, but the more likely scenario just based upon my eyes parsing the headers was that it was simply a piece of spam sent to an account on your server, which in turn was set up to forward to an AOL account.

    I take it I was correct?

    Mike

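The bottom-to-top walk Mike describes, as an added example that is not part of the thread: it parses the Received headers of the sample message above, puts the hops in delivery order, and reports when the local host (taken from the X-AntiAbuse header) accepted the message from an outside address and immediately handed it to another outside host, which is the relay/forward pattern, together with the Exim id to grep for in exim_mainlog.

```python
import re

# Headers copied from the thread's sample message (addresses as the poster
# anonymised them); the local hostname comes from the X-AntiAbuse header.
RAW_HEADERS = """\
Received: from rly-yc06.mail.aol.com (rly-yc06.mail.aol.com [22.22.22.22]) by air-yc04.mail.aol.com (v120.9) with ESMTP id MAILINYC43-6e74727f47d371; Tue, 30 Oct 2007 23:20:54 -0400
Received: from hostname.mysite.com (hostname.mysite.com [11.11.11.11]) by rly-yc06.mail.aol.com (v120.9) with ESMTP id MAILRELAYINYC61-6e74727f47d371; Tue, 30 Oct 2007 23:20:30 -0400
Received: from 33.33.33.33.dynamic.dsl.as9105.com ([33.33.33.33]) by hostname.mysite.com with esmtp (Exim 4.68) (envelope-from <xijabsentforaweekhub@absentforaweek.de>) id 1In481-0005YM-Co; Tue, 30 Oct 2007 22:20:26 -0500
Received: from [33.33.33.33] by mail.absentforaweek.de; Wed, 31 Oct 2007 03:57:19 +0000
X-AntiAbuse: Primary Hostname - hostname.mysite.com
"""

HOP_RE = re.compile(r"^Received:\s*from\s+(?P<frm>[^\s;]+).*?\bby\s+(?P<by>[^\s;]+)", re.I)
ID_RE = re.compile(r"\bid\s+(?P<id>[^\s;]+)", re.I)
HOST_RE = re.compile(r"^X-AntiAbuse:\s*Primary Hostname\s*-\s*(\S+)", re.I | re.M)


def parse_hops(raw):
    """Return the Received hops in delivery order (oldest first)."""
    hops = []
    for line in raw.splitlines():
        m = HOP_RE.match(line)
        if m:
            idm = ID_RE.search(line)
            hops.append({"from": m.group("frm"), "by": m.group("by"),
                         "id": idm.group("id") if idm else None})
    hops.reverse()  # each MTA prepends its header, so the last one is the first hop
    return hops


def classify(hops, hostname):
    """Decide whether hostname delivered locally or relayed onward."""
    host = hostname.lower()
    for i, hop in enumerate(hops):
        if hop["by"].lower() != host:
            continue
        nxt = hops[i + 1] if i + 1 < len(hops) else None
        if nxt and nxt["from"].lower() == host:
            # Accepted from an outside IP, then sent on to another outside host:
            # either a forwarder or an authenticated sender; exim_mainlog tells which.
            return {"verdict": "relayed", "accepted_from": hop["from"],
                    "sent_to": nxt["by"], "exim_id": hop["id"]}
        return {"verdict": "local", "accepted_from": hop["from"], "exim_id": hop["id"]}
    return {"verdict": "absent"}


if __name__ == "__main__":
    local = HOST_RE.search(RAW_HEADERS).group(1)
    print(classify(parse_hops(RAW_HEADERS), local))
```

On a live server, feed it the full headers of the AOL feedback report and then run `grep <exim_id> /var/log/exim_mainlog` to see which local mailbox accepted the message and where it was routed.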

  5. #5
    Member erinspice's Avatar
    Join Date
    Feb 2006
    Posts
    101

    Default

    Quote Originally Posted by mtindor View Post
    I take it I was correct?
    Yep. Fixing that now. One more thing. Do you know where the configuration for forwarders is stored so I can manage this directly instead of having to log into every user's cPanel to check for forwarding issues?
    Last edited by erinspice; 10-31-2007 at 03:11 PM.

  6. #6
    Member
    Join Date
    Sep 2004
    Location
    inside a catfish
    Posts
    963
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Quote Originally Posted by erinspice View Post
    How is this not a problem for every web host then?
    It is a problem for every webhost - especially if they allow forwarding to domains such as aol.com, hotmail.com, yahoo.com, comcast.net and many others. Many of those mail systems pay attention to forwarded spam and end up blacklisting the sending IP if it receives too many forwarded emails that then are tagged as spam by the recipient.

    And, of course, in the case of AOL users, well, I need not say any more. It's very very typical of AOL users who have other accounts forwarding to their AOL mailboxes to then tag that legitimately forwarded email (spam or not) as spam in their AOL account, thus causing AOL to bark about it.

    Forwarders are almost always a bad idea anymore for this very reason - especially if you are forwarding to the big elephants like AOL, Yahoo, Hotmail, Comcast, and their other associated domains.

    MANY hosting providers have specific TOS rules prohibiting their customers from setting up forwards to domains such as the ones above.

    Mike

  7. #7
    Member erinspice's Avatar
    Join Date
    Feb 2006
    Posts
    101

    Default

    Do you know where the configuration for forwarders is stored so I can manage this directly instead of having to log into every user's cPanel to check for forwarding issues?

    ETA: I found them in /etc/valiases/ . Thanks for your help!
    Last edited by erinspice; 10-31-2007 at 03:21 PM.
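A server-wide audit of the forwarders found in /etc/valiases/, as an added example (not from the thread or from cPanel): it flags every alias that forwards off-server and marks the big freemail destinations Mike warns about. The file layout assumed here is one file per domain with lines of the form `address: destination[, destination]`, where destinations may be a remote address, a local system user, a `"|script"` pipe, or a `:fail:`/`:blackhole:` directive; the sample files are constructed, and the directory reader is the only part that touches the real filesystem.

```python
import os

# Constructed sample in the assumed /etc/valiases/<domain> format.
SAMPLE_VALIASES = {
    "myclient.com": """\
sales@myclient.com: someone@aol.com
info@myclient.com: bob
support@myclient.com: "|/home/myclient/bin/ticket.pl"
old@myclient.com: :fail: No Such User Here
*: :blackhole:
""",
    "other.example": "all@other.example: owner@myclient.com, boss@hotmail.com\n",
}

# Providers the thread singles out as quick to blacklist a forwarding host.
FREEMAIL = {"aol.com", "hotmail.com", "yahoo.com", "comcast.net"}


def external_forwarders(files, local_domains):
    """Yield (domain, alias, destination, is_freemail) for off-server forwards."""
    local = {d.lower() for d in local_domains}
    findings = []
    for domain, text in files.items():
        for line in text.splitlines():
            if not line.strip() or line.startswith("#") or ":" not in line:
                continue
            alias, _, dests = line.partition(":")
            for dest in dests.split(","):
                dest = dest.strip()
                if not dest or dest[0] in ':"|':
                    continue  # :fail:, :blackhole:, or a pipe to a script
                if "@" not in dest:
                    continue  # bare local system account
                ddom = dest.rsplit("@", 1)[1].lower()
                if ddom not in local:
                    findings.append((domain, alias.strip(), dest, ddom in FREEMAIL))
    return findings


def load_valiases(path="/etc/valiases"):
    """Read every per-domain file under path into the dict shape used above."""
    files = {}
    for name in sorted(os.listdir(path)):
        with open(os.path.join(path, name), encoding="utf-8", errors="replace") as fh:
            files[name] = fh.read()
    return files


if __name__ == "__main__":
    files = load_valiases() if os.path.isdir("/etc/valiases") else SAMPLE_VALIASES
    for domain, alias, dest, big in external_forwarders(files, files.keys()):
        print(f"{domain}: {alias} -> {dest}{'  [freemail]' if big else ''}")
```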

  8. #8
    Member
    Join Date
    Sep 2004
    Location
    inside a catfish
    Posts
    963
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Quote Originally Posted by erinspice View Post
    Do you know where the configuration for forwarders is stored so I can manage this directly instead of having to log into every user's cPanel to check for forwarding issues?

    ETA: I found them in /etc/valiases/ . Thanks for your help!
    You're welcome!

    Mike

  9. #9
    Member isputra's Avatar
    Join Date
    May 2003
    Location
    Mbelitar
    Posts
    593

    Default

    Quote Originally Posted by erinspice View Post
    Yep. Fixing that now. One more thing. Do you know where the configuration for forwarders is stored so I can manage this directly instead of having to log into every user's cPanel to check for forwarding issues?
    Or you can install Chirpy's Mail Manage script on your server so you can manage your clients' email accounts without having to log in to each of your clients' cPanels.
    It's me ...... It's me ......
