#1
07-09-2009, 12:57 AM
DWHS.net (cPanel Partner NOC)
Join Date: Jul 2002
Location: LA
Posts: 1,219
How do you tell who is sending mail when it's sent from nobody

I have some spams sent from my server but the sender only says nobody. Anyone know how to track the email to the user who sent it?
__________________
DWHS Inc. - dwhs.net
Web Hosting | Business Favs | Web Hosting Times
#2
07-09-2009, 07:15 AM
acenetgeorge (cPanel Partner NOC)
Join Date: Mar 2008
Posts: 18
Quote:
Originally Posted by DWHS.net View Post
I have some spams sent from my server but the sender only says nobody. Anyone know how to track the email to the user who sent it?
Make sure you have WHM -> Server Config -> Tweak Settings -> Mail -> "Track the origin of messages sent though the mail server by adding the X-Source headers (exim 4.34+ required)" enabled. That may help track down the source.

You may also want to add a line to your Exim Advanced Config. This goes in the first box:

log_selector = +arguments +subject

That will place the subject in the mail log (making it easier to search for the spam in your logs), and the arguments will let you know how it is being generated (sendmail, PHP script, etc.).

Hope this helps!

#3
07-09-2009, 07:14 PM
Spiral (Senior Member)
Join Date: Jun 2005
Location: Area 51
Posts: 1,535

Quote:
Originally Posted by DWHS.net View Post
I have some spams sent from my server but the sender only says nobody. Anyone know how to track the email to the user who sent it?
It is not very easy to track, and though you could add the items acenetgeorge listed above, you are still limited as long as the mail is being sent from a script as the generic user "nobody".

You should already be running SuExec for Apache. If not, I would enable it!

This topic is also one of the biggest reasons to convert your PHP from the normal Apache module (DSO) to SuPHP, as all PHP scripts will then be executed by the account owner instead of the generic user nobody, and if anyone tries to send any spam, it will show up in a heartbeat which account sent the mail and what script, and it is much easier to track!

Using SuPHP for your PHP also gives you many other important advantages in terms of added security that go beyond just email tracking, so it is definitely something you should strongly consider.

Meanwhile, if you set sending limits in "Tweak Settings" and either use the "SMTP Tweak" or, much better, install Chirpy's CSF Firewall and set up the SMTP_BLOCK portion in that script, that will also help control spam from being sent from your server as well.

Right now, without the expanded logging trails or having SuExec or SuPHP running or a good security solution, the only thing you can really do to track the mail already sent is to take a close look at the domain logs in /usr/local/apache/domlogs, the main Apache logs in /usr/local/apache/logs, your maillog in /var/log, and the files in your /tmp folder to determine which site is getting calls to execute a mail script around the same time the mails are being injected into the mail server. Bulk sending a lot of messages often shows up as repeated web calls to some script on an account on your server.

Now once you make the changes both acenetgeorge and I have suggested, it will be much easier to track where the spam is coming from, and if you do all that I said, it will also be much more difficult for anyone to send spam in the first place, but if they do, they will definitely get caught.
__________________
Server Support: Server consulting, security, and management!

#4
07-11-2009, 08:48 AM
blargman (Registered User)
Join Date: Sep 2007
Posts: 69
If you don't have log_selector = all and you don't see a file path for these mails, you really should just do a clamscan of all your public_html's.

for i in /home/*/www ; do clamscan -ri -l /some/log "$i" ; done

Or search the forums here; there are also malware grep search scripts, etc.
#5
08-11-2009, 03:45 AM
DWHS.net (cPanel Partner NOC)
Join Date: Jul 2002
Location: LA
Posts: 1,219
Quote:
Originally Posted by Spiral View Post
Oh cool, so if I use SuPHP it will show the user when email is sent through PHP through the server's mail system, rather than just "nobody".
__________________
DWHS Inc. - dwhs.net
Web Hosting | Business Favs | Web Hosting Times
#6
08-14-2009, 06:10 AM
aneesh.p (Registered User)
Join Date: May 2009
Posts: 6
Edit /etc/exim.conf

log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn

If exim_mainlog shows the spam originating from /tmp of the server, check the file in /tmp of the server. The owner of the file will be seen as nobody:nobody. Take down the time of creation of the file. This time is what we need to find out who uploaded the script. You will need to convert this time into the time format of /usr/local/apache/logs/error_log and then into the format of the domlogs located at /usr/local/apache/domlogs/*

for file in /usr/local/apache/domlogs/*; do grep "example" "$file"; done

(You cannot do a direct grep for the query here, as it will give an error that the argument list is too long.)

Supportpro.com
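The correlation that acenetgeorge (#2), Spiral (#3) and aneesh.p (#6) describe, as an added example that is not code from the thread: it takes the timestamp and working directory from the "cwd=... args:" line that Exim writes when log_selector includes +arguments, converts the Exim timestamp into the Apache domlog format, and greps the domlogs for requests in that minute without hitting "argument list too long". All log lines, the account name user1 and the temp-directory demo are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): tie one "nobody" message in exim_mainlog
# to the web request that produced it. Assumes log_selector has +arguments, so
# Exim logs "cwd=<dir> N args: ..." per locally submitted message. Sample data only.
EXIM_ARGS_LINE='2009-07-09 12:57:01 cwd=/home/user1/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i'
SAMPLE_DOMLOG='203.0.113.5 - - [09/Jul/2009:12:57:00 -0500] "POST /wp-content/uploads/form.php HTTP/1.1" 200 12
198.51.100.9 - - [09/Jul/2009:12:57:02 -0500] "GET /index.html HTTP/1.1" 200 99
203.0.113.5 - - [09/Jul/2009:13:10:00 -0500] "GET / HTTP/1.1" 200 12'

# Exim timestamp "2009-07-09 12:57:01" -> domlog stamp "09/Jul/2009:12:57"
# (minute precision gives a sensible search window).
exim_time_to_apache() {
    ymd=${1%% *}; hms=${1#* }
    y=${ymd%%-*}; md=${ymd#*-}; m=${md%%-*}; d=${md#*-}
    case $m in
        01) mon=Jan;; 02) mon=Feb;; 03) mon=Mar;; 04) mon=Apr;; 05) mon=May;; 06) mon=Jun;;
        07) mon=Jul;; 08) mon=Aug;; 09) mon=Sep;; 10) mon=Oct;; 11) mon=Nov;; 12) mon=Dec;;
        *) return 1;;
    esac
    printf '%s/%s/%s:%s\n' "$d" "$mon" "$y" "${hms%:*}"
}
# Timestamp and working directory of the sending script from the "args:" line.
exim_line_time() { printf '%s\n' "$1" | cut -d' ' -f1-2; }
exim_line_cwd()  { printf '%s\n' "$1" | sed -n 's/.*cwd=\([^ ]*\).*/\1/p'; }
# /home/<account>/... -> <account>: whose domlogs to read first.
account_from_cwd() {
    case $1 in
        /home/*) rest=${1#/home/}; printf '%s\n' "${rest%%/*}";;
        *) return 1;;
    esac
}
# Every request in the domlogs under $2 logged in minute $1. find hands grep
# bounded batches, so a large domlogs directory cannot trigger "argument list
# too long"; no hit at all is a valid result, not an error.
web_hits_in_minute() {
    find "$2" -type f -exec grep -h "\[$1" {} + || true
}
# Self-contained run over the constructed domlog: prints the two 12:57 requests.
demo_hits() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' "$SAMPLE_DOMLOG" > "$dir/example.com"
    stamp=$(exim_time_to_apache "$(exim_line_time "$EXIM_ARGS_LINE")")
    web_hits_in_minute "$stamp" "$dir"
    rm -rf "$dir"
}
demo_hits
```

On a real cPanel box, point web_hits_in_minute at /usr/local/apache/domlogs and start with the account account_from_cwd names; the POST that lands in the same minute as the Exim line is usually the script Spiral's post tells you to look for.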