  1. #1
    cPanel Partner NOC cPanel Partner NOC Badge
    Join Date
    Sep 2002
    Posts
    61

    Default Mail Server (EXIM) Someone is sending SPAM and i cannot trac

    Hello All,

    I have a very very serious problem here. Would really appreciate any assistance or suggestion. You may contact me at
    myxoxo@netspace.net.au.

    Someone is sending out a lot of emails from my server (exim), about 40,000 of them, and most of them to .ru and .ua

    I have tried but I do not have a clue who he is, whether it is an internal (client) or external spammer.
    I have included the mail he is trying to send below. It was obtained from the mail queue (including all headers, etc.)
    17lvXN-0002Yo-00-H
    nobody 99 99

    1030989777 0
    -ident nobody
    -received_protocol local
    -body_linecount 30
    -auth_id nobody
    -auth_sender nobody@ez1.ezhostings.net
    -local
    XX
    1
    alexsander@ic.dcn-asu.ru

    154P Received: from nobody by ez1.ezhostings.net with local (Exim 3.35 #1)
    id 17lvXN-0002Yo-00
    for alexsander@ic.dcn-asu.ru; Mon, 02 Sep 2002 13:02:57 -0500
    029T To: alexsander@ic.dcn-asu.ru
    010 Subject:
    024F From: konkurs-na@nm.ru
    076 Subject: =?koi8-r?B?9/Ll7fEg9+zh8/T39eX0IO7h5CD38+XtLCDr8u/t5SDt+fPs6Q==?=
    038 Date: Mon, 2 Sep 2002 11:42:05 +0400
    019 MIME-Version: 1.0
    093 Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0010_01C25275.C4587D20"
    015 X-Priority: 3
    027 X-MSMail-Priority: Normal
    013 X-Unsent: 1
    058 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
    051I Message-Id:


    17lvXN-0002Yo-00-D

    This is a multi-part message in MIME format.

    ------=_NextPart_000_0010_01C25275.C4587D20
    Content-Type: text/plain;
    charset="koi8-r"
    Content-Transfer-Encoding: quoted-printable

    www.newacropol.ru=20

    ------=_NextPart_000_0010_01C25275.C4587D20
    Content-Type: text/html;
    charset="koi8-r"
    Content-Transfer-Encoding: quoted-printable








    www.newacropol.ru=20


    ------=_NextPart_000_0010_01C25275.C4587D20--


    If you have any idea....or suggestion on...which area I should look at, please let me know. Any wild suggestion or idea will be very very much appreciated. It has been 3 days and I am still working on it. Thank you once again.

    I have also contacted my distributor and he is confident that it is not a Formmail.pl exploit.
    Anyway, I have deleted all previous versions of formmail except the latest one.

    Another thing is that when he starts to SPAM, I notice that this process /usr/local/apache/bin/httpd-DSSL (owned by nobody) will become very high, at about 60% cpu usage, and it bogs down the whole server.

    2. Even if I stop exim, the mails will still be queuing.

    If you want me to provide further information so you can analyse the situation further, please contact me at myxoxo@netspace.net.au

    I will try to get them for you asap.

    Any help, assistance, suggestion is much appreciated.
    Thank You

    Albert.

  2. #2
    cPanel Partner NOC cPanel Partner NOC Badge
    Join Date
    Sep 2002
    Posts
    61

    Default

    I have checked and my server is NOT an open relay.
    Did some tests from abuse.net and it said my server is not an open relay.
    So, would I be right if I say that the SPAM is coming from one of my customers?

    Thank You..and please suggest any idea or ways to track him down.
    Thank You so much.

  3. #3
    Member
    Join Date
    Aug 2001
    Posts
    124

    Default

    Yes, it is likely a perl script running from one of your customers. Take a look at the scripts running on your server and at the sendmail / exim processes. Also check your logs. It is most likely sent by sendmail.
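
    Added example (not part of any post in this thread): the spool header quoted in the first post records who handed the message to Exim. This Python code parses a constructed `-H` file in the same layout and classifies each queued message by origin; the sample addresses, the `web_users` list and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the layout of the -H spool file quoted in post #1.
# Message id, host names and addresses are placeholders, not thread values.
SAMPLE_H = """\
1AbCdE-0000Fg-00-H
nobody 99 99
<nobody@host.example.net>
1030989777 0
-ident nobody
-received_protocol local
-auth_id nobody
-local
XX
1
rcpt@example.org

021T To: rcpt@example.org
026F From: someone@example.com
"""

HEADER = re.compile(r"^(\d{3})(.) (.*)")  # length, flag character, header text

def parse_spool_header(text):
    lines = text.splitlines()
    login, uid, gid = lines[1].split()
    msg = {"id": lines[0][:-2], "login": login, "uid": int(uid), "gid": int(gid),
           "envelope_from": lines[2].strip("<>"),
           "received": int(lines[3].split()[0]), "options": {}}
    i = 4
    while lines[i].startswith("-"):        # option lines: "-name [value]"
        name, _, value = lines[i][1:].partition(" ")
        msg["options"][name] = value or True
        i += 1
    while not lines[i].isdigit():          # skip non-recipient tree ("XX" = empty)
        i += 1
    count = int(lines[i])
    msg["recipients"] = lines[i + 1:i + 1 + count]
    # Continuation lines of folded headers are ignored in this example.
    msg["headers"] = [m.group(2, 3) for m in map(HEADER.match, lines[i + 2 + count:]) if m]
    return msg

def origin(msg, web_users=("nobody", "apache", "www-data")):  # assumed account names
    opts = msg["options"]
    if opts.get("received_protocol") == "local" or opts.get("local"):
        return ("web-script" if msg["login"] in web_users else "local-user", msg["login"])
    return ("smtp", opts.get("host_address", "unknown"))

def tally(spool_texts):
    """Count queued messages per (origin kind, user or remote address)."""
    return Counter(origin(parse_spool_header(t)) for t in spool_texts)
```

    A `web-script` result owned by the shared web-server account does not name the customer by itself; the `received` epoch is the time to look up in the web server's access logs.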

  4. #4
    cPanel Partner NOC cPanel Partner NOC Badge
    Join Date
    Sep 2002
    Posts
    61

    Default

    I have kinda stopped the SPAM but I even stopped (I'm not sure what I did)

    mails cannot be sent out from the httpd process, i.e. mail cannot be sent out via FormMail.pl or any other script that sends mail via the server.

    Any assistance?
    Can someone...pls pls pls....post their default /etc/exim.conf file here so I can check what I have changed.
    Please....

    Many thanks!

  5. #5
    cPanel Partner NOC cPanel Partner NOC Badge
    Join Date
    Sep 2002
    Posts
    61

    Default

    That problem has been fixed!
    thanks all!

  6. #6
    Member
    Join Date
    Jul 2002
    Posts
    350

    Default

    Hi albertg

    I was also affected by the same problem on one of my servers: a user signed up and immediately started sending thousands of mails. Although I terminated his account within 4 hours of activation, the damage had already been done.

    Could you tell me what method you applied or followed, or what changes you made to exim so that it does not happen again?

    Expecting to hear from you soon.

    Regards/-

  7. #7
    cPanel Partner NOC cPanel Partner NOC Badge
    Join Date
    Sep 2002
    Posts
    61

    Default

    please check exim.org and add additional command that will improve the 'checks' exim does before a mail is being sent out.

  8. #8
    Member
    Join Date
    Aug 2001
    Posts
    80

    Default

    Originally posted by albertg
    please check exim.org and add additional command that will improve the 'checks' exim does before a mail is being sent out.

    That is not helping us who have the same problem.
    can you tell us what steps to take now that you know?

    thanks
    Knowledge is Sharing.....

  9. #9
    Member
    Join Date
    Sep 2001
    Posts
    87

    Default

    I'm interested in this as well. Does anyone know what the extra check commands are that I can configure into Exim?

  10. #10
    Member
    Join Date
    Feb 2004
    Posts
    24

    Default

    Originally posted by albertg
    please check exim.org and add additional command that will improve the 'checks' exim does before a mail is being sent out.
    Would you share what you have found?
