Server used In Spam Sending

[viisage]

Since the 7th of December, my server has been the subject of massive spam sending everyday. They have been sending about 1000 emails out at a time.

The bad thing is that they are showing up as me. They are sending advertisments for my web hosting services.

I have checked and made sure all 1.6 versions of formmail are deleted.

I have added rbl_domains =
to exim.conf and restarted exim, numerous times.

This morning the bounced back emails were almost 700. I cannot live like this anymore!

Cpanel support has been of no help really since it started, nor has my NOC.

Can someone help me get this fixed please as soon as possible?

I just dont know what else to do.//viisage

[techark]

Have you greped exim_mainlog to find the sending IP number?
Once you get that null route them from your server.

[viisage]

How do I do that? I would like to barr these ip's from the server completly.//

[techark]

/sbin/route add -host xxx.xxx.xxx.xxx reject

where xxx is the IP to ban

This will kill all incoming and outgoing connections from that IP until you reboot the server.

However, if you reboot the server, the null route is gone.

If you would like to save the null route after rebooting to protect you in the future, add the command to /etc/rc.d/rc.local and it will re-execute them when the server comes back online.

[viisage]

If I look at exim_mainlog, how can I tell which ip to add?

[viisage]

Here is the first instance of the issue from exim_mainlog:

600 2002-12-07 15:41:38 18Kndi-0005rI-00 &= hi@elite-domains.com H=(ttoqmil) [64.35.163.110] P=smtp S=1247 id=qhohpmjopoljlbkrdhsolmahggdlbn@Jim
601 2002-12-07 15:41:38 18Kndi-0005rI-00 =& mail &25@elite-domains.com& D=virtual_user T=virtual_userdelivery

[viisage]

Actually, here is a better example. Can you add a ip address range?

623 2002-12-07 15:41:46 18Kndp-0005rR-00 &= hi@elite-domains.com H=(fkaicgo) [64.35.163.110] P=smtp S=1250 id=atdjcrhneobriolhdhlnknsklchrmq@Mike
624 2002-12-07 15:41:46 18Kndp-0005rP-00 =& elitedomains@hotmail.com &21@elite-domains.com& R=lookuphost T=remote_smtp H=mx1.hotmail.com [65.54.166.99]
625 2002-12-07 15:41:46 18Kndp-0005rR-00 =& mail &18@elite-domains.com& D=virtual_user T=virtual_userdelivery
626 2002-12-07 15:41:46 18Kndp-0005rR-00 =& elitedomains@hotmail.com &18@elite-domains.com& R=lookuphost T=remote_smtp H=mx1.hotmail.com [65.54.254.129]
627 2002-12-07 15:41:47 18Kndr-0005rU-00 &= hi@elite-domains.com H=(kgtihsb) [64.35.163.110] P=smtp S=1250 id=ailghslclhqiasqrboaephcrgnnejk@Bill
628 2002-12-07 15:41:47 18Kndr-0005rU-00 =& mail &75@elite-domains.com& D=virtual_user T=virtual_userdelivery
629 2002-12-07 15:41:48 18Kndr-0005rU-00 =& elitedomains@hotmail.com &75@elite-domains.com& R=lookuphost T=remote_smtp H=mx4.hotmail.com [65.54.254.151]
630 2002-12-07 15:41:48 18Knds-0005rV-00 &= hi@elite-domains.com H=(gfrhchg) [64.35.163.110] P=smtp S=1252 id=qbsoqrlcbrpjsoehhcnhhrkebjpkek@James
631 2002-12-07 15:41:48 18Knds-0005rV-00 =& mail &65@elite-domains.com& D=virtual_user T=virtual_userdelivery
632 2002-12-07 15:41:49 18Knds-0005rV-00 =& elitedomains@hotmail.com &65@elite-domains.com& R=lookuphost T=remote_smtp H=mx4.hotmail.com [65.54.253.230]
633 2002-12-07 15:41:51 18Kndv-0005rS-00 &= hi@elite-domains.com H=(osgecke) [64.35.163.110] P=smtp S=1250 id=mqrbhentkekahnqeiojqiqsskqgsfq@Alex
634 2002-12-07 15:41:51 18Kndv-0005rS-00 =& mail &56@elite-domains.com& D=virtual_user T=virtual_userdelivery
635 2002-12-07 15:41:52 18Kndv-0005rS-00 =& elitedomains@hotmail.com &56@elite-domains.com& R=lookuphost T=remote_smtp H=mx4.hotmail.com [65.54.254.151]
636 2002-12-07 15:41:52 18Kndw-0005rT-00 &= hi@elite-domains.com H=(tpencol) [64.35.163.110] P=smtp S=1248 id=hdjlhrspsmkmbkebliaddiajjcbsih@Jim
637 2002-12-07 15:41:52 18Kndw-0005rT-00 =& mail &71@elite-domains.com& D=virtual_user T=virtual_userdelivery
638 2002-12-07 15:41:53 18Kndw-0005rT-00 =& elitedomains@hotmail.com &71@elite-domains.com& R=lookuphost T=remote_smtp H=mx4.hotmail.com [65.54.254.151]
639 2002-12-07 15:41:53 18Kndx-0005rW-00 &= hi@elite-domains.com H=(rbqhfgl) [64.35.163.110] P=smtp S=1250 id=fkearckcnqmpeaceadgkitrpmcdfds@Adam
640 2002-12-07 15:41:53 18Kndx-0005rW-00 =& mail &70@elite-domains.com& D=virtual_user T=virtual_userdelivery
641 2002-12-07 15:41:54 18Kndx-0005rQ-00 &= hi@elite-domains.com H=host-64-110-87-26.interpacket.net (qjktcfk) [64.110.87.26] P=smtp S=1283 id=gimgmmhjqcsccsgnedbhphnkhletle@Joan
642 2002-12-07 15:41:54 18Kndx-0005rW-00 =& elitedomains@hotmail.com &70@elite-domains.com& R=lookuphost T=remote_smtp H=mx1.hotmail.com [65.54.166.99]
643 2002-12-07 15:41:54 18Kndx-0005rQ-00 =& mail &27@elite-domains.com& D=virtual_user T=virtual_userdelivery

[techark]

You can add a server name or domain address instead of IP number.

627 2002-12-07 15:41:47 18Kndr-0005rU-00 &= hi@elite-domains.com H=(kgtihsb) [64.35.163.110] P=smtp S=1250 id=ailghslclhqiasqrboaephcrgnnejk@Bill

64.35.163.110 that is your IP address also I think you can null the &ailghslclhqiasqrboaephcrgnnejk@Bill& although I have not tried it.

[viisage]

Just to be clear ( I really appreciate your help!) when you say &64.35.163.110 that is your IP address&

Do you mean that is the ip address I would want to barr? //viisage

[techark]

&= hi@elite-domains.com that part tells you it is sending mail [64.35.163.110] that part tells you that is the IP that is connecting to your server.

So yeah if you are sure that is an offending mail that is an IP you would want to ban.

But be aware that means anyone coming from that IP is blocked so if it is like and AOL IP you could end up blocking half the internet.