
Thread: Somebody is emailing from my server as NOBODY!

  1. #1
    ozzi4648
    Guest

    Somebody is emailing from my server as NOBODY!

    Ok, well just another major bug to add to the literally 30 or 40.

    Somebody was sending out email from my server as nobody@srv08.primenet.cc with the option checked under tweaks. How come?

    2003-03-14 21:51:59 18u4aM-0004tA-00 <= nobody@srv08.primenet.cc U=nobody P=local S=2171
    2003-03-14 21:52:00 18u4aM-0004tA-00 => wyatt@t2.net R=lookuphost T=remote_smtp H=helix.t2.net [216.174.158.107]
    2003-03-14 21:52:00 18u4aM-0004tA-00 Completed
    2003-03-14 21:52:04 18u4aS-0004tF-00 <= nobody@srv08.primenet.cc U=nobody P=local S=2189
    2003-03-14 21:52:05 18u4aS-0004tF-00 => Dyew@prodigy.net R=lookuphost T=remote_smtp H=mx1.prodigy.net [207.115.63.20]
    2003-03-14 21:52:05 18u4aS-0004tF-00 Completed
    2003-03-14 21:52:09 18u4aX-0004tH-00 <= nobody@srv08.primenet.cc U=nobody P=local S=2234
    2003-03-14 21:52:09 18u4aX-0004tH-00 => empireofnothing@hotmail.com R=lookuphost T=remote_smtp H=mx1.hotmail.com [65.54.252.99]
    2003-03-14 21:52:09 18u4aX-0004tH-00 Completed
    2003-03-14 21:52:14 18u4ac-0004tJ-00 <= nobody@srv08.primenet.cc U=nobody P=local S=2202
    2003-03-14 21:52:14 18u4ac-0004tJ-00 => mattman917@yahoo.com R=lookuphost T=remote_smtp H=mx2.mail.yahoo.com [64.156.215.5]
    2003-03-14 21:52:14 18u4ac-0004tJ-00 Completed
    2003-03-14 21:52:19 18u4ah-0004tL-00 <= nobody@srv08.primenet.cc U=nobody P=local S=2187
    2003-03-14 21:52:19 18u4ah-0004tL-00 => rob1150@infi.net R=lookuphost T=remote_smtp H=mx04.mindspring.com [207.69.200.198]
    2003-03-14 21:52:19 18u4ah-0004tL-00 Completed
    2003-03-14 21:52:24 18u4am-0004tN-00 <= nobody@srv08.primenet.cc U=nobody P=local S=2209
    2003-03-14 21:52:27 18u4am-0004tN-00 => YellaFella215@aol.com R=lookuphost T=remote_smtp H=mailin-03.mx.aol.com [64.12.136.249]
    2003-03-14 21:52:27 18u4am-0004tN-00 Completed
    2003-03-14 21:52:29 18u4ar-0004tP-00 <= nobody@srv08.primenet.cc U=nobody P=local S=2208
    2003-03-14 21:52:31 18u4at-0004tE-00 <= price@escriptions.friends.snappi.net H=(smtp61.gooberfoob.com) [66.101.183.61] P=smtp S=6815 id=1047708163.8306@smtp61.gooberfoob.com
    2003-03-14 21:52:32 18u4at-0004tE-00 => fairy <fairy@poetsmind.com> D=virtual_sa_user T=virtual_sa_userdelivery
    2003-03-14 21:52:32 18u4at-0004tE-00 Completed
    2003-03-14 21:52:34 18u4aw-0004tX-00 <= nobody@srv08.primenet.cc U=nobody P=local S=2205
    2003-03-14 21:52:34 18u4aw-0004tX-00 ohio.mgw.rr.com [65.32.1.49]: Connection refused
    2003-03-14 21:52:37 18u4aw-0004tX-00 => mtellep@cinci.rr.com R=lookuphost T=remote_smtp H=ohio.mgw.rr.com [24.29.99.40]
    2003-03-14 21:52:37 18u4aw-0004tX-00 Completed
    2003-03-14 21:52:39 18u4b1-0004ta-00 <= nobody@srv08.primenet.cc U=nobody P=local S=2198
    2003-03-14 21:52:39 18u4b1-0004ta-00 => Joseph10786@aol.com R=lookuphost T=remote_smtp H=mailin-03.mx.aol.com [64.12.136.249

    See for yourself!

  2. #2
    zex

    All scripts and web forms for sending e-mail are actually sending mail as user nobody. If someone is using your server as a relay for spamming, then some of your customers have a badly configured formmail.pl script which allows spammers to send a bunch of mails.
    Check for the existence of the formmail.pl script on your server:
    find /home -name formmail.pl -print
    Signed,
    Dzevad Hadzic
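
The log in the first post can be triaged along these lines. This is an added example, not code posted by anyone in the thread: in an Exim main log, an arrival line (`<=`) carrying `P=local` and `U=nobody` is a message injected on the machine itself by the Unix user `nobody` (typically the web server), not one relayed in over SMTP. The script pairs those arrivals with their remote deliveries and counts them per minute. The sample log is constructed, with placeholder hosts and addresses, and the function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample in Exim main-log format; hosts and addresses are placeholders.
SAMPLE_LOG = """\
2003-03-14 21:51:59 18u4aM-0004tA-00 <= nobody@host.example U=nobody P=local S=2171
2003-03-14 21:52:00 18u4aM-0004tA-00 => a@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.10]
2003-03-14 21:52:00 18u4aM-0004tA-00 Completed
2003-03-14 21:52:04 18u4aS-0004tF-00 <= nobody@host.example U=nobody P=local S=2189
2003-03-14 21:52:05 18u4aS-0004tF-00 => b@example.org R=lookuphost T=remote_smtp H=mx.example.org [192.0.2.20]
2003-03-14 21:52:31 18u4at-0004tE-00 <= s@example.com H=(relay.example.com) [192.0.2.61] P=smtp S=6815
2003-03-14 21:52:32 18u4at-0004tE-00 => fairy <fairy@site.example> D=virtual_sa_user T=virtual_sa_userdelivery
2003-03-14 21:52:34 18u4aw-0004tX-00 <= nobody@host.example U=nobody P=local S=2205
2003-03-14 21:52:34 18u4aw-0004tX-00 mx.example.info [192.0.2.49]: Connection refused
"""

# date + HH:MM (seconds dropped), message id, direction, first address, remaining fields
LINE = re.compile(r"^(\S+ \d\d:\d\d):\d\d (\S+) (<=|=>) (\S+)(.*)$")
FIELD = re.compile(r"\s([A-Za-z]+)=(\S+)")

def web_user_mail(log_text, web_user="nobody"):
    """Return {msg_id: {"minute", "sender", "rcpts"}} for local submissions by web_user."""
    msgs = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # "Completed", connection errors and other non-arrow lines
        minute, msg_id, arrow, addr, rest = m.groups()
        fields = dict(FIELD.findall(rest))
        if arrow == "<=":
            # P=local + U=<user>: injected on this box by that Unix user, not via SMTP
            if fields.get("P") == "local" and fields.get("U") == web_user:
                msgs[msg_id] = {"minute": minute, "sender": addr, "rcpts": []}
        elif msg_id in msgs and fields.get("T") == "remote_smtp":
            msgs[msg_id]["rcpts"].append(addr)  # delivered off-box
    return msgs

def bursts(msgs, threshold):
    """Minutes in which at least `threshold` such messages were accepted."""
    per_minute = Counter(m["minute"] for m in msgs.values())
    return {minute: n for minute, n in per_minute.items() if n >= threshold}

if __name__ == "__main__":
    found = web_user_mail(SAMPLE_LOG)
    for mid, info in found.items():
        print(mid, info["minute"], info["sender"], info["rcpts"])
    print("bursts:", bursts(found, threshold=2))
```

A message with an empty recipient list, like the last one in the sample, has been accepted but not yet delivered, so it is still in the queue where its headers and body can be inspected.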

  3. #3
    ozzi4648
    Guest

    Originally posted by zex
    All scripts and web forms for sending e-mail are actually sending mail as user nobody. If someone is using your server as a relay for spamming, then some of your customers have a badly configured formmail.pl script which allows spammers to send a bunch of mails.
    Check for the existence of the formmail.pl script on your server:
    find /home -name formmail.pl -print

    I have identified the user, who is supposedly running a legit business; however, what I don't like seeing is email going out as nobody@myhost.com and powerful@myhost.com. There are no such users on the board. This user does not have an email account called powerful@hisdomin.com. He has sent out 1700 emails between 9 and 10pm. Some of his mail got stuck in the queue so I was able to find out who it is.

    Anyone know how I can ban the user from sending out email using exim? Removing his MX record is good enough I suppose.

    And on a server with 260 sites, executing that command would just bog down the server.
    Last edited by ozzi4648; 03-15-2003 at 12:50 AM.

  4. #4
    FWC

    Originally posted by ozzi4648
    Some of his mail got stuck in the queue so I was able to find out who it is.
    Stuck mail can be your best friend at times. It's how I've caught a few people trying to spam. Nothing like one of them getting your main server IP on spam lists. Great fun...
