Thread: spam sent from my server, but not in exim logs and without my headers...

  1. #1
    Member
    Join Date
    Jun 2002
    Posts
    198

    spam sent from my server, but not in exim logs and without my headers...

    My server is getting reported to Spamcop for spam every 3 to 4 days for the past 2 weeks, which means I am almost always listed.

    The last one lists me like this:

    Received: from [MY IP] by web40122.mail.yahoo.com via HTTP;

    Spamcop reports:

    host web40122.mail.yahoo.com (checking ip) ip not found ; web40122.mail.yahoo.com discarded as fake.
    cannot find an mx for web40122.mail.yahoo.com
    cannot find an mx for mail.yahoo.com
    Chain test failed

    But in the other cases it was different; it was through hotmail.com.

    Does anyone have any idea how the spammer is able to send?

    I have phpsuexec installed.

    I checked my exim logs and nothing is in there.

    Is it possible the spammer is making an external connection via SMTP? Is there a firewall I can install to block him?

    Is it possible the spammer is forging my IP?

    More details:

    (replaced my IP and my hostname)
    --------------------------------------------------------

    From klpvsbmdmy@yahoo.com Thu Feb 5 16:40:18 2004
    Return-Path: <klpvsbmdmy@yahoo.com>
    Delivered-To: spamcop-net-x
    Received: (qmail 14084 invoked from network); 5 Feb 2004 13:54:03 -0000
    Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101)
    by blade1.cesmail.net with SMTP; 5 Feb 2004 13:54:03 -0000
    Received: (qmail 354 invoked from network); 5 Feb 2004 13:54:03 -0000
    Received: from MYHOSTNAME (HELO web40195.mail.yahoo.com)
    (MY IP)
    by mailgate.cesmail.net with SMTP; 5 Feb 2004 13:54:03 -0000
    From: klpvsbmdmy yahoocom <klpvsbmdmy@yahoo.com>
    Return-Path: <klpvsbmdmy@yahoo.com>
    Message-ID: <2004__________________mail@web40122.mail.yahoo.com>
    Received: from [MY IP] by web40122.mail.yahoo.com via HTTP;
    Thu, 05 Feb 2004 08:54:02 EST
    Date: Thu, 5 Feb 2004 08:54:02 EST
    Reply-To: klpvsbmdmy yahoocom <klpvsbmdmy@yahoo.com>
    Subject: Unusual family pleasures
    To: x spamcopnet <x>
    Mime-Version: 1.0
    Content-Type: multipart/mixed; boundary="----------07814923CB91A4"
    X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade1
    X-Spam-Level: *
    X-Spam-Status: hits=1.6
    tests=HTML_50_60,HTML_IMAGE_ONLY_08,HTML_MESSAGE,
    HTML_TITLE_EMPTY version=2.63
    X-SpamCop-Checked: 192.168.1.101 MY IP MY IP
    The Root, The Root, The Root is on FIRE !!!

  2. #2
    Member
    Join Date
    Jun 2003
    Posts
    280


    Something's probably making a direct connection to the remote server via port 25 (bypassing exim). Try the "SMTP Tweak" under "Tweak Security" and see if that helps.

  3. #3
    Member
    Join Date
    Jun 2002
    Posts
    198


    Gee, thanks!!!

    I didn't know about this one....

    I hope it will work!

  4. #4
    Member
    Join Date
    Jun 2002
    Posts
    198


    Is there any way to see a log of SMTP connections that were allowed in the past but are now prevented by this tweak?

    I wanna know if I stopped him!

  5. #5
    Member
    Join Date
    Jun 2002
    Posts
    198


    > Something's probably making a direct connection to the remote server via port 25 (bypassing exim). Try the "SMTP Tweak" under "Tweak Security" and see if that helps.

    Doesn't help at all.... all mail() from PHP is blocked. Any other options???

    I want to block the spammer from bypassing the log, not from bypassing mail().

  6. #6
    Registered User
    Join Date
    Nov 2003
    Posts
    1


    AFAIK it is not possible to block easily.

    One could theoretically use iptables to mark packets depending on UID and then disallow all outbound traffic to port 25 except for those UIDs you like (the mail server's UID).
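As an added example (not code posted in this thread), here is what the iptables approach described in this post looks like in practice, with the log of blocked attempts that post #4 asked for; the Exim user name mailnull and the chain name SMTP_EGRESS are assumptions.

```shell
#!/bin/sh
# Restrict outbound SMTP (tcp/25) to root and the mail server's own UID.
# Any other process that opens a connection to a remote port 25 is logged
# with its UID and rejected, so a proxy or script in a hosted account can
# neither relay spam directly nor do it invisibly.
# Assumption: the MTA user is cPanel's Exim user "mailnull"; verify on the
# box with: id -u mailnull  (or grep exim_user /etc/exim.conf).
#
# usage: smtp_egress_rules <mail_uid> [apply]
#   e.g. smtp_egress_rules "$(id -u mailnull)"         # print rules for review
#        smtp_egress_rules "$(id -u mailnull)" apply   # install them (as root)
smtp_egress_rules() {
    mail_uid=$1
    mode=${2:-print}
    case $mail_uid in
        ''|*[!0-9]*) echo "smtp_egress_rules: numeric mail UID required" >&2; return 2 ;;
    esac
    # Dedicated chain so the rules can be flushed/reloaded as a unit.
    # -m owner is only valid for locally generated packets (OUTPUT path),
    # where the sending process's UID is known.
    # --syn: match connection attempts only, so one log line per connection.
    # --log-uid: write the offending UID to the kernel log (dmesg, /var/log/messages).
    set -- \
      "-N SMTP_EGRESS" \
      "-A SMTP_EGRESS -m owner --uid-owner 0 -j ACCEPT" \
      "-A SMTP_EGRESS -m owner --uid-owner $mail_uid -j ACCEPT" \
      "-A SMTP_EGRESS -m limit --limit 10/min -j LOG --log-prefix SMTP_BLOCK: --log-uid" \
      "-A SMTP_EGRESS -j REJECT --reject-with tcp-reset" \
      "-I OUTPUT -p tcp --dport 25 --syn -j SMTP_EGRESS"
    for rule in "$@"; do
        if [ "$mode" = apply ]; then
            iptables $rule    # unquoted on purpose: split the rule into arguments
        else
            echo "iptables $rule"
        fi
    done
}
```

Blocked attempts then appear in the kernel log prefixed SMTP_BLOCK: together with the UID of the process that made them, which is the evidence post #4 wanted that the spammer is actually stopped and which account to look at.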

  7. #7
    Member
    Join Date
    May 2003
    Location
    Texas
    Posts
    106


    If you've gotten to the bottom of this, please let me know. I have the same situation on one server, and can't figure it out.

  8. #8
    Member
    Join Date
    Sep 2003
    Posts
    14


    I'm interested to know too. I'm having the same problem, and don't know how to stop it.

  9. #9
    Member
    Join Date
    May 2003
    Location
    Texas
    Posts
    106


    I finally figured it out on my server.

    It was an account we were hosting. They had uploaded a proxy server named httpd.cgi into their /cgi-bin which was being used to send out spam whose headers said it came from our server but which was not recorded in the exim mail logs.

    Anybody still having this problem should look through their accounts for proxy servers. I went to SpamCop to check the date of the first spam report, and then started by looking at accounts opened shortly before that. This narrowed down the search and let me find him quickly.

  10. #10
    Member
    Join Date
    Sep 2003
    Posts
    14


    Thanks Pete,

    I was just coming over to post this very thing. While I will not put the user's personal details here, I will make them available to anyone who makes a request by emailing me. Anything that can be done to stop these clowns, I'm willing to do. I just got it figured out a couple of hours ago, and the spammer has long since been deleted.

  11. #11
    Member
    Join Date
    May 2003
    Location
    Texas
    Posts
    106


    Great news! Hopefully this thread will help the next host who runs into this.

    By the way, SpamCop showed me the headers on the spam. There were a few distinctive things, like a server name of localhost.localhost and the same return address at yahoo.it. Turns out he had a template e-mail in the same directory with this information in it. So another quick way to locate the offending account would have been:

    grep -r localhost.localhost /home/*

    or

    grep -r xyz@yahoo.it /home/*

    Just thought I'd add this in case it helps the next guy.
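An added example, not code from this thread, that scripts the two searches described in posts #9 and #11: grep every hosted account for strings lifted from the spam headers and report which account each hit belongs to, and list executable files under any cgi-bin, where the httpd.cgi proxy lived. The /home/<account>/public_html layout and the indicator values in the usage line are assumptions.

```shell
#!/bin/sh
# find_spam_indicators: search all accounts under <root> for any of the given
# fixed strings (HELO name, Message-ID domain, return address from the spam
# headers) and print "<account>\t<file>" for every file that contains one.
# list_cgi_executables: list owner-executable files under any cgi-bin directory.
# Assumes cPanel's /home/<account>/... layout; the indicator values below are
# constructed for this example, not real spam data.
#
# usage: find_spam_indicators /home localhost.localhost xyz@yahoo.it
#        list_cgi_executables /home
find_spam_indicators() {
    root=${1%/}; shift                      # drop a trailing slash so prefix stripping works
    [ $# -gt 0 ] || { echo "usage: find_spam_indicators <root> <indicator>..." >&2; return 2; }
    # -F: fixed strings, so the dots in host names are not regex wildcards.
    # -l: file names only. One -e per indicator: any of them counts as a hit.
    args=""
    for ind in "$@"; do args="$args -e $ind"; done
    grep -rlF $args "$root" 2>/dev/null | sort -u | while IFS= read -r f; do
        acct=${f#"$root"/}                  # strip the root prefix ...
        acct=${acct%%/*}                    # ... leaving the account directory name
        printf '%s\t%s\n' "$acct" "$f"
    done
}

list_cgi_executables() {
    root=${1%/}
    # -perm -100: owner-executable, the bit a CGI needs in order to run at all.
    find "$root" -path '*/cgi-bin/*' -type f -perm -100 2>/dev/null | sort
}
```

Cross-checking the account reported by the first function against recently created accounts (the date of the first SpamCop report, as in post #9) narrows the search further.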

  12. #12
    Member
    Join Date
    Apr 2004
    Posts
    6


    I am having this same problem too... :S
