Thread: Spamming problem...

  1. #1
    Registered User
    Join Date
    Jan 2004
    Posts
    30

    Spamming problem...

    Hi,

    I've been getting problems with my server mail over the last few days, and am at a loss to see where the problem is coming from. Nothing appears in my exim_mainlog file. It's blank!

    In the maillog file it gives me troubling info, like the following:

    Apr 5 07:39:01 server cpanelpop[3415]: Login host=xx.xx.xx.xx. ip= user=xxx@xxx.net realuser=xxx@xxx.net
    Apr 5 07:54:40 server cpanelpop[3415]: Session Closed host=xx.xx.xx.xx ip= user=xxx@xxx.net realuser=xxx@xxx.net totalxfer=10833183
    I don't know if it's me reading incorrectly or what, but the above appears to indicate transfer of over 10 MILLION mail messages!! Is this correct?

    This has been happening for days now. My mail queue has been jammed full, and at the last clear, there were over 49,000 messages clogging up the mail queue. The mail messages are all mail delivery failures. It has caused 2 crashes of the server in 3 days.
    I have AFP installed, brute force, roothunter kits and more, and am currently installing (or trying to install!!) mod_security rules.

    But I have no idea where these problems are originating. The usernames identified in the maillog and the IP address include many email addresses that are actually MY OWN! Including the one which I posted above.

    I can download and upload megabytes of data to and from my server in minutes, such is my connection, so certainly it could cater for the suggested volume. But these events are happening AFTER whenever I LOG OFF from my server, and close my pc down for the night, and I always disconnect it from the mains supply.

    Does anybody have any idea what might be going on here, and how I might find a solution to it?

    Thanx
    Last edited by gordypordy; 04-05-2006 at 08:09 AM.

  2. #2
    Member
    Join Date
    Jan 2005
    Posts
    1,880

    Quote Originally Posted by gordypordy
    I don't know if it's me reading incorrectly or what, but the above appears to indicate transfer of over 10 MILLION mail messages!! Is this correct?
    No, that's more likely the number of bytes transferred in the given session.
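The log lines in post #1 can be checked mechanically, reading `totalxfer` as a byte count as post #2 suggests. This is an added example, not code from the thread: the sample hosts and users are constructed placeholders, and pairing `Login` with `Session Closed` by the `cpanelpop[PID]` value is an assumption based on both quoted lines sharing the same PID.

```python
import re
from datetime import datetime

# Constructed sample in the cpanelpop maillog format quoted in post #1
# (hosts and users are placeholders, not data from the thread).
SAMPLE_LOG = """\
Apr 5 07:39:01 server cpanelpop[3415]: Login host=host-a.example ip= user=alice@example.net realuser=alice@example.net
Apr 5 07:40:10 server cpanelpop[3502]: Login host=host-b.example ip= user=bob@example.net realuser=bob@example.net
Apr 5 07:40:12 server cpanelpop[3502]: Session Closed host=host-b.example ip= user=bob@example.net realuser=bob@example.net totalxfer=2048
Apr 5 07:54:40 server cpanelpop[3415]: Session Closed host=host-a.example ip= user=alice@example.net realuser=alice@example.net totalxfer=10833183
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+(?P<time>[\d:]{8})\s+\S+\s+"
    r"cpanelpop\[(?P<pid>\d+)\]:\s+(?P<event>Login|Session Closed)\s+(?P<rest>.*)$"
)

def parse_sessions(text, year=2006):
    """Pair Login / Session Closed lines by PID. Syslog omits the year, so it is passed in."""
    open_logins, sessions = {}, []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a cpanelpop login/close line
        when = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        # key=value fields; empty values such as "ip=" are kept as ""
        fields = dict(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
        if m["event"] == "Login":
            open_logins[m["pid"]] = when
        else:
            start = open_logins.pop(m["pid"], None)  # None if the login line was rotated away
            sessions.append({
                "user": fields.get("user", ""),
                "host": fields.get("host", ""),
                "bytes": int(fields.get("totalxfer", 0)),
                "seconds": (when - start).total_seconds() if start else None,
            })
    return sessions

def large_sessions(sessions, min_bytes=5 * 1024 * 1024):
    """Return sessions that moved at least min_bytes (the 5 MiB default is an arbitrary example threshold)."""
    return [s for s in sessions if s["bytes"] >= min_bytes]

if __name__ == "__main__":
    for s in large_sessions(parse_sessions(SAMPLE_LOG)):
        dur = f"{s['seconds']:.0f}s" if s["seconds"] is not None else "unknown time"
        print(f"{s['user']} from {s['host']}: {s['bytes'] / 2**20:.1f} MiB in {dur}")
```

On the sample, the 10833183 figure comes out as roughly 10.3 MiB moved in one POP session lasting about 15 minutes.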

  3. #3
    AndyReed (cPanel Partner NOC)
    Join Date
    May 2004
    Location
    Minneapolis, MN
    Posts
    2,223

    Quote Originally Posted by gordypordy
    But I have no idea where these problems are originating. The usernames identified in the maillog and the IP address include many email addresses that are actually MY OWN! Including the one which I posted above.
    This issue has been covered many times and searching these forums will yield many results. It is possible that the SPAM is delivered by a client or through an insecure/bad script. Activate crond and syslogd to monitor exim log files. You also need to convert entries from :blackhole: to :fail:
    Andy Reed
    CCNA, RHCE, and Ubuntu Technologist
    ServerTune.com

  4. #4
    Registered User
    Join Date
    Jan 2004
    Posts
    30

    Hi Andy,

    Thanks for the points. I did search, but it throws up some weird and divergent results from what I had spent ages trawling through.

    My server company is going to have a look at it for me just now (not saying they shall fix it, but at least they offered to look at it!! which is pretty good for them, lol), if they provide any further insight that might help direct me better.

    I know it's a script or something, finding it has been my problem. The various logs are appended with many of my OWN IPs, and the others are legitimate users with no unusual activity. In fact the unusual activity appears to be identifying me as the perpetrator!

    Incidentally, my mail is set for fail instead of blackhole by default. I read stuff on that longer ago, and I believe one of the mods has stuff about this on his site that was helpful, explaining the difference between blackhole and fail, so that is a good point, but fortunately I have it set that way.

    The server is pretty well locked down (or at least it was!!), the only thing I didn't have up and on was a non-cPanel mod_security ruleset, and I'm toying over various options for this, from posts and advice on here and others.

    Regards
