Trying to find out a spammer

#1 Member (Join Date: May 2008, Posts: 1,203)

    I have received a spam complaint from SpamCop and am trying to find out the exact domain that is sending spam messages from my server.

    From the logs I have found that the spammer is using remote SMTP authentication to send spam emails. I have tried to find the exact domain name in the exim mainlog located at /var/log/exim_mainlog, but I could not find any.

    It seems that the messages were sent out through a PHP script. Can anybody tell me where else I need to check for logs?

    I have also tried to find out from the Apache logs but did not find anything there either.

    Thanks!

#2 Member (Join Date: Jul 2008, Location: localhost, Posts: 101)

    Hi there,

    The logs will be in the file "/var/log/exim_mainlog" itself. If it is using SMTP authentication, the emails will be sent with the from address specified. If it is not using remote SMTP authentication, the emails will be sent with the ID cPanel_username@server_hostname.com (which is easier to check).

    Not sure, but if the emails are being sent from the remote server, the mail logs will be on the remote server itself, which should not block your server's IP at SpamCop. Is it possible to provide the logs SpamCop has provided?

    Also, you can limit the emails sent per domain at Main >> Server Configuration >> Tweak Settings: "The maximum each domain can send out per hour (0 is unlimited)". You can set the limit there.

    Hope this helps you to investigate further.

#3 Member (Join Date: May 2008, Posts: 1,203)

    Thanks for the reply!

    As I have mentioned earlier, emails were sent out using remote SMTP authentication. I have already set a limit of 60 emails per hour from a domain.

    I have also disabled the nobody user from sending emails from my server. My server requires SMTP authentication to send emails. Emails were sent out from a PHP script. It seems that one of the email accounts under a particular user account on my server has been hacked and used to send spam emails.

    Can you tell me where else I can check the logs to find out an exact domain or user account on my server?

#4 Member (Join Date: Jul 2008, Location: localhost, Posts: 101)

    If you are sure about the username on the server under which the email account is created, you can grep for the username in the /etc/domainusers or /etc/userdomains file:

    root@server [~]# grep cPanel-username /etc/domainusers
    or
    root@server [~]# grep cPanel-username /etc/userdomains

    Note: replace cPanel-username with the actual cPanel username.

    Let me know if this is what you were looking for...

#5 Member (Join Date: May 2008, Posts: 1,203)

    Quote (originally posted by chinmay):
        If you are sure about the username on the server under which the email account is created,

        Let me know if this is what you were looking for...

    That is exactly what I am trying to figure out. I am trying to find out the user name on the server from which the spam messages were sent out.

#6 Member (Join Date: Jul 2008, Location: localhost, Posts: 101)

    Well, you will need to look at the logs and grep them with the username, check the mail queue and check as to who is spamming from the server.
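
    Posts #2 and #6 both come down to attributing each message in exim_mainlog to the account that injected it. The following is an added example, not code from this thread or from cPanel: it parses constructed log lines in the A= / U= / cwd= layout that cPanel's Exim writes (an assumption about the format, modelled on that logging) and counts messages per authenticated login, or per local user plus the script directory that called sendmail, so the busiest origin is the one to investigate.

```python
"""Count exim_mainlog '<=' (message received) lines per originating account.
Added example, not from the thread; the A=/U=/cwd= layout is an assumption
modelled on cPanel's Exim logging and the log lines below are constructed."""
import re
from collections import Counter

# Constructed sample of /var/log/exim_mainlog (not real data).
SAMPLE_LOG = """\
2009-06-05 01:40:12 1MCxyz-0001Ab-Cd <= bob@example.com H=(localhost) [127.0.0.1] P=esmtpa A=dovecot_login:bob@example.com S=1512 T="Special offer" for victim1@example.org
2009-06-05 01:40:13 1MCxyz-0001Ac-Ef <= bob@example.com H=(localhost) [127.0.0.1] P=esmtpa A=dovecot_login:bob@example.com S=1512 T="Special offer" for victim2@example.org
2009-06-05 01:40:20 cwd=/home/acme/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2009-06-05 01:40:20 1MCxyz-0001Ad-Gh <= acme@server.example.net U=acme P=local S=812 T="Contact form" for owner@example.net
2009-06-05 01:41:02 1MCxyz-0001Ab-Cd => victim1@example.org R=lookuphost T=remote_smtp H=mx.example.org [192.0.2.10]
2009-06-05 01:41:05 1MCxyz-0001Af-Kl <= alice@example.com H=(pc) [198.51.100.7] P=esmtpa A=dovecot_login:alice@example.com S=2000 T="hello" for friend@example.org
"""

RECEIVED = re.compile(r"^\S+ \S+ \S+ <= \S+(?P<rest>.*)$")   # '<=' = message accepted
CWD = re.compile(r"^\S+ \S+ cwd=(?P<cwd>\S+)")                # logged before a local injection
FIELD = re.compile(r"\b(?P<key>[AUP])=(?P<val>\S+)")           # A=auth id, U=local user, P=protocol

def attribute(log_text):
    """Return a Counter of messages keyed by origin: 'auth:<login>' for SMTP-authenticated
    sends, 'local:<user>@<cwd>' for messages a local process (e.g. PHP mail()) injected,
    otherwise 'unknown'. The cwd= line preceding a '<=' line names the script directory."""
    counts = Counter()
    last_cwd = None
    for line in log_text.splitlines():
        m = CWD.match(line)
        if m:
            last_cwd = m.group("cwd")
            continue
        m = RECEIVED.match(line)
        if not m:
            continue  # deliveries ('=>'), completions and errors carry no sender identity
        fields = dict(FIELD.findall(m.group("rest")))
        if "A" in fields:
            origin = "auth:" + fields["A"].split(":", 1)[-1]   # drop the authenticator name
        elif "U" in fields:
            origin = "local:%s@%s" % (fields["U"], last_cwd or "?")
        else:
            origin = "unknown"
        counts[origin] += 1
        last_cwd = None  # a cwd= line applies only to the next '<=' line
    return counts

def top_senders(log_text, n=3):
    """Most active origins first; the top entry is the account to look at first."""
    return attribute(log_text).most_common(n)
```

    Run against a real log with `top_senders(open("/var/log/exim_mainlog").read())`; a compromised mailbox shows up as one auth: login with far more messages than the rest, and a compromised script as one local: entry tied to a directory under a single account's home.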

#7 Member (Join Date: May 2008, Posts: 1,203)

    Quote (originally posted by chinmay):
        Well, you will need to look at the logs and grep them with the username, check the mail queue and check as to who is spamming from the server.

    You are not getting me. I have already checked the mail logs and could not find anything. The emails were sent out from a script. Is there any other place where I should look to track down the exact domain or user doing this?

#8 Member (Join Date: Nov 2007, Posts: 865)

    Quote (originally posted by thewebhosting):
        You are not getting me. I have already checked the mail logs and could not find anything. The emails were sent out from a script. Is there any other place where I should look to track down the exact domain or user doing this?

    Find these scripts using `locate hnc.cgi` and `locate dm.cgi`; these are spamming scripts.

#9 cPanelDavidG, Technical Product Specialist (Join Date: Nov 2006, Location: Houston, TX, Posts: 11,189, cPanel/Enkompass Access Level: Root Administrator)

    Quote (originally posted by thewebhosting):
        I have received a spam complaint from SpamCop and am trying to find out the exact domain that is sending spam messages from my server.

        From the logs I have found that the spammer is using remote SMTP authentication to send spam emails. I have tried to find the exact domain name in the exim mainlog located at /var/log/exim_mainlog, but I could not find any.

        It seems that the messages were sent out through a PHP script. Can anybody tell me where else I need to check for logs?

        I have also tried to find out from the Apache logs but did not find anything there either.

        Thanks!

    You seem to imply in this thread that the spammer sent mails without using your SMTP server. I recommend enabling the SMTP tweak to force users to use your SMTP server when sending mail from your server. This can be enabled in WHM -> Security -> Security Center -> SMTP Tweak. You may also consider enabling other security settings in the Security Center if you feel they are appropriate.

#10 Member (Join Date: May 2008, Posts: 1,203)

    Quote (originally posted by cPanelDavidG):
        You seem to imply in this thread that the spammer sent mails without using your SMTP server. I recommend enabling the SMTP tweak to force users to use your SMTP server when sending mail from your server. This can be enabled in WHM -> Security -> Security Center -> SMTP Tweak. You may also consider enabling other security settings in the Security Center if you feel they are appropriate.

    Thanks. SMTP authentication is already enabled on my server. Can you tell me after how many days the mail server logs will be overwritten? How and from where can I change these settings?

#11 cPanelDavidG, Technical Product Specialist (Join Date: Nov 2006, Location: Houston, TX, Posts: 11,189, cPanel/Enkompass Access Level: Root Administrator)

    Quote (originally posted by thewebhosting):
        Thanks. SMTP authentication is already enabled on my server. Can you tell me after how many days the mail server logs will be overwritten? How and from where can I change these settings?

    I wasn't referring to SMTP authentication; I was referring to the SMTP Tweak. SMTP authentication deals with legitimate users using your SMTP server (Exim). The SMTP Tweak blocks users from using your server to send mail by means of an uploaded script that acts as a mail server to avoid/bypass sending mail through your mail server.

    Let me get back to you on the mail server logs question.

#12 Member (Join Date: Feb 2006, Posts: 38)

    Hey, I'm having the same problem. I used a few exim commands and the headers of the message just say it is coming from 127.0.0.1, which is annoying, and like you, everyone doesn't understand me. But I realized I turned off SMTP Tweak for a day and this happened, so I turned it back on. I still want to find out who did it, so if you get any info on how to find out, let me know.

    @cPanelDavidG

    Does the tweak stop roundcubemail from working?

    And this doesn't stop my clients from using Outlook etc correct?
    Last edited by acidstudioz; 06-05-2009 at 01:42 AM.

#13 cPanelDavidG, Technical Product Specialist (Join Date: Nov 2006, Location: Houston, TX, Posts: 11,189, cPanel/Enkompass Access Level: Root Administrator)

    Quote (originally posted by acidstudioz):
        Hey, I'm having the same problem. I used a few exim commands and the headers of the message just say it is coming from 127.0.0.1, which is annoying, and like you, everyone doesn't understand me. But I realized I turned off SMTP Tweak for a day and this happened, so I turned it back on. I still want to find out who did it, so if you get any info on how to find out, let me know.

        @cPanelDavidG

        Does the tweak stop roundcubemail from working?

        And this doesn't stop my clients from using Outlook etc., correct?

    SMTP tweak does not affect anything that uses *your* SMTP server, such as Roundcube, Horde, Squirrelmail and authenticated POP and SMTP users.

    The SMTP tweak prevents scripts from bypassing your SMTP server to send spam from your server's IP.

#14 Member (Join Date: Feb 2006, Posts: 38)

    Ok great thanks.

#15 Member (Join Date: May 2008, Posts: 1,203)

    Quote (originally posted by cPanelDavidG):
        The SMTP Tweak blocks users from using your server to send mail by means of an uploaded script that acts as a mail server to avoid/bypass sending mail through your mail server.

        Let me get back to you on the mail server logs question.

    SMTP tweak is disabled on our shared server. If I enable it, will the legitimate users also be unable to send legitimate emails through their scripts?
