
A BIG SPAMMER ATACK - help

Discussion in 'E-mail Discussions' started by duranduran, May 17, 2007.

  1. duranduran

    duranduran Well-Known Member

    Joined:
    Apr 30, 2004
    Messages:
    198
    Likes Received:
    0
    Trophy Points:
    16
    Hi Guys,

    I have a BIG problem - a SPAMMER is using one of my servers to send thousands of emails. I really don't know how. I tried everything, all solutions, and I simply cannot identify how this SPAMMER is sending those emails. The SPAMMER continues to use this server.

    Please, I really need help.

    This is a mail header (sent to me by my DC - ThePlanet):

    Received: from ssl.lx8server.com (ssl.lx8server.com [209.62.14.18]) by rly-ma05.mail.aol.com (v115.11) with ESMTP id MAILRELAYINMA058-8ae4647a2e785; Sun, 13 May 2007 19:44:42 -0400
    Received: from ypwhw (240.55.175.245)
    by ssl.lx8server.com; Sun, 13 May 2007 20:44:32 -0300
    Date: Sun, 13 May 2007 20:44:32 -0300
    From: <amyr@compuvision.net>
    X-Mailer: The Bat! (v2.01)
    Reply-To: <20maxcandy@hotmail.com>
    X-Priority: 3 (Normal)
    Message-ID: <39425751.20060609052006@compuvision.net>
    To: redacted@aol.com
    Subject: =?iso-8859-5?B?ZnJlZSB2YWNhbmN5?=
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="----------3F5DDCD38AAF7"
    X-AOL-IP: 209.62.14.18


    Other:

    Return-Path: <noreply@site.careerbuilder.com>
    Received: from rly-ma07.mail.aol.com (rly-ma07.mail.aol.com [172.20.116.51]) by air-ma06.mail.aol.com (v115.11) with ESMTP id MAILINMA061-8be4648c5301bb; Mon, 14 May 2007 16:23:36 -0400
    Received: from ssl.lx8server.com (ssl.lx8server.com [209.62.14.18]) by rly-ma07.mail.aol.com (v115.11) with ESMTP id MAILRELAYINMA078-8be4648c5301bb; Mon, 14 May 2007 16:23:12 -0400
    Received: from askepy (237.83.205.19)
    by ssl.lx8server.com; Mon, 14 May 2007 17:23:05 -0300
    Date: Mon, 14 May 2007 17:23:05 -0300
    From: <noreply@site.careerbuilder.com>
    X-Mailer: The Bat! (v2.01)
    Reply-To: <noreply@site.careerbuilder.com>
    X-Priority: 3 (Normal)
    Message-ID: <16100012.20060911152825@site.careerbuilder.com>
    To: redacted@aol.com
    Subject: =?iso-8859-5?B?Q2FyZWVyQnVpbGRlci5jb20g?=
    =?iso-8859-5?B?Sm9iIE1hdGNoZXM6IEVuam95?=
    =?iso-8859-5?B?IHdvcmtpbmcgaW4gYSBjaGFs?=
    =?iso-8859-5?B?bGVuZ2luZyBhbmQgcmV3YXJk?=
    =?iso-8859-5?B?aW5nIGVudmlyb25tZW50Lg==?=
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="----------F3712F2DB5"
    X-AOL-IP: 209.62.14.18


    Other:

    Return-Path: <no_reply@paypal.com>
    Received: from rly-ma04.mail.aol.com (rly-ma04.mail.aol.com [172.20.116.48]) by air-ma10.mail.aol.com (v115.11) with ESMTP id MAILINMA102-8a1464a9134297; Wed, 16 May 2007 01:06:13 -0400
    Received: from ssl.lx8server.com (ssl.lx8server.com [209.62.14.18]) by rly-ma04.mail.aol.com (v115.11) with ESMTP id MAILRELAYINMA043-8a1464a9134297; Wed, 16 May 2007 01:05:56 -0400
    Received: from wkqsiq (159.213.21.132)
    by ssl.lx8server.com; Wed, 16 May 2007 02:05:44 -0300
    Message-ID: <007f01c4a93f$ab84947d$473ffb22@wkqsiq>
    Reply-To: <no_reply@paypal.com>
    From: <no_reply@paypal.com>
    To: redacted@aol.com
    Subject: =?iso-8859-5?B?UGF5UGFsIEZyYXVkIE1lZGlh?=
    =?iso-8859-5?B?dGlvbiBSZXF1ZXN0KEFsZXJ0?=
    =?iso-8859-5?B?SUQgQ09ERTo=?=
    Date: Wed, 16 May 2007 02:05:44 -0300
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0072_01C4FB22.473F947D"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2800.1158
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
    X-AOL-IP: 209.62.14.18


    This server has:

    WHM 10.8.0 cPanel 10.9.0-S9966
    RedHat Enterprise 4 i686 - WHM X v3.1.0


    PHPsuexec, nobody doesn't send emails, I have ACL and RBL rules, ConfigServer Firewall, etc. At this moment I cannot send emails to AOL and HOTMAIL (I am blocked). Root access is fine I believe (I ran chkrootkit and rkhunter, no problems found).

    I need help - Thanks for all!!!
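    As an added example (not code from the thread or from cPanel), the following Python script walks the Received: chain of the first header quoted above and reports the hop at which the poster's own server accepted the message, which is the last line in that chain a defender can trust; everything below it was written by whoever handed the message in. The header text is a constructed sample trimmed from that quote, and the host name passed in (ssl.lx8server.com) is taken from it.

```python
import re
from email import message_from_string

# Constructed sample: the first header block quoted in the thread, trimmed to
# the fields the trace needs (the second Received: line is folded, as posted).
SAMPLE_HEADERS = (
    "Received: from ssl.lx8server.com (ssl.lx8server.com [209.62.14.18]) "
    "by rly-ma05.mail.aol.com (v115.11) with ESMTP id MAILRELAYINMA058-8ae4647a2e785; "
    "Sun, 13 May 2007 19:44:42 -0400\n"
    "Received: from ypwhw (240.55.175.245)\n"
    "\tby ssl.lx8server.com; Sun, 13 May 2007 20:44:32 -0300\n"
    "Date: Sun, 13 May 2007 20:44:32 -0300\n"
    "From: <amyr@compuvision.net>\n"
    "Reply-To: <20maxcandy@hotmail.com>\n"
    "To: redacted@aol.com\n"
    "Subject: =?iso-8859-5?B?ZnJlZSB2YWNhbmN5?=\n"
    "\n"
)

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_received(raw_headers):
    """Return the Received: hops top-to-bottom (most recent relay first)."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())        # unfold continuation lines
        clause, _, stamp = text.rpartition(";")    # timestamp follows the last ';'
        m_from = re.search(r"\bfrom\s+(\S+)(?:\s*\(([^)]*)\))?", clause)
        m_by = re.search(r"\bby\s+(\S+)", clause)
        m_with = re.search(r"\bwith\s+(\S+)", clause)
        comment = m_from.group(2) if m_from and m_from.group(2) else ""
        m_ip = IPV4.search(comment)
        hops.append({
            "helo": m_from.group(1) if m_from else None,  # name the client announced
            "ip": m_ip.group(1) if m_ip else None,        # address the receiver saw
            "by": m_by.group(1) if m_by else None,
            "with": m_with.group(1) if m_with else None,
            "time": stamp.strip(),
        })
    return hops


def entry_hop(hops, our_host):
    """The lowest Received: line whose 'by' names our own server: the point
    where the message entered our infrastructure.  Lines below it were
    supplied by the sender and may be forged."""
    for hop in reversed(hops):
        if hop["by"] and hop["by"].lower().startswith(our_host.lower()):
            return hop
    return None


def trace(raw_headers, our_host):
    """Classify how the message reached our_host and say where to look next."""
    hops = parse_received(raw_headers)
    hop = entry_hop(hops, our_host)
    if hop is None:
        return {"kind": "unknown", "hop": None,
                "note": "%s never appears as a receiving host" % our_host}
    if hop["ip"] is None or hop["ip"].startswith("127."):
        return {"kind": "local", "hop": hop,
                "note": "no remote address on the entry hop: look at local "
                        "scripts (cwd= lines in exim_mainlog)"}
    return {"kind": "remote", "hop": hop,
            "note": "accepted over SMTP from %s (HELO %s) at %s: check "
                    "exim_mainlog for that address and any login it used"
                    % (hop["ip"], hop["helo"], hop["time"])}


if __name__ == "__main__":
    for i, hop in enumerate(parse_received(SAMPLE_HEADERS)):
        print("hop %d: from %s [%s] by %s at %s"
              % (i, hop["helo"], hop["ip"], hop["by"], hop["time"]))
    print(trace(SAMPLE_HEADERS, "ssl.lx8server.com")["note"])
```

    The classification is deliberately coarse: it only separates "the server accepted this from a remote address" from "this was handed in locally", because that is the decision that tells an admin whether to read the SMTP session log for that address or to go looking at scripts under /home.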
     
  2. visiox

    visiox Well-Known Member

    Joined:
    Jan 19, 2004
    Messages:
    49
    Likes Received:
    0
    Trophy Points:
    6
    In that case you should see some entries in your exim log files.
    Go through them and you will find the account used.
    If you know the account... do whatever you have to do.
     
  3. duranduran

    duranduran Well-Known Member

    Joined:
    Apr 30, 2004
    Messages:
    198
    Likes Received:
    0
    Trophy Points:
    16
    This is the problem: this account/domain/user doesn't exist on this server, and anti-relay is working as well.
     
  4. sbutler

    sbutler Registered

    Joined:
    May 14, 2007
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    This is what I would do. I would log in to the WHM main control panel, go down to Service Manager and click on it, then uncheck both check boxes for the exim server and save the change. This is perfectly safe to do, because this will disable the mail server. This will be a temporary solution, and when called about not being able to send email, just inform them that the email server is having a security update and should be back up within one to two hours. No one will lose any email on the server because all servers on the net use a retry send period of up to 3 days and a default time of every hour to resend email to you.

    The next thing to do is go to your Email section and click View Mail Statistics,
    then look for the section below and see if there is a list; if not, your server was not set up right.
    Top 50 mail rejection reasons by message count
    ----------------------------------------------
    Now look for the section
    Top 50 sending hosts by message count
    -------------------------------------

    The one with an unusually high count is probably the one; get info for later tracking.

    Now we are going to fix this problem by correcting your server email configuration.

    Go to the Server Configuration section and click Tweak Settings,
    go to the Mail section and put a check in the box for
    Track the origin of messages sent though the mail server by adding the X-Source headers (exim 4.34+ required)
    then save changes.

    Now go back to Service Manager and re-enable the exim mail server.

    Now we need to track down this issue.
    Monitor the exim usage check to see if you're having issues.

    Please note that if the spammer domain that sent the email is not in any account, this is known as script email spoofing. This can be checked by looking at per-script resource usage by user.


    Go to the Server Status section and click CPU/Memory/MySQL Usage; this will show the exact script and how much CPU resource it is using, and the path shows the account name. This is a start. See if this helps you find the person. When I get the exim conf I will post info on what to change to disable relaying email.

    Go to the Service Configuration section, click on Exim Configuration, check verify user and save changes.
     
    #4 sbutler, May 19, 2007
    Last edited: May 19, 2007
  5. Fernis

    Fernis Well-Known Member

    Joined:
    Oct 28, 2006
    Messages:
    192
    Likes Received:
    1
    Trophy Points:
    18
  6. visiox

    visiox Well-Known Member

    Joined:
    Jan 19, 2004
    Messages:
    49
    Likes Received:
    0
    Trophy Points:
    6
    OK,

    in this case... check every CGI (perl/php/python, whatever is installed) your users have installed for opening port 25 or something like that.
     
  7. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    Not all servers on the net use the same settings. Some might not retry, some might only retry for an hour. All depends. Generally this is close to being correct, just thought I'd point out - not all servers on the net follow this exact formula. :)
     
  8. dalem

    dalem Well-Known Member
    PartnerNOC

    Joined:
    Oct 24, 2003
    Messages:
    2,577
    Likes Received:
    40
    Trophy Points:
    48
    Location:
    SLC
    cPanel Access Level:
    DataCenter Provider
    Just cleared this loser off one of our clients' servers (moving from host to host)


    Add
    log_selector = +arguments +subject
    into the top box of your exim.conf advanced editor

    tick: Track the origin of messages sent though the mail server by adding the X-Source headers (exim 4.34+ required)

    in tweak settings

    and watch your mail logs



    grep your /home dir for parts of the spammy email


    I could hunt them down in about ten min

    good luck


    cheers
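    Building on visiox's advice to go through the exim log files and dalem's log_selector = +arguments +subject tip, here is an added Python triage script (not from the thread, not a cPanel tool) that tallies message arrivals in exim_mainlog by origin: an SMTP AUTH login (A=), a local submission (P=local) together with the script directory from the cwd= line that +arguments writes just before it, or an unauthenticated remote host. The log lines are constructed samples in Exim's format; the account name, paths, logins and addresses in them are invented.

```python
import re
from collections import Counter, defaultdict

# Constructed sample exim_mainlog lines (not from the thread), in the format
# Exim writes once log_selector = +arguments +subject is in effect.
SAMPLE_LOG = """\
2007-05-14 17:23:04 cwd=/home/shopuser/public_html/forms 4 args: /usr/sbin/sendmail -t -i -oi
2007-05-14 17:23:05 1HnteH-0001Ab-9J <= noreply@site.careerbuilder.com U=shopuser P=local S=2345 T="CareerBuilder.com Job Matches"
2007-05-14 17:23:05 cwd=/home/shopuser/public_html/forms 4 args: /usr/sbin/sendmail -t -i -oi
2007-05-14 17:23:06 1HnteI-0001Ac-1Q <= noreply@site.careerbuilder.com U=shopuser P=local S=2351 T="CareerBuilder.com Job Matches"
2007-05-14 17:23:09 1HnteL-0001Af-0X <= amyr@compuvision.net H=(ypwhw) [240.55.175.245] P=esmtpa A=login:info@example.org S=1411 T="free vacancy"
2007-05-14 17:23:11 1HnteN-0001Ah-3B <= bob@example.net H=mail.example.net [192.0.2.7] P=esmtp S=900 T="re: invoice"
2007-05-14 17:23:12 1HnteO-0001Ai-7K <= amyr@compuvision.net H=(ypwhw) [240.55.175.245] P=esmtpa A=login:info@example.org S=1402 T="free vacancy"
"""

LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<rest>.*)$")
CWD = re.compile(r"^cwd=(?P<cwd>\S+) \d+ args: (?P<argv>.*)$")   # from +arguments
ARRIVAL = re.compile(r"^(?P<id>\S+) <= (?P<sender>\S+) (?P<fields>.*)$")
FIELD = re.compile(r'(?P<key>[A-Z]+)=(?P<val>"[^"]*"|\S+)')      # U=, P=, A=, S=, T=
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")         # the [ip] after H=


def triage(log_text):
    """Count '<=' arrivals per origin and the subjects seen from each origin.

    A cwd= line is paired with the next P=local arrival.  Exim writes the
    two lines from the same process, but under heavy load lines from other
    processes can interleave, so treat the pairing as a strong hint, not proof.
    """
    counts = Counter()
    subjects = defaultdict(Counter)
    last_cwd = None
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        c = CWD.match(rest)
        if c:
            last_cwd = c.group("cwd")
            continue
        a = ARRIVAL.match(rest)
        if not a:
            continue
        fields = a.group("fields")
        f = dict(FIELD.findall(fields))
        ip = BRACKET_IP.search(fields)
        if "A" in f:                                  # SMTP AUTH: a mailbox password is in use
            origin = "auth " + f["A"]
        elif f.get("P") == "local":                   # sendmail/pipe submission on the box
            origin = "local U=%s cwd=%s" % (f.get("U", "?"), last_cwd or "?")
            last_cwd = None
        else:                                         # unauthenticated SMTP from outside
            origin = "remote " + (ip.group(1) if ip else f.get("H", "?"))
        counts[origin] += 1
        subjects[origin][f.get("T", '""').strip('"')] += 1
    return counts, subjects


def top_origins(log_text, n=5):
    """(origin, message count, most frequent subject) for the busiest origins."""
    counts, subjects = triage(log_text)
    return [(origin, count, subjects[origin].most_common(1)[0][0])
            for origin, count in counts.most_common(n)]


if __name__ == "__main__":
    for origin, count, subject in top_origins(SAMPLE_LOG):
        print("%4d  %-60s  %s" % (count, origin, subject))
```

    On a real box the same function runs over `/var/log/exim_mainlog`; an origin that repeats one subject at a high rate is where to look first, and the origin key already says whether that means a script directory under /home (cwd=), a mailbox whose password should be reset (A=login:...), or a remote address to look up in the SMTP session and ACL logs.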
     