Email system hacked, Mail Queue manager is in meltdown

Mar 8, 2013
cPanel Access Level
Root Administrator
I found an account on my system that was sending out insane amounts of emails. I changed the passwords on the account and that sent the email system into a meltdown. I have emails that are trying to be sent every few seconds and bouncing back because the password has changed. I could be wrong, but this seems like it is more likely to be a script issue? So how do I find it and remove it? I found this website which I think would help, but the constant attempt of sending email may be hindering it from working properly. I try to run the first long set of commands and it just seems to sit there.. Here is the site with the commands it is giving me.

http://www.inmotionhosting.com/support/email/exim/find-spam-script-location-with-exim

Is there a way I can stop the Exim from running long enough to run the commands listed in that site to find my real issue? Or I am open to other suggestions. I have got to get this issue resolved!!!!!
 

mtindor

Well-Known Member
Sep 14, 2004
inside a catfish
cPanel Access Level
Root Administrator
How about opening up one of the offending messages in Mail Queue Manager (inside WHM). Then take a look at the information in there.

By viewing the full message source of one of the messages sent by the script (but not yet delivered to the recipient) it may help you.

I'd ask you to forward one for me to take a look at, but (a) you probably don't have enough posts to PM me yet and (b) you probably don't want me to see any particular details in those messages.

But if you're desperate and want to shoot me a PM, I'll give you my email address and you can copy/paste a couple of the messages in the outgoing queue and send them to me, and I can let you know what I think.

Mike
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

Try reviewing a message in the mail queue as the previous poster mentioned. You should be able to view the message headers if you confirm it's a SPAM message, and the message header should contain more information about the location of the script used to send the email. If you are aware of the specific account, try searching its public_html directory and subdirectories for files with "email" or "mail" terms.

Thank you.
 
Mar 8, 2013
cPanel Access Level
Root Administrator
The system seems to be in constant flow mode.. I can not even access the mail queue manager in the WHM and when I pull it up in SSH, it is like a cascading list of emails.... going by so fast I can't even tell all the different emails it is trying to send to. I know most are aol accounts, but the one constant is the email on my server. It is the same and I can see it. So how do I search their id for issues or rogue mail scripts via SSH.
 
Mar 8, 2013
cPanel Access Level
Root Administrator
Hey if you can help I will give you what I can... Here is a email that came in. If you see anything there that tells you something specific I need to do, by all means let me know please!!?!?!?
 

mtindor

Well-Known Member
Sep 14, 2004
inside a catfish
cPanel Access Level
Root Administrator
Why don't you delete that message above (or remove the specific content identifying your server). That's why I asked you to PM me, so that you don't share it publicly.

1. I know that message is a bounce from AOL, but the original message contained in that bounce -- is it actually spam? Or was it a legitimate message?

I think the example above is a bad one -- that's a legitimate message that got bounced by AOL. I'd like to see an actual piece of outgoing spam that hasn't been delivered yet. That will provide more useful info

If you can, send me a PM (private message) via the forums.

Mike

 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
You can review the last few lines of /var/log/exim_mainlog if you want to avoid the log output continuing to appear. EX:

Code:
tail -500 /var/log/exim_mainlog

Look for the message ID of a specific message you feel may be SPAM and review its headers with a command such as:

Code:
exim -Mvh <messageID>

Thank you.
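Putting the two posts together (the original question of how to find the script behind the flood, and the exim_mainlog and exim -Mvh approach above), here is an added example that is not from the thread or from cPanel. It summarises a slice of exim_mainlog to pull out the working directory that local sendmail calls were made from, the most frequent envelope sender, and the message IDs that belong to that sender. The log lines are constructed samples in the cPanel/Exim format (the cwd= line that precedes each local submission, and the "<=" arrival line); on a real server you would feed it the output of tail -500 /var/log/exim_mainlog instead.

```shell
#!/bin/sh
# Added example (not from the thread): triage a slice of exim_mainlog to find
# where a flood of outbound mail is coming from. SAMPLE_LOG is CONSTRUCTED in
# the cPanel/Exim log format; host names, users and IDs are made up.
# Real use: tail -500 /var/log/exim_mainlog | ... or pass "$(tail -500 ...)".

SAMPLE_LOG='2013-03-08 10:15:01 cwd=/home/site1/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2013-03-08 10:15:01 1UDq2X-0001Aa-2b <= user@site1.example U=site1 P=local S=1864 id=aaa@site1.example
2013-03-08 10:15:02 cwd=/home/site1/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2013-03-08 10:15:02 1UDq2Y-0001Ab-3c <= user@site1.example U=site1 P=local S=1871 id=bbb@site1.example
2013-03-08 10:15:03 cwd=/home/site2/public_html 3 args: /usr/sbin/sendmail -t -i
2013-03-08 10:15:03 1UDq2Z-0001Ac-4d <= info@site2.example U=site2 P=local S=901 id=ccc@site2.example
2013-03-08 10:15:04 cwd=/home/site1/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2013-03-08 10:15:04 1UDq30-0001Ad-5e <= user@site1.example U=site1 P=local S=1859 id=ddd@site1.example
2013-03-08 10:15:05 1UDq2X-0001Aa-2b ** victim@aol.example R=lookuphost T=remote_smtp: SMTP error from remote mail server'

# Most frequent working directory of local sendmail invocations. A path under
# a web root's uploads or cache directory is a strong lead for a rogue script,
# because legitimate site code rarely sends mail from there.
top_cwd() {
    printf '%s\n' "$1" \
        | grep -o 'cwd=[^ ]*' | sort | uniq -c | sort -rn | head -1 \
        | awk '{print $2}' | sed 's/^cwd=//'
}

# Most frequent envelope sender on message-arrival ("<=") lines.
# Field layout: $1 date, $2 time, $3 message ID, $4 "<=", $5 sender.
top_sender() {
    printf '%s\n' "$1" \
        | awk '$4 == "<=" {print $5}' | sort | uniq -c | sort -rn | head -1 \
        | awk '{print $2}'
}

# Message IDs that arrived from a given sender, one per line, ready to be
# passed to: exim -Mvh <messageID>   (headers) or exim -Mvb <messageID> (body)
ids_for_sender() {
    printf '%s\n' "$1" | awk -v s="$2" '$4 == "<=" && $5 == s {print $3}'
}

# Stand-alone demo run over the constructed sample:
echo "Top script directory: $(top_cwd "$SAMPLE_LOG")"
SENDER=$(top_sender "$SAMPLE_LOG")
echo "Top sender:           $SENDER"
echo "Message IDs from that sender:"
ids_for_sender "$SAMPLE_LOG" "$SENDER"
```

The cwd= line is the key piece: Exim on cPanel logs the directory a locally submitted message was sent from, so it points at the script even when the From address is a normal account on the server. Bounce lines (the "**" entry at the end of the sample) are ignored by all three functions, which matters here because the queue is full of them.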