The Community Forums


Exim crashing due to spammer

Discussion in 'General Discussion' started by jcsolutions, Aug 19, 2003.

  1. jcsolutions (Well-Known Member, Canada)
    Exim crashing due to spammer/virus

    Help! :(

    A domain on my server is getting spammed like crazy. I have thousands of these emails in my mail queue. All of these messages have attachments. All from different email addresses.

    How can I stop this?

    Cpanel 7.4.2-S82 on RH 7.3
    Exim 4


    Message below:
    ------------------
    mailnull 47 12
    <>
    1061291422 0
    -ident mailnull
    -received_protocol local
    -body_linecount 1323
    -frozen 1061291422
    -localerror
    XX
    1
    elm@arbortext.com

    158P Received: from mailnull by host.myhost.com with local (Exim 4.20)
    id 19p4Na-00019F-3Y
    for elm@arbortext.com; Tue, 19 Aug 2003 07:10:22 -0400
    041 X-Failed-Recipients: david@domain.com
    074F From: Mail Delivery System <Mailer-Daemon@host.myhost.com>
    022T To: elm@arbortext.com
    059 Subject: Mail delivery failed: returning message to sender
    063I Message-Id: <E19p4Na-00019F-3Y@host.myhost.com>
    038 Date: Tue, 19 Aug 2003 07:10:22 -0400


    19p4Na-00019F-3Y-D
    This message was created automatically by mail delivery software.

    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:

    david@domain.com
    This message has been rejected because it has
    a potentially executable attachment "thank_you.pif"
    This form of attachment has been used by
    recent viruses or other malware.
    If you meant to send this file then please
    package it up as a zip file and resend it.

    ------ This is a copy of the message, including all the headers. ------

    Return-path: <elm@arbortext.com>
    Received: from [130.234.81.192] (helo=JY-W8KEPDQSJUIL)
    by host.myhost.com with esmtp (Exim 4.20)
    id 19p4NX-000191-9j
    for david@domain.com; Tue, 19 Aug 2003 07:10:19 -0400
    From: <elm@arbortext.com>
    To: <david@domain.com>
    Subject: Re: Approved
    Date: Tue, 19 Aug 2003 14:15:18 +0300
    X-MailScanner: Found to be clean
    Importance: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    X-MSMail-Priority: Normal
    X-Priority: 3 (Normal)
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="_NextPart_000_0016D58D"
    Message-Id: <E19p4NX-000191-9j@host.myhost.com>

    This is a multipart message in MIME format

    --_NextPart_000_0016D58D
    Content-Type: text/plain;
    charset="iso-8859-1"
    Content-Transfer-Encoding: 7bit

    Please see the attached file for details.
    --_NextPart_000_0016D58D
    Content-Type: application/octet-stream;
    name="thank_you.pif"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment;
    filename="thank_you.pif"
     
    #1 jcsolutions, Aug 19, 2003
  2. UpsideOut (Member)
    I'm experiencing the same thing. The emails appear to be generated by a variant of the Sobig virus. I'm not sure why, all things being equal, this is affecting only some accounts on some servers. Anybody else seeing this?

  3. jcsolutions (Well-Known Member, Canada)
    Don't suppose you know of a way to reject/delete those emails? My queue doesn't even report a number anymore, so I'm scared to know how many messages are there now. The last time it reported, I was over 8000. My CPU has been running at well over 200 most of the day. I keep killing processes to get it down to 20 or so, but then it jumps right back up.

  4. nyjimbo (Well-Known Member, New York)
    The new sobig virus just exploded all over the internet. We are getting hammered from 66.95.150.165 and nobody can be contacted to stop it. They are also sending email out with our support@domain.com address so we are getting abuse and spam errors back to us.

    The internet is turning into a f-cking toilet.

    :mad:

  5. carlgm (Well-Known Member, England, UK)
    Talk to your upstream and get them to block all traffic from that IP.

    You could try also installing a firewall and dropping packets from that IP and adding that IP to the blocked list within Exim.

    Basically, block the IP from being able to access your system. You might also wish to block domain.com.

  6. Website Rob (Well-Known Member, Alberta, Canada; cPanel Access Level: Root Administrator)
    Although I'm not experiencing this problem, if I were I would do this:

    tail -f /var/log/exim_mainlog

    Then grab the applicable IPs and put them in my iptables to be dropped.

    May not be the best solution, but seems like the quickest one, to me.
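Added example (shell; not code from the original post or from cPanel) that turns the tail-and-block idea above into something repeatable. It counts the source IPs of messages Exim accepted over SMTP, taken from the `<=` lines of exim_mainlog, and prints iptables DROP rules for any IP at or above a threshold instead of running them. The log lines are constructed to resemble the message in the first post; the `[ip]` field only appears on network submissions, so locally generated bounces (P=local, sender `<>`) carry no IP and are skipped. This only helps against a few loud sources like the single IP nyjimbo saw; a worm spreading from many infected hosts never repeats an IP often enough to cross the threshold.

```shell
#!/bin/sh
# Added example, not code from the original post or from cPanel.
# Counts the source IPs of messages Exim accepted over SMTP, from the "<="
# lines of exim_mainlog, and prints iptables rules for the loudest sources.
# Live use: tail -n 5000 /var/log/exim_mainlog | sender_ip_counts | block_rules 50

# Constructed sample log lines shaped like the message in the first post.
# Only network submissions carry "[ip]" after H=; the locally generated
# bounce on the second line (P=local, sender <>) has no IP and is skipped.
# IPv4 only, which is all Exim 4.20 on this box would have seen.
LOG='2003-08-19 07:10:19 19p4NX-000191-9j <= elm@arbortext.com H=(JY-W8KEPDQSJUIL) [130.234.81.192] P=esmtp S=1845
2003-08-19 07:10:22 19p4Na-00019F-3Y <= <> R=19p4NX-000191-9j U=mailnull P=local S=2311
2003-08-19 07:11:03 19p4OH-0001A2-1K <= bob@example.net H=(HOME-PC) [192.0.2.77] P=esmtp S=1790
2003-08-19 07:11:41 19p4Ot-0001B0-2M <= carol@example.org H=(WORKSTATION) [192.0.2.77] P=esmtp S=1802
2003-08-19 07:12:05 19p4PQ-0001C4-3N <= dave@example.com H=(LAPTOP) [192.0.2.77] P=esmtp S=1811
2003-08-19 07:12:30 19p4Pz-0001D8-4P <= friend@example.net H=mail.example.net [198.51.100.9] P=esmtp S=650
'

# sender_ip_counts < exim_mainlog
# Prints "count ip" per source address, loudest first.
sender_ip_counts() {
    awk '
        / <= / && match($0, /\[[0-9.]+\]/) {
            ip = substr($0, RSTART + 1, RLENGTH - 2)   # strip the brackets
            n[ip]++
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -k1,1rn -k2,2
}

# block_rules THRESHOLD < counts
# Prints (does not run) an iptables DROP for every IP at or above THRESHOLD.
# Read the list before piping it to sh: a busy but legitimate relay can
# cross the threshold too, and one rule per IP does not scale past a handful.
block_rules() {
    awk -v min="$1" '
        $1 >= min { printf "iptables -I INPUT -p tcp --dport 25 -s %s -j DROP\n", $2 }
    '
}

printf '%s' "$LOG" | sender_ip_counts
printf '%s' "$LOG" | sender_ip_counts | block_rules 3
```

The threshold of 3 in the sample is only there to make the constructed data trip it; on a real server pick a number that a legitimate sender would not reach in the window you are tailing, and prefer an upstream or firewall-level block over per-IP rules once the list gets long.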

  7. jcsolutions (Well-Known Member, Canada)
    Can't find 2 IPs alike in the exim_mainlog. :(

    The majority of messages are being sent to 1 email address on my server in particular. I've been trying to find a way to delete just this person's email in the queue to help lessen the server load, but I've had no luck yet.

  8. carlgm (Well-Known Member, England, UK)
    You can always set exim to run every 10 minutes and set a cronjob to empty the queue every 11 minutes. This is until you can block the spammer.

  9. jcsolutions (Well-Known Member, Canada)
    That's a good idea. Unfortunately, I can't implement this until I get the queue cleaned for a first time. I am trying everything I can to avoid deleting the entire queue at the moment, as there are also valid emails in there. Once I get those delivered, I could use your idea.
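Added example (shell; not code from the thread or from cPanel) for the problem jcsolutions describes in posts 7 and 9: removing only the messages that clog the queue while leaving legitimate mail to be delivered. It parses the `exim -bp` listing, selects message IDs either by recipient or by picking frozen bounces with an empty envelope sender (the kind of spool entry shown in the first post, which can only produce backscatter), and prints `exim -Mrm` commands for review instead of executing them. The listing is a constructed sample; on a live server feed the functions the output of `exim -bp`. On Exim 4 installs that ship `exiqgrep`, `exiqgrep -i -r 'david@domain\.com'` and `exiqgrep -i -z -f '^<>$'` do the same selections; this script shows what they are doing.

```shell
#!/bin/sh
# Added example, not code from the original posts or from cPanel.
# Dry-run queue triage for Exim 4: pick message IDs out of `exim -bp` output
# by recipient, or pick frozen bounces from <>, and print `exim -Mrm`
# commands instead of running them.

# Constructed sample of `exim -bp` output: a frozen bounce from <> back to
# the forged sender (like the spool entry in the first post) plus ordinary
# queued messages. On a live server use: exim -bp | queue_ids_for_recipient ...
SAMPLE_QUEUE=' 1h  2.5K 19p4Na-00019F-3Y <> *** frozen ***
          elm@arbortext.com

 2m  1.2K 19p4NX-000191-9j <elm@arbortext.com>
          david@domain.com

 5m  3.0K 19p4Nb-00019G-4Z <alice@example.net>
          david@domain.com
          bob@domain.com

 9m  1.1K 19p4Nc-00019H-5A <carol@example.org>
          someone@otherdomain.com
'

# queue_ids_for_recipient ADDRESS < queue-listing
# Prints the ID of every message that still has ADDRESS as a recipient.
queue_ids_for_recipient() {
    awk -v want="$1" '
        # message header line: "<age> <size> <id> <sender>", age like 2m/1h/3d
        NF >= 4 && $1 ~ /^[0-9]+[smhd]$/ && $3 ~ /^[0-9A-Za-z]+-[0-9A-Za-z]+-[0-9A-Za-z]+$/ {
            id = $3; next
        }
        /^$/ { id = ""; next }             # blank line ends the message block
        id != "" {
            # recipient line: indented address (a leading "D" marks delivered)
            r = $NF; gsub(/[<>]/, "", r)
            if (r == want && !seen[id]++) print id
        }
    '
}

# frozen_bounce_ids < queue-listing
# Prints the IDs of frozen messages whose envelope sender is empty (<>):
# bounces Exim generated and could not deliver. Nothing legitimate waits on
# them, and the forged sender never wants them, so they are safe to remove.
frozen_bounce_ids() {
    awk '
        NF >= 4 && $1 ~ /^[0-9]+[smhd]$/ && $4 == "<>" && /\*\*\* frozen \*\*\*/ { print $3 }
    '
}

# removal_commands < ids
# Turns IDs into `exim -Mrm` lines for review; pipe to sh only after reading.
# (exim -Mrm accepts several IDs per call, so xargs can batch them.)
removal_commands() {
    sed 's/^/exim -Mrm /'
}

printf '%s' "$SAMPLE_QUEUE" | queue_ids_for_recipient david@domain.com | removal_commands
printf '%s' "$SAMPLE_QUEUE" | frozen_bounce_ids | removal_commands
```

Note that removing a frozen bounce stops Exim retrying it, but does not stop the next incoming worm message from generating a new one; that needs a rule that discards the message instead of rejecting it after acceptance.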

  10. ccccanada (Well-Known Member)
    Is it possible to delete emails with different types of attachments, like .pif for instance?

    This way at least they would not get stuck in the mail queue since the return path is most likely some innocent person that thinks you are spamming him.

  11. B12Org (Well-Known Member, Seattle Washington; cPanel Access Level: Root Administrator)
    damn that sux. I agree, just block the packets. You may lose some real data, but shit, it may be worth it.

  12. jcsolutions (Well-Known Member, Canada)
    Well, I believe I solved my problem (about 14 1/2 hours later!) What a long day!

    I ended up using the How-to at http://www.cpanelplus.com/staticpages/index.php?page=2003073009541160 to install MailScanner and Clam Anti-Virus. By doing this, all email is scanned and I can deny attachments of certain file types (ex: .exe, .scr).

    My server load is coming back down to normal as it removes the virus attachments (had over 32,000 at one point). I'm sure I'll be doing a bit more customizing later, but for now, I'm just happy to go home! :cool:

    If anyone else has a similar problem (UpsideOut, still?), I'd suggest trying this. Let me know if I can assist somehow.

  13. UpsideOut (Member)
    Thanks for the offer jc. Mid-afternoon the emails just stopped. I guess I was lucky. Perhaps I should look into a mail scanner for next time though.

  14. Bruce (Well-Known Member)
    W32/Sobig.f@MM

    Is there a way to BlackHole these in the Exim Config file?

    Subject:

    Your details
    Thank you!
    Re: Thank you!
    Re: Details
    Re: Re: My details
    Re: Approved
    Re: Your application
    Re: Wicked screensaver
    Re: That movie

    Attachment:

    your_document.pif
    document_all.pif
    thank_you.pif
    your_details.pif
    details.pif
    document_9446.pif
    application.pif
    wicked_scr.scr
    movie0045.pif

  15. ciphervendor (Well-Known Member)
    edit /etc/antivirus.exim and scroll all the way to the bottom and add:

    # discard Sobig.F messages by exact Subject line; in a system filter
    # "seen finish" ends processing with no deliveries
    if $header_subject: is "Re: Your Application"
    or $header_subject: is "Re: My Details"
    or $header_subject: is "Re: Details"
    or $header_subject: is "Your Details"
    or $header_subject: is "Re: That movie"
    or $header_subject: is "Re: Wicked screensaver"
    or $header_subject: is "Re: Thank you!"
    or $header_subject: is "Thank you!"
    or $header_subject: is "Re: Approved"
    then
      seen finish
    endif

  16. AbeFroman (BANNED)
    # same rule with substring matching, so "Re: Re: My Details" is caught by
    # the "Re: My Details" line and needs no entry of its own
    if $header_subject: contains "Re: Your Application"
    or $header_subject: contains "Re: My Details"
    or $header_subject: contains "Re: Details"
    or $header_subject: contains "Your Details"
    or $header_subject: contains "Re: That movie"
    or $header_subject: contains "Re: Wicked screensaver"
    or $header_subject: contains "Re: Thank you!"
    or $header_subject: contains "Thank you!"
    or $header_subject: contains "Re: Approved"
    then
      seen finish
    endif
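Added example of a system-filter rule for /etc/antivirus.exim (not cPanel's shipped file and not the rules posted by ciphervendor or AbeFroman): instead of keying on Subject lines, which the worm rotates, it keys on the attachment name in the MIME headers, which also answers ccccanada's question about dropping .pif messages. In a system filter `seen finish` ends processing with no deliveries, so the message is discarded rather than bounced to the forged sender, which is the backscatter Bruce complains about later in the thread. Caveat: `$message_body` holds only the first message_body_visible bytes of the body (default 1000) with newlines turned into spaces, so an attachment that follows a long text part will not be seen; the message in the first post has its attachment headers well inside that range. The file is appended to, and an Exim filter file must begin with the `# Exim filter` line, which the existing file already has.

```exim
# Exim filter
# Added example rule for /etc/antivirus.exim. Not cPanel's shipped file and
# not the subject-line rules posted in this thread. The "# Exim filter"
# line above is only needed once, at the top of the file.

# Sobig.F rotates its Subject lines but always carries a .pif or .scr
# executable, so key on the MIME attachment name instead of the subject.
# $message_body is the first message_body_visible bytes (default 1000) of
# the body with newlines replaced by spaces, so this sees the attachment
# headers of a small message but not one that follows a long text part.
# The regex, after the filter's string quoting is removed, is:
#   (?i)name="[^"]*\.(pif|scr|exe)"
# which matches both name="..." and filename="..." in the MIME headers.
# In a system filter "seen finish" ends processing with no deliveries:
# the message is discarded and no bounce goes back to the forged sender.
if $message_body matches "(?i)name=\"[^\"]*\\.(pif|scr|exe)\""
then
  seen finish
endif
```

Before relying on it, save one of the worm messages from the queue and run `exim -bF /etc/antivirus.exim < saved-message`, which tests a system filter file against a message on stdin and reports what the filter would do; a rule that silently discards mail deserves that check, since a legitimate message whose first kilobyte mentions a matching filename goes the same way.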

  17. AbeFroman (BANNED)
    Will that work?

  18. Bruce (Well-Known Member)
    I can't get that to work.

    Is there a way to stop re-sending all this virus mail back?
    Now I am getting all this crap sent back from AOL telling me I am the sender of unwanted mail.
    Exim does a good job of recognizing this type of mail, but how do you stop it from sending it back?

  19. B12Org (Well-Known Member, Seattle Washington; cPanel Access Level: Root Administrator)
    Try using that, and then emptying your mail queue. Then it may start working, but it may not work if the messages are already in the queue.

  20. jsteel (Well-Known Member, Atlanta, GA)
    Doesn't work. Added it, restarted exim, flushed the queue and new ones continue.
