The Community Forums


Exim Sending spam as root user

Discussion in 'E-mail Discussions' started by waddy, Jun 8, 2013.

  1. waddy

    waddy Member

    Joined:
    Aug 26, 2008
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    Hi,

    Our mail queue is filling up at a rate of 4000 emails an hour. The server is struggling, and users are not able to send email as the IP of this server is blacklisted.

    Huge volumes of spam coming out from our whm server. I have followed some articles on this issue with exim/cpanel and found the scripts sending the emails in user accounts and fixed them.

    But we are getting a huge volume of outgoing spam from sender root@server.domain.com, and I cannot work out how or why.

    Any help appreciated.

    I have installed and enabled csf and followed the csf recommendations, the outgoing spam problem is still happening.

    I have enabled +all logging in Exim and enabled SMTP auth before POP. I have rate limited outgoing mails.

    INFORMATION:

    #eximstats -ne -nr /var/log/exim_mainlog

    Top 50 local senders by message count
    -------------------------------------
    Messages   Bytes    Average  Local sender
    55424      16GB     0        root
    52732      3840MB   15KB     mailnull
    48         57KB     1216     supportu
    13         47KB     3702     kikoffco

    Top 50 local senders by volume
    ------------------------------
    Messages   Bytes    Average  Local sender
    55424      16GB     0        root
    52732      3840MB   15KB     mailnull
    48         57KB     1216     supportu
    13         47KB     3702     kikoffco


    Exim statistics from 2013-06-09 03:06:06 to 2013-06-09 09:36:47

    Grand total summary
    -------------------
                                                       At least one address
    TOTAL         Volume  Messages  Addresses  Hosts  Delayed        Failed
    Received      20GB    108276               55     53749  49.6%  104946  96.9%
    Delivered     511MB   1882      1882       545
    Rejects               495       29
    Temp Rejects          13        1

    Top 50 sending hosts by message count
    -------------------------------------
    Messages  Bytes  Average  Sending host
    108217    20GB   0        local
    3         13KB   4437     mail33c50.megamailservers.eu
    2         8916   4458     mail228c50.megamailservers.eu
    2         7935   3967     mail56c50.megamailservers.eu
    2         7868   3934     mail-oa0-f43.google.com
    2 7868 3934 mail-oa0-f43.google.com

    Message header:

    Return-path: <root@srv07.domain.com.au>
    Received: from root by srv07.domain.com.au with local (Exim 4.80)
    (envelope-from <root@srv07.domain.com.au>)
    id 1UlTTK-0004B4-8U
    for mia.a.karlsson@telia.com; Sun, 09 Jun 2013 10:27:02 +1000
    From: Casino Dealer <casino_dealer@casino-dealer.org>
    To: mia.a.karlsson@telia.com


    exim -bp |tail -40

    0m 101K 1UlTlR-0004Na-Bd <root@srv07.valuwebhosting.com.au>
    oscarjoseerazo@hotmail.com

    0m 102K 1UlTlR-0004No-G9 <>
    root@srv07.valuwebhosting.com.au

    0m 102K 1UlTlR-0004O1-J6 <>
    root@srv07.valuwebhosting.com.au

    0m 101K 1UlTlR-0004O4-KD <root@srv07.valuwebhosting.com.au>
    smith-porritt03@live.com

    0m 102K 1UlTlR-0004OP-MF <>
    root@srv07.valuwebhosting.com.au


    awk '$4 ~ /^cwd/{print $4}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr

    Result:

    151014 cwd=/var/spool/exim
    51859 cwd=/tmp
    48 cwd=/
    24 cwd=/home/supportu/public_html/cronjobs
    8 cwd=/usr/local/cpanel/whostmgr/docroot
    2 cwd=/root

    - - - Updated - - -

    Also disabled the nobody account from sending email...

    Some more info

    /usr/sbin/exim -Mvh 1UlTpP-0000wy-Og |more
    1UlTpP-0000wy-Og-H
    mailnull 47 12
    <>
    1370738991 0
    -ident mailnull
    -received_protocol local
    -body_linecount 1390
    -max_received_linelength 427
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -localerror
    XX
    1
    root@srv07.valuwebhosting.com.au

    170P Received: from mailnull by srv07.valuwebhosting.com.au with local (Exim 4.80)
    id 1UlTpP-0000wy-Og
    for root@srv07.valuwebhosting.com.au; Sun, 09 Jun 2013 10:49:51 +1000
    041 X-Failed-Recipients: hoj1968@hotmail.com
    029 Auto-Submitted: auto-replied
    071F From: Mail Delivery System <Mailer-Daemon@srv07.valuwebhosting.com.au>
    037T To: root@srv07.valuwebhosting.com.au
    059 Subject: Mail delivery failed: returning message to sender
    060I Message-Id: <E1UlTpP-0000wy-Og@srv07.valuwebhosting.com.au>
    038 Date: Sun, 09 Jun 2013 10:49:51 +1000
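The awk one-liner in the post counts the `cwd=` field of the "args:" lines that Exim writes for every local submission when logging includes +arguments, but on its own it does not say which user or command line each working directory belongs to, nor how much of the queue is bounces rather than original submissions. The script below is an added example, not code from the original post or from cPanel: it re-implements that count in Python and goes a step further, pairing each "cwd=... args:" line with the "<=" arrival line that follows it so that submissions can be broken down by directory and Exim user, and counting null-sender ("<>") arrivals separately as bounces. The log lines embedded in it are constructed in the shape of exim_mainlog entries; the hostnames, message ids and addresses are made up, and the list of directories treated as suspicious is an assumption chosen for the example.

```python
import re
from collections import Counter

# Two line shapes from exim_mainlog: the "cwd=... args:" line Exim writes for each
# local invocation when log_selector includes +arguments (the line the awk
# one-liner counts), and the "<=" message-arrival line that follows it.
CWD_RE = re.compile(r"^(\S+ \S+) cwd=(\S+) \d+ args: (.*)$")
ARRIVAL_RE = re.compile(r"^(\S+ \S+) (\S+) <= (\S+) (.*)$")

# Assumption for this example: world-writable scratch directories are an unusual
# place for a legitimate cron job or web application to submit mail from.
SUSPECT_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

# Constructed sample log in the format above; hosts, ids and addresses are made up.
SAMPLE_LOG = """\
2013-06-09 10:27:01 cwd=/tmp 3 args: /usr/sbin/sendmail -t -i
2013-06-09 10:27:01 1UlTTK-0004B4-8U <= root@srv07.example.com U=root P=local S=101234 for victim1@example.net
2013-06-09 10:27:02 cwd=/tmp 3 args: /usr/sbin/sendmail -t -i
2013-06-09 10:27:02 1UlTTK-0004B5-9V <= root@srv07.example.com U=root P=local S=101240 for victim2@example.net
2013-06-09 10:27:03 cwd=/home/supportu/public_html/cronjobs 3 args: /usr/sbin/sendmail -t -i
2013-06-09 10:27:03 1UlTTK-0004B6-AW <= supportu@srv07.example.com U=supportu P=local S=1216 for admin@example.org
2013-06-09 10:49:51 1UlTpP-0000wy-Og <= <> R=1UlTTK-0004B4-8U U=mailnull P=local S=102345
2013-06-09 10:49:52 1UlTpP-0000wz-Ph <= <> R=1UlTTK-0004B5-9V U=mailnull P=local S=102350
2013-06-09 10:49:53 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1UlTpP-0000wz-Ph
"""


def analyze(log_text):
    """Summarise local submissions by working directory, Exim user and argv."""
    cwd_counts = Counter()    # the same figure the awk one-liner produces
    user_counts = Counter()   # roughly what eximstats reports per local sender
    by_cwd_user = Counter()   # (cwd, U= user) for each attributed submission
    argv_by_cwd = {}          # first command line seen from each directory
    bounces = 0
    pending = None            # cwd of the last args: line awaiting its "<=" line
    for line in log_text.splitlines():
        m = CWD_RE.match(line)
        if m:
            cwd, argv = m.group(2), m.group(3)
            cwd_counts[cwd] += 1
            argv_by_cwd.setdefault(cwd, argv)
            pending = cwd
            continue
        m = ARRIVAL_RE.match(line)
        if not m:
            continue
        sender, rest = m.group(3), m.group(4)
        u = re.search(r"\bU=(\S+)", rest)
        user = u.group(1) if u else "?"
        user_counts[user] += 1
        if sender == "<>":
            # Null envelope sender: a bounce generated by Exim itself, not a
            # message handed in by some process running in a working directory.
            bounces += 1
        elif pending is not None:
            by_cwd_user[(pending, user)] += 1
        pending = None
    suspect = sorted(
        d for d in cwd_counts
        if any(d == s or d.startswith(s + "/") for s in SUSPECT_DIRS)
    )
    return {
        "cwd_counts": cwd_counts,
        "user_counts": user_counts,
        "by_cwd_user": by_cwd_user,
        "argv_by_cwd": argv_by_cwd,
        "bounces": bounces,
        "suspect_dirs": suspect,
    }


def report(result):
    """Render the analysis as text, most frequent directories first."""
    lines = ["submissions by working directory:"]
    for cwd, n in result["cwd_counts"].most_common():
        flag = "  <-- review" if cwd in result["suspect_dirs"] else ""
        lines.append(f"  {n:>7} {cwd}  ({result['argv_by_cwd'][cwd]}){flag}")
    lines.append("submissions by directory and user:")
    for (cwd, user), n in result["by_cwd_user"].most_common():
        lines.append(f"  {n:>7} {user:<10} {cwd}")
    lines.append(f"bounces (null sender): {result['bounces']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(analyze(SAMPLE_LOG)))
```

On a real server the same function can be run over the file with `analyze(open("/var/log/exim_mainlog").read())`; on the constructed sample it attributes both /tmp submissions to root, the cronjobs one to supportu, and counts the two null-sender arrivals as bounces while the /var/spool/exim entry (Exim's own delivery process) is counted but attributed to nobody.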
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    650
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    The following document includes some useful information on preventing email abuse:

    Preventing Email Abuse

    It appears you may have implemented most of these features already. There is a possibility that your server has been hacked. Have you scanned your server for exploits or investigated to see if your server has been rooted?

    Thank you.
     