The Community Forums

Interact with an entire community of cPanel & WHM users!

Find spammer sending out of our server

Discussion in 'General Discussion' started by steele, Dec 19, 2005.

  1. steele

    steele Active Member

    Joined:
    Aug 27, 2003
    Messages:
    35
    Likes Received:
    0
    Trophy Points:
    6
    Hi all,

    We have been having a problem with some user sending spam out of our server. He is sending out PayPal phishing site spam. Also the mail queue gets into the thousands every few days because of this. We are unable to determine which user this is. This is becoming a serious problem, because the server gets listed with SpamCop way too often now.

    I was wondering if there is a way to find out which user is responsible for this.

    Thanks!


    Below are headers of a sample email (I changed the domain names):
    -----------------------------------------------------

    1EoTZ1-0001Xj-39-H
    nobody 99 99
    <nobody@host2.mydomain.com>
    1135031583 0
    -ident nobody
    -received_protocol local
    -body_linecount 88
    -auth_id nobody
    -auth_sender nobody@host2.mydomain.com
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -deliver_firsttime
    -local
    XX
    1
    someone_123@yahoo.com

    152P Received: from nobody by host2.mydomain.com with local (Exim 4.52)
    id 1EoTZ1-0001Xj-39
    for someone_123@yahoo.com; Mon, 19 Dec 2005 17:33:03 -0500
    024T To: someone_123@yahoo.com
    048 Subject: Notification of Limited Account Access
    060F From: PayPal Account Review Department <service@paypal.com>
    011R Reply-To:
    018 MIME-Version: 1.0
    024 Content-Type: text/html
    032 Content-Transfer-Encoding: 8bit
    057I Message-Id: <E1EoTZ1-0001Xj-39@host2.mydomain.com>
    038 Date: Mon, 19 Dec 2005 17:33:03 -0500
     
  2. fikse

    fikse Well-Known Member

    Joined:
    May 10, 2003
    Messages:
    112
    Likes Received:
    0
    Trophy Points:
    16
    Are you sure it's one of your actual users? There are many vulnerable scripts that users install that end up being exploited remotely and used to send out spam...
     
  3. simplestar

    simplestar Well-Known Member

    Joined:
    Nov 15, 2005
    Messages:
    97
    Likes Received:
    0
    Trophy Points:
    6
    WHG has a script

    Stop Nobody Spammers

    As stated in their tutorial:

    Requirements:
    We assume you're using Apache 1.3x, PHP 4.3x and Exim. This may work on other systems but we've only tested it on a Cpanel/WHM Red Hat Enterprise system.
     
  4. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    I'd suggest that you read the multitude of threads about nobody spam which have already discussed at great length what you can do about such spam.
     
  5. steele

    steele Active Member

    Joined:
    Aug 27, 2003
    Messages:
    35
    Likes Received:
    0
    Trophy Points:
    6
    It actually is probably someone from outside. What I'd like to know is if there is a way to find out the source script from the email headers...

    Thanks.
     
  6. RickG

    RickG Well-Known Member

    Joined:
    Feb 28, 2005
    Messages:
    238
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    North Carolina
    You can add the following to the first box of the Exim Configuration Editor (WHM >> Service Configuration >> Switch to Advanced Mode):

    log_selector = +all

    FYI - here are the additional items that are logged to /var/log/exim_mainlog when you use "+all" -- any of them can be used in combination to get just what you need:

    +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn

    You may want to run this way for a while and you'll probably end up finding which script has been compromised.

    Hope this helps -
     
  7. parasane

    parasane Well-Known Member

    Joined:
    Oct 19, 2003
    Messages:
    48
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Dickson City, Pennsylvania (USA)
    Steele,

    Check out the Received: and DomainKey-Signature: headers in the emails.

    If all else fails, do a full manual check on the server. I have to do it for people all the time. It usually comes down to a poorly-written Perl or PHP script accessed through the web using a simple multithreader.

    ~ Dan
     
  8. neonix

    neonix Well-Known Member

    Joined:
    Oct 21, 2004
    Messages:
    124
    Likes Received:
    2
    Trophy Points:
    0
    057I Message-Id: <E1EoTZ1-0001Xj-39@host2.mydomain.com>


    Try this command:

    grep 'E1EoTZ1-0001Xj-39' /var/log/exim_mainlog
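An added example (mine, not from the thread) that ties RickG's log_selector = +all and neonix's grep together in Python: it searches constructed exim_mainlog lines for one message id, then attributes every mail injected as nobody via P=local to the cwd= line that +arguments logs for the calling script. The sample log lines are constructed to follow Exim's documented format; pairing a submission with the nearest preceding cwd= line is an assumption that can mis-pair lines when submissions interleave under load.

```python
import re
from collections import Counter
# Constructed sample of /var/log/exim_mainlog with RickG's "log_selector = +all":
# +arguments logs a cwd= line right before the "<=" arrival line, +subject adds
# T="...". Ids, host and recipient come from the thread; paths/users are made up.
SAMPLE_LOG = """\
2005-12-19 17:33:02 cwd=/home/someuser/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2005-12-19 17:33:03 1EoTZ1-0001Xj-39 <= nobody@host2.mydomain.com U=nobody P=local S=2847 id=E1EoTZ1-0001Xj-39@host2.mydomain.com T="Notification of Limited Account Access"
2005-12-19 17:33:03 1EoTZ1-0001Xj-39 => someone_123@yahoo.com R=lookuphost T=remote_smtp H=mx.example.net [203.0.113.10]
2005-12-19 17:33:03 1EoTZ1-0001Xj-39 Completed
2005-12-19 17:33:05 cwd=/home/otheruser 3 args: /usr/sbin/sendmail -t -i
2005-12-19 17:33:05 1EoTZ3-0001Xm-1Q <= otheruser@host2.mydomain.com U=otheruser P=local S=512 T="Hello"
2005-12-19 17:33:09 cwd=/home/someuser/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2005-12-19 17:33:09 1EoTZ7-0001Xq-2B <= nobody@host2.mydomain.com U=nobody P=local S=2847 T="Notification of Limited Account Access"
"""
ARRIVAL_RE = re.compile(r'^\S+ \S+ (\S+) <= \S+ .*?U=(\S+) P=(\S+)')
CWD_RE = re.compile(r'^\S+ \S+ cwd=(\S+) \d+ args: ')
SUBJECT_RE = re.compile(r' T="([^"]*)"')
# Exim queue id (6-6-2 base62); the Message-Id header is "E" + queue id + "@host".
QUEUE_ID_RE = re.compile(r'^E?([0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2})$')

def find_message(log_lines, msgid):
    """neonix's grep: every log line for one message, given either the queue
    id or the Message-Id value, so the "=>" and "Completed" lines match too."""
    m = QUEUE_ID_RE.match(msgid.split('@')[0])
    needle = m.group(1) if m else msgid
    return [line for line in log_lines if needle in line]

def attribute_nobody_mail(log_lines):
    """Pair each mail injected by the web server user (U=nobody P=local) with the
    nearest preceding cwd= line (the calling script's directory). Heuristic:
    under load the lines of two submissions can interleave."""
    last_cwd, hits = None, []
    for line in log_lines:
        cwd = CWD_RE.match(line)
        if cwd:
            last_cwd = cwd.group(1)
        m = ARRIVAL_RE.match(line)
        if not m or m.group(3) != 'local':
            continue
        if m.group(2) == 'nobody':
            hits.append({'queue_id': m.group(1), 'cwd': last_cwd, 'subject':
                         next(iter(SUBJECT_RE.findall(line)), '')})
        last_cwd = None  # each local submission consumes its cwd= line
    return hits

def suspect_directories(log_lines):
    """Count nobody submissions per script directory, busiest first."""
    return Counter(h['cwd'] for h in attribute_nobody_mail(log_lines)).most_common()
```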
     