Find spammer sending out of our server

steele

Active Member
Aug 27, 2003
Hi all,

We have been having a problem with some user sending spam out of our server. He is sending out PayPal phishing-site spam. Also, the mail queue gets into the thousands every few days because of this. We are unable to determine which user this is. This is becoming a serious problem, because the server gets listed with Spamcop way too often now.

I was wondering if there is a way to find out which user is responsible for this.

Thanks!


Below are headers of a sample email (I changed the domain names):
-----------------------------------------------------

1EoTZ1-0001Xj-39-H
nobody 99 99
<[email protected]>
1135031583 0
-ident nobody
-received_protocol local
-body_linecount 88
-auth_id nobody
-auth_sender [email protected]
-allow_unqualified_recipient
-allow_unqualified_sender
-deliver_firsttime
-local
XX
1
[email protected]

152P Received: from nobody by host2.mydomain.com with local (Exim 4.52)
id 1EoTZ1-0001Xj-39
for [email protected]; Mon, 19 Dec 2005 17:33:03 -0500
024T To: [email protected]
048 Subject: Notification of Limited Account Access
060F From: PayPal Account Review Department <[email protected]>
011R Reply-To:
018 MIME-Version: 1.0
024 Content-Type: text/html
032 Content-Transfer-Encoding: 8bit
057I Message-Id: <[email protected]>
038 Date: Mon, 19 Dec 2005 17:33:03 -0500
 

simplestar

Well-Known Member
Nov 15, 2005
WHG has a script

Stop Nobody Spammers

As stated in their tutorial:

Requirements:
We assume you're using Apache 1.3x, PHP 4.3x and Exim. This may work on other systems, but we've only tested it on a cPanel/WHM Red Hat Enterprise system.
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
I'd suggest that you read the multitude of threads about nobody spam which have already discussed at great length what you can do about such spam.
 

steele

Active Member
Aug 27, 2003
fikse said:
are you sure it's one of your actual users? there are many vulnerable scripts that users install that end up being exploited remotely and used to send out spam....
It actually is probably someone from outside. What I'd like to know is if there is a way to find out the source script from the email headers...

Thanks.
 

RickG

Well-Known Member
Feb 28, 2005
North Carolina
steele said:
What I'd like to know is if there is a way to find out the source script from the email headers...
You can add the following to the first box of the Exim Configuration Editor (WHM >> Service Configuration >> Switch to Advanced Mode):

log_selector = +all

FYI - here are the additional items that are logged to /var/log/exim_mainlog when you use "+all" -- any of them can be used in combination to get just what you need:

+address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn

You may want to run this way for awhile and you'll probably end up finding which script has been compromised.

Hope this helps -
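The `+arguments` selector in that list is the one that pins down the script: for every local submission Exim logs a `cwd=/path N args: /usr/sbin/sendmail ...` line immediately before the `<=` received line, so the directory the compromised script lives in shows up next to each `U=nobody` message. The following is an added example, not code from the thread or from cPanel/Exim, that correlates those two line types over a constructed `exim_mainlog` excerpt (the exact field layout is assumed from Exim's documented format; function and sample names are made up):

```python
import re
from collections import Counter

# Constructed sample of /var/log/exim_mainlog with log_selector = +all.
# The "cwd=" lines come from +arguments; everything here is made up.
SAMPLE_LOG = """\
2005-12-19 17:33:02 cwd=/home/alice/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2005-12-19 17:33:02 1EoTZ0-0001Xa-11 <= [email protected] U=alice P=local S=812 T="Contact form" from <[email protected]> for [email protected]
2005-12-19 17:33:03 cwd=/home/bob/public_html/images/.tmp 3 args: /usr/sbin/sendmail -t -i
2005-12-19 17:33:03 1EoTZ1-0001Xj-39 <= [email protected] U=nobody P=local S=4102 T="Notification of Limited Account Access" from <[email protected]> for [email protected]
2005-12-19 17:33:03 cwd=/home/bob/public_html/images/.tmp 3 args: /usr/sbin/sendmail -t -i
2005-12-19 17:33:03 1EoTZ1-0001Xk-40 <= [email protected] U=nobody P=local S=4102 T="Notification of Limited Account Access" from <[email protected]> for [email protected]
2005-12-19 17:33:04 1EoTZ1-0001Xj-39 => [email protected] R=lookuphost T=remote_smtp H=mx.example.org [192.0.2.10]
"""

# "date time cwd=<dir> <n> args: <argv>"  (written by +arguments)
CWD_RE = re.compile(r"^\S+ \S+ cwd=(?P<cwd>\S+) \d+ args: (?P<args>.*)$")
# "date time <id> <= <sender> ... U=<user> P=<proto> ... T=\"<subject>\""
RECV_RE = re.compile(
    r'^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+) .*?U=(?P<user>\S+) P=(?P<proto>\S+)'
    r'(?: .*T="(?P<subject>[^"]*)")?'
)

def attribute_local_mail(log_text, user="nobody"):
    """Pair each local '<=' line for `user` with the preceding cwd= line.

    Returns (Counter of cwd -> message count, dict of message id -> details).
    Adjacency is a heuristic: under heavy concurrent submission the cwd=
    and '<=' lines of different messages can interleave, so treat the
    top directories as leads to inspect, not as proof on their own.
    """
    last_cwd = None
    per_dir = Counter()
    messages = {}
    for line in log_text.splitlines():
        m = CWD_RE.match(line)
        if m:                      # remember the directory sendmail ran from
            last_cwd = m.group("cwd")
            continue
        m = RECV_RE.match(line)
        if not m:
            continue               # deliveries, rejects, etc. are irrelevant
        if m.group("user") != user or m.group("proto") != "local":
            last_cwd = None        # other users' mail consumes the cwd line
            continue
        cwd = last_cwd or "<no cwd line seen>"
        per_dir[cwd] += 1
        messages[m.group("id")] = {"cwd": cwd, "subject": m.group("subject") or ""}
        last_cwd = None
    return per_dir, messages

if __name__ == "__main__":
    dirs, _ = attribute_local_mail(SAMPLE_LOG)
    for path, n in dirs.most_common():
        print(f"{n:5d}  {path}")
```

Scripts that talk SMTP to localhost instead of calling sendmail show up with `P=esmtp` and `H=localhost` rather than a cwd= line, so for those the `+received_sender` / `+incoming_port` fields plus the Apache access log for the same timestamp are the next lead.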
 

parasane

Well-Known Member
Oct 19, 2003
Dickson City, Pennsylvania (USA)
cPanel Access Level
DataCenter Provider
Steele,

Check out the Received: and DomainKey-Signature: headers in the emails.

If all else fails, do a full manual check on the server. I have to do it for people all the time. It usually comes down to a poorly-written Perl or PHP script accessed through the web using a simple multithreader.

~ Dan