H=localhost (User) spammer

CapriSkye

Registered
Oct 6, 2004
4
0
151
Hello, I've been trying to track down a spammer, was wondering if anyone can give me some directions. The log is here,

Code:
2011-01-10 07:06:41 [16082] 1PdLwq-0004BO-Ep <= [email protected] H=localhost (User) [127.0.0.1]:37420 I=[127.0.0.1]:25 P=smtp S=226 from <[email protected]> for [email protected]
I'm unable to find any other information from the exim log. I know if I login to SSH and telnet to localhost and send emails that way, it would show the similar log, but I'm not seeing anyone logged in during that time. Any other places I should check?
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
41
348
somewhere over the rainbow
cPanel Access Level
Root Administrator
Hello dalem,

That's a helpful command. Thanks for providing it, but rather than waiting, wouldn't it be easier to run it to write to a file?

Code:
netstat -cen | grep 127.0.0.1:25 > /root/spammer.txt &
You can test this out by connecting to localhost on the machine after running the above command to see the results:

Code:
telnet localhost 25
The best benefit is that it wouldn't then require waiting in SSH for them to do it again. The above netstat command will save to /root/spammer.txt file as a log of connections on localhost on port 25. Please note that you could always put the log in whatever location you prefer and call it whatever name you prefer.

Once you see the user spamming again, simply kill the netstat process:

Code:
ps aux | grep netstat
kill -9 netstatPID#
Then check who has the last logs in the file around that time. Personally, I always prefer to log things when possible.