
H=localhost (User) spammer

Discussion in 'E-mail Discussions' started by CapriSkye, Jan 20, 2011.

  1. CapriSkye

    Hello, I've been trying to track down a spammer and was wondering if anyone can give me some directions. The log is here:

    Code:
    2011-01-10 07:06:41 [16082] 1PdLwq-0004BO-Ep <= test@test.com H=localhost (User) [127.0.0.1]:37420 I=[127.0.0.1]:25 P=smtp S=226 from <test@test.com> for test@test.com
    
    I'm unable to find any other information in the exim log. I know that if I log in over SSH, telnet to localhost and send emails that way, it would show a similar log, but I'm not seeing anyone logged in during that time. Are there any other places I should check?
     
  2. dalem

    Run this command from SSH:

    Code:
    netstat -cen | grep 127.0.0.1:25

    Watch and wait for their next spam run and it will give you the UID (you may have to wait a while).
     
  3. cPanelTristan

    Hello dalem,

    That's a helpful command. Thanks for providing it, but rather than waiting, wouldn't it be easier to run it to write to a file?

    Code:
    netstat -cen | grep 127.0.0.1:25 > /root/spammer.txt &
    You can test this out by connecting to localhost on the machine after running the above command to see the results:

    Code:
    telnet localhost 25
    The best benefit is that it wouldn't then require waiting in SSH for them to do it again. The above netstat command will save to the /root/spammer.txt file as a log of connections on localhost on port 25. Please note that you could always put the log in whatever location you prefer and call it whatever name you prefer.

    Once you see the user spamming again, simply kill the netstat process:

    Code:
    ps aux | grep netstat
    kill -9 netstatPID#
    Then check who has the last logs in the file around that time. Personally, I always prefer to log things when possible.
     
  4. CapriSkye

    Thank you all for the suggestions.
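
One way to read the capture file produced by the netstat command in the replies above, as an added example that is not part of any post in this thread: on loopback every connection is listed twice, and only the row whose foreign address is 127.0.0.1:25 carries the sender's UID. The function names, the sample rows and the UIDs 1005, 1010 and 47 are constructed for illustration.

```shell
# Summarise a capture written by: netstat -cen | grep 127.0.0.1:25 > FILE
# TCP columns of `netstat -en`:
#   Proto Recv-Q Send-Q Local-Address Foreign-Address State UID Inode

# Print "COUNT UID" for every UID that owned the client end of a connection
# to 127.0.0.1:25, most frequent first.
smtp_client_uids() {
    awk '
        $1 !~ /^tcp/ { next }
        # Client end only. The mirrored row (local address 127.0.0.1:25) is
        # the mail server socket and shows the MTA UID, not the sender.
        # The exact match also drops rows the loose grep pattern let through,
        # such as port 2525.
        $5 != "127.0.0.1:25" { next }
        # On Linux, TIME_WAIT sockets have no owning process and show UID 0.
        $6 == "TIME_WAIT" { next }
        # netstat -c re-lists a live socket every second: count an inode once.
        !seen[$8]++ { count[$7]++ }
        END { for (uid in count) print count[uid], uid }
    ' "$1" | sort -k1,1nr -k2,2n
}

# Resolve a UID to an account name, falling back to the bare UID.
uid_name() {
    name=$(getent passwd "$1" 2>/dev/null | cut -d: -f1)
    echo "${name:-uid=$1}"
}

# Constructed sample capture (not taken from the thread).
sample=$(mktemp)
cat > "$sample" <<'EOF'
tcp        0      0 127.0.0.1:37420         127.0.0.1:25            ESTABLISHED 1005       88231
tcp        0      0 127.0.0.1:25            127.0.0.1:37420         ESTABLISHED 47         88232
tcp        0      0 127.0.0.1:37420         127.0.0.1:25            ESTABLISHED 1005       88231
tcp        0      0 127.0.0.1:37422         127.0.0.1:25            ESTABLISHED 1005       88240
tcp        0      0 127.0.0.1:37410         127.0.0.1:25            TIME_WAIT   0          0
tcp        0      0 127.0.0.1:41000         127.0.0.1:2525          ESTABLISHED 1010       88300
EOF

smtp_client_uids "$sample" | while read -r n uid; do
    echo "$n connection(s) to 127.0.0.1:25 from $(uid_name "$uid")"
done
```

Run against a real capture by passing its path, for example `smtp_client_uids /root/spammer.txt`.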
     
