H=localhost (User) spammer

Discussion in 'E-mail Discussion' started by CapriSkye, Jan 20, 2011.

  1. CapriSkye

    CapriSkye Registered

    Hello, I've been trying to track down a spammer, was wondering if anyone can give me some directions. The log is here,

    Code:
    2011-01-10 07:06:41 [16082] 1PdLwq-0004BO-Ep <= test@test.com H=localhost (User) [127.0.0.1]:37420 I=[127.0.0.1]:25 P=smtp S=226 from <test@test.com> for test@test.com
    
    I'm unable to find any other information from the exim log. I know if I log in to SSH and telnet to localhost and send emails that way, it would show a similar log, but I'm not seeing anyone logged in during that time. Any other places I should check?
     
  2. dalem

    dalem Well-Known Member
    PartnerNOC

    Run this command from SSH:

    Code:
    netstat -cen | grep 127.0.0.1:25
    Watch and wait for their next spam run and it will give you the UID (you may have to wait a while).
     
  3. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Hello dalem,

    That's a helpful command. Thanks for providing it, but rather than waiting, wouldn't it be easier to run it to write to a file?

    Code:
    netstat -cen | grep 127.0.0.1:25 > /root/spammer.txt &
    You can test this out by connecting to localhost on the machine after running the above command to see the results:

    Code:
    telnet localhost 25
    The best benefit is that it wouldn't then require waiting in SSH for them to do it again. The above netstat command will save to /root/spammer.txt file as a log of connections on localhost on port 25. Please note that you could always put the log in whatever location you prefer and call it whatever name you prefer.

    Once you see the user spamming again, simply kill the netstat process:

    Code:
    ps aux | grep netstat
    kill -9 netstatPID#
    Then check who has the last logs in the file around that time. Personally, I always prefer to log things when possible.
     
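An added example, not part of any post in this thread: a filter for the netstat approach suggested above that keeps only the client end of each connection to 127.0.0.1:25 and writes a timestamp with each hit. It assumes the net-tools `netstat -ten` column layout; the function names and the sample uids and inodes are constructed for illustration.

```shell
#!/bin/bash
# Added example; assumes net-tools column order for `netstat -ten`:
# Proto Recv-Q Send-Q Local-Address Foreign-Address State User Inode

# Print "<client-port> <uid>" for each socket on stdin whose FOREIGN address
# is 127.0.0.1:25 (the client end). The server end, with LOCAL address
# 127.0.0.1:25, is owned by the mail server. Inode 0 means the socket no
# longer has an owner (e.g. TIME_WAIT); netstat reports uid 0 for it.
smtp_client_uids() {
    awk '$1 ~ /^tcp/ && $5 == "127.0.0.1:25" && $8 != 0 {
             n = split($4, a, ":"); print a[n], $7 }'
}

# Poll once per second and append timestamped hits to a log file
# (default path taken from the thread; pass another as $1).
log_smtp_clients() {
    log=${1:-/root/spammer.txt}
    while sleep 1; do
        netstat -ten 2>/dev/null | smtp_client_uids |
        while read -r port uid; do
            user=$(getent passwd "$uid" | cut -d: -f1)
            printf '%s port=%s uid=%s user=%s\n' \
                "$(date '+%F %T')" "$port" "$uid" "${user:-unknown}"
        done >> "$log"
    done
}

# Constructed sample of `netstat -ten` output (uids and inodes are made up).
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode
tcp        0      0 127.0.0.1:37420         127.0.0.1:25            ESTABLISHED 32010      9100201
tcp        0      0 127.0.0.1:25            127.0.0.1:37420         ESTABLISHED 47         9100202
tcp        0      0 127.0.0.1:37388         127.0.0.1:25            TIME_WAIT   0          0
tcp        0      0 127.0.0.1:51000         127.0.0.1:2525          ESTABLISHED 32011      9100300
EOF
}
```

The logged port is the same client port Exim records after `[127.0.0.1]:` in its log line, so a hit can be matched to a specific message. Run `log_smtp_clients &` as root to start logging in the background.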
  4. CapriSkye

    CapriSkye Registered

    Thank you all for the suggestions.
     
