The Community Forums


Having Trouble Tracking down Mail relayer

Discussion in 'E-mail Discussions' started by noimad1, Jan 28, 2008.

  1. noimad1

    noimad1 Well-Known Member

    Joined:
    Mar 27, 2003
    Messages:
    627
    Likes Received:
    0
    Trophy Points:
    16
    Ok,

    On two different servers we are having a problem with what appears to be mail relaying on the servers. In the past, we've been able to look at the message headers of the messages going out, and usually part of the headers are still intact. Generally, the cPanel username is still left in the header, and we can track it down to those users. Either they have a virus, or the form mail on their site is hijacked, or whatever (the only thing I have changed is our host name):

    Is there anything I can use from that header to track this down? I've looked in the exim_mainlog for the message ID, and here's what it shows:


    I've even gone as far as to look in the maillog at the time of the above message, but I don't see any specific user logging in or anything like that.

    I click on "view mail relayers" through the WHM, but it comes back empty.

    I just can't figure this one out for the life of me?

    What else can I do to track down where this mail is coming from?
     
  2. noimad1

    Anyone have any ideas on this one?
     
  3. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    The only Received header record you can trust is the first one (127.0.0.1), which suggests the spam is probably being sent out via a web script on the server direct to port 25 on localhost rather than directly through the exim binary. This makes it tricky to track down. You'll probably need to trawl through your apache domlogs at the time the spam was sent.
     
  4. noimad1

    Yeah, this one was a complete nightmare to track down. The only reason I caught them is I just happened to be running top on the server during one of their attacks.

    They thought they were being smart. I think it was an automated script running. It was logging into the client's site, uploading a CGI script to spam, spamming, then deleting it through FTP.

    It actually happened on two of our servers.

    It was done the same way as those iframe hacks going around, where they had the user's actual FTP login details...

    They were logging in through FTP through another hosting provider. I contacted that provider, and they removed the attacking script from their server.

    And of course changing the users' passwords stopped it as well.
     
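The two findings in this thread, chirpy's advice to start from the 127.0.0.1 arrival in exim_mainlog and trawl the Apache domlogs for that moment, and noimad1's discovery that the spammer uploaded a CGI script over FTP, ran it, and deleted it again, can be turned into one log-correlation script. What follows is an added example written for this page; it is not code from the thread, from cPanel, or from Exim. The exim_mainlog, domlog and pure-ftpd lines are constructed to match the shape of those logs, and every hostname, IP address, user name, path and message ID in them is invented. It also assumes all three logs use the server's local time, so the domlog's UTC offset is dropped before comparing timestamps.

```python
"""Correlate Exim arrivals from 127.0.0.1 with Apache domlog script hits and
FTP activity in the same time window.  Added example, not from the thread.
Run stand-alone with: python3 relay_hunt.py
"""
import re
from datetime import datetime, timedelta

# --- constructed sample logs (invented names, IPs and message IDs) ---------

# /var/log/exim_mainlog: '<=' is an arrival.  Mail injected through the exim
# binary carries 'U=<user> P=local'; mail from a script talking SMTP to port 25
# on localhost carries 'H=... [127.0.0.1] P=esmtp' and no username.
EXIM_MAINLOG = """\
2008-01-28 03:14:02 1JJQmE-0003Gx-7v <= bob@example.net U=bob P=local S=1802
2008-01-28 03:14:22 1JJQmY-0003H1-Qz <= noreply@example.com H=localhost (example.com) [127.0.0.1] P=esmtp S=2315
2008-01-28 03:14:23 1JJQmY-0003H1-Qz => victim@example.org R=lookuphost T=remote_smtp H=mx.example.org [203.0.113.5]
2008-01-28 03:14:25 1JJQmb-0003H4-1e <= noreply@example.com H=localhost (example.com) [127.0.0.1] P=esmtp S=2315
"""

# Apache combined format as written to /usr/local/apache/domlogs/<domain>
DOMLOG = """\
198.51.100.7 - - [28/Jan/2008:03:14:20 -0600] "POST /cgi-bin/mailer.cgi HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.9 - - [28/Jan/2008:03:14:21 -0600] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Jan/2008:03:14:24 -0600] "POST /cgi-bin/mailer.cgi HTTP/1.1" 200 512 "-" "Mozilla/4.0"
"""

# pure-ftpd entries as they appear in /var/log/messages (syslog has no year)
FTP_LOG = """\
Jan 28 03:14:10 server pure-ftpd: (?@198.51.100.7) [INFO] clientuser is now logged in
Jan 28 03:14:12 server pure-ftpd: (clientuser@198.51.100.7) [NOTICE] /home/clientuser/public_html//cgi-bin/mailer.cgi uploaded  (1234 bytes, 56.7KB/sec)
Jan 28 03:14:30 server pure-ftpd: (clientuser@198.51.100.7) [DEBUG] Command [DELE] [mailer.cgi]
"""

EXIM_ARRIVAL = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) <= (\S+) (.*)$')
DOMLOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
FTP_LINE = re.compile(r'^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pure-ftpd: \((\S+)@([\d.]+)\) \[(\w+)\] (.*)$')
SCRIPT_PATH = re.compile(r'\.(cgi|pl|php)(\?|$)')  # request targets worth a look


def localhost_arrivals(text):
    """Arrivals Exim accepted over SMTP from 127.0.0.1: the untraceable case."""
    found = []
    for line in text.splitlines():
        m = EXIM_ARRIVAL.match(line)
        if m and '[127.0.0.1]' in m.group(4):
            found.append({'time': datetime.strptime(m.group(1), '%Y-%m-%d %H:%M:%S'),
                          'id': m.group(2), 'sender': m.group(3)})
    return found


def parse_domlog(text):
    hits = []
    for line in text.splitlines():
        m = DOMLOG_LINE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        # Assumption: every log is in server local time, so the offset is dropped.
        when = datetime.strptime(ts, '%d/%b/%Y:%H:%M:%S %z').replace(tzinfo=None)
        hits.append({'time': when, 'ip': ip, 'method': method, 'path': path, 'status': int(status)})
    return hits


def parse_ftp(text, year):
    events = []
    for line in text.splitlines():
        m = FTP_LINE.match(line)
        if not m:
            continue
        ts, user, ip, level, msg = m.groups()
        when = datetime.strptime('%d %s' % (year, ts), '%Y %b %d %H:%M:%S')
        events.append({'time': when, 'user': user, 'ip': ip, 'level': level, 'msg': msg})
    return events


def correlate(exim_text, domlog_text, ftp_text, window=timedelta(seconds=30), year=2008):
    """For each localhost arrival, gather script requests and FTP events within +/- window."""
    web, ftp = parse_domlog(domlog_text), parse_ftp(ftp_text, year)
    findings = []
    for msg in localhost_arrivals(exim_text):
        lo, hi = msg['time'] - window, msg['time'] + window
        findings.append({
            'id': msg['id'], 'time': msg['time'],
            'web': [w for w in web if lo <= w['time'] <= hi and SCRIPT_PATH.search(w['path'])],
            'ftp': [f for f in ftp if lo <= f['time'] <= hi],
        })
    return findings


def suspects(findings):
    """Per client IP: which scripts it hit and which FTP accounts it used."""
    by_ip = {}
    for f in findings:
        for w in f['web']:
            by_ip.setdefault(w['ip'], {'scripts': set(), 'ftp_users': set()})['scripts'].add(w['path'])
        for e in f['ftp']:
            if e['user'] != '?':  # pure-ftpd logs '?' until the login completes
                by_ip.setdefault(e['ip'], {'scripts': set(), 'ftp_users': set()})['ftp_users'].add(e['user'])
    return by_ip


if __name__ == '__main__':
    results = correlate(EXIM_MAINLOG, DOMLOG, FTP_LOG)
    for f in results:
        print(f['id'], f['time'], '%d script hits, %d ftp events' % (len(f['web']), len(f['ftp'])))
    for ip, info in suspects(results).items():
        print(ip, 'scripts:', sorted(info['scripts']), 'ftp users:', sorted(info['ftp_users']))
```

The output names the client IP that both POSTed to the CGI script and logged in over FTP with the account that owns the directory, which is exactly the evidence needed to tell the customer their FTP password is compromised and to send an abuse report to the network the script was driven from. On a real server the window should be widened if the domlogs and Exim are buffered differently, and the FTP section needs adjusting if the box runs proftpd rather than pure-ftpd, since the line format differs.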