The Community Forums


Help me track down some spam!

Discussion in 'General Discussion' started by erinspice, Oct 31, 2007.

  1. erinspice

    erinspice Well-Known Member

    Joined:
    Feb 12, 2006
    Messages:
    99
    Likes Received:
    0
    Trophy Points:
    16
    I need some help from the masters! One of my servers is sending spam, and I really need to track it down and find out how to stop it. Here's one:

    UID 47 is mailnull. I have the extra spam tracking headers turned on (X-SOURCE-DIR, et al.), but they aren't showing up. :confused: Will somebody please teach me how to track spam back to a username and an application so that I can secure my server?
     
  2. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,281
    Likes Received:
    37
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Actually, it looks like your server is _forwarding_ spam.

    Scenario: A user on your system has one of their accounts set up to forward to an AOL.COM account. Then, when it goes to their AOL.COM account they tag it as spam. Then AOL sends you a message telling you that they received a spam message from your server.

    Check for forwarders on all of the myclient.com accounts that are on your server - See who is forwarding to AOL.

    grep 1In481-0005YM-Co /var/log/exim_mainlog
    - see who this email was sent to on your server.

    Mike


     
    #2 mtindor, Oct 31, 2007
    Last edited: Oct 31, 2007
  3. erinspice

    erinspice Well-Known Member

    How is this not a problem for every web host then? And why am I only experiencing this on one of my 5 servers? Is there some way I could configure my server to disallow mail forwarding server-wide, or only allow forwarding between local addresses? Also, what in there let you know it was being forwarded?
     
  4. mtindor

    mtindor Well-Known Member

    I don't believe there is a way to turn off forwarding altogether, or only allow forwarding between local addresses. Some crafty people could come up with a result, but cPanel itself does not have any configuration options such as those.

    How did I know it was being forwarded? I looked at the Received headers. If they are to be believed (and oftentimes in spam, one or more Received lines are bogus), you would follow from the bottom to the top.

    The topmost Received header shows the final destination was an AOL server (from an AOL server to another AOL server).

    The second Received header shows where it was sent from your machine to the AOL server.

    The third Received line shows where your server received it from 33.33.33.33.dynamic.dsl.as9105.com

    So if you reverse that order you see:

    the as9105.com IP address sent the spam to your server
    your server then sent it to AOL
    AOL sent it to another one of its servers for final delivery

    There would be no reason for some remote IP to send it to your machine and then it get automatically sent to AOL unless:
    1. It was sent to an account on your server and then forwarded to an AOL.COM account
    OR
    2. Somebody authenticated into your server via the as9105.com IP address and explicitly sent an email through your server to an AOL destination

    Could have been either one, but the more likely scenario just based upon my eyes parsing the headers was that it was simply a piece of spam sent to an account on your server, which in turn was set up to forward to an AOL account.

    I take it I was correct?

    Mike


    Subject: Make her worship you
    From: "Michael Baxter" <xijabsentforaweekhub@absentforaweek.de>
    Date: Wed, 31 Oct 2007 03:57:19 +0000
    To: <Undisclosed Recipients>
    Return-Path: <xijabsentforaweekhub@absentforaweek.de>
    Received: from rly-yc06.mail.aol.com (rly-yc06.mail.aol.com [22.22.22.22]) by air-yc04.mail.aol.com (v120.9) with ESMTP id MAILINYC43-6e74727f47d371; Tue, 30 Oct 2007 23:20:54 -0400
    Received: from hostname.mysite.com (hostname.mysite.com [11.11.11.11]) by rly-yc06.mail.aol.com (v120.9) with ESMTP id MAILRELAYINYC61-6e74727f47d371; Tue, 30 Oct 2007 23:20:30 -0400
    Received: from 33.33.33.33.dynamic.dsl.as9105.com ([33.33.33.33]) by hostname.mysite.com with esmtp (Exim 4.68) (envelope-from <xijabsentforaweekhub@absentforaweek.de>) id 1In481-0005YM-Co; Tue, 30 Oct 2007 22:20:26 -0500
    Received: from [33.33.33.33] by mail.absentforaweek.de; Wed, 31 Oct 2007 03:57:19 +0000
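A way to walk those Received headers programmatically, as an added example that is not part of the thread: it embeds the headers quoted above as a constructed sample, reorders them oldest hop first, and picks out the line stamped by the server under investigation (assumed here to be hostname.mysite.com) to get the handing-off IP, the Exim queue id to grep for, and where the server relayed the message.

```python
import re

# Constructed sample: the headers quoted above, newest hop first, folded as in a raw message.
SAMPLE_HEADERS = """\
Received: from rly-yc06.mail.aol.com (rly-yc06.mail.aol.com [22.22.22.22]) by air-yc04.mail.aol.com
 (v120.9) with ESMTP id MAILINYC43-6e74727f47d371; Tue, 30 Oct 2007 23:20:54 -0400
Received: from hostname.mysite.com (hostname.mysite.com [11.11.11.11]) by rly-yc06.mail.aol.com
 (v120.9) with ESMTP id MAILRELAYINYC61-6e74727f47d371; Tue, 30 Oct 2007 23:20:30 -0400
Received: from 33.33.33.33.dynamic.dsl.as9105.com ([33.33.33.33]) by hostname.mysite.com
 with esmtp (Exim 4.68) (envelope-from <xijabsentforaweekhub@absentforaweek.de>)
 id 1In481-0005YM-Co; Tue, 30 Oct 2007 22:20:26 -0500
Received: from [33.33.33.33] by mail.absentforaweek.de; Wed, 31 Oct 2007 03:57:19 +0000
"""

HOP_RE = re.compile(
    r"^Received:\s+from\s+(?P<frm>[^\s;]+).*?\bby\s+(?P<by>[^\s;]+)"
    r"(?:.*?\bid\s+(?P<id>[^\s;]+))?",
    re.I | re.S,
)

def unfold(raw):
    """Join folded continuation lines (leading whitespace) back onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def parse_received(raw):
    """Return (from, by, id) per Received header, reordered oldest hop first."""
    hops = []
    for line in unfold(raw):
        m = HOP_RE.match(line)
        if m:
            hops.append((m.group("frm"), m.group("by"), m.group("id")))
    return hops[::-1]

def trace(raw, our_host):
    """Locate the hop our_host stamped: who handed us the mail, our Exim queue id,
    and where we relayed it. Hops below ours were written by others and may be forged."""
    hops = parse_received(raw)
    for i, (frm, by, mid) in enumerate(hops):
        if by.lower() == our_host.lower():
            relayed_to = hops[i + 1][1] if i + 1 < len(hops) else None
            return {"origin": frm, "exim_id": mid, "relayed_to": relayed_to,
                    "log_query": f"grep {mid} /var/log/exim_mainlog"}
    return None
```

Only the hop your own Exim wrote is trustworthy; the origin it names and the queue id it assigned are what you take to the exim_mainlog, as in the grep above.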
     
  5. erinspice

    erinspice Well-Known Member

    Yep. Fixing that now. One more thing. Do you know where the configuration for forwarders is stored so I can manage this directly instead of having to log into every user's cPanel to check for forwarding issues?
     
    #5 erinspice, Oct 31, 2007
    Last edited: Oct 31, 2007
  6. mtindor

    mtindor Well-Known Member

    It is a problem for every webhost - especially if they allow forwarding to domains such as aol.com, hotmail.com, yahoo.com, comcast.net and many others. Many of those mail systems pay attention to forwarded spam and end up blacklisting the sending IP if it receives too many forwarded emails that then are tagged as spam by the recipient.

    And, of course in the case of AOL users, well, I need not say anymore. It's very very typical of AOL users who have other accounts forwarding to their AOL mailboxes to then tag that legitimately forwarded email (spam or not) as spam in their AOL account, thus causing AOL to bark about it.

    Forwarders are almost always a bad idea anymore for this very reason - especially if you are forwarding to the big elephants like AOL, Yahoo, Hotmail, Comcast, and their other associated domains.

    MANY hosting providers have specific TOS rules prohibiting their customers from setting up forwards to domains such as the ones above.

    Mike
     
  7. erinspice

    erinspice Well-Known Member

    Do you know where the configuration for forwarders is stored so I can manage this directly instead of having to log into every user's cPanel to check for forwarding issues?

    ETA: I found them in /etc/valiases/ . Thanks for your help!
     
    #7 erinspice, Oct 31, 2007
    Last edited: Oct 31, 2007
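To audit every domain's forwarders at once instead of opening each customer's cPanel, an added example (not from the thread or from cPanel) that reads the /etc/valiases/ files mentioned above and lists forwards that leave the server, flagging the providers named in post #6. It assumes the one-file-per-domain, `address: destination, destination` layout described in the comments; the sample file is constructed.

```python
import os

# Assumed /etc/valiases layout (cPanel, one file per domain, named after it): each line
# is "address: destination[, destination...]"; a destination may be a mailbox, a
# quoted "|pipe", :fail: or :blackhole:. The file below is a constructed sample.
SAMPLE_VALIAS = """\
info@myclient.com: bob@myclient.com
sales@myclient.com: "|/usr/local/cpanel/bin/autorespond sales@myclient.com"
joe@myclient.com: joe@aol.com, joe@myclient.com
*: :fail: No Such User Here
"""

# Providers named in the thread as quick to blacklist a relay over forwarded spam.
FREEMAIL = {"aol.com", "hotmail.com", "yahoo.com", "comcast.net"}

def parse_valias(text):
    """Yield (address, [destinations]) for each forwarder line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        addr, _, rest = line.partition(":")
        dests = [d.strip().strip('"') for d in rest.split(",") if d.strip()]
        yield addr.strip(), dests

def external_forwarders(text, local_domains, watch=FREEMAIL):
    """Return (address, destination, flagged) for every mailbox destination outside
    local_domains; flagged is True when it lands at one of the watched providers."""
    found = []
    for addr, dests in parse_valias(text):
        for d in dests:
            if d.startswith(("|", ":")) or "@" not in d:
                continue  # pipes, :fail:/:blackhole:, bare local usernames
            domain = d.rsplit("@", 1)[1].lower()
            if domain not in local_domains:
                found.append((addr, d, domain in watch))
    return found

def scan_valiases(path="/etc/valiases"):
    """Run the check over a real cPanel server: each file name is its domain."""
    hits = []
    for name in sorted(os.listdir(path)):
        with open(os.path.join(path, name)) as fh:
            hits += external_forwarders(fh.read(), {name.lower()})
    return hits
```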
  8. mtindor

    mtindor Well-Known Member

    You're welcome!

    Mike
     
  9. isputra

    isputra Well-Known Member

    Joined:
    May 3, 2003
    Messages:
    576
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Mbelitar
    Or you can install Chirpy's Mail Manage script on your server so you can manage your clients' email accounts without having to log in to each client's cPanel.
     