
HELP! Serious mail issue!

Discussion in 'E-mail Discussions' started by dgbaker, Feb 20, 2003.

  1. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    Hey Everyone,

    I've been doing some work for someone trying to get spammers under control on their servers; every night the server gets flooded with over 10,000 mail messages from fictitious IDs, some are numeric domains, others are variants of yahoo addresses.

    We tried adding yahoo.com to the /etc/spammers file with no luck. We've done open relay tests and they were fine, but it still seems to be doing relaying.

    Here is a sample of one of the messages.

    18loYW-0002zA-00-H
    nobody 99 99
    <nobody@server.thisdomain.com>
    1045739276 0
    -ident nobody
    -received_protocol local
    -body_linecount 1
    -auth_id nobody
    -auth_sender nobody@server.thisdomain.com
    -deliver_firsttime
    -local
    XX
    1
    congchuadethuong86@yahoo.com

    162P Received: from nobody by server.thisdomain.com with local (Exim 3.36 #1)
    id 18loYW-0002zA-00
    for congchuadethuong86@yahoo.com; Thu, 20 Feb 2003 06:07:56 -0500
    033T To: congchuadethuong86@yahoo.com
    016 Subject: 539880
    024F From: 190415@271222.com
    055I Message-Id: <E18loYW-0002zA-00@server.thisdomain.com>
    038 Date: Thu, 20 Feb 2003 06:07:56 -0500



    Now there are so many files in /var/spool/exim/input that I cannot grep through to clean out, and obviously cannot afford to lose the real users e-mails.

    This is a Cpanel 5.3.0-S116 RedHat 7.3 server.

    Yes I know that going to 6.0 would probably help with the disabling of nobody for mail, but I also figure that there must be a way to manually edit to block nobody.

    Server queue is so bad that runq -v is now a cron job to force the queue out. Also this is affecting server performance majorly; it is steadily around load average: 19.40, 15.69, 13.59. Once the queue finally clears in about 4-5 hours, loads go back to normal. This is a heavily used and loaded server.


    I really need to find a solution to this before the server croaks.


    I'm really hoping some of you Mail Gurus can help me out here.

    Thanks Everyone
     
    #1 dgbaker, Feb 20, 2003
    Last edited: Feb 20, 2003
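A triage script for the situation described above, added here and not part of the original thread: it parses Exim 3 '-H' spool files in the layout shown in the post and lists only the messages that the web-server user nobody handed to Exim locally, so those can be removed from the queue without touching real users' mail. The second message in the constructed sample (login joe) is an assumption used to show that a user's own local submission is kept.

```python
import re

HEADER_RE = re.compile(r"^(\d{3})([A-Z*]?) (.*)$")   # spool header line: "024F From: ..."

def parse_spool_header(text):
    """Parse one Exim 3 '-H' spool file (layout as in the post) into a dict."""
    lines = text.splitlines()
    msg = {"id": lines[0][:-2] if lines[0].endswith("-H") else lines[0]}
    msg["login"], msg["uid"], msg["gid"] = lines[1].split()   # "nobody 99 99"
    msg["sender"] = lines[2].strip("<>")                      # envelope sender
    opts, i = {}, 4                                           # line 3 is the timestamp
    while i < len(lines) and lines[i].startswith("-"):        # e.g. "-auth_id nobody"
        name, _, value = lines[i][1:].partition(" ")
        opts[name] = value or True
        i += 1
    msg["options"] = opts
    i += 1                                 # skip the "XX" line that precedes the recipients
    count = int(lines[i]); i += 1
    msg["recipients"] = lines[i:i + count]; i += count
    headers = []
    for line in lines[i:]:                 # "NNNF text": NNN = length, F = flag letter
        m = HEADER_RE.match(line)
        if m:
            headers.append(m.group(3))
        elif headers and line:             # unprefixed line = continuation of last header
            headers[-1] += "\n" + line.strip()
    msg["headers"] = headers
    return msg

def is_nobody_injection(msg):
    """True when 'nobody' (the web server) handed the message to Exim locally."""
    return msg["login"] == "nobody" and msg["options"].get("received_protocol") == "local"

def select_for_removal(spool_texts):
    """{filename: -H text} -> sorted IDs of nobody-injected messages (for exim -Mrm)."""
    msgs = (parse_spool_header(t) for t in spool_texts.values())
    return sorted(m["id"] for m in msgs if is_nobody_injection(m))

# Constructed sample: the post's 'nobody' message plus an assumed real user's local submission.
SAMPLE = {
    "18loYW-0002zA-00-H": "18loYW-0002zA-00-H\nnobody 99 99\n<nobody@server.thisdomain.com>\n"
        "1045739276 0\n-ident nobody\n-received_protocol local\n-auth_id nobody\n-local\nXX\n1\n"
        "congchuadethuong86@yahoo.com\n\n033T To: congchuadethuong86@yahoo.com\n024F From: 190415@271222.com\n",
    "18loZZ-0001aa-00-H": "18loZZ-0001aa-00-H\njoe 500 500\n<joe@joe.com>\n1045739300 0\n-ident joe\n"
        "-received_protocol local\n-local\nXX\n1\nboss@example.com\n\n023T To: boss@example.com\n",
}

if __name__ == "__main__":   # on a live server: read "/var/spool/exim/input/*-H" instead of SAMPLE
    print("\n".join(select_for_removal(SAMPLE)))      # prints: 18loYW-0002zA-00
```

On a live queue, build the dict from the -H files in /var/spool/exim/input, spot-check a few of the selected IDs by hand, and then hand them to exim -Mrm.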
  2. dgbaker

    *BUMP*
     
  3. Annette

    Annette Well-Known Member
    PartnerNOC

    Joined:
    Aug 12, 2001
    Messages:
    445
    Likes Received:
    0
    Trophy Points:
    16
    The mail is going out from the server to the world? Or coming in to the server from somewhere else? Based on your post, it looks they have a spammer onboard, not that the server itself is being mailbombed. Adding yahoo to /etc/spammers isn't going to do anything in that case. When did this start happening? If recently, or if the date can be pinpointed, look at the accounts that were added during that time. Do the domains associated with those accounts resolve? Are they even registered? Do a locate on known spamming scripts (lstmrge, etc.). Look at the actual details of one of those messages in the queue - does it give a pointer back to the spammer's site and is that site on the server there, by IP or name? If the server is not running suexec, look at the mySQL processes when all that mail starts flowing out, since the sender is nobody - if the spammer is using a mySQL backend for their lists, that will be a good way to catch them. There are any number of ways to deal with spambags on a system.
     
  4. dgbaker

    Hi Annette - Thanks for the info.

    These messages, it seems, are being sent from the server to garbage mail accounts at yahoo.com. Yahoo.com comes back with no such address. Here, though, is a complete msg from the input directory:

    Owner root:nobody
    bash# cat 18lmyh-0004mS-00-D
    18lmyh-0004mS-00-D
    Hello Kitty

    Now there are literally hundreds upon hundreds of these in the input directory.
    And in the msglog directory.
    Owner root:nobody
    Tons of these different domains and addresses.

    [/var/spool/exim/msglog]# cat 18lnti-0008TT-00
    2003-02-20 05:29:16 net.co.il [192.116.202.58]: Connection timed out
    2003-02-20 05:29:18 khackel@net.co.il T=remote_smtp defer (110): Connection timed out
    2003-02-20 05:39:23 khackel@net.co.il T=remote_smtp defer (-44): retry time not reached for any host
    2003-02-20 09:24:05 net.co.il [192.116.202.58]: Connection timed out
    2003-02-20 09:24:05 khackel@net.co.il T=remote_smtp defer (110): Connection timed out
    2003-02-20 11:18:16 khackel@net.co.il T=remote_smtp defer (-44): retry time not reached for any host
    2003-02-20 11:18:24 khackel@net.co.il T=remote_smtp defer (-44): retry time not reached for any host
    2003-02-20 11:27:01 khackel@net.co.il T=remote_smtp defer (-44): retry time not reached for any host
    2003-02-20 12:00:11 khackel@net.co.il T=remote_smtp defer (-44): retry time not reached for any host
    2003-02-20 13:11:27 khackel@net.co.il T=remote_smtp defer (-44): retry time not reached for any host
    2003-02-20 14:03:55 khackel@net.co.il T=remote_smtp defer (-44): retry time not reached for any host
    2003-02-20 15:14:32 khackel@net.co.il T=remote_smtp defer (-44): retry time not reached for any host



    I will though do some googling for some info and background.

    Thanks
     
  5. Website Rob

    Website Rob Well-Known Member

    Joined:
    Mar 23, 2002
    Messages:
    1,506
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    Alberta, Canada
    cPanel Access Level:
    Root Administrator
    If moving up to WHM 6.x is not yet an option and catching someone using 'nobody' requires tracking -- very difficult timing it to catch them 'when' they are doing it -- I would suggest they spend the money for either of these two scripts which will watch & track for you:

    http://webhostingbilling.com/software.shtml
    SendMail SpamStopper
    Abuse Package

    They're each US $50.00 and one or both should help stop the problem.

    I, too, am seeing a rise in eMails from the Server using a 'nobody' address -- although not to the same degree as some. I have so far determined it is (or is becoming) a popular method with PHP scripts, sometimes and sometimes not, using mySQL.

    Depending upon how their Server/WHM is setup, they should be receiving eMails from the Server whenever an eMail script is first used or installed. If they have been saving those eMails, then looking for PHP scripts would be the first place I would start looking.

    Another suggestion is:

    # cd /home
    # find -type f -name '*.php' -exec grep -s \
    "function mail" {} \; -print

    # find -type f -name '*.*' -exec grep -s \
    "print MAIL \"From\:" {} \; -print

    Which should also give you some starting points. You might want to print the second 'find' to a file though, as it could be fairly large -- might include some HTML pages within the find.
     
  6. dgbaker

    Thanks Rob, Appreciate the info.
     
  7. silvernetuk

    silvernetuk Well-Known Member

    Joined:
    Sep 2, 2002
    Messages:
    311
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    United Kingdom
    This is just a question

    Hi,

    How do you do this ?

    Regards,
    Garry
     
  8. dgbaker

    For example, one common one bomb.php

    So, in an SSH session type

    locate bomb.php

    I also like Rob's find command it works very well at sniffing things out. Just remember that it can take a while to run.
     
  9. Annette

    The nightly notices about uploaded scripts are good; however, for a loaded server where a number of people use forums or have a lot of forms attached to their account, it can take a long time to get through the report. We have 40 servers under our wing, and don't pay attention to those reports at all since we do our own sweeps - it would take too much time to sort through what was acceptable and what was not.

    For this particular situation - if you want a hand, and access to the server is not an issue for third parties, drop me a note. We've caught spammers in the midst of their runs as well as looking through the detritus they've left on servers after making a run for several other companies and can generally track down the problematic user/script.
     
  10. dgbaker

    Hi Annette;

    Actually they are moving up to CP 6 as we speak and are going to eliminate nobody from sending mail.

    Thanks
     
  11. Annette

    Cool. Good luck squishing the spambag.
     
  12. silvernetuk

    Hi,

    By eliminating nobody from sending mail, what sort of effect does this have on the server?

    Regards,
    Garry
     
  13. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,426
    Likes Received:
    2
    Trophy Points:
    38
    cPanel Access Level:
    DataCenter Provider
    php scripts can't send mail to addresses off the server.

    For your legit users:

    If they wanted to have a form send to their aol address, just have them create a forward to the aol address and then have the form send to the forward.

    Example:

    joe.com has a form that submits to joe@aol.com. Since joe@aol.com isn't on the server it will be blocked.

    Solution:

    create the forward.
    joeaol@joe.com to forward to joe@aol.com. Change the form to send to joeaol@joe.com. Since joeaol@joe.com is a local address it will go through and then get forwarded from there.
     
  14. silvernetuk

    Hi,

    So by eliminating nobody from sending mail, does it block all outgoing mail to the outside world?

    Only allow accounts on the server to get mail from forms etc...

    What about Forums which are PHP are these affected ?

    Regards,
    Garry
     
  15. dgbaker

    Forms still get sent off server IF it uses a different e-mail address to send with.

    Most good forums and php mailers have legitimate e-mail addresses that they use instead of the "nobody" ID.

    For example for marketing we use List Mailer, which does not use nobody but uses the e-mail address you specify.

    It also does not affect PHPBB; it works fine with nobody disabled.
     