Somehow these spammers have found a hole in all my cPanel servers.
I have a customer that is getting all kinds of bounced email returned to her account. When I grepped exim_mainlog, I found these guys.
I then started null routing the IP addresses, but they come back with more IP addresses. Then I started checking all my servers, and there are entries from these guys in all my cPanel servers.
Antirelayd is running. I have checked all the obvious things, and formmail.pl is not on the accounts they are using to spam from, and I can't find any scripts any of these sites have in common.
So does cPanel have a hole? Anybody else see these in their logs?
How can I null route these entire domains or a range of IPs?
2002-11-21 04:57:17 18Eo5F-0007bj-00 <= [email protected]
erticalresponse.com H=mkt4.verticalresponse.com [130.94.4.7] P=smtp S=4737
2002-11-20 19:26:06 18EfAT-0000QP-00 <= 103670667376574-20110200042-xxxxx.com?
[email protected] H=ul2.tilw.net [209.164.4.172] P=smtp S=7170 id=2011020004
2002-11-20 17:47:59 18EddX-0006qr-00 <= b.server1.43-95ec33-74f5.xxxxx.com*[email protected] H=mail05.emailcourrier.com [63.250.32.226] P=esmtp S
=4443 [email protected]