techark

Well-Known Member
May 22, 2002
Somehow these spammers have found a hole in all my cpanel servers.
I have a customer that is getting all kinds of bounced email returned to her account; when I grep exim_mainlog I found these guys.

I then started null routing the IP addresses, but they come back with more IP addresses. Then I started checking all my servers, and there are entries from these guys in all my cpanel servers.

Antirelayd is running. I have checked all the obvious things; formmail.pl is not on the accounts they are using to spam from, and I can't find any scripts that any of these sites have in common.

So does cpanel have a hole? Anybody else see these in their logs?

How can I null route these entire domains or a range of IPs?

2002-11-21 04:57:17 18Eo5F-0007bj-00 <= [email protected]erticalresponse.com H=mkt4.verticalresponse.com [130.94.4.7] P=smtp S=4737

2002-11-20 19:26:06 18EfAT-0000QP-00 <= 103670667376574-20110200042-xxxxx.com?[email protected] H=ul2.tilw.net [209.164.4.172] P=smtp S=7170 id=2011020004

2002-11-20 17:47:59 18EddX-0006qr-00 <= b.server1.43-95ec33-74f5.xxxxx.com*[email protected] H=mail05.emailcourrier.com [63.250.32.226] P=esmtp S=4443 [email protected]
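One way to answer the two questions in the post (what the senders have in common, and how to null route a whole range rather than one address at a time), as an added example that is not from the original thread: a POSIX sh/awk script that tallies Exim `<=` arrival lines by sending host and IP and prints blackhole routes for the busiest /24s. The sample log lines are constructed in the post's exim_mainlog format, and the `ip route add blackhole` form is assumed to be the null-route command available on the box.

```shell
#!/bin/sh
# Constructed sample in exim_mainlog format, modelled on the hosts in the post.
# Includes the "(helo)" and "=>" delivery forms so the parser is exercised on them.
SAMPLE_LOG='2002-11-21 04:57:17 18Eo5F-0007bj-00 <= bounce@mkt4.verticalresponse.com H=mkt4.verticalresponse.com [130.94.4.7] P=smtp S=4737
2002-11-20 19:26:06 18EfAT-0000QP-00 <= list@ul2.tilw.net H=ul2.tilw.net [209.164.4.172] P=smtp S=7170
2002-11-20 19:30:12 18EfEM-0000R1-00 <= list@ul2.tilw.net H=ul2.tilw.net [209.164.4.172] P=smtp S=7102
2002-11-20 17:47:59 18EddX-0006qr-00 <= news@mail05.emailcourrier.com H=mail05.emailcourrier.com [63.250.32.226] P=esmtp S=4443
2002-11-20 17:48:30 18EddZ-0006qs-00 <= news@mail05.emailcourrier.com H=mail05.emailcourrier.com (courrier) [63.250.32.226] P=esmtp S=4501
2002-11-20 18:02:01 18Edr3-00071x-00 => joe <joe@localhost> R=localuser T=local_delivery'

# Count message arrivals per sending host and IP (log text on stdin).
# Only "<=" lines are arrivals; "=>" and "->" are deliveries and are skipped.
arrivals_by_host() {
  awk '$4 == "<=" {
    for (i = 5; i <= NF; i++) if ($i ~ /^H=/) {
      host = substr($i, 3); h = i
      if (host ~ /^\[/) { ip = host; host = "-" }        # H=[ip]: no reverse DNS
      else { while (++h <= NF && $h !~ /^\[/) ; ip = $h } # skip "(helo)" to first [ip]
      gsub(/[\[\]]/, "", ip); n[host " " ip]++; break
    }
  } END { for (k in n) print n[k], k }' | sort -k1,1nr -k2,2
}

# Print a blackhole route for the /24 of every sender seen at least $1 times,
# so the spammer cannot dodge the block by rotating to a neighbouring address.
# Review the list before applying it: a shared mail range blocks legitimate senders too.
blackhole_routes() {
  arrivals_by_host | awk -v min="$1" '$1 >= min {
    split($3, o, "."); printf "ip route add blackhole %s.%s.%s.0/24\n", o[1], o[2], o[3]
  }'
}

# Usage on the real log: arrivals_by_host < /var/log/exim_mainlog
printf '%s\n' "$SAMPLE_LOG" | arrivals_by_host
printf '%s\n' "$SAMPLE_LOG" | blackhole_routes 2
```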