
Help to determine where mail is originating from

Discussion in 'E-mail Discussions' started by avalanche, Dec 30, 2009.

  1. avalanche

    avalanche Member

    For a few days now, I have had some spam being stuck in outgoing queues on my server from Exim. I have read ConfigServer's tips which I was already somewhat familiar with. I have seen scripts do this before, and can quickly track and shut it down. I have turned on all logging in the Exim log.

    It just seems these do not have an authenticated user listed (an A=blah@whatever.com) to see which mail account or a cwd=home/path/blah to see which script path it is coming from. I am assuming since NOBODY is sending, it won't show an A section in the logs?

    They all seem to be coming from /usr/sbin/exim and the user NOBODY. The user nobody is used when a script doesn't supply a username or email I guess. I know my customers have scripts that send using NOBODY so I didn't want to turn that off in Tweak Settings - but I just did since YAHOO was starting to blacklist me. Can someone tell me how I can find out where all these junk emails are originating from and how I can eliminate it? Here is a grep for one email:

    root@server [/tmp]# grep 1NQ4G6-00083M-Ga /var/log/exim_mainlog
    2009-12-30 13:31:02 1NQ4G6-00083M-Ga <= nobody@server.mydomain.com U=nobody P=local S=3309 id=2d8140f244ab1c2ce8316cd7d256f98c@hfsbr.com T="Online Banking Service." from <nobody@server.mydomain.com> for removed@yahoo.com
    2009-12-30 13:31:02 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1NQ4G6-00083M-Ga
    2009-12-30 13:31:08 1NQ4G6-00083M-Ga SMTP error from remote mail server after end of data: host c.mx.mail.yahoo.com [209.191.88.254]: 421 4.7.0 [TS01] Messages from 66.232.113.230 temporarily deferred due to user complaints - 4.16.55.2; see http://postmaster.yahoo.com/421-ts01.html
    2009-12-30 13:31:08 1NQ4G6-00083M-Ga SMTP error from remote mail server after initial connection: host g.mx.mail.yahoo.com [98.137.54.238]: 421 4.7.0 [TS01] Messages from 66.232.113.230 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html
    2009-12-30 13:31:08 1NQ4G6-00083M-Ga == removed@yahoo.com R=lookuphost T=remote_smtp defer (0): SMTP error from remote mail server after initial connection: host g.mx.mail.yahoo.com [98.137.54.238]: 421 4.7.0 [TS01] Messages from 66.232.113.230 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html
    2009-12-30 13:54:29 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: /usr/sbin/exim -Mvh 1NQ4G6-00083M-Ga
    2009-12-30 13:54:29 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: /usr/sbin/exim -Mvb 1NQ4G6-00083M-Ga
    root@server [/tmp]#


    Thanks guys, in advance. I am running out of options here, and have exhausted my Googling efforts.
     
    #1 avalanche, Dec 30, 2009
    Last edited: Dec 30, 2009
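Added example (not part of the thread, and not cPanel's or ConfigServer's tooling): the lines in the grep above that carry a cwd= are the ones Exim writes when its log_selector includes +arguments, and the three shown are queue operations (exim -Mc is the delivery process, -Mvh/-Mvb are WHM viewing the message), not the submission. The submission's own cwd= line (typically "/usr/sbin/sendmail -t -i" launched from the script's working directory) is written by the receiving exim process just before the "<=" line, so pairing each U=nobody P=local "<=" line with the nearest preceding non-queue cwd= line gives the script directory. The script below does that over constructed sample log lines; the path /home/example/public_html/uploads and the second and third message ids are assumptions made up for the sample, and the time window is a tunable guess.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample exim_mainlog excerpt (not the poster's log). The first
# "<=" line copies the thread's format; the cwd= lines before each "<=" are
# what +arguments logging produces for a script calling sendmail. The path
# /home/example/public_html/uploads is an assumed illustrative location.
SAMPLE_LOG = """\
2009-12-30 13:31:01 cwd=/home/example/public_html/uploads 4 args: /usr/sbin/sendmail -t -i
2009-12-30 13:31:02 1NQ4G6-00083M-Ga <= nobody@server.mydomain.com U=nobody P=local S=3309 id=2d8140f244ab1c2ce8316cd7d256f98c@hfsbr.com T="Online Banking Service." from <nobody@server.mydomain.com> for removed@yahoo.com
2009-12-30 13:31:02 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1NQ4G6-00083M-Ga
2009-12-30 13:31:05 cwd=/home/example/public_html/uploads 4 args: /usr/sbin/sendmail -t -i
2009-12-30 13:31:05 1NQ4G9-00083Q-Ab <= nobody@server.mydomain.com U=nobody P=local S=3311 id=9ab@hfsbr.com T="Online Banking Service." from <nobody@server.mydomain.com> for other@example.net
2009-12-30 13:40:00 cwd=/home/example/public_html 4 args: /usr/sbin/sendmail -t -i
2009-12-30 13:40:00 1NQ4Gx-00084A-Zz <= nobody@server.mydomain.com U=nobody P=local S=900 T="Your order" from <nobody@server.mydomain.com> for customer@example.org
2009-12-30 13:41:00 1NQ4Gy-00084B-Yy <= user@mydomain.com U=user P=local S=900 T="Hello" from <user@mydomain.com> for friend@example.org
"""

TS = r'(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)'
# Exim message ids are three base-62 groups: 6-6-2 characters.
MSG_RE = re.compile(TS + r' ([A-Za-z0-9]{6}-[A-Za-z0-9]{6}-[A-Za-z0-9]{2}) <= (\S+) (.*)$')
CWD_RE = re.compile(TS + r' cwd=(\S+) \d+ args: (.*)$')
# -Mc / -Mvh / -Mvb etc. operate on an already queued message; they are not submissions.
QUEUE_OP_RE = re.compile(r'^\S*exim -M[A-Za-z]* ')


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def attribute_nobody_mail(log_text, window_seconds=5):
    """Return one record per U=nobody P=local message, with the cwd of the
    nearest preceding submission (non-queue) cwd= line within the window."""
    last_submission = None  # (datetime, cwd) of the last sendmail/exim submission seen
    records = []
    for line in log_text.splitlines():
        m = CWD_RE.match(line)
        if m:
            ts, cwd, args = m.groups()
            if not QUEUE_OP_RE.match(args):
                last_submission = (parse_time(ts), cwd)
            continue
        m = MSG_RE.match(line)
        if not m:
            continue
        ts, msg_id, sender, rest = m.groups()
        # U= (local user), P= (protocol) and A= (authenticated id) are Exim's standard fields.
        fields = dict(re.findall(r'\b([UPA])=(\S+)', rest))
        if fields.get('U') != 'nobody' or fields.get('P') != 'local':
            continue
        subj = re.search(r'T="((?:[^"\\]|\\.)*)"', rest)
        cwd = None
        if last_submission is not None:
            gap = (parse_time(ts) - last_submission[0]).total_seconds()
            if 0 <= gap <= window_seconds:
                cwd = last_submission[1]
        records.append({'id': msg_id, 'time': ts, 'sender': sender,
                        'subject': subj.group(1) if subj else '', 'cwd': cwd})
    return records


def summarize(records):
    """Count nobody-sent messages per script directory and per subject."""
    by_cwd = Counter(r['cwd'] or '(no submission cwd= line within window)' for r in records)
    by_subject = Counter(r['subject'] for r in records)
    return by_cwd, by_subject


if __name__ == "__main__":
    recs = attribute_nobody_mail(SAMPLE_LOG)
    by_cwd, by_subject = summarize(recs)
    print("messages from user nobody, by submitting directory:")
    for cwd, n in by_cwd.most_common():
        print(f"  {n:4d}  {cwd}")
    print("by subject:")
    for subject, n in by_subject.most_common():
        print(f"  {n:4d}  {subject!r}")
```

Run it against the real log with something like python3 script.py after replacing SAMPLE_LOG with open('/var/log/exim_mainlog').read(); the directory with the highest count for a phishing subject is where to look. If no submission cwd= line ever appears before the "<=" lines, +arguments was not in log_selector when the mail was sent, and only messages received after enabling it will be attributable this way.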
  2. never2far

    never2far Active Member

    Try searching on /var/log/phpmail.log for the subject, address at the date, hour, min, sec it appeared in exim.
     
  3. avalanche

    avalanche Member

    I have that directory, contains exim_mainlog, messages, dmesg, etc... but no phpmail.log. Is there another location this could be on my CentOS server?

    Thanks for the assistance.
     