The Community Forums


How do you tell who is sending mail when it's sent from nobody

Discussion in 'E-mail Discussions' started by DWHS.net, Jul 8, 2009.

  1. DWHS.net

    DWHS.net Well-Known Member
    PartnerNOC

    Joined:
    Jul 28, 2002
    Messages:
    1,569
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    LA, Costa Rica
    cPanel Access Level:
    Root Administrator
    I have some spams sent from my server but the sender only says nobody. Anyone know how to track the email to the user who sent it?
     
  2. acenetgeorge

    acenetgeorge Well-Known Member
    PartnerNOC

    Joined:
    Mar 6, 2008
    Messages:
    64
    Likes Received:
    2
    Trophy Points:
    8
    Location:
    Southfield, MI
    cPanel Access Level:
    DataCenter Provider
    Make sure you have WHM -> Server Config -> Tweak Settings -> Mail -> "Track the origin of messages sent through the mail server by adding the X-Source headers (exim 4.34+ required)" enabled. That may help track down the source.

    You may also want to add a line to your Exim Advanced Config. This goes in the first box :

    log_selector = +arguments +subject

    That will place the subject in the mail log (making it easier to search for the spam in your logs), and the arguments will let you know how it is being generated (sendmail, php script, etc.).

    Hope this helps!
     
    #2 acenetgeorge, Jul 9, 2009
    Last edited: Jul 9, 2009
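    The two log_selector items above are what make a spam run traceable: +arguments makes exim write a "cwd=<dir> N args: ..." line for every locally injected message, and +subject puts the subject on the "<=" arrival line as T="...". Here is an added example, not from the original post or from cPanel, that reads an exim_mainlog with both enabled and attributes every message injected as "nobody" to the directory it was sent from. The log lines are constructed for the example, modelled on exim's format; the cPanel paths and the host names are assumptions.

```python
"""Attribute mail injected as the generic web user to the directory it was sent
from, using an exim_mainlog that has log_selector = +arguments +subject."""
import re
from collections import defaultdict

# Constructed sample log, not taken from a real server. With +arguments exim
# writes a "cwd=<dir> N args: ..." line for each locally injected message, and
# with +subject the "<=" arrival line carries the subject as T="...".
SAMPLE_MAINLOG = """\
2009-07-09 10:00:01 cwd=/home/alice/public_html/blog 3 args: /usr/sbin/sendmail -t -i
2009-07-09 10:00:01 1MOxyz-0001Ab-Cd <= nobody@host.example U=nobody P=local S=1234 T="Cheap meds" from <nobody@host.example> for victim1@example.net
2009-07-09 10:00:02 cwd=/home/alice/public_html/blog 3 args: /usr/sbin/sendmail -t -i
2009-07-09 10:00:02 1MOxyz-0001Ac-De <= nobody@host.example U=nobody P=local S=1240 T="Cheap meds" from <nobody@host.example> for victim2@example.net
2009-07-09 10:05:00 cwd=/home/bob/public_html 3 args: /usr/sbin/sendmail -t -i
2009-07-09 10:05:00 1MOxyz-0001Ad-Ef <= bob@host.example U=bob P=local S=800 T="Order confirmation" from <bob@host.example> for customer@example.org
2009-07-09 10:06:00 1MOxyz-0001Ae-Fg <= carol@host.example H=(mail.example) [192.0.2.10] P=esmtpa A=dovecot_login:carol S=900 T="Hi" for friend@example.org
"""

# "<date> <time> cwd=<dir> <argc> args: <argv...>"
CWD_RE = re.compile(r"^\S+ \S+ cwd=(\S+) \d+ args: (.*)$")
# "<date> <time> <msgid> <= <sender> ... U=<local user> ... T="<subject>""
MSG_RE = re.compile(r'^\S+ \S+ (\S+) <= \S+ .*?\bU=(\S+) .*?\bT="([^"]*)"')


def attribute_local_mail(log_text, user="nobody"):
    """Map each directory (cwd) to the messages injected from it as `user`.

    Each "<=" line is attributed to the cwd= line that immediately precedes
    it. Messages that arrived over SMTP have no U= field and are ignored,
    because they were not handed to exim by a local script.
    """
    by_cwd = defaultdict(list)
    pending_cwd = None
    for line in log_text.splitlines():
        m = CWD_RE.match(line)
        if m:
            pending_cwd = m.group(1)
            continue
        m = MSG_RE.match(line)
        if m:
            msgid, uid, subject = m.groups()
            if uid == user:
                by_cwd[pending_cwd or "<no cwd logged>"].append((msgid, subject))
            pending_cwd = None  # a cwd line belongs to exactly one message
    return dict(by_cwd)


def rank_dirs(by_cwd):
    """Directories ordered by number of messages, busiest first."""
    return sorted(((d, len(msgs)) for d, msgs in by_cwd.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for directory, count in rank_dirs(attribute_local_mail(SAMPLE_MAINLOG)):
        print(f"{count:5d}  {directory}")
```

    On a live server you would feed it /var/log/exim_mainlog instead of the sample; the busiest directory in the ranking is the account whose script is sending, even though the sender still shows as nobody.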
  3. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    It is not very easy to track and though you could add the items acenetgeorge listed above, you are still limited as long as the mail is being sent from a script as the generic user "nobody".

    You should already be running SuExec for Apache. If not, I would enable it!

    This topic is also one of the biggest reasons to convert your PHP from the normal Apache module (DSO) to SuPHP, as all PHP scripts will then be executed by the account owner instead of the generic user nobody, and if anyone tries to send any spam, it will show up in a heartbeat which account sent the mail and from what script, and it is much easier to track!

    Using SuPHP for your PHP also gives you many other important advantages in terms of added security that go beyond just email tracking, so it is definitely something you should strongly consider.

    Meanwhile, if you set sending limits in "Tweak Settings" and either use the "SMTP Tweak" or, much better, install Chirpy's CSF Firewall and set up the SMTP_BLOCK portion in that script, that will also help control spam from being sent from your server as well.

    Right now, without the expanded logging trails or having SuExec or SuPHP running or a good security solution, the only thing you can really do to track the current mail already sent is to take a close look at the domain logs in /usr/local/apache/domlogs, the main Apache logs in /usr/local/apache/logs, your maillog in /var/log, and the files in your /tmp folder to determine which site is getting calls to execute a mail script around the same time the mails are being injected into the mail server. Bulk sending a lot of messages often shows up as repeated web calls to some script on an account on your server.

    Now once you make the changes both acenetgeorge and I have suggested, it will be much easier to track where the spam is coming from, and if you do all that I said, it will also be much more difficult for anyone to send spam in the first place, but if they do, they will definitely get caught.
     
    #3 Spiral, Jul 9, 2009
    Last edited: Jul 9, 2009
  4. blargman

    blargman Well-Known Member

    Joined:
    Sep 11, 2007
    Messages:
    99
    Likes Received:
    0
    Trophy Points:
    6
    If you don't have log_selector = all and you don't see a file path for these mails, you really should just do a clamscan of all your public_html's.


    for i in /home/*/www ; do clamscan -ri -l /some/log "$i" ; done

    Or search the forums here there are also malware grep search scripts etc.
     
  5. DWHS.net

    DWHS.net Well-Known Member
    PartnerNOC

    Joined:
    Jul 28, 2002
    Messages:
    1,569
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    LA, Costa Rica
    cPanel Access Level:
    Root Administrator
    Oh cool, so if I use SuPHP it will show the user when email is sent through PHP through the server's mail system, rather than just "nobody".
     
  6. aneesh.p

    aneesh.p Member

    Joined:
    May 4, 2009
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Edit /etc/exim.conf

    log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn

    If exim_mainlog shows the spam originating from /tmp of the server, check the file in /tmp of the server. The owner of the file will be seen as nobody:nobody. Take down the time of creation of the file. This time is what we need to find out who uploaded the script. You will need to convert this time into the time format of /usr/local/apache/logs/error_log and then into the format of the domlogs located at /usr/local/apache/domlogs/*

    for file in /usr/local/apache/domlogs/*; do grep -H "example" "$file"; done

    (You cannot do a direct grep for the query here as it will give an error that the argument list is too long.)

    Supportpro.com
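    Both Spiral's advice (look at the domlogs for calls to a script at the moment mail is being injected) and the procedure above (take the creation time of the file in /tmp, convert it into the Apache log time format, then grep the domlogs) come down to the same correlation. The following is an added example, not code from either poster or from cPanel, that does that correlation for you: it converts a timestamp into the domlog format you would grep for, and counts the requests in each domlog that fall within a few seconds of it. The domlog lines are constructed for the example, the domain names are assumptions, and the server's local zone is assumed to be -0400 since exim_mainlog timestamps carry no offset.

```python
"""Tie a spam run to the web site that ran it: turn the time a message was
injected (or a dropped script in /tmp was created) into the Apache log time
format and look for requests in the domlogs around that moment."""
import os
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

APACHE_TIME = "%d/%b/%Y:%H:%M:%S %z"
# Combined log format as written to /usr/local/apache/domlogs/<domain>
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed domlog content keyed by a pretend domlog file name; not real traffic.
SAMPLE_DOMLOGS = {
    "alice.example": """\
192.0.2.7 - - [09/Jul/2009:09:59:58 -0400] "POST /blog/wp-content/uploads/x.php HTTP/1.1" 200 14 "-" "Mozilla/5.0"
192.0.2.7 - - [09/Jul/2009:10:00:01 -0400] "POST /blog/wp-content/uploads/x.php HTTP/1.1" 200 14 "-" "Mozilla/5.0"
198.51.100.3 - - [09/Jul/2009:10:30:00 -0400] "GET /blog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
""",
    "bob.example": """\
203.0.113.9 - - [09/Jul/2009:10:00:00 -0400] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/7.19"
""",
}


def parse_apache_time(text):
    """'09/Jul/2009:10:00:01 -0400' -> timezone-aware datetime."""
    return datetime.strptime(text, APACHE_TIME)


def to_apache_time(when):
    """Render an aware datetime the way domlogs and error_log print it, which is
    the string you would grep for by hand."""
    return when.strftime(APACHE_TIME)


def file_mtime(path, tz=timezone.utc):
    """Modification time of a dropped script (e.g. one found in /tmp) as an
    aware datetime; pass the server's own zone as tz so it lines up with the logs."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=tz)


def requests_near(domlogs, when, window_seconds=5, methods=("POST",)):
    """Count requests within +/- window_seconds of `when`, keyed by
    (domlog, client ip, method, path). POST is the default because a mailer
    script driven from outside is usually fed its recipients that way;
    pass methods=None to see every request in the window."""
    lo = when - timedelta(seconds=window_seconds)
    hi = when + timedelta(seconds=window_seconds)
    hits = Counter()
    for name, text in domlogs.items():
        for line in text.splitlines():
            m = LINE_RE.match(line)
            if not m:
                continue
            ip, ts, method, path, _status = m.groups()
            if methods is not None and method not in methods:
                continue
            if lo <= parse_apache_time(ts) <= hi:
                hits[(name, ip, method, path)] += 1
    return hits


if __name__ == "__main__":
    # Time the spam started according to exim_mainlog (server local time, -0400 assumed)
    injected = parse_apache_time("09/Jul/2009:10:00:01 -0400")
    print("grep for:", to_apache_time(injected))
    for key, n in requests_near(SAMPLE_DOMLOGS, injected).most_common():
        print(n, *key)
```

    On a real server, build the dictionary by reading each file under /usr/local/apache/domlogs/ and use file_mtime() on the script found in /tmp as the anchor time; the repeated POSTs to one path in one domlog are the "repeated web calls to some script" that give the sending account away.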
     