How to get removed from SpamCop?

Jeff75

Well-Known Member
Apr 11, 2003
555
0
166
I have contacted SpamCop 5 times in the past week about having my server's IP address removed from their database. They wrote back one time and sent me an example email, and I ended up disabling the "allow nobody to send emails" option, which I thought fixed the problem. My IP is in their database again and I've written them several times and they're not writing back.

I haven't put any new clients on this box in a year and a half so I know there aren't any users who are "knowingly" sending out spam from it.

Does anybody have any suggestions as to what to do? I'm about to start losing clients over this, and it's a pain because I have no idea why the server is listed in their blacklist.
 

dalem

Well-Known Member
PartnerNOC
Oct 24, 2003
2,983
159
368
SLC
cPanel Access Level
DataCenter Provider
Best to just go through your mail logs and remove the spamming account or exploited script.
If you do not know how to do this, hire someone who does, or it will just stay in there.
 

Jeff75

Well-Known Member
Apr 11, 2003
555
0
166
I would like to learn how to do it just to prevent it from happening again in the future.

About a week ago I added "log_selector = +arguments +subject" to my Exim config.

Here's some of the headers that one of the SpamCop people sent me:

Subject: Possibilité d'erreur lors de notre maintenance du réseau
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server.net
X-AntiAbuse: Originator/Caller UID/GID - [65534 1201] / [26 6]
X-AntiAbuse: Sender Address Domain - server.net
X-Source: /bin/sh
X-Source-Args: sh -c /usr/sbin/sendmail -t -i
X-Source-Dir: /var/tmp/send

Does this help at all?
 

Jeff75

Well-Known Member
Apr 11, 2003
555
0
166
I found this in the mainlog, but it doesn't really give any info that shows what script/user the spam was sent through:

2006-12-12 09:53:10 cwd=/var/spool/exim 3 args: /usr/local/sbin/exim -Mc 1Gu90I-000FK0-Ev
2006-12-12 09:53:10 cwd=/var/tmp/send 3 args: /usr/sbin/sendmail -t -i
2006-12-12 09:53:10 cwd=/var/spool/exim 3 args: /usr/local/sbin/exim -Mc 1Gu90E-000FEI-6V
2006-12-12 09:53:10 1Gu90I-000FK4-Gu <= [email protected] U=nobody P=local S=5987 T="Possibilit\351 d'erreur lors de notre maintenance du r\351seau"

I have the option "Prevent the user "nobody" from sending out mail to remote addresses" checked under Tweak Settings in WHM, so I'm not sure why it's showing nobody?
 

Jeff75

Well-Known Member
Apr 11, 2003
555
0
166
Is there any way to run grep against all of the logs in the domlogs directory so I can search for "12/Dec/2006:09:53:10"?
 

Jeff75

Well-Known Member
Apr 11, 2003
555
0
166
Bummer. I figured out how to search all the logs, but there weren't any dynamic pages loaded at 09:53 (just .html, .js, gifs, etc.), and the method was also just GETs and no POSTs?
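The manual correlation attempted in the last three posts (find the `U=nobody` submission in the Exim mainlog, read the `cwd=`/`args:` lines logged in the same second, then look in the domlogs for a request at that timestamp that could have run code) can be scripted. The following is an added example, not code from the thread or from cPanel; the log lines it parses are constructed samples modelled on the formats quoted above, and the `DYNAMIC_EXT` list and the `WEB_USER` name are assumptions about a typical cPanel box.

```python
"""Correlate Exim mainlog submissions with Apache domlogs (constructed sample data)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the mainlog format produced by
# "log_selector = +arguments +subject" as quoted in the thread.
EXIM_MAINLOG = """\
2006-12-12 09:53:10 cwd=/var/spool/exim 3 args: /usr/local/sbin/exim -Mc 1Gu90I-000FK0-Ev
2006-12-12 09:53:10 cwd=/var/tmp/send 3 args: /usr/sbin/sendmail -t -i
2006-12-12 09:53:10 1Gu90I-000FK4-Gu <= sender@example.invalid U=nobody P=local S=5987 T="Possibilit\\351 d'erreur"
2006-12-12 09:55:02 cwd=/home/alice/public_html 3 args: /usr/sbin/sendmail -t -i
2006-12-12 09:55:02 1Gu92A-000FL1-Aa <= alice@example.invalid U=alice P=local S=812 T="Order confirmation"
"""

# Constructed sample of an Apache access log in common log format (what domlogs contain).
DOMLOG = """\
192.0.2.10 - - [12/Dec/2006:09:53:10 -0500] "GET /index.html HTTP/1.1" 200 1234
192.0.2.10 - - [12/Dec/2006:09:53:10 -0500] "GET /img/logo.gif HTTP/1.1" 200 4521
198.51.100.7 - - [12/Dec/2006:09:53:10 -0500] "POST /contact.php HTTP/1.0" 200 88
192.0.2.11 - - [12/Dec/2006:09:55:02 -0500] "GET /about.html HTTP/1.1" 200 900
"""

ARGS_RE = re.compile(r"^(\S+ \S+) cwd=(\S+) \d+ args: (.*)$")
MSG_RE = re.compile(r'^(\S+ \S+) (\S+) <= (\S+) U=(\S+) P=(\S+) S=(\d+) T="(.*)"$')
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')
DYNAMIC_EXT = (".php", ".pl", ".cgi", ".py", ".asp")   # assumed script extensions
WEB_USER = "nobody"                                     # assumed web-server user


def local_submissions(mainlog):
    """One record per locally submitted message (<= ... P=local), joined with the
    'args' lines logged in the same second. cwd=/var/spool/exim lines are Exim's
    own queue runner, not the submitting program, so they are skipped."""
    args_by_second = defaultdict(list)
    for line in mainlog.splitlines():
        m = ARGS_RE.match(line)
        if m and m.group(2) != "/var/spool/exim":
            args_by_second[m.group(1)].append({"cwd": m.group(2), "args": m.group(3)})
    records = []
    for line in mainlog.splitlines():
        m = MSG_RE.match(line)
        if not m or m.group(5) != "local":
            continue
        when, msgid, sender, user, _proto, size, subject = m.groups()
        records.append({
            "time": when, "id": msgid, "sender": sender, "user": user,
            "size": int(size), "subject": subject,
            "submitters": args_by_second.get(when, []),
        })
    return records


def web_user_submissions(mainlog):
    """Submissions made as the web-server user: the ones that got the box listed."""
    return [r for r in local_submissions(mainlog) if r["user"] == WEB_USER]


def exim_to_apache_time(when):
    """'2006-12-12 09:53:10' -> '12/Dec/2006:09:53:10' (the timestamp form in domlogs)."""
    return datetime.strptime(when, "%Y-%m-%d %H:%M:%S").strftime("%d/%b/%Y:%H:%M:%S")


def dynamic_requests_at(domlog, when):
    """Requests in the same second as an Exim submission that could have run code:
    any POST, or a GET to a script extension. Static assets are dropped."""
    stamp = exim_to_apache_time(when)
    hits = []
    for line in domlog.splitlines():
        m = APACHE_RE.match(line)
        if not m or not m.group(2).startswith(stamp):
            continue
        client, _ts, method, path, status = m.groups()
        if method == "POST" or path.split("?")[0].lower().endswith(DYNAMIC_EXT):
            hits.append({"client": client, "method": method, "path": path, "status": int(status)})
    return hits


def correlate(mainlog, domlog):
    """For every web-user submission, attach the submitting program's cwd and the
    candidate web requests from the same second."""
    return [dict(rec, requests=dynamic_requests_at(domlog, rec["time"]))
            for rec in web_user_submissions(mainlog)]


if __name__ == "__main__":
    for rec in correlate(EXIM_MAINLOG, DOMLOG):
        print(rec["time"], rec["id"], "U=" + rec["user"],
              "cwd:", [s["cwd"] for s in rec["submitters"]])
        for req in rec["requests"]:
            print("   ", req["client"], req["method"], req["path"], req["status"])
```

On a real server the two strings would be read from `/var/log/exim_mainlog` and from each file under the domlogs directory in turn. The `cwd=` value is the more reliable lead when the domlogs show nothing: it names the directory the sending program was started from, which in the quoted log is not under any account's `public_html`.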
 

brianoz

Well-Known Member
Mar 13, 2004
1,146
7
168
Melbourne, Australia
cPanel Access Level
Root Administrator
The most likely cause is a hijacked insecure form contact script, i.e. something that gets POSTed to by a form, intended to turn the form contents into an email to someone.

The fix is to check for strings like \n and Bcc in the POSTed data, or to use mod_security to check and reject such attempts. You should also be able to limit the outgoing email per hour to something like 100 messages using WHM - search for info on /var/cpanel/maxemails to see how to up that limit on a per-domain basis (100 is fine for most domains).
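The two defences brianoz describes (reject line breaks and header names like `Bcc` in POSTed fields; cap outgoing mail per hour) look like this when written into a form-to-mail handler. This is an added example in Python, not code from the thread or from cPanel; the fixed addresses, the field names and the `HourlyLimiter` class are constructed for illustration, and the per-hour counter stands in for the WHM setting the post refers to rather than replacing it.

```python
"""Form-to-mail handler hardened against header injection (constructed example)."""
import re
import time
from collections import defaultdict
from email.message import EmailMessage

SITE_OWNER = "owner@example.invalid"      # constructed: recipient is fixed server-side
ENVELOPE_FROM = "web@example.invalid"     # constructed: never taken from the form
HEADER_FIELDS = ("name", "email", "subject")   # the fields that end up in mail headers

CRLF_RE = re.compile(r"[\r\n]|%0[aAdD]")   # raw or URL-encoded line breaks
HEADER_TOKEN_RE = re.compile(r"(?im)^\s*(bcc|cc|to|from|content-type|mime-version)\s*:")
MAILBOX_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


class InjectionAttempt(ValueError):
    """Raised when POSTed data tries to add headers or recipients."""


def validate_form(post):
    """Return the cleaned fields or raise InjectionAttempt.

    Header fields may not contain a line break at all (that is what lets a
    submitted value continue into a new 'Bcc:' line), and the reply address
    must be one plain mailbox. Body lines starting with a header name are
    rejected as a heuristic, since that is the payload such scripts receive."""
    cleaned = {}
    for field in HEADER_FIELDS:
        value = post.get(field, "")
        if CRLF_RE.search(value):
            raise InjectionAttempt(f"line break in {field}")
        if HEADER_TOKEN_RE.search(value):
            raise InjectionAttempt(f"header name in {field}")
        cleaned[field] = value.strip()
    if not MAILBOX_RE.match(cleaned["email"]):
        raise InjectionAttempt("email is not a single plain mailbox")
    body = post.get("message", "")
    if HEADER_TOKEN_RE.search(body):
        raise InjectionAttempt("header name at the start of a body line")
    cleaned["message"] = body
    return cleaned


def is_rejected(post):
    """True if validate_form refuses the submission."""
    try:
        validate_form(post)
    except InjectionAttempt:
        return True
    return False


def build_message(cleaned):
    """To and From are fixed; the form only supplies Reply-To, Subject and the body,
    so even a bypassed check cannot add recipients via the headers."""
    msg = EmailMessage()
    msg["From"] = ENVELOPE_FROM
    msg["To"] = SITE_OWNER
    msg["Reply-To"] = cleaned["email"]
    msg["Subject"] = f"[contact] {cleaned['subject'] or '(no subject)'}"
    msg.set_content(f"Sender: {cleaned['name']} <{cleaned['email']}>\n\n{cleaned['message']}")
    return msg


class HourlyLimiter:
    """Per-domain outbound cap (the post suggests 100/hour). In-process counter,
    constructed for illustration; on cPanel the real limit is enforced by Exim."""

    def __init__(self, limit=100, clock=time.time):
        self.limit, self.clock = limit, clock
        self.sent = defaultdict(list)

    def allow(self, domain):
        now = self.clock()
        recent = [t for t in self.sent[domain] if now - t < 3600]
        self.sent[domain] = recent
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True


if __name__ == "__main__":
    good = {"name": "Ann", "email": "ann@example.invalid", "subject": "Hi", "message": "Hello"}
    bad = dict(good, email="ann@example.invalid\nBcc: list@example.invalid")
    print("good rejected:", is_rejected(good), "| bad rejected:", is_rejected(bad))
    print(build_message(validate_form(good)).as_string())
```

With mod_security in front of the script, the same `CRLF_RE` and `HEADER_TOKEN_RE` patterns are what a rule would match on in the POST body; the in-script check remains the last line of defence when the rule set is out of date.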