The Community Forums

Interact with an entire community of cPanel & WHM users!

how to identify account or PHP/Perl script used for spamming?

Discussion in 'General Discussion' started by ShirazDindar, Sep 29, 2007.

  1. ShirazDindar

    ShirazDindar Member

    Hi,

    We're using the standard Exim setup on cPanel. I'm experiencing a lot of outgoing SPAM from the nobody user, as I can see by the "view relayer" option, and in the mail queue.

    Is there any way to identify which account or, better yet, which PHP/Perl CGI script is being used to send this spam? It's funny how hard it is to find this info out online. Maybe I'm just looking in the wrong places.

    Our server is pretty heavily loaded and I don't want to suffer the performance hit of suexec, phpsuexec or suphp.

    Previously, I installed a sendmail replacement script which intercepts all sendmail access, logs the script that accesses it, and then sends it along to the actual sendmail binary, but the script was buggy and it broke my outgoing mail from all scripts, including legitimate ones.


    Also, can anyone tell me if turning on the SMTP Tweak may break any legitimate script mailers?


    Thank you kindly,

    Shiraz
     
  2. tanfwc

    tanfwc Well-Known Member

  3. ToddShipway

    ToddShipway Well-Known Member

    The quickest and easiest way is to add 'log_selector = +arguments +subject' to the exim configuration. You can do this by using the Advanced exim config editor in WHM and adding that line to the first text box.

    Once this is added, you can monitor /var/log/exim_mainlog. You will see where all emails are originated from. If there is a php/perl script sending spam, you will be able to find exactly what folder the script resides in.
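
The log check described in the reply above, as an added example that is not part of the original thread: with `+arguments` enabled, Exim writes a `cwd=<dir> <n> args: ...` line for each invocation, and this script ranks those directories by how often they sent mail. The function names `rank_cwd` and `sample_log` are hypothetical, the sample lines are constructed, and the `/home/<account>` layout and the skipping of `/var/spool/exim` (taken to be Exim re-executing itself) are assumptions.

```shell
#!/usr/bin/env bash
# Added example: rank the working directories that handed mail to Exim,
# using the "cwd=<dir> <n> args: ..." lines logged by log_selector = +arguments.

# Constructed sample lines (not from a real server); accounts and paths are invented.
sample_log() {
cat <<'EOF'
2007-09-29 10:15:01 cwd=/home/alice/public_html/forum/tmp 3 args: /usr/sbin/sendmail -t -i
2007-09-29 10:15:01 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1IbXyZ-0001aB-Cd
2007-09-29 10:15:02 cwd=/home/alice/public_html/forum/tmp 3 args: /usr/sbin/sendmail -t -i
2007-09-29 10:15:03 cwd=/home/bob/public_html/contact form 4 args: /usr/sbin/sendmail -t -i -fbob@example.com
2007-09-29 10:15:04 cwd=/home/alice/public_html/forum/tmp 3 args: /usr/sbin/sendmail -t -i
2007-09-29 10:15:04 1IbXyZ-0001aB-Cd <= nobody@host.example.com U=nobody P=local S=812 T="constructed subject"
EOF
}

# rank_cwd [FILE]: print "count account directory", busiest directory first.
# Reads FILE, or standard input when no file is given.
rank_cwd() {
  awk '
    match($0, /cwd=.* [0-9]+ args:/) {
      # Take everything between "cwd=" and " <n> args:" so paths with spaces survive.
      dir = substr($0, RSTART + 4, RLENGTH - 4)
      sub(/ [0-9]+ args:$/, "", dir)
      # Assumption: this directory is Exim running its own delivery processes.
      if (dir == "/var/spool/exim") next
      # Assumption: account home directories live under /home/<account>.
      acct = "-"
      if (index(dir, "/home/") == 1) {
        split(dir, part, "/")
        if (part[3] != "") acct = part[3]
      }
      count[dir]++
      owner[dir] = acct
    }
    END { for (d in count) print count[d], owner[d], d }
  ' "${1:--}" | sort -k1,1nr -k2
}

# Demonstration on the constructed sample; on a server: rank_cwd /var/log/exim_mainlog
sample_log | rank_cwd
```

A directory that dominates the ranking is the place to look for the sending script; the `T="..."` field that `+subject` adds to the arrival lines helps confirm whether the traffic is spam.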
     
  4. ShirazDindar

    ShirazDindar Member

    Wow, both very very practical suggestions! I wish I'd asked sooner. Thanks guys.
     
  5. jayh38

    jayh38 Well-Known Member

    Also some very handy tools to add, thanks to Chirpy...

    www.configserver.com

    ConfigServer Mail Queues
    ConfigServer Mail Manage

    cheers
     