How to know which process is spamming

Discussion in 'E-mail Discussions' started by rag_gupta, Oct 15, 2013.

  1. rag_gupta (Registered, cPanel Access Level: Website Owner)
    My account has been hacked. I've removed the infections. I've disabled the nobody user from sending email and also limited each domain to sending a max of 50 emails/hr. I've checked the raw access logs and error log of Apache.
    I've checked the exim_mainlog.

    I've also gone through this useful thread: http://forums.cpanel.net/f5/server-overloaded-spam-exim-processes-226022.html

    But someone is trying to send emails non-stop. All I want to know is which process it is. I'm not able to figure this out using ps aux or the top command.

    Here are some entries from exim_mainlog:
    Code:
    
    2013-10-15 12:14:53 1VVyNA-00046a-Rf => usernamehere_ @gmail.com <nobody@host.domain.in> R=dkim_lookuphost T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [173.194.xx.xxx] X=TLSv1:RC4-SHA:128
    2013-10-15 12:14:53 1VVyNA-00046a-Rf Completed
    2013-10-15 12:14:54 1VVw2u-0007oC-6z ** usernamehere_ @hotmail.com R=enforce_mail_permissions: Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings
    2013-10-15 12:14:54 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1VVw2u-0007oC-6z
    2013-10-15 12:14:54 1VVyNC-00046u-1T <= <> R=1VVw2u-0007oC-6z U=mailnull P=local S=4230 T="Mail delivery failed: returning message to sender" for nobody@host.domain.in
    2013-10-15 12:14:54 1VVw2u-0007oC-6z Completed
    2013-10-15 12:14:54 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1VVyNC-00046u-1T
    2013-10-15 12:14:54 1VVyNB-00046h-33 => usernamehere_ @gmail.com <nobody@host.domain.in> R=dkim_lookuphost T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [173.194.xx.xxx] X=TLSv1:RC4-SHA:128
    2013-10-15 12:14:54 1VVyNB-00046h-33 Completed
    2013-10-15 12:14:54 1VVvwR-0002bL-Cn ** usernamehere_ @hotmail.com R=enforce_mail_permissions: Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings
    2013-10-15 12:14:54 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1VVvwR-0002bL-Cn
    2013-10-15 12:14:54 1VVyNC-000471-90 <= <> R=1VVvwR-0002bL-Cn U=mailnull P=local S=4206 T="Mail delivery failed: returning message to sender" for nobody@host.domain.in
    2013-10-15 12:14:54 1VVvwR-0002bL-Cn Completed
    2013-10-15 12:14:54 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1VVyNC-000471-90
    2013-10-15 12:14:55 1VVyNC-00046u-1T => usernamehere_ @gmail.com <nobody@host.domain.in> R=dkim_lookuphost T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [173.194.xx.xxx] X=TLSv1:RC4-SHA:128
    2013-10-15 12:14:55 1VVyNC-00046u-1T Completed
    2013-10-15 12:14:55 1VVvwu-000312-4V ** usernamehere_ @hotmail.com R=enforce_mail_permissions: Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings
    2013-10-15 12:14:55 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1VVvwu-000312-4V
    2013-10-15 12:14:55 1VVyND-00047E-9S <= <> R=1VVvwu-000312-4V U=mailnull P=local S=4206 T="Mail delivery failed: returning message to sender" for nobody@host.domain.in
    2013-10-15 12:14:55 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1VVyND-00047E-9S
    2013-10-15 12:14:55 1VVvwu-000312-4V Completed
    2013-10-15 12:14:55 1VVyNC-000471-90 => usernamehere_ @gmail.com <nobody@host.domain.in> R=dkim_lookuphost T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [173.194.xx.xxx] X=TLSv1:RC4-SHA:128
    2013-10-15 12:14:55 1VVyNC-000471-90 Completed
    2013-10-15 12:14:55 1VVw1R-0006ml-AR ** usernamehere_ @hotmail.com R=enforce_mail_permissions: Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings
    2013-10-15 12:14:55 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1VVw1R-0006ml-AR
    2013-10-15 12:14:55 1VVyND-00047N-K9 <= <> R=1VVw1R-0006ml-AR U=mailnull P=local S=4226 T="Mail delivery failed: returning message to sender" for nobody@host.domain.in
    2013-10-15 12:14:55 1VVw1R-0006ml-AR Completed
    2013-10-15 12:14:55 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1VVyND-00047N-K9
    2013-10-15 12:14:56 1VVyND-00047E-9S => usernamehere_ @gmail.com <nobody@host.domain.in> R=dkim_lookuphost T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [173.194.xx.xxx] X=TLSv1:RC4-SHA:128
    2013-10-15 12:14:56 1VVyND-00047E-9S Completed
    2013-10-15 12:14:56 1VVw3u-00007y-Dt ** usernamehere_ @hotmail.com R=enforce_mail_permissions: Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings
    2013-10-15 12:14:56 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1VVw3u-00007y-Dt
    2013-10-15 12:14:56 1VVyND-00047N-K9 => usernamehere_ @gmail.com <nobody@host.domain.in> R=dkim_lookuphost T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [173.194.xx.xxx] X=TLSv1:RC4-SHA:128
    2013-10-15 12:14:56 1VVyND-00047N-K9 Completed
    2013-10-15 12:14:56 1VVvsR-00079x-5Z ** usernamehere_ @yahoo.com R=enforce_mail_permissions: Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings
    2013-10-15 12:14:56 1VVyNE-00047Z-Qq <= <> R=1VVw3u-00007y-Dt U=mailnull P=local S=4214 T="Mail delivery failed: returning message to sender" for nobody@host.domain.in
    2013-10-15 12:14:57 1VVw3u-00007y-Dt Completed
    2013-10-15 12:14:57 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1VVvsR-00079x-5Z
    2013-10-15 12:14:57 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1VVyNE-00047Z-Qq
    2013-10-15 12:14:57 1VVyNF-00047d-1y <= <> R=1VVvsR-00079x-5Z U=mailnull P=local S=4226 T="Mail delivery failed: returning message to sender" for nobody@host.domain.in
    2013-10-15 12:14:57 1VVvsR-00079x-5Z Completed
    2013-10-15 12:14:57 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1VVyNF-00047d-1y
    
    
     
  2. cPanelMichael (Forums Analyst, Staff Member, cPanel Access Level: Root Administrator)
    Hello :)

    You can browse to the "Mail" tab in "WHM Home » Service Configuration » Exim Configuration Manager" and check to ensure the following option is enabled:

    "Query Apache server status to determine the sender of email sent from processes running as nobody"

    Also, have you considered enabling suPHP so that the account username is used for email coming from PHP scripts?

    Thank you.
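The log excerpt in the first post only shows the bounce traffic: each "** ... being discarded" line is a message that Exim refused because it came from the nobody user, and the "<= <>" line that follows it is the delivery-failure notice Exim generates for it, whose R= field names the original message ID. The submission of that original message (the "<=" line, preceded by a cwd= line giving the working directory of the process that ran sendmail) happened earlier in exim_mainlog. The script below is an added example written for this thread, not code from the forum or from cPanel: it parses exim_mainlog lines, counts injected mail by the U= user (the field that suPHP, as suggested in the reply above, turns from "nobody" into the account name), tallies which router discarded mail for which recipient domain, and walks each bounce back to its original message ID so the admin knows which IDs to search for further back in the log. The first two lines of the embedded sample (a script under /home/example injecting mail as nobody) are constructed to show what that origin looks like; the remaining sample lines are taken from the post. It assumes that a cwd= line always immediately precedes the "<=" line of the message it submitted, which is how Exim's arguments logging orders them.

```python
"""Exim main-log triage for a cPanel/WHM host (added example, not from the thread)."""
import re
from collections import Counter

MSGID = r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}"   # e.g. 1VVyNA-00046a-Rf
TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"
MSG_RE = re.compile(rf"^({TS}) ({MSGID}) (<=|=>|->|\*\*|==|Completed)\s*(.*)$")
CWD_RE = re.compile(rf"^({TS}) cwd=(\S+) \d+ args: (.*)$")
KV_RE = re.compile(r'(?<!\S)([A-Z])=("[^"]*"|\S+)')      # R=, U=, P=, S=, T="..."

# Constructed sample: the first two lines (a script under /home/example injecting
# mail as "nobody") are invented; the remaining lines are entries from the post.
SAMPLE_LOG = """\
2013-10-15 12:14:50 cwd=/home/example/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2013-10-15 12:14:50 1VVw2u-0007oC-6z <= nobody@host.domain.in U=nobody P=local S=1820
2013-10-15 12:14:54 1VVw2u-0007oC-6z ** usernamehere_ @hotmail.com R=enforce_mail_permissions: Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings
2013-10-15 12:14:54 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1VVw2u-0007oC-6z
2013-10-15 12:14:54 1VVyNC-00046u-1T <= <> R=1VVw2u-0007oC-6z U=mailnull P=local S=4230 T="Mail delivery failed: returning message to sender" for nobody@host.domain.in
2013-10-15 12:14:54 1VVw2u-0007oC-6z Completed
2013-10-15 12:14:54 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1VVyNC-00046u-1T
2013-10-15 12:14:54 1VVvwR-0002bL-Cn ** usernamehere_ @hotmail.com R=enforce_mail_permissions: Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings
2013-10-15 12:14:54 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1VVvwR-0002bL-Cn
2013-10-15 12:14:54 1VVyNC-000471-90 <= <> R=1VVvwR-0002bL-Cn U=mailnull P=local S=4206 T="Mail delivery failed: returning message to sender" for nobody@host.domain.in
2013-10-15 12:14:55 1VVyNC-00046u-1T => usernamehere_ @gmail.com <nobody@host.domain.in> R=dkim_lookuphost T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [173.194.xx.xxx] X=TLSv1:RC4-SHA:128
2013-10-15 12:14:55 1VVyNC-00046u-1T Completed
"""


def domain_of(addr):
    """Recipient domain from an address such as 'user @hotmail.com'."""
    return addr.rsplit("@", 1)[-1].strip("<>").lower() if "@" in addr else addr


def parse_line(line):
    """Return a dict for a message line or a cwd= line, else None."""
    m = MSG_RE.match(line)
    if m:
        ts, msgid, flag, rest = m.groups()
        kv = {k: v.strip('"').rstrip(":") for k, v in KV_RE.findall(rest)}
        rec = {"ts": ts, "id": msgid, "flag": flag, "fields": kv}
        if flag == "<=":
            rec["sender"] = rest.split(" ", 1)[0]            # "<>" means a bounce
            hit = re.search(r" for (\S+)$", rest)
            rec["returned_to"] = hit.group(1) if hit else None
        elif flag in ("=>", "->", "**", "=="):
            rec["recipient"] = re.split(r" (?:<|[A-Z]=)", rest, maxsplit=1)[0].strip()
        return rec
    m = CWD_RE.match(line)
    if m:
        ts, cwd, args = m.groups()
        return {"ts": ts, "flag": "cwd", "cwd": cwd, "args": args}
    return None


def analyze(lines):
    submitted_by_user = Counter()   # U= on "<=" lines: who injected the mail
    discarded = Counter()           # "router -> recipient domain" on "**" lines
    delivered = Counter()           # recipient domains on "=>" lines
    origin = {}                     # msgid -> sender / user / cwd of the submitting process
    bounces = []                    # (bounce id, original id, address the bounce went to)
    pending_cwd = None
    for line in lines:
        rec = parse_line(line.strip())
        if rec is None:
            continue
        if rec["flag"] == "cwd":
            pending_cwd = rec["cwd"]
            continue
        kv = rec["fields"]
        if rec["flag"] == "<=":
            user = kv.get("U", "?")
            submitted_by_user[user] += 1
            origin[rec["id"]] = {"sender": rec["sender"], "user": user, "cwd": pending_cwd}
            if rec["sender"] == "<>" and "R" in kv:       # bounce: R= names the failed message
                bounces.append((rec["id"], kv["R"], rec["returned_to"]))
        elif rec["flag"] == "**":
            discarded[f"{kv.get('R', '?')} -> {domain_of(rec['recipient'])}"] += 1
        elif rec["flag"] == "=>":
            delivered[domain_of(rec["recipient"])] += 1
        pending_cwd = None          # assumption: a cwd= line explains only the very next entry
    chain = [{"bounce": b, "original": o, "returned_to": t, "origin": origin.get(o)}
             for b, o, t in bounces]
    return {
        "submitted_by_user": dict(submitted_by_user),
        "discarded": dict(discarded),
        "delivered_domains": dict(delivered),
        "bounce_chain": chain,
        # originals whose submission is not in this excerpt: search these IDs further back
        "ids_to_grep": sorted({o for _, o, _ in bounces if o not in origin}),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LOG.splitlines()), indent=2))
```

Run against the real log (on cPanel hosts, /var/log/exim_mainlog) with `analyze(open("/var/log/exim_mainlog"))`; the "ids_to_grep" list gives the message IDs whose "<=" and preceding cwd= lines identify the script directory and user, and once suPHP is in place the "submitted_by_user" counts name the account rather than nobody.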
     