How to track a mail abuser who sends via SMTP?

dchepishev

Well-Known Member
PartnerNOC
Oct 19, 2005
Hi guys,

I have the following problem. One of the cpanel users is infected with virus/spyware. The user uses pop before smtp auth and as you can imagine the virus can freely send mail using our server.

When I look in the logs, there is no way to find out which cpanel user is sending this mail.
I have the following options enabled:

1. Track the origin of messages sent though the mail server by adding the X-Source headers (exim 4.34+ required)
2. Prevent the user "nobody" from sending out mail to remote addresses
3. Include a list of Pop before SMTP senders in the X-PopBeforeSMTP header when relaying mail.

1. Makes sense if the mail is sent locally by php/perl/some other scripts, and it does nothing in the current case, because the headers added are useless
2. Is not related to this case
3. Adds a pretty good list of pop before smtp authenticated users, which is really cool; however, the main problem is that none of the above is shown in the exim log.
The user I am talking about is sending random emails to yahoo.com, which today just rejected the IP address of the server. I see in the logs that someone was trying to send tons of mail to yahoo.com and most of them were failing because of nonexistent users, and after some time yahoo started rejecting all the mail from our server to theirs. So the main problem is that even if the header popBeforeSMTP is added to the mail, I don't have a sample of this mail, and since nothing is written in the log I can not track the user.

My question is: Is there any way to make exim log which pop before smtp user sends the mail?
Thanks in advance
 

yapluka

Well-Known Member
Dec 24, 2003
France
cPanel Access Level
Root Administrator
Search for the sending IP in /etc/relayhostsusers and you'll find the pop user.

This file only stores the hosts that did pop before smtp within the last 30 min, so you may want to set a cronjob to keep track of all connections:

cat /etc/relayhostsusers >> ippopusers.txt

Good luck ! :)
 

dchepishev

Well-Known Member
PartnerNOC
Oct 19, 2005
yapluka said:
Search for the sending IP in /etc/relayhostsusers and you'll find the pop user.

This file only stores the hosts that did pop before smtp within the last 30 min, so you may want to set a cronjob to keep track of all connections:

cat /etc/relayhostsusers >> ippopusers.txt

Good luck ! :)
Thank you for the reply. This could do the job if I had a track of this file ;)
 

yapluka

Well-Known Member
Dec 24, 2003
France
cPanel Access Level
Root Administrator
Which file do you refer to?
If the service "Antirelayd" (Pop before smtp) is enabled, you should have the file /etc/relayhostsusers.

To add the cronjob (and create ippopusers.txt if it doesn't exist):

crontab -e

then add this line and save :
*/15 * * * * cat /etc/relayhostsusers >> /root/ippopusers.txt

service crond restart

If /etc/relayhostsusers is not being written :

service syslog restart
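As an added example (not from the thread and not part of cPanel), here is a small POSIX shell script that does what the cron line above does but stamps every record with the time it was captured, so that weeks later a sending IP can still be matched to the POP user who was logged in at that moment. It assumes, without verifying, that /etc/relayhostsusers holds one ip=user entry per line; the function names, the archive path and the sample entries in the test are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: keep a timestamped history of
# /etc/relayhostsusers so a sending IP can be traced to a POP user later.
# Assumption (not verified here): the file holds one "ip=user" entry per line.

# archive_relayhosts SRC ARCHIVE [STAMP]
# Appends "<stamp> <ip=user>" for every non-blank entry in SRC. STAMP
# defaults to the current UTC time; passing it explicitly makes runs
# reproducible (used by the test below).
archive_relayhosts() {
    src=$1; archive=$2; stamp=${3:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    # keep each entry verbatim after the timestamp, skip blank lines
    awk -v stamp="$stamp" 'NF { print stamp, $0 }' "$src" >> "$archive"
}

# users_for_ip ARCHIVE IP
# Prints "<user> <first seen> <last seen>" for every POP user ever recorded
# against IP, so a rejected-by-yahoo IP can be turned into an account name.
users_for_ip() {
    awk -v ip="$2" '
        { split($2, kv, "=") }
        kv[1] == ip {
            user = kv[2]
            if (!(user in first)) first[user] = $1
            last[user] = $1
        }
        END { for (u in first) print u, first[u], last[u] }
    ' "$1" | sort
}

# Run from cron every 15 minutes in place of the plain "cat ... >>" line:
#   */15 * * * * /root/archive_relayhosts.sh --cron
if [ "${1:-}" = "--cron" ]; then
    archive_relayhosts /etc/relayhostsusers /root/ippopusers.txt
fi
```

The timestamp matters because the plain append in the cron line loses the information you actually need: which user held the IP at the time the exim log shows the abusive delivery attempts. Querying the archive with users_for_ip gives the user together with the first and last capture time, which is what you compare against the exim_mainlog timestamps.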
 

dchepishev

Well-Known Member
PartnerNOC
Oct 19, 2005
yapluka said:
Which file do you refer to?
If the service "Antirelayd" (Pop before smtp) is enabled, you should have the file /etc/relayhostsusers.

To add the cronjob (and create ippopusers.txt if it doesn't exist):

crontab -e

then add this line and save :
*/15 * * * * cat /etc/relayhostsusers >> /root/ippopusers.txt

service crond restart

If /etc/relayhostsusers is not being written :

service syslog restart
Thanks for the help. I know how I can get the file, I just wanted to say that I was not keeping a record of this file until now, so it will not be that easy to track the user ;)
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
Since they're authenticating, you should be able to get the user account by checking your exim_mainlog if you know the offending IP address. If not, enable extended logging in exim to help track outgoing email.
 

dchepishev

Well-Known Member
PartnerNOC
Oct 19, 2005
chirpy said:
Since they're authenticating, you should be able to get the user account by checking your exim_mainlog if you know the offending IP address. If not, enable extended logging in exim to help track outgoing email.
They are authenticating, but only pop3 auth, not SMTP auth. With SMTP auth, yes, you can see the offending user in exim_mainlog, but when pop3 before smtp is used there is nothing in exim_mainlog. I even tried with log_selector=+all and still there is nothing which could help you easily track the offending user.
 

brianoz

Well-Known Member
Mar 13, 2004
Melbourne, Australia
cPanel Access Level
Root Administrator
/var/log/maillog logs IPs against authenticating user, so you can get them from there.

/etc/relayhostsusers tracks the currently authenticated users for POP3 and is condensed into /etc/relayhosts, which is what is used by exim for pop-before-smtp, as far as I remember.

(sorry, this is a month old now, but thought it was worth having in the thread for searchability)
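The two-step lookup described in this thread (find the busy remote IP in exim_mainlog, then find the POP3 login for that IP in /var/log/maillog) can be automated. The script below is an added example, not from the thread or from cPanel; the log line formats it parses are assumed (Exim "<=" lines carrying an "[ip]" token after "H=", and Courier-style "pop3d: LOGIN, user=..., ip=[::ffff:...]" lines in maillog), so check them against your own logs before trusting the output. The sample log lines built by make_sample_logs are constructed for the test and use documentation addresses.

```shell
#!/bin/sh
# Added example, not from the thread: correlate the remote IPs that inject
# mail into Exim with the POP3 logins recorded in maillog, so a
# pop-before-smtp relay can be tied back to an account name.
# Assumed formats (verify against real logs):
#   exim_mainlog: "<date> <time> <msgid> <= <sender> H=(helo) [ip] ..."
#   maillog:      "... pop3d: LOGIN, user=<name>, ip=[::ffff:<ip>]"

# top_sender_ips EXIM_MAINLOG
# Prints "<count> <ip>" for every remote IP that injected mail, busiest first.
top_sender_ips() {
    awk '$4 == "<=" {
             for (i = 5; i <= NF; i++)
                 if (match($i, /\[[0-9.]+\]/)) {
                     ip = substr($i, RSTART + 1, RLENGTH - 2)
                     count[ip]++
                     break
                 }
         }
         END { for (ip in count) print count[ip], ip }' "$1" | sort -rn
}

# pop_users_for_ip MAILLOG IP
# Prints the distinct POP3 usernames that logged in from IP; the IPv4-mapped
# "::ffff:" prefix Courier writes is stripped before comparing.
pop_users_for_ip() {
    sed -n 's/.*LOGIN, user=\([^,]*\), ip=\[\(::ffff:\)\{0,1\}\([0-9.]*\)\].*/\3 \1/p' "$1" |
        awk -v ip="$2" '$1 == ip { print $2 }' | sort -u
}

# suspect_users EXIM_MAINLOG MAILLOG
# For each sending IP prints "<count> <ip> <users>", so the account behind
# the flood of rejected yahoo.com deliveries is read off the first line.
suspect_users() {
    top_sender_ips "$1" | while read -r count ip; do
        users=$(pop_users_for_ip "$2" "$ip" | tr '\n' ',' | sed 's/,$//')
        printf '%s %s %s\n' "$count" "$ip" "${users:-(no pop login)}"
    done
}

# make_sample_logs DIR: writes constructed sample logs for an offline run.
make_sample_logs() {
    cat > "$1/exim_mainlog" <<'EOF'
2006-02-10 10:00:01 1F7abc-000123-4X <= spam@example.net H=(pc) [192.0.2.10] P=esmtp S=812 id=1@pc
2006-02-10 10:00:02 1F7abc-000124-4X <= spam@example.net H=(pc) [192.0.2.10] P=esmtp S=812 id=2@pc
2006-02-10 10:00:03 1F7abc-000124-4X => nobody@yahoo.com R=lookuphost T=remote_smtp H=mx.yahoo.com [203.0.113.5]
2006-02-10 10:00:05 1F7abc-000125-4X <= alice@example.org H=[198.51.100.7] P=esmtp S=400 id=3@x
2006-02-10 10:00:06 1F7abc-000126-4X <= spam@example.net H=(pc) [192.0.2.10] P=esmtp S=812 id=4@pc
EOF
    cat > "$1/maillog" <<'EOF'
Feb 10 09:58:12 host pop3d: LOGIN, user=bob, ip=[::ffff:192.0.2.10]
Feb 10 09:59:40 host pop3d: LOGIN, user=alice, ip=[::ffff:198.51.100.7]
Feb 10 10:00:04 host pop3d: LOGOUT, user=bob, ip=[::ffff:192.0.2.10], top=0, retr=0
EOF
}

# Real usage: suspect_users /var/log/exim_mainlog /var/log/maillog
```

Only "<=" (message received) lines are counted, so outbound delivery lines and their remote-MX addresses do not pollute the ranking. Because pop-before-smtp lets anyone on the IP relay once a login has happened, a shared NAT address can show several users; the script lists all of them rather than guessing, and an IP with no POP login at all is flagged explicitly.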