The Community Forums

how to track mail abuser who sends via SMTP ?

Discussion in 'E-mail Discussions' started by dchepishev, Sep 13, 2006.

  1. dchepishev

    dchepishev Well-Known Member
    PartnerNOC

    Joined:
    Oct 19, 2005
    Messages:
    52
    Likes Received:
    0
    Trophy Points:
    6
    Hi guys,

    I have the following problem. One of the cpanel users is infected with virus/spyware. The user uses pop before smtp auth and as you can imagine the virus can freely send mail using our server.

    When I look in the logs, there is no way to find who is the cpanel user which sends this mail.
    I have the following options enabled:

    1. Track the origin of messages sent through the mail server by adding the X-Source headers (exim 4.34+ required)
    2. Prevent the user "nobody" from sending out mail to remote addresses
    3. Include a list of Pop before SMTP senders in the X-PopBeforeSMTP header when relaying mail.

    1. makes sense if the mail is sent locally by php/perl/some other scripts and it does nothing in the current case, because the headers added are useless
    2. Is not related to this case
    3. Adds pretty good list of pop before smtp authenticated users which is really cool, however the main problem is that nothing of the above is shown in the exim log.

    The user I am talking about is sending random emails to yahoo.com, which today just rejected the IP address of the server. I see in the logs that someone was trying to send tons of mail to yahoo.com and most of them were failing because of nonexistent users, and after some time yahoo started rejecting all the mail from our server to theirs. So the main problem is that even if the X-PopBeforeSMTP header is added to the mail, I don't have a sample of this mail, and since nothing is written in the log I can not track the user.

    My question is: Is there any way to make exim log which pop before smtp user sends the mail?
    Thanks in advance
     
  2. yapluka

    yapluka Well-Known Member

    Joined:
    Dec 24, 2003
    Messages:
    301
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    France
    cPanel Access Level:
    Root Administrator
    Search for the sending IP in /etc/relayhostsusers and you'll find the pop user.

    This file only stores the hosts that did pop before smtp within the last 30 min, so you may want to set a cronjob to keep track of all connections:

    cat /etc/relayhostsusers >> ippopusers.txt

    Good luck ! :)
     
  3. dchepishev

    dchepishev Well-Known Member
    PartnerNOC

    Joined:
    Oct 19, 2005
    Messages:
    52
    Likes Received:
    0
    Trophy Points:
    6
    Thank you for the reply. This could do the job if I had kept track of this file ;)
     
  4. yapluka

    yapluka Well-Known Member

    Joined:
    Dec 24, 2003
    Messages:
    301
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    France
    cPanel Access Level:
    Root Administrator
    Which file do you refer to?
    If the service "Antirelayd" (Pop before smtp) is enabled, you should have this file /etc/relayhostsusers.

    To add the cronjob (and create ippopusers.txt if it doesn't exist):

    crontab -e

    then add this line and save:
    */15 * * * * cat /etc/relayhostsusers >> /root/ippopusers.txt

    service crond restart

    If /etc/relayhostsusers is not being written:

    service syslog restart
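A script that keeps the history yapluka describes, as an added example (not code from the thread or from cPanel): run from cron it appends a timestamped copy of /etc/relayhostsusers to a log file, and the same script can later answer "which POP3 user was on this IP at that time", which a plain `cat >>` history cannot do once the file has been overwritten many times. It assumes that relayhostsusers holds one `IP=username` pair per line; the log path, the `snapshot`/`lookup` sub-commands and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: timestamped history of the
# pop-before-smtp relay list plus a lookup from IP to POP3 user.
# ASSUMPTION: /etc/relayhostsusers contains lines of the form "IP=username";
# adjust the parsing in lookup_ip if your antirelayd writes another layout.

RELAYFILE=${RELAYFILE:-/etc/relayhostsusers}   # source file written by antirelayd
HISTORY=${HISTORY:-/root/ippopusers.log}       # constructed path for the history

# snapshot_relayhosts FILE LOG: append every IP=user pair from FILE to LOG,
# prefixed with the current UTC time, so that later lookups know *when*
# an IP was mapped to a user (the 30-minute window is otherwise lost).
snapshot_relayhosts() {
    file=$1; log=$2
    [ -r "$file" ] || return 0              # nothing to record (service off?)
    ts=$(date -u '+%Y-%m-%dT%H:%M:%SZ')
    while IFS= read -r line; do
        case $line in
            ''|'#'*) continue ;;            # skip blank and comment lines
        esac
        printf '%s %s\n' "$ts" "$line" >> "$log"
    done < "$file"
}

# lookup_ip LOG IP: print "<time> <user>" for every snapshot in which IP was
# authenticated, newest first. The leading space and trailing "=" make the
# match exact, so 203.0.113.7 does not also match 203.0.113.70.
lookup_ip() {
    log=$1; ip=$2
    grep -F " $ip=" "$log" | sort -r | awk -F'[ =]' '{print $1, $3}'
}

# Usage from cron (constructed example):
#   */15 * * * * /root/popsnap.sh snapshot
# Later, to find who was on an IP seen in exim_mainlog:
#   /root/popsnap.sh lookup 203.0.113.7
case ${1:-} in
    snapshot) snapshot_relayhosts "$RELAYFILE" "$HISTORY" ;;
    lookup)   lookup_ip "$HISTORY" "$2" ;;
esac
```

Because each snapshot line carries the time it was taken, the sending IP and timestamp from an exim_mainlog entry can be matched against the snapshot that was current at that moment, rather than against an undated pile of IP/user pairs.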
     
  5. dchepishev

    dchepishev Well-Known Member
    PartnerNOC

    Joined:
    Oct 19, 2005
    Messages:
    52
    Likes Received:
    0
    Trophy Points:
    6
    Thanks for the help. I know how I can get the file; I just wanted to say that I was not keeping a record of this file until now, so it will not be that easy to track the user ;)
     
  6. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Since they're authenticating, you should be able to get the user account by checking your exim_mainlog if you know the offending IP address. If not, enable extended logging in exim to help track outgoing email.
     
  7. dchepishev

    dchepishev Well-Known Member
    PartnerNOC

    Joined:
    Oct 19, 2005
    Messages:
    52
    Likes Received:
    0
    Trophy Points:
    6
    They are authenticating, but only with POP3 auth, not SMTP auth. With SMTP auth, yes, you can see the offending user in exim_mainlog, but when pop3 before smtp is used there is nothing in exim_mainlog. I even tried with log_selector=+all and still there is nothing which could help you to easily track the offending user.
     
  8. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    /var/log/maillog logs IPs against authenticating user, so you can get them from there.

    /etc/relayhostsusers tracks the currently authenticated users for POP3 and is condensed into /etc/relayhosts which is what is used by exim for pop-before-smtp, as far as I remember.

    (sorry, this is a month old now, but thought it was worth having in the thread for searchability)
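The correlation brianoz's reply implies, as an added example that is not part of the thread: take the client IPs that exim_mainlog records on its `<=` (message accepted) lines, then look each one up in /var/log/maillog to find the POP3 login from the same address. The exim lines follow exim's normal `H=host [ip]` layout; the maillog lines are assumed to be courier-imap style (`pop3d: LOGIN, user=..., ip=[::ffff:...]`), and all sample log lines, hostnames and addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: map sending IPs in exim_mainlog back
# to POP3 logins recorded in /var/log/maillog.
# ASSUMPTION: maillog carries courier-imap style lines such as
#   "pop3d: LOGIN, user=bob, ip=[::ffff:203.0.113.7]"
# Adjust pop_user_for_ip if your POP3 server logs in another format.

# exim_sender_ips EXIM_MAINLOG: print "<count> <ip>" for every client IP on
# an accepted-message ("<=") line, busiest IP first. "H=(name) [ip]" and
# "H=[ip]" are both handled; local submissions (no H=) are ignored.
exim_sender_ips() {
    grep ' <= ' "$1" \
      | sed -n 's/.*H=[^[]*\[\([0-9.]*\)\].*/\1/p' \
      | sort | uniq -c | sort -rn
}

# pop_user_for_ip MAILLOG IP: print the distinct POP3 users that logged in
# from IP. The fixed-string match on "ip=[::ffff:IP]" avoids prefix matches.
pop_user_for_ip() {
    grep -F "ip=[::ffff:$2]" "$1" \
      | sed -n 's/.*user=\([^,]*\),.*/\1/p' \
      | sort -u
}

# correlate EXIM_MAINLOG MAILLOG: one line per sending IP, with the number
# of messages it injected and the POP3 user(s) seen from it ('-' if none,
# which points at SMTP-auth or a host that never did pop-before-smtp).
correlate() {
    exim_sender_ips "$1" | while read -r count ip; do
        users=$(pop_user_for_ip "$2" "$ip" | paste -s -d, -)
        printf '%s %s %s\n' "$ip" "$count" "${users:--}"
    done
}

# Typical run on a live box (paths are the cPanel defaults named in the thread):
#   correlate /var/log/exim_mainlog /var/log/maillog
```

The IP with the highest message count and a matching POP3 login is the account to suspend and clean; an IP with a high count and no POP3 login did not get in through pop-before-smtp, so the SMTP-auth entries in exim_mainlog are the place to look next.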
     