The Community Forums


I think I have a spammer on my webserver

Discussion in 'E-mail Discussions' started by Senor, Mar 11, 2010.

  1. Senor (Member; Joined: Jun 12, 2007; Messages: 21; Likes Received: 0; Trophy Points: 1)

    Long story short:

    My outbound internet connection at work is being taxed, heavily. If I kill Exim on my webserver, my connection returns to normal. Re-enable Exim and seconds later I'm being hosed again.

    Abuse.net doesn't seem to think I have an open relay. I have tried telnet'ing in and sending email, only to be denied access. I can't seem to find a rogue process that might be sending tons of spam.

    I'm nowhere near an Exim expert so I don't really know how to read the logfiles to pinpoint possible causes of the massive bandwidth usage.

    Any thoughts on what I can do/check to hopefully fix my problem? I'm at a complete loss here.

    Thanks in advance.
     
  2. Senor (Member; Joined: Jun 12, 2007; Messages: 21; Likes Received: 0; Trophy Points: 1)

    I've been looking at /var/log/exim_mainlog and you'd think that a compromised exim that's completely saturating a 1meg upload would be constantly writing to that file, right?

    It's barely updating every couple of seconds. I don't get it.

    Any thoughts?
     
  3. Spiral (BANNED; Joined: Jun 24, 2005; Messages: 2,023; Likes Received: 7; Trophy Points: 0)

    You want to look at all the logs; these are just a few:

    /var/log/maillog
    /var/log/exim_mainlog
    /var/log/exim_rejectlog

    One that might be more important in your case:

    /var/log/exim_paniclog

    You could also have a configuration error in your exim or your firewall that could be dragging your connection down and might not be doing anything with spam at all (Then again it could be that too). Depending on your security configuration, you could also have some script somewhere that is bypassing your system processes and making direct connections but this can very easily be restricted.

    If you have not done so already, I would suggest setting up extended logging for your mail server so you can more readily detect scripts making repeat mail server calls.

    To do this, go into "Exim Configuration Editor" in WHM and click the "Advanced Editor" button. On the page that comes up, scroll down from the top to the first white textbox you see, write the following line, and then save everything:
    Code:
    log_selector = +arguments +subject +received_recipients

    How much system memory do you have? If you are operating on a low memory configuration, as may be the case with a VPS server, you will probably want to use "Dovecot" instead of "Courier" as it has a bit lower memory overhead and might work better in that situation.

    If you want to get a better feel for what is going on in your system, here are a couple of commands you may want to take a look at:
    Code:
    ps aux | less
    top
    netstat -ntu

    You can always reset Exim's configuration back to default from the "Exim Configuration Editor" at any time and start over, or reinstall Exim using cPanel's included script "/scripts/eximup --force".

    Chirpy has a few scripts at configserver.net that may be of interest to you also and are easy to install; most notable for this particular issue would be "Mail Queues" (cmq) and "Mail Manage" (cmm).
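One way to make use of the extended logging Spiral describes, as an added example that is not from this thread or from cPanel: once `+arguments +subject +received_recipients` is active, Exim writes a `cwd=... args:` line for each local sendmail call just before the message's `<=` arrival line, and the script below pairs the two to total messages, bytes, subjects and recipients per calling directory, so a web-writable folder firing the same subject at many addresses stands out. The log lines are constructed for the example and the field layout is assumed from Exim's usual mainlog format.

```python
import re
from collections import defaultdict

# Constructed sample in the shape Exim writes to /var/log/exim_mainlog once
# "log_selector = +arguments +subject +received_recipients" is active.
SAMPLE_LOG = """\
2010-03-11 09:00:01 cwd=/home/shop/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2010-03-11 09:00:01 1NpXa1-0001AA-AA <= nobody@example.com U=nobody P=local S=41233 T="Cheap meds" for a@mail.test
2010-03-11 09:00:02 cwd=/home/shop/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2010-03-11 09:00:02 1NpXa2-0001AB-AB <= nobody@example.com U=nobody P=local S=41233 T="Cheap meds" for b@mail.test
2010-03-11 09:00:03 cwd=/home/shop/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2010-03-11 09:00:03 1NpXa3-0001AC-AC <= nobody@example.com U=nobody P=local S=41233 T="Cheap meds" for c@mail.test
2010-03-11 09:05:10 cwd=/home/alice 4 args: /usr/sbin/sendmail -t -i -falice@example.com
2010-03-11 09:05:10 1NpXb1-0001AD-AD <= alice@example.com U=alice P=local S=2100 T="Invoice for March" for bob@mail.test
"""

CWD_RE = re.compile(r'^\S+ \S+ cwd=(?P<cwd>\S+) \d+ args: ')   # +arguments line
ARRIVAL_RE = re.compile(r'^\S+ \S+ \S+ <= \S+ (?P<rest>.*)$')  # message arrival
SIZE_RE = re.compile(r'\bS=(\d+)')          # message size in bytes
SUBJ_RE = re.compile(r' T="([^"]*)"')       # +subject
RCPT_RE = re.compile(r' for (.+)$')         # +received_recipients

def summarize(log_text):
    """Attribute each "<=" arrival to the cwd of the script that called
    sendmail; return per-directory totals, busiest directory first."""
    stats = defaultdict(lambda: {"messages": 0, "bytes": 0,
                                 "subjects": set(), "recipients": set()})
    pending_cwd = None  # cwd from the args line waiting for its "<=" line
    for line in log_text.splitlines():
        if (m := CWD_RE.match(line)):
            pending_cwd = m["cwd"]
            continue
        if not (m := ARRIVAL_RE.match(line)):
            continue
        s = stats[pending_cwd or "(no cwd line)"]
        pending_cwd = None
        rest = m["rest"]
        size, subj = SIZE_RE.search(rest), SUBJ_RE.search(rest)
        # Strip the subject before looking for " for " so a subject containing
        # that word is not mistaken for the recipient list.
        rcpts = RCPT_RE.search(SUBJ_RE.sub("", rest, count=1))
        s["messages"] += 1
        s["bytes"] += int(size[1]) if size else 0
        if subj:
            s["subjects"].add(subj[1])
        if rcpts:
            s["recipients"].update(rcpts[1].split())
    return sorted(({"cwd": k, **v} for k, v in stats.items()),
                  key=lambda r: r["messages"], reverse=True)
```

Run it against a copy of the real exim_mainlog (read the file into `summarize`) and compare the per-directory byte totals with the bandwidth you are losing; a directory under public_html at the top of the list is where to start looking.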
     