Mail sent as spam from nobody

[andrew.whm]

How to prevent nobody (local user / 127.0.0.1) keep sending non stop mail /SPAM; There are so many email frozen/queue/send by non existing user email account.

Action: already check prevent email from nobody but not solved yet?

Already searching but there still no solution?

 

[cPanelMichael]

Hello

I recommend investigating the source of the abusive emails. Look through the mail headers to see if you can determine where they originate so you can take appropriate action.

Note: Please ensure you attach images directly instead of linking to external image hosting websites.

Thank you.

 

[HostingH]

Hello,

Need to check mail headers, there you can see more information about the source.
Following commands will help you to find the spammer.

#exim -bpr | grep "<*@*>" | awk '{print $4}'|grep -v "<>" | sort | uniq -c | sort -n
#awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1
#ps -C exim -fH ewww | grep home

Thanks,

 

[andrew.whm]

Hello

I recommend investigating the source of the abusive emails. Look through the mail headers to see if you can determine where they originate so you can take appropriate action.

Note: Please ensure you attach images directly instead of linking to external image hosting websites.

Thank you.

Hello,

Need to check mail headers, there you can see more information about the source.
Following commands will help you to find the spammer.

#exim -bpr | grep "<*@*>" | awk '{print $4}'|grep -v "<>" | sort | uniq -c | sort -n
#awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1
#ps -C exim -fH ewww | grep home

Thanks,

Dear Michael and Hostripples, thanks for the respons.

Temporary the problem are solved even though keep sending email from non existing user (Spamming activity) until now but get blocked after set OFF on exim this two:

Trust X-PHP-Script headers to determine the sender of email messages sent from processes running as nobody

Query Apache server status to determine the sender of email messages sent from processes running as nobody

Capture attached before/after.

For Hostripples,
Hereis the results from your scripts:

-bash-3.2# exim -bpr | grep "<*@*>" | awk '{print $4}'|grep -v "<>" | sort | uni q -c | sort -n
-bash-3.2# awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mai nlog | sort | uniq -c | sort -nk 1
2 cwd=/home/userdirectory/public_html
3 cwd=/home/userdirectory/public_html/cgi-bin
216 cwd=/home/userdirectory/public_html
93941 cwd=/home/userdirectory/public_html/libraries/joomla/github
-bash-3.2# ps -C exim -fH ewww | grep home

Any thought for the result?

 

[cPanelMichael]

I suggest investigating the following directory that you referenced in the output of the command:

/home/userdirectory/public_html/libraries/joomla/github

Check to see if a script within this directory is being utilized to send out SPAM and then disable/move that directory if necessary, as the output you provided suggests it's sending out a heavy volume of email.

Thank you.

 

[HostingH]

Hello,

Yes, as per the result: 93941 cwd=/home/userdirectory/public_html/libraries/joomla/github, it means 93941 mails has been sent from the path /home/userdirectory/public_html/libraries/joomla/github so there must be a suspicious script which is sending spam mails as nobody user. Please check it and let us know if you still need any further help.

Thanks,

 

[andrew.whm]

Hello,

Yes, as per the result: 93941 cwd=/home/userdirectory/public_html/libraries/joomla/github, it means 93941 mails has been sent from the path /home/userdirectory/public_html/libraries/joomla/github so there must be a suspicious script which is sending spam mails as nobody user. Please check it and let us know if you still need any further help.

Thanks,

I suggest investigating the following directory that you referenced in the output of the command:

/home/userdirectory/public_html/libraries/joomla/github

Check to see if a script within this directory is being utilized to send out SPAM and then disable/move that directory if necessary, as the output you provided suggests it's sending out a heavy volume of email.

Thank you.

Hi guys, pardon me for very late in respon.

The problem is completely solved after delete file "indexDqSf.php" in suspicious folder cwd=/home/userdirectory/public_html/libraries/joomla/github which is created and set to user and group as "nobody", capture attached for the source code indexDqSf.php.


Question: What the used 'user nobody' in whm? Thanks.

 

[Infopro]

Dear andrew, do not report posts of your own just because they are being held in moderation. This was explained to you last time in the ticket you opened on same topic.

 

[ThinIce]

I'd have a read of How to: Prevent Email Abuse if you haven't already. You can branch off from that article to learn about the differences between mod_php and suphp and how you can prevent abuse of the nobody user.

As well as that, I'd check the joomla install (and all of it's installed modules, extensions, themes etc) in question is up to date and that any writeable directories are free of other malicious scripts.

 

[sahostking]

Some 3rd party addons also help in stopping outgoing spam. Find one that could be useful and use it. Also use php mail.log variable to create a log file of the emails sent via server and let it email you once it goes above the average amount so you can check if it's spam and from what user.

 

[andrew.whm]

Dear andrew, do not report posts of your own just because they are being held in moderation. This was explained to you last time in the ticket you opened on same topic.

Dear Infopro Why every post being held in moderation? It's that just me?; this forum should be make more user friendly, if user like me (newbie) came to post/reply when finished / automatic redirect again to this thread should be given attention that my post is in moderation; so I'm not waiting to long just blank no single reply meanwhile I'm already write something to reply.

Thanks

 

[Infopro]

All new users posts that contains links or images are are moderated. As you become more active, these restrictions are removed. To get around that, keep your posts to text only. As you'll note, the post you just made, was not restricted in any way, no attachments or links in it. Also, your IP address is continuing to be flagged at this time because it's been used for spamming by someone at some point.

These restrictions on new users are intended to keep these forums user friendly, and spam free.


Please feel free to review this post at your leisure: Forum Best Practices, Rules and Guidelines

 

[andrew.whm]

All new users posts that contains links or images are are moderated. As you become more active, these restrictions are removed. To get around that, keep your posts to text only. As you'll note, the post you just made, was not restricted in any way, no attachments or links in it. Also, your IP address is continuing to be flagged at this time because it's been used for spamming by someone at some point.

These restrictions on new users are intended to keep these forums user friendly, and spam free.


Please feel free to review this post at your leisure: Forum Best Practices, Rules and Guidelines

Okay then, so I could understand now

 

[andrew.whm]

Update,

HELP, my curent mail server have another problem with spamming activity, this time thounsand mail sent as spam from domain; for example at whm there are domain ABC. If previously mail sent as spam from nobody user, now mail have been sent from exist domain ABC but the "account email" from domain ABC never exist. How to solved this issue? thx b4

 

[cPanelPeter]

Hello,

Have you reviewed the /var/log/exim_mainlog file yet? I suggest you do that to find out where the spam is originating from.

 

[andrew.whm]

Hello,

Have you reviewed the /var/log/exim_mainlog file yet? I suggest you do that to find out where the spam is originating from.

Hello,

Here is an example from exim mainlog:

2014-03-31 12:32:28 1WUUpf-0003Au-3h <= tu(non exist user)@existdomain H=(uzrompkmgaxe) [31.162.xxx.xxx]:4596 P=esmtpa A=dovecot_login:existuser@existdomain S=639 T="" for - Removed List of Emails -

2014-03-31 12:32:32 1WUUpj-0003Au-Iq <= noxicy(non exist user)@existdomain H=(uzrompkmgaxe) [31.162.xxx.xxx]:4596 P=esmtpa A=dovecot_login:existuser@existdomain S=565 T="" for - Removed List of Emails -

=================================================================================================

My question is, All the email spam coming from "dovecot_login:existuser@existdomain" how to check more advance for this account user? I think the password for that user is leaked or that user do some spamming activity?

 

[cPanelMichael]

My question is, All the email spam coming from "dovecot_login:existuser@existdomain" how to check more advance for this account user? I think the password for that user is leaked or that user do some spamming activity?

You can try changing the email password and then checking to see if additional SPAM is sent out.

Thank you.

 

[vishnu243]

Hi,

Am also have the same problem but i don't have root access i have the cpanel user access so does i can sort this spam mail issue.

I can see bounce back error message with script [X-Mailer: PHPMailer 5.2.9 (https://github.com/PHPMailer/PHPMailer/)].

but i can't find any folders in my cpanel.

Any buddy could you give us a solution to sort out the issue,

Thank you guys

 

[cPanelMichael]

You can try searching each file to see if it's capable of sending out email, but it's likely more easily identified by your web hosting provider if you are able to contact them.

Thank you.