The Community Forums


Mail sent as spam from nobody

Discussion in 'E-mail Discussions' started by andrew.whm, Jan 15, 2014.

  1. andrew.whm

    andrew.whm Member

    How to prevent nobody (local user / 127.0.0.1) from sending non-stop mail/SPAM? There are so many emails frozen/queued/sent by non-existing user email accounts.

    Action: already checked "prevent email from nobody" but not solved yet?

    Already searched but there is still no solution?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    I recommend investigating the source of the abusive emails. Look through the mail headers to see if you can determine where they originate so you can take appropriate action.

    Note: Please ensure you attach images directly instead of linking to external image hosting websites.

    Thank you.
     
  3. HostingH

    HostingH Well-Known Member

    Hello,

    You need to check the mail headers; there you can see more information about the source.
    The following commands will help you to find the spammer.

    Code:
    # Senders with the most messages sitting in the Exim queue (bounces with an empty <> sender excluded)
    exim -bpr | grep "<.*@.*>" | awk '{print $4}' | grep -v "<>" | sort | uniq -c | sort -n
    # Working directories under /home from which local processes (e.g. PHP scripts) handed mail to Exim, busiest last
    awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1
    # Running Exim processes whose environment references a /home path
    ps -C exim -fH ewww | grep home

    Thanks,
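As an added example (not from the thread or from cPanel), here is the triage that HostingH's second one-liner performs, done in Python over a few constructed exim_mainlog lines so the logic is explicit: only the cwd= token is counted, and only when it lies under /home, which avoids the awk version's two weak points (it matches the word "home" anywhere on the line and assumes the path is always the third field). The sample log lines and paths are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample of exim_mainlog lines (not taken from the thread).
# The "cwd=" token is logged when a local process, typically a PHP script,
# pipes a message into /usr/sbin/sendmail; it is what the awk one-liner extracts.
SAMPLE_MAINLOG = """\
2014-01-15 10:01:02 cwd=/home/userdirectory/public_html 3 args: /usr/sbin/sendmail -t -i
2014-01-15 10:01:03 1W3abc-0001xy-Zz <= user@example.test U=userdirectory P=local S=612
2014-01-15 10:01:05 cwd=/home/userdirectory/public_html/libraries/joomla/github 3 args: /usr/sbin/sendmail -t -i
2014-01-15 10:01:05 cwd=/home/userdirectory/public_html/libraries/joomla/github 3 args: /usr/sbin/sendmail -t -i
2014-01-15 10:01:06 cwd=/home/userdirectory/public_html/libraries/joomla/github 3 args: /usr/sbin/sendmail -t -i
2014-01-15 10:02:00 cwd=/etc/cron.daily 3 args: /usr/sbin/sendmail -t -i
2014-01-15 10:02:01 1W3abd-0001xz-Ab <= root@server.test U=root P=local S=400
"""

CWD_RE = re.compile(r"\bcwd=(\S+)")


def count_home_cwds(log_text):
    """Count mail submissions per working directory under /home.

    Equivalent in intent to:
      awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' exim_mainlog | sort | uniq -c
    but matches the cwd= token explicitly instead of relying on field position,
    and only counts directories that really start with /home/.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = CWD_RE.search(line)
        if m and m.group(1).startswith("/home/"):
            counts[m.group(1)] += 1
    return counts


def top_offenders(counts, n=3):
    """Return (directory, count) pairs, busiest first (like reading `sort -n` bottom-up)."""
    return counts.most_common(n)


if __name__ == "__main__":
    counts = count_home_cwds(SAMPLE_MAINLOG)
    for path, n in top_offenders(counts):
        print(f"{n:6d} {path}")
```

Run against the real file with `count_home_cwds(open("/var/log/exim_mainlog").read())`; a directory whose count is orders of magnitude above the others is the one to inspect for a rogue script, which is exactly how the joomla/github path stood out later in this thread.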
     
  4. andrew.whm

    andrew.whm Member


    Dear Michael and Hostripples, thanks for the response.

    Temporarily the problem is solved; even though mail keeps being sent from non-existing users (spamming activity) until now, it gets blocked after setting these two OFF in Exim:

    Trust X-PHP-Script headers to determine the sender of email messages sent from processes running as nobody

    Query Apache server status to determine the sender of email messages sent from processes running as nobody

    Capture attached before/after.

    For Hostripples,
    Here are the results from your scripts:

    Code:
    -bash-3.2# exim -bpr | grep "<*@*>" | awk '{print $4}'|grep -v "<>" | sort | uniq -c | sort -n
    -bash-3.2# awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1
    2 cwd=/home/userdirectory/public_html
    3 cwd=/home/userdirectory/public_html/cgi-bin
    216 cwd=/home/userdirectory/public_html
    93941 cwd=/home/userdirectory/public_html/libraries/joomla/github
    -bash-3.2# ps -C exim -fH ewww | grep home

    Any thought for the result?
     


  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    I suggest investigating the following directory that you referenced in the output of the command:

    /home/userdirectory/public_html/libraries/joomla/github

    Check to see if a script within this directory is being utilized to send out SPAM and then disable/move that directory if necessary, as the output you provided suggests it's sending out a heavy volume of email.

    Thank you.
     
  6. HostingH

    HostingH Well-Known Member

    Hello,

    Yes, as per the result: 93941 cwd=/home/userdirectory/public_html/libraries/joomla/github, it means 93941 mails have been sent from the path /home/userdirectory/public_html/libraries/joomla/github, so there must be a suspicious script which is sending spam mails as the nobody user. Please check it and let us know if you still need any further help.

    Thanks,
     
  7. andrew.whm

    andrew.whm Member

    Hi guys, pardon me for the very late response.

    The problem is completely solved after deleting the file "indexDqSf.php" in the suspicious folder cwd=/home/userdirectory/public_html/libraries/joomla/github, which was created and set to user and group "nobody"; capture attached of the source code of indexDqSf.php.

    Question: What is the use of 'user nobody' in WHM? Thanks.
     


  8. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Dear andrew, do not report posts of your own just because they are being held in moderation. This was explained to you last time in the ticket you opened on same topic.
     
  9. ThinIce

    ThinIce Well-Known Member

    I'd have a read of How to: Prevent Email Abuse if you haven't already. You can branch off from that article to learn about the differences between mod_php and suphp and how you can prevent abuse of the nobody user.

    As well as that, I'd check that the joomla install (and all of its installed modules, extensions, themes etc.) in question is up to date and that any writeable directories are free of other malicious scripts.
     
  10. sahostking

    sahostking Well-Known Member

    Some 3rd party addons also help in stopping outgoing spam. Find one that could be useful and use it. Also use the php mail.log variable to create a log file of the emails sent via the server, and let it email you once it goes above the average amount so you can check if it's spam and from what user.
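As an added example, not from the thread or from PHP's own tooling, the following Python parses lines in the shape PHP writes when php.ini sets mail.log (the line format is assumed here from PHP's mail() logging, and the sample values are constructed), counts mail() calls per script, derives the cPanel account from the /home/<user>/ prefix, and flags scripts that send more than a multiple of the average, which is the alerting sahostking describes.

```python
import re
import statistics
from collections import Counter


def _line(ts, script, lineno, to):
    """Build one constructed php mail.log entry (format assumed: 'mail() on [file:line]: To: ... -- Headers: ...')."""
    return f"[{ts}] mail() on [{script}:{lineno}]: To: {to} -- Headers: From: web@existdomain.test"


# Constructed sample: a contact form sending twice, a rogue script sending six
# times, and another account's newsletter sending once. All paths are placeholders.
SAMPLE_PHP_MAIL_LOG = "\n".join(
    [_line("31-Mar-2014 12:30:01 UTC", "/home/userdirectory/public_html/contact.php", 42, "sales@example.test")] * 2
    + [_line("31-Mar-2014 12:30:05 UTC",
             "/home/userdirectory/public_html/libraries/joomla/github/mailer.php", 7, f"target{i}@example.test")
       for i in range(6)]
    + [_line("31-Mar-2014 12:31:00 UTC", "/home/otheruser/public_html/newsletter.php", 120, "list@example.test")]
)

MAIL_RE = re.compile(r"\] mail\(\) on \[(?P<script>[^:\]]+):(?P<line>\d+)\]: To: (?P<to>\S+)")


def count_by_script(log_text):
    """Number of mail() calls per calling script path."""
    counts = Counter()
    for line in log_text.splitlines():
        m = MAIL_RE.search(line)
        if m:
            counts[m.group("script")] += 1
    return counts


def cpanel_user(script_path):
    """Derive the account name from a /home/<user>/... path; None for anything else."""
    m = re.match(r"^/home/([^/]+)/", script_path)
    return m.group(1) if m else None


def scripts_above_average(counts, factor=1.5):
    """Scripts whose send count exceeds `factor` times the mean over all scripts.

    Returns sorted (script, count, account) tuples; these are the ones worth an alert
    email to the administrator.
    """
    if not counts:
        return []
    mean = statistics.mean(counts.values())
    return sorted(
        (script, n, cpanel_user(script))
        for script, n in counts.items()
        if n > factor * mean
    )


if __name__ == "__main__":
    for script, n, account in scripts_above_average(count_by_script(SAMPLE_PHP_MAIL_LOG)):
        print(f"ALERT {account}: {n} messages from {script}")
```

The php.ini directives involved are `mail.log = /path/to/php_mail.log` (enables this log) and `mail.add_x_header = On` (adds an X-PHP-Originating-Script header to each message, useful when only the delivered mail is available). An average-based threshold is deliberately simple; on a busy server a per-hour window, or a fixed ceiling per account, is a sturdier baseline than the all-time mean.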
     
  11. andrew.whm

    andrew.whm Member

    Dear Infopro, why is every post being held in moderation? Is that just me? This forum should be made more user friendly: if a user like me (a newbie) comes to post/reply, then when finished and automatically redirected again to this thread, it should be made clear that my post is in moderation, so I'm not waiting too long with just a blank and no single reply while I've already written something in reply.

    Thanks
     
  12. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    All new users' posts that contain links or images are moderated. As you become more active, these restrictions are removed. To get around that, keep your posts to text only. As you'll note, the post you just made was not restricted in any way; there were no attachments or links in it. Also, your IP address continues to be flagged at this time because it's been used for spamming by someone at some point.

    These restrictions on new users are intended to keep these forums user friendly, and spam free.


    Please feel free to review this post at your leisure: Forum Best Practices, Rules and Guidelines
     
  13. andrew.whm

    andrew.whm Member

    Okay then, so I could understand now :)
     
  14. andrew.whm

    andrew.whm Member

    Update,

    HELP, my current mail server has another problem with spamming activity; this time thousands of mails are sent as spam from a domain. For example, in WHM there is domain ABC. If previously mail was sent as spam from the nobody user, now mail has been sent from the existing domain ABC, but the "account email" at domain ABC never existed. How to solve this issue? thx b4
     
  15. cPanelPeter

    cPanelPeter Technical Analyst III
    Staff Member

    Hello,

    Have you reviewed the /var/log/exim_mainlog file yet? I suggest you do that to find out where the spam is originating from.
     
  16. andrew.whm

    andrew.whm Member

    Hello,

    Here is an example from exim mainlog:
    Code:
    2014-03-31 12:32:28 1WUUpf-0003Au-3h <= tu(non exist user)@existdomain H=(uzrompkmgaxe) [31.162.xxx.xxx]:4596 P=esmtpa A=dovecot_login:existuser@existdomain S=639 T="" for - Removed List of Emails -
    
    2014-03-31 12:32:32 1WUUpj-0003Au-Iq <= noxicy(non exist user)@existdomain H=(uzrompkmgaxe) [31.162.xxx.xxx]:4596 P=esmtpa A=dovecot_login:existuser@existdomain S=565 T="" for - Removed List of Emails -
    
    =================================================================================================
    My question is, all the email spam is coming from "dovecot_login:existuser@existdomain"; how to check in more depth for this account user? I think the password for that user is leaked, or that user does some spamming activity?
     
    #16 andrew.whm, Mar 31, 2014
    Last edited by a moderator: Apr 1, 2014
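An added example, not from the thread: the "<=" lines quoted above carry everything needed to tell a compromised mailbox from a legitimately busy one. This Python snippet parses constructed lines in the same format (hostnames, IPs and addresses are placeholders) and, for each authenticated login, counts messages, collects client IPs and records envelope senders that differ from the login itself, which is exactly the pattern in the log excerpt (tu@... and noxicy@... both authenticated as existuser).

```python
import re
from collections import defaultdict

# Constructed exim_mainlog "<=" (message received) lines modelled on the
# format quoted in the post above. Two messages are sent from made-up local
# parts via existuser's credentials from one IP, one is existuser's own mail
# from another IP, and one belongs to an unrelated, well-behaved account.
SAMPLE_RECEIVED = """\
2014-03-31 12:32:28 1WUUpf-0003Au-3h <= tu@existdomain.test H=(uzrompkmgaxe) [203.0.113.10]:4596 P=esmtpa A=dovecot_login:existuser@existdomain.test S=639 T="" for victim1@example.test
2014-03-31 12:32:32 1WUUpj-0003Au-Iq <= noxicy@existdomain.test H=(uzrompkmgaxe) [203.0.113.10]:4596 P=esmtpa A=dovecot_login:existuser@existdomain.test S=565 T="" for victim2@example.test
2014-03-31 12:40:00 1WUUxx-0003Bb-Cd <= existuser@existdomain.test H=(workstation) [198.51.100.7]:51022 P=esmtpsa A=dovecot_login:existuser@existdomain.test S=1200 T="Invoice" for client@example.test
2014-03-31 12:41:00 1WUUxy-0003Bc-Ef <= other@otherdomain.test H=(laptop) [198.51.100.8]:51023 P=esmtpsa A=dovecot_login:other@otherdomain.test S=800 T="Hi" for friend@example.test
"""

# timestamp, message id, envelope sender, client IP, authenticator and login name
RECEIVED_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+) .*?"
    r"\[(?P<ip>[^\]]+)\].*? A=(?P<auth>dovecot_\w+):(?P<login>\S+)"
)


def parse_authenticated(log_text):
    """Yield one dict per authenticated submission; lines without A= are skipped."""
    for line in log_text.splitlines():
        m = RECEIVED_RE.search(line)
        if m:
            yield m.groupdict()


def summarise_logins(log_text):
    """Per authenticated login: message count, distinct client IPs, and envelope
    senders that do not match the login (the signature of a stolen password
    being used to relay mail, as in the excerpt above)."""
    summary = defaultdict(lambda: {"messages": 0, "ips": set(), "spoofed_senders": set()})
    for rec in parse_authenticated(log_text):
        entry = summary[rec["login"]]
        entry["messages"] += 1
        entry["ips"].add(rec["ip"])
        if rec["sender"].lower() != rec["login"].lower():
            entry["spoofed_senders"].add(rec["sender"])
    return dict(summary)


def suspicious_logins(log_text, min_spoofed=1):
    """Logins that deserve an immediate password reset: any that submitted mail
    with at least `min_spoofed` envelope senders other than their own address."""
    return sorted(
        login for login, e in summarise_logins(log_text).items()
        if len(e["spoofed_senders"]) >= min_spoofed
    )


if __name__ == "__main__":
    for login, e in summarise_logins(SAMPLE_RECEIVED).items():
        print(f"{login}: {e['messages']} msgs, IPs={sorted(e['ips'])}, spoofed={sorted(e['spoofed_senders'])}")
    print("reset password for:", suspicious_logins(SAMPLE_RECEIVED))
```

On the constructed data existuser shows three messages from two IPs with two foreign envelope senders, while the other account is clean, so only existuser is reported. Legitimate users do occasionally send with a different From address (aliases, forwarders), so treat the spoofed-sender count together with the message rate and the number of client IPs rather than on its own; the remedy in either case is the one cPanelMichael gives next, change the password and confirm the stream stops.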
  17. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    You can try changing the email password and then checking to see if additional SPAM is sent out.

    Thank you.
     
  18. vishnu243

    vishnu243 Registered

    Hi,

    I also have the same problem, but I don't have root access; I have cPanel user access, so can I sort out this spam mail issue?

    I can see a bounce-back error message with script [X-Mailer: PHPMailer 5.2.9 (https://github.com/PHPMailer/PHPMailer/)].

    But I can't find any folders in my cPanel.

    Anybody, could you give us a solution to sort out the issue,

    Thank you guys
     
  19. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    You can try searching each file to see if it's capable of sending out email, but it's likely more easily identified by your web hosting provider if you are able to contact them.

    Thank you.
     