Mail sent as spam from nobody

How to prevent nobody (local user / 127.0.0.1) keep sending non stop mail /SPAM; There are so many email frozen/queue/send by non existing user email account.

Action: already check prevent email from nobody but not solved yet?

Already searching but there still no solution?

 

Dear Michael and Hostripples, thanks for the respons.

Temporary the problem are solved even though keep sending email from non existing user (Spamming activity) until now but get blocked after set OFF on exim this two:

Trust X-PHP-Script headers to determine the sender of email messages sent from processes running as nobody

Query Apache server status to determine the sender of email messages sent from processes running as nobody

Capture attached before/after.

For Hostripples,
Hereis the results from your scripts:

-bash-3.2# exim -bpr | grep "<*@*>" | awk '{print $4}'|grep -v "<>" | sort | uni q -c | sort -n
-bash-3.2# awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mai nlog | sort | uniq -c | sort -nk 1
2 cwd=/home/userdirectory/public_html
3 cwd=/home/userdirectory/public_html/cgi-bin
216 cwd=/home/userdirectory/public_html
93941 cwd=/home/userdirectory/public_html/libraries/joomla/github
-bash-3.2# ps -C exim -fH ewww | grep home

Any thought for the result?

 

Hi guys, pardon me for very late in respon.

The problem is completely solved after delete file "indexDqSf.php" in suspicious folder cwd=/home/userdirectory/public_html/libraries/joomla/github which is created and set to user and group as "nobody", capture attached for the source code indexDqSf.php.


Question: What the used 'user nobody' in whm? Thanks.

 

Dear Infopro Why every post being held in moderation? It's that just me?; this forum should be make more user friendly, if user like me (newbie) came to post/reply when finished / automatic redirect again to this thread should be given attention that my post is in moderation; so I'm not waiting to long just blank no single reply meanwhile I'm already write something to reply.

Thanks

 

Okay then, so I could understand now

 

Update,

HELP, my curent mail server have another problem with spamming activity, this time thounsand mail sent as spam from domain; for example at whm there are domain ABC. If previously mail sent as spam from nobody user, now mail have been sent from exist domain ABC but the "account email" from domain ABC never exist. How to solved this issue? thx b4

 

Hello,

Here is an example from exim mainlog:

Code:

2014-03-31 12:32:28 1WUUpf-0003Au-3h <= tu(non exist user)@existdomain H=(uzrompkmgaxe) [31.162.xxx.xxx]:4596 P=esmtpa A=dovecot_login:existuser@existdomain S=639 T="" for - Removed List of Emails -

2014-03-31 12:32:32 1WUUpj-0003Au-Iq <= noxicy(non exist user)@existdomain H=(uzrompkmgaxe) [31.162.xxx.xxx]:4596 P=esmtpa A=dovecot_login:existuser@existdomain S=565 T="" for - Removed List of Emails -

=================================================================================================

My question is, All the email spam coming from "dovecot_login:existuser@existdomain" how to check more advance for this account user? I think the password for that user is leaked or that user do some spamming activity?