andrew.whm

Member
Dec 29, 2013
7
0
1
cPanel Access Level
Root Administrator
How to prevent nobody (local user / 127.0.0.1) keep sending non stop mail /SPAM; There are so many email frozen/queue/send by non existing user email account.

Action: already check prevent email from nobody but not solved yet?

Already searching but there still no solution?
 

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
47,911
2,234
363
cPanel Access Level
DataCenter Provider
Twitter
Hello :)

I recommend investigating the source of the abusive emails. Look through the mail headers to see if you can determine where they originate so you can take appropriate action.

Note: Please ensure you attach images directly instead of linking to external image hosting websites.

Thank you.
 

HostingH

Well-Known Member
Jan 13, 2008
125
17
68
cPanel Access Level
Root Administrator
Hello,

Need to check mail headers, there you can see more information about the source.
Following commands will help you to find the spammer.

#exim -bpr | grep "<*@*>" | awk '{print $4}'|grep -v "<>" | sort | uniq -c | sort -n
#awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1
#ps -C exim -fH ewww | grep home

Thanks,
 

andrew.whm

Member
Dec 29, 2013
7
0
1
cPanel Access Level
Root Administrator
Hello :)

I recommend investigating the source of the abusive emails. Look through the mail headers to see if you can determine where they originate so you can take appropriate action.

Note: Please ensure you attach images directly instead of linking to external image hosting websites.

Thank you.

Hello,

Need to check mail headers, there you can see more information about the source.
Following commands will help you to find the spammer.

#exim -bpr | grep "<*@*>" | awk '{print $4}'|grep -v "<>" | sort | uniq -c | sort -n
#awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1
#ps -C exim -fH ewww | grep home

Thanks,
Dear Michael and Hostripples, thanks for the respons.

Temporary the problem are solved even though keep sending email from non existing user (Spamming activity) until now but get blocked after set OFF on exim this two:

Trust X-PHP-Script headers to determine the sender of email messages sent from processes running as nobody

Query Apache server status to determine the sender of email messages sent from processes running as nobody

Capture attached before/after.

For Hostripples,
Hereis the results from your scripts:

-bash-3.2# exim -bpr | grep "<*@*>" | awk '{print $4}'|grep -v "<>" | sort | uni q -c | sort -n
-bash-3.2# awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mai nlog | sort | uniq -c | sort -nk 1
2 cwd=/home/userdirectory/public_html
3 cwd=/home/userdirectory/public_html/cgi-bin
216 cwd=/home/userdirectory/public_html
93941 cwd=/home/userdirectory/public_html/libraries/joomla/github
-bash-3.2# ps -C exim -fH ewww | grep home

Any thought for the result?
 

Attachments

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
47,911
2,234
363
cPanel Access Level
DataCenter Provider
Twitter
I suggest investigating the following directory that you referenced in the output of the command:

/home/userdirectory/public_html/libraries/joomla/github

Check to see if a script within this directory is being utilized to send out SPAM and then disable/move that directory if necessary, as the output you provided suggests it's sending out a heavy volume of email.

Thank you.
 

HostingH

Well-Known Member
Jan 13, 2008
125
17
68
cPanel Access Level
Root Administrator
Hello,

Yes, as per the result: 93941 cwd=/home/userdirectory/public_html/libraries/joomla/github, it means 93941 mails has been sent from the path /home/userdirectory/public_html/libraries/joomla/github so there must be a suspicious script which is sending spam mails as nobody user. Please check it and let us know if you still need any further help.

Thanks,
 

andrew.whm

Member
Dec 29, 2013
7
0
1
cPanel Access Level
Root Administrator
Hello,

Yes, as per the result: 93941 cwd=/home/userdirectory/public_html/libraries/joomla/github, it means 93941 mails has been sent from the path /home/userdirectory/public_html/libraries/joomla/github so there must be a suspicious script which is sending spam mails as nobody user. Please check it and let us know if you still need any further help.

Thanks,
I suggest investigating the following directory that you referenced in the output of the command:

/home/userdirectory/public_html/libraries/joomla/github

Check to see if a script within this directory is being utilized to send out SPAM and then disable/move that directory if necessary, as the output you provided suggests it's sending out a heavy volume of email.

Thank you.
Hi guys, pardon me for very late in respon.

The problem is completely solved after delete file "indexDqSf.php" in suspicious folder cwd=/home/userdirectory/public_html/libraries/joomla/github which is created and set to user and group as "nobody", capture attached for the source code indexDqSf.php.


Question: What the used 'user nobody' in whm? Thanks.
 

Attachments

ThinIce

Well-Known Member
Apr 27, 2006
352
9
168
Disillusioned in England
cPanel Access Level
Root Administrator
I'd have a read of How to: Prevent Email Abuse if you haven't already. You can branch off from that article to learn about the differences between mod_php and suphp and how you can prevent abuse of the nobody user.

As well as that, I'd check the joomla install (and all of it's installed modules, extensions, themes etc) in question is up to date and that any writeable directories are free of other malicious scripts.
 

andrew.whm

Member
Dec 29, 2013
7
0
1
cPanel Access Level
Root Administrator
Dear andrew, do not report posts of your own just because they are being held in moderation. This was explained to you last time in the ticket you opened on same topic.
Dear Infopro Why every post being held in moderation? It's that just me?; this forum should be make more user friendly, if user like me (newbie) came to post/reply when finished / automatic redirect again to this thread should be given attention that my post is in moderation; so I'm not waiting to long just blank no single reply meanwhile I'm already write something to reply.

Thanks
 

Infopro

Well-Known Member
May 20, 2003
17,113
507
613
Pennsylvania
cPanel Access Level
Root Administrator
Twitter
All new users posts that contains links or images are are moderated. As you become more active, these restrictions are removed. To get around that, keep your posts to text only. As you'll note, the post you just made, was not restricted in any way, no attachments or links in it. Also, your IP address is continuing to be flagged at this time because it's been used for spamming by someone at some point.

These restrictions on new users are intended to keep these forums user friendly, and spam free.


Please feel free to review this post at your leisure: Forum Best Practices, Rules and Guidelines
 

andrew.whm

Member
Dec 29, 2013
7
0
1
cPanel Access Level
Root Administrator
All new users posts that contains links or images are are moderated. As you become more active, these restrictions are removed. To get around that, keep your posts to text only. As you'll note, the post you just made, was not restricted in any way, no attachments or links in it. Also, your IP address is continuing to be flagged at this time because it's been used for spamming by someone at some point.

These restrictions on new users are intended to keep these forums user friendly, and spam free.


Please feel free to review this post at your leisure: Forum Best Practices, Rules and Guidelines
Okay then, so I could understand now :)
 

andrew.whm

Member
Dec 29, 2013
7
0
1
cPanel Access Level
Root Administrator
Update,

HELP, my curent mail server have another problem with spamming activity, this time thounsand mail sent as spam from domain; for example at whm there are domain ABC. If previously mail sent as spam from nobody user, now mail have been sent from exist domain ABC but the "account email" from domain ABC never exist. How to solved this issue? thx b4
 

andrew.whm

Member
Dec 29, 2013
7
0
1
cPanel Access Level
Root Administrator
Hello,

Have you reviewed the /var/log/exim_mainlog file yet? I suggest you do that to find out where the spam is originating from.
Hello,

Here is an example from exim mainlog:
Code:
2014-03-31 12:32:28 1WUUpf-0003Au-3h <= tu(non exist user)@existdomain H=(uzrompkmgaxe) [31.162.xxx.xxx]:4596 P=esmtpa A=dovecot_login:[email protected] S=639 T="" for - Removed List of Emails -

2014-03-31 12:32:32 1WUUpj-0003Au-Iq <= noxicy(non exist user)@existdomain H=(uzrompkmgaxe) [31.162.xxx.xxx]:4596 P=esmtpa A=dovecot_login:[email protected] S=565 T="" for - Removed List of Emails -

=================================================================================================
My question is, All the email spam coming from "dovecot_login:[email protected]" how to check more advance for this account user? I think the password for that user is leaked or that user do some spamming activity?
 
Last edited by a moderator:

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
47,911
2,234
363
cPanel Access Level
DataCenter Provider
Twitter
My question is, All the email spam coming from "dovecot_login:[email protected]" how to check more advance for this account user? I think the password for that user is leaked or that user do some spamming activity?
You can try changing the email password and then checking to see if additional SPAM is sent out.

Thank you.
 

vishnu243

Registered
Oct 16, 2015
1
0
1
chennai
cPanel Access Level
Website Owner
Hi,

Am also have the same problem but i don't have root access i have the cpanel user access so does i can sort this spam mail issue.

I can see bounce back error message with script [X-Mailer: PHPMailer 5.2.9 (https://github.com/PHPMailer/PHPMailer/)].

but i can't find any folders in my cpanel.

Any buddy could you give us a solution to sort out the issue,

Thank you guys
 

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
47,911
2,234
363
cPanel Access Level
DataCenter Provider
Twitter
You can try searching each file to see if it's capable of sending out email, but it's likely more easily identified by your web hosting provider if you are able to contact them.

Thank you.