Mail sent as spam from nobody

andrew.whm · Jan 15, 2014

How to prevent nobody (local user / 127.0.0.1) keep sending non stop mail /SPAM; There are so many email frozen/queue/send by non existing user email account.

Action: already check prevent email from nobody but not solved yet?

Already searching but there still no solution?

cPanelMichael · Jan 16, 2014

Hello

I recommend investigating the source of the abusive emails. Look through the mail headers to see if you can determine where they originate so you can take appropriate action.

Note: Please ensure you attach images directly instead of linking to external image hosting websites.

Thank you.

HostingH · Jan 16, 2014

Hello,

Need to check mail headers, there you can see more information about the source.
Following commands will help you to find the spammer.

#exim -bpr | grep "<*@*>" | awk '{print $4}'|grep -v "<>" | sort | uniq -c | sort -n
#awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1
#ps -C exim -fH ewww | grep home

Thanks,

andrew.whm · Jan 16, 2014

cPanelMichael said: ↑

Hello

I recommend investigating the source of the abusive emails. Look through the mail headers to see if you can determine where they originate so you can take appropriate action.

Note: Please ensure you attach images directly instead of linking to external image hosting websites.

Thank you.
Click to expand...

Hostripples said: ↑

Hello,

Need to check mail headers, there you can see more information about the source.
Following commands will help you to find the spammer.

#exim -bpr | grep "<*@*>" | awk '{print $4}'|grep -v "<>" | sort | uniq -c | sort -n
#awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1
#ps -C exim -fH ewww | grep home

Thanks,
Click to expand...

Dear Michael and Hostripples, thanks for the respons.

Temporary the problem are solved even though keep sending email from non existing user (Spamming activity) until now but get blocked after set OFF on exim this two:

Trust X-PHP-Script headers to determine the sender of email messages sent from processes running as nobody

Query Apache server status to determine the sender of email messages sent from processes running as nobody

Capture attached before/after.

For Hostripples,
Hereis the results from your scripts:

-bash-3.2# exim -bpr | grep "<*@*>" | awk '{print $4}'|grep -v "<>" | sort | uni q -c | sort -n
-bash-3.2# awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mai nlog | sort | uniq -c | sort -nk 1
2 cwd=/home/userdirectory/public_html
3 cwd=/home/userdirectory/public_html/cgi-bin
216 cwd=/home/userdirectory/public_html
93941 cwd=/home/userdirectory/public_html/libraries/joomla/github
-bash-3.2# ps -C exim -fH ewww | grep home

Any thought for the result?

cPanelMichael · Jan 17, 2014

I suggest investigating the following directory that you referenced in the output of the command:

/home/userdirectory/public_html/libraries/joomla/github

Check to see if a script within this directory is being utilized to send out SPAM and then disable/move that directory if necessary, as the output you provided suggests it's sending out a heavy volume of email.

Thank you.

HostingH · Jan 17, 2014

Hello,

Yes, as per the result: 93941 cwd=/home/userdirectory/public_html/libraries/joomla/github, it means 93941 mails has been sent from the path /home/userdirectory/public_html/libraries/joomla/github so there must be a suspicious script which is sending spam mails as nobody user. Please check it and let us know if you still need any further help.

Thanks,

andrew.whm · Jan 23, 2014

Hostripples said: ↑

Hello,

Yes, as per the result: 93941 cwd=/home/userdirectory/public_html/libraries/joomla/github, it means 93941 mails has been sent from the path /home/userdirectory/public_html/libraries/joomla/github so there must be a suspicious script which is sending spam mails as nobody user. Please check it and let us know if you still need any further help.

Thanks,
Click to expand...

cPanelMichael said: ↑

I suggest investigating the following directory that you referenced in the output of the command:

/home/userdirectory/public_html/libraries/joomla/github

Check to see if a script within this directory is being utilized to send out SPAM and then disable/move that directory if necessary, as the output you provided suggests it's sending out a heavy volume of email.

Thank you.
Click to expand...

Hi guys, pardon me for very late in respon.

The problem is completely solved after delete file "indexDqSf.php" in suspicious folder cwd=/home/userdirectory/public_html/libraries/joomla/github which is created and set to user and group as "nobody", capture attached for the source code indexDqSf.php.

Question: What the used 'user nobody' in whm? Thanks.

Infopro · Jan 23, 2014

Dear andrew, do not report posts of your own just because they are being held in moderation. This was explained to you last time in the ticket you opened on same topic.

ThinIce · Jan 23, 2014

I'd have a read of How to: Prevent Email Abuse if you haven't already. You can branch off from that article to learn about the differences between mod_php and suphp and how you can prevent abuse of the nobody user.

As well as that, I'd check the joomla install (and all of it's installed modules, extensions, themes etc) in question is up to date and that any writeable directories are free of other malicious scripts.

sahostking · Jan 23, 2014

Some 3rd party addons also help in stopping outgoing spam. Find one that could be useful and use it. Also use php mail.log variable to create a log file of the emails sent via server and let it email you once it goes above the average amount so you can check if it's spam and from what user.

andrew.whm · Jan 23, 2014

Infopro said: ↑

Dear andrew, do not report posts of your own just because they are being held in moderation. This was explained to you last time in the ticket you opened on same topic.
Click to expand...

Dear Infopro Why every post being held in moderation? It's that just me?; this forum should be make more user friendly, if user like me (newbie) came to post/reply when finished / automatic redirect again to this thread should be given attention that my post is in moderation; so I'm not waiting to long just blank no single reply meanwhile I'm already write something to reply.

Thanks

Infopro · Jan 23, 2014

All new users posts that contains links or images are are moderated. As you become more active, these restrictions are removed. To get around that, keep your posts to text only. As you'll note, the post you just made, was not restricted in any way, no attachments or links in it. Also, your IP address is continuing to be flagged at this time because it's been used for spamming by someone at some point.

These restrictions on new users are intended to keep these forums user friendly, and spam free.

Please feel free to review this post at your leisure: Forum Best Practices, Rules and Guidelines

andrew.whm · Jan 23, 2014

Infopro said: ↑

All new users posts that contains links or images are are moderated. As you become more active, these restrictions are removed. To get around that, keep your posts to text only. As you'll note, the post you just made, was not restricted in any way, no attachments or links in it. Also, your IP address is continuing to be flagged at this time because it's been used for spamming by someone at some point.

These restrictions on new users are intended to keep these forums user friendly, and spam free.

Please feel free to review this post at your leisure: Forum Best Practices, Rules and Guidelines
Click to expand...

Okay then, so I could understand now

andrew.whm · Mar 30, 2014

Update,

HELP, my curent mail server have another problem with spamming activity, this time thounsand mail sent as spam from domain; for example at whm there are domain ABC. If previously mail sent as spam from nobody user, now mail have been sent from exist domain ABC but the "account email" from domain ABC never exist. How to solved this issue? thx b4

cPanelPeter · Mar 30, 2014

Hello,

Have you reviewed the /var/log/exim_mainlog file yet? I suggest you do that to find out where the spam is originating from.

andrew.whm · Mar 31, 2014

cPanelPeter said: ↑

Hello,

Have you reviewed the /var/log/exim_mainlog file yet? I suggest you do that to find out where the spam is originating from.
Click to expand...

Hello,

Here is an example from exim mainlog:
Code:
2014-03-31 12:32:28 1WUUpf-0003Au-3h <= tu(non exist user)@existdomain H=(uzrompkmgaxe) [31.162.xxx.xxx]:4596 P=esmtpa A=dovecot_login:[email protected] S=639 T="" for - Removed List of Emails -

2014-03-31 12:32:32 1WUUpj-0003Au-Iq <= noxicy(non exist user)@existdomain H=(uzrompkmgaxe) [31.162.xxx.xxx]:4596 P=esmtpa A=dovecot_login:[email protected] S=565 T="" for - Removed List of Emails -

=================================================================================================
My question is, All the email spam coming from "dovecot_login:[email protected]" how to check more advance for this account user? I think the password for that user is leaked or that user do some spamming activity?

cPanelMichael · Apr 4, 2014

andrew.whm said: ↑

My question is, All the email spam coming from "dovecot_login:[email protected]" how to check more advance for this account user? I think the password for that user is leaked or that user do some spamming activity?
Click to expand...

You can try changing the email password and then checking to see if additional SPAM is sent out.

Thank you.

vishnu243 · Oct 16, 2015

Hi,

Am also have the same problem but i don't have root access i have the cpanel user access so does i can sort this spam mail issue.

I can see bounce back error message with script [X-Mailer: PHPMailer 5.2.9 (https://github.com/PHPMailer/PHPMailer/)].

but i can't find any folders in my cpanel.

Any buddy could you give us a solution to sort out the issue,

Thank you guys

cPanelMichael · Oct 21, 2015

You can try searching each file to see if it's capable of sending out email, but it's likely more easily identified by your web hosting provider if you are able to contact them.

Thank you.

Forums

The Community Forums

Interact with an entire community of cPanel & WHM users!

Mail sent as spam from nobody

andrew.whm Member

cPanelMichael Technical Support Community Manager Staff Member

HostingH Well-Known Member

andrew.whm Member

Attached Files:

spamming.JPG

spamming2.JPG

after tweak settings1.JPG

after tweak settings2.JPG

cPanelMichael Technical Support Community Manager Staff Member

HostingH Well-Known Member

andrew.whm Member

Attached Files:

index dot php.JPG

Infopro cPanel Sr. Product Evangelist Staff Member

ThinIce Well-Known Member

sahostking Well-Known Member

andrew.whm Member

Infopro cPanel Sr. Product Evangelist Staff Member

andrew.whm Member

andrew.whm Member

cPanelPeter Technical Analyst III Staff Member

andrew.whm Member

cPanelMichael Technical Support Community Manager Staff Member

vishnu243 Registered

cPanelMichael Technical Support Community Manager Staff Member

Spam email sent and signed by my domain

Emails arrive as spam sent from Webmail

Too many spam emails sent

Spam sent via non-existant email addresses?

All domain emails sent out to spam folder

Share This Page

Useful Searches

The Community Forums

Interact with an entire community of cPanel & WHM users!

Mail sent as spam from nobody

andrew.whm Member

cPanelMichael Technical Support Community Manager Staff Member

HostingH Well-Known Member

andrew.whm Member

Attached Files:

cPanelMichael Technical Support Community Manager Staff Member

HostingH Well-Known Member

andrew.whm Member

Attached Files:

Infopro cPanel Sr. Product Evangelist Staff Member

ThinIce Well-Known Member

sahostking Well-Known Member

andrew.whm Member

Infopro cPanel Sr. Product Evangelist Staff Member

andrew.whm Member

andrew.whm Member

cPanelPeter Technical Analyst III Staff Member

andrew.whm Member

cPanelMichael Technical Support Community Manager Staff Member

vishnu243 Registered

cPanelMichael Technical Support Community Manager Staff Member

Share This Page