Mail Server (EXIM) Someone is sending SPAM and I cannot trac

albertg

Well-Known Member
PartnerNOC
Sep 4, 2002
Hello All,

I have a very, very serious problem here. I would really appreciate any assistance or suggestion. You may contact me at
[email protected]

Someone is sending out a lot of emails from my server (Exim). About 40,000 of them, and most of them to .ru and .ua.

I have tried, but I do not have a clue who he is, whether it is an internal (client) or external spammer.
I have included the mail he is trying to send below. It was obtained from the mail queue (incl. all headers etc.)
17lvXN-0002Yo-00-H
nobody 99 99

1030989777 0
-ident nobody
-received_protocol local
-body_linecount 30
-auth_id nobody
-auth_sender [email protected]
-local
XX
1
[email protected]

154P Received: from nobody by ez1.ezhostings.net with local (Exim 3.35 #1)
id 17lvXN-0002Yo-00
for [email protected]; Mon, 02 Sep 2002 13:02:57 -0500
029T To: [email protected]
010 Subject:
024F From: [email protected]
076 Subject: =?koi8-r?B?9/Ll7fEg9+zh8/T39eX0IO7h5CD38+XtLCDr8u/t5SDt+fPs6Q==?=
038 Date: Mon, 2 Sep 2002 11:42:05 +0400
019 MIME-Version: 1.0
093 Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0010_01C25275.C4587D20"
015 X-Priority: 3
027 X-MSMail-Priority: Normal
013 X-Unsent: 1
058 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
051I Message-Id:


17lvXN-0002Yo-00-D

This is a multi-part message in MIME format.

------=_NextPart_000_0010_01C25275.C4587D20
Content-Type: text/plain;
charset="koi8-r"
Content-Transfer-Encoding: quoted-printable

www.newacropol.ru=20

------=_NextPart_000_0010_01C25275.C4587D20
Content-Type: text/html;
charset="koi8-r"
Content-Transfer-Encoding: quoted-printable

www.newacropol.ru=20

------=_NextPart_000_0010_01C25275.C4587D20--


If you have any idea or suggestion on which area I should look at, please let me know. Any wild suggestion or idea will be very, very much appreciated. It has been 3 days and I am still working on it. Thank you once again.

I have also contacted my distributor and he is confident that it is not a FormMail.pl exploit.
Anyway, I have deleted all previous versions of FormMail except the latest one.

Another thing is that when he starts to SPAM, I notice that this process /usr/local/apache/bin/httpd -DSSL will go very high (owned by nobody) at about 60% CPU usage and it hogs down the whole server.

2. Even if I stop Exim, the mails will still be queuing.

If you want me to provide further information so you can analyse the situation further, please contact me at [email protected]

I will try to get them for you ASAP.

Any help, assistance, suggestion is much appreciated.
Thank You

Albert.
 

albertg

Well-Known Member
PartnerNOC
Sep 4, 2002
I have checked and my server is NOT an open relay.
I did some tests from abuse.net and it said my server is not an open relay.
So, would I be right if I say that the SPAM is deriving from one of my customers?

Thank you, and please suggest any ideas or ways to track him down.
Thank You so much.
 

kwimberl

Well-Known Member
Aug 13, 2001
Yes, it is likely a perl script running from one of your customers. Take a look at the scripts running on your server and at the sendmail / exim processes. Also check your logs. It is most likely sent by sendmail.
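One way to do the check suggested above against queue files like the one albertg posted, as an added example that is not from this thread: it parses the Exim spool -H layout shown in the first post (assuming the conventional Exim spool format; the host, addresses and the SMTP variant are constructed) and groups queued messages by ident and received_protocol, so a pile of entries injected locally by nobody stands out from mail that arrived over SMTP.

```python
# Added example, not from the thread: group Exim spool -H files by origin.
# Layout as in the post: login/uid/gid, <sender>, time, -options, XX tree,
# recipient count + list, blank, length-prefixed headers. Names are constructed.
import re
from collections import Counter
HDR_RE = re.compile(r"^(\d+)([A-Z*]?) (.*)$")  # "<len><flags> <header text>"

SAMPLE_WEB = """17lvXN-0002Yo-00-H
nobody 99 99
<nobody@host.example.invalid>
1030989777 0
-ident nobody
-received_protocol local
-auth_id nobody
-local
XX
1
victim@example.invalid

154P Received: from nobody by host.example.invalid with local (Exim 3.35 #1)
  for victim@example.invalid; Mon, 02 Sep 2002 13:02:57 -0500
"""
# Constructed variant of the same entry as if it had arrived over SMTP.
SAMPLE_SMTP = SAMPLE_WEB.replace("-ident nobody", "-ident mail").replace(
    "_protocol local", "_protocol esmtp")

def parse_spool_h(text):
    lines = text.splitlines()
    opts, i = {}, 4                         # skip id, login line, sender, time
    while lines[i].startswith("-"):         # "-ident nobody", bare "-local", ...
        key, _, val = lines[i][1:].partition(" ")
        opts[key] = val
        i += 1
    while not lines[i].isdigit():           # skip the non-recipient tree ("XX")
        i += 1
    n, headers = int(lines[i]), []
    for line in lines[i + 1 + n:]:          # blank line, then the header block
        m = HDR_RE.match(line)
        if m:
            headers.append(m.group(3))
        elif headers and line.strip():      # folded continuation of last header
            headers[-1] += " " + line.strip()
    return {"login": lines[1].split()[0], "sender": lines[2].strip("<>"),
            "opts": opts, "rcpts": lines[i + 1:i + 1 + n], "headers": headers}

def origin_summary(files):
    """Count messages by (ident, received_protocol): many entries under
    ('nobody', 'local') mean a script run by the web server is injecting."""
    opts = [parse_spool_h(f)["opts"] for f in files]
    return Counter((o.get("ident"), o.get("received_protocol")) for o in opts)
```

Run it over the -H files in the Exim spool input directory; the Received header kept per message also names the originating user and protocol, which is what to pair with the httpd process and access logs when hunting for the script.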
 

albertg

Well-Known Member
PartnerNOC
Sep 4, 2002
I have kinda stopped the SPAM, but I have also stopped (I am not sure what I did) :(

mails being sent out from the httpd process, i.e. mail cannot be sent out via FormMail.pl or any other script that sends mail via the server.

Any assistance?
Can someone please post their default /etc/exim.conf file here so I can check what I have changed.
Please....

Many thanks!
 

furquan

Well-Known Member
Jul 27, 2002
hi albertg

I was also affected by the same problem on one of my servers: a user signed up and immediately started sending thousands of mails. Although I terminated his account within 4 hours of activation, the damage had already been done.

Could you tell me what method you applied or followed, or what changes you made to Exim, so that it does not happen again?

Expecting to hear from you soon.

Regards/-
 

albertg

Well-Known Member
PartnerNOC
Sep 4, 2002
Please check exim.org and add additional commands that will improve the 'checks' Exim does before a mail is sent out.
 

hostbet

Well-Known Member
Aug 13, 2001
Originally posted by albertg
Please check exim.org and add additional commands that will improve the 'checks' Exim does before a mail is sent out.

That is not helping us who have the same problem.
Can you tell us what steps to take now that you know?

thanks
 

tonyxp

Member
Feb 10, 2004
Originally posted by albertg
Please check exim.org and add additional commands that will improve the 'checks' Exim does before a mail is sent out.
Would you share what you have found?