The Community Forums


Mail Server (EXIM) Someone is sending SPAM and i cannot trac

Discussion in 'E-mail Discussions' started by albertg, Sep 5, 2002.

  1. albertg

    Hello All,

    I have a very, very serious problem here. I would really appreciate any assistance or suggestion. You may contact me at
    myxoxo@netspace.net.au.

    Someone is sending out a lot of emails from my server (exim), about 40,000 of them, and most of them to .ru and .ua.

    I have tried, but I do not have a clue who he is, whether it is an internal (client) or external spammer.
    I have included the mail he is trying to send below. It was obtained from the mail queue (including all headers, etc.):
    17lvXN-0002Yo-00-H
    nobody 99 99

    1030989777 0
    -ident nobody
    -received_protocol local
    -body_linecount 30
    -auth_id nobody
    -auth_sender nobody@ez1.ezhostings.net
    -local
    XX
    1
    alexsander@ic.dcn-asu.ru

    154P Received: from nobody by ez1.ezhostings.net with local (Exim 3.35 #1)
    id 17lvXN-0002Yo-00
    for alexsander@ic.dcn-asu.ru; Mon, 02 Sep 2002 13:02:57 -0500
    029T To: alexsander@ic.dcn-asu.ru
    010 Subject:
    024F From: konkurs-na@nm.ru
    076 Subject: =?koi8-r?B?9/Ll7fEg9+zh8/T39eX0IO7h5CD38+XtLCDr8u/t5SDt+fPs6Q==?=
    038 Date: Mon, 2 Sep 2002 11:42:05 +0400
    019 MIME-Version: 1.0
    093 Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0010_01C25275.C4587D20"
    015 X-Priority: 3
    027 X-MSMail-Priority: Normal
    013 X-Unsent: 1
    058 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
    051I Message-Id:


    17lvXN-0002Yo-00-D

    This is a multi-part message in MIME format.

    ------=_NextPart_000_0010_01C25275.C4587D20
    Content-Type: text/plain;
    charset="koi8-r"
    Content-Transfer-Encoding: quoted-printable

    www.newacropol.ru=20

    ------=_NextPart_000_0010_01C25275.C4587D20
    Content-Type: text/html;
    charset="koi8-r"
    Content-Transfer-Encoding: quoted-printable

    www.newacropol.ru=20

    ------=_NextPart_000_0010_01C25275.C4587D20--


    If you have any idea or suggestion on which area I should look at, please let me know. Any wild suggestion or idea will be very, very much appreciated. It has been 3 days and I am still working on it. Thank you once again.

    I have also contacted my distributor and he is confident that it is not a Formmail.pl exploit.
    Anyway, I have deleted all previous versions of formmail except the latest one.

    Another thing is that when he starts to SPAM, I notice that this process, /usr/local/apache/bin/httpd -DSSL, goes very high (owned by nobody) at about 60% CPU usage and it hogs down the whole server.

    2. Even if I stop exim, the mails will still be queuing.

    If you want me to provide further information so you can analyse the situation further, please contact me at myxoxo@netspace.net.au.

    I will try to get them for you asap.

    Any help, assistance, suggestion is much appreciated.
    Thank You

    Albert.
     
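The spool file quoted in the post above is an Exim 3 "-H" (header) file, and its envelope options already say who handed the message to Exim: "-received_protocol local" plus "-ident nobody" means it was injected locally by the user httpd runs as, i.e. by a web script, not by a remote relay. The following parser, an added example that is not Exim or cPanel code, reads such a file and classifies the injector; WEB_USERS and the fixture's sender line (lost from the post) are assumptions.

```python
# Parser for an Exim 3 spool header (-H) file like the one quoted above,
# reporting who injected the message.  Added example, not Exim/cPanel code.
import re

WEB_USERS = {"nobody"}  # assumed: user httpd (and so any web script) runs as
# Constructed fixture: trimmed copy of the -H file in the first post; the
# sender line (<...>) was lost from the post, so a placeholder is used.
SAMPLE_H = """17lvXN-0002Yo-00-H
nobody 99 99
<nobody@ez1.ezhostings.net>
1030989777 0
-ident nobody
-received_protocol local
-auth_sender nobody@ez1.ezhostings.net
XX
1
alexsander@ic.dcn-asu.ru

154P Received: from nobody by ez1.ezhostings.net with local (Exim 3.35 #1)
\tid 17lvXN-0002Yo-00
024F From: konkurs-na@nm.ru
"""

HEADER_RE = re.compile(r"^\d{3}[A-Z*]? (.*)$")  # "024F From: ..." lines

def parse_spool_header(text):
    lines = text.splitlines()
    login = lines[1].split()[0]            # Unix user that called sendmail
    options, i = {}, 4
    while lines[i].startswith("-"):        # "-key value" envelope options
        key, _, value = lines[i][1:].partition(" ")
        options[key] = value
        i += 1
    i += 1                                 # "XX": empty non-recipient tree
    n = int(lines[i]); i += 1
    recipients = lines[i:i + n]; i += n + 1   # recipients, then blank line
    headers = []
    for line in lines[i:]:
        if line[:1] in (" ", "\t") and headers:   # folded continuation
            headers[-1] = (headers[-1][0], headers[-1][1] + " " + line.strip())
        elif (m := HEADER_RE.match(line)):
            name, _, value = m.group(1).partition(":")
            headers.append((name.strip(), value.strip()))
    return {"id": lines[0][:-2], "login": login, "sender": lines[2].strip("<>"),
            "options": options, "recipients": recipients, "headers": headers}

def injection_source(msg):
    """Classify the injector: web script, other local user, or remote host."""
    if msg["options"].get("received_protocol") == "local":
        user = msg["options"].get("ident", msg["login"])
        return ("web-script" if user in WEB_USERS else "local-user", user)
    return ("remote", msg["options"].get("host_address", "unknown"))
```

Running it over every *-H file in the spool directory and counting by injector would show at a glance whether the 40,000 queued messages all come from the web server user, which points at a script under one of the hosted accounts rather than at an open relay.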
  2. albertg

    I have checked and my server is NOT an open relay.
    I did some tests from abuse.net and it said my server is not an open relay.
    So, would I be right if I say that the SPAM is deriving from one of my customers?

    Thank You..and please suggest any idea or ways to track him down.
    Thank You so much.
     
  3. kwimberl

    Yes, it is likely a perl script running from one of your customers. Take a look at the scripts running on your server and at the sendmail / exim processes. Also check your logs. It is most likely sent by sendmail.
     
  4. albertg

    I have kinda stopped the SPAM, but I have also stopped (I'm not sure what I did) :(

    mails from being sent out from the httpd process, i.e. mail cannot be sent out via FormMail.pl or any other script that sends mail via the server.

    Any assistance?
    Can someone... pls pls pls... post their default /etc/exim.conf file here so I can check what I have changed.
    Please....

    Many thanks!
     
  5. albertg

    That problem has been fixed!
    Thanks all!
     
  6. furquan

    Hi albertg,

    I was also affected by the same problem on one of my servers: a user signed up and immediately started sending thousands of mails. Although I terminated his account within 4 hours of activation, the damage had already been done.

    Could you tell me what method you applied or followed, or what changes you made to exim, so that it does not happen again?

    Expecting to hear from you soon.

    Regards/-
     
  7. albertg

    Please check exim.org and add additional commands that will improve the 'checks' exim does before a mail is sent out.
     
  8. hostbet

    Originally posted by albertg:

    > please check exim.org and add additional command that will improve the 'checks' exim does before a mail is being sent out.

    That is not helping those of us who have the same problem.
    Can you tell us what steps to take now that you know?

    thanks
     
  9. LinuxFreaky

    I'm interested in this as well. Does anyone know what the extra check commands are that I can configure into Exim?
     
  10. tonyxp

    Would you share what you have found?
     