Hello All,
I have a very very serious problem here. Would really appreciate any assistance or suggestion. You may contact me at
[email protected]
Someone is sending out a lot of emails from my server (exim). About 40,000 of them, and most of them to .ru and .ua.
I have tried, but I do not have a clue who he is, whether it is an internal (client) or external spammer.
I have included the mail he is trying to send below. It was obtained from the mail queue (incl. all headers etc.).
17lvXN-0002Yo-00-H
nobody 99 99
1030989777 0
-ident nobody
-received_protocol local
-body_linecount 30
-auth_id nobody
-auth_sender [email protected]
-local
XX
1
[email protected]
154P Received: from nobody by ez1.ezhostings.net with local (Exim 3.35 #1)
id 17lvXN-0002Yo-00
for [email protected]; Mon, 02 Sep 2002 13:02:57 -0500
029T To: [email protected]
010 Subject:
024F From: [email protected]
076 Subject: =?koi8-r?B?9/Ll7fEg9+zh8/T39eX0IO7h5CD38+XtLCDr8u/t5SDt+fPs6Q==?=
038 Date: Mon, 2 Sep 2002 11:42:05 +0400
019 MIME-Version: 1.0
093 Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0010_01C25275.C4587D20"
015 X-Priority: 3
027 X-MSMail-Priority: Normal
013 X-Unsent: 1
058 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
051I Message-Id:
17lvXN-0002Yo-00-D
This is a multi-part message in MIME format.
------=_NextPart_000_0010_01C25275.C4587D20
Content-Type: text/plain;
charset="koi8-r"
Content-Transfer-Encoding: quoted-printable
www.newacropol.ru=20
------=_NextPart_000_0010_01C25275.C4587D20
Content-Type: text/html;
charset="koi8-r"
Content-Transfer-Encoding: quoted-printable
www.newacropol.ru=20
------=_NextPart_000_0010_01C25275.C4587D20--
If you have any idea or suggestion on which area I should look at, please let me know. Any wild suggestion or idea will be very very much appreciated. It has been 3 days and I am still working on it. Thank you once again.
I have also contacted my distributor and he is confident that it is not a Formmail.pl exploit.
Anyway, I have deleted all previous versions of formmail except the latest one.
Another thing is that when he starts to spam, I notice that this process /usr/local/apache/bin/httpd -DSSL goes very high (owned by nobody) at about 60% CPU usage and it hogs down the whole server.
2. Even if I stop exim, the mails will still be queueing.
If you want me to provide further information so you can analyse the situation further, please contact me at [email protected]
I will try to get them for you ASAP.
Any help, assistance, suggestion is much appreciated.
Thank You
Albert.
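One way to read the queued message above, as an added example that is not part of Albert's post: the parser follows the Exim 3 -H spool layout he pasted (message id, injecting user, "-option" lines, recipient count and list, length-prefixed headers) and reports that a message with -received_protocol local injected as the web-server user entered through the local sendmail interface, not over SMTP, which points at scripts run by httpd rather than at relaying. The spool text and addresses below are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the layout of the Exim 3 -H spool file quoted in the post;
# the addresses are invented, the injecting user and protocol follow the post.
SPOOL_H = """17lvXN-0002Yo-00-H
nobody 99 99
1030989777 0
-ident nobody
-received_protocol local
-auth_id nobody
XX
2
victim1@example.ru
victim2@example.ua

154P Received: from nobody by ez1.example.net with local (Exim 3.35 #1)
\tid 17lvXN-0002Yo-00
"""
WEB_USERS = {"nobody", "www-data", "apache"}       # accounts a web server runs scripts as
HDR = re.compile(r"^(\d{3})([A-Z*]?) (.*)$")        # "154P Received: ..." = length, type, text

def parse_spool_h(text):
    """Return id, injecting user, option dict, recipients and headers of an Exim -H file."""
    lines, opts, i = text.splitlines(), {}, 3
    while lines[i].startswith("-"):                 # "-name [value]" option lines
        name, _, value = lines[i][1:].partition(" ")
        opts[name], i = value or True, i + 1
    while not lines[i].isdigit():                   # skip the non-recipient tree ("XX")
        i += 1
    n = int(lines[i])                               # number of recipients that follow
    headers = []
    for line in lines[i + 1 + n:]:
        m = HDR.match(line)
        if m:
            name, _, value = m.group(3).partition(":")
            headers.append((name.strip(), value.strip()))
        elif headers and line.strip():              # continuation line of previous header
            headers[-1] = (headers[-1][0], headers[-1][1] + " " + line.strip())
    return {"id": lines[0], "user": lines[1].split()[0], "options": opts,
            "recipients": lines[i + 1:i + 1 + n], "headers": headers}

def triage(msg):
    """Say how the message entered Exim and count destination TLDs."""
    findings = []
    if msg["options"].get("received_protocol") == "local" and msg["user"] in WEB_USERS:
        findings.append(f"injected through the local sendmail interface as {msg['user']!r}: "
                        "check scripts run by the web server rather than SMTP relaying")
    tlds = Counter(r.rsplit(".", 1)[-1].lower() for r in msg["recipients"])
    return findings, tlds
```

Running triage over every -H file in the queue directory and tallying the findings and TLDs shows at a glance which messages were injected locally as nobody and where they are addressed.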