
mass mail!!! HELP

Discussion in 'E-mail Discussion' started by SetLar8, Jan 14, 2006.

  1. SetLar8

    SetLar8 Well-Known Member

    Joined:
    Mar 5, 2004
    Messages:
    60
    Likes Received:
    0
    Trophy Points:
    156
    Hi, someone on my server is sending out mass mail which is slowing my server right down.

    All I can see in the CPU usage section is hundreds of the following process:

    18284 mailnull 0 0.0 0.4 /usr/sbin/exim -Mc 1ExvkC-0004kd-C9


    How can I find out what account is sending this mail?

    Thanks.
     
  2. SetLar8

    SetLar8 Well-Known Member

    Joined:
    Mar 5, 2004
    Messages:
    60
    Likes Received:
    0
    Trophy Points:
    156
    Hi, I'm still having this problem. Please see the attached text file for a full rundown of the server load.

    Any help on stopping this is appreciated.

    Thanks
     
    #2 SetLar8, Jan 14, 2006
    Last edited: Oct 7, 2006
  3. SetLar8

    SetLar8 Well-Known Member

    Joined:
    Mar 5, 2004
    Messages:
    60
    Likes Received:
    0
    Trophy Points:
    156
    Hi, I'm having the same problem, only I cannot find the user that is sending the mail.

    I have looked through the logs and all I can see is user=nobody.

    How can I find out which account is sending the mail?

    Thanks.
     
  4. MattGetWeb

    MattGetWeb Well-Known Member

    Joined:
    Aug 4, 2005
    Messages:
    49
    Likes Received:
    0
    Trophy Points:
    156
    Well, there are a few ways.

    First - look at the obvious. If someone is abusing one of your customer's contact/feedback forms, look at the addresses on the outgoing mail. Do they all include a recipient like 'info@oneofyourdomains.com'? Chances are, that's your culprit, because the form is also hardcoded to include your customer as a recipient.

    If they are abusing some other kind of form, you might be able to do some other investigating. Issue this command - grep 'cwd=' /var/log/exim_mainlog . If your logging allows it*, you should see a great deal of output. I'd be suspicious of a lot of anything that appears to point at /home (i.e. here's a legitimate one from one of my customer's forms - "2006-02-14 11:33:50 cwd=/home/betterhm/public_html 3 args: /usr/sbin/sendmail -t -i").

    Hopefully one of these two should get you some results.

    * You may need to increase the logging of exim. WHM -> Service Configuration -> Exim Configuration Editor -> Advanced Mode. In the VERY TOP box, add "log_selector = +all" (without the quotes) and save.
     
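The grep above quickly becomes unreadable on a busy server, because exim logs a "cwd=" line for its own queue runner (cwd=/var/spool/exim) every time it re-invokes itself. The script below is an added example, not code from the thread or from cPanel: it tallies the cwd= entries by directory, drops exim's own spool entries, and lists the /home paths that invoked sendmail, which are the form scripts worth inspecting. It assumes the exim_mainlog format shown in the thread with log_selector = +all enabled; the sample log lines, the /home/example path and the message IDs are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): summarise exim_mainlog "cwd=" entries
# to find which directory a script-sent flood of mail is coming from.
# Requires the extra logging from "log_selector = +all" so that exim records
# the working directory and arguments of every local submission.

# Constructed sample in exim_mainlog format. The /home/example path and the
# message IDs are invented; only the line layout matches a real log.
SAMPLE_LOG="${TMPDIR:-/tmp}/exim_mainlog.sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2006-02-14 03:16:25 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qfv-0004tm-D4
2006-02-14 03:16:26 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:26 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qfw-0004ts-Gz
2006-02-14 03:16:27 cwd=/home/example/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:27 cwd=/home/example/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:28 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:28 cwd=/home/example/public_html/contact 3 args: /usr/sbin/sendmail -t -i
EOF

# Print "count directory" pairs, busiest first. Entries for /var/spool/exim are
# exim re-invoking itself for delivery (-Mc) or bounces (-E...), not a sender,
# so they are filtered out to leave only the processes that submitted mail.
cwd_summary() {
    grep -o 'cwd=[^ ]*' "$1" \
        | sed 's/^cwd=//' \
        | grep -v '^/var/spool/exim$' \
        | sort | uniq -c | sort -rn
}

# Number of submissions from one exact directory ($2) in log file $1.
# -F treats the path as a fixed string so dots in real paths are not wildcards;
# the trailing space stops "cwd=/" from also matching "cwd=/var/...".
cwd_count() {
    grep -cF "cwd=$2 " "$1" || :
}

# Distinct directories under /home that ran sendmail/exim: each one maps
# straight to a cPanel account and a script to go and look at.
home_senders() {
    grep -o 'cwd=/home/[^ ]*' "$1" | sed 's/^cwd=//' | sort -u
}

# Stand-alone run against the constructed sample. On a real server, replace
# "$SAMPLE_LOG" with /var/log/exim_mainlog.
echo "Submissions per working directory:"
cwd_summary "$SAMPLE_LOG"
echo
echo "Account directories that submitted mail:"
home_senders "$SAMPLE_LOG"
```

When the summary is dominated by cwd=/ rather than a /home path, the script was started from the root directory and the working directory alone will not tell you which account owns it; that is the situation in the grep output posted later in this thread, and it is why running PHP as the account user (the phpsuexec suggestion below) is needed to get a usable user= field in the log.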
  5. SetLar8

    SetLar8 Well-Known Member

    Joined:
    Mar 5, 2004
    Messages:
    60
    Likes Received:
    0
    Trophy Points:
    156
    Exim statistics from 2006-02-12 04:20:30 to 2006-02-14 03:09:39

    Grand total summary
    -------------------
    At least one address
    TOTAL Volume Messages Hosts Delayed Failed
    Received 95MB 22758 347 7379 32.4% 12976 57.0%
    Delivered 55MB 18780 1898

    Deliveries by transport
    -----------------------
    Volume Messages
    boxtrapper_autowhitelist 340KB 269
    local_delivery 42MB 432
    mailman_virtual_transport 342 1
    remote_smtp 12MB 18000
    virtual_userdelivery 1331KB 78

    Messages received per hour (each dot is 84 messages)
    ----------------------------------------------------

    00-01 3954 ...............................................
    01-02 2805 .................................
    02-03 2151 .........................
    03-04 598 .......
    04-05 297 ...
    05-06 419 ....
    06-07 510 ......
    07-08 278 ...
    08-09 343 ....
    09-10 362 ....
    10-11 379 ....
    11-12 406 ....
    12-13 347 ....
    13-14 340 ....
    14-15 270 ...
    15-16 301 ...
    16-17 226 ..
    17-18 306 ...
    18-19 164 .
    19-20 142 .
    20-21 159 .
    21-22 183 ..
    22-23 3613 ...........................................
    23-24 4205 ..................................................

    Deliveries per hour (each dot is 45 deliveries)
    -----------------------------------------------

    00-01 2211 .................................................
    01-02 1439 ...............................
    02-03 307 ......
    03-04 122 ..
    04-05 543 ............
    05-06 860 ...................
    06-07 1035 .......................
    07-08 508 ...........
    08-09 703 ...............
    09-10 734 ................
    10-11 758 ................
    11-12 773 .................
    12-13 688 ...............
    13-14 612 .............
    14-15 513 ...........
    15-16 536 ...........
    16-17 367 ........
    17-18 598 .............
    18-19 316 .......
    19-20 237 .....
    20-21 338 .......
    21-22 375 ........
    22-23 1941 ...........................................
    23-24 2266 ..................................................


    This is far too many and must be a spammer. I have tried your tips above but cannot find the account that is sending the emails; it just comes up with nothing.

    I really need help finding this person.
     
  6. SetLar8

    SetLar8 Well-Known Member

    Joined:
    Mar 5, 2004
    Messages:
    60
    Likes Received:
    0
    Trophy Points:
    156
    OK, now all I get when I run "grep 'cwd=' /var/log/exim_mainlog" is:


    2006-02-14 03:16:25 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qfv-0004tm-D4
    2006-02-14 03:16:26 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qfw-0004ts-Gz
    2006-02-14 03:16:26 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:26 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qfw-0004tt-PW
    2006-02-14 03:16:26 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qfw-0004ts-Gz
    2006-02-14 03:16:27 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qfy-0004ty-8I
    2006-02-14 03:16:27 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:27 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qfy-0004ty-8I
    2006-02-14 03:16:28 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qfy-0004u2-M2
    2006-02-14 03:16:28 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qfz-0004u4-Gz
    2006-02-14 03:16:28 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:29 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qfz-0004u4-Gz
    2006-02-14 03:16:29 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qfz-0004u5-KY
    2006-02-14 03:16:30 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qg0-0004uA-T9
    2006-02-14 03:16:30 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:30 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qg0-0004uA-T9
    2006-02-14 03:16:30 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qg1-0004uB-9X
    2006-02-14 03:16:31 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qg2-0004uG-D9
    2006-02-14 03:16:31 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:31 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qg2-0004uH-Fj
    2006-02-14 03:16:31 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qg2-0004uG-D9
    2006-02-14 03:16:32 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qg3-0004uM-Df
    2006-02-14 03:16:32 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:32 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qg3-0004uM-Df
    2006-02-14 03:16:33 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qg3-0004uS-W1
    2006-02-14 03:16:34 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qg4-0004uU-Bk
    2006-02-14 03:16:34 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:34 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qg4-0004uV-J5
    2006-02-14 03:16:34 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qg4-0004uU-Bk
    2006-02-14 03:16:38 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qg6-0004ua-2I
    2006-02-14 03:16:38 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:38 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qg6-0004ua-2I
    2006-02-14 03:16:38 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qg6-0004ue-BH
    2006-02-14 03:16:38 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgA-0004ug-6o
    2006-02-14 03:16:38 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:38 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgA-0004ug-6o
    2006-02-14 03:16:39 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgA-0004uh-GG
    2006-02-14 03:16:39 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgA-0004um-QU
    2006-02-14 03:16:39 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:39 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgA-0004un-RO
    2006-02-14 03:16:39 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgA-0004um-QU
    2006-02-14 03:16:40 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgB-0004us-KZ
    2006-02-14 03:16:40 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:40 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgB-0004uw-Qv
    2006-02-14 03:16:40 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgB-0004us-KZ
    2006-02-14 03:16:41 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgC-0004uy-AE
    2006-02-14 03:16:41 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:41 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgC-0004uy-AE
    2006-02-14 03:16:41 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgC-0004v0-HD
    2006-02-14 03:16:41 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgD-0004v4-9p
    2006-02-14 03:16:41 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:42 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgD-0004v5-CP
    2006-02-14 03:16:42 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgD-0004v4-9p
    2006-02-14 03:16:43 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgE-0004vF-9y
    2006-02-14 03:16:43 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgD-0004vB-Tv
    2006-02-14 03:16:43 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:43 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgD-0004vB-Tv
    2006-02-14 03:16:44 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgF-0004vK-8p
    2006-02-14 03:16:44 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:44 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgF-0004vL-D7
    2006-02-14 03:16:44 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgF-0004vK-8p
    2006-02-14 03:16:44 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgG-0004vN-2r
    2006-02-14 03:16:44 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:45 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgG-0004vR-Ah
    2006-02-14 03:16:45 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgG-0004vN-2r
    2006-02-14 03:16:45 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgG-0004vT-TO
    2006-02-14 03:16:45 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:46 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgH-0004vV-8c
    2006-02-14 03:16:46 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgG-0004vT-TO
    2006-02-14 03:16:47 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgH-0004va-WB
    2006-02-14 03:16:47 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:47 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgH-0004va-WB
    2006-02-14 03:16:47 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgI-0004ve-KP
    2006-02-14 03:16:47 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgJ-0004vg-7n
    2006-02-14 03:16:47 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:48 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgJ-0004vh-B3
    2006-02-14 03:16:48 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgJ-0004vg-7n
    2006-02-14 03:16:48 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgJ-0004vm-Rw
    2006-02-14 03:16:48 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:48 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgK-0004vo-57
    2006-02-14 03:16:49 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgJ-0004vm-Rw
    2006-02-14 03:16:50 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgK-0004vs-OY
    2006-02-14 03:16:50 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:50 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgK-0004vs-OY
    2006-02-14 03:16:50 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgL-0004vw-1n
    2006-02-14 03:16:51 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgM-0004w1-7L
    2006-02-14 03:16:52 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgM-0004vy-3p
    2006-02-14 03:16:52 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:53 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgM-0004vy-3p
    2006-02-14 03:16:57 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgO-0004w7-Cu
    2006-02-14 03:16:57 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:57 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgO-0004w7-Cu
    2006-02-14 03:16:58 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgP-0004wB-3A
    2006-02-14 03:16:58 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgT-0004wF-PC
    2006-02-14 03:16:59 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgT-0004wE-Kn
    2006-02-14 03:16:59 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:59 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgT-0004wE-Kn
    2006-02-14 03:17:02 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgV-0004wO-VO
    2006-02-14 03:17:02 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgV-0004wL-Fn
    2006-02-14 03:17:02 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:17:03 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgV-0004wL-Fn
    2006-02-14 03:17:05 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgZ-0004wX-GB
    2006-02-14 03:17:05 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:17:05 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgY-0004wV-T1
    2006-02-14 03:17:07 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgb-0004wb-Vg
    2006-02-14 03:17:07 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:17:07 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgb-0004wb-Vg
    2006-02-14 03:17:07 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgY-0004wV-T1
    2006-02-14 03:17:07 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgd-0004wg-3C
    2006-02-14 03:17:08 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgd-0004wi-Dv
    2006-02-14 03:17:08 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgd-0004wg-3C
    2006-02-14 03:17:08 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgd-0004wh-Bi
    2006-02-14 03:17:11 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qge-0004wm-Ba
    2006-02-14 03:17:14 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:17:15 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgk-0004wy-KF
    2006-02-14 03:17:15 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:17:15 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgk-0004wy-KF




    There has to be something I can do. Please, I need to find this person.
     
  7. MattGetWeb

    MattGetWeb Well-Known Member

    Joined:
    Aug 4, 2005
    Messages:
    49
    Likes Received:
    0
    Trophy Points:
    156
    I think you are going to have to give us some more information. Can you post a (not too huge) chunk of some of exim_mainlog that shows some of these spams being sent? Hopefully you have the logging at maximum as I suggested above.
     
  8. WestBend

    WestBend Well-Known Member

    Joined:
    Oct 12, 2003
    Messages:
    173
    Likes Received:
    0
    Trophy Points:
    166
    Switch on phpsuexec for a day.
     