
mass mail!!! HELP

Discussion in 'E-mail Discussions' started by SetLar8, Jan 14, 2006.

  1. SetLar8

    SetLar8 Well-Known Member

    Joined:
    Mar 5, 2004
    Messages:
    60
    Likes Received:
    0
    Trophy Points:
    6
    Hi, someone on my server is sending out mass mail which is slowing my server right down.

    All I can see in the CPU usage section is 100s of the following process:

    18284 mailnull 0 0.0 0.4 /usr/sbin/exim -Mc 1ExvkC-0004kd-C9


    How can I find out what account is sending this mail?

    Thanks.
     
  2. SetLar8

    Hi, I'm still having this problem. Please see the attached text file for a full rundown of the server load.

    Any help on stopping this is appreciated.

    Thanks
     
    #2 SetLar8, Jan 14, 2006
    Last edited: Oct 7, 2006
  3. SetLar8

    Hi, I'm having the same problem, only I cannot find the user that is sending the mail.

    I have looked through the logs and all I can see is user=nobody.

    How can I find out which account is sending the mail?

    Thanks.
     
  4. MattGetWeb

    MattGetWeb Well-Known Member

    Joined:
    Aug 4, 2005
    Messages:
    49
    Likes Received:
    0
    Trophy Points:
    6
    Well, there's a few ways.

    First - look at the obvious. If someone is abusing one of your customer's contact/feedback forms, look at the addresses on the outgoing mail. Do they all include a recipient like 'info@oneofyourdomains.com' ? Chances are, that's your culprit because the form is also hardcoded to include your customer as a recipient.

    If they are abusing some other kind of form, you might be able to do some other investigating. Issue this command: grep 'cwd=' /var/log/exim_mainlog . If your logging allows it*, you should see a great deal of output. I'd be suspicious of a lot of anything that appears to point at /home (i.e. here's a legitimate one from one of my customer's forms - "2006-02-14 11:33:50 cwd=/home/betterhm/public_html 3 args: /usr/sbin/sendmail -t -i").

    Hopefully one of these two should get you some results.

    * You may need to increase the logging of exim. WHM -> Service Configuration -> Exim Configuration Editor -> Advanced Mode. In the VERY TOP box, add "log_selector = +all" (without the quotes) and save.
     
  5. SetLar8

    Exim statistics from 2006-02-12 04:20:30 to 2006-02-14 03:09:39

    Grand total summary
    -------------------
                                          At least one address
      TOTAL    Volume  Messages  Hosts   Delayed        Failed
    Received     95MB     22758    347   7379 32.4%   12976 57.0%
    Delivered    55MB     18780   1898

    Deliveries by transport
    -----------------------
    Volume Messages
    boxtrapper_autowhitelist 340KB 269
    local_delivery 42MB 432
    mailman_virtual_transport 342 1
    remote_smtp 12MB 18000
    virtual_userdelivery 1331KB 78

    Messages received per hour (each dot is 84 messages)
    ----------------------------------------------------

    00-01 3954 ...............................................
    01-02 2805 .................................
    02-03 2151 .........................
    03-04 598 .......
    04-05 297 ...
    05-06 419 ....
    06-07 510 ......
    07-08 278 ...
    08-09 343 ....
    09-10 362 ....
    10-11 379 ....
    11-12 406 ....
    12-13 347 ....
    13-14 340 ....
    14-15 270 ...
    15-16 301 ...
    16-17 226 ..
    17-18 306 ...
    18-19 164 .
    19-20 142 .
    20-21 159 .
    21-22 183 ..
    22-23 3613 ...........................................
    23-24 4205 ..................................................

    Deliveries per hour (each dot is 45 deliveries)
    -----------------------------------------------

    00-01 2211 .................................................
    01-02 1439 ...............................
    02-03 307 ......
    03-04 122 ..
    04-05 543 ............
    05-06 860 ...................
    06-07 1035 .......................
    07-08 508 ...........
    08-09 703 ...............
    09-10 734 ................
    10-11 758 ................
    11-12 773 .................
    12-13 688 ...............
    13-14 612 .............
    14-15 513 ...........
    15-16 536 ...........
    16-17 367 ........
    17-18 598 .............
    18-19 316 .......
    19-20 237 .....
    20-21 338 .......
    21-22 375 ........
    22-23 1941 ...........................................
    23-24 2266 ..................................................


    This is far too many and must be a spammer. I have tried your tips above but cannot find the account that is sending the emails; it just comes up with nothing.

    I really need help finding this person.
     
  6. SetLar8

    OK, now all I get when I run "grep 'cwd=' /var/log/exim_mainlog" is:

    2006-02-14 03:16:25 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qfv-0004tm-D4
    2006-02-14 03:16:26 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qfw-0004ts-Gz
    2006-02-14 03:16:26 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:26 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qfw-0004tt-PW
    2006-02-14 03:16:26 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qfw-0004ts-Gz
    2006-02-14 03:16:27 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qfy-0004ty-8I
    2006-02-14 03:16:27 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:27 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qfy-0004ty-8I
    2006-02-14 03:16:28 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qfy-0004u2-M2
    2006-02-14 03:16:28 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qfz-0004u4-Gz
    2006-02-14 03:16:28 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:29 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qfz-0004u4-Gz
    2006-02-14 03:16:29 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qfz-0004u5-KY
    2006-02-14 03:16:30 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qg0-0004uA-T9
    2006-02-14 03:16:30 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:30 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qg0-0004uA-T9
    2006-02-14 03:16:30 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qg1-0004uB-9X
    2006-02-14 03:16:31 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qg2-0004uG-D9
    2006-02-14 03:16:31 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:31 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qg2-0004uH-Fj
    2006-02-14 03:16:31 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qg2-0004uG-D9
    2006-02-14 03:16:32 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qg3-0004uM-Df
    2006-02-14 03:16:32 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:32 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qg3-0004uM-Df
    2006-02-14 03:16:33 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qg3-0004uS-W1
    2006-02-14 03:16:34 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qg4-0004uU-Bk
    2006-02-14 03:16:34 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:34 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qg4-0004uV-J5
    2006-02-14 03:16:34 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qg4-0004uU-Bk
    2006-02-14 03:16:38 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qg6-0004ua-2I
    2006-02-14 03:16:38 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:38 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qg6-0004ua-2I
    2006-02-14 03:16:38 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qg6-0004ue-BH
    2006-02-14 03:16:38 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgA-0004ug-6o
    2006-02-14 03:16:38 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:38 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgA-0004ug-6o
    2006-02-14 03:16:39 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgA-0004uh-GG
    2006-02-14 03:16:39 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgA-0004um-QU
    2006-02-14 03:16:39 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:39 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgA-0004un-RO
    2006-02-14 03:16:39 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgA-0004um-QU
    2006-02-14 03:16:40 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgB-0004us-KZ
    2006-02-14 03:16:40 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:40 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgB-0004uw-Qv
    2006-02-14 03:16:40 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgB-0004us-KZ
    2006-02-14 03:16:41 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgC-0004uy-AE
    2006-02-14 03:16:41 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:41 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgC-0004uy-AE
    2006-02-14 03:16:41 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgC-0004v0-HD
    2006-02-14 03:16:41 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgD-0004v4-9p
    2006-02-14 03:16:41 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:42 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgD-0004v5-CP
    2006-02-14 03:16:42 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgD-0004v4-9p
    2006-02-14 03:16:43 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgE-0004vF-9y
    2006-02-14 03:16:43 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgD-0004vB-Tv
    2006-02-14 03:16:43 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:43 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgD-0004vB-Tv
    2006-02-14 03:16:44 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgF-0004vK-8p
    2006-02-14 03:16:44 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:44 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgF-0004vL-D7
    2006-02-14 03:16:44 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgF-0004vK-8p
    2006-02-14 03:16:44 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgG-0004vN-2r
    2006-02-14 03:16:44 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:45 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgG-0004vR-Ah
    2006-02-14 03:16:45 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgG-0004vN-2r
    2006-02-14 03:16:45 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgG-0004vT-TO
    2006-02-14 03:16:45 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:46 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgH-0004vV-8c
    2006-02-14 03:16:46 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgG-0004vT-TO
    2006-02-14 03:16:47 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgH-0004va-WB
    2006-02-14 03:16:47 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:47 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgH-0004va-WB
    2006-02-14 03:16:47 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgI-0004ve-KP
    2006-02-14 03:16:47 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgJ-0004vg-7n
    2006-02-14 03:16:47 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:48 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgJ-0004vh-B3
    2006-02-14 03:16:48 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgJ-0004vg-7n
    2006-02-14 03:16:48 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgJ-0004vm-Rw
    2006-02-14 03:16:48 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:48 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgK-0004vo-57
    2006-02-14 03:16:49 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgJ-0004vm-Rw
    2006-02-14 03:16:50 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgK-0004vs-OY
    2006-02-14 03:16:50 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:50 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgK-0004vs-OY
    2006-02-14 03:16:50 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgL-0004vw-1n
    2006-02-14 03:16:51 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgM-0004w1-7L
    2006-02-14 03:16:52 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgM-0004vy-3p
    2006-02-14 03:16:52 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:53 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgM-0004vy-3p
    2006-02-14 03:16:57 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgO-0004w7-Cu
    2006-02-14 03:16:57 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:57 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgO-0004w7-Cu
    2006-02-14 03:16:58 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgP-0004wB-3A
    2006-02-14 03:16:58 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgT-0004wF-PC
    2006-02-14 03:16:59 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgT-0004wE-Kn
    2006-02-14 03:16:59 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:16:59 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgT-0004wE-Kn
    2006-02-14 03:17:02 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgV-0004wO-VO
    2006-02-14 03:17:02 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgV-0004wL-Fn
    2006-02-14 03:17:02 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:17:03 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgV-0004wL-Fn
    2006-02-14 03:17:05 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgZ-0004wX-GB
    2006-02-14 03:17:05 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:17:05 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgY-0004wV-T1
    2006-02-14 03:17:07 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgb-0004wb-Vg
    2006-02-14 03:17:07 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:17:07 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgb-0004wb-Vg
    2006-02-14 03:17:07 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgY-0004wV-T1
    2006-02-14 03:17:07 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgd-0004wg-3C
    2006-02-14 03:17:08 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgd-0004wi-Dv
    2006-02-14 03:17:08 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgd-0004wg-3C
    2006-02-14 03:17:08 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgd-0004wh-Bi
    2006-02-14 03:17:11 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qge-0004wm-Ba
    2006-02-14 03:17:14 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:17:15 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgk-0004wy-KF
    2006-02-14 03:17:15 cwd=/ 3 args: /usr/sbin/sendmail -t -i
    2006-02-14 03:17:15 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgk-0004wy-KF
    There has to be something I can do? Please, I need to find this person.
     
  7. MattGetWeb

    I think you are going to have to give us some more information. Can you post a (not too huge) chunk of some of exim_mainlog that shows some of these spams being sent? Hopefully you have the logging at maximum as I suggested above.
     
  8. WestBend

    WestBend Well-Known Member

    Joined:
    Oct 12, 2003
    Messages:
    173
    Likes Received:
    0
    Trophy Points:
    16
    Switch on phpsuexec for a day.
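    As an added example (not code from the thread, from cPanel or from any poster), the grep from post #4 and the cwd=/ output in post #6 can be folded into one small triage script. It runs over a constructed sample of exim_mainlog lines in the shapes shown above; the hostnames, the account name exampleuser and the /home/exampleuser/... lines are assumptions standing in for a real account's contact form. It assumes "log_selector = +all" is on, since that is what makes Exim write the "cwd=... N args: ..." lines. The script summarises two things per message: the working directory of the process that called sendmail, and the local user on Exim's "<=" arrival line (the U= field, which is what the thread calls user=nobody). In the output in post #6 every script submission shows cwd=/, so the directory alone cannot name the account, and the "exim -t -oem -oi -f <> -E..." entries are Exim generating error messages about those same submissions, so they point nowhere either. That leaves the U= field, which is where WestBend's phpsuexec suggestion bites: with suexec each script runs as its own account's user, so U= names the account instead of the shared nobody.

```shell
#!/bin/sh
# Added triage helper (not from the thread): summarise an exim_mainlog so the
# origin of script-submitted mail stands out. Assumes "log_selector = +all" is
# on, which is what makes Exim write the "cwd=... N args: ..." lines.

# Constructed sample in the shapes seen in the thread. The "<=" arrival lines
# carry Exim's U= field (the local user that submitted the message); the
# cwd=/home/exampleuser/... line is an assumed stand-in for one account's
# contact form. Hostnames and the account name are placeholders.
sample_log() {
cat <<'EOF'
2006-02-14 03:16:26 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qfw-0004ts-Gz
2006-02-14 03:16:26 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:26 1F8qfw-0004ts-Gz <= nobody@host.example.invalid U=nobody P=local S=812
2006-02-14 03:16:27 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:27 1F8qfy-0004ty-8I <= nobody@host.example.invalid U=nobody P=local S=790
2006-02-14 03:16:27 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qfy-0004ty-8I
2006-02-14 03:16:28 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:28 1F8qfz-0004u4-Gz <= nobody@host.example.invalid U=nobody P=local S=801
2006-02-14 03:16:29 cwd=/home/exampleuser/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:29 1F8qg0-0004uA-T9 <= exampleuser@host.example.invalid U=exampleuser P=local S=640
EOF
}

# Count the working directory of every local submission, dropping Exim's own
# queue-runner and error-message entries (cwd=/var/spool/exim), which are
# deliveries and bounces, not the process that injected the mail.
# Output: "<count> <cwd>", busiest first.
cwd_counts() {
    sed -n 's/.* cwd=\([^ ]*\) .*/\1/p' \
    | grep -v '^/var/spool/exim$' \
    | sort | uniq -c | sort -rn \
    | awk '{print $1, $2}'
}

# Count the submitting user (U=) on message-arrival ("<=") lines.
# On a server where PHP runs as one shared user this collapses to "nobody";
# with suexec the account name shows up here instead.
submit_user_counts() {
    grep ' <= ' \
    | sed -n 's/.* U=\([^ ]*\) .*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{print $1, $2}'
}

# Stand-alone run against the constructed sample. On a real box, feed the
# functions with: cat /var/log/exim_mainlog | cwd_counts
echo "submissions by working directory:"
sample_log | cwd_counts
echo "submissions by local user:"
sample_log | submit_user_counts
```

    On the sample this prints cwd=/ three times against one hit for the account's public_html directory, and U=nobody three times against one for exampleuser: the same picture as post #6, where the directory is useless and the user is shared. Once suexec is on, the second summary is the one that names the account.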
     