Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Need help finding e-mail source

Discussion in 'E-mail Discussion' started by n000b, Jul 29, 2007.

  1. n000b

    n000b Well-Known Member

    Joined:
    Apr 7, 2005
    Messages:
    142
    Likes Received:
    0
    Trophy Points:
    166
    Hi,

    Someone/something on my dedicated server is sending spam and I need to find out how they're doing it.

    Basically, a few days ago I had a report of spam from a user. I didn't have time to look in to it, so I suspended the account in question. Today, more spam is being sent (it's not just a backlog of spam from the other day, it's definetely new spam). It's being sent from the suspended account.

    In one of the spam e-mail headers is this:

    Return-Path: <spud@<my-hostname>>

    Where spud is the user that the spam mails are being sent from (and the user spud's website is suspended in WHM).

    Also in the e-mail is:

    X-AntiAbuse: Originator/Caller UID/GID - [32171 503] / [47 12]

    I took a look at /etc/group - 503 is the user "mailtrap". 32171 does not exist. 47 is "mailnull". 12 is "mail".



    So, obviously the spam is not being injected through the users website as it is suspended. What other methods could be being used to send the spam? Is there any way that I can track the issue? And what do the four UID/GID's above mean and can they help me in tracking the problem?

    Thanks :)
     
    #1 n000b, Jul 29, 2007
  2. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,338
    Likes Received:
    56
    Trophy Points:
    178
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    32171 is going to be the id of the user - You can probably do something like this to find out who that belongs to:

    grep 32171 /home/*/etc/*/passwd

    That should search the passwd file of every virtual domain and find the ID 32171 - you'll then see the directory (which will tell you the user).

    It may sound intensive, but it shouldn't be intensive at all - the passwd files are very small, and even if you had 1000 accounts on the server it should zip through fairly quickly.

    But my guess is that 32171 is just going to end up being 'spud'. How about posting the complete message (munge the IP address and from/to if you are so inclined). Oftentimes in the headers you can get as to what application (phpBb, some other script) may be sending it.

    You probably should tail the /usr/local/apache/domlogs/domainname.ext file (obviously replace domainname.ext with the domain you believe its being sent from) and see what's up. If it is suspended you really shouldn't see much, but you never know. When you suspend the account, DNS is suspended but it may not actually stop somebody from going to http://xxx.xxx.xxx.xxx/spamcausingscript to get to it if the domain has a dedicated ip.

    MIke


     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 mtindor, Jul 29, 2007
    Last edited: Jul 29, 2007
  3. n000b

    n000b Well-Known Member

    Joined:
    Apr 7, 2005
    Messages:
    142
    Likes Received:
    0
    Trophy Points:
    166
    /home/atp/etc/<domain>/passwd:adam:x:32170:32171::/home/atp/mail/<domain>/adam:/usr/local/cpanel/bin/noshell
    /home/atp/etc/<domain>/passwd:mzulpo:x:32170:32171::/home/atp/mail/<domain>/mzulpo:/usr/local/cpanel/bin/noshell
    /home/atp/etc/<domain>/passwd:bgrant:x:32170:32171::/home/atp/mail/<domain>/bgrant:/usr/local/cpanel/bin/noshell
    /home/atp/etc/<domain>/passwd:swallace:x:32170:32171::/home/atp/mail/<domain>/swallace:/usr/local/cpanel/bin/noshell
    /home/atp/etc/<domain>/passwd:admin:x:32170:32171::/home/atp/mail/<domain>/admin:/usr/local/cpanel/bin/noshell
    /home/atp/etc/<domain>/passwd:enquiries:x:32170:32171::/home/atp/mail/<domain>/enquiries:/usr/local/cpanel/bin/noshell
    /home/spud/etc/<domain>/passwd:cobra:x:32171:674::/home/spud/mail/<domain>/cobra:/usr/local/cpanel/bin/noshell
    /home/spud/etc/<domain>/passwd:fudd:x:32171:674::/home/spud/mail/<domain>/fudd:/usr/local/cpanel/bin/noshell


    That's what I get from running that command. Looks like 32171 is just the user "spud" (as expected). Why do the first 6 lines (the atp ones) have the group ID 32171 though?


    Anyone got any ideas on how they are sending the spam?
     
    #3 n000b, Jul 30, 2007
  4. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,338
    Likes Received:
    56
    Trophy Points:
    178
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Wish I had the thread in front of me but I don't. I'll look for it. Should be able to add a particular line in /etc/exim.conf and then restart Exim - that particular line will add provide some more verbose logging that will allow you to see what script is sending the mail I believe, including full path and such if I'm not mistaken. I'll see if I can find it.

    Mike
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #4 mtindor, Jul 30, 2007
  5. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,338
    Likes Received:
    56
    Trophy Points:
    178
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #5 mtindor, Jul 30, 2007
  6. n000b

    n000b Well-Known Member

    Joined:
    Apr 7, 2005
    Messages:
    142
    Likes Received:
    0
    Trophy Points:
    166
    Thanks Mike :)

    Unfortunately it won't help with this problem as it's not sending spam any more, but it'll certainly be useful for any future spam problems :)

    Anyone else got any ideas?
     
    #6 n000b, Jul 30, 2007
(You must log in or sign up to post here.)
Loading...
Similar Threads - Need help finding
  1. Spork Schivago

    Need help Setting up more than one DMARC record.

    Spork Schivago, Apr 29, 2018, in forum: Bind/DNS/Nameserver
    Replies:
    8
    Views:
    149
    Spork Schivago
    May 4, 2018
  2. xyourxhighnessx

    Need help with CSV/file manager.

    xyourxhighnessx, Apr 20, 2018, in forum: General Discussion
    Replies:
    4
    Views:
    114
    cPanelLauren
    Apr 20, 2018
  3. brianc

    Need some help with an account transfer

    brianc, Mar 15, 2018, in forum: Data Protection
    Replies:
    4
    Views:
    140
    brianc
    Mar 17, 2018
  4. Azim

    Need help to setup the exim routing

    Azim, Mar 13, 2018, in forum: E-mail Discussion
    Replies:
    1
    Views:
    189
    cPanelMichael
    Mar 13, 2018
  5. glpglp

    SOLVED Need help setting up Cron to delete jpg files older than 1 day

    glpglp, Mar 5, 2018, in forum: General Discussion
    Replies:
    5
    Views:
    194
    cPanelMichael
    Mar 8, 2018

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice