
Need help finding e-mail source

Discussion in 'E-mail Discussions' started by n000b, Jul 29, 2007.

  1. n000b

    Hi,

    Someone/something on my dedicated server is sending spam and I need to find out how they're doing it.

    Basically, a few days ago I had a report of spam from a user. I didn't have time to look into it, so I suspended the account in question. Today, more spam is being sent (it's not just a backlog of spam from the other day, it's definitely new spam). It's being sent from the suspended account.

    In one of the spam e-mail headers is this:

    Return-Path: <spud@<my-hostname>>

    Where spud is the user that the spam mails are being sent from (and the user spud's website is suspended in WHM).

    Also in the e-mail is:

    X-AntiAbuse: Originator/Caller UID/GID - [32171 503] / [47 12]

    I took a look at /etc/group - 503 is the user "mailtrap". 32171 does not exist. 47 is "mailnull". 12 is "mail".



    So, obviously the spam is not being injected through the user's website as it is suspended. What other methods could be being used to send the spam? Is there any way that I can track the issue? And what do the four UID/GIDs above mean, and can they help me in tracking the problem?

    Thanks :)
     
  2. mtindor

    32171 is going to be the ID of the user. You can probably do something like this to find out who that belongs to:

    grep 32171 /home/*/etc/*/passwd

    That should search the passwd file of every virtual domain and find the ID 32171 - you'll then see the directory (which will tell you the user).

    It may sound intensive, but it shouldn't be intensive at all - the passwd files are very small, and even if you had 1000 accounts on the server it should zip through fairly quickly.

    But my guess is that 32171 is just going to end up being 'spud'. How about posting the complete message (munge the IP address and from/to if you are so inclined)? Oftentimes in the headers you can get an idea as to what application (phpBB, some other script) may be sending it.

    You probably should tail the /usr/local/apache/domlogs/domainname.ext file (obviously replace domainname.ext with the domain you believe it's being sent from) and see what's up. If it is suspended you really shouldn't see much, but you never know. When you suspend the account, DNS is suspended, but it may not actually stop somebody from going to http://xxx.xxx.xxx.xxx/spamcausingscript to get to it if the domain has a dedicated IP.

    Mike


     
    #2 mtindor, Jul 29, 2007
    Last edited: Jul 29, 2007
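The lookup Mike describes, worked through as an added example (this is not code from the thread or from cPanel). The script parses the X-AntiAbuse header quoted in the first post, resolves each id against passwd/group-format files, and then searches per-domain virtual passwd files of the form /home/<account>/etc/<domain>/passwd for the account that owns the UID. It matches on field 3 only, because a bare `grep 32171` also hits the GID column, which is why the atp lines (uid 32170, gid 32171) showed up in the reply below. The header format itself is the one cPanel's exim.conf emits, `[$originator_uid $originator_gid] / [$caller_uid $caller_gid]`, where the originator is the process that handed Exim the message and the caller is Exim's own process. All passwd and group contents below are constructed for the example; the account names, domains and ids are assumptions chosen to mirror the thread.

```sh
#!/bin/sh
# Added example (not from the thread or from cPanel): resolve the UID/GID pairs in a
# cPanel X-AntiAbuse header to system users/groups and to the owning cPanel account.
# All passwd/group data below is constructed for the example; the header line is the
# one quoted in the thread.

# cPanel's exim.conf adds the header as
#   X-AntiAbuse: Originator/Caller UID/GID - [$originator_uid $originator_gid] / [$caller_uid $caller_gid]
# The originator is the process that handed Exim the message (e.g. a PHP script
# running /usr/sbin/sendmail); the caller is the Exim process itself.
parse_antiabuse() {      # $1 = header line; prints "orig_uid orig_gid caller_uid caller_gid"
    printf '%s\n' "$1" |
        sed -n 's/.*\[\([0-9]*\) \([0-9]*\)\] \/ \[\([0-9]*\) \([0-9]*\)\].*/\1 \2 \3 \4/p'
}

# Look up a numeric id in a passwd- or group-format file, matching field 3 only.
# A bare `grep 32171 file` also hits the GID column and home paths, which is
# exactly why the atp entries (uid 32170, gid 32171) show up as false positives.
id_to_name() {           # $1 = numeric id, $2 = passwd or group file
    awk -F: -v id="$1" '$3 == id { print $1; exit }' "$2"
}

# cPanel keeps one virtual passwd file per domain at /home/<account>/etc/<domain>/passwd,
# with the account's uid in field 3 of every mailbox entry; the account name is the
# directory under /home.
uid_to_cpanel_account() { # $1 = uid, $2 = directory standing in for /home
    for f in "$2"/*/etc/*/passwd; do
        [ -f "$f" ] || continue
        if awk -F: -v uid="$1" '$3 == uid { found = 1 } END { exit !found }' "$f"; then
            rel=${f#"$2"/}
            printf '%s\n' "${rel%%/*}"
            return 0
        fi
    done
    return 1
}

# ---- constructed fixture (stands in for /etc and /home) -----------------------------
FIX=$(mktemp -d)
mkdir -p "$FIX/etc" "$FIX/home/atp/etc/example.com" "$FIX/home/spud/etc/example.net"
cat > "$FIX/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
atp:x:32170:32171::/home/atp:/bin/bash
spud:x:32171:674::/home/spud:/bin/bash
EOF
cat > "$FIX/etc/group" <<'EOF'
mail:x:12:
mailnull:x:47:
mailtrap:x:503:
spud:x:674:
EOF
cat > "$FIX/home/atp/etc/example.com/passwd" <<'EOF'
adam:x:32170:32171::/home/atp/mail/example.com/adam:/usr/local/cpanel/bin/noshell
admin:x:32170:32171::/home/atp/mail/example.com/admin:/usr/local/cpanel/bin/noshell
EOF
cat > "$FIX/home/spud/etc/example.net/passwd" <<'EOF'
cobra:x:32171:674::/home/spud/mail/example.net/cobra:/usr/local/cpanel/bin/noshell
fudd:x:32171:674::/home/spud/mail/example.net/fudd:/usr/local/cpanel/bin/noshell
EOF

HDR='X-AntiAbuse: Originator/Caller UID/GID - [32171 503] / [47 12]'

# Human-readable report for one header line.
report() {               # $1 = header line
    set -- $(parse_antiabuse "$1")
    echo "originator: uid $1 ($(id_to_name "$1" "$FIX/etc/passwd")) gid $2 ($(id_to_name "$2" "$FIX/etc/group"))"
    echo "            cPanel account: $(uid_to_cpanel_account "$1" "$FIX/home" || echo none)"
    echo "caller:     uid $3 ($(id_to_name "$3" "$FIX/etc/passwd")) gid $4 ($(id_to_name "$4" "$FIX/etc/group"))"
}

report "$HDR"
```

On a real server, point the three helpers at /etc/passwd, /etc/group and /home instead of the fixture. The caller pair (here 47 12, mailnull/mail) is just Exim's own identity and says nothing about the spammer; the originator UID is the field that names the account whose process submitted the message.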
  3. n000b

    n000b Well-Known Member

    Joined:
    Apr 7, 2005
    Messages:
    142
    Likes Received:
    0
    Trophy Points:
    16
    /home/atp/etc/<domain>/passwd:adam:x:32170:32171::/home/atp/mail/<domain>/adam:/usr/local/cpanel/bin/noshell
    /home/atp/etc/<domain>/passwd:mzulpo:x:32170:32171::/home/atp/mail/<domain>/mzulpo:/usr/local/cpanel/bin/noshell
    /home/atp/etc/<domain>/passwd:bgrant:x:32170:32171::/home/atp/mail/<domain>/bgrant:/usr/local/cpanel/bin/noshell
    /home/atp/etc/<domain>/passwd:swallace:x:32170:32171::/home/atp/mail/<domain>/swallace:/usr/local/cpanel/bin/noshell
    /home/atp/etc/<domain>/passwd:admin:x:32170:32171::/home/atp/mail/<domain>/admin:/usr/local/cpanel/bin/noshell
    /home/atp/etc/<domain>/passwd:enquiries:x:32170:32171::/home/atp/mail/<domain>/enquiries:/usr/local/cpanel/bin/noshell
    /home/spud/etc/<domain>/passwd:cobra:x:32171:674::/home/spud/mail/<domain>/cobra:/usr/local/cpanel/bin/noshell
    /home/spud/etc/<domain>/passwd:fudd:x:32171:674::/home/spud/mail/<domain>/fudd:/usr/local/cpanel/bin/noshell


    That's what I get from running that command. Looks like 32171 is just the user "spud" (as expected). Why do the first 6 lines (the atp ones) have the group ID 32171 though?


    Anyone got any ideas on how they are sending the spam?
     
  4. mtindor

    Wish I had the thread in front of me, but I don't. I'll look for it. You should be able to add a particular line in /etc/exim.conf and then restart Exim; that particular line will provide some more verbose logging that will allow you to see what script is sending the mail, I believe, including full path and such if I'm not mistaken. I'll see if I can find it.

    Mike
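An added example of the kind of logging Mike is referring to (this is not the line he had in mind, nor code from the thread or from cPanel). Exim's `log_selector` directive accepts `+arguments`, which makes each local sendmail invocation log its working directory and argv as a `cwd=... args: ...` line, and `+pid`, which tags every line with the Exim process id. With both enabled, the `cwd=` line and the matching `<=` arrival line carry the same pid, so they can be paired exactly, and the cwd tells you which directory (and so which site and usually which script) the mail came from. The assumption here is an exim.conf carrying `log_selector = +arguments +pid`; the log lines below are constructed for the example and are not a real exim_mainlog.

```sh
#!/bin/sh
# Added example (not from the thread or from cPanel): work out which directory each
# local mail submission came from by pairing Exim's "cwd=... args:" lines with the
# "<=" arrival lines.  Exim writes the cwd/args line when log_selector includes
# +arguments; +pid adds the "[pid]" tag this script uses to pair the two lines.
# The log below is constructed for the example and is not a real exim_mainlog.

LOG=$(mktemp)
cat > "$LOG" <<'EOF'
2007-07-29 10:15:22 [18231] cwd=/home/spud/public_html/forum 3 args: /usr/sbin/sendmail -t -i
2007-07-29 10:15:22 [18231] 1IEtXv-0004mD-1k <= spud@server.example U=spud P=local S=1421 T="Cheap meds"
2007-07-29 10:15:24 [18240] cwd=/home/atp/public_html 3 args: /usr/sbin/sendmail -t -i
2007-07-29 10:15:24 [18240] 1IEtXx-0004mJ-7Q <= atp@server.example U=atp P=local S=2210 T="Contact form"
2007-07-29 10:15:25 [18244] cwd=/home/spud/public_html/forum 3 args: /usr/sbin/sendmail -t -i
2007-07-29 10:15:25 [18244] 1IEtXy-0004mN-2c <= spud@server.example U=spud P=local S=1419 T="Cheap meds"
2007-07-29 10:15:30 [18250] 1IEtY3-0004mT-Ra <= someone@remote.example H=(mx) [192.0.2.10] P=esmtp S=3012
EOF

# Print "count user cwd", busiest first, for every local submission (a "<=" line
# carrying U=<user>).  SMTP arrivals have no U= and are skipped; a local submission
# whose pid logged no cwd line (e.g. +arguments was off) is reported as "unknown".
submission_dirs() {      # $1 = exim mainlog path
    awk '
        function strip_pid(s) { sub(/^\[/, "", s); sub(/\]$/, "", s); return s }
        # field layout with +pid: date time [pid] ...
        $4 ~ /^cwd=/ {                        # process start: remember its cwd
            dir = $4; sub(/^cwd=/, "", dir)
            cwd[strip_pid($3)] = dir
            next
        }
        $5 == "<=" {                          # message arrival
            user = ""
            for (i = 6; i <= NF; i++) if ($i ~ /^U=/) user = substr($i, 3)
            if (user == "") next              # SMTP arrival, not a local submission
            pid = strip_pid($3)
            dir = (pid in cwd) ? cwd[pid] : "unknown"
            count[user " " dir]++
            delete cwd[pid]
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -rn
}

submission_dirs "$LOG"
```

Run it against /var/log/exim_mainlog on a live server. Without `+pid`, the `cwd=` line still immediately precedes its `<=` line, but under concurrent submissions sequential pairing is only approximate, which is why the pid tag is worth enabling alongside `+arguments`.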
     
  5. mtindor

  6. n000b

    Thanks Mike :)

    Unfortunately it won't help with this problem as it's not sending spam any more, but it'll certainly be useful for any future spam problems :)

    Anyone else got any ideas?
     