Need help finding e-mail source

[n000b]

Hi,

Someone/something on my dedicated server is sending spam and I need to find out how they're doing it.

Basically, a few days ago I had a report of spam from a user. I didn't have time to look in to it, so I suspended the account in question. Today, more spam is being sent (it's not just a backlog of spam from the other day, it's definetely new spam). It's being sent from the suspended account.

In one of the spam e-mail headers is this:

Return-Path: <[email protected]<my-hostname>>

Where spud is the user that the spam mails are being sent from (and the user spud's website is suspended in WHM).

Also in the e-mail is:

X-AntiAbuse: Originator/Caller UID/GID - [32171 503] / [47 12]

I took a look at /etc/group - 503 is the user "mailtrap". 32171 does not exist. 47 is "mailnull". 12 is "mail".



So, obviously the spam is not being injected through the users website as it is suspended. What other methods could be being used to send the spam? Is there any way that I can track the issue? And what do the four UID/GID's above mean and can they help me in tracking the problem?

Thanks

 

[mtindor]

32171 is going to be the id of the user - You can probably do something like this to find out who that belongs to:

grep 32171 /home/*/etc/*/passwd

That should search the passwd file of every virtual domain and find the ID 32171 - you'll then see the directory (which will tell you the user).

It may sound intensive, but it shouldn't be intensive at all - the passwd files are very small, and even if you had 1000 accounts on the server it should zip through fairly quickly.

But my guess is that 32171 is just going to end up being 'spud'. How about posting the complete message (munge the IP address and from/to if you are so inclined). Oftentimes in the headers you can get as to what application (phpBb, some other script) may be sending it.

You probably should tail the /usr/local/apache/domlogs/domainname.ext file (obviously replace domainname.ext with the domain you believe its being sent from) and see what's up. If it is suspended you really shouldn't see much, but you never know. When you suspend the account, DNS is suspended but it may not actually stop somebody from going to http://xxx.xxx.xxx.xxx/spamcausingscript to get to it if the domain has a dedicated ip.

MIke

Hi,

Someone/something on my dedicated server is sending spam and I need to find out how they're doing it.

Basically, a few days ago I had a report of spam from a user. I didn't have time to look in to it, so I suspended the account in question. Today, more spam is being sent (it's not just a backlog of spam from the other day, it's definetely new spam). It's being sent from the suspended account.

In one of the spam e-mail headers is this:

Return-Path: <[email protected]<my-hostname>>

Where spud is the user that the spam mails are being sent from (and the user spud's website is suspended in WHM).

Also in the e-mail is:

X-AntiAbuse: Originator/Caller UID/GID - [32171 503] / [47 12]

I took a look at /etc/group - 503 is the user "mailtrap". 32171 does not exist. 47 is "mailnull". 12 is "mail".



So, obviously the spam is not being injected through the users website as it is suspended. What other methods could be being used to send the spam? Is there any way that I can track the issue? And what do the four UID/GID's above mean and can they help me in tracking the problem?

Thanks

 

[n000b]

/home/atp/etc/<domain>/passwd:adam:x:32170:32171::/home/atp/mail/<domain>/adam:/usr/local/cpanel/bin/noshell
/home/atp/etc/<domain>/passwd:mzulpo:x:32170:32171::/home/atp/mail/<domain>/mzulpo:/usr/local/cpanel/bin/noshell
/home/atp/etc/<domain>/passwd:bgrant:x:32170:32171::/home/atp/mail/<domain>/bgrant:/usr/local/cpanel/bin/noshell
/home/atp/etc/<domain>/passwd:swallace:x:32170:32171::/home/atp/mail/<domain>/swallace:/usr/local/cpanel/bin/noshell
/home/atp/etc/<domain>/passwd:admin:x:32170:32171::/home/atp/mail/<domain>/admin:/usr/local/cpanel/bin/noshell
/home/atp/etc/<domain>/passwd:enquiries:x:32170:32171::/home/atp/mail/<domain>/enquiries:/usr/local/cpanel/bin/noshell
/home/spud/etc/<domain>/passwd:cobra:x:32171:674::/home/spud/mail/<domain>/cobra:/usr/local/cpanel/bin/noshell
/home/spud/etc/<domain>/passwd:fudd:x:32171:674::/home/spud/mail/<domain>/fudd:/usr/local/cpanel/bin/noshell


That's what I get from running that command. Looks like 32171 is just the user "spud" (as expected). Why do the first 6 lines (the atp ones) have the group ID 32171 though?


Anyone got any ideas on how they are sending the spam?

 

[mtindor]

Wish I had the thread in front of me but I don't. I'll look for it. Should be able to add a particular line in /etc/exim.conf and then restart Exim - that particular line will add provide some more verbose logging that will allow you to see what script is sending the mail I believe, including full path and such if I'm not mistaken. I'll see if I can find it.

Mike

 

[mtindor]

Check these threads for more verbose Exim logging. Will only help you if it is still sending spam.

http://forums.cpanel.net/showthread.php?t=69176&highlight=log_selector
http://forums.cpanel.net/showthread.php?t=66246&highlight=log_selector
http://forums.cpanel.net/showthread.php?t=61428&highlight=log_selector

Mike

 

[n000b]

Thanks Mike

Unfortunately it won't help with this problem as it's not sending spam any more, but it'll certainly be useful for any future spam problems

Anyone else got any ideas?