Hi,
Someone/something on my dedicated server is sending spam and I need to find out how they're doing it.
Basically, a few days ago I had a report of spam from a user. I didn't have time to look into it, so I suspended the account in question. Today, more spam is being sent (it's not just a backlog of spam from the other day, it's definitely new spam). It's being sent from the suspended account.
In one of the spam e-mail headers is this:
Return-Path: <[email protected]<my-hostname>>
Where spud is the user that the spam mails are being sent from (and the user spud's website is suspended in WHM).
Also in the e-mail is:
X-AntiAbuse: Originator/Caller UID/GID - [32171 503] / [47 12]
I took a look at /etc/group - 503 is the user "mailtrap". 32171 does not exist. 47 is "mailnull". 12 is "mail".
So, obviously the spam is not being injected through the user's website as it is suspended. What other methods could be being used to send the spam? Is there any way that I can track the issue? And what do the four UID/GIDs above mean, and can they help me in tracking the problem?
Thanks
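The header quoted in the post is the one cPanel's Exim configuration stamps on locally submitted mail: the first bracket is the UID/GID of the process that handed the message to Exim (the "originator"), the second is the UID/GID of the Exim process that accepted it (the "caller"). The first number of each pair is a UID, which resolves through /etc/passwd, and the second is a GID, which resolves through /etc/group; looking all four up in /etc/group is why 32171 did not match anything. The script below is an added example, not part of the post or of cPanel: it parses the header and resolves each number against passwd/group-formatted data. The embedded passwd and group lines are constructed, and the `spud:x:32171:503:...` entry is a hypothetical placed there to illustrate the lookup; on the real server the script reads the live /etc/passwd and /etc/group instead.

```python
import os
import re
from typing import Dict, Optional, Tuple

# Shape of the cPanel/Exim header quoted in the post:
#   X-AntiAbuse: Originator/Caller UID/GID - [32171 503] / [47 12]
HEADER_RE = re.compile(
    r"X-AntiAbuse:\s*Originator/Caller UID/GID\s*-\s*"
    r"\[(\d+)\s+(\d+)\]\s*/\s*\[(\d+)\s+(\d+)\]"
)

SAMPLE_HEADER = "X-AntiAbuse: Originator/Caller UID/GID - [32171 503] / [47 12]"

# Constructed sample data (not taken from any real server). The 'spud' line is a
# hypothetical entry showing what a cPanel account with UID 32171 would look like.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
spud:x:32171:503::/home/spud:/usr/local/cpanel/bin/noshell
"""
SAMPLE_GROUP = """root:x:0:
mail:x:12:mailnull
mailnull:x:47:
mailtrap:x:503:spud
"""


def parse_antiabuse(header: str) -> Dict[str, Tuple[int, int]]:
    """Return {'originator': (uid, gid), 'caller': (uid, gid)} from the header."""
    m = HEADER_RE.search(header)
    if not m:
        raise ValueError("not an X-AntiAbuse Originator/Caller UID/GID header")
    o_uid, o_gid, c_uid, c_gid = (int(x) for x in m.groups())
    return {"originator": (o_uid, o_gid), "caller": (c_uid, c_gid)}


def load_ids(text: str) -> Dict[int, str]:
    """Map numeric id -> name for passwd or group formatted text (name:x:ID:...)."""
    table: Dict[int, str] = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            table[int(parts[2])] = parts[0]
    return table


def resolve(ids: Dict[str, Tuple[int, int]],
            passwd: Dict[int, str],
            group: Dict[int, str]) -> Dict[str, Dict[str, Optional[object]]]:
    """Resolve UIDs via the passwd table and GIDs via the group table."""
    out = {}
    for role, (uid, gid) in ids.items():
        out[role] = {
            "uid": uid, "user": passwd.get(uid),   # None => no passwd entry
            "gid": gid, "group": group.get(gid),   # None => no group entry
        }
    return out


def report(resolved: Dict[str, Dict[str, Optional[object]]]) -> str:
    """One line per role; unknown ids are flagged so they stand out."""
    lines = []
    for role, r in resolved.items():
        user = r["user"] or "UNKNOWN-UID"
        grp = r["group"] or "UNKNOWN-GID"
        lines.append(f"{role:10s} uid={r['uid']} ({user})  gid={r['gid']} ({grp})")
    return "\n".join(lines)


def _read_or_sample(path: str, sample: str) -> str:
    # Use the live file when run on the server, the constructed sample otherwise.
    if os.path.exists(path):
        with open(path) as fh:
            return fh.read()
    return sample


if __name__ == "__main__":
    ids = parse_antiabuse(SAMPLE_HEADER)
    passwd = load_ids(_read_or_sample("/etc/passwd", SAMPLE_PASSWD))
    group = load_ids(_read_or_sample("/etc/group", SAMPLE_GROUP))
    print(report(resolve(ids, passwd, group)))
```

The originator pair is the one worth chasing: it names the Unix user whose process invoked sendmail/exim, regardless of whether the account's website is suspended in WHM. The Exim main log records the same information for local submissions as `U=<user> P=local`, so grepping /var/log/exim_mainlog for that user narrows the window to the exact process runs, and `ps -u <user>` or a look at that user's crontab shows what is still executing under the UID.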