Please help me find this spammer

Discussion in 'General Discussion' started by gal3ler, Jan 13, 2006.

  1. gal3ler

    gal3ler Active Member

    Dec 7, 2003
    I have been trying to stop this spammer for weeks now and I can't find them. Here is a copy of the spam message:

    root 0 0
    1137197475 0
    -helo_name User
    -host_auth fixed_login
    -received_protocol esmtpa
    -body_linecount 59
    -auth_id smart

    153P Received: from [] (port=2875 helo=User)
    by wizard.xxxx with esmtpa (Exim 4.52)
    id 1ExZ0l-0004lt-6P; Fri, 13 Jan 2006 18:11:23 -0600
    045F From: ""<>
    059 Subject: Security Measures.Renew your account immediately!
    038 Date: Sat, 14 Jan 2006 02:11:14 +0200
    018 MIME-Version: 1.0
    049 Content-Type: text/html;
    032 Content-Transfer-Encoding: 7bit
    014 X-Priority: 1
    024 X-MSMail-Priority: High
    051 X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    057 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

    No, it's not a nobody spammer; I already checked for that. It appears they are connecting via Outlook Express, changing the from address and authenticating.

    Steps to stop it:

    Install HELO Tests - doesn't stop it
    Monitor Sendmail - Nothing
    Netstat - Shows user 47 (mailnull)

    Someone Please help me stop them from spamming through this box.
  2. lloyd_tennison

    lloyd_tennison Well-Known Member

    Mar 12, 2004
    Backtrack the message ID in exim_mainlog and then you will see who authenticated and then know who the sender was. I would also use some of the rules mentioned for limiting BCCs.

  3. chirpy

    chirpy Well-Known Member Verified Vendor

    Jun 15, 2002
    Go on, have a guess
    Actually, it's all in that exim mail header:

    -host_auth fixed_login
    -auth_id smart

    That spam was relayed through your server by the cPanel account smart using SMTP AUTH. That user either:

    1. Has a weak password that has been guessed
    2. Has a virus that is using their local PC(s) to send out spam
    3. Is a spammer

    Solution: suspend the account until the user guarantees that it wasn't done deliberately, that they've cleaned off all viruses/adware/spyware on all local PCs using that account, and that they have changed all their passwords.
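The two replies above describe the same check from two directions: read `-host_auth` / `-auth_id` out of the Exim spool header (the `-H` file quoted in the first post), or backtrack the message ID in `exim_mainlog`, where an authenticated submission is logged as `A=<authenticator>:<auth id>`. The following is an added example, not code from the thread or from cPanel, that does both over constructed sample data: the spool text is modelled on the header quoted above (the IP and sender address are placeholders), and the `exim_mainlog` lines are constructed in the standard Exim `<=` arrival format. It also goes one step beyond the thread by counting arrivals per authenticated user, which is how a mail admin spots the compromised account when there are many candidates.

```python
import re
from collections import Counter

# Constructed Exim spool header (-H file) modelled on the one quoted in the thread.
# The message ID on the first line, the address in brackets and the port are placeholders.
SPOOL_HEADER = """\
1ExZ0l-0004lt-6P-H
root 0 0
1137197475 0
-helo_name User
-host_auth fixed_login
-received_protocol esmtpa
-body_linecount 59
-auth_id smart

153P Received: from [192.0.2.10] (port=2875 helo=User)
"""

# Constructed excerpt of /var/log/exim_mainlog (cPanel's default location).
# "A=fixed_login:smart" is how Exim records an SMTP AUTH login: authenticator name, then auth id.
MAINLOG = """\
2006-01-13 18:11:23 1ExZ0l-0004lt-6P <= spoof@example.net H=(User) [192.0.2.10] P=esmtpa A=fixed_login:smart S=3210
2006-01-13 18:11:24 1ExZ0m-0004lu-7Q <= spoof@example.net H=(User) [192.0.2.10] P=esmtpa A=fixed_login:smart S=3210
2006-01-13 18:12:01 1ExZ1K-0004m0-1A <= alice@example.org H=(alice-pc) [192.0.2.20] P=esmtpa A=fixed_login:alice S=1024
2006-01-13 18:12:30 1ExZ1n-0004m5-2B <= bounce@example.com H=mx.example.com [198.51.100.5] P=esmtp S=512
"""

# One "<=" arrival line: timestamp, message id, envelope sender, then (optionally) A=authenticator:user.
ARRIVAL_RE = re.compile(
    r"^\S+ \S+ (?P<msgid>\S+) <= (?P<sender>\S+) .*?A=(?P<authr>[^:\s]+):(?P<user>\S+)"
)


def spool_auth(spool_text):
    """Return (host_auth, auth_id) from an Exim -H spool file, or None if the
    message was not submitted with SMTP AUTH. Only the '-variable value' block
    before the first blank line is read; the header lines after it are ignored."""
    fields = {}
    for line in spool_text.splitlines():
        if line == "":
            break  # blank line ends the variables section
        if line.startswith("-"):
            key, _, value = line[1:].partition(" ")
            fields[key] = value
    if "auth_id" not in fields:
        return None
    return fields.get("host_auth"), fields["auth_id"]


def auth_for_message(log_text, msgid):
    """Backtrack one message ID in exim_mainlog: return the authenticated user
    that submitted it, or None if it arrived unauthenticated (or is not in the log)."""
    for line in log_text.splitlines():
        m = ARRIVAL_RE.match(line)
        if m and m.group("msgid") == msgid:
            return m.group("user")
    return None


def messages_per_auth_user(log_text):
    """Count authenticated arrivals per auth id; the top entry is the account to suspend
    and have its password changed, as the thread recommends."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ARRIVAL_RE.match(line)
        if m:
            counts[m.group("user")] += 1
    return counts


if __name__ == "__main__":
    print("spool header says:", spool_auth(SPOOL_HEADER))
    print("log says 1ExZ0l-0004lt-6P was sent by:", auth_for_message(MAINLOG, "1ExZ0l-0004lt-6P"))
    for user, n in messages_per_auth_user(MAINLOG).most_common():
        print(f"{user}: {n} authenticated message(s)")
```

On a live box the same correlation is a `grep <message-id> /var/log/exim_mainlog` and a look at the `A=` field; the spool route only works while the message is still in `/var/spool/exim/input`. The per-user count is the useful generalisation: a single account submitting hundreds of messages with a forged `From:` over `esmtpa` is the signature of a guessed password or an infected client PC, which is exactly the diagnosis given above.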
