Please help me find this spammer

Discussion in 'General Discussion' started by gal3ler, Jan 13, 2006.

  1. gal3ler

    I have been trying to stop this spammer for weeks now and I can't find them. Here is a copy of the spam message:

    1ExZ0l-0004lt-6P-H
    root 0 0
    <service@chase.com>
    1137197475 0
    -helo_name User
    -host_address 80.97.186.54.2875
    -host_auth fixed_login
    -interface_address 70.85.134.15.25
    -received_protocol esmtpa
    -body_linecount 59
    -auth_id smart
    -deliver_firsttime
    -host_lookup_failed
    XX
    100

    153P Received: from [80.97.186.54] (port=2875 helo=User)
    by wizard.xxxx with esmtpa (Exim 4.52)
    id 1ExZ0l-0004lt-6P; Fri, 13 Jan 2006 18:11:23 -0600
    045F From: "service@chase.com"<service@chase.com>
    059 Subject: Security Measures.Renew your account immediately!
    038 Date: Sat, 14 Jan 2006 02:11:14 +0200
    018 MIME-Version: 1.0
    049 Content-Type: text/html;
    charset="Windows-1251"
    032 Content-Transfer-Encoding: 7bit
    014 X-Priority: 1
    024 X-MSMail-Priority: High
    051 X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    057 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000


    No, it's not a nobody spammer; I already checked for that. It appears they are connecting via Outlook Express, changing the From address and authenticating.

    Steps to stop it:

    Install HELO Tests - doesn't stop it
    Monitor Sendmail - Nothing
    Netstat - Shows user 47 (mailnull)

    Someone Please help me stop them from spamming through this box.
     
  2. lloyd_tennison

    Backtrack the message ID in exim_mainlog and then you will see who authenticated, and then you will know who the sender was. I would also use some of the rules mentioned for limiting BCCs.

    1ExZ0l-0004lt-6P
     
  3. chirpy

    Actually, it's all in that exim mail header:

    -host_auth fixed_login
    -auth_id smart


    That spam was relayed through your server by the cPanel account smart using SMTP AUTH. That user either:

    1. Has a weak password that has been guessed
    2. Has a virus that is using their local PC(s) to send out spam
    3. Is a spammer

    Solution: suspend the account until the user guarantees that it wasn't done deliberately, that they've cleaned off all viruses/adware/spyware on all local PCs using that account, and that they have changed all their passwords.
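As an added example (not code from the thread or from cPanel), a small Python parser that pulls the -host_auth / -auth_id / -host_address fields out of the Exim -H spool header quoted above and then follows the message ID through exim_mainlog, the two steps chirpy and lloyd_tennison describe. The spool excerpt and the log lines are constructed from the page, with placeholder recipients.

```python
import re
# Constructed from the -H spool file quoted above: recipient list cut to two placeholders, headers omitted.
SPOOL_H = """\
1ExZ0l-0004lt-6P-H
root 0 0
<service@chase.com>
1137197475 0
-helo_name User
-host_address 80.97.186.54.2875
-host_auth fixed_login
-interface_address 70.85.134.15.25
-received_protocol esmtpa
-auth_id smart
-deliver_firsttime
XX
2
rcpt1@example.invalid
rcpt2@example.invalid
"""
# Constructed exim_mainlog lines; A=<authenticator>:<login> records who authenticated.
MAINLOG = """\
2006-01-13 18:11:23 1ExZ0l-0004lt-6P <= service@chase.com H=(User) [80.97.186.54] P=esmtpa A=fixed_login:smart S=3412
2006-01-13 18:11:30 1ExZ0m-0004lz-1Q <= bob@example.invalid U=bob P=local S=512
"""

def parse_spool_header(text):
    """Read the envelope section of an Exim -H spool file into a dict."""
    lines = text.splitlines()
    info = {"message_id": lines[0][:-2], "sender": lines[2].strip("<>")}
    i = 4                                  # -flag lines start after the timestamp line
    while lines[i].startswith("-"):
        key, _, val = lines[i][1:].partition(" ")
        info[key] = val or True            # bare flags such as -deliver_firsttime
        i += 1
    i += 1                                 # skip "XX" (empty non-recipient tree)
    count = int(lines[i])                  # recipient count, then one recipient per line
    info["recipients"] = lines[i + 1:i + 1 + count]
    # Exim 4.5x writes host_address as IP.port; split on the last dot
    ip, _, port = info.get("host_address", "").rpartition(".")
    info["peer_ip"], info["peer_port"] = ip, int(port) if port else None
    return info

def mainlog_auth(log, message_id):
    """Return (authenticator, login) from the message's '<=' arrival line, or None."""
    for line in log.splitlines():
        if f" {message_id} <= " in line:
            m = re.search(r" A=([^:\s]+):(\S+)", line)
            return m.groups() if m else None
    return None
```

The presence of host_auth (and the A= field in the log) is what turns "find the spammer" into "suspend account smart and reset its password", as the answer above concludes.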
     