The Community Forums

Interact with an entire community of cPanel & WHM users!

problem e-mails from my server and can't stop it every day over 50.000

Discussion in 'E-mail Discussions' started by el-abda3.com, Jan 26, 2012.

  1. el-abda3.com

    el-abda3.com Registered

    Hello,

    I have one of my servers which is under attack from an Arabic spammer
    and I don't know who this is.
    I tried a lot but can't find out who he is.

    The messages are from nobody.
    Here is an example from my Exim log:

    Displaying the last 30 lines of /var/log/exim_mainlog...

    Code:
    2012-01-26 13:31:28 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: exim -Mvh 1RpyrR-0002js-Gu
    2012-01-26 13:31:28 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: exim -Mvh 1RpyrT-0002nv-4Q
    2012-01-26 13:31:28 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: exim -Mvh 1RpyrT-0002p4-FB
    2012-01-26 13:31:28 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: exim -Mvh 1RpyrT-0002p8-Fh
    2012-01-26 13:31:28 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: exim -Mvh 1RpyrU-0002qd-La
    2012-01-26 13:31:28 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: exim -Mvh 1RpyrU-0002qi-MS
    2012-01-26 13:31:28 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: exim -Mvh 1RpyrY-0002z0-6y
    2012-01-26 13:31:28 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: exim -Mvh 1RpyrY-0002zs-Ra
    2012-01-26 13:31:28 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: exim -Mvh 1RpyrZ-00031n-8p
    2012-01-26 13:31:28 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: exim -Mvh 1Rpyra-000334-1Z
    2012-01-26 13:31:28 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: exim -Mvh 1Rpyrc-00033v-3S
    2012-01-26 13:31:28 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: exim -Mvh 1Rq9l2-0000nH-9L
    2012-01-26 13:31:28 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: exim -Mvh 1RqIph-0002lE-Fg
    2012-01-26 13:31:28 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: exim -Mvh 1RqIpn-0002mk-Nh
    2012-01-26 13:31:58 cwd=/home/statmasr/public_html/vb 3 args: /usr/sbin/sendmail -t -i
    2012-01-26 13:31:58 1RqNYc-0005QH-NX <= nobody@server.el-abda3.com U=nobody P=local S=2140 id=20120126113158.fefb1b4a2a24@www.stat-masr.com T="=?windows-1256?q?=D8=E1=C8_=CA=DD=DA=ED=E1_=C7=E1=DA=D6=E6=ED=C9_=DD=ED_=E3=E4=CA=CF=EC_=D3=CA=C7=CA" from  for noura.mouhamed93@yahoo.com
    2012-01-26 13:31:58 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1RqNYc-0005QH-NX
    2012-01-26 13:32:00 1RqNYc-0005QH-NX => noura.mouhamed93@yahoo.com F= R=lookuphost T=remote_smtp S=2497 H=mta5.am0.yahoodns.net [98.139.175.224] C="250 ok dirdel"
    2012-01-26 13:32:00 1RqNYc-0005QH-NX Completed
    2012-01-26 13:32:00 cwd=/var/spool/exim 9 args: /usr/sbin/exim -MCS -MCP -MC remote_smtp mta5.am0.yahoodns.net 98.139.175.224 2 1RpXOf-0007eK-5X
    2012-01-26 13:32:01 1RpXOf-0007eK-5X ** morad772002@yahoo.com F= R=lookuphost T=remote_smtp: SMTP error from remote mail server after end of data: host mta5.am0.yahoodns.net [98.139.175.224]: 554 delivery error: dd This user doesn't have a yahoo.com account (morad772002@yahoo.com) [0] - mta1066.mail.bf1.yahoo.com
    2012-01-26 13:32:01 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1RpXOf-0007eK-5X
    2012-01-26 13:32:01 1RqNYf-0005Qj-0Y <= <> R=1RpXOf-0007eK-5X U=mailnull P=local S=1556 T="Mail delivery failed: returning message to sender" from <> for nobody@server.el-abda3.com
    2012-01-26 13:32:01 1RpXOf-0007eK-5X Completed
    2012-01-26 13:32:01 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1RqNYf-0005Qj-0Y
    2012-01-26 13:32:01 1RqNYf-0005Qj-0Y User 0 set for local_delivery transport is on the never_users list
    2012-01-26 13:32:01 1RqNYf-0005Qj-0Y == root@server.el-abda3.com (root@server.el-abda3.com, root@server.el-abda3.com)  R=localuser T=local_delivery defer (-29): User 0 set for local_delivery transport is on the never_users list
    2012-01-26 13:32:01 1RqNYf-0005Qj-0Y ** root@server.el-abda3.com : retry timeout exceeded
    2012-01-26 13:32:01 1RqNYf-0005Qj-0Y root@server.el-abda3.com : error ignored
    2012-01-26 13:32:01 1RqNYf-0005Qj-0Y Completed

    And here is an example of the messages:


    Code:
    ============
    1RpWgN-0000gT-8n-H
    nobody 99 99
    <nobody@server.el-abda3.com>
    1327374267 0
    -ident nobody
    -received_protocol local
    -body_linecount 3
    -max_received_linelength 70
    -auth_id nobody
    -auth_sender nobody@server.el-abda3.com
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -local
    XX
    1
    amnh1@ayne.com
    
    188P Received: from nobody by server.el-abda3.com with local (Exim 4.69)
    	(envelope-from <nobody@server.el-abda3.com>)
    	id 1RpWgN-0000gT-8n
    	for amnh1@ayne.com; Tue, 24 Jan 2012 05:04:27 +0200
    019T To: amnh1@ayne.com
    054  Subject: صفحة المصمم والمطور (zekuo)
    071F From: صفحة المصمم والمطور (zekuo) <zekuo@hotmail.com>
    018  MIME-Version: 1.0
    024  Content-Type: text/html
    052I Message-Id: <E1RpWgN-0000gT-8n@server.el-abda3.com>
    038  Date: Tue, 24 Jan 2012 05:04:27 +0200
    =====================
    
    Please help me to stop this, because I am afraid my server will be blocked by Hotmail and Gmail.

    My server is still sending mail fine, but I want to stop him.
    I even tried to limit hourly messages for every account, but nothing worked :(
     
    #1 el-abda3.com, Jan 26, 2012
    Last edited by a moderator: Jan 26, 2012
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    The following thread includes some steps you can take to prevent SPAM from being sent by the "nobody" user on your server:

    Exim Hardening Practices

    It also includes some configuration changes you can make that can help identify the source of the sender.

    Thank you.
     
  3. storminternet

    storminternet Well-Known Member

    I believe this has more to do with the vBulletin security that caused spam being received on your server.
    Exim logs clearly suggest that spam was being sent through
    It would be better if you also contact vB support for their advice on security tips.
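
One way to act on the log evidence discussed in this thread, as an added example (not code from the thread or from cPanel): it tallies the `cwd=` directories that invoked sendmail and the Message-ID domain on `P=local` arrivals, which still names the site when the user is `nobody`. The sample lines are constructed from the log quoted in the first post; `/home/otheruser`, the second `nobody` message and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample, modelled on the exim_mainlog lines quoted in the first post.
SAMPLE_LOG = """\
2012-01-26 13:31:28 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: exim -Mvh 1RpyrR-0002js-Gu
2012-01-26 13:31:58 cwd=/home/statmasr/public_html/vb 3 args: /usr/sbin/sendmail -t -i
2012-01-26 13:31:58 1RqNYc-0005QH-NX <= nobody@server.el-abda3.com U=nobody P=local S=2140 id=20120126113158.fefb1b4a2a24@www.stat-masr.com
2012-01-26 13:31:58 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1RqNYc-0005QH-NX
2012-01-26 13:32:01 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1RpXOf-0007eK-5X
2012-01-26 13:32:01 1RqNYf-0005Qj-0Y <= <> R=1RpXOf-0007eK-5X U=mailnull P=local S=1556
2012-01-26 13:32:05 cwd=/home/statmasr/public_html/vb 3 args: /usr/sbin/sendmail -t -i
2012-01-26 13:32:05 1RqNYk-0005Qp-1A <= nobody@server.el-abda3.com U=nobody P=local S=2101 id=20120126113205.aa01@www.stat-masr.com
2012-01-26 13:32:09 cwd=/home/otheruser/public_html 3 args: /usr/sbin/sendmail -t -i
"""

CWD_RE = re.compile(r"^\S+ \S+ cwd=(\S+) \d+ args: (\S+)(.*)$")
ARRIVAL_RE = re.compile(r"^\S+ \S+ \S+ <= \S+ .*\bU=(\S+) P=local\b(?:.*\sid=\S*@(\S+))?")

def submitting_dirs(log):
    """Count working directories from which a message was submitted locally."""
    dirs = Counter()
    for line in log.splitlines():
        m = CWD_RE.match(line)
        if not m:
            continue
        cwd, cmd, rest = m.groups()
        # Exim's own queue runs and bounce generation start in its spool directory.
        if cwd.startswith("/var/spool/exim"):
            continue
        # sendmail-style submission: the sendmail binary, or exim reading recipients (-t).
        if cmd.rsplit("/", 1)[-1] == "sendmail" or "-t" in rest.split():
            dirs[cwd] += 1
    return dirs

def local_senders(log):
    """Count (unix user, Message-ID domain) pairs for locally submitted mail."""
    senders = Counter()
    for line in log.splitlines():
        m = ARRIVAL_RE.match(line)
        if m:
            senders[(m.group(1), m.group(2) or "-")] += 1
    return senders

if __name__ == "__main__":
    for cwd, n in submitting_dirs(SAMPLE_LOG).most_common():
        print(n, cwd)
    for (user, domain), n in local_senders(SAMPLE_LOG).most_common():
        print(n, user, domain)
```

To run it against a real log, pass the contents of `/var/log/exim_mainlog` to both functions instead of `SAMPLE_LOG`.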
     