Problem: e-mails from my server and I can't stop it, every day over 50.000

el-abda3.com

Hello,

I have one of my servers which is being attacked by an Arabic spammer,
and I don't know who this is.
I tried a lot but can't find out who he is.

The messages are from nobody.
Here is an example from my Exim log:

Displaying the last 30 lines of /var/log/exim_mainlog...

Code:
2012-01-26 13:31:28 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: exim -Mvh 1RpyrR-0002js-Gu
2012-01-26 13:31:28 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: exim -Mvh 1RpyrT-0002nv-4Q
2012-01-26 13:31:28 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: exim -Mvh 1RpyrT-0002p4-FB
2012-01-26 13:31:28 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: exim -Mvh 1RpyrT-0002p8-Fh
2012-01-26 13:31:28 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: exim -Mvh 1RpyrU-0002qd-La
2012-01-26 13:31:28 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: exim -Mvh 1RpyrU-0002qi-MS
2012-01-26 13:31:28 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: exim -Mvh 1RpyrY-0002z0-6y
2012-01-26 13:31:28 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: exim -Mvh 1RpyrY-0002zs-Ra
2012-01-26 13:31:28 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: exim -Mvh 1RpyrZ-00031n-8p
2012-01-26 13:31:28 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: exim -Mvh 1Rpyra-000334-1Z
2012-01-26 13:31:28 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: exim -Mvh 1Rpyrc-00033v-3S
2012-01-26 13:31:28 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: exim -Mvh 1Rq9l2-0000nH-9L
2012-01-26 13:31:28 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: exim -Mvh 1RqIph-0002lE-Fg
2012-01-26 13:31:28 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: exim -Mvh 1RqIpn-0002mk-Nh
2012-01-26 13:31:58 cwd=/home/statmasr/public_html/vb 3 args: /usr/sbin/sendmail -t -i
2012-01-26 13:31:58 1RqNYc-0005QH-NX <= [email protected] U=nobody P=local S=2140 [email protected] T="=?windows-1256?q?=D8=E1=C8_=CA=DD=DA=ED=E1_=C7=E1=DA=D6=E6=ED=C9_=DD=ED_=E3=E4=CA=CF=EC_=D3=CA=C7=CA" from  for [email protected]
2012-01-26 13:31:58 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1RqNYc-0005QH-NX
2012-01-26 13:32:00 1RqNYc-0005QH-NX => [email protected] F= R=lookuphost T=remote_smtp S=2497 H=mta5.am0.yahoodns.net [98.139.175.224] C="250 ok dirdel"
2012-01-26 13:32:00 1RqNYc-0005QH-NX Completed
2012-01-26 13:32:00 cwd=/var/spool/exim 9 args: /usr/sbin/exim -MCS -MCP -MC remote_smtp mta5.am0.yahoodns.net 98.139.175.224 2 1RpXOf-0007eK-5X
2012-01-26 13:32:01 1RpXOf-0007eK-5X ** [email protected] F= R=lookuphost T=remote_smtp: SMTP error from remote mail server after end of data: host mta5.am0.yahoodns.net [98.139.175.224]: 554 delivery error: dd This user doesn't have a yahoo.com account ([email protected]) [0] - mta1066.mail.bf1.yahoo.com
2012-01-26 13:32:01 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1RpXOf-0007eK-5X
2012-01-26 13:32:01 1RqNYf-0005Qj-0Y <= <> R=1RpXOf-0007eK-5X U=mailnull P=local S=1556 T="Mail delivery failed: returning message to sender" from <> for [email protected]
2012-01-26 13:32:01 1RpXOf-0007eK-5X Completed
2012-01-26 13:32:01 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1RqNYf-0005Qj-0Y
2012-01-26 13:32:01 1RqNYf-0005Qj-0Y User 0 set for local_delivery transport is on the never_users list
2012-01-26 13:32:01 1RqNYf-0005Qj-0Y == [email protected] ([email protected], [email protected])  R=localuser T=local_delivery defer (-29): User 0 set for local_delivery transport is on the never_users list
2012-01-26 13:32:01 1RqNYf-0005Qj-0Y ** [email protected] : retry timeout exceeded
2012-01-26 13:32:01 1RqNYf-0005Qj-0Y [email protected] : error ignored
2012-01-26 13:32:01 1RqNYf-0005Qj-0Y Completed

And here is an example of the messages:


Code:
============
1RpWgN-0000gT-8n-H
nobody 99 99
<[email protected]>
1327374267 0
-ident nobody
-received_protocol local
-body_linecount 3
-max_received_linelength 70
-auth_id nobody
-auth_sender [email protected]
-allow_unqualified_recipient
-allow_unqualified_sender
-local
XX
1
[email protected]

188P Received: from nobody by server.el-abda3.com with local (Exim 4.69)
	(envelope-from <[email protected]>)
	id 1RpWgN-0000gT-8n
	for [email protected]; Tue, 24 Jan 2012 05:04:27 +0200
019T To: [email protected]
054  Subject: صفحة المصمم والمطور (zekuo)
071F From: صفحة المصمم والمطور (zekuo) <[email protected]>
018  MIME-Version: 1.0
024  Content-Type: text/html
052I Message-Id: <[email protected]>
038  Date: Tue, 24 Jan 2012 05:04:27 +0200
=====================
Please help me to stop this, because I'm afraid my server will be blocked by Hotmail and Gmail.

My server is still sending mails fine, but I want to stop him.
I even tried to limit hourly messages for every account, but nothing was done :(

cPanelMichael

Administrator
Staff member
Hello :)

The following thread includes some steps you can take to prevent SPAM from being sent by the "nobody" user on your server:

Exim Hardening Practices

It also includes some configuration changes you can make that can help identify the source of the sender.

Thank you.

storminternet

Well-Known Member
I believe this has more to do with vBulletin security, which caused spam to be received on your server.
The Exim logs clearly suggest that spam was being sent through
cwd=/home/statmasr/public_html/vb
It would be better if you also contact vB support for their advice on security tips.
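An added example (not code from the thread) of the kind of log check behind the reply above: it pairs each `sendmail` invocation in exim_mainlog with the `<=` acceptance line that follows it and counts, per working directory, how many messages were injected by the `nobody` user. The sample log is constructed in the thread's format with placeholder addresses; the `/home/statmasr/public_html/vb` path is the one from the thread.

```python
import re
from collections import Counter

# Constructed sample in the format of the thread's exim_mainlog excerpt
# (addresses are placeholders, the vb path is the one quoted in the thread).
SAMPLE_LOG = """\
2012-01-26 13:31:28 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: exim -Mvh 1RpyrR-0002js-Gu
2012-01-26 13:31:58 cwd=/home/statmasr/public_html/vb 3 args: /usr/sbin/sendmail -t -i
2012-01-26 13:31:58 1RqNYc-0005QH-NX <= nobody@server.example U=nobody P=local S=2140 T="x" from <nobody@server.example> for victim@example.net
2012-01-26 13:31:58 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1RqNYc-0005QH-NX
2012-01-26 13:32:05 cwd=/home/statmasr/public_html/vb 3 args: /usr/sbin/sendmail -t -i
2012-01-26 13:32:05 1RqNYd-0005QI-AA <= nobody@server.example U=nobody P=local S=2100 T="y" from <nobody@server.example> for other@example.org
2012-01-26 13:32:09 cwd=/home/otheruser/public_html 3 args: /usr/sbin/sendmail -t -i
2012-01-26 13:32:09 1RqNYe-0005QJ-BB <= otheruser@server.example U=otheruser P=local S=900 T="hi" from <otheruser@server.example> for friend@example.com
"""

# A "cwd=... args: .../sendmail ..." line records which directory the
# script calling sendmail was running in (needs Exim's log_selector +arguments).
SENDMAIL_RE = re.compile(r'^\S+ \S+ cwd=(?P<cwd>\S+) \d+ args: \S*sendmail\b')
# The "<=" line that follows records the Unix user (U=) the message came from.
ACCEPT_RE = re.compile(r'^\S+ \S+ (?P<id>\S+) <= .* U=(?P<user>\S+) ')


def spam_origins(log_text, user="nobody"):
    """Count, per working directory, messages injected locally by `user`.

    Each sendmail invocation is paired with the next '<=' acceptance line;
    other lines (exim -Mc, deliveries, cPanel's exim -Mvh) are ignored.
    On a very busy server lines can interleave, so treat the counts as
    a pointer to the script directory to inspect, not as exact totals.
    """
    counts = Counter()
    pending_cwd = None
    for line in log_text.splitlines():
        m = SENDMAIL_RE.match(line)
        if m:
            pending_cwd = m.group("cwd")
            continue
        m = ACCEPT_RE.match(line)
        if m and pending_cwd is not None:
            if m.group("user") == user:
                counts[pending_cwd] += 1
            pending_cwd = None
    return counts


def worst_origin(log_text, user="nobody"):
    """Return (directory, count) with the most injections, or None."""
    ranked = spam_origins(log_text, user).most_common(1)
    return ranked[0] if ranked else None


if __name__ == "__main__":
    for cwd, n in spam_origins(SAMPLE_LOG).most_common():
        print(f"{n:6d}  {cwd}")
```

On a real server the same functions can be fed the contents of /var/log/exim_mainlog; the top directory is the web application to inspect.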