[email protected] (Well-Known Member, Mar 5, 2002, Los Angeles California):
Hi guys,

I am running into a serious problem here.
There is a script on my server that is using sendmail to send to the same email over and over again non-stop. And there is no way to stop them. Here is what I get when I do a tail -f /var/log/exim_mainlog:

2004-10-18 05:39:12 1CJWnW-0002v2-43 <= [email protected] U=nobody P=local S=314
2004-10-18 05:39:13 1CJWmW-0002kz-G3 => [email protected] R=lookuphost T=remote_smtp H=mx3.hotmail.com [65.54.253.99]
2004-10-18 05:39:13 1CJWnW-0002v0-18 <= [email protected] U=nobody P=local S=320
2004-10-18 05:39:13 1CJWnV-0002uy-Sw <= [email protected] U=nobody P=local S=314
2004-10-18 05:39:13 1CJWmW-0002kz-G3 Completed
2004-10-18 05:39:13 1CJWnW-0002v7-TR <= [email protected] U=nobody P=local S=314
2004-10-18 05:39:13 1CJWmY-0002lJ-98 Failed to get write lock for /var/spool/exim/db/wait-remote_smtp.lockfile: timed out
2004-10-18 05:39:13 1CJWmX-0002lE-QB Failed to get write lock for /var/spool/exim/db/wait-remote_smtp.lockfile: timed out
2004-10-18 05:39:13 1CJWmY-0002lJ-98 => [email protected] R=lookuphost T=remote_smtp H=mx3.hotmail.com [65.54.167.5]
2004-10-18 05:39:13 1CJWmX-0002lE-QB => [email protected] R=lookuphost T=remote_smtp H=mx1.hotmail.com [65.54.252.99]
2004-10-18 05:39:13 1CJWmX-0002lE-QB Completed
2004-10-18 05:39:13 1CJWmX-0002l9-DT => [email protected] R=lookuphost T=remote_smtp H=mx3.hotmail.com [65.54.253.99]
2004-10-18 05:39:13 1CJWmY-0002lJ-98 Completed
2004-10-18 05:39:13 1CJWmX-0002l9-DT Completed
2004-10-18 05:39:14 1CJWmX-0002lB-Lz => [email protected] R=lookuphost T=remote_smtp H=mx2.hotmail.com [65.54.252.230]
2004-10-18 05:39:14 1CJWnX-0002vH-Ff <= [email protected] U=nobody P=local S=314
2004-10-18 05:39:14 1CJWmX-0002lB-Lz Completed
2004-10-18 05:39:14 1CJWnX-0002v9-44 <= [email protected] U=nobody P=local S=320
2004-10-18 05:39:14 1CJWmZ-0002lV-Ph => [email protected] R=lookuphost T=remote_smtp H=mx3.hotmail.com [65.54.167.5]
2004-10-18 05:39:14 1CJWnX-0002vF-C7 <= [email protected] U=nobody P=local S=314
2004-10-18 05:39:14 1CJWmZ-0002lV-Ph Completed
2004-10-18 05:39:14 1CJWnY-0002vQ-4h <= [email protected]

Thanks in advance for taking the time to check out this problem.
 

Aric1 (Well-Known Member, Oct 15, 2003, cPanel Access Level: DataCenter Provider):
You sound like you know what script it is... to stop it is easy... remove it. They can't use a script to send mail if it isn't there anymore. ;)

If you don't know where the script is... take a look at these messages in your mail queue. If you have exim set to do so, it adds several X headers that append info that can help you track down the problem. In fact, it will actually list the script used and its location.

Then just remove the offending script and contact the owner of the account. Likely they are using an insecure mailing script and a spammer is taking advantage of this.
 

LiNUxG0d (Well-Known Member, Jun 25, 2003, Gatineau, Quebec, Canada):
Just for the heck of it, add this to your /etc/exim.conf after "hostlist auth_relay_hosts = *"

log_selector = \
+address_rewrite \
+all_parents \
+arguments \
+connection_reject \
+delay_delivery \
+delivery_size \
+dnslist_defer \
+incoming_interface \
+incoming_port \
+lost_incoming_connection \
+queue_run \
+received_sender \
+received_recipients \
+retry_defer \
+sender_on_delivery \
+size_reject \
+skip_delivery \
+smtp_confirmation \
+smtp_connection \
+smtp_protocol_error \
+smtp_syntax_error \
+subject \
+tls_cipher \
+tls_peerdn

In my opinion, default Exim 4 doesn't run enough logging. This way, you can see what's going out, from where, sizes, subjects, scripts that execute the mail send, etc.

Pretty cool! :)

LMK!
 
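Two passages in this thread call for one worked example: the opening log excerpt, where the task is to spot that a single local submitter (U=nobody) is injecting several messages per second, and LiNUxG0d's log_selector, whose +arguments, +subject and +received_recipients selectors add the "cwd=... N args:" line, the T="..." subject and the "for <recipient>" to each arrival so the script's directory can be read straight off the log. The Python below is an added example, not code from the thread or from cPanel. It parses a constructed exim_mainlog sample (modelled on the lines above, with made-up hosts, paths, addresses and subjects), pairs each local arrival with the preceding cwd/args line, and reports which (user, envelope sender, script directory) is bursting. The pairing is a heuristic: Exim writes the args line when the process starts and the "<=" line when the message is received, and the two share no key unless +pid is also logged, so concurrent submissions can be mis-paired.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/exim_mainlog with the thread's log_selector
# in effect: "cwd=... N args:" lines from +arguments, T="..." from +subject,
# "for <rcpt>" from +received_recipients.  Hosts, paths, addresses and
# subjects are made up; the shape follows the excerpt in the first post.
SAMPLE_LOG = """\
2004-10-18 05:39:12 cwd=/home/victim/public_html/cgi-bin 3 args: /usr/sbin/sendmail -t -i
2004-10-18 05:39:12 1CJWnW-0002v2-43 <= nobody@srv.example.net U=nobody P=local S=314 T="cheap meds" for target@hotmail.example
2004-10-18 05:39:13 cwd=/home/victim/public_html/cgi-bin 3 args: /usr/sbin/sendmail -t -i
2004-10-18 05:39:13 1CJWnW-0002v0-18 <= nobody@srv.example.net U=nobody P=local S=320 T="cheap meds" for target@hotmail.example
2004-10-18 05:39:13 1CJWmW-0002kz-G3 => target@hotmail.example R=lookuphost T=remote_smtp H=mx3.hotmail.example [192.0.2.25]
2004-10-18 05:39:13 cwd=/home/victim/public_html/cgi-bin 3 args: /usr/sbin/sendmail -t -i
2004-10-18 05:39:13 1CJWnV-0002uy-Sw <= nobody@srv.example.net U=nobody P=local S=314 T="cheap meds" for target@hotmail.example
2004-10-18 05:39:13 1CJWmW-0002kz-G3 Completed
2004-10-18 05:39:13 cwd=/home/victim/public_html/cgi-bin 3 args: /usr/sbin/sendmail -t -i
2004-10-18 05:39:13 1CJWnW-0002v7-TR <= nobody@srv.example.net U=nobody P=local S=314 T="cheap meds" for target@hotmail.example
2004-10-18 05:39:13 cwd=/home/victim/public_html/cgi-bin 3 args: /usr/sbin/sendmail -t -i
2004-10-18 05:39:13 1CJWnX-0002vH-Ff <= nobody@srv.example.net U=nobody P=local S=314 T="cheap meds" for target@hotmail.example
2004-10-18 05:39:14 cwd=/home/victim/public_html/cgi-bin 3 args: /usr/sbin/sendmail -t -i
2004-10-18 05:39:14 1CJWnX-0002v9-44 <= nobody@srv.example.net U=nobody P=local S=320 T="cheap meds" for target@hotmail.example
2004-10-18 05:39:14 1CJWnZ-0002w1-Aa <= alice@example.org H=(laptop) [192.0.2.10] P=esmtpa A=login:alice S=1200 T="lunch?" for bob@example.org
"""

ARGS_RE = re.compile(r"^(?P<ts>\S+ \S+) cwd=(?P<cwd>\S+) \d+ args: (?P<args>.*)$")
RECV_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+)(?P<rest>.*)$")


def _field(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None


def parse_mainlog(text):
    """One record per message arrival ("<=" line); "=>", "Completed" and
    error lines are skipped.  The preceding "cwd=... args:" line (from
    +arguments) is attached to the next P=local arrival.  Heuristic: the
    two lines share no key unless +pid is logged, so concurrent
    submissions can be mis-paired."""
    records, pending = [], None
    for line in text.splitlines():
        m = ARGS_RE.match(line)
        if m:
            pending = {"cwd": m.group("cwd"), "args": m.group("args")}
            continue
        m = RECV_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        size = _field(r"\bS=(\d+)", rest)
        rec = {
            "ts": m.group("ts"),
            "id": m.group("id"),
            "sender": m.group("sender"),
            "user": _field(r"\bU=(\S+)", rest),       # unix user, local submissions only
            "proto": _field(r"\bP=(\S+)", rest),      # local, esmtp, esmtpa, ...
            "size": int(size) if size else 0,
            "subject": _field(r'\bT="([^"]*)"', rest),
            "rcpt": _field(r"\bfor (\S+)", rest),
            "cwd": None,
            "args": None,
        }
        if rec["proto"] == "local" and pending:
            rec.update(pending)
            pending = None
        records.append(rec)
    return records


def find_bursts(records, per_second=3):
    """Flag each (unix user, envelope sender, script cwd) that injected at
    least per_second local messages within a single logged second."""
    counts = Counter()
    for r in records:
        if r["proto"] == "local":
            counts[((r["user"], r["sender"], r["cwd"]), r["ts"])] += 1
    bursts = defaultdict(list)
    for (key, ts), n in counts.items():
        if n >= per_second:
            bursts[key].append((ts, n))
    return {k: sorted(v) for k, v in bursts.items()}


def summarize_local(records):
    """Per (user, cwd): message count, distinct recipients, subjects, argv."""
    out = {}
    for r in records:
        if r["proto"] != "local":
            continue
        s = out.setdefault((r["user"], r["cwd"]),
                           {"messages": 0, "recipients": set(), "subjects": set(), "args": set()})
        s["messages"] += 1
        for k, v in (("recipients", r["rcpt"]), ("subjects", r["subject"]), ("args", r["args"])):
            if v:
                s[k].add(v)
    return out


if __name__ == "__main__":
    recs = parse_mainlog(SAMPLE_LOG)
    for key, hits in find_bursts(recs).items():
        print("burst: user=%s sender=%s cwd=%s -> %s" % (key + (hits,)))
    for key, s in summarize_local(recs).items():
        print(key, s["messages"], "msgs", sorted(s["recipients"]), sorted(s["subjects"]))
```

On a real box, call parse_mainlog() on the contents of /var/log/exim_mainlog instead of SAMPLE_LOG; the cwd in the flagged key is the directory the script ran from, which is the starting point for Aric1's advice to pull the script and contact the account owner.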

Marty (Well-Known Member, Oct 10, 2001):
LiNUxG0d said:
Just for the heck of it, add this to your /etc/exim.conf after "hostlist auth_relay_hosts = *"

log_selector = \
+address_rewrite \
+all_parents \
+arguments \
+connection_reject \
+delay_delivery \
+delivery_size \
+dnslist_defer \
+incoming_interface \
+incoming_port \
+lost_incoming_connection \
+queue_run \
+received_sender \
+received_recipients \
+retry_defer \
+sender_on_delivery \
+size_reject \
+skip_delivery \
+smtp_confirmation \
+smtp_connection \
+smtp_protocol_error \
+smtp_syntax_error \
+subject \
+tls_cipher \
+tls_peerdn

In my opinion, default Exim 4 doesn't run enough logging. This way, you can see what's going out, from where, sizes, subjects, scripts that execute the mail send, etc.

Pretty cool! :)

LMK!
I just tested this by going to the exim advanced configuration editor in WHM and putting it in the very first text box at the top of the exim configuration file. It seems to work there as well.
 

LiNUxG0d (Well-Known Member, Jun 25, 2003, Gatineau, Quebec, Canada):
Yep!

I'm just a shell-whore, so, y'know... ;) I post what works for me. :) Definitely though, you're right. I believe cPanel should consider adding an exim "Logging" feature for enhanced logging. It can be VERY handy.

Like, when you:

tail -f /var/log/exim_mainlog | grep viagra

;)

You could even create your own spam scanner if you wanted at that point. ;)

Glad you gave it a whirl. LMK if you think it's handy.

J
 

Marty (Well-Known Member, Oct 10, 2001):
LiNUxG0d said:
Yep!

I'm just a shell-whore, so, y'know... ;) I post what works for me. :) Definitely though, you're right. I believe cPanel should consider adding an exim "Logging" feature for enhanced logging. It can be VERY handy.

Like, when you:

tail -f /var/log/exim_mainlog | grep viagra

;)

You could even create your own spam scanner if you wanted at that point. ;)

Glad you gave it a whirl. LMK if you think it's handy.

J
Yeah, I do most from shell, but I figured if it worked through the WHM configuration editor, I wouldn't have to worry about cPanel updates overwriting it. I have sent a few messages from scripts, and the logging is really good. It gives you the complete path to the script and all arguments that were used by that script to execute sendmail.
 

LiNUxG0d (Well-Known Member, Jun 25, 2003, Gatineau, Quebec, Canada):
Sweetness. :)

Enjoy!

Wait, are you telling me that editing exim.conf through the WHM prevents over-writes?! EGAD! I never knew that!!!

Can you confirm this? We have a script copying a ghosted version over after CP updates.

Let me know.
 

nickn (Well-Known Member, PartnerNOC, Jun 15, 2003):
LiNUxG0d said:
Sweetness. :)

Enjoy!

Wait, are you telling me that editing exim.conf through the WHM prevents over-writes?! EGAD! I never knew that!!!

Can you confirm this? We have a script copying a ghosted version over after CP updates.

Let me know.
That's the point of it. Whatever you put into the WHM Exim text fields will be replaced on upgrades, as opposed to what you put directly in the exim.conf, which is erased :)
 

[email protected] (Well-Known Member, Mar 5, 2002, Los Angeles California):
Kicks major ass.
This is really good stuff.
Wonder why Cpanel doesn't make it the default configuration.
 

LiNUxG0d (Well-Known Member, Jun 25, 2003, Gatineau, Quebec, Canada):
Hopefully, if this thread makes enough waves, they'll add an option. Frankly, I don't know why they don't add some extensive exim features.

They could add easy blacklist editing, DNS-based SBLs (Spamcop, Spamhaus, SORBS) and others. I don't see why they don't do it.

Best example, one specific IP is sending lots of mail to my server for "Viagra", why can't I just go into cPanel WHM, add an IP to a Blacklist Hostlist (ACL) and then boom, blocked from sending mail to my machine.

Bill Gates once commented in an interview saying, "I don't release new versions of my software to fix bugs, but to implement features."

In my mind, I hope cPanel takes into consideration that Mail/Spam plays a SERIOUS role in everyday internet life and it should be offered some flexibility. :)

I'm glad I could provide some advanced features for all to see. I might just add a new thread altogether, repeating them. :)

Warmest regards,

J
Kiosk.ws
 

Marty (Well-Known Member, Oct 10, 2001):
LiNUxG0d said:
Wait, are you telling me that editing exim.conf through the WHM prevents over-writes?! EGAD! I never knew that!!!

That's exactly what I was saying, and yes, I can confirm that. As nickn said, that is the whole reason for the editing boxes in WHM.
 

anand (Well-Known Member, Nov 11, 2002, India, cPanel Access Level: DataCenter Provider):
LiNUxG0d said:
Hopefully, if this thread makes enough waves, they'll add an option. Frankly, I don't know why they don't add some extensive exim features.

They could add easy blacklist editing, DNS-based SBLs (Spamcop, Spamhaus, SORBS) and others. I don't see why they don't do it.

Best example, one specific IP is sending lots of mail to my server for "Viagra", why can't I just go into cPanel WHM, add an IP to a Blacklist Hostlist (ACL) and then boom, blocked from sending mail to my machine.

Bill Gates once commented in an interview saying, "I don't release new versions of my software to fix bugs, but to implement features."

In my mind, I hope cPanel takes into consideration that Mail/Spam plays a SERIOUS role in everyday internet life and it should be offered some flexibility. :)

I'm glad I could provide some advanced features for all to see. I might just add a new thread altogether, repeating them. :)

Warmest regards,

J
Kiosk.ws
Adding exim features is one thing, blocking IPs is another. cPanel is a control panel and is present to assist. If you want to block an IP, just put an iptables rule in place to drop all traffic from that IP.

You can use the rule below to block all traffic from any IP:

iptables -I INPUT -s SOURCEIP -j DROP

Replace SOURCEIP with the IP you want to block traffic from.
 

anand (Well-Known Member, Nov 11, 2002, India, cPanel Access Level: DataCenter Provider):
LiNUxG0d said:
Wait, are you telling me that editing exim.conf through the WHM prevents over-writes?! EGAD! I never knew that!!!

Can you confirm this? We have a script copying a ghosted version over after CP updates.

Let me know.
The whole idea of cPanel releasing the WHM exim editor was that any changes a user makes will survive any future cPanel/exim update. Even though the WHM exim editor offers limited changes, it still saves a lot of time in checking changes to exim.conf after every exim/cPanel update.
 

[email protected] (Well-Known Member, Mar 5, 2002, Los Angeles California):
Right, great, my post got stickified. :(

Now everybody knows how terrible I am at server management... :(
But I'm a skinner, not an Apache prodigy, so I guess it's understandable, yeah? :D
 