The Community Forums


Serious SPAM Help !!

Discussion in 'General Discussion' started by PDW, Apr 18, 2006.

  1. PDW

    PDW Well-Known Member

    I need some serious help with a SPAM issue on my server. Starting a few weeks ago the server load jumped and I saw a huge increase in the amount of SPAM being sent from the server. This is odd since I have everything installed and blocked properly. Running pop before smtp, phpsuexec etc... I have mod_sec. installed, and I am tracking all of the emails. I have checked for insecure scripts....

    In fact this is on one of my own domains that I own myself.
    Relaying is closed and tested.
    All updates are done and running.
    APF firewall up and running as well as bfd


    I tracked the email logs and here is an example that I got today on this
    2006-04-18 05:21:10 1FVpCf-00013R-UX <= incident@s2.swat1.com U=incident P=local S=4517 T="Voce recebeu um cartao" from <incident@s2.swat1.com> for igfreit$
    2006-04-18 05:21:10 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1FVpCf-00013R-UX

    I have changed the "Incident" Password, that does not do anything.

    Any other suggestions?
     
  2. AndyReed

    AndyReed Well-Known Member
    Track down the script used to send out email.
     
  3. PDW

    PDW Well-Known Member

    It's not a script. There are no scripts there in that location.
     
  4. chirpy

    chirpy Well-Known Member

    The following might provide more information:

    grep 1FVpCf-00013R-UX /var/log/exim_mainlog

    The log line does suggest that the email was sent from within the incident but locally on the server (i.e. not from an external email client).
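
The reading of the log line given above (U= names the local user, P=local means the message was submitted on the server itself), as an added example that is not from any poster in this thread: Python that counts P=local arrivals per U= user in Exim main-log lines and lists cwd= directories outside Exim's own spool. The first two sample lines are the ones quoted in the thread; the other three lines, the user `exampleuser` and the path `/home/exampleuser/public_html/form` are constructed.

```python
import re
from collections import Counter

# Arrival line: "<date> <time> <msgid> <= <sender> U=... P=... S=... T="...""
ARRIVAL = re.compile(r'^\S+ \S+ (?P<id>\w{6}-\w{6}-\w{2}) <= (?P<sender>\S+)(?P<rest>.*)$')
# Single-letter fields such as U=, P=, S=, A=, T= (T= is a quoted string)
FIELD = re.compile(r'\b([A-Z])=("(?:[^"\\]|\\.)*"|\S+)')
# cwd line: working directory and arguments of the process that invoked exim
CWD = re.compile(r'^\S+ \S+ cwd=(?P<cwd>\S+) \d+ args: (?P<args>.*)$')

# First two lines are the ones quoted in the thread; the remaining three are constructed.
SAMPLE = [
    '2006-04-18 05:21:10 1FVpCf-00013R-UX <= incident@s2.swat1.com U=incident P=local S=4517 T="Voce recebeu um cartao" from <incident@s2.swat1.com> for igfreit$',
    '2006-04-18 05:21:10 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1FVpCf-00013R-UX',
    '2006-04-18 05:21:40 cwd=/home/exampleuser/public_html/form 3 args: /usr/sbin/sendmail -t -i',
    '2006-04-18 05:21:40 1FVpD9-00014B-2k <= exampleuser@host.example U=exampleuser P=local S=2210 T="constructed subject" from <exampleuser@host.example> for someone@example.net',
    '2006-04-18 05:22:02 1FVpDV-00014Q-7a <= alice@example.org H=(laptop) [192.0.2.10] P=esmtpa A=fixed_login:alice S=1893 T="constructed remote message" from <alice@example.org> for bob@example.net',
]

def summarize(lines):
    """Count P=local arrivals per U= user and collect non-spool cwd directories."""
    local_by_user, cwd_dirs, remote = Counter(), Counter(), []
    for line in lines:
        line = line.strip()
        m = ARRIVAL.match(line)
        if m:
            fields = {k: v.strip('"') for k, v in FIELD.findall(m['rest'])}
            if fields.get('P') == 'local':
                # Submitted by a process on the server, running as the U= user
                local_by_user[fields.get('U', '?')] += 1
            else:
                # Arrived over SMTP; keep protocol and authenticator for review
                remote.append((m['id'], fields.get('P'), fields.get('A')))
            continue
        m = CWD.match(line)
        # /var/spool/exim is exim's own queue/delivery work (e.g. -Mc), not a submitter
        if m and not m['cwd'].startswith('/var/spool/exim'):
            cwd_dirs[m['cwd']] += 1
    return {'local_by_user': dict(local_by_user),
            'cwd_dirs': dict(cwd_dirs),
            'remote': remote}

if __name__ == '__main__':
    for key, value in summarize(SAMPLE).items():
        print(key, value)
```

To run it against a real log, pass the lines of `/var/log/exim_mainlog` to `summarize()` instead of `SAMPLE`.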
     