The Community Forums


Server used In Spam Sending

Discussion in 'General Discussion' started by viisage, Dec 14, 2002.

  1. viisage

    viisage Member

    Joined:
    Aug 30, 2002
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    Since the 7th of December, my server has been the subject of massive spam sending every day. They have been sending about 1000 emails out at a time.

    The bad thing is that they are showing up as me. They are sending advertisements for my web hosting services.

    I have checked and made sure all 1.6 versions of formmail are deleted.

    I have added rbl_domains = to exim.conf and restarted exim numerous times.

    This morning the bounced-back emails were almost 700. I cannot live like this anymore!

    cPanel support has been of no help really since it started, nor has my NOC.

    Can someone help me get this fixed please as soon as possible?

    I just don't know what else to do. //viisage
     
  2. techark

    techark Well-Known Member

    Joined:
    May 22, 2002
    Messages:
    280
    Likes Received:
    0
    Trophy Points:
    16
    Have you grepped exim_mainlog to find the sending IP number?
    Once you get that, null route them from your server.
     
  3. viisage

    How do I do that? I would like to bar these IPs from the server completely. //
     
  4. techark

    /sbin/route add -host xxx.xxx.xxx.xxx reject

    where xxx is the IP to ban

    This will kill all incoming and outgoing connections from that IP until you reboot the server.

    However, if you reboot the server, the null route is gone.

    If you would like to save the null routes after rebooting to protect you in the future, add the commands to /etc/rc.d/rc.local and it will re-execute them when the server comes back online.
     
  5. viisage

    If I look at exim_mainlog, how can I tell which ip to add?
     
  6. viisage

    Here is the first instance of the issue from exim_mainlog:

    2002-12-07 15:41:38 18Kndi-0005rI-00 <= hi@elite-domains.com H=(ttoqmil) [64.35.163.110] P=smtp S=1247 id=qhohpmjopoljlbkrdhsolmahggdlbn@Jim
    2002-12-07 15:41:38 18Kndi-0005rI-00 => mail <25@elite-domains.com> D=virtual_user T=virtual_userdelivery
     
  7. viisage

    Actually, here is a better example. Can you add an IP address range?

    2002-12-07 15:41:46 18Kndp-0005rR-00 <= hi@elite-domains.com H=(fkaicgo) [64.35.163.110] P=smtp S=1250 id=atdjcrhneobriolhdhlnknsklchrmq@Mike
    2002-12-07 15:41:46 18Kndp-0005rP-00 => elitedomains@hotmail.com <21@elite-domains.com> R=lookuphost T=remote_smtp H=mx1.hotmail.com [65.54.166.99]
    2002-12-07 15:41:46 18Kndp-0005rR-00 => mail <18@elite-domains.com> D=virtual_user T=virtual_userdelivery
    2002-12-07 15:41:46 18Kndp-0005rR-00 => elitedomains@hotmail.com <18@elite-domains.com> R=lookuphost T=remote_smtp H=mx1.hotmail.com [65.54.254.129]
    2002-12-07 15:41:47 18Kndr-0005rU-00 <= hi@elite-domains.com H=(kgtihsb) [64.35.163.110] P=smtp S=1250 id=ailghslclhqiasqrboaephcrgnnejk@Bill
    2002-12-07 15:41:47 18Kndr-0005rU-00 => mail <75@elite-domains.com> D=virtual_user T=virtual_userdelivery
    2002-12-07 15:41:48 18Kndr-0005rU-00 => elitedomains@hotmail.com <75@elite-domains.com> R=lookuphost T=remote_smtp H=mx4.hotmail.com [65.54.254.151]
    2002-12-07 15:41:48 18Knds-0005rV-00 <= hi@elite-domains.com H=(gfrhchg) [64.35.163.110] P=smtp S=1252 id=qbsoqrlcbrpjsoehhcnhhrkebjpkek@James
    2002-12-07 15:41:48 18Knds-0005rV-00 => mail <65@elite-domains.com> D=virtual_user T=virtual_userdelivery
    2002-12-07 15:41:49 18Knds-0005rV-00 => elitedomains@hotmail.com <65@elite-domains.com> R=lookuphost T=remote_smtp H=mx4.hotmail.com [65.54.253.230]
    2002-12-07 15:41:51 18Kndv-0005rS-00 <= hi@elite-domains.com H=(osgecke) [64.35.163.110] P=smtp S=1250 id=mqrbhentkekahnqeiojqiqsskqgsfq@Alex
    2002-12-07 15:41:51 18Kndv-0005rS-00 => mail <56@elite-domains.com> D=virtual_user T=virtual_userdelivery
    2002-12-07 15:41:52 18Kndv-0005rS-00 => elitedomains@hotmail.com <56@elite-domains.com> R=lookuphost T=remote_smtp H=mx4.hotmail.com [65.54.254.151]
    2002-12-07 15:41:52 18Kndw-0005rT-00 <= hi@elite-domains.com H=(tpencol) [64.35.163.110] P=smtp S=1248 id=hdjlhrspsmkmbkebliaddiajjcbsih@Jim
    2002-12-07 15:41:52 18Kndw-0005rT-00 => mail <71@elite-domains.com> D=virtual_user T=virtual_userdelivery
    2002-12-07 15:41:53 18Kndw-0005rT-00 => elitedomains@hotmail.com <71@elite-domains.com> R=lookuphost T=remote_smtp H=mx4.hotmail.com [65.54.254.151]
    2002-12-07 15:41:53 18Kndx-0005rW-00 <= hi@elite-domains.com H=(rbqhfgl) [64.35.163.110] P=smtp S=1250 id=fkearckcnqmpeaceadgkitrpmcdfds@Adam
    2002-12-07 15:41:53 18Kndx-0005rW-00 => mail <70@elite-domains.com> D=virtual_user T=virtual_userdelivery
    2002-12-07 15:41:54 18Kndx-0005rQ-00 <= hi@elite-domains.com H=host-64-110-87-26.interpacket.net (qjktcfk) [64.110.87.26] P=smtp S=1283 id=gimgmmhjqcsccsgnedbhphnkhletle@Joan
    2002-12-07 15:41:54 18Kndx-0005rW-00 => elitedomains@hotmail.com <70@elite-domains.com> R=lookuphost T=remote_smtp H=mx1.hotmail.com [65.54.166.99]
    2002-12-07 15:41:54 18Kndx-0005rQ-00 => mail <27@elite-domains.com> D=virtual_user T=virtual_userdelivery
     
  8. techark

    You can add a server name or domain address instead of IP number.

    2002-12-07 15:41:47 18Kndr-0005rU-00 <= hi@elite-domains.com H=(kgtihsb) [64.35.163.110] P=smtp S=1250 id=ailghslclhqiasqrboaephcrgnnejk@Bill

    64.35.163.110, that is your IP address. Also, I think you can null the <ailghslclhqiasqrboaephcrgnnejk@Bill>, although I have not tried it.
     
  9. viisage

    Just to be clear (I really appreciate your help!), when you say "64.35.163.110, that is your IP address",

    do you mean that is the IP address I would want to bar? //viisage
     
  10. techark

    "<= hi@elite-domains.com": that part tells you it is sending mail. "[64.35.163.110]": that part tells you that is the IP that is connecting to your server.

    So yeah, if you are sure that is an offending mail, that is an IP you would want to ban.

    But be aware that means anyone coming from that IP is blocked, so if it is, like, an AOL IP you could end up blocking half the internet.
     
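As an added example that is not part of the thread: the script below does what techark describes across posts 2, 4 and 10 in one place. It pulls the connecting IP out of every "<=" (message received) line in exim_mainlog, counts messages per IP, and prints the `/sbin/route add -host ... reject` commands for the busiest ones instead of running them, so the list can be checked for shared addresses before anything is blocked. The sample log is constructed from the lines viisage posted (message IDs shortened) plus one made-up legitimate submission from 192.0.2.7; the file path, threshold and function names are my own choices.

```shell
#!/bin/sh
# Added example, not from the thread: find which remote hosts are handing
# exim the spam and generate the null-route commands techark describes.
# Runs offline against the constructed sample log below; point LOG at
# /var/log/exim_mainlog for real use.

# Constructed sample modelled on the lines viisage posted (message IDs
# shortened) plus one legitimate authenticated submission from a made-up host.
LOG="${TMPDIR:-/tmp}/exim_mainlog.sample"
cat > "$LOG" <<'EOF'
2002-12-07 15:41:38 18Kndi-0005rI-00 <= hi@elite-domains.com H=(ttoqmil) [64.35.163.110] P=smtp S=1247 id=a@Jim
2002-12-07 15:41:38 18Kndi-0005rI-00 => mail <25@elite-domains.com> D=virtual_user T=virtual_userdelivery
2002-12-07 15:41:46 18Kndp-0005rR-00 <= hi@elite-domains.com H=(fkaicgo) [64.35.163.110] P=smtp S=1250 id=b@Mike
2002-12-07 15:41:54 18Kndx-0005rQ-00 <= hi@elite-domains.com H=host-64-110-87-26.interpacket.net (qjktcfk) [64.110.87.26] P=smtp S=1283 id=c@Joan
2002-12-07 15:42:01 18Kndz-0005rY-00 <= owner@example.net H=(mail.example.net) [192.0.2.7] P=esmtpa A=login:owner S=900 id=d@example.net
EOF

# sender_ips LOGFILE
# Print "count ip" for every connecting host on a "<=" (message received)
# line, busiest first. Field 4 is the direction arrow; the [ip] token after
# H= is the peer that opened the SMTP connection, which is what the route
# command needs. Local pickups carry no [ip] and are skipped.
# Quick one-liner equivalent on a live box:
#   grep ' <= ' /var/log/exim_mainlog | grep -o '\[[0-9.]*\]' | sort | uniq -c | sort -rn
sender_ips() {
    awk '$4 == "<=" {
            for (i = 5; i <= NF; i++)
                if ($i ~ /^\[[0-9.]+\](:[0-9]+)?$/) {   # "[ip]" or "[ip]:port"
                    sub(/^\[/, "", $i); sub(/\].*$/, "", $i)
                    n[$i]++
                    break
                }
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# null_route_cmds MIN LOGFILE
# For every IP with at least MIN received messages, print the route command
# from the thread. Printed rather than executed on purpose: check the list
# before running it as root, because a null route drops every connection
# from that address (a shared ISP or webmail relay would take legitimate
# mail with it), then append the commands to /etc/rc.d/rc.local so they are
# restored after a reboot. For a whole netblock use the -net form, e.g.
#   /sbin/route add -net 64.35.163.0/24 reject
null_route_cmds() {
    sender_ips "$2" | awk -v min="$1" '$1 >= min {
        print "/sbin/route add -host " $2 " reject" }'
}

echo "Messages received per connecting IP:"
sender_ips "$LOG"
echo
echo "Null-route commands for IPs with 2 or more messages (review, then run as root):"
null_route_cmds 2 "$LOG"
```

On the sample, 64.35.163.110 shows up twice and is the only address that clears the threshold of 2, so only one route command is printed; raising or lowering MIN is the knob for how aggressive the block list is. A `=>` line is a delivery, not a submission, so the script ignores it even though it also mentions an IP (the destination MX).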