Someone sending spam through my server

Discussion in 'General Discussion' started by Chris Blount, Jan 7, 2006.

  1. Chris Blount

    I was just notified by my ISP that someone is sending SPAM through my server. They said it might be the formmail exploit.

    I deleted the formmail.pl and formmail.cgi files from the server. The SPAM is still coming through.

    I really don't understand what could be happening. I did a search here and found some other threads about this subject but I couldn't find anything relevant.

    Thanks for the help.
     
  2. Izzee

    More detailed info would help, like extracts from your log files and spam email headers etc. As much detail as you can so someone might know what your issues are and offer their friendly and free help ;)

    :)
     
  3. Chris Blount

    Hi there,

    Thanks for the quick reply. Here is an example of the spam header. A few of the e-mail addresses have been masked. My server is dbstalk.com:

    Return-path: <tradingalert@worldnet.att.net>
    Received: from ms-mta-04 (ms-mta-04-smtp.texas.rr.com [10.93.38.42])
    by ms-mss-03.texas.rr.com
    (iPlanet Messaging Server 5.2 HotFix 2.04 (built Feb 8 2005))
    with ESMTP id <0ISR00FTKDV23U@ms-mss-03.texas.rr.com> for me@me.com;
    Sat, 07 Jan 2006 23:28:15 -0600 (CST)
    Received: from clmboh-mx-03.mgw.rr.com (clmboh-mx-03.mgw.rr.com [65.24.7.12])
    by ms-mta-04.texas.rr.com
    (iPlanet Messaging Server 5.2 HotFix 2.04 (built Feb 8 2005))
    with ESMTP id <0ISR00451DV21H@ms-mta-04.texas.rr.com> for me@me.com
    (ORCPT me@me.com); Sat, 07 Jan 2006 23:28:15 -0600 (CST)
    Received: from www2.ultimatepositiveness.com (HELO host.dbstalk.com)
    ([67.19.74.170]) by clmboh-mx-03.mgw.rr.com with ESMTP; Sun,
    08 Jan 2006 00:28:15 -0500
    Received: from [61.10.79.73] (helo=worldnet.att.net)
    by host.dbstalk.com with smtp (Exim 4.52)
    id 1EvT69-00068s-OF for ****@dbstalk.com; Sat,
    07 Jan 2006 23:28:10 -0600
    Date: Sat, 07 Jan 2006 21:59:50 -0800
    From: Young <tradingalert@worldnet.att.net>
    Subject: Promotion Alert- on the move
    To: ****@dbstalk.com
    Message-id: <085AE43D.0A01575@worldnet.att.net>
    MIME-version: 1.0
    Content-type: text/html; charset=us-ascii
    Content-transfer-encoding: 8BIT
    X-Accept-Language: en-us
    User-Agent: Mozilla 4.73 [en]C-SYMPA (Win98; U)
    X-AntiAbuse: This header was added to track abuse,
    please include it with any abuse report
    X-AntiAbuse: Primary Hostname - host.dbstalk.com
    X-AntiAbuse: Original Domain - dbstalk.com
    X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
    X-AntiAbuse: Sender Address Domain - worldnet.att.net
    X-Source:
    X-Source-Args:
    X-Source-Dir:
    Original-recipient: rfc822;me@me.com
     
  4. Izzee

    To try and find who is sending, check your /var/log/exim_mainlog. It should have some info in there that might match up to the header. Also you can watch this log file in real time as mail comes in and goes out. Again, so you can try and catch who it is. This command in shell will do this for you.

    tail -f /var/log/exim_mainlog

    If you had phpSuexec compiled into Apache and mod-Security installed with a good set of rules you might be able to stop most of this hijacking from occurring.

    The forum has many posts about this and it really is a matter of using the search function and messing with the key words until something pops up that helps. Most questions and solutions have already been found many times over. There is lots to see and a detective instinct might help ;)

    :)
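
One way to match a spam header against exim_mainlog as suggested above, written as an added example that is not part of the original thread. The function names are hypothetical, the log lines are constructed samples in Exim 4's default mainlog layout, and the header excerpt is taken from the post.

```bash
#!/bin/sh
# Added example: pull the Exim message ID out of a spam header and trace it
# in exim_mainlog. Sample log lines are constructed, not from a real server.

# Exim 4.x message IDs are 6-6-2 base-62 characters, e.g. 1EvT69-00068s-OF.
EXIM_ID_RE='[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}'

# stdin: raw mail headers. stdout: Exim IDs from Received: "id ..." clauses.
exim_ids_from_headers() {
    grep -Eo "id ${EXIM_ID_RE}" | awk '{print $2}' | sort -u
}

# stdin: exim_mainlog. stdout: every line for message ID $1
# (arrival "<=", deliveries "=>", failures "**", "Completed").
trace_id() {
    grep -F -- " $1 "
}

# stdin: exim_mainlog. stdout: how message $1 entered the server.
# proto=smtp/esmtp with an IP: a remote host handed it over via SMTP.
# proto=local with user=: a local process (such as a web script) queued it.
arrival_summary() {
    trace_id "$1" | awk '/ <= / {
        ip = "-"; proto = "-"; user = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^\[[0-9a-fA-F.:]+\]/) { ip = $i; sub(/^\[/, "", ip); sub(/\].*$/, "", ip) }
            else if ($i ~ /^P=/) proto = substr($i, 3)
            else if ($i ~ /^U=/) user = substr($i, 3)
        }
        print "ip=" ip, "proto=" proto, "user=" user
    }'
}

sample_headers() { cat <<'EOF'
with ESMTP id <0ISR00451DV21H@ms-mta-04.texas.rr.com> for me@me.com
Received: from [61.10.79.73] (helo=worldnet.att.net)
by host.dbstalk.com with smtp (Exim 4.52)
id 1EvT69-00068s-OF for ****@dbstalk.com; Sat,
EOF
}

sample_log() { cat <<'EOF'
2006-01-07 23:28:10 1EvT69-00068s-OF <= tradingalert@worldnet.att.net H=(worldnet.att.net) [61.10.79.73] P=smtp S=2841 id=085AE43D.0A01575@worldnet.att.net
2006-01-07 23:28:15 1EvT69-00068s-OF => me@me.com R=lookuphost T=remote_smtp H=clmboh-mx-03.mgw.rr.com [65.24.7.12]
2006-01-07 23:28:15 1EvT69-00068s-OF Completed
2006-01-07 23:30:02 1EvT7x-0006Ab-2K <= nobody@host.dbstalk.com U=nobody P=local S=1193
EOF
}

for id in $(sample_headers | exim_ids_from_headers); do
    sample_log | trace_id "$id"
    sample_log | arrival_summary "$id"
done
```

On a live server, feed the real files in place of the samples, for example `arrival_summary 1EvT69-00068s-OF < /var/log/exim_mainlog`.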
     