The Community Forums


Someone spamming thru our cPanel server

Discussion in 'General Discussion' started by php-dawg, Oct 15, 2003.

  1. php-dawg

    php-dawg Active Member

    Joined:
    Jul 9, 2003
    Messages:
    31
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Atlanta, GA
    I really need some help on this. There is someone sending mail out thru multiple domains, it appears, from our server. Is there any way to track the security hole down and shut them down? Here is the rejected message:

    1A9foI-0001wa-F1-H
    mailnull 47 12
    <>
    1066201866 0
    -ident mailnull
    -received_protocol local
    -body_linecount 69
    -frozen 1066228030
    -localerror
    XX
    1
    ucsc620uu@earthlink.com

    164P Received: from mailnull by xxxxxxxxxx with local (Exim 4.24)
    id 1A9foI-0001wa-F1
    for ucsc620uu@earthlink.com; Wed, 15 Oct 2003 03:11:06 -0400
    042 X-Failed-Recipients: xxx@xxxxxxx.com
    031 Auto-Submitted: auto-generated
    074F From: Mail Delivery System <Mailer-Daemon@xxxx.xxxxxxxxx.com>
    028T To: ucsc620uu@earthlink.com
    059 Subject: Mail delivery failed: returning message to sender
    063I Message-Id: <E1A9foI-0001wa-F1@xxxx.xxxxxxxxxx>
    038 Date: Wed, 15 Oct 2003 03:11:06 -0400


    1A9foI-0001wa-F1-D
    This message was created automatically by mail delivery software.

    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:

    xxx@xxxxxxx
    (ultimately generated from xxx@xxxxxxx)
    Unrouteable address

    ------ This is a copy of the message, including all the headers. ------

    Return-path: <ucsc620uu@earthlink.com>
    Received: from [200.222.197.142] (helo=rj222197142.user.veloxzone.com.br)
    by xxxx.xxxxxxxxx.com with smtp (Exim 4.24)
    id 1A9foD-0001w9-Cp
    for xxx@xxxxxxx; Wed, 15 Oct 2003 03:11:05 -0400
    Received: from (HELO awm9h) [157.164.38.43] by rj222197142.user.veloxzone.com.br with SMTP; Tue, 14 Oct 2003 23:13:20 +0300
    Message-ID: <kf5-ki-317-b--dnw$d2jp$0v$gsl-8@7d1sqmmqjy.2d>
    From: "Loren Romano" <ucsc620uu@earthlink.com>
    Reply-To: "Loren Romano" <ucsc620uu@earthlink.com>
    To: xxx@xxxxxxxx
    Subject: ANY MEDS U WANT! Prescribed Online for Free,Shipped Overnight ouvvp x
    Date: Tue, 14 Oct 03 23:13:20 GMT
    X-Mailer: Microsoft Outlook Express 5.50.4133.2400
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="_ACE.49DCEBFF_F__.0"
    X-Priority: 1
    X-MSMail-Priority: High



    Thanks for the help!

    #1 php-dawg, Oct 15, 2003
    Last edited: Oct 15, 2003
  2. Website Rob

    Website Rob Well-Known Member

    Joined:
    Mar 23, 2002
    Messages:
    1,506
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    Alberta, Canada
    cPanel Access Level:
    Root Administrator
    I do believe someone is just using your Domain name(s) as a forged From address. When sending to a non-working eMail address, their Server is kicking it back (to the From) which is why it gets delivered to you.

    Unfortunately there is nothing one can do about the forging. They can, however, set up Filters to delete these types of kicked-back eMails.

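One way to check which of the two situations Rob describes applies is to read the Received chain of the copy quoted inside the bounce and find the hop your own Exim wrote. This is an added example, not code from the thread or from cPanel; the header sample is constructed from the headers in the first post (with Exim's continuation-line indentation restored), and OUR_HOST is assumed to be the masked server name.

```python
import re

# Constructed sample: the header block of the bounced copy quoted in the thread,
# with Exim's continuation-line indentation restored and the masked names kept.
BOUNCE_HEADERS = """\
Received: from [200.222.197.142] (helo=rj222197142.user.veloxzone.com.br)
 by xxxx.xxxxxxxxx.com with smtp (Exim 4.24)
 id 1A9foD-0001w9-Cp
 for xxx@xxxxxxx; Wed, 15 Oct 2003 03:11:05 -0400
Received: from (HELO awm9h) [157.164.38.43] by rj222197142.user.veloxzone.com.br with SMTP; Tue, 14 Oct 2003 23:13:20 +0300
From: "Loren Romano" <ucsc620uu@earthlink.com>
"""

OUR_HOST = "xxxx.xxxxxxxxx.com"  # the masked server name from the post (assumption)


def unfold(raw):
    """Join RFC 2822 folded header lines (continuations start with whitespace)."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)


def received_hops(raw):
    """Received headers in header order: newest hop first, oldest last."""
    return [ln[len("received:"):].strip()
            for ln in unfold(raw).splitlines()
            if ln.lower().startswith("received:")]


def classify_hop(hop):
    """Pull the relaying host, the connecting IP and the protocol out of one hop."""
    by = re.search(r"\bby\s+(\S+)", hop)
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hop)
    proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", hop)
    return {"by": by.group(1) if by else None,
            "from_ip": ip.group(1) if ip else None,
            "proto": proto.group(1).lower() if proto else None}


def origin_of(raw, our_host=OUR_HOST):
    """Decide whether our MTA injected the message or merely accepted it from outside."""
    hops = [classify_hop(h) for h in received_hops(raw)]
    ours = [h for h in hops if h["by"] == our_host]
    if not ours:  # bounce came from elsewhere; our domain was only forged as From
        return {"verdict": "not-seen", "handoff_ip": None, "claimed_origin": None}
    entry = ours[-1]  # the oldest hop our own Exim wrote: the only line we can trust
    claimed = hops[-1]["from_ip"]  # earlier hops were written by the sender, untrusted
    # Exim stamps locally submitted mail as "from <user> by <host> with local";
    # that would point at a script or account on this box rather than a forger.
    verdict = "local-injection" if entry["proto"] == "local" else "external"
    return {"verdict": verdict, "handoff_ip": entry["from_ip"], "claimed_origin": claimed}
```

For the headers in the post the verdict is "external": the server accepted the spam over SMTP from 200.222.197.142 and then generated the bounce to the forged earthlink.com address, so nothing on the box sent the original message.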
  3. anand

    anand Well-Known Member

    Joined:
    Nov 11, 2002
    Messages:
    1,435
    Likes Received:
    1
    Trophy Points:
    38
    Location:
    India
    cPanel Access Level:
    DataCenter Provider
    How do I set up these filters? Can I have an example please?

  4. Website Rob

    Website Rob Well-Known Member

    Joined:
    Mar 23, 2002
    Messages:
    1,506
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    Alberta, Canada
    cPanel Access Level:
    Root Administrator
    Cpanel > E-Mail > E-mail Filtering

    Some testing, due to the same problem with my own Domain name being forged to AOL eMail, showed that the actual Subject used -- in the returned eMail -- should be used, and that it takes a while to kick in. I think upcp has to run, but I am only guessing.

  5. anand

    anand Well-Known Member

    Joined:
    Nov 11, 2002
    Messages:
    1,435
    Likes Received:
    1
    Trophy Points:
    38
    Location:
    India
    cPanel Access Level:
    DataCenter Provider
    I thought more on the grounds of kicking the mails from Exim itself, basically using Exim filters. I have seen a lot of mails like these on my 2 boxes, forged addresses, but every now and then the forger changes the address.

  6. php-dawg

    php-dawg Active Member

    Joined:
    Jul 9, 2003
    Messages:
    31
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Atlanta, GA
    I had decided the same thing, but wanted to make sure I was not crazy. I could not find in the mail log where any of these emails went thru our server. The oddest part of it all is that they are using several of our customers' domain names to do this.
     
  7. anand

    anand Well-Known Member

    Joined:
    Nov 11, 2002
    Messages:
    1,435
    Likes Received:
    1
    Trophy Points:
    38
    Location:
    India
    cPanel Access Level:
    DataCenter Provider
    Same is the case with my box. Mail bounces are getting delivered to various customer domains on the box.
     
  8. markie

    markie BANNED

    Joined:
    Oct 5, 2003
    Messages:
    143
    Likes Received:
    0
    Trophy Points:
    0
    You probably want to install http://webhosting-tools.com/view.cgi/MailMon then. We purchased this a while back and it has identified the source of the spammer from our box on at least 3 occasions. Every time I see some strange mail leaving our servers we turn this on. It tells us the path to the script that is sending the msgs so we can identify the user. I know in the past I have asked this company a number of questions and they did not reply. Their support seems hopeless but the scripts work well.
     
  9. anand

    anand Well-Known Member

    Joined:
    Nov 11, 2002
    Messages:
    1,435
    Likes Received:
    1
    Trophy Points:
    38
    Location:
    India
    cPanel Access Level:
    DataCenter Provider
    Originally the mails are actually being forged and then the returns are being fired to his server. This can't be stopped actually. If someone forges your from address and sends mails, if any mail is bounced by any mail server, the bounce will automatically find its way to your server / mailbox instead of the forger.

    As for using MailMon, I don't say there is anything wrong with the software, it's good. But you may want to try the Mail Relayers inside WHM, which stores who all is relaying from the server; all logs, everything is present.
     