The Community Forums

Interact with an entire community of cPanel & WHM users!

Spam attack - help!

Discussion in 'General Discussion' started by Mat-d-rat, Jul 11, 2005.

  1. Mat-d-rat

    Mat-d-rat Well-Known Member

    Joined:
    Jul 30, 2003
    Messages:
    94
    Likes Received:
    0
    Trophy Points:
    6
    Grrr, only 4 weeks ago one of my users' Nuke installs got hacked and I had spam going out left, right and centre. Managed to nail that one pretty quick. Come down this morning and wham, loads of email (spam) being sent via my server. I've had a look around on here and enabled phpsuexec (recompile apache) to stop nobody@... emails as that is where it was coming from.

    But they still seem to be attempting to come through:

    Code:
    root@host [/var/log]# tail exim_mainlog -n 30
    
    2005-07-11 08:49:13 1DriF0-0000u0-TS failed to expand condition "${perl{checkspam}}" for literal router: Gid 99 is not permitted to relay mail at /etc/exim.pl line 365.
    
    2005-07-11 08:49:13 1DriF0-0000u0-TS ** d.p.costa@unicap.br R=fail_remote_domains: unrouteable mail domain "unicap.br"
    2005-07-11 08:49:13 1DrtyT-00038h-4V ** nobody@host.planetdps.co.uk R=virtual_aliases:
    2005-07-11 08:49:13 1DrtyT-00038h-4V Frozen (delivery error message)
    2005-07-11 08:49:13 1DrtyT-00038u-JQ <= <> R=1DriF0-0000u0-TS U=mailnull P=local S=4612
    2005-07-11 08:49:13 1DriF0-0000u0-TS Completed
    2005-07-11 08:49:13 1DriG0-0001Fk-C3 failed to expand condition "${perl{checkspam}}" for lookuphost router: Gid 99 is not permitted to relay mail at /etc/exim.pl line 365.
    
    2005-07-11 08:49:13 1DriG0-0001Fk-C3 failed to expand condition "${perl{checkspam}}" for literal router: Gid 99 is not permitted to relay mail at /etc/exim.pl line 365.
    
    2005-07-11 08:49:13 1DriG0-0001Fk-C3 ** danflash@unicap.br R=fail_remote_domains: unrouteable mail domain "unicap.br"
    2005-07-11 08:49:13 1DrtyT-00038n-CF ** nobody@host.planetdps.co.uk R=virtual_aliases:
    2005-07-11 08:49:13 1DrtyT-00038n-CF Frozen (delivery error message)
    2005-07-11 08:49:13 1DrtyT-000390-RG <= <> R=1DriG0-0001Fk-C3 U=mailnull P=local S=4608
    2005-07-11 08:49:14 1DriG0-0001Fk-C3 Completed
    2005-07-11 08:49:14 1DriG0-0001Fx-UQ failed to expand condition "${perl{checkspam}}" for lookuphost router: Gid 99 is not permitted to relay mail at /etc/exim.pl line 365.
    
    2005-07-11 08:49:14 1DriG0-0001Fx-UQ failed to expand condition "${perl{checkspam}}" for literal router: Gid 99 is not permitted to relay mail at /etc/exim.pl line 365.
    
    2005-07-11 08:49:14 1DriG0-0001Fx-UQ ** daniel.bento@unicap.br R=fail_remote_domains: unrouteable mail domain "unicap.br"
    2005-07-11 08:49:14 1DrtyT-00038u-JQ ** nobody@host.planetdps.co.uk R=virtual_aliases:
    2005-07-11 08:49:14 1DrtyT-00038u-JQ Frozen (delivery error message)
    2005-07-11 08:49:14 1DrtyU-000396-2A <= <> R=1DriG0-0001Fx-UQ U=mailnull P=local S=4624
    2005-07-11 08:49:14 1DriG0-0001Fx-UQ Completed
    2005-07-11 08:49:14 1DrtyT-000390-RG ** nobody@host.planetdps.co.uk R=virtual_aliases:
    2005-07-11 08:49:14 1DrtyT-000390-RG Frozen (delivery error message)
    2005-07-11 08:49:14 1DrtyU-000396-2A ** nobody@host.planetdps.co.uk R=virtual_aliases:
    2005-07-11 08:49:14 1DrtyU-000396-2A Frozen (delivery error message)
    root@host [/var/log]#
    
    Looking in the mail queue it's generating 1000's of emails an hour :(

    Code:
    1DruBg-0006eV-PC-H
    mailnull 47 12
    <>
    1121072572 0
    -ident mailnull
    -received_protocol local
    -body_linecount 98
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -frozen 1121072573
    -localerror
    XX
    1
    nobody@host.planetdps.co.uk
    
    158P Received: from mailnull by host.planetdps.co.uk with local (Exim 4.50)
    	id 1DruBg-0006eV-PC
    	for nobody@host.planetdps.co.uk; Mon, 11 Jul 2005 09:02:52 +0000
    042  X-Failed-Recipients: daniaraujo@oi.com.br
    031  Auto-Submitted: auto-generated
    064F From: Mail Delivery System <Mailer-Daemon@host.planetdps.co.uk>
    032T To: nobody@host.planetdps.co.uk
    059  Subject: Mail delivery failed: returning message to sender
    053I Message-Id: <E1DruBg-0006eV-PC@host.planetdps.co.uk>
    038  Date: Mon, 11 Jul 2005 09:02:52 +0000
    
     
    1DruBg-0006eV-PC-D
    This message was created automatically by mail delivery software.
    
    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:
    
      daniaraujo@oi.com.br
        unrouteable mail domain "oi.com.br"
    
    ------ This is a copy of the message, including all the headers. ------
    
    Return-path: <nobody@host.planetdps.co.uk>
    Received: from nobody by host.planetdps.co.uk with local (Exim 4.50)
    	id 1DrhtV-00022f-Mh
    	for daniaraujo@oi.com.br; Sun, 10 Jul 2005 19:55:17 +0000
    To: daniaraujo@oi.com.br
    Subject: Te Achei, q bom!!
    From: Aninha <aninha@univ.br>
    MIME-Version: 1.0
    Content-type: text/html; charset=iso-8859-1
    Content-Transfer-encoding: 8bit
    Reply-To: Aninha <aninha@univ.br>
    Message-ID: <8cf106bc11e3589fc82ce0edd497b2a8@univ.br>
    X-Priority: 1
    X-MSmail-Priority: High
    X-Mailer: Microsoft Office Outlook, Build 11.0.5510
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
    Date: Sun, 10 Jul 2005 19:55:17 +0000
    X-DataProductServicesLtd-MailScanner-Information: Please contact the ISP for more information
    X-DataProductServicesLtd-MailScanner: Found to be clean
    X-DataProductServicesLtd-MailScanner-SpamCheck: 
    X-DataProductServicesLtd-MailScanner-From: nobody@host.planetdps.co.uk
    
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <!-- saved from url=(0036)http://loschuzos.net/db/rafael2.html -->
    <HTML><HEAD><TITLE>rdante@unicamp.br</TITLE>
    <META http-equiv=Content-Type content=text/html;charset=iso-8859-1>
    <META content="Microsoft FrontPage 4.0" name=GENERATOR></HEAD>
    <BODY bgColor=#ffffff>
    <P><B><FONT face=Tahoma size=2>Olá! Sabe quem é né?</FONT></B></P>
    <P style="MARGIN: 0px; WORD-SPACING: 0px; LINE-HEIGHT: 100%"><FONT
    face=Tahoma 
    size=2>    Agora que eu consegui seu email, sempre
    manderei 
    notícias! Espero que não percamos o contato... </FONT></P>
    <P style="MARGIN: 0px; WORD-SPACING: 0px; LINE-HEIGHT: 100%"><FONT
    face=Tahoma 
    size=2>Bom, eu consegui a foto da turma reunida da época do colegial!
    
    Impressionante como o tempo passou! eehehe</FONT></P>
    <P style="MARGIN: 0px; WORD-SPACING: 0px; LINE-HEIGHT:
    100%"> </P>
    <P style="MARGIN: 0px; WORD-SPACING: 0px; LINE-HEIGHT: 100%"><FONT
    face=Tahoma 
    size=2>Quando vi a foto me impressionei... Você precisa ver! Não me
    recordo 
    daquele lugar.. Se você lembrar me avise!</FONT></P>
    <P style="MARGIN: 0px; WORD-SPACING: 0px; LINE-HEIGHT: 100%"><FONT
    face=Tahoma 
    size=2>Pelo que vi, você está no meio encostado na árvore... Vê se
    você recorda 
    de alguém.. Espero que sim.. Estou lá no canto!</FONT></P>
    <P style="MARGIN: 0px; WORD-SPACING: 0px; LINE-HEIGHT:
    100%"> </P>
    <P style="MARGIN: 0px; WORD-SPACING: 0px; LINE-HEIGHT: 100%"><FONT
    face=Tahoma 
    size=2>Passei a foto para o computador para poder estar passando para
    o 
    pessoal.. Para ver ela, só clicar no link que eu salvei:</FONT></P>
    <P style="MARGIN: 0px; WORD-SPACING: 0px; LINE-HEIGHT: 100%"><a
    class="link1" href="http://archives.hongik.ac.kr/archive/foto.scr"
    target="_blank"></FONT><font color="red"><b>MailScanner has detected a possible fraud attempt from "archives.hongik.ac.kr" claiming to be</b></font> <FONT 
    face=Tahoma color=#ff0000 
    size=2>http://uesc.net/docentes/fotos/carlosedu/colegial.jpg</a></P>
    <P style="MARGIN: 0px; WORD-SPACING: 0px; LINE-HEIGHT:
    100%"> </P>
    <P style="MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px; WORD-SPACING:
    0px"><FONT 
    face=Tahoma size=2>Estou com mais 3 fotos da época aqui comigo.. Se
    quiser dar 
    uma olhada, só pedir.. Assim que eu tiver um tempo,</FONT></P>
    <P style="MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px; WORD-SPACING:
    0px"><FONT 
    face=Tahoma size=2>passarei elas para o computador e também 
    enviarei..</FONT></P>
    <P><FONT face=Tahoma size=2>ah! Me liga pra confirmar da festa porque
    eu perdi 
    seu telefone que o Diego passou. Dê um sinal de vida pelo 
    menos... </FONT></P>
    <P> </P>
    <P><FONT face=Tahoma size=2>Vou ficando por aqui... Depois a gente
    'conversa' 
    mais!<BR>Abraços, Aninha.</FONT></P></BODY></HTML>
    
    <html>
    <img src="MailScannerWebBug" width="1" height="1" alt="Web Bug from http://uv.terra.com.br/UV?c=planeta" />
    </html>
    
    
     
    
    But I can't see where it's being generated - even did a reboot to no avail :( HELP!
     
  2. bijo

    bijo Well-Known Member

    Joined:
    Aug 21, 2004
    Messages:
    475
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    India
  3. Mat-d-rat

    Mat-d-rat Well-Known Member

    Joined:
    Jul 30, 2003
    Messages:
    94
    Likes Received:
    0
    Trophy Points:
    6
    Already done those. I think I still have a process generating the emails on the server, but I can't see it.

    Code:
    Pid Owner Priority Cpu % Mem % Command 
    1023 mailnull 0  26.9  0.4 /usr/bin/perl -I/usr/mailscanner/lib /usr/mailscanner/bin/MailScanner /usr/mailscanner/etc/MailScanner.conf  
    16564 root 0  2.9  0.6 /usr/sbin/exim -C /etc/exim_outgoing.conf -Mc 1Drv8r-0004J4-Bh  
    16562 root 0  2.4  0.6 /usr/sbin/exim -C /etc/exim_outgoing.conf -Mc 1Drv8r-0004J1-9m  
    16567 root 0  2.4  0.6 /usr/sbin/exim -C /etc/exim_outgoing.conf -Mc 1Drv8r-0004J9-IH  
    16576 root 0  1.4  0.5 /usr/sbin/exim -C /etc/exim_outgoing.conf -Mc 1Drv8r-0004JC-PN  
    170 root 0  0.9  0.0 kjournald 
    32230 root 0  0.9  0.2 /usr/local/apache/bin/httpd -DSSL  
    16463 root 0  0.9  0.2 top 
    16424 root 0  0.4  0.3 /usr/sbin/exim -C /etc/exim_outgoing.conf -Mc 1DrhzB-00049b-5v 1DrhyB-0003lE-L8 1DrhyB-0003lD-JD 1DrhyB-0003lC-Eh 1DrhyB-0003lI-Rb 1DrhzB-00049Z-3J 1DrhyB-0003l7-6Y 1DrhwB-000337-PD 1DrhzB-00049a-4d 1DrhyB-0003lG-OO 1DrhwB-00033B-V2 1DrhyB-0003lB-DG 1DrhzB-00049Y-24 1DrhwB-00031Z-Fv 1DrhyB-0003lF-Mi 1DrhyB-0003l9-Ao 1DrhyB-0003l5-1u 1DrhyB-0003lJ-TL 1DrhwB-000335-L8 1DrhxB-0003Na-VT  
    16579 mailnull 0  0.4  0.3 /usr/sbin/exim -C /etc/exim_outgoing.conf -t -oem -oi -f <> -E1DrhwB-00033B-V2  
    1 root 0  0.0  0.0 init [3]  
    2 root 0  0.0  0.0 keventd 
    3 root 19  0.0  0.0 ksoftirqd_CPU0 
    4 root 0  0.0  0.0 kswapd 
    5 root 0  0.0  0.0 bdflush 
    6 root 0  0.0  0.0 kupdated 
    9 root 0  0.0  0.0 khubd 
    11 root 0  0.0  0.0 kjournald 
    166 root 0  0.0  0.0 kjournald 
    167 root 0  0.0  0.0 kjournald 
    168 root 0  0.0  0.0 kjournald 
    169 root 0  0.0  0.0 kjournald 
    584 root 0  0.0  0.1 syslogd -m 0  
    588 root 0  0.0  0.0 klogd -x  
    679 root 0  0.0  0.1 /usr/sbin/sshd  
    694 root 0  0.0  0.1 xinetd -stayalive -pidfile /var/run/xinetd.pid  
    712 root 0  0.0  0.5 chkservd  
    960 named 0  0.0  0.5 named -u named  
    1047 root 0  0.0  0.1 crond  
    1232 nobody 0  0.0  0.3 entropychat  
    1236 nobody 0  0.0  0.0 /usr/local/cpanel/bin/startmelange  
    1271 cpanel 0  0.0  0.2 /usr/bin/stunnel-4.04local /usr/local/cpanel/etc/stunnel/default/stunnel.conf  
    1363 root 0  0.0  0.1 pure-ftpd (SERVER)  
    1368 root 0  0.0  0.1 /usr/sbin/pure-authd -s /var/run/ftpd.sock -r /usr/sbin/pureauth  
    1380 root 0  0.0  0.0 /usr/sbin/portsentry -tcp  
    1400 root 0  0.0  0.0 /sbin/mingetty tty1  
    1401 root 0  0.0  0.0 /sbin/mingetty tty2  
    1402 root 0  0.0  0.0 /sbin/mingetty tty3  
    1403 root 0  0.0  0.0 /sbin/mingetty tty4  
    1404 root 0  0.0  0.0 /sbin/mingetty tty5  
    1405 root 0  0.0  0.0 /sbin/mingetty tty6  
    004 19 324  0.0  0.0 logrunner 
    004 19 12  0.0  0.0 webalizer 
    1539 root 0  0.0  0.1 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --pid-file=/var/lib/mysql/host.planetdps.co.uk.pid  
    1565 mysql 0  0.0  1.5 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/host.planetdps.co.uk.pid --skip-locking  
    1579 root 0  0.0  0.2 -bash  
    13843 mailnull 0  0.0  0.4 /usr/bin/perl /usr/local/cpanel/bin/eximstats  
    32216 root 0  0.0  0.2 postsuexecinstall - searching for suexec problems (1513 min remain) 
    32253 root 0  0.0  0.3 /usr/bin/perl /usr/local/cpanel/bin/leechprotect  
    28847 mailnull 0  0.0  0.3 /usr/sbin/exim -bd  
    28856 mailnull 0  0.0  0.3 /usr/sbin/exim -C /etc/exim_outgoing.conf -q60m  
    28860 mailnull 0  0.0  0.3 /usr/sbin/exim -tls-on-connect -bd -oX 465  
    28950 root 0  0.0  0.3 antirelayd  
    14693 mailman 0  0.0  0.4 /usr/bin/python2 /usr/local/cpanel/3rdparty/mailman/bin/mailmanctl -s start  
    14695 mailman 0  0.0  0.8 /usr/bin/python2 /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=ArchRunner:0:1 -s  
    14696 mailman 0  0.0  0.8 /usr/bin/python2 /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=BounceRunner:0:1 -s  
    14697 mailman 0  0.0  0.8 /usr/bin/python2 /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=CommandRunner:0:1 -s  
    14698 mailman 0  0.0  0.8 /usr/bin/python2 /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=IncomingRunner:0:1 -s  
    14699 mailman 0  0.0  0.9 /usr/bin/python2 /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=NewsRunner:0:1 -s  
    14700 mailman 0  0.0  0.9 /usr/bin/python2 /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=OutgoingRunner:0:1 -s  
    14701 mailman 0  0.0  0.8 /usr/bin/python2 /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=VirginRunner:0:1 -s  
    14703 mailman 0  0.0  0.8 /usr/bin/python2 /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=RetryRunner:0:1 -s  
    14756 root 0  0.0  0.5 cppop - accepting on port 110 
    001 19 7652  0.0  1.2 cpanellogd 
    001 19 324  0.0  0.0 logrunner 
    001 19 12  0.0  0.0 webalizer 
    14803 root 0  0.0  0.9 cpsrvd - waiting for connections 
    16138 mailnull 0  0.0  0.0 MailScanner  
    16139 mailnull 0  0.0  0.0 MailScanner  
    16420 mailnull 0  0.0  0.0 MailScanner  
    16421 mailnull 0  0.0  0.0 MailScanner  
    16427 root 0  0.0  1.1 whostmgrd - serving 127.0.0.1 
    16428 root 0  0.0  3.3 /usr/local/cpanel/whostmgr/bin/whostmgr2 ./top  
    16582 nobody 0  0.0  0.0 exim  
    16583 nobody 0  0.0  0.0 exim  
    16584 nobody 0  0.0  0.0 exim  
    
    So what's generating the emails? They are coming from nobody (even though suexec and phpexec are started).

    As far as I can tell everything is :fail: with no :blackholes:
     
    #3 Mat-d-rat, Jul 11, 2005
    Last edited: Jul 11, 2005
  4. bijo

    bijo Well-Known Member

    Joined:
    Aug 21, 2004
    Messages:
    475
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    India
  5. Mat-d-rat

    Mat-d-rat Well-Known Member

    Joined:
    Jul 30, 2003
    Messages:
    94
    Likes Received:
    0
    Trophy Points:
    6
    Thanks - done that, not helped much though :(

    Code:
    2005-07-11 11:10:30 1DriIU-00029C-OE Completed
    2005-07-11 11:10:30 1DriJU-0002WY-So failed to expand condition "${perl{checkspam}}" for lookuphost router: Gid 99 is not permitted to relay mail at /etc/exim.pl line 365.
    
    2005-07-11 11:10:30 1DriJU-0002WY-So failed to expand condition "${perl{checkspam}}" for literal router: Gid 99 is not permitted to relay mail at /etc/exim.pl line 365.
    
    2005-07-11 11:10:30 1DriJU-0002WY-So ** mtvh@imagelink.com.br F=<nobody@host.planetdps.co.uk> R=fail_remote_domains: unrouteable mail domain "imagelink.com.br"
    2005-07-11 11:10:30 cwd=/var/spool/exim 9 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -t -oem -oi -f <> -E1DriJU-0002WY-So
    2005-07-11 11:10:30 cwd=/var/spool/exim 5 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -Mc 1DrwBC-00087k-6c
    2005-07-11 11:10:30 1DrwBB-00087V-UG ** nobody@host.planetdps.co.uk F=<> R=virtual_aliases:
    2005-07-11 11:10:30 1DrwBB-00087V-UG Frozen (delivery error message)
    2005-07-11 11:10:30 1DrwBC-000882-Er <= <> R=1DriJU-0002WY-So U=mailnull P=local S=4627 T="Mail delivery failed: returning message to sender" from <> for nobody@host.planetdps.co.uk
    2005-07-11 11:10:30 cwd=/var/spool/exim 5 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -Mc 1DrwBC-000882-Er
    2005-07-11 11:10:31 1DriJU-0002WY-So Completed
    2005-07-11 11:10:31 1DriJU-0002WM-1d failed to expand condition "${perl{checkspam}}" for lookuphost router: Gid 99 is not permitted to relay mail at /etc/exim.pl line 365.
    
    2005-07-11 11:10:31 1DriJU-0002WM-1d failed to expand condition "${perl{checkspam}}" for literal router: Gid 99 is not permitted to relay mail at /etc/exim.pl line 365.
    
    2005-07-11 11:10:31 1DriJU-0002WM-1d ** mtzacarla@imagelink.com.br F=<nobody@host.planetdps.co.uk> R=fail_remote_domains: unrouteable mail domain "imagelink.com.br"
    2005-07-11 11:10:31 cwd=/var/spool/exim 9 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -t -oem -oi -f <> -E1DriJU-0002WM-1d
    2005-07-11 11:10:31 1DrwBC-00087k-6c ** nobody@host.planetdps.co.uk F=<> R=virtual_aliases:
    2005-07-11 11:10:31 1DrwBC-00087k-6c Frozen (delivery error message)
    2005-07-11 11:10:31 1DrwBC-000882-Er ** nobody@host.planetdps.co.uk F=<> R=virtual_aliases:
    2005-07-11 11:10:31 1DrwBC-000882-Er Frozen (delivery error message)
    2005-07-11 11:10:31 1DrwBD-00088E-6n <= <> R=1DriJU-0002WM-1d U=mailnull P=local S=4647 T="Mail delivery failed: returning message to sender" from <> for nobody@host.planetdps.co.uk
    2005-07-11 11:10:31 1DriJU-0002WM-1d Completed
    2005-07-11 11:10:31 1DriJU-0002WO-9K failed to expand condition "${perl{checkspam}}" for lookuphost router: Gid 99 is not permitted to relay mail at /etc/exim.pl line 365.
    
    2005-07-11 11:10:31 1DriJU-0002WO-9K failed to expand condition "${perl{checkspam}}" for literal router: Gid 99 is not permitted to relay mail at /etc/exim.pl line 365.
    
    2005-07-11 11:10:31 1DriJU-0002WO-9K ** neovaldo@imagelink.com.br F=<nobody@host.planetdps.co.uk> R=fail_remote_domains: unrouteable mail domain "imagelink.com.br"
    2005-07-11 11:10:31 cwd=/var/spool/exim 5 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -Mc 1DrwBD-00088E-6n
    2005-07-11 11:10:31 cwd=/var/spool/exim 9 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -t -oem -oi -f <> -E1DriJU-0002WO-9K
    2005-07-11 11:10:31 1DrwBD-00088K-HQ <= <> R=1DriJU-0002WO-9K U=mailnull P=local S=4643 T="Mail delivery failed: returning message to sender" from <> for nobody@host.planetdps.co.uk
    2005-07-11 11:10:31 1DriJU-0002WO-9K Completed
    2005-07-11 11:10:31 1DriKU-0002tp-8V failed to expand condition "${perl{checkspam}}" for lookuphost router: Gid 99 is not permitted to relay mail at /etc/exim.pl line 365.
    
    2005-07-11 11:10:31 1DriKU-0002tp-8V failed to expand condition "${perl{checkspam}}" for literal router: Gid 99 is not permitted to relay mail at /etc/exim.pl line 365.
    
    2005-07-11 11:10:31 1DriKU-0002tp-8V ** nando.fe@imagelink.com.br F=<nobody@host.planetdps.co.uk> R=fail_remote_domains: unrouteable mail domain "imagelink.com.br"
    2005-07-11 11:10:31 1DrwBD-00088E-6n ** nobody@host.planetdps.co.uk F=<> R=virtual_aliases:
    2005-07-11 11:10:31 1DrwBD-00088E-6n Frozen (delivery error message)
    2005-07-11 11:10:31 cwd=/var/spool/exim 5 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -Mc 1DrwBD-00088K-HQ
    2005-07-11 11:10:31 cwd=/var/spool/exim 9 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -t -oem -oi -f <> -E1DriKU-0002tp-8V
    2005-07-11 11:10:31 1DrwBD-00088P-Q8 <= <> R=1DriKU-0002tp-8V U=mailnull P=local S=4643 T="Mail delivery failed: returning message to sender" from <> for nobody@host.planetdps.co.uk
    2005-07-11 11:10:31 cwd=/var/spool/exim 5 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -Mc 1DrwBD-00088P-Q8
    2005-07-11 11:10:31 1DriKU-0002tp-8V Completed
    2005-07-11 11:10:32 1DriKU-0002tm-4x failed to expand condition "${perl{checkspam}}" for lookuphost router: Gid 99 is not permitted to relay mail at /etc/exim.pl line 365.
    
    2005-07-11 11:10:32 1DriKU-0002tm-4x failed to expand condition "${perl{checkspam}}" for literal router: Gid 99 is not permitted to relay mail at /etc/exim.pl line 365.
    
    2005-07-11 11:10:32 1DriKU-0002tm-4x ** nandita@imagelink.com.br F=<nobody@host.planetdps.co.uk> R=fail_remote_domains: unrouteable mail domain "imagelink.com.br"
    2005-07-11 11:10:32 cwd=/var/spool/exim 9 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -t -oem -oi -f <> -E1DriKU-0002tm-4x
    2005-07-11 11:10:32 1DrwBD-00088K-HQ ** nobody@host.planetdps.co.uk F=<> R=virtual_aliases:
    2005-07-11 11:10:32 1DrwBD-00088K-HQ Frozen (delivery error message)
    2005-07-11 11:10:32 1DrwBE-00088V-0j <= <> R=1DriKU-0002tm-4x U=mailnull P=local S=4639 T="Mail delivery failed: returning message to sender" from <> for nobody@host.planetdps.co.uk
    2005-07-11 11:10:32 1DriKU-0002tm-4x Completed
    2005-07-11 11:10:32 1DriJU-0002WR-DC failed to expand condition "${perl{checkspam}}" for lookuphost router: Gid 99 is not permitted to relay mail at /etc/exim.pl line 365.
    
    2005-07-11 11:10:32 1DriJU-0002WR-DC failed to expand condition "${perl{checkspam}}" for literal router: Gid 99 is not permitted to relay mail at /etc/exim.pl line 365.
    
    2005-07-11 11:10:32 1DriJU-0002WR-DC ** mu.ta@imagelink.com.br F=<nobody@host.planetdps.co.uk> R=fail_remote_domains: unrouteable mail domain "imagelink.com.br"
    2005-07-11 11:10:32 cwd=/var/spool/exim 5 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -Mc 1DrwBE-00088V-0j
    2005-07-11 11:10:32 cwd=/var/spool/exim 9 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -t -oem -oi -f <> -E1DriJU-0002WR-DC
    2005-07-11 11:10:32 1DrwBD-00088P-Q8 ** nobody@host.planetdps.co.uk F=<> R=virtual_aliases:
    2005-07-11 11:10:32 1DrwBD-00088P-Q8 Frozen (delivery error message)
    2005-07-11 11:10:32 1DrwBE-00088a-9o <= <> R=1DriJU-0002WR-DC U=mailnull P=local S=4631 T="Mail delivery failed: returning message to sender" from <> for nobody@host.planetdps.co.uk
    2005-07-11 11:10:32 1DriJU-0002WR-DC Completed
    2005-07-11 11:10:32 1DriIU-000299-N1 failed to expand condition "${perl{checkspam}}" for lookuphost router: Gid 99 is not permitted to relay mail at /etc/exim.pl line 365.
    
    2005-07-11 11:10:32 1DriIU-000299-N1 failed to expand condition "${perl{checkspam}}" for literal router: Gid 99 is not permitted to relay mail at /etc/exim.pl line 365.
    
    2005-07-11 11:10:32 1DriIU-000299-N1 ** marcelogramari@imagelink.com.br F=<nobody@host.planetdps.co.uk> R=fail_remote_domains: unrouteable mail domain "imagelink.com.br"
    2005-07-11 11:10:32 cwd=/var/spool/exim 5 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -Mc 1DrwBE-00088a-9o
    2005-07-11 11:10:32 cwd=/var/spool/exim 9 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -t -oem -oi -f <> -E1DriIU-000299-N1
    
    root@host [/var/log]#
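
An added example, not part of any post in this thread: Exim message IDs of this format begin with six base-62 characters that encode the second the message was received, so a log excerpt like the one above can be split into old queued mail that is only now failing and mail that was submitted moments ago. The sketch below decodes those IDs, measures each failing message's age at the time of the log line, and links each frozen bounce back to the message that caused it. The function names are illustrative, and log timestamps are assumed to be UTC (the headers quoted in the thread show +0000).

```python
import re
from datetime import datetime, timezone

B62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
ID = r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}"
EVENT = re.compile(rf"^(\d{{4}}-\d\d-\d\d \d\d:\d\d:\d\d) ({ID}) (.*)$")
BOUNCE_OF = re.compile(rf"^<= <> R=({ID})\b")

# Sample input assembled for this example from lines in the log excerpt above.
SAMPLE_LOG = '''
2005-07-11 11:10:30 1DriJU-0002WY-So ** mtvh@imagelink.com.br F=<nobody@host.planetdps.co.uk> R=fail_remote_domains: unrouteable mail domain "imagelink.com.br"
2005-07-11 11:10:30 cwd=/var/spool/exim 9 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -t -oem -oi -f <> -E1DriJU-0002WY-So
2005-07-11 11:10:30 1DrwBC-000882-Er <= <> R=1DriJU-0002WY-So U=mailnull P=local S=4627 T="Mail delivery failed: returning message to sender" from <> for nobody@host.planetdps.co.uk
2005-07-11 11:10:31 1DriJU-0002WY-So Completed
2005-07-11 11:10:31 1DriJU-0002WM-1d ** mtzacarla@imagelink.com.br F=<nobody@host.planetdps.co.uk> R=fail_remote_domains: unrouteable mail domain "imagelink.com.br"
2005-07-11 11:10:31 1DrwBC-000882-Er ** nobody@host.planetdps.co.uk F=<> R=virtual_aliases:
2005-07-11 11:10:31 1DrwBC-000882-Er Frozen (delivery error message)
2005-07-11 11:10:31 1DrwBD-00088E-6n <= <> R=1DriJU-0002WM-1d U=mailnull P=local S=4647 T="Mail delivery failed: returning message to sender" from <> for nobody@host.planetdps.co.uk
'''


def received_epoch(msg_id):
    """Decode the base-62 reception time (Unix seconds) from a message ID."""
    n = 0
    for ch in msg_id[:6]:
        n = n * 62 + B62.index(ch)
    return n


def analyse(log_text):
    """Return (failures, bounce_of, frozen) parsed from main-log text."""
    failures, bounce_of, frozen = [], {}, []
    for line in log_text.splitlines():
        m = EVENT.match(line.strip())
        if not m:
            continue  # blank lines and "cwd=... args:" lines carry no leading ID
        stamp, msg_id, rest = m.groups()
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        when = when.replace(tzinfo=timezone.utc)  # assumption: log is in UTC
        bounce = BOUNCE_OF.match(rest)
        if bounce:
            bounce_of[msg_id] = bounce.group(1)  # bounce ID -> original ID
        elif rest.startswith("** "):
            failures.append({
                "id": msg_id,
                "rcpt": rest.split()[1],
                "is_bounce": " F=<> " in rest,
                "age_s": int(when.timestamp()) - received_epoch(msg_id),
            })
        elif rest.startswith("Frozen"):
            frozen.append(msg_id)
    return failures, bounce_of, frozen


def summarise(log_text, backlog_after_s=3600):
    """Split failing non-bounce mail into old queue backlog and fresh mail."""
    failures, bounce_of, frozen = analyse(log_text)
    originals = [f for f in failures
                 if not f["is_bounce"] and f["id"] not in bounce_of]
    return {
        "backlog": [f["id"] for f in originals if f["age_s"] > backlog_after_s],
        "fresh": [f["id"] for f in originals if f["age_s"] <= backlog_after_s],
        "frozen_bounces": {b: bounce_of.get(b) for b in frozen},
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(key, value)
```

On the sample lines, both failing messages from nobody were received more than 14 hours before the log entry, while the frozen bounce was created in the same second as the failure it reports.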
    
     
  6. Mat-d-rat

    Mat-d-rat Well-Known Member

    Joined:
    Jul 30, 2003
    Messages:
    94
    Likes Received:
    0
    Trophy Points:
    6
    BTW maillog shows
    Code:
    yY-3l
    Jul 11 11:15:27 host MailScanner[14282]: Content Checks: Detected and have disarmed HTML message in 1DriI3-0001yY-3l from nobody@host.planetdps.co.uk
    Jul 11 11:15:27 host MailScanner[15319]: New Batch: Found 96712 messages waiting
    Jul 11 11:15:27 host MailScanner[15319]: New Batch: Scanning 30 messages, 113187 bytes
    Jul 11 11:15:27 host MailScanner[14282]: Uninfected: Delivered 30 messages
    
    
     
  7. Mat-d-rat

    Mat-d-rat Well-Known Member

    Joined:
    Jul 30, 2003
    Messages:
    94
    Likes Received:
    0
    Trophy Points:
    6
    How can I clear/delete the mailscanner queue?
     
  8. Mat-d-rat

    Mat-d-rat Well-Known Member

    Joined:
    Jul 30, 2003
    Messages:
    94
    Likes Received:
    0
    Trophy Points:
    6
    Anyone please? Still got 60000 emails in the mailscanner queue, can't seem to get hold of Jonathan :(
     
  9. Lestat

    Lestat Well-Known Member

    Joined:
    Sep 13, 2003
    Messages:
    199
    Likes Received:
    0
    Trophy Points:
    16
    Same here, I am having the same issue and have tried the stuff mentioned above. Still no solution to stopping this.
     
  10. asmar

    asmar Well-Known Member

    Joined:
    Jul 16, 2004
    Messages:
    135
    Likes Received:
    0
    Trophy Points:
    16
    I experienced a similar problem in the past and what I did was to buy a small vps and install qmail. Then I added all the domains to qmail and handled the traffic from that box, which was much more secure than exim.

    Following the above will give you plenty of time to find how and where the problem is.
    Maybe it’s not ideal for most but it will definitely work, or at least it worked for me.

    It's always good to have a smaller vps with qmail as a secondary email server with all your domains there so in case of a disaster you can come back online quickly or troubleshoot the system easier.

    Hope that helps
     