Spam email with php scripts no authentication

[lowhigh]

Hi everybody!

My server is now spaming, i identify that the spammer using PHP scripts with no authentication. I have sent too much time for Googling but no result. This kind of PHP script is as my attachment and now PHP mailer also has the same:
/http://phpmailer.worxware.com/index.php?pg=examplebsmtpna

When check mail log, i see that no valuable info left, even using PHP mailheader, the Authentication Filed is always No
IP address = 127.0.0.1

Anybody has the way to prevent this issue? Many thanks from me!

 

[cPanelMichael]

Hello

Please ensure the following option is enabled in "WHM Home » Server Configuration » Tweak Settings" under the "Mail" tab:

"Track email origin via X-Source email headers"

Also, consider switching to suPHP as your PHP handler and enable "Prevent “nobody” from sending mail". In "WHM Home » Service Configuration » Exim Configuration Manager", under the "Mail" tab, consider enabling the following options:

"Query Apache server status to determine the sender of email sent from processes running as nobody" (if you use DSO)
"EXPERIMENTAL: Rewrite From: header to match actual sender "

These options should provide more information in the mail headers and logs to help you track down the spammer.

Thank you.

 

[lowhigh]

Thanks Michael so much!

I have enable all these option before but now i'm switching to FCGI hander and rarely i can debug in mail header of emails were delayed in queue to find more infomation. They always show:
IP address = 127.0.0.1 and Authentication=No

The key here that i would like to know how to prevent using mail without authentication, it's so dangerous for webhosting admin. Spammer can using this kind of scripts to send out and over time, many mail server consider my email server is the source of spam bots.The admin only knows when the queue become bigger and resolve at that time.
I have restrict the number of out going email per house @ 100emails/hr but still ocassionaly was add to email blacklist such as CBL spamhaus

Does anyone resolve this issue? I'm wait to hear from U!

 

[cPanelMichael]

For PHP scripts, you could add "mail" to the disable_functions line in your PHP configuration file. The following document may also be helpful:

Prevent Email Abuse

Thank you.

 

[lowhigh]

No no Michael!

This kind of scripts is not using mail function, they created the objects and the respective functions to send mail outgoing by PHP object. The important feature here is using the fsockopen or stream_socket_client function to create the socket to mail server. We cannot disable these because many application use them!

It's really dangerous as a vulnerability of PHP

 

[cPanelMichael]

You should consider using suPHP or DSO with Mod_Ruid2 so you can identify the account that is sending out the emails and suspend it if necessary.

Thank you.