
Spam email with php scripts no authentication

Discussion in 'E-mail Discussions' started by lowhigh, Feb 27, 2014.

  1. lowhigh

    lowhigh Active Member

    Joined:
    Jun 25, 2011
    Messages:
    29
    Likes Received:
    0
    Trophy Points:
    1
    Hi everybody!

    My server is now spamming. I identified that the spammer is using PHP scripts with no authentication. I have spent too much time Googling but with no result. This kind of PHP script is in my attachment, and PHPMailer now also has the same:
    /http://phpmailer.worxware.com/index.php?pg=examplebsmtpna

    When I check the mail log, I see that no valuable info is left; even using PHP mail headers, the Authentication field is always No:
    IP address = 127.0.0.1

    Does anybody have a way to prevent this issue? Many thanks from me!
     

    Attached Files:

  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    651
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Please ensure the following option is enabled in "WHM Home » Server Configuration » Tweak Settings" under the "Mail" tab:

    "Track email origin via X-Source email headers"

    Also, consider switching to suPHP as your PHP handler and enable "Prevent “nobody” from sending mail". In "WHM Home » Service Configuration » Exim Configuration Manager", under the "Mail" tab, consider enabling the following options:

    "Query Apache server status to determine the sender of email sent from processes running as nobody" (if you use DSO)
    "EXPERIMENTAL: Rewrite From: header to match actual sender"

    These options should provide more information in the mail headers and logs to help you track down the spammer.

    Thank you.
     
  3. lowhigh

    lowhigh Active Member

    Joined:
    Jun 25, 2011
    Messages:
    29
    Likes Received:
    0
    Trophy Points:
    1
    Thanks Michael so much!

    I had already enabled all these options before, but now I'm switching to the FCGI handler, and only rarely can I debug the mail headers of emails that were delayed in the queue to find more information. They always show:
    IP address = 127.0.0.1 and Authentication=No

    The key thing I would like to know is how to prevent sending mail without authentication; it's so dangerous for a webhosting admin. Spammers can use this kind of script to send out mail, and over time many mail servers consider my email server the source of spam bots. The admin only knows when the queue becomes bigger and resolves it at that time.
    I have restricted the number of outgoing emails per hour to 100 emails/hr, but I still occasionally get added to email blacklists such as the CBL from Spamhaus.

    Has anyone resolved this issue? I'm waiting to hear from you!
     
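The symptom described in the post above (submissions from 127.0.0.1 with Authentication=No, plus an hourly sending limit of 100) can be watched for directly in the Exim main log instead of in individual message headers. The following is an added example, not code from the original thread or from cPanel: it parses Exim message-arrival lines (the ones containing `<=`), treats the absence of an `A=` token as "no SMTP authentication", counts unauthenticated submissions from localhost per sender per hour, and flags any sender that exceeds a limit. The log lines are constructed for the example; the log path mentioned in the note below is an assumption about a typical cPanel layout.

```python
import re
from collections import Counter

# Constructed sample Exim mainlog lines (not from the original post).
# Lines with "<=" are message arrivals; "A=" records the SMTP authenticator
# used, so an arrival from [127.0.0.1] with no "A=" is an unauthenticated
# local injection, e.g. a PHP script talking to port 25 over a socket.
SAMPLE_LOG = """\
2014-02-27 08:15:02 1WIaAb-0003Kl-Qz <= bob@example.org H=localhost (webhost) [127.0.0.1] P=esmtp S=2048 id=a1@webhost
2014-02-27 08:15:03 1WIaAc-0003Km-Rz <= bob@example.org H=localhost (webhost) [127.0.0.1] P=esmtp S=2051 id=a2@webhost
2014-02-27 08:16:10 1WIaAd-0003Kn-Sz <= alice@example.org H=mail.example.net [203.0.113.7] P=esmtpa A=dovecot_login:alice@example.org S=1200 id=b1@example.net
2014-02-27 08:17:44 1WIaAe-0003Ko-Tz <= bob@example.org H=localhost (webhost) [127.0.0.1] P=esmtp S=2049 id=a3@webhost
2014-02-27 09:01:00 1WIaAf-0003Kp-Uz <= bob@example.org H=localhost (webhost) [127.0.0.1] P=esmtp S=2050 id=a4@webhost
2014-02-27 09:02:00 1WIaAg-0003Kq-Vz => alice@example.org R=lookuphost T=remote_smtp H=mx.example.org [203.0.113.9]
"""

# "YYYY-MM-DD HH:MM" (seconds dropped), message id, sender, remainder of the line.
ARRIVAL = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d):\d\d "
    r"(?P<id>\S+) <= (?P<sender>\S+) "
    r"(?P<rest>.*)$"
)
HOST_IP = re.compile(r"\[(?P<ip>[0-9a-fA-F.:]+)\]")
AUTH = re.compile(r"\bA=(?P<mech>\S+)")

LOCAL_IPS = ("127.0.0.1", "::1")


def parse_arrival(line):
    """Return a dict for an Exim '<=' (message arrival) line, or None for any other line."""
    m = ARRIVAL.match(line)
    if not m:
        return None
    rest = m.group("rest")
    ip = HOST_IP.search(rest)
    auth = AUTH.search(rest)
    return {
        "hour": m.group("ts")[:13],          # "YYYY-MM-DD HH"
        "sender": m.group("sender"),
        "ip": ip.group("ip") if ip else None,
        "authenticated": auth is not None,
        "auth": auth.group("mech") if auth else None,
    }


def unauthenticated_local_counts(log_text):
    """Count, per (hour, sender), arrivals from localhost that carry no A= authenticator."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_arrival(line)
        if rec and rec["ip"] in LOCAL_IPS and not rec["authenticated"]:
            counts[(rec["hour"], rec["sender"])] += 1
    return counts


def flag_senders(log_text, per_hour_limit=100):
    """Senders whose unauthenticated localhost submissions exceed the limit in any single hour."""
    counts = unauthenticated_local_counts(log_text)
    return sorted({sender for (_, sender), n in counts.items() if n > per_hour_limit})


if __name__ == "__main__":
    # Low limit so the constructed sample trips it; use 100 to match the post's hourly cap.
    for (hour, sender), n in sorted(unauthenticated_local_counts(SAMPLE_LOG).items()):
        print(f"{hour}  {sender:<20} unauthenticated local submissions: {n}")
    print("flagged:", flag_senders(SAMPLE_LOG, per_hour_limit=2))
```

On a cPanel box the real input would typically be /var/log/exim_mainlog (assumed path); feeding it to `unauthenticated_local_counts` gives the per-hour picture that the queue size alone hides, and a sender flagged here is the one to look up in the X-Source headers or, under suPHP or mod_ruid2, in the owning account.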
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    651
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    For PHP scripts, you could add "mail" to the disable_functions line in your PHP configuration file. The following document may also be helpful:

    Prevent Email Abuse

    Thank you.
     
  5. lowhigh

    lowhigh Active Member

    Joined:
    Jun 25, 2011
    Messages:
    29
    Likes Received:
    0
    Trophy Points:
    1
    No no Michael!

    This kind of script is not using the mail function; it creates objects and the respective functions to send outgoing mail via a PHP object. The important feature here is the use of the fsockopen or stream_socket_client function to create the socket to the mail server. We cannot disable these because many applications use them!

    It's really dangerous, like a vulnerability of PHP.
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    651
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    You should consider using suPHP or DSO with Mod_Ruid2 so you can identify the account that is sending out the emails and suspend it if necessary.

    Thank you.
     