
spam from nobody

Discussion in 'E-mail Discussions' started by mister raven, Jul 6, 2010.

  1. mister raven

    I've had tonnes of bounceback from exim trying to mail people from the nobody account. I've used the tweak setting to disable any of the emails from getting out of the server, but I am having a heck of a time figuring out where the spam is being sent from on my server.

    I have followed a few different tutorials (Catching Spammers on cPanel Servers | Web Hosting Tutorials | Linux Windows Server information | PHP MySQL help , http://forums.cpanel.net/f5/help-fix-spam-nobody-56331.html )

    My exim logs are as follows.

    Code:
    2010-07-06 22:35:42 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1OWGYe-0002ER-70
    2010-07-06 22:35:42 1OWKUA-0002Jz-Iq <= <> R=1OWGYe-0002ER-70 U=mailnull P=local S=2906 T="Mail delivery failed: returning message to sender"
    2010-07-06 22:35:42 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1OWKUA-0002Jz-Iq
    2010-07-06 22:35:42 1OWGYe-0002ER-70 Completed
    2010-07-06 22:35:43 1OWKUA-0002Jz-Iq => email@email.ca <nobody@blahblah.com> R=lookuphost T=remote_smtp H=idcmail.shaw.ca [64.59.134.8]
    2010-07-06 22:35:43 1OWKUA-0002Jz-Iq Completed
    2010-07-06 22:35:43 1OWGYY-00025V-F8 ** tfx5@yahoo.com R=checkspam2: Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings
    2010-07-06 22:35:43 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1OWGYY-00025V-F8
    2010-07-06 22:35:43 1OWKUB-0002KB-1a <= <> R=1OWGYY-00025V-F8 U=mailnull P=local S=2894 T="Mail delivery failed: returning message to sender"
    2010-07-06 22:35:43 1OWGYY-00025V-F8 Completed
    2010-07-06 22:35:43 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1OWKUB-0002KB-1a
    2010-07-06 22:35:43 1OWKUB-0002KB-1a => email@email.ca <nobody@blahblah.com> R=lookuphost T=remote_smtp H=idcmail.shaw.ca [64.59.134.8]
    2010-07-06 22:35:43 1OWKUB-0002KB-1a Completed
    2010-07-06 22:35:43 1OWGYY-00025z-Lb ** tg_142@yahoo.com R=checkspam2: Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings
    2010-07-06 22:35:43 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1OWGYY-00025z-Lb
    2010-07-06 22:35:43 1OWKUB-0002KF-GH <= <> R=1OWGYY-00025z-Lb U=mailnull P=local S=2902 T="Mail delivery failed: returning message to sender"
    2010-07-06 22:35:43 1OWGYY-00025z-Lb Completed
    2010-07-06 22:35:43 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1OWKUB-0002KF-GH
    2010-07-06 22:35:43 1OWKUB-0002KF-GH => email@email.ca <nobody@blahblah.com> R=lookuphost T=remote_smtp H=idcmail.shaw.ca [64.59.134.8]
    2010-07-06 22:35:43 1OWKUB-0002KF-GH Completed
    2010-07-06 22:35:43 1OWGYY-00026I-PJ ** tg_consulting@yahoo.com R=checkspam2: Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings

    The cwd is /var/spool/exim - I can't seem to find anything out of the ordinary in the directory.

    directory list:

    Code:
    drwxr-x--- 6 mailnull mail 4096 Apr 9 02:22 ./
    drwxr-xr-x 15 root root 4096 Jan 26 16:43 ../
    drwxr-x--- 2 mailnull mail 4096 Mar 31 04:02 db/
    -rw-r--r-- 1 mailnull mail 6 Jul 6 22:21 exim-daemon.pid
    drwxr-x--- 64 mailnull mail 4096 Apr 13 03:00 input/
    drwxr-x--- 64 mailnull mail 4096 Apr 13 03:00 msglog/
    drwxr-x--- 4 mailnull mail 4096 Jul 6 23:10 scan/


    Any ideas or directions you can recommend for me to pursue?

    Thanks very much for your help!

    Darren
     
  2. Miraenda

    First of all, have you enabled full logging in WHM > Exim Configuration Editor > Advanced Editor area in the topmost field with this line:

    Code:
    log_selector = +all
    If not, I highly suggest doing it. I don't see the email subject lines in what you've posted and knowing the subject is a big help. Next, do you have any of the bounces still in Mail Queue Manager? The full header on a bounce can help to track down the abusive account.

    Next, if you do have the times these are being sent and it's a script doing it, you can grep the domlogs for emails sent using POST around that time:

    Code:
    cd /usr/local/apache/domlogs
    grep -i post * | grep 22:35
    This will look in the domlogs for any POST entries that also have 22:35 as the time, since the logs you've provided show the emails being sent around that time.
     
    #2 Miraenda, Jul 6, 2010
    Last edited: Jul 6, 2010
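As an added example (not code from this thread or from cPanel), here is a small script that automates the correlation Miraenda describes: it pulls the timestamps of messages exim discarded for user nobody from the mainlog, then finds POST requests in the domlogs that landed within a minute of them and ranks the scripts hit. The log lines, domain names and script path below are constructed sample input in the format of the thread's excerpt, not real server data.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Exim mainlog line for a message discarded by the WHM "nobody" sender restriction
# (same shape as the lines quoted in the thread).
EXIM_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ \*\* \S+ R=checkspam2: Mail sent by user nobody")
# Apache domlog line (common/combined format); only POST requests are of interest.
DOMLOG_RE = re.compile(r'^\S+ \S+ \S+ \[([^\]]+)\] "POST (\S+) ')

def nobody_discard_times(mainlog_lines):
    """Timestamps of messages exim discarded because user 'nobody' sent them."""
    return [datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            for m in map(EXIM_RE.match, mainlog_lines) if m]

def correlate_posts(domlogs, discard_times, window=timedelta(seconds=60)):
    """Count POST requests per (domlog, script) that fall within `window` of a discard.

    domlogs maps a domlog file name (the domain) to its lines. Both logs are assumed
    to be in the server's local time; the domlog's UTC offset is dropped.
    """
    hits = Counter()
    for name, lines in domlogs.items():
        for line in lines:
            m = DOMLOG_RE.match(line)
            if not m:
                continue
            ts = datetime.strptime(m.group(1).split()[0], "%d/%b/%Y:%H:%M:%S")
            if any(abs(ts - d) <= window for d in discard_times):
                hits[(name, m.group(2))] += 1
    return hits.most_common()

# Constructed sample input modelled on the thread's log excerpt.
MAINLOG = """\
2010-07-06 22:35:43 1OWGYY-00025V-F8 ** tfx5@yahoo.com R=checkspam2: Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings
2010-07-06 22:35:43 1OWKUB-0002KB-1a Completed
2010-07-06 22:35:43 1OWGYY-00025z-Lb ** tg_142@yahoo.com R=checkspam2: Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings
""".splitlines()
DOMLOGS = {
    "example-a.com": [
        '203.0.113.5 - - [06/Jul/2010:22:35:40 -0600] "POST /scripts/form.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
        '203.0.113.5 - - [06/Jul/2010:22:35:42 -0600] "POST /scripts/form.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
        '198.51.100.7 - - [06/Jul/2010:14:02:11 -0600] "POST /contact.php HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
    ],
    "example-b.com": [
        '192.0.2.9 - - [06/Jul/2010:22:35:43 -0600] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    ],
}

if __name__ == "__main__":
    for (domain, script), count in correlate_posts(DOMLOGS, nobody_discard_times(MAINLOG)):
        print(f"{count:4d}  {domain}  {script}")
```

On a real server, read /var/log/exim_mainlog and each file under /usr/local/apache/domlogs into the two inputs; a script that accumulates hits across several discard times is the one to inspect first.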