Spam Injection, generated on fake emails

[tangowebs]

Hi, my server is being injected with spam, originated in fake @yahoo.com emails that seem to be hosted into server, but ofc they are not.
Ive been trying to look for the script that is injecting, enabled headers, monitored queue but im not able to determine where those emails are being injected from.

In common, all the spam is being created like @yahoo.com adress.
How can i determine where is this being injected from?
Apreciate ur help, im becoming crazy!

 

[m4rc3]

You need to enable extended logging on exim so you can check where those emails are coming from.

Add this to exim.conf and restart it.

log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn

then you can use something like this to check where the emails are coming from.
This will list the folder that sends mails and how many has sent.

grep cwd= /var/log/exim_mainlog| awk '{print $3}' | cut -d= -f2 | sort | uniq -c | sort -n