The Community Forums


Spam issue, trying to understand exim log

Discussion in 'E-mail Discussions' started by fernandomm, Nov 26, 2009.

  1. fernandomm

    fernandomm Active Member

    Joined:
    Nov 25, 2009
    Messages:
    26
    Likes Received:
    0
    Trophy Points:
    1
    Hello,

    I am having some issues with spam on my server. I have received a report from AOL and, using the From header, got the message IDs. Here is one of them:

    Code:
    2009-11-24 23:00:10 [25870] 1ND3Qg-0006jG-8y <= medsex1@yahoo.com H=localhost (myhostname.com) [127.0.0.1]:44846 I=[127.0.0.1]:25 P=smtp S=1084 id=003d01c45ea6$231c589f$b2b07d80@ljfvbxnv T="SEX NO PROBLEMS!" from <medsex1@yahoo.com> for mbayguy@comcas.net
    2009-11-24 23:00:10 [25873] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1ND3Qg-0006jG-8y
    2009-11-24 23:00:10 [25873] 1ND3Qg-0006jG-8y ** mbayguy@comcas.net F=<medsex1@yahoo.com> R=fail_remote_domains: The mail server could not deliver mail to mbayguy@comcas.net.  The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.
    2009-11-24 23:00:10 [25878] cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1ND3Qg-0006jG-8y
    2009-11-24 23:00:10 [25878] 1ND3Qg-0006jO-K9 <= <> R=1ND3Qg-0006jG-8y U=mailnull P=local S=2025 T="Mail delivery failed: returning message to sender" from <> for medsex1@yahoo.com
    2009-11-24 23:00:10 [25873] 1ND3Qg-0006jG-8y Completed QT=0s
    
    I can't identify how the spam is being sent or who is sending it. According to these logs the user is using a script, right?

    Shouldn't the username appear as U=mailnull? Because mailnull is the user that exim runs as, right?

    Thanks!
     
  2. thewebhostingdi

    thewebhostingdi Well-Known Member

    Joined:
    Jan 10, 2008
    Messages:
    141
    Likes Received:
    0
    Trophy Points:
    16
    You can check the mail logs if you have access to the server by running the command below:

    cat /var/log/exim_mainlog | grep 1ND3Qg-0006jG-8y

    By running the above command you might get the domain name and the SMTP authentication from which the spam mail was sent.
     
  3. Denis Mischenko

    Denis Mischenko Registered

    Joined:
    Apr 17, 2008
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Hello,

    I've found this issue too.
    With the default cPanel configuration (setup) you are able to connect to localhost port 25 and send messages without authentication.
    Usually it's used along with the server hostname in the From field.

    Code:
    [18:04] [server1 etc] # telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220-server1.xxx.tld ESMTP Exim 4.69 #1 Wed, 02 Dec 2009 18:04:35 -0500
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
    helo server1.xxx.tld
    250 server1.xxx.tld Hello localhost [127.0.0.1]
    mail from: <support@server1.xxx.tld>
    250 OK
    rcpt to: <ard@xyy.tld>
    250 Accepted
    data
    354 Enter message, ending with "." on a line by itself
    Subject: Testing spam!!!
    SPAMMED.
    .
    250 OK id=1NFyG5-0006t1-BZ
    quit
    221 server1.xxx.tld closing connection
    Connection closed by foreign host.

    And such messages are accepted and sent to external addresses. This can be stopped by removing the main domain from /etc/localdomains or by adding a deny ACL for the following conditions:

    Code:
    hosts = 127.0.0.1
    condition = ${if match_domain{$sender_address_domain}{${primary_hostname}}{yes}{no}}
    
    However, this does not protect against use of the other domains owned by other users, so anyone who finds out which domains are hosted on the server will be able to send spam on behalf of those users.

    Enable authentication on localhost? Changes in /etc/exim.conf are not persistent. Also, can authentication create issues for other services?
     
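    As an added example (not code from the thread or from cPanel), here is a small Python parser for the Exim mainlog "<=" arrival lines quoted in the first post, plus a check for the pattern the previous post describes: an SMTP arrival from 127.0.0.1 that carries no authentication, optionally with an envelope sender claiming the server's own hostname. It assumes Exim's real log convention that authenticated sessions record an A=authenticator:id field (not present in the quoted log, which is exactly the point); the sample lines other than the first are constructed with documentation addresses.

    ```python
    import re

    # Constructed sample log in the Exim mainlog format from the thread: the first line is the
    # poster's own; the rest are made up to contrast an authenticated submission (A=), a local
    # pickup (U=, no H=) and a localhost session whose sender spoofs the primary hostname.
    SAMPLE_LOG = """\
    2009-11-24 23:00:10 [25870] 1ND3Qg-0006jG-8y <= medsex1@yahoo.com H=localhost (myhostname.com) [127.0.0.1]:44846 I=[127.0.0.1]:25 P=smtp S=1084 id=003d01c45ea6$231c589f$b2b07d80@ljfvbxnv T="SEX NO PROBLEMS!" from <medsex1@yahoo.com> for mbayguy@comcas.net
    2009-11-24 23:01:42 [25901] 1ND3SC-0006kP-1a <= alice@example.com H=(client.example.net) [203.0.113.5]:51234 I=[203.0.113.1]:587 P=esmtpsa A=dovecot_login:alice@example.com S=912 T="weekly report" from <alice@example.com> for bob@example.org
    2009-11-24 23:02:05 [25910] 1ND3Sd-0006kQ-7q <= root@myhostname.com U=root P=local S=640 T="cron output" from <root@myhostname.com> for admin@example.org
    2009-11-24 23:03:30 [25922] 1ND3Tv-0006kZ-2c <= support@myhostname.com H=localhost (myhostname.com) [127.0.0.1]:45001 I=[127.0.0.1]:25 P=smtp S=310 T="Testing" from <support@myhostname.com> for ard@example.org
    """

    ARRIVAL_RE = re.compile(r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \[(?P<pid>\d+)\] (?P<msgid>\S+) <= (?P<sender>\S+) (?P<rest>.*)$')


    def parse_arrival(line):
        """Parse an Exim '<=' (message arrival) line into a dict; other line types return None."""
        m = ARRIVAL_RE.match(line)
        if not m:
            return None
        rest = m["rest"]
        rec = {"ts": m["ts"], "msgid": m["msgid"], "envelope_from": m["sender"]}
        # H=<helo name> (<reverse lookup>) [<ip>]:<port> is the connecting client; absent for P=local
        h = re.search(r'H=[^\[]*\[(?P<ip>[\d.]+)\]:\d+', rest)
        if h:
            rec["remote_ip"] = h["ip"]
        # P= protocol, U= local submitting user, A= authenticator:id (assumed field), S= size
        for key in ("P", "U", "A", "S"):
            f = re.search(r'\b%s=(\S+)' % key, rest)
            if f:
                rec[key] = f.group(1)
        t = re.search(r'T="([^"]*)"', rest)
        r = re.search(r' for (\S+)\s*$', rest)
        rec["subject"] = t.group(1) if t else None
        rec["recipient"] = r.group(1) if r else None
        return rec


    def find_suspicious(log_text, primary_hostname):
        """Return [(msgid, reason)] for arrivals that used localhost port 25 without SMTP
        authentication, noting when the envelope sender also claims the server's own name."""
        hits = []
        for line in log_text.splitlines():
            rec = parse_arrival(line)
            if not rec or rec.get("remote_ip") != "127.0.0.1" or "A" in rec:
                continue
            reason = "unauthenticated SMTP from localhost"
            if rec["envelope_from"].rpartition("@")[2].lower() == primary_hostname.lower():
                reason += "; sender claims primary hostname"
            hits.append((rec["msgid"], reason))
        return hits
    ```

    Run find_suspicious over a real /var/log/exim_mainlog with your server's primary hostname; each hit's message ID can then be grepped for the "**" and "Completed" lines of that message, as the second post suggests.
    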
  4. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Joined:
    Nov 5, 2008
    Messages:
    2,557
    Likes Received:
    7
    Trophy Points:
    38
    Location:
    Houston, Texas, U.S.A.
    cPanel Access Level:
    DataCenter Provider
    There is not enough detail in the provided log data to know for certain what generated the initial SMTP connection from localhost.

    To help with future occurrences, please consider adjusting the Exim configuration via the Exim Configuration Editor in WHM.

    WHM, Main >> Service Configuration >> Exim Configuration Editor:
    "Set the Sender: Header when the mail sender changes the sender (-f flag passed to sendmail)."
    Set to Enabled by ensuring the checkbox is ticked.
    The above option will ensure the e-mail sender header is properly set as the true sender, such as "nobody" or whichever user ran the script if using SuPHP or which e-mail account the script used for authentication; this also helps with tracking Spam that slipped by and is later reported back to you by way of receiving a copy of the full e-mail headers.

    WHM, Main >> Service Configuration >> Exim Configuration Editor >> Advanced Editor
    In the first text box on the above page add the following line:
    Code:
    log_selector = +all -ident_timeout -pid
    This step will help generate more detailed Exim logging data.
     
  5. tiolalu

    tiolalu Registered

    Joined:
    May 30, 2010
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    I'm sorry that I rescued this post like an archaeologist, but I'm having the same problem and I can't find the solution after looking hard for it.

    Can anyone, please, tell me how to make all SMTP connections authenticate?
    So when anyone enters the "rcpt to" the system answers: "550 authentication required"

    Thanks in advance,
    Best regards.

    PS: I forgot: I'm running a VPS with cPanel 11.25.0-STABLE S45750
     
    #5 tiolalu, May 30, 2010
    Last edited: May 30, 2010
  6. tiolalu

    tiolalu Registered

    Joined:
    May 30, 2010
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    OK, I found the "problem". If you logged in within the last 30 minutes you are able to send mail without authenticating.

    Now I'll look closely at the access log.
     
  7. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Joined:
    Nov 5, 2008
    Messages:
    2,557
    Likes Received:
    7
    Trophy Points:
    38
    Location:
    Houston, Texas, U.S.A.
    cPanel Access Level:
    DataCenter Provider
    To avoid that behavior simply disable Antirelayd via the Service Manager in WHM at the following menu path (with linked documentation): WHM: Main >> Service Configuration >> Service Manager
     