Spam problem with mailnull and mailer-daemon

Discussion in 'E-mail Discussions' started by RedFutura, Jan 28, 2006.

  1. RedFutura

    RedFutura Well-Known Member

    Hello,

    I've got someone sending out spam from my server and I suspect he is using an address like mailnull@hostname to bypass Exim authentication. Is this possible?

    I think addresses like postmaster@hostname, mailer-daemon@hostname, etc. are used for this.

    Is it possible to disallow users to use those addresses to send out email?

    Also, I've seen spam coming out from a domain which does not exist in my server, how is this possible? It is always the same domain (AdminRobot@hyipreal.com). Is there any way to block email coming out of that address?

    Thank you
     
  2. chirpy

    chirpy Well-Known Member

    No, it's not possible to bypass authentication. They're either being authenticated explicitly or implicitly, i.e. they're logging into a valid email account and sending spam or they're using a compromised web script on the server.

    First step is to look at the email headers of one of the spam emails.
     
  3. viniwox

    viniwox Registered

    Having the same problem

    Hello,

    I am having the same problem. My IP is already blacklisted and I just can't find a script where this is being generated.

    Look at the emails that are being sent:

    1MzT9E-0007XH-WD-H
    mailnull 47 12
    <gages70@web.de>
    1255862280 0
    -helo_name localhost
    -host_address 127.0.0.1.34894
    -host_name localhost
    -interface_address 127.0.0.1.25
    -received_protocol smtp
    -body_linecount 10
    -max_received_linelength 119
    XX
    3
    assentg@excite.com
    assent_h@excite.com
    assenth@excite.com

    173P Received: from localhost ([127.0.0.1])
    by servidor.myserver.net with smtp (Exim 4.69)
    (envelope-from <gages70@web.de>)
    id 1MzT9E-0007XH-WD; Sun, 18 Oct 2009 05:38:01 -0500
    027R Reply-To: <gages70@web.de>
    038 Date: Sun, 18 Oct 2009 05:29:14 -0400
    023F From: <gages70@web.de>
    086T To: <assentg@excite.com>,
    <assent_h@excite.com>,
    <assenth@excite.com>
    039I Message-ID: <01CA4FDD.43C22626@web.de>
    021 X-Priority: 1 (High)
    058 Subject: Certainly flowers have the easiest time on earth
    018 MIME-Version: 1.0
    044 Content-Type: text/html; charset=iso-8859-1
    032 Content-Transfer-Encoding: 7bit
    1MzT9E-0007XH-WD-D
    <html>
    <head>
    <title> We sent him down at last out of the way. </title>
    </head>

    <body>
    <a href="http://208.109.0.18/3.html">You manhood won't be flaccid after this supplement! Super discounts right now!</a>
    </body>
    </html>
     
  4. bhanuprasad1981

    bhanuprasad1981 Well-Known Member

    Same on my side too :(

    I get complaints stating spam is sent from the server with a user name which doesn't exist :(
     
  5. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Friendly Moderator Note

    I have moved this thread to the Mail forum.
     
  6. DWHS.net

    DWHS.net Well-Known Member
    PartnerNOC

    These issues need to be addressed; it's too easy to spam from a script as nobody with cPanel. There needs to be an easy way to track this and stop spammers.
     
  7. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Securing and hardening servers and monitoring for abuse is the responsibility of the Systems Administration team managing the system. As a starting point, enabling both SuExec and SuPHP will make it easier to track outbound Spam assuming the abuse does not bypass the Exim MTA (Exim mail server). I would also check to ensure your system is configured to take full advantage of the available security and mail features within cPanel/WHM:
    Tweak Settings - Mail
    WhmSecurity < AllDocumentation/WHMDocs < TWiki
    EximConfig < AllDocumentation/WHMDocs < TWiki
     
  8. bhanuprasad1981

    bhanuprasad1981 Well-Known Member

    My server management installed suPHP and mod_security and disabled "nobody" from sending mail, but spammers still found a way out. My DC and server admin were unable to find a single trace of spam, and I was forced to reinstall the OS. I would like to ask the community for help: how is this possible? Mail sent from the server and not even one trace?
     
  9. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Please check with your system administration (server management) team; if you need to, please create a new thread to ask specific questions regarding the circumstances of your situation. There must have been a trace of the Spam or it would not be known there was a Spam issue; I recommend thoroughly checking the symptoms, indications and other evidence of the Spam to determine where the issue might be, including checking e-mail headers and mail server logs.
     
  10. sparek-3

    sparek-3 Well-Known Member

    From the mail headers posted, it looks like the owner of that server does not have the SMTP Tweak enabled, either in the Security Center in the WHM or with CSF.

    Note that if you are using CSF you will have to use its SMTP Tweak (which is essentially the same thing). Not sure about other iptables-based firewalls. If you are using a software firewall (CSF or APF, maybe others) then you will need to use their included SMTP Tweak, because it will override the WHM's tweak.
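
Added example, not part of any post in this thread: a small triage script for the envelope section of an Exim `-H` spool file like the one posted above. In Exim's spool format the second line names the user of the process that handed the message to Exim, which for a message received over SMTP is Exim's own user (`mailnull` in the dump), so the `-host_address` and `-auth_id` lines are what show how the message actually entered the server. The function names and finding labels are hypothetical, and the sample input is constructed from the posted dump with the addresses replaced.

```python
import ipaddress

# Constructed sample: envelope part of an Exim "-H" spool file, modelled on the
# dump posted in this thread (sender and recipients replaced with placeholders).
SAMPLE_H = """1MzT9E-0007XH-WD-H
mailnull 47 12
<sender@example.org>
1255862280 0
-helo_name localhost
-host_address 127.0.0.1.34894
-host_name localhost
-interface_address 127.0.0.1.25
-received_protocol smtp
-body_linecount 10
XX
3
a@example.com
b@example.com
c@example.com

173P Received: from localhost ([127.0.0.1])
"""

def parse_envelope(text):
    """Parse the envelope part of a -H file (everything before the headers)."""
    lines = text.splitlines()
    user, uid, _gid = lines[1].split()
    env = {"id": lines[0].rsplit("-", 1)[0], "user": user, "uid": int(uid),
           "sender": lines[2].strip("<>"), "opts": {}, "rcpts": []}
    i = 4
    while i < len(lines) and lines[i].startswith("-"):   # "-name value" options
        name, _, value = lines[i][1:].partition(" ")
        env["opts"][name] = value
        i += 1
    while not lines[i].isdigit():      # skip non-recipient tree ("XX" if empty)
        i += 1
    env["rcpts"] = lines[i + 1:i + 1 + int(lines[i])]
    return env

def triage(env):
    """Return findings that tell where the message entered Exim."""
    opts, findings = env["opts"], []
    addr = opts.get("host_address")            # "address.port" as in the thread
    if addr is None:
        findings.append("local-submission-by-" + env["user"])
    elif ipaddress.ip_address(addr.rsplit(".", 1)[0]).is_loopback:
        findings.append("smtp-from-loopback")  # a local process spoke SMTP to port 25
    else:
        findings.append("smtp-from-remote")
    if addr is not None and "auth_id" not in opts:
        findings.append("no-smtp-auth")        # no mailbox login tied to the message
    return findings
```

For the sample, `triage(parse_envelope(SAMPLE_H))` reports a loopback SMTP submission with no authenticated mailbox, which matches the pattern discussed in the replies above: a process on the server itself talking SMTP to port 25.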
     