The Community Forums

Interact with an entire community of cPanel & WHM users!

spam sent from my server, but not in exim logs and without my headers...

Discussion in 'General Discussion' started by mpierre, Feb 6, 2004.

  1. mpierre

    mpierre Well-Known Member

    Joined:
    Jun 30, 2002
    Messages:
    196
    Likes Received:
    0
    Trophy Points:
    16
    My server is getting reported to Spamcop for spam every 3 to 4 days for the past 2 weeks, which means I am almost always listed.

    The last one lists me like this:

    Received: from [MY IP] by web40122.mail.yahoo.com via HTTP;

    Spamcop reports:

    host web40122.mail.yahoo.com (checking ip) ip not found ; web40122.mail.yahoo.com discarded as fake.
    cannot find an mx for web40122.mail.yahoo.com
    cannot find an mx for mail.yahoo.com
    Chain test failed

    But in the other cases it was different, it was thru hotmail.com.

    Does anyone have an idea on how the spammer is able to send?

    I have PHPSuexec installed.

    I checked my exim logs and nothing is in there.

    Is it possible the spammer is making an external connection via SMTP? Is there a firewall I can install to block him?

    Is it possible the spammer is forging my IP?

    More details:

    (replaced my IP and my hostname)
    --------------------------------------------------------

    From klpvsbmdmy@yahoo.com Thu Feb 5 16:40:18 2004
    Return-Path: <klpvsbmdmy@yahoo.com>
    Delivered-To: spamcop-net-x
    Received: (qmail 14084 invoked from network); 5 Feb 2004 13:54:03 -0000
    Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101)
    by blade1.cesmail.net with SMTP; 5 Feb 2004 13:54:03 -0000
    Received: (qmail 354 invoked from network); 5 Feb 2004 13:54:03 -0000
    Received: from MYHOSTNAME (HELO web40195.mail.yahoo.com)
    (MY IP)
    by mailgate.cesmail.net with SMTP; 5 Feb 2004 13:54:03 -0000
    From: klpvsbmdmy yahoocom <klpvsbmdmy@yahoo.com>
    Return-Path: <klpvsbmdmy@yahoo.com>
    Message-ID: <2004__________________mail@web40122.mail.yahoo.com>
    Received: from [MY IP] by web40122.mail.yahoo.com via HTTP;
    Thu, 05 Feb 2004 08:54:02 EST
    Date: Thu, 5 Feb 2004 08:54:02 EST
    Reply-To: klpvsbmdmy yahoocom <klpvsbmdmy@yahoo.com>
    Subject: Unusual family pleasures
    To: x spamcopnet <x>
    Mime-Version: 1.0
    Content-Type: multipart/mixed; boundary="----------07814923CB91A4"
    X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade1
    X-Spam-Level: *
    X-Spam-Status: hits=1.6
    tests=HTML_50_60,HTML_IMAGE_ONLY_08,HTML_MESSAGE,
    HTML_TITLE_EMPTY version=2.63
    X-SpamCop-Checked: 192.168.1.101 MY IP MY IP
     
  2. richy

    richy Well-Known Member

    Joined:
    Jun 30, 2003
    Messages:
    276
    Likes Received:
    1
    Trophy Points:
    16
    Something's probably making a direct connection to the remote server via port 25 (bypassing exim). Try the "SMTP Tweak" under "Tweak Security" and see if that helps.
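    One way to check richy's theory directly, as an added example that is not from the thread: the script below parses the kernel socket table and lists every established connection to a remote port 25 together with the UID that owns it, so a connection owned by a hosting account's UID rather than exim's is the process bypassing the mail logs. Exim's UID (47 here) and the sample socket table are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: find processes that talk SMTP on their
# own (bypassing exim) by reading /proc/net/tcp. Assumption: exim's UID is
# passed in by the caller (47 in the constructed sample below).

# Print "uid=<uid> dst=<ip>:25" for every ESTABLISHED socket to remote port 25.
# Reads /proc/net/tcp, or the file named in $1 so a saved copy can be scanned.
find_direct_smtp() {
    awk '
    function hex2dec(h,  i, d) {
        d = 0
        for (i = 1; i <= length(h); i++)
            d = d * 16 + index("0123456789ABCDEF", toupper(substr(h, i, 1))) - 1
        return d
    }
    # /proc/net/tcp stores IPv4 as little-endian hex: 0100007F is 127.0.0.1
    function hex2ip(h) {
        return hex2dec(substr(h, 7, 2)) "." hex2dec(substr(h, 5, 2)) "." hex2dec(substr(h, 3, 2)) "." hex2dec(substr(h, 1, 2))
    }
    NR > 1 && $4 == "01" {            # st 01 = TCP_ESTABLISHED; field 8 = uid
        split($3, r, ":")
        if (r[2] == "0019")           # 0x0019 = port 25
            print "uid=" $8 " dst=" hex2ip(r[1]) ":25"
    }' "${1:-/proc/net/tcp}"
}

# Count port-25 connections NOT owned by the mail user ($2). Anything above
# zero is a process bypassing exim; "ps -u <uid>" then shows which one.
count_rogue_smtp() {
    find_direct_smtp "$1" | grep -v "^uid=$2 " | wc -l | tr -d ' '
}

# Constructed /proc/net/tcp sample (not real data): a listening socket, two
# outbound SMTP sessions (uid 1003 = a hosting account, uid 47 = exim) and
# one HTTPS session that must be ignored.
write_sample() {
    cat > "$1" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000    47        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0201A8C0:D3C1 0A00000A:0019 01 00000000:00000000 00:00000000 00000000  1003        0 22222 1 0000000000000000 100 0 0 10 0
   2: 0201A8C0:D3C2 0B00000A:0019 01 00000000:00000000 00:00000000 00000000    47        0 33333 1 0000000000000000 100 0 0 10 0
   3: 0201A8C0:D3C3 0C00000A:01BB 01 00000000:00000000 00:00000000 00000000  1003        0 44444 1 0000000000000000 100 0 0 10 0
EOF
}

# Demo on the sample; on the live box just call: find_direct_smtp
sample=$(mktemp); write_sample "$sample"
find_direct_smtp "$sample"                    # uid=1003 dst=10.0.0.10:25 / uid=47 dst=10.0.0.11:25
echo "rogue: $(count_rogue_smtp "$sample" 47)"   # rogue: 1
rm -f "$sample"
```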
     
  3. mpierre

    mpierre Well-Known Member

    Joined:
    Jun 30, 2002
    Messages:
    196
    Likes Received:
    0
    Trophy Points:
    16
    Gee thanks !!!

    I didn't know about this one....

    I hope it will work !
     
  4. mpierre

    mpierre Well-Known Member

    Joined:
    Jun 30, 2002
    Messages:
    196
    Likes Received:
    0
    Trophy Points:
    16
    Is there any way to see a log of SMTP connections that were in the past allowed, but are now prevented by this tweak?

    I wanna know if I stopped him!
     
  5. mpierre

    mpierre Well-Known Member

    Joined:
    Jun 30, 2002
    Messages:
    196
    Likes Received:
    0
    Trophy Points:
    16

    Doesn't help at all... all mail() from PHP is blocked. Any other options ???

    I want to block the spammer from bypassing the log, not from bypassing mail().
     
  6. peope

    peope Registered

    Joined:
    Nov 28, 2003
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    AFAIK it is not possible to block easily.

    One could theoretically use iptables and mark packets depending on UID and then disallow all outbound traffic to port 25 except for those UIDs you like (the mail server's UID).
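    A concrete form of what peope describes, added here and not from the thread: an iptables chain that lets only the listed users open new outbound SMTP connections and logs the UID of anything else before rejecting it, which is also the record of blocked connections that mpierre asked for. The mail user name (mailnull) is an assumption; check which user exim runs as on your box.

```shell
#!/bin/sh
# Added example (not from the thread): per-UID egress filtering of outbound
# SMTP. Only the listed users may open new connections to remote port 25;
# everything else is logged with its UID, then rejected.
# Assumed: iptables with the owner, conntrack, limit and LOG extensions, and
# "mailnull" as the user exim runs as (an assumption; verify it locally).

CHAIN=SMTP_EGRESS

# Emit the iptables commands for the given allowed user names, one per line,
# so the rule set can be reviewed (or diffed) before it is applied.
smtp_egress_rules() {
    echo "iptables -N $CHAIN"
    for user in "$@"; do
        # Allowed users leave the chain without being logged or rejected.
        echo "iptables -A $CHAIN -m owner --uid-owner $user -j RETURN"
    done
    # Everyone else: rate-limited LOG (with the offending UID), then REJECT.
    # The kernel log then names the UID of whatever is bypassing exim.
    echo "iptables -A $CHAIN -m limit --limit 10/min -j LOG --log-prefix \"$CHAIN-BLOCK: \" --log-uid"
    echo "iptables -A $CHAIN -j REJECT --reject-with tcp-reset"
    # Only new outbound SMTP connections enter the chain. The owner match is
    # only valid in OUTPUT, where locally generated packets appear.
    echo "iptables -A OUTPUT -p tcp --dport 25 -m conntrack --ctstate NEW -j $CHAIN"
}

# Apply the rules; refuses to run unless root.
apply_smtp_egress() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    smtp_egress_rules "$@" | sh -e
}

# Print the rule set for the assumed mail user plus root (cron jobs, WHM).
smtp_egress_rules mailnull root
```

Blocked attempts then appear in the kernel log with the SMTP_EGRESS-BLOCK prefix and a UID field, which maps to the account with `getent passwd <uid>`.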
     
  7. PeteC

    PeteC Well-Known Member

    Joined:
    May 8, 2003
    Messages:
    106
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Texas
    If you've gotten to the bottom of this, please let me know. I have the same situation on one server, and can't figure it out.
     
  8. jonmar

    jonmar Member

    Joined:
    Sep 13, 2003
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    I'm interested to know too. I'm having the same problem, and don't know how to stop it.
     
  9. PeteC

    PeteC Well-Known Member

    Joined:
    May 8, 2003
    Messages:
    106
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Texas
    I finally figured it out on my server.

    It was an account we were hosting. They had uploaded a proxy server named httpd.cgi into their /cgi-bin which was being used to send out spam whose headers said it came from our server but which was not recorded in the exim mail logs.

    Anybody still having this problem should look through their accounts for proxy servers. I went to SpamCop to check the date of the first spam report, and then started by looking at accounts opened shortly before that. This narrowed down the search and let me find him quickly.
     
  10. jonmar

    jonmar Member

    Joined:
    Sep 13, 2003
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    Thanks Pete,

    I was just coming over to post this very thing. While I will not put the user's personal details here, I will make them available to anyone who makes a request by emailing me. Anything that can be done to stop these clowns, I'm willing to do. I just got it figured out a couple of hours ago, and the spammer has long since been deleted.
     
  11. PeteC

    PeteC Well-Known Member

    Joined:
    May 8, 2003
    Messages:
    106
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Texas
    Great news! Hopefully this thread will help the next host who runs into this.

    By the way, SpamCop showed me the headers on the spam. There were a few distinctive things, like a server name of localhost.localhost and the same return address at yahoo.it. Turns out he had a template e-mail in the same directory with this information in it. So another quick way to locate the offending account would have been:

    grep -r localhost.localhost /home/*

    or

    grep -r xyz@yahoo.it /home/*

    Just thought I'd add this in case it helps the next guy.
     
  12. adjkhost

    adjkhost Member

    Joined:
    Apr 23, 2004
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    I am having this same problem too... :S
     