The Community Forums


Spam sent thru my server

Discussion in 'E-mail Discussions' started by djtommye, Dec 21, 2009.

  1. djtommye

    djtommye Registered

    I'm running cPanel 11.25.0-R42213 - WHM 11.25.0 - X 3.9

    I have set up SPF, DomainKeys, RBLs, etc. Yet, I'm getting cases where it appears that spammers are sending spam messages through my server. I definitely don't want to get blacklisted, and I'm only running about six domains under this VPS.

    I have contacted my web host, but they say everything looks good on their end. So I'm a bit stumped. Any suggestions would be much appreciated. I've also checked for rootkits, trojans, etc., to no avail.

    When I try logging in with telnet to port 25 to send an email, if I enter a bogus MAIL FROM, then I get an authentication failed message.


    Here are two emails I received just this morning:



    And - here's the other:
    (Message included with subject of "New Exclusive XXX video with Nicole Kidman and other celebs!")
     
    #1 djtommye, Dec 21, 2009
    Last edited by a moderator: Dec 21, 2009
  2. claudio

    claudio Well-Known Member

    Hi,

    I looked at these logs, and in your case it seems that there are other ways to send spam through your server, other than your inner security tweaks.

    For instance, someone can simply sit at a computer and manually start to spam messages, which is very improbable as it would be hard to type all that stuff.

    So he can place a trojan, keylogger or similar directly onto the user's computer

    and can "steal" his email password or use his Outlook Express contacts to send these emails.

    Also, he can infect your server or, more likely, another dedicated server and use a PHP script disguised as an external txt file to spam messages as well.

    so you need to

    Received: from kbejpxo (240.229.94.2)
    by vps.trinitytechdfw.com; Fri, 11 Dec 2009 09:37:16 -0600
    Check this IP, as it seems to be either the spammer or the complainer.

    If this IP is from the complainer, as the From and To headers are from the same domain (which is always a spammer technique, to use the same From and To headers), then you must discover whether it is a PHP nobody message or a hacked account, and then you must suspend it.

    In your /etc/httpd/domlogs/, try to grep 'txt?' *.com to see if there are attempts to run external PHP scripts through your server.

    If your PHP is configured to use suexec, this might not be necessary, as the identity of the PHP script will be revealed in the process list:

    ps -aux

    Did you look at your /var/log/exim_mainlog?

    regards and good luck
    Claudio
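
A sketch of the log triage suggested in the reply above, as an added example that is not part of the original thread: it flags domlog requests whose query string points at a remote .txt URL (including URL-encoded ones that a plain grep 'txt?' would miss) and groups exim_mainlog arrivals by local user versus SMTP AUTH login. The log lines are constructed samples, the function names are hypothetical, and the Exim fields assumed are the default `U=`, `P=` and `A=` entries on `<=` lines.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines (not from the thread): Apache combined format and Exim mainlog format.
DOMLOG = """\
198.51.100.7 - - [11/Dec/2009:09:30:01 -0600] "GET /index.php?page=http://203.0.113.9/id.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
192.0.2.15 - - [11/Dec/2009:09:31:10 -0600] "GET /robots.txt HTTP/1.1" 200 24 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Dec/2009:09:32:44 -0600] "GET /view.php?inc=ftp%3A%2F%2F203.0.113.9%2Fc.txt%3F HTTP/1.1" 200 498 "-" "libwww-perl/5.805"
"""
MAINLOG = """\
2009-12-11 09:37:16 1NJ7aB-0001Xy-7Q <= nobody@vps.example.com U=nobody P=local S=1843
2009-12-11 09:37:17 1NJ7aC-0001Y0-8A <= nobody@vps.example.com U=nobody P=local S=1851
2009-12-11 09:37:18 1NJ7aD-0001Y2-9R <= bob@example.com H=(kbejpxo) [203.0.113.50] P=esmtpa A=login:bob@example.com S=2210
2009-12-11 09:38:02 1NJ7aZ-0001Yb-Ab <= alice@example.org H=mail.example.org [192.0.2.80] P=esmtp S=3120
"""

# A query parameter whose value is a remote URL ending in .txt (the "external txt file" pattern).
RFI = re.compile(r'[?&][^=&\s]+=(?:https?|ftp)://[^\s&]*\.txt\??', re.I)

def rfi_attempts(domlog):
    """Return (client_ip, decoded_request) for requests that reference a remote .txt URL."""
    hits = []
    for line in domlog.splitlines():
        m = re.match(r'(\S+) .*?"(?:GET|POST) (\S+)', line)
        if m:
            req = unquote(m.group(2))  # decode %3A%2F%2F so encoded URLs are caught too
            if RFI.search(req):
                hits.append((m.group(1), req))
    return hits

def classify_senders(mainlog):
    """Count accepted messages ('<=' lines) by how they entered Exim."""
    counts = Counter()
    for line in mainlog.splitlines():
        if " <= " not in line:
            continue
        auth = re.search(r'\bA=[^:\s]+:(\S+)', line)
        user = re.search(r'\bU=(\S+)', line)
        if auth:                              # SMTP AUTH: a mailbox password was used
            counts[("smtp-auth", auth.group(1))] += 1
        elif user and " P=local" in line:     # local submission, e.g. a script calling sendmail
            counts[("local", user.group(1))] += 1
        else:                                 # ordinary inbound delivery from another host
            counts[("remote", "-")] += 1
    return counts
```

A high count under `("local", "nobody")` points at a web script, while a single mailbox dominating `smtp-auth` points at a stolen password, which is the distinction the reply asks you to make before suspending anything.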
     