SPAM sent to bogus emails, 1000's of bouncebacks

Hello,

you should enable this option in whm

Main >> Server Setup >> Tweak Settings >> Mail

Prevent the user 'nobody' from sending out mail to remote addresses (php and cgi scripts generally run as nobody if you are not using phpsuexec and suexec respectively.)

It will help to solve your problem. If it willn't solve your problem please go to this link.

JONATHAN Did a great replay there.

http://forums.cpanel.net/showthread.php?t=28024&page=2&pp=15&highlight=chirpy
or go to
http://www.webumake.com/free/eximdeny.htm

It is very effective to block spamming

Also Did you enable suexec?. If it is a mail scripts you can find out it after enabling suexe.

Then run the following command

tail -f /usr/local/apache/logs/suexec_log

Also you can check the apache usage in WHM.

May be it will help you to find out the problem.

Let me know the status.

 

You must secure your server to stop spammers and hackers from accessing your server. It is not only enabling suexec, or Phpsuexec, but also securing and uprading all vunerable scripts including PhpBB and PhpNuke.

 

first use the tweak settings to prevent nobody from sending mail, this will stop ALL mail from php scripts unless you have phpsuexec installed

Disable the webmail module in the customers php nuke or delete it.

Empty the mail queue in whm

go back to tweak settings and allow nobody to send mail again unless you have phpsuexec installed, then you should leave it ticked.

Now watch the mail queue, if the spammer is still sending it will fill up again quickly and you will need to find the source.

Also watch your mail logs in ssh tail -f /var/log/exim_mainlog

Be prepared to be blacklisted for a few days and to also explain to your server provider that you are aware of the problem and have corrected it.

I use a bash script to check the mail queue every 10 mins, if more than 100 messages are in the queue then a warning email is sent to the server admin, if more than 200 are in the queue them it sends a text message to my mobile phone. large mail queues usually indicate a spammer or some sort of problem.

If you want the script see below

Mailqueue warnings.
The script below will check exims mail queue every 9 mins, if the number of mails is above the number defined by you then an alert will be sent.
An high volume of mail in the queue can mean 2 things, either there is a problem with exim or you have a spammer, either way you want to know about it.


1:
# cd /root
2:

# pico queuecheck.sh

3:
paste the following, replace your email with the email you wish alerts to be sent to, replace mobile with your mobile numer/email such as 1234567@sms2email.com, replace the values 200 & 100 with your desired alert level. If you dont want messages to your mobile then set mobile to a normal email address too.



#!/bin/bash

EMAIL="admin@xxxxxxxxxxxx.com"
MOBILE="4423424234@sms2email.com"

MQUEUE=`find /var/spool/exim/input -name '*-H' | wc -l | sed -e "s/ //g"`

if [ $MQUEUE -gt 200 ]; then
echo "Mail queue at `hostname` has $MQUEUE messages!!!" | mail -s "CRITICAL ALERT: Mail queue" $MOBILE | mail -s "ALERT: Mail queue"
else
if [ $MQUEUE -gt 80 ]; then
echo "Mail queue at `hostname` has $MQUEUE messages!" | mail -s "ALERT: Mail queue" $EMAIL
fi
fi


4;
press ctrl & x to save and exit

5:

# chmod 755 queuecheck.sh


6:
# pico /etc/crontab

add the line */9 * * * * root /root/queuecheck.sh > /dev/null 2>&1

you can adjust the time to suit you

7:
press ctrl & x to save and exit

Thats it your done, try setting the numbers low to test maybe set them to 1 & 2
once you have tested increase the values to what you think is above normal for your server.

 

It sounds like the user had Webmail enable in his PHP Nuke installation. You may want to read the advisory posted by PHP-Nuke:

http://phpnuke.org/modules.php?name=News&file=article&sid=7081