The Community Forums


SPAM sent to bogus emails, 1000's of bouncebacks

Discussion in 'E-mail Discussions' started by mangohead, Jun 8, 2005.

  1. mangohead

    mangohead Member

    Joined:
    Aug 4, 2003
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    1
    Within the last few days, one of our users has been sending outgoing emails to bogus email accounts. The result has been over 6000 emails bouncing back. This isn't very friendly as I'm sure my server has been blacklisted.

    Does anyone know how to stop this? Emails are sent from nobody@<myhostname.com>. I didn't know who it was at first, but after reading the attachment, I see that each mail has this at the bottom:

    Mail sent from WebMail service at <website name>
    - http://www.<domain>.com

    At first I thought the customer was sending out spam intentionally, but he denies that. Could this be a virus or trojan on his computer?

    It's strange that the emails are being sent from nobody@<hostname.com> but his website name appears at the bottom of each email.

    Is there any prevention against users sending spam through the SMTP server and also to prevent the bouncebacks?

    I'm in desperate need of help, as 6000+ emails is a pain and my customer is clueless as to what has happened.

    Your help is greatly appreciated!

    Randy
     
  2. bijo

    bijo Well-Known Member

    Joined:
    Aug 21, 2004
    Messages:
    475
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    India
    Hello,

    You should enable this option in WHM:

    Main >> Server Setup >> Tweak Settings >> Mail

    Prevent the user 'nobody' from sending out mail to remote addresses (php and cgi scripts generally run as nobody if you are not using phpsuexec and suexec respectively.)

    It will help to solve your problem. If it won't solve your problem, please go to this link.

    Jonathan did a great reply there.

    http://forums.cpanel.net/showthread.php?t=28024&page=2&pp=15&highlight=chirpy
    or go to
    http://www.webumake.com/free/eximdeny.htm

    It is very effective at blocking spamming.

    Also, did you enable suexec? If it is a mail script you can find it out after enabling suexec.

    Then run the following command

    tail -f /usr/local/apache/logs/suexec_log

    Also you can check the apache usage in WHM.

    Maybe it will help you to find out the problem.

    Let me know the status.
     
  3. mangohead

    mangohead Member

    Joined:
    Aug 4, 2003
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    1
    Thanks for your reply, bijo.

    By suexec, do you mean phpsuexec? Is this the same thing?

    I emailed my client and he says that he has php-nuke installed, and it could have been a vulnerability within the script. Have you heard of this before?

    Thanks again for your help. I'm going to apply the changes that you mentioned and see where it goes from there.

    randy
     
  4. mangohead

    mangohead Member

    Joined:
    Aug 4, 2003
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    1
    With all these bounceback messages, over 6000+, how can I empty out my inbox manually in shell? Doing it in webmail would be a pain...

    Thanks for your help! It's much appreciated!
     
  5. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    You must secure your server to stop spammers and hackers from accessing your server. It is not only enabling suexec or phpsuexec, but also securing and upgrading all vulnerable scripts, including phpBB and PHP-Nuke.
     
  6. simplybe

    simplybe Well-Known Member

    Joined:
    Nov 29, 2002
    Messages:
    153
    Likes Received:
    0
    Trophy Points:
    16
    First, use the tweak settings to prevent nobody from sending mail. This will stop ALL mail from PHP scripts unless you have phpsuexec installed.

    Disable the webmail module in the customer's PHP-Nuke or delete it.

    Empty the mail queue in WHM.

    Go back to tweak settings and allow nobody to send mail again, unless you have phpsuexec installed, in which case you should leave it ticked.

    Now watch the mail queue; if the spammer is still sending it will fill up again quickly and you will need to find the source.

    Also watch your mail logs in SSH: tail -f /var/log/exim_mainlog

    Be prepared to be blacklisted for a few days and to also explain to your server provider that you are aware of the problem and have corrected it.

    I use a bash script to check the mail queue every 10 mins. If more than 100 messages are in the queue then a warning email is sent to the server admin; if more than 200 are in the queue then it sends a text message to my mobile phone. Large mail queues usually indicate a spammer or some sort of problem.

    If you want the script, see below.

    Mailqueue warnings.
    The script below will check Exim's mail queue every 9 mins; if the number of mails is above the number defined by you then an alert will be sent.
    A high volume of mail in the queue can mean 2 things: either there is a problem with Exim or you have a spammer; either way you want to know about it.


    1: # cd /root

    2: # pico queuecheck.sh

    3: Paste the following. Replace the email with the email you wish alerts to be sent to, replace the mobile with your mobile number/email such as 1234567@sms2email.com, and replace the values 200 & 100 with your desired alert levels. If you don't want messages to your mobile then set mobile to a normal email address too.



    #!/bin/bash
    # Alert recipients: the admin mailbox and the SMS gateway address.
    EMAIL="admin@xxxxxxxxxxxx.com"
    MOBILE="4423424234@sms2email.com"

    # Count queued messages: Exim keeps one *-H (header) file per message in its spool.
    MQUEUE=$(find /var/spool/exim/input -name '*-H' | wc -l | sed -e "s/ //g")

    if [ "$MQUEUE" -gt 200 ]; then
        # Critical: page the mobile and mail the admin (one mail, two recipients).
        echo "Mail queue at $(hostname) has $MQUEUE messages!!!" | mail -s "CRITICAL ALERT: Mail queue" "$MOBILE" "$EMAIL"
    elif [ "$MQUEUE" -gt 80 ]; then
        # Warning: mail the admin only.
        echo "Mail queue at $(hostname) has $MQUEUE messages!" | mail -s "ALERT: Mail queue" "$EMAIL"
    fi


    4: Press Ctrl & X to save and exit.

    5: # chmod 755 queuecheck.sh

    6: # pico /etc/crontab

    Add the line */9 * * * * root /root/queuecheck.sh > /dev/null 2>&1

    You can adjust the time to suit you.

    7: Press Ctrl & X to save and exit.

    That's it, you're done. Try setting the numbers low to test, maybe set them to 1 & 2;
    once you have tested, increase the values to what you think is above normal for your server.
     
    #6 simplybe, Jun 9, 2005
    Last edited: Jun 9, 2005
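The queue check above tells you that something is wrong; the "find the source" step still has to be done by hand in /var/log/exim_mainlog. This added example (not simplybe's script or anything from the thread) does that step: it counts message arrivals per sender and Unix user from Exim's default mainlog format, where an arrival line carries "<=", the sender address and, for locally submitted mail, a "U=<user>" field. The threshold value, function names and the sample log lines are all constructed for the example.

```shell
#!/bin/sh
# Added example: find who is injecting mail by summarising Exim's main log.
# Assumes the default mainlog line layout: "<date> <time> <id> <= <sender> ... U=<user> ...".

THRESHOLD="${THRESHOLD:-100}"   # arrivals from one sender before alerting (assumed value)

# Print "count sender user" for every message arrival in the log, busiest first.
queue_sources() {
    awk '
        $4 == "<=" {
            user = "-"
            for (i = 6; i <= NF; i++) if ($i ~ /^U=/) user = substr($i, 3)
            n[$5 " " user]++
        }
        END { for (k in n) print n[k], k }
    ' "$1" | sort -rn
}

# Print only the busiest "count sender user" line.
top_source() {
    queue_sources "$1" | head -n 1
}

# Print an alert and return 0 if the busiest sender exceeds THRESHOLD; return 1 otherwise.
check_log() {
    top=$(top_source "$1") || return 1
    count=${top%% *}
    [ -n "$count" ] && [ "$count" -gt "$THRESHOLD" ] || return 1
    echo "ALERT: $count messages from ${top#* } in $1"
}

# Constructed sample log in mainlog format (hostnames and message ids are made up).
write_sample_log() {
    cat > "$1" <<'EOF'
2005-06-09 10:15:32 1DgP6e-0004Xk-6F <= nobody@server.example.com U=nobody P=local S=1342 T="Hi"
2005-06-09 10:15:33 1DgP6f-0004Xm-9Q <= nobody@server.example.com U=nobody P=local S=1340 T="Hi"
2005-06-09 10:15:35 1DgP6h-0004Xp-2B <= bob@example.com U=bob P=local S=900 T="Report"
2005-06-09 10:15:36 1DgP6e-0004Xk-6F => bogus@nowhere.invalid R=dnslookup T=remote_smtp
2005-06-09 10:15:37 1DgP6i-0004Xr-1A <= nobody@server.example.com U=nobody P=local S=1339 T="Hi"
EOF
}

# Demo on the constructed log; on a real server run: check_log /var/log/exim_mainlog
demo() {
    tmp=$(mktemp) && write_sample_log "$tmp"
    THRESHOLD=2
    check_log "$tmp"   # 3 arrivals from nobody@server.example.com exceed the threshold
    rm -f "$tmp"
}
```

A sender of nobody with U=nobody points at a web script running under Apache's user, which is exactly the case the thread's Tweak Settings option addresses.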
  7. mangohead

    mangohead Member

    Joined:
    Aug 4, 2003
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    1
    Thank you, simplybe,

    That was really informative. I've applied the settings and I'll monitor it over the next few days to see how it goes. How can I empty the inbox where all these bouncebacks are going to? I don't want to delete them manually in webmail, and I don't think my POP3 retrieval is set to delete emails after retrieval.

    Thanks again!
     
  8. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,383
    Likes Received:
    23
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator