SPAM sent to bogus emails, 1000's of bouncebacks

mangohead

Member
Aug 4, 2003
Within the last few days, one of our users has been sending outgoing emails to bogus email accounts. The result has been over 6000 emails bouncing back. This isn't very friendly, as I'm sure my server has been blacklisted.

Does anyone know how to stop this? Emails are sent from [email protected]<myhostname.com>. I didn't know who it was at first, but after reading the attachment, I see that each mail has this at the bottom:

Mail sent from WebMail service at <website name>
- http://www.<domain>.com

At first I thought the customer was sending out spam intentionally, but he denies that. Could this be a virus or trojan on his computer?

It's strange that the emails are being sent from [email protected]<hostname.com> but his website name appears at the bottom of each email.

Is there any prevention against users sending spam through the SMTP server and also to prevent the bouncebacks?

I'm in desperate need of help, as 6000+ emails is a pain and my customer is clueless as to what has happened.

Your help is greatly appreciated!

Randy
 

bijo

Well-Known Member
Aug 21, 2004
India
Hello,

You should enable this option in WHM:

Main >> Server Setup >> Tweak Settings >> Mail

Prevent the user 'nobody' from sending out mail to remote addresses (php and cgi scripts generally run as nobody if you are not using phpsuexec and suexec respectively.)

It will help to solve your problem. If it doesn't solve your problem, please go to this link.

Jonathan did a great reply there.

http://forums.cpanel.net/showthread.php?t=28024&page=2&pp=15&highlight=chirpy
or go to
http://www.webumake.com/free/eximdeny.htm

It is very effective at blocking spamming.

Also, did you enable suexec? If it is a mail script, you can find it out after enabling suexec.

Then run the following command

tail -f /usr/local/apache/logs/suexec_log

Also, you can check the Apache usage in WHM.

Maybe it will help you to find out the problem.

Let me know the status.
 

mangohead

Member
Aug 4, 2003
Thanks for your reply, bijo.

By suexec, does this mean phpsuexec? Is this the same thing?

I emailed my client and he says that he has php-nuke installed, and it could have been a vulnerability within the script. Have you heard of this before?

Thanks again for your help. I'm going to apply the changes that you mentioned and see where it goes from there.

randy
 

mangohead

Member
Aug 4, 2003
With all these bounceback messages, over 6000+, how can I empty out my inbox manually in shell? Doing it in webmail would be a pain ..

Thanks for your help! It's much appreciated!
 

AndyReed

Well-Known Member
PartnerNOC
May 29, 2004
Minneapolis, MN
You must secure your server to stop spammers and hackers from accessing your server. It is not only enabling suexec or phpsuexec, but also securing and upgrading all vulnerable scripts, including phpBB and PHP-Nuke.
 

simplybe

Well-Known Member
Nov 29, 2002
mangohead said:
With all these bounceback messages, over 6000+, how can I empty out my inbox manually in shell? Doing it in webmail would be a pain ..

Thanks for your help! It's much appreciated!
First use the tweak settings to prevent nobody from sending mail. This will stop ALL mail from PHP scripts unless you have phpsuexec installed.

Disable the webmail module in the customer's PHP-Nuke or delete it.

Empty the mail queue in WHM.

Go back to tweak settings and allow nobody to send mail again, unless you have phpsuexec installed, in which case you should leave it ticked.

Now watch the mail queue. If the spammer is still sending, it will fill up again quickly and you will need to find the source.

Also watch your mail logs in SSH: tail -f /var/log/exim_mainlog

Be prepared to be blacklisted for a few days and to also explain to your server provider that you are aware of the problem and have corrected it.

I use a bash script to check the mail queue every 10 mins. If more than 100 messages are in the queue then a warning email is sent to the server admin; if more than 200 are in the queue then it sends a text message to my mobile phone. Large mail queues usually indicate a spammer or some sort of problem.

If you want the script, see below.

Mail queue warnings.
The script below will check Exim's mail queue every 9 mins. If the number of mails is above the number defined by you, then an alert will be sent.
A high volume of mail in the queue can mean 2 things: either there is a problem with Exim or you have a spammer. Either way you want to know about it.


1:
# cd /root

2:
# pico queuecheck.sh

3:
Paste the following. Replace your email with the email you wish alerts to be sent to, replace mobile with your mobile number/email such as [email protected], and replace the values 200 & 100 with your desired alert level. If you don't want messages to your mobile then set mobile to a normal email address too.

#!/bin/bash

EMAIL="[email protected]"
MOBILE="[email protected]"

# Count queued messages: every message in the Exim spool has one header file named *-H.
MQUEUE=`find /var/spool/exim/input -name '*-H' | wc -l | sed -e "s/ //g"`

if [ "$MQUEUE" -gt 200 ]; then
    # Critical level: alert the mobile address and the admin address, each with its own mail.
    echo "Mail queue at `hostname` has $MQUEUE messages!!!" | mail -s "CRITICAL ALERT: Mail queue" "$MOBILE"
    echo "Mail queue at `hostname` has $MQUEUE messages!!!" | mail -s "CRITICAL ALERT: Mail queue" "$EMAIL"
elif [ "$MQUEUE" -gt 80 ]; then
    # Warning level: alert the admin address only.
    echo "Mail queue at `hostname` has $MQUEUE messages!" | mail -s "ALERT: Mail queue" "$EMAIL"
fi

4:
Press ctrl & x to save and exit.

5:
# chmod 755 queuecheck.sh

6:
# pico /etc/crontab

Add the line */9 * * * * root /root/queuecheck.sh > /dev/null 2>&1

You can adjust the time to suit you.

7:
Press ctrl & x to save and exit.

That's it, you're done. Try setting the numbers low to test, maybe set them to 1 & 2.
Once you have tested, increase the values to what you think is above normal for your server.
 
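The same queue-size check, restructured as an added example (this is not simplybe's script, nor cPanel's or Exim's own code) so that the count and the alert level are returned by functions and can be exercised against a constructed spool directory instead of the live /var/spool/exim/input. The function names, the thresholds passed as arguments, the fake spool builder and the placeholder addresses are all assumptions of this example; the spool path, the *-H header-file naming and the mail(1) alerting come from the post above.

```shell
#!/bin/sh
# Added example: Exim queue-size alerting with testable functions.
# Not the original post's script; paths and the *-H naming follow the post.

# Count queued messages. Each queued message has exactly one header file
# named <id>-H in the spool input directory (data files are <id>-D and are
# deliberately not counted). Argument 1: spool directory (default: Exim's).
queue_count() {
    spool="${1:-/var/spool/exim/input}"
    find "$spool" -name '*-H' 2>/dev/null | wc -l | tr -d ' '
}

# Map a queue size to an alert level and print it: critical, warning or ok.
# Arguments: count, warning threshold (default 100), critical threshold (default 200).
alert_level() {
    count="$1"; warn="${2:-100}"; crit="${3:-200}"
    if [ "$count" -gt "$crit" ]; then
        echo critical
    elif [ "$count" -gt "$warn" ]; then
        echo warning
    else
        echo ok
    fi
}

# Build a constructed spool directory holding N fake messages (one -H and one -D
# file each) and print its path. Only used for testing the functions above.
make_fake_spool() {
    n="$1"
    dir="$(mktemp -d)"
    i=1
    while [ "$i" -le "$n" ]; do
        # Real Exim ids look like 1aBcDe-000123-Xy; the constructed names only need the suffix.
        : > "$dir/fake$i-H"
        : > "$dir/fake$i-D"
        i=$((i + 1))
    done
    echo "$dir"
}

# Send the alert mail(s) for a level, using mail(1) as the post does. The critical
# case notifies both the pager/mobile address and the admin address.
send_alert() {
    level="$1"; count="$2"; email="$3"; mobile="$4"
    body="Mail queue at $(hostname) has $count messages"
    case "$level" in
        critical)
            echo "$body!!!" | mail -s "CRITICAL ALERT: Mail queue" "$mobile"
            echo "$body!!!" | mail -s "CRITICAL ALERT: Mail queue" "$email"
            ;;
        warning)
            echo "$body!" | mail -s "ALERT: Mail queue" "$email"
            ;;
    esac
}

# Cron entry point. Only runs when the file is invoked as queuecheck.sh
# (e.g. */9 * * * * root /root/queuecheck.sh), so sourcing the file for tests
# does not send mail. Addresses are placeholders.
main() {
    EMAIL="admin@example.com"      # placeholder: admin mailbox
    MOBILE="pager@example.com"     # placeholder: SMS gateway address
    COUNT="$(queue_count)"
    LEVEL="$(alert_level "$COUNT" 100 200)"
    send_alert "$LEVEL" "$COUNT" "$EMAIL" "$MOBILE"
}

case "$0" in
    */queuecheck.sh|queuecheck.sh) main ;;
esac
```

Keeping the thresholds as arguments rather than literals is what makes the low-value test the post suggests ("set them to 1 & 2") a one-line change, and counting only the -H files means a half-written message (header present, data not yet spooled) is still counted once rather than twice.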

mangohead

Member
Aug 4, 2003
Thank you, simplybe,

That was really informative. I've applied the settings and I'll monitor it over the next few days to see how it goes. How can I empty the inbox where all these bouncebacks are going to? I don't want to delete them manually in webmail, and I don't think my POP3 retrieval is set to delete emails after retrieval.

Thanks again!