The Community Forums


Spam

Discussion in 'General Discussion' started by discountdomains, Feb 27, 2007.

  1. discountdomains

    Joined:
    Feb 25, 2005
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    I am trying to locate which account is sending large quantities of spam out from the server.

    The email addresses are fakes so can't trace that way.

    The subject lines are also not showing up in the logs.

    Can anyone help?

    Thanks
     
  2. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    If they are sending through exim:
    netstat -nee | grep "\:25" | awk '{ print $5 }' | awk -F: '{ print $1 }' | sort | uniq -c
    will show you what IPs are connected to exim and how many connections, then
    grep "IP" /var/log/exim_mainlog
    will show you log lines associated with those IPs, which will help determine an account they are sending through (if you are using phpsuexec).

    If they are sending through a script:
    Unless you have phpsuexec running, their processes will most likely show up as nobody. Do watch "ps auxf | grep nobody" to monitor if that's the case and grab a process ID. You might be able to get some info out of that using lsof. If you are running phpsuexec, when you do "top -c" you should see the user the mail is being sent out under. Hit "s" and then "1" to make it refresh every second. Gives you a better view of what user is running what at any given second.

    Hope that helps...
     
  3. discountdomains

    Joined:
    Feb 25, 2005
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    Hi,

    The first command works, but the second grep "IP" /var/log/exim_mainlog does not show anything.

    Also is there any way of seeing which accounts are sending lots of mail?

    Thanks again
     
  4. mickalo

    mickalo Well-Known Member

    Joined:
    Apr 16, 2002
    Messages:
    765
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    N.W. Iowa
    you need to replace "IP" with a real IP address, then it should work ;)

    Mike
     
  6. d_t

    d_t Well-Known Member

    Joined:
    Sep 20, 2003
    Messages:
    243
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Bucharest
    Another way to find the script that sends spam is to patch the PHP module with this:
    http://choon.net/php-mail-header.php

    That means you have to compile PHP again. They also have a script that integrates the patch with easyapache from cPanel (I've never tried this way but it should be an easy way), or you can apply the patch directly to the PHP source code and compile it again (you have to pay attention to the options).

    After that, each mail sent from a PHP script will contain a header that shows you the domain, path and IP address of the attacker.

    Another option: replace the sendmail file with a custom-made script that logs the headers, then sends the mail. http://gregmaclellan.com/blog/sendmail-wrapper/ (or search for "php sendmail wrapper")

    See also:
    http://ilia.ws/archives/149-mail-logging-for-PHP.html
     
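Added example, and not the wrapper d_t links nor anyone's code from this thread: a sendmail wrapper in the spirit of the second option above. It records who called it, from which directory, and the message headers, then hands the untouched message to the real binary. Assumed layout (not stated on the page): the real sendmail has been moved to /usr/sbin/sendmail.real, this script is installed in its place or named in php.ini's sendmail_path, and the log is /var/log/sendmail-wrapper.log; all three can be overridden through the environment.

```shell
#!/bin/sh
# Added example (not from this thread): log-then-forward sendmail wrapper.
# Paths below are assumptions for this demo, overridable via environment.
SENDMAIL_REAL=${SENDMAIL_REAL:-/usr/sbin/sendmail.real}    # assumed path
WRAPPER_LOG=${WRAPPER_LOG:-/var/log/sendmail-wrapper.log}  # assumed path

# Read one message from stdin, append a record to WRAPPER_LOG, then run the
# real sendmail with the same arguments and the same message. Returns the
# real sendmail's exit status so the calling PHP script sees no difference.
wrap_sendmail() {
    spool=$(mktemp) || return 1
    cat > "$spool"
    {
        # Under phpsuexec the uid is the cPanel account; without it the uid
        # is nobody and PWD (the directory the script ran from) is the
        # useful clue. SCRIPT_FILENAME only exists when PHP runs as CGI.
        printf '=== %s uid=%s pwd=%s script=%s args=%s\n' \
            "$(date '+%Y-%m-%d %H:%M:%S')" "$(id -u)" "${PWD:-?}" \
            "${SCRIPT_FILENAME:-unknown}" "$*"
        # Log the header block only: sed quits at the first blank line, so
        # message bodies stay out of the log.
        sed '/^$/q' "$spool"
    } >> "$WRAPPER_LOG"
    "$SENDMAIL_REAL" "$@" < "$spool"
    rc=$?
    rm -f "$spool"
    return $rc
}

# When installed in place of sendmail, wrap whatever PHP passed in.
case "$(basename "$0")" in
    sendmail) wrap_sendmail "$@" ;;
esac
```

Because PHP runs the wrapper as nobody or as the account user, the log file has to be writable by those users; a dedicated file with mode 0622 owned by root is the usual compromise. The forwarded message is byte-for-byte what PHP produced, so the wrapper changes nothing the recipient sees, unlike the PHP header patch.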