wimp

Well-Known Member
Jul 13, 2002
Hello,
I have a spammer that uses my server to send e-mails. Twice a day he sends hundreds of mails using my server. What I can see is that he is using sendmail as nobody (99). I already disabled sendmail for nobody in WHM, but he is still sending e-mails. Also, when this happens the server load goes up to 250. Also, I will soon be on the blacklist around the world.
Going to look at the maillog, I see something very, very strange:
The host that connects to those POP3 accounts is in some way related to MY own IP address!
The IP: 000.000.000.000 is the IP address of the PC I am currently working on.
I never connect to those accounts (these are accounts from my resellers... I didn't know their e-mail addresses exist on the server!)
Also, if I go to see the CPU usage in WHM I can see this:
/usr/bin/perl -w /etc/log.d/scripts/shared/multiservice sendmail,sm-mta

Is there anyone who can give me some tips to fix this spammer abuse?


Thanks!!!


Mar 19 00:34:39 servername cpanelpop[27960]: Login host=11.11.11.11 ip=000.000.000.000 [email protected] re$
Mar 19 00:34:39 servername cpanelpop[27960]: Login host=11.11.11.11 ip=000.000.000.000 [email protected] re$
Mar 19 00:34:39 servername cpanelpop[27960]: Login host=11.11.11.11 ip=000.000.000.000 [email protected] re$
Mar 19 00:34:39 servername cpanelpop[27960]: Login host=11.11.11.11 ip=000.000.000.000 [email protected] re$
Mar 19 00:34:42 servername cpanelpop[27958]: Session Closed host=555.555.555.555 ip=000.000.000.000 [email protected] realuser=$
Mar 19 00:34:42 servername cpanelpop[27958]: Session Closed host=555.555.555.555 ip=000.000.000.000 [email protected] realuser=$
Mar 19 00:34:42 servername cpanelpop[27958]: Session Closed host=555.555.555.555 ip=000.000.000.000 [email protected] realuser=$
Mar 19 00:34:42 servername cpanelpop[27958]: Session Closed host=555.555.555.555 ip=000.000.000.000 [email protected] realuser=$
Mar 19 00:34:43 servername cpanelpop[27960]: Session Closed host=11.11.11.11 ip=000.000.000.000 [email protected]$
Mar 19 00:34:43 servername cpanelpop[27960]: Session Closed host=11.11.11.11 ip=000.000.000.000 [email protected]$
Mar 19 00:34:43 servername cpanelpop[27960]: Session Closed host=11.11.11.11 ip=000.000.000.000 [email protected]$
Mar 19 00:34:43 servername cpanelpop[27960]: Session Closed host=11.11.11.11 ip=000.000.000.000 [email protected]$

AndyReed

Well-Known Member
PartnerNOC
May 29, 2004
Minneapolis, MN
wimp said:
I have a spammer that uses my server to send e-mails. Twice a day he sends hundreds of mails using my server. What I can see is that he is using sendmail as nobody (99). I already disabled sendmail for nobody in WHM, but he is still sending e-mails. Also, when this happens the server load goes up to 250. Also, I will soon be on the blacklist around the world.

Is there anyone who can give me some tips to fix this spammer abuse?
You can search these forums since many people have had the same problem with SPAM originated from their own servers. The only possible way to stop this SPAM is finding the script used to deliver their messages.
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess