The Community Forums


Spamming?

Discussion in 'General Discussion' started by jmc67, May 19, 2003.

  1. jmc67

    I'm a bit confused. I found this in the exim_mainlog file. What does this tell me? Did someone spam from my server, or is this incoming mail? If this was in fact sent out from my server, how can I pinpoint the source?



    2003-05-19 00:26:57 19HcEi-0005VV-00 -> mnrexp1@aol.com R=lookuphost T=remote_smtp H=mailin-01.mx.aol.com [152.163.224.26]
    2003-05-19 00:26:57 19HcEi-0005VV-00 -> mnrexplore@aol.com R=lookuphost T=remote_smtp H=mailin-01.mx.aol.com [152.163.224.$
    2003-05-19 00:26:57 19HcEi-0005VV-00 -> mnreyn@aol.com R=lookuphost T=remote_smtp H=mailin-01.mx.aol.com [152.163.224.26]
    2003-05-19 00:26:57 19HcEi-0005VV-00 -> mnrfalcon@aol.com R=lookuphost T=remote_smtp H=mailin-01.mx.aol.com [152.163.224.2$
    2003-05-19 00:26:57 19HcEi-0005VV-00 -> mnrfan@aol.com R=lookuphost T=remote_smtp H=mailin-01.mx.aol.com [152.163.224.26]
    2003-05-19 00:26:57 19HcEi-0005VV-00 -> mnrfive@aol.com R=lookuphost T=remote_smtp H=mailin-01.mx.aol.com [152.163.224.26]
    2003-05-19 00:26:57 19HcEi-0005VV-00 -> mnrflores2@aol.com R=lookuphost T=remote_smtp H=mailin-01.mx.aol.com [152.163.224.$
    2003-05-19 00:26:57 19HcEi-0005VV-00 -> mnrford@aol.com R=lookuphost T=remote_smtp H=mailin-01.mx.aol.com [152.163.224.26]
    2003-05-19 00:26:57 19HcEi-0005VV-00 -> mnrfrk@aol.com R=lookuphost T=remote_smtp H=mailin-01.mx.aol.com [152.163.224.26]
    2003-05-19 00:26:57 19HcEi-0005VV-00 -> mnrfrog100@aol.com R=lookuphost T=remote_smtp H=mailin-01.mx.aol.com [152.163.224.$
    2003-05-19 00:26:57 19HcEi-0005VV-00 -> mnrg3223@aol.com R=lookuphost T=remote_smtp H=mailin-01.mx.aol.com [152.163.224.26]

  2. howard

    I would say it is, based on the fact that it looks rather like a dictionary attack, and that it was sent to many addresses also looks like it was just part of a spam run. You would need to go further up in the log to find out where it originated from: outgoing mails start off with <=, then the first recipient will have a =>, then each additional one will be marked by a ->.

  3. jmc67

    I just realized it was sent from one of my own domains. I have about 130+ returned emails, and some with somethinghere@somedomain.com@mydomain.com.

    I don't have any scripts running on this domain. I don't think formmail was used, but is there a way to check?


    #3 jmc67, May 19, 2003
    Last edited: May 19, 2003
  4. craven de kere

    Quick question:

    How did you pull up exim's logs?

  5. howard

    Try looking in

    /usr/local/apache/logs/access_log (the location may differ; try locate access_log if it's not at the above location) or the various logs in /usr/local/apache/domlogs/

  6. jmc67

    I logged in as root and cd'd to /var/log; I got the above info from exim_mainlog.

    howard, what should I be looking for in access_log?

    Below is the beginning of the spam sending (mydomainusername is my username and server1.servername.com is the server name):

    2003-05-19 00:26:56 19HcEi-0005VV-00 <= mydomainusername@server1.servername.com U=mydomainusername P=local S=1782
    2003-05-19 00:26:57 19HcEi-0005VV-00 ** mnreminem@aol.com: unrouteable mail domain "aol.com"
    2003-05-19 00:26:57 19HcEi-0005VV-00 ** mnrelyea@aol.com: unrouteable mail domain "aol.com"
    2003-05-19 00:26:57 19HcEi-0005VV-00 ** mnreliz@aol.com: unrouteable mail domain "aol.com"
    2003-05-19 00:26:57 19HcEi-0005VV-00 ** mnreis@aol.com: unrouteable mail domain "aol.com"
    2003-05-19 00:26:57 19HcEi-0005VV-00 ** mnreinh@aol.com: unrouteable mail domain "aol.com"
    2003-05-19 00:26:57 19HcEi-0005VV-00 ** mnreiner@aol.com: unrouteable mail domain "aol.com"
    2003-05-19 00:26:57 19HcEi-0005VV-00 ** mnreil@aol.com: unrouteable mail domain "aol.com"
    2003-05-19 00:26:57 19HcEi-0005VV-00 ** mnreid1@aol.com: unrouteable mail domain "aol.com"
    2003-05-19 00:26:57 19HcEi-0005VV-00 => mydomainusername <nbf@mydomain.com> D=localuser T=local_delivery
    2003-05-19 00:26:57 19HcEi-0005VV-00 => mnrenner@aol.com R=lookuphost T=remote_smtp H=mailin-01.mx.aol.com [152.163.224.26]
    2003-05-19 00:26:57 19HcEi-0005VV-00 -> mnrenterprises@aol.com R=lookuphost T=remote_smtp H=mailin-01.mx.aol.com [152.163.224$
    2003-05-19 00:26:57 19HcEi-0005VV-00 -> mnreo@aol.com R=lookuphost T=remote_smtp H=mailin-01.mx.aol.com [152.163.224.26]
    2003-05-19 00:26:57 19HcEi-0005VV-00 -> mnreport@aol.com R=lookuphost T=remote_smtp H=mailin-01.mx.aol.com [152.163.224.26]
    2003-05-19 00:26:57 19HcEi-0005VV-00 -> mnreporter@aol.com R=lookuphost T=remote_smtp H=mailin-01.mx.aol.com [152.163.224.26]
    2003-05-19 00:26:57 19HcEi-0005VV-00 -> mnreric@aol.com R=lookuphost T=remote_smtp H=mailin-01.mx.aol.com [152.163.224.26]
    2003-05-19 00:26:57 19HcEi-0005VV-00 -> mnresident@aol.com R=lookuphost T=remote_smtp H=mailin-01.mx.aol.com [152.163.224.26]
     
    #6 jmc67, May 19, 2003
    Last edited: May 19, 2003
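An added example, not from this thread or from cPanel, of reading exim_mainlog the way howard describes in post 2 and jmc67 shows in post 6: group lines by message id, take the sender and the U=/P=/H= fields from the <= arrival line, count the => / -> deliveries and ** failures, and flag messages that fanned out to many recipients. The log lines below are constructed and modelled on the ones quoted above; hostnames, users and addresses are placeholders.

```python
"""Summarise an Exim main log per message id (added example, not from the thread).

Exim log flags:  <= arrival   => delivery   -> further address on the same
delivery   ** delivery failed   == delivery deferred.  On the <= line,
P=local and U=<user> mean the message was handed to Exim by a process on this
box running as that Unix user; H=<host> [ip] means it arrived over SMTP.
"""
import re
from collections import defaultdict

# Constructed sample (hostnames, users and addresses are placeholders).
SAMPLE_LOG = """\
2003-05-19 00:26:56 19HcEi-0005VV-00 <= user1@server1.example.com U=user1 P=local S=1782
2003-05-19 00:26:57 19HcEi-0005VV-00 ** fail1@example.net: unrouteable mail domain "example.net"
2003-05-19 00:26:57 19HcEi-0005VV-00 => user1 <nbf@example.org> D=localuser T=local_delivery
2003-05-19 00:26:57 19HcEi-0005VV-00 => rcpt1@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.10]
2003-05-19 00:26:57 19HcEi-0005VV-00 -> rcpt2@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.10]
2003-05-19 00:26:57 19HcEi-0005VV-00 -> rcpt3@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.10]
2003-05-19 00:26:58 19HcEi-0005VV-00 Completed
2003-05-19 01:02:03 19HdQq-0001Ab-00 <= bob@example.com H=mail.example.com [198.51.100.5] P=esmtp S=900
2003-05-19 01:02:04 19HdQq-0001Ab-00 => alice <alice@server1.example.com> D=localuser T=local_delivery
2003-05-19 01:02:04 19HdQq-0001Ab-00 Completed
"""

# timestamp, 6-6-2 message id, one of the flags above, then the rest of the line
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<id>[A-Za-z0-9]{6}-[A-Za-z0-9]{6}-[A-Za-z0-9]{2}) "
    r"(?P<flag><=|=>|->|\*\*|==) (?P<rest>.*)$"
)


def parse_mainlog(text):
    """Return {message_id: summary} built from the flagged log lines."""
    msgs = defaultdict(lambda: {"arrival": None, "sender": None, "origin": {},
                                "delivered": [], "failed": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:                      # "Completed", "Frozen", ...: not needed here
            continue
        msg, flag, rest = msgs[m["id"]], m["flag"], m["rest"]
        if flag == "<=":
            msg["arrival"] = m["ts"]
            sender, _, tail = rest.partition(" ")
            msg["sender"] = sender
            # key=value fields (U=, P=, H=, S=, ...); the bracketed IP has no '='
            msg["origin"] = dict(kv.split("=", 1) for kv in tail.split() if "=" in kv)
        elif flag in ("=>", "->"):
            msg["delivered"].append(rest.split()[0])
        elif flag == "**":
            msg["failed"].append(rest.split(":", 1)[0])
    return dict(msgs)


def suspect_bulk_senders(msgs, min_recipients=5):
    """Messages that fanned out to at least min_recipients addresses.

    For each, report where it came from: P=local plus U= names the Unix user
    that handed the message to Exim (often the web server's user, or the
    account owner under suexec, when a web script is the source); H= names a
    remote SMTP client.
    """
    hits = []
    for mid, msg in msgs.items():
        total = len(msg["delivered"]) + len(msg["failed"])
        if total < min_recipients:
            continue
        origin = msg["origin"]
        hits.append({
            "id": mid,
            "time": msg["arrival"],
            "sender": msg["sender"],
            "protocol": origin.get("P"),
            "local_user": origin.get("U"),
            "remote_host": origin.get("H"),
            "recipients": total,
            "bounced": len(msg["failed"]),
        })
    return hits


if __name__ == "__main__":
    for hit in suspect_bulk_senders(parse_mainlog(SAMPLE_LOG)):
        print(hit)
```

Run it against the real file (cat /var/log/exim_mainlog | python3 script.py, after swapping SAMPLE_LOG for sys.stdin.read()) and the hits give you the arrival timestamp and the submitting user to chase in the web logs; bounced counts that are a large share of the total are the "unrouteable"/dictionary pattern seen above.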
  7. freakysid

  8. jmc67

    I upgraded to the latest cPanel version yesterday and this happened early today. I also searched all the logs I know of regarding formmail. There is no indication of it. I am completely puzzled.
     
  9. howard

    Look for some access around 00:26:56, or a few seconds either side, e.g. grep -i 19/May/2003:00:26 /path/to/access_log, showing filenames like one of the following (not necessarily these names): formmail.pl, filename.cgi (or .pl / .php), or somenumber.cgi / .pl / .php (or some other extension).

    You could also repeat the same for the logs in the domlogs/ dir if there's nothing in access_log.

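An added example, not from this thread or from cPanel, that does howard's grep from post 9 programmatically: convert the Exim arrival time to the Apache log's timestamp format, pull every request for a .cgi/.pl/.php path within a few seconds of it, and count which client hit which script. The access_log lines are constructed; IPs, paths and user agents are placeholders. It assumes both logs were written on the same host (Exim logs local time with no zone by default, Apache logs local time with an offset, so the offset is dropped before comparing).

```python
"""Correlate an Exim arrival time with Apache access_log script hits.

Added example, not from the thread. Assumption: both logs come from the same
box, so Exim's zone-less local time and Apache's local time (offset dropped)
are on the same clock.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample access_log in Combined Log Format (placeholders throughout).
SAMPLE_ACCESS_LOG = """\
198.51.100.23 - - [19/May/2003:00:26:40 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [19/May/2003:00:26:55 +0000] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 1187 "-" "Mozilla/4.0"
203.0.113.7 - - [19/May/2003:00:26:57 +0000] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 1187 "-" "Mozilla/4.0"
198.51.100.23 - - [19/May/2003:00:26:58 +0000] "GET /images/logo.gif HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.0.2.55 - - [19/May/2003:00:31:02 +0000] "GET /contact.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# script-looking paths, with or without a query string
SCRIPT_RE = re.compile(r"\.(cgi|pl|php)(\?|$)", re.IGNORECASE)


def exim_time(s):
    """'2003-05-19 00:26:56' -> naive datetime."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def clf_time(s):
    """'19/May/2003:00:26:56 +0000' -> naive datetime (offset parsed, then dropped)."""
    return datetime.strptime(s, "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)


def clf_minute_prefix(exim_ts):
    """Grep pattern for the same minute in access_log, e.g. '19/May/2003:00:26'."""
    return exim_time(exim_ts).strftime("%d/%b/%Y:%H:%M")


def script_hits_near(access_log, exim_ts, window_seconds=5):
    """Requests for .cgi/.pl/.php within +/- window_seconds of the Exim <= time."""
    centre = exim_time(exim_ts)
    lo = centre - timedelta(seconds=window_seconds)
    hi = centre + timedelta(seconds=window_seconds)
    hits = []
    for line in access_log.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        when = clf_time(m["ts"])
        if lo <= when <= hi and SCRIPT_RE.search(m["path"]):
            hits.append({"ip": m["ip"], "time": when.isoformat(sep=" "),
                         "method": m["method"], "path": m["path"],
                         "status": m["status"]})
    return hits


def top_clients(hits):
    """(ip, path) pairs ordered by how often they hit a script in the window."""
    return Counter((h["ip"], h["path"]) for h in hits).most_common()


if __name__ == "__main__":
    arrival = "2003-05-19 00:26:56"          # the <= timestamp from exim_mainlog
    print("grep pattern:", clf_minute_prefix(arrival))
    for (ip, path), n in top_clients(script_hits_near(SAMPLE_ACCESS_LOG, arrival)):
        print(n, ip, path)
```

The same function works on each file under domlogs/ (one per domain); a single client POSTing the same script repeatedly right at the arrival time is the pattern that points at the abused form handler.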
  10. jmc67

    No formmail, cgi, pl, php in access_log. I even checked the link freakysid provided. I think I will disable these formmail scripts and then monitor the situation and see if it's in fact formmail. At this time I see no indication of it in any of the logs.

    Update: After checking all the returned emails, formmail was in fact used. Well, all formmail scripts are now disabled.
     
    #10 jmc67, May 19, 2003
    Last edited: May 19, 2003
  11. xp2u

    jmc67,

    I faced the same problem too. I couldn't find out which domain was sending those unrouted mails.

    If you know, please let me know too.

    Highly appreciate.

    Thank you.

  12. jmc67

    Formmail was the problem. I had returned emails on one of my domains which showed formmail was used.
