The Community Forums


Stop sending out spam with word filter in body

Discussion in 'E-mail Discussions' started by idagroup, May 3, 2007.

  1. idagroup

    idagroup Registered
    PartnerNOC

    Joined:
    Mar 9, 2007
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Hello, I have a very strange spam problem. My server is sending out lots of spam mails and I get listed on Spamcop for that again and again.
    Nothing I find in the header helped me find the source so far:

    [ Offending message ]
    "From once@emaillotto.com Thu Jan 1 00:00:01 1970
    "
    Received: from X.X.X.X ([X.X.X.X]
    helo=moonlight.sslsecure.com)
    by ursine.ca with esmtp (Exim 4.66)
    (envelope-from <once@emaillotto.com>)
    id 1HjOtj-0004FK-W6
    for baloo@ursine.ca; Wed, 02 May 2007 17:10:16 -0700
    Received: from cpanel by X.X.X.X with local (Exim 4.63)
    (envelope-from <once@emaillotto.com>)
    id 1HjOB0-00010E-N2; Wed, 02 May 2007 19:24:02 -0400
    Received: from 82.158.172.226 ([82.158.172.226]) by 64.18.205.103 (Horde
    MIME library) with HTTP; Wed, 02 May 2007 19:24:00 -0400
    Message-ID: <20070502192400.l0fau5ktrgysss0k@X.X.X.X>
    Date: Wed, 02 May 2007 19:24:00 -0400
    From: Once Espanyol Loteria <once@emaillotto.com>
    Reply-to: cajaespanyol@mixmail.com
    To: undisclosed-recipients:;
    MIME-Version: 1.0
    Content-Type: text/plain;
    charset=ISO-8859-1;
    DelSp="Yes";
    format="flowed"
    Content-Disposition: inline
    Content-Transfer-Encoding: quoted-printable
    User-Agent: Internet Messaging Program (IMP) H3 (4.1.3)
    X-AntiAbuse: This header was added to track abuse, please include it with
    any abuse report
    X-AntiAbuse: Primary Hostname - X.X.X
    X-AntiAbuse: Original Domain - ursine.ca
    X-AntiAbuse: Originator/Caller UID/GID - [32002 32002] / [47 12]
    X-AntiAbuse: Sender Address Domain - emaillotto.com
    X-Source:
    X-Source-Args:
    X-Source-Dir:
    X-SA-Exim-Connect-IP: X.X.X.X
    X-SA-Exim-Mail-From: once@emaillotto.com
    X-Spam-Flag: YES
    X-Spam-Checker-Version: SpamAssassin 3.1.7-deb (2006-10-05) on
    ursa-major.ursine.ca
    X-Spam-Level: ****************
    X-Spam-Status: Yes, score=16.4 required=2.5
    tests=ADVANCE_FEE_1,ADVANCE_FEE_2,
    ADVANCE_FEE_3,ADVANCE_FEE_4,BAYES_99,FORGED_RCVD_HELO,
    RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CHECK,
    SUBJ_ALL_CAPS,UNDISC_RECIPS autolearn=no version=3.1.7-deb
    X-Spam-Report:
    * 0.8 UNDISC_RECIPS Valid-looking To "undisclosed-recipients"
    * 0.1 FORGED_RCVD_HELO Received: contains a forged HELO
    * 1.0 SUBJ_ALL_CAPS Subject is all capitals
    * 3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
    * [score: 1.0000]
    * 1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence
    level
    * above 50%
    * [cf: 56]
    * 0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
    * 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above
    50%
    * [cf: 56]
    * 3.3 ADVANCE_FEE_3 Appears to be advance fee fraud (Nigerian 419)
    * 3.7 ADVANCE_FEE_4 Appears to be advance fee fraud (Nigerian 419)
    * 0.0 ADVANCE_FEE_1 Appears to be advance fee fraud (Nigerian 419)
    * 1.4 ADVANCE_FEE_2 Appears to be advance fee fraud (Nigerian 419)
    Subject: ACKNOWNLEDGE PRIVATE MAIL
    X-SA-Exim-Version: 4.2.1 (built Tue, 03 Apr 2007 15:04:56 +0000)
    X-SA-Exim-Scanned: Yes (on ursine.ca)
    Status: R
    X-Status: NPC
    X-KMail-EncryptionState:
    X-KMail-SignatureState:
    X-KMail-MDN-Sent:


    ..please note, I changed my own host and IP to X.X.X.X, everything else is the original header.

    I do not host any of the domains listed in this header, nor can I find the IP 82.158.172.226 in any of the logfiles or find any of the words like emaillotto on my server (grep -R emaillotto /home/*)

    To make this go away, I figured that it would be great to have a filter for sendmail/exim in place that checks the body of all outgoing e-mails for "emaillotto" and discards them instead of sending them out.
    I found lots of threads that explain how to set up such a filter for incoming mail, but none for outgoing.

    Any help is much appreciated!! ..either filter solution, or other approaches how to find this spammer on my box.

    Robin
     
  2. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    It won't go away, they'll change the wording and be back in business quickly. The only way to stop them is to lock them out. You should probably hire someone who specializes in cleaning this stuff up like configserver.com, totalserversolutions.com or webhostgear.com
     
  3. idagroup

    idagroup Registered
    PartnerNOC

    Joined:
    Mar 9, 2007
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Thanks for the hint, but they also cook with water, so if they will be able to find the domain/account on this server that sends the mails out, I should be able to do this too.

    My guess is that Horde is involved in this because the user # I see is CPanel and I can not think of another way to use this user for sending mails, so I try to scan the Horde DB to find out more.

    ..but is this not funny? so many bells and whistles in CPanel, but it is not able to tell me what domain uses localhost for sending out stuff :/
     
  4. idagroup

    idagroup Registered
    PartnerNOC

    Joined:
    Mar 9, 2007
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Oh, BTW: If somebody knows of a way to check the mail body before sending out and send them to /dev/null when a matching word is found, I still think this would help, because the sender will not realize that I /dev/null'ed the mails, so why should he bother changing the wording. :cool:
     
  5. franklinchef

    franklinchef Registered

    Joined:
    Feb 28, 2006
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    (envelope-from <once@emaillotto.com>)
    id 1HjOB0-00010E-N2; Wed, 02 May 2007 19:24:02 -0400
    Received: from 82.158.172.226 ([82.158.172.226]) by 64.18.205.103 (Horde
    MIME library) with HTTP; Wed, 02 May 2007 19:24:00 -0400

    If I follow the order correctly, your user is sending spam via Horde. Either close this domain account and/or warn the user.
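The reading franklinchef applies above (walk the Received chain from the bottom up, because each MTA prepends its own header, so the lowest one records the submission) can be automated. The Python below is an added example, not code from this thread or from cPanel: it parses the header block idagroup quoted (reproduced here as a constructed sample, with the poster's X.X.X.X redactions kept and a made-up body line), reports the originating hop and how it was submitted, pulls the UID/GID and sender domain out of the X-AntiAbuse lines (the UID/GID line is read as "[originator uid gid] / [caller uid gid]", an assumption about the field layout), and runs the watch-word check from the first post against the sender headers and body as a detection rather than a silent discard. The function and variable names are mine.

```python
import email
import re

# Constructed sample: the header block quoted in the first post, kept as the
# poster quoted it (his own host and IP replaced by X.X.X.X). The body line is
# made up; the post did not include the body.
RAW_MESSAGE = """Received: from X.X.X.X ([X.X.X.X]
\thelo=moonlight.sslsecure.com)
\tby ursine.ca with esmtp (Exim 4.66)
\t(envelope-from <once@emaillotto.com>)
\tid 1HjOtj-0004FK-W6
\tfor baloo@ursine.ca; Wed, 02 May 2007 17:10:16 -0700
Received: from cpanel by X.X.X.X with local (Exim 4.63)
\t(envelope-from <once@emaillotto.com>)
\tid 1HjOB0-00010E-N2; Wed, 02 May 2007 19:24:02 -0400
Received: from 82.158.172.226 ([82.158.172.226]) by 64.18.205.103 (Horde
\tMIME library) with HTTP; Wed, 02 May 2007 19:24:00 -0400
From: Once Espanyol Loteria <once@emaillotto.com>
Reply-to: cajaespanyol@mixmail.com
To: undisclosed-recipients:;
X-AntiAbuse: Originator/Caller UID/GID - [32002 32002] / [47 12]
X-AntiAbuse: Sender Address Domain - emaillotto.com
X-Spam-Status: Yes, score=16.4 required=2.5
Subject: ACKNOWNLEDGE PRIVATE MAIL

(constructed body placeholder; the real body was not posted)
"""

# Shape of one Received header:
#   from <claimed> (<info>) by <host> (<software>) with <proto> ...; <date>
RECEIVED_RE = re.compile(
    r"^from\s+(?P<from>\S+)"                 # host/IP the sending side claimed
    r"(?:\s*\((?P<from_info>[^)]*)\))?"      # e.g. "[1.2.3.4] helo=..."
    r".*?\bby\s+(?P<by>\S+)"                 # host that wrote this header
    r"(?:\s*\((?P<software>[^)]*)\))?"       # e.g. "Horde MIME library"
    r".*?\bwith\s+(?P<with>\w+)",            # esmtp, local, HTTP, ...
    re.IGNORECASE | re.DOTALL,
)


def _unfold(value):
    """Collapse header folding and runs of whitespace into single spaces."""
    return " ".join(str(value).split())


def parse_received(value):
    """Split one Received header into fields; unknown layouts give Nones."""
    text = _unfold(value)
    m = RECEIVED_RE.match(text)
    fields = m.groupdict() if m else dict.fromkeys(
        ("from", "from_info", "by", "software", "with"))
    fields["timestamp"] = text.rsplit(";", 1)[1].strip() if ";" in text else None
    return fields


def trace_origin(raw_message):
    """Hop list (top header first), the first hop (where the message entered
    the mail system) and the cPanel X-AntiAbuse details."""
    msg = email.message_from_string(raw_message)
    hops = [parse_received(h) for h in msg.get_all("Received", [])]
    if not hops:
        raise ValueError("message has no Received headers")
    origin = hops[-1]   # last header listed was written first: the submission
    result = {"hops": hops, "origin": origin,
              # webmail (Horde/IMP) submits over HTTP; a script on the box
              # would instead show "with local" as its first hop
              "via_webmail": (origin["with"] or "").upper() == "HTTP",
              "originator_uid": None, "caller_uid": None,
              "sender_domain": None, "spam_score": None}
    for line in msg.get_all("X-AntiAbuse", []):
        line = _unfold(line)
        # assumed layout: "[originator uid gid] / [caller uid gid]"
        m = re.search(r"UID/GID - \[(\d+) (\d+)\] / \[(\d+) (\d+)\]", line)
        if m:
            result["originator_uid"], result["caller_uid"] = int(m[1]), int(m[3])
        m = re.search(r"Sender Address Domain - (\S+)", line)
        if m:
            result["sender_domain"] = m[1]
    m = re.search(r"score=([\d.]+)", msg.get("X-Spam-Status", ""))
    if m:
        result["spam_score"] = float(m[1])
    return result


def keyword_hits(raw_message, words):
    """Which sender headers, or the body, contain any watch word."""
    msg = email.message_from_string(raw_message)
    words = [w.lower() for w in words]
    hits = [name for name in ("From", "Reply-To", "Return-Path", "Subject")
            if any(w in msg.get(name, "").lower() for w in words)]
    body = ""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            body += payload.decode(part.get_content_charset() or "utf-8", "replace")
    if any(w in body.lower() for w in words):
        hits.append("body")
    return hits


if __name__ == "__main__":
    info = trace_origin(RAW_MESSAGE)
    for i, hop in enumerate(reversed(info["hops"]), 1):
        print(f"hop {i}: from {hop['from']} by {hop['by']} with {hop['with']} "
              f"({hop['software'] or 'n/a'}) at {hop['timestamp']}")
    o = info["origin"]
    print(f"origin {o['from']} via {o['with']}, webmail={info['via_webmail']}, "
          f"uid={info['originator_uid']}, domain={info['sender_domain']}")
    print("watch-word hits:", keyword_hits(RAW_MESSAGE, ["emaillotto"]))
```

On this sample the first hop is 82.158.172.226 submitting over HTTP to the Horde MIME library, which is the same conclusion as the post above; the UID from X-AntiAbuse is what you would then map to a cPanel account on the box. The watch-word check only reports where the word appears, which is the safer way to use it: a silent discard would also hide the evidence you need to find the account.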
     
  6. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    Do you have exim extended logging turned on? You might want to install some of Chirpy's mail tools as well from configserver.com. People use water to cook?? ;)
     
  7. markacadey

    markacadey Registered

    Joined:
    Feb 8, 2011
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Hello,

    How to stop incoming email
     
  8. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Hello markacadey,

    I'm not certain I understand the question here on stopping incoming email? You mean you want to stop all incoming emails on your machine?

    Also, for the prior topic discussion, if you see Horde listed in the header, you can do a search on the Horde database in PhpMyAdmin in WHM for the email account sender. If they are spoofing that sender, it will still show up in the Horde database as one of the names they've set for the email account. That is how you track down the abusive account.

    Thanks.
     