The Spammer Is Still Using My Server!!! HELP LINUX GURUS !!

Not open for further replies.


Well-Known Member
Oct 8, 2004
OK, i resume what i did to avoid this fuc.. spammer .

  1. I read all features and enabled them on whm
  2. I found out that my exim log rejects relays that are not my clients, i think...
  3. I Installed the feature in php to detect if an script is sending though my server, i tested it , it works, but i do not detect any spammer like this
  4. i installed RBL, SBL and all features about detecting ip from spammers, to avoid them to conect to my server
  5. i installed ALL features like dictonary attack, firewall, apm , etc etc etc.

But i keeps receiving emails that were sent by [email protected] , i will copy one here and you will see , that I understand that the original email was sent using my server.

I receive it in my inbox ....I replace MYDOMAINHERE and xx.xx..xx<-- THIS IS MY IP' SERVER

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

[email protected]
(ultimately generated from [email protected])
mailbox is full: retry timeout exceeded

------ This is a copy of the message, including all the headers. ------

Return-path: <[email protected]>
Received: from ([]:2402)
by with esmtp (Exim 4.52)
id 1Ge8CM-0000bv-Kf
for [email protected]; Sun, 29 Oct 2006 04:47:27 -0600
Received: from XXX.XXX.XXX.XXX(HELO
by with esmtp (HH7I1U8G1 JL487)
id EC7N00-BD83Y1-K1
for [email protected]; Sun, 29 Oct 2006 10:47:34 -0060
From: "Danielle Beal" <[email protected]>
To: <[email protected]>
Subject: Notification
Date: Sun, 29 Oct 2006 10:47:34 -0060
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain;
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1478
Thread-Index: Aca6QMFUDL7VL222RV6EN62GPY2S06==

The accumulation of positions by those in the know has shot
A_U_N_I up 33% in a few short days. We hope you all got in
early like we told you to, and are enjoying your good fortune.
But even if you didn't don't worry because ..........

So, someone is sending though MYIP with [email protected] , but i can not detect them.

I trying putting the domain tha uses to connect to my smtp , in my black list in my server, but he keeps changing it with every email.

When exim sends an email, does not keeps logs about sending if it was ok, it keeps about errors, or only date time on sucessfully sending, right ?

what do you suggest to detect this spammer ?

one thing i detect is that somes of the domains in this server that have catch all feature, is happening the same thing. I suppose that exim that rejects an non existant email, but with catch all , all email is valid right ?


Well-Known Member
Jul 19, 2005
Add rule in antivirus.exim like:

   # Filters all incoming an outgoing mail
logfile  /var/log/filter.log 0644
          # Header Spam
          $header_subject: contains "Pharmaceutical"
 or           $header_subject: contains "Viagra"
 or           $header_subject: contains "Cialis"
 or           $header_subject: is "The Ultimate Online Pharmaceutical"

          # Body Spam
 or         $message_body: contains "Cialis"
 or           $message_body: contains "Viagra"
 or           $message_body: contains "Leavitra"
 or           $message_body: contains "St0ck"
 or           $message_body: contains "Viaagrra"
 or           $message_body: contains "Cia1iis"
 or           $message_body: contains "URGENT BUSINESS PROPOSAL"
 or           $message_body: contains "Del Norte Credit Union"
 or           $message_body: contains "VlArGRA"
 or           $message_body: contains "VALrlUM"
 or           $message_body: contains "VALhlUM"
 or           $message_body: contains "VALilUM"
 or           $message_body: contains "VALjlUM"
 or           $message_body: contains "VALklUM"
 or           $message_body: contains "VlAhGRA"
 or           $message_body: contains "VlAiGRA"
 or           $message_body: contains "VlAjGRA"
 or           $message_body: contains "VlAkGRA"
 or           $message_body: contains "Economize 60%"
 or           $message_body: contains "GRA for less"
 or           $message_body: contains "Lincoln Federal Savings Bank"
 or           $message_body: contains "GOLDMARK INDUSTRIES"
 or           $message_body: contains "Alliance National Bank"
 or           $message_body: contains "de sit-in chair, met gaslift verstelbaar"

          logwrite "$tod_log $message_id from $sender_address contained spam keywords"
          seen finish
          # END
          # Filters all incoming an outgoing mail

So add some own rule to match that spam.
I know these rules are not effective if a same spammer changes subject/body words but if you are fast enough to add the rule (just edit the file, save it, no restart of exim needed) most will be rejected. I always watch a catch-all mailbox where a lot spam is delivered to add more rules.

Not open for further replies.