The Community Forums

Interact with an entire community of cPanel & WHM users!

The Spammer Is Still Using My Server!!! HELP LINUX GURUS !!

Discussion in 'General Discussion' started by altomarketing2, Oct 29, 2006.

Thread Status:
Not open for further replies.
  1. altomarketing2

    altomarketing2 Well-Known Member

    Oct 8, 2004
    OK, I'll summarize what I did to avoid this fuc.. spammer.

    1. I read all the features and enabled them in WHM.
    2. I found out that my Exim log rejects relays that are not my clients, I think...
    3. I installed the PHP feature to detect if a script is sending through my server. I tested it, it works, but I do not detect any spammer this way.
    4. I installed RBL, SBL and all the features for detecting spammers' IPs, to keep them from connecting to my server.
    5. I installed ALL the features like dictionary attack, firewall, apm, etc. etc. etc.

    But I keep receiving emails that were sent by , I will copy one here and you will see that, as I understand it, the original email was sent using my server.

    I receive it in my inbox.... I replaced MYDOMAINHERE and xx.xx..xx <-- THIS IS MY SERVER'S IP

    This message was created automatically by mail delivery software.

    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:
    (ultimately generated from
    mailbox is full: retry timeout exceeded

    ------ This is a copy of the message, including all the headers. ------

    Return-path: <>
    Received: from ([]:2402)
    by with esmtp (Exim 4.52)
    id 1Ge8CM-0000bv-Kf
    for; Sun, 29 Oct 2006 04:47:27 -0600
    Received: from XXX.XXX.XXX.XXX(HELO
    by with esmtp (HH7I1U8G1 JL487)
    id EC7N00-BD83Y1-K1
    for; Sun, 29 Oct 2006 10:47:34 -0060
    From: "Danielle Beal" <>
    To: <>
    Subject: Notification
    Date: Sun, 29 Oct 2006 10:47:34 -0060
    Message-ID: <01c6fb47$a4646310$6c822ecf@gnr>
    MIME-Version: 1.0
    Content-Type: text/plain;
    Content-Transfer-Encoding: 7bit
    X-Priority: 3 (Normal)
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Office Outlook, Build 11.0.6353
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1478
    Thread-Index: Aca6QMFUDL7VL222RV6EN62GPY2S06==

    The accumulation of positions by those in the know has shot
    A_U_N_I up 33% in a few short days. We hope you all got in
    early like we told you to, and are enjoying your good fortune.
    But even if you didn't don't worry because ..........

    So, someone is sending through MYIP with noexist@MYDOMAINHERE.COM, but I cannot detect them.

    I tried putting the domain he uses to connect to my SMTP in my server's blacklist, but he keeps changing it with every email.

    When Exim sends an email, it does not keep logs about the sending if it was OK; it keeps logs about errors, or only the date and time of a successful send, right?

    What do you suggest to detect this spammer?

    One thing I detected is that the same thing is happening with some of the domains on this server that have the catch-all feature. I suppose that Exim rejects a non-existent email address, but with catch-all, every address is valid, right?
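The bounce quoted above is all there is to go on, so here is how an admin can pull the traceable pieces out of such a message: the Received: hop stamped by his own Exim (the only hop he can trust), the IP that handed the mail over at that hop, the Exim queue id to grep for in exim_mainlog, and any hop whose date is malformed, like the "-0060" zone in the second Received: line, which is a typical sign of a header the sender forged before the mail ever reached the server. This is an added example, not code from the thread or from cPanel; the message is constructed from the redacted headers in the post, with placeholder host names and IPs, and the local host name in LOCAL_HOSTS is an assumption.

```python
"""Walk the Received: chain of a bounced message and extract what is needed
to trace it in the Exim logs.

Added example for this thread, not code from the posts or from cPanel.
SAMPLE is constructed from the redacted headers quoted in the first post:
host names and IPs are placeholders (RFC 5737 documentation ranges)."""
import email
import re

# Constructed sample: the copy of the spam returned inside the bounce.
# Hop 1 was stamped by the poster's own Exim; hop 2 arrived inside the spam
# and is assumed to have been forged by the sender (note the "-0060" zone).
SAMPLE = """\
Return-path: <>
Received: from spammer-relay.example ([192.0.2.10]:2402)
\tby mail.mydomainhere.example with esmtp (Exim 4.52)
\tid 1Ge8CM-0000bv-Kf
\tfor noexist@mydomainhere.example; Sun, 29 Oct 2006 04:47:27 -0600
Received: from 203.0.113.7 (HELO gnr)
\tby mx.forged.example with esmtp (HH7I1U8G1 JL487)
\tid EC7N00-BD83Y1-K1
\tfor noexist@mydomainhere.example; Sun, 29 Oct 2006 10:47:34 -0060
From: "Danielle Beal" <noexist@mydomainhere.example>
To: <victim@example.net>
Subject: Notification
Date: Sun, 29 Oct 2006 10:47:34 -0060
Message-ID: <01c6fb47$a4646310$6c822ecf@gnr>

The accumulation of positions by those in the know has shot
A_U_N_I up 33% in a few short days.
"""

# Assumed name of the poster's own server; only hops "by" one of these are trusted.
LOCAL_HOSTS = {"mail.mydomainhere.example"}

# One Received: header after its folded lines have been joined.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)\s*(?:\((?P<paren>[^)]*)\))?"  # sending host and (HELO/IP) part
    r".*?\bby\s+(?P<by>\S+)"                              # receiving host
    r"(?:.*?\bid\s+(?P<id>\S+))?"                         # queue id, if present
    r".*?;\s*(?P<date>.*)$")                              # date after the ';'


def parse_received(value):
    """Describe one Received: header as a dict, or None if it cannot be parsed."""
    m = RECEIVED_RE.search(" ".join(value.split()))
    if not m:
        return None
    hop = m.groupdict()
    ip = re.search(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b",
                   (hop["paren"] or "") + " " + hop["from"])
    hop["ip"] = ip.group(1) if ip else None
    # A zone is +HHMM/-HHMM with MM below 60; "-0060" cannot come from a sane MTA.
    zone = re.search(r"([+-])(\d{2})(\d{2})\s*$", hop["date"].strip())
    hop["zone_valid"] = bool(zone) and int(zone.group(3)) < 60
    return hop


def analyse(raw, local_hosts=LOCAL_HOSTS):
    """Summarise the Received: chain of a bounced message for log tracing."""
    msg = email.message_from_string(raw)
    hops = [h for h in (parse_received(v) for v in msg.get_all("Received", [])) if h]
    ours = [h for h in hops if h["by"].lower() in local_hosts]
    return {
        "hops": len(hops),
        "our_hop": ours[0] if ours else None,
        # Peer that connected to our Exim: an outside IP means a relay/forgery
        # from outside, not a local script.
        "peer_ip": ours[0]["ip"] if ours else None,
        "exim_id": ours[0]["id"] if ours else None,
        "malformed_dates": [h["by"] for h in hops if not h["zone_valid"]],
        # A null Return-path plus our own domain in From: marks this as
        # backscatter: a bounce of mail that forged our address.
        "null_return_path": msg.get("Return-path", "").strip() == "<>",
    }


if __name__ == "__main__":
    r = analyse(SAMPLE)
    print(f"peer IP that handed the spam to our Exim: {r['peer_ip']}")
    print(f"grep this id in /var/log/exim_mainlog (cPanel path): {r['exim_id']}")
    print(f"hops with malformed dates (likely forged): {r['malformed_dates']}")
```

Only the hop stamped by your own server tells you anything reliable; everything below it in the chain is the sender's to invent. The queue id from that hop is what to grep for in exim_mainlog to see whether the message came in via an authenticated SMTP login, a local script, or an unauthenticated connection to a catch-all address.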
  2. Danny_T

    Danny_T Well-Known Member

    Jul 19, 2005
    Add a rule in antivirus.exim like:

    # Exim filter
    # Filters all incoming and outgoing mail
    logfile /var/log/filter.log 0644
    if
        # Header spam
           $header_subject: contains "Pharmaceutical"
        or $header_subject: contains "Viagra"
        or $header_subject: contains "Cialis"
        or $header_subject: is "The Ultimate Online Pharmaceutical"
        # Body spam
        or $message_body: contains "Cialis"
        or $message_body: contains "Viagra"
        or $message_body: contains "Leavitra"
        or $message_body: contains "St0ck"
        or $message_body: contains "Viaagrra"
        or $message_body: contains "Cia1iis"
        or $message_body: contains "URGENT BUSINESS PROPOSAL"
        or $message_body: contains "Del Norte Credit Union"
        or $message_body: contains "VlArGRA"
        or $message_body: contains "VALrlUM"
        or $message_body: contains "VALhlUM"
        or $message_body: contains "VALilUM"
        or $message_body: contains "VALjlUM"
        or $message_body: contains "VALklUM"
        or $message_body: contains "VlAhGRA"
        or $message_body: contains "VlAiGRA"
        or $message_body: contains "VlAjGRA"
        or $message_body: contains "VlAkGRA"
        or $message_body: contains "Economize 60%"
        or $message_body: contains "GRA for less"
        or $message_body: contains "Lincoln Federal Savings Bank"
        or $message_body: contains "GOLDMARK INDUSTRIES"
        or $message_body: contains "Alliance National Bank"
        or $message_body: contains "de sit-in chair, met gaslift verstelbaar"
    then
        # Log the hit, then discard the message (no delivery to the recipients)
        logwrite "$tod_log $message_id from $sender_address contained spam keywords"
        seen finish
    endif
    # END

    So add some rules of your own to match that spam.
    I know these rules are not effective if the same spammer changes the subject/body words, but if you are fast enough to add the rule (just edit the file and save it; no restart of Exim is needed) most will be rejected. I always watch a catch-all mailbox where a lot of spam is delivered, to add more rules.
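Before a rule like the ones above goes into the live system filter it is worth running it against saved samples, and the quoted stock spam is a good test: none of the keywords in this post appear in it, which is exactly the weakness the poster points out. The following is an added example, not code from the post, from cPanel or from Exim; it re-implements only the `contains` and `is` tests on `$header_subject` and `$message_body` (Exim compares case-insensitively when the operator is written in lower case, as here), and the two sample messages are constructed.

```python
"""Offline check of antivirus.exim-style keyword rules against saved messages.

Added example for this thread, not code from the post or from cPanel/Exim.
Only the `contains` / `is` tests on $header_subject and $message_body are
mirrored; the sample messages are constructed."""
import email

# (variable, operator, string) triples: a subset of the rules in the post.
# Lower-case Exim operators compare case-insensitively, so we lower() both sides.
RULES = [
    ("header_subject", "contains", "Pharmaceutical"),
    ("header_subject", "contains", "Viagra"),
    ("header_subject", "is", "The Ultimate Online Pharmaceutical"),
    ("message_body", "contains", "Cialis"),
    ("message_body", "contains", "St0ck"),
    ("message_body", "contains", "URGENT BUSINESS PROPOSAL"),
]


def first_match(raw, rules=RULES):
    """Return the first rule a message trips, or None if the filter would pass it."""
    msg = email.message_from_string(raw)
    fields = {
        "header_subject": msg.get("Subject", ""),
        # Single-part text only; multipart bodies would need per-part handling.
        "message_body": msg.get_payload() if not msg.is_multipart() else "",
    }
    for var, op, needle in rules:
        hay, n = fields[var].lower(), needle.lower()
        if (op == "contains" and n in hay) or (op == "is" and hay.strip() == n):
            return (var, op, needle)
    return None


def audit(samples, rules=RULES):
    """Map each labelled sample to the rule that caught it (None = slipped through)."""
    return {label: first_match(raw, rules) for label, raw in samples.items()}


# Constructed samples. STOCK mirrors the pump-and-dump mail quoted in the first post.
PHARMA = "Subject: Cheap VIAGRA today\n\nbuy now\n"
STOCK = ("Subject: Notification\n\n"
         "The accumulation of positions by those in the know has shot\n"
         "A_U_N_I up 33% in a few short days.\n")

if __name__ == "__main__":
    for label, hit in audit({"pharma": PHARMA, "stock": STOCK}).items():
        print(f"{label}: {'caught by ' + repr(hit) if hit else 'NOT caught'}")
```

Running the audit shows the pharma sample is caught by the Subject rule while the stock sample slips through every rule, so a keyword list like this needs feeding from the catch-all mailbox continuously, as the post says, and is no substitute for finding how the mail is getting into the queue in the first place.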

  3. chirpy

    chirpy Well-Known Member

    Jun 15, 2002
    Go on, have a guess
    Please don't cross-post on the forums.