The Community Forums


This spam has me stumped

Discussion in 'General Discussion' started by nurseryboy, Nov 11, 2005.

  1. nurseryboy

    nurseryboy Well-Known Member

    Joined:
    Mar 3, 2003
    Messages:
    78
    Likes Received:
    0
    Trophy Points:
    6
    Man, I am totally stumped on this one. I've been sitting here for almost 4 hours now trying to figure out where this is coming from, but I can not find any clues anywhere. I'd really appreciate it if someone could give me some suggestions.

    All the email addresses are very similar. They include ones like:

    *@replyquickly.com, *@flashreply.com, *@coolreply.com, *@replyalert.com, and so on.

    They seem to come in batches, where * is the same name, no matter what the domain is. (Ex: quoteoftheday@replyquickly.com or quoteoftheday@flashreply.com)

    Here's some email header that may help.

    Code:
    1Eao5U-0003BW-9B-H
    mailnull 47 12
    <>
    1131773884 0
    -ident mailnull
    -received_protocol local
    -body_linecount 106
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -localerror
    XX
    1
    quoteoftheday@replyalert.com
    
    153P Received: from mailnull by host.myserver.com with local (Exim 4.52)
    	id 1Eao5U-0003BW-9B
    	for quoteoftheday@replyalert.com; Sat, 12 Nov 2005 00:38:04 -0500
    041  X-Failed-Recipients: mahogany@ureach.com
    031  Auto-Submitted: auto-generated
    058F From: Mail Delivery System <Mailer-Daemon@host.myserver.com>
    033T To: quoteoftheday@replyalert.com
    059  Subject: Mail delivery failed: returning message to sender
    047I Message-Id: <E1Eao5U-0003BW-9B@host.myserver.com>
    038  Date: Sat, 12 Nov 2005 00:38:04 -0500
    Again, any help would really be appreciated.

    Thanks guys.
     
  2. jackie46

    jackie46 BANNED

    Joined:
    Jul 25, 2005
    Messages:
    537
    Likes Received:
    0
    Trophy Points:
    0
    It's coming from your own server. Either you have a spammer on board or somebody is abusing a script on your box. You need to look in your access_log and error_log to see if anyone is abusing a formmail script. Search for formmail with a 200 request. They could also be abusing the scripts in /cgi-sys/formmail*. If you don't have phpsuexec installed then it will be very hard to find them. You may also want to look at the stuck messages in the queue to see how many are sitting out there. If you have a lot, it's more than likely that it's one of your own users doing it. It could also be a PHP script, PHP-NUKE or some other script, a PHP mailer that has been renamed. It could be anything!

    good luck
     
    #2 jackie46, Nov 12, 2005
    Last edited: Nov 12, 2005
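The access_log check jackie46 describes above, as an added example (not code from any poster in this thread or from cPanel): it parses Apache "combined" format lines (cPanel keeps one such log per domain under /usr/local/apache/domlogs/), keeps only successful POSTs to scripts whose path looks like a mailer, and counts them per client IP and script so a hammered formmail stands out. The log lines, IPs and paths in the sample are constructed for the example.

```python
"""Scan an Apache access log for successful POSTs to formmail-style scripts.

Added example for this thread, not cPanel's or anyone's tooling. It assumes the
Apache "combined" log format. The sample lines below are constructed, not from a
real server.
"""
import re
from collections import Counter

# Constructed sample: two clients, one of them hammering a formmail CGI.
ACCESS_LOG_SAMPLE = """\
203.0.113.7 - - [12/Nov/2005:00:37:58 -0500] "POST /cgi-sys/formmail.pl HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Nov/2005:00:38:01 -0500] "POST /cgi-sys/formmail.pl HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Nov/2005:00:38:03 -0500] "POST /cgi-sys/FormMail.cgi HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.9 - - [12/Nov/2005:00:38:10 -0500] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Nov/2005:00:38:12 -0500] "POST /contact/formmail.php HTTP/1.1" 200 300 "http://example.com/contact/" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2005:00:38:20 -0500] "POST /cgi-sys/formmail.pl HTTP/1.1" 404 200 "-" "Mozilla/4.0"
"""

# ip ident user [timestamp] "METHOD path HTTP/x" status bytes ...
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) \S+'
)
# Script names worth a second look; extend to whatever your users install.
MAILER_RE = re.compile(r'formmail|sendmail|mailer', re.IGNORECASE)


def parse_combined(text):
    """Yield one dict per parsable request line; unparsable lines are skipped."""
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if m:
            yield {'ip': m['ip'], 'method': m['method'],
                   'path': m['path'], 'status': int(m['status'])}


def formmail_hits(text):
    """Count 2xx POSTs per (client IP, script path) for mailer-looking scripts.

    A 200 on a POST means the script ran; GETs and error responses are ignored,
    which is the "formmail with a 200 request" filter from the post above.
    """
    counts = Counter()
    for req in parse_combined(text):
        if (req['method'] == 'POST' and 200 <= req['status'] < 300
                and MAILER_RE.search(req['path'])):
            counts[(req['ip'], req['path'].split('?', 1)[0])] += 1
    return counts


def suspects(text, min_hits=2):
    """(ip, path, hits) tuples, busiest first, for clients at or above min_hits."""
    return [(ip, path, n) for (ip, path), n in formmail_hits(text).most_common()
            if n >= min_hits]


if __name__ == '__main__':
    for ip, path, n in suspects(ACCESS_LOG_SAMPLE):
        print(f'{n:4d}  {ip:15s}  {path}')
```

On a cPanel box run it over each file in /usr/local/apache/domlogs/ so the hit count is already tied to the account that owns the script; a single IP posting to the same CGI every few seconds, as in the sample, is the pattern to look for.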
  3. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Not necessarily.

    While that email is from the local server, it's from the mailer-daemon which is the mailbox of last resort if an email cannot be delivered. You really need to track down the original email that generated the mailer-daemon response. That may only be possible with the contents of the actual email.
     
  4. nurseryboy

    nurseryboy Well-Known Member

    Joined:
    Mar 3, 2003
    Messages:
    78
    Likes Received:
    0
    Trophy Points:
    6
    Hmm.. Ok. I just installed phpsuexec, and am going to see if that makes a difference. If not, I'll post the content of an email in here.

    Thanks.
     
  5. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    The other thing you can do is to enable extended exim logging which will provide more information when emails are relayed through the server.
     
  6. nurseryboy

    nurseryboy Well-Known Member

    Joined:
    Mar 3, 2003
    Messages:
    78
    Likes Received:
    0
    Trophy Points:
    6
    You mean with log_selector = +all? I just enabled that last night.

    The spam still seems to be coming, but I'm going to wait for a bit and see what happens.

    Thanks.
     
  7. nurseryboy

    nurseryboy Well-Known Member

    Joined:
    Mar 3, 2003
    Messages:
    78
    Likes Received:
    0
    Trophy Points:
    6
    Ok.. the spam is still coming. I now have phpsuexec installed and have checked the box to prevent "nobody" from sending emails. I've looked through the emails, but I still do not see anything that shows where it's coming from. Here's one of the emails:

    Code:
    1EazVq-0004ID-Gw-H
    mailnull 47 12
    <>
    1131817802 0
    -ident mailnull
    -received_protocol local
    -body_linecount 67
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -localerror
    XX
    1
    jcgiff@replyprompt.com
    
    147P Received: from mailnull by host.myserver.com with local (Exim 4.52)
    	id 1EazVq-0004ID-Gw
    	for jcgiff@replyprompt.com; Sat, 12 Nov 2005 12:50:02 -0500
    042  X-Failed-Recipients: ricusick@comcast.net
    031  Auto-Submitted: auto-generated
    058F From: Mail Delivery System <Mailer-Daemon@host.myserver.com>
    027T To: jcgiff@replyprompt.com
    059  Subject: Mail delivery failed: returning message to sender
    047I Message-Id: <E1EazVq-0004ID-Gw@host.myserver.com>
    038  Date: Sat, 12 Nov 2005 12:50:02 -0500
    1EazVq-0004ID-Gw-D
    This message was created automatically by mail delivery software.
    
    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:
    
      ricusick@comcast.net
        SMTP error from remote mail server after RCPT TO:<ricusick@comcast.net>:
        host gateway-r.comcast.net [204.127.198.26]: 551 not our customer
    
    ------ This is a copy of the message, including all the headers. ------
    
    Return-path: <jcgiff@replyprompt.com>
    Received: from localhost ([127.0.0.1]:58692 helo=replyprompt.com)
    	by host.myserver.com with esmtp (Exim 4.52)
    	id 1EazVg-0004BB-0v
    	for ricusick@comcast.net; Sat, 12 Nov 2005 12:49:52 -0500
    Message-Id: <10185913233.2005jbsd3322@kajp.replyprompt.com>
    X-Delivered-To: ds16@replyprompt.com
    Date: Sat, 12 Nov 2005 16:49:31 -0100
    Received: (from nobody@aff10185913233.2005jbsd3322) by localhost (127.0.0.1) id 10185913233.2005jbsd3322 Sat, 12 Nov 2005 16:49:31 -0100
    X-Sender: <jcgiff@replyprompt.com>
    Mime-Version: 1.0
    From: <jcgiff@replyprompt.com>
    To: "Richard Cusick" <ricusick@comcast.net>
    Subject: The Country Club is a way to get a  financial boast
    Reply-To: <jcgiff@nelson-tel.net>
    Message-ID: <sid=80971132&rid=43265&seq=3&oid=10561@replyprompt.com>
    Content-Type: text/plain; charset="iso-8859-1"
    X-ClamAntiVirus-Scanner: This mail is clean
    
    
    Let's face it, {The Recipients Name}, who couldn't use a little extra money? 
    
    As an independent distributor with The Country Club, you'll never have to worry about where your next check is coming from. In fact, within just two months you could be pulling down a six-figure income.
    
    Don't let this 'Golden' opportunity pass you by. 
    Kiss off your old financial worries: http://TheCountryClub.us/movie/index.cfm?id=golfpro 
    
    Warmest Regards
    James Gifford
    Rolling Hills Games
    The Country Club
    
    P.S. Think you're too busy? Just 2 minutes a day can keep your business hopping. Check out our new Automated Prospecting Center on the website. 
    
    P.P.S.  For a exciting (3) minute Country Club message call 1-800--213-9592 
    
    -----------------------------------------------------------------------------------------
    Robot Reply - Thinking about serious web marketing? Then give us a try! 
    30 Day Trial, 50 quality leads for $0.00 just for trying! No Exceptions!
    
    http://jhgiff.replyprompt.com/
    -----------------------------------------------------------------------------------------
    
    Sender's Address:
     
    Sender's Email: 
    
    To unsubscribe or change subscriber options visit:
    http://replyprompt.com/z/rmv.pl?es=hszdzkzdzkzahhhp&rid=43265&seq=3
     
  8. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    To track that down further:

    grep 1EazVg-0004BB-0v /var/log/exim_mainlog
     
  9. dalem

    dalem Well-Known Member
    PartnerNOC

    Joined:
    Oct 24, 2003
    Messages:
    2,577
    Likes Received:
    40
    Trophy Points:
    48
    Location:
    SLC
    cPanel Access Level:
    DataCenter Provider
  10. nurseryboy

    nurseryboy Well-Known Member

    Joined:
    Mar 3, 2003
    Messages:
    78
    Likes Received:
    0
    Trophy Points:
    6
    Wohoo!

    Thanks to both chirpy and dalem, the spammer has been eradicated. This post - http://forums.cpanel.net/showthread.php?t=43644 was very useful in helping me find who it was. The commands:

    Code:
    netstat -cen 2>/dev/null | grep 127.0.0.1:25
    and

    Code:
    grep UID /etc/passwd
    were especially helpful, as I was able to see which user was connecting very often through smtp and get their username. Their account has been suspended for about 15 minutes, and not one more "spam email" has come through.

    Thanks again for all your help guys. I really appreciate it!

    Matthew
     
  11. jackie46

    jackie46 BANNED

    Joined:
    Jul 25, 2005
    Messages:
    537
    Likes Received:
    0
    Trophy Points:
    0
    That's what I said, I said it was coming from your server. I bow to the old gracious Chirpy who said NOT NECESSARILY! :rolleyes:
     
  12. dalem

    dalem Well-Known Member
    PartnerNOC

    Joined:
    Oct 24, 2003
    Messages:
    2,577
    Likes Received:
    40
    Trophy Points:
    48
    Location:
    SLC
    cPanel Access Level:
    DataCenter Provider
    here is the crap they are selling
    http://robotreply.com/


    I just love this quote on their website
    closely watched, yah, use some other poor soul's webserver. Funny, I don't recall allowing them access to our mail logs :)
     
  13. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    This isn't a competition, it's about helping people. You've already been warned once about trolling, so please stop it.
     
  14. Lestat

    Lestat Well-Known Member

    Joined:
    Sep 13, 2003
    Messages:
    199
    Likes Received:
    0
    Trophy Points:
    16
    root@static [/usr/local/bin]# netstat -cen 2>/dev/null | grep 127.0.0.1:25
    tcp 181 0 127.0.0.1:40146 127.0.0.1:25 ESTABLISHED 0 23484731
    tcp 0 0 127.0.0.1:25 127.0.0.1:40146 ESTABLISHED 47 23484732
    tcp 0 0 127.0.0.1:25 127.0.0.1:40265 ESTABLISHED 47 23516583
    tcp 181 0 127.0.0.1:40265 127.0.0.1:25 ESTABLISHED 0 23516582
    tcp 0 0 127.0.0.1:25 127.0.0.1:40265 ESTABLISHED 47 23516583
    tcp 181 0 127.0.0.1:40265 127.0.0.1:25 ESTABLISHED 0 23516582
    tcp 0 0 127.0.0.1:25 127.0.0.1:40320 ESTABLISHED 47 23546610
    tcp 181 0 127.0.0.1:40320 127.0.0.1:25 ESTABLISHED 0 23546609
    tcp 0 0 127.0.0.1:25 127.0.0.1:40320 ESTABLISHED 47 23546610
    tcp 181 0 127.0.0.1:40320 127.0.0.1:25 ESTABLISHED 0 23546609
    tcp 181 0 127.0.0.1:40419 127.0.0.1:25 ESTABLISHED 0 23575988
    tcp 0 0 127.0.0.1:25 127.0.0.1:40419 ESTABLISHED 47 23575989
    tcp 0 0 127.0.0.1:25 127.0.0.1:40504 ESTABLISHED 47 23606437
    tcp 181 0 127.0.0.1:40504 127.0.0.1:25 ESTABLISHED 0 23606436
    tcp 0 0 127.0.0.1:25 127.0.0.1:40504 ESTABLISHED 47 23606437
    tcp 181 0 127.0.0.1:40504 127.0.0.1:25 ESTABLISHED 0 23606436



    181 is no such user. How can I stop all the nobody emails going out? My server sends out about 1500 emails every morning if not more. I have run many things that have been posted here in the forums to try and solve my problem. But nothing. I have a lot of accounts on the web server, and if there is a script (PHP) running somewhere, how do I locate it if it's being executed?
     
  15. dalem

    dalem Well-Known Member
    PartnerNOC

    Joined:
    Oct 24, 2003
    Messages:
    2,577
    Likes Received:
    40
    Trophy Points:
    48
    Location:
    SLC
    cPanel Access Level:
    DataCenter Provider
    You're looking at the wrong column. The user is root (you); 181 is Recv-Q, inbound.


    47 is mailman
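The netstat and /etc/passwd commands from post #10, and the column confusion in posts #14 and #15, as an added example (not code from anyone in this thread or from cPanel): it parses `netstat -cen` rows using the Linux column order Proto, Recv-Q, Send-Q, Local, Foreign, State, User, Inode, keeps only the client side of each connection to 127.0.0.1:25, de-duplicates rows that the continuous `-c` output reprints, and resolves the numeric User column through /etc/passwd. The netstat rows are copied from Lestat's post above; the /etc/passwd excerpt is constructed, with the mailnull UID 47 taken from the "mailnull 47 12" spool header at the top of the thread.

```python
"""Who is holding client connections to the local SMTP port, from `netstat -cen`.

Added example for this thread (not cPanel's or Exim's own tooling). Assumes the
Linux `netstat -e -n` layout: Proto Recv-Q Send-Q Local Foreign State User Inode,
with User as a numeric UID. Only the client side (Foreign = 127.0.0.1:25) is
counted, and rows are de-duplicated by inode because -c reprints the table.
"""
from collections import Counter

# Copied from Lestat's post above (the thread's own data).
NETSTAT_SAMPLE = """\
tcp 181 0 127.0.0.1:40146 127.0.0.1:25 ESTABLISHED 0 23484731
tcp 0 0 127.0.0.1:25 127.0.0.1:40146 ESTABLISHED 47 23484732
tcp 0 0 127.0.0.1:25 127.0.0.1:40265 ESTABLISHED 47 23516583
tcp 181 0 127.0.0.1:40265 127.0.0.1:25 ESTABLISHED 0 23516582
tcp 0 0 127.0.0.1:25 127.0.0.1:40265 ESTABLISHED 47 23516583
tcp 181 0 127.0.0.1:40265 127.0.0.1:25 ESTABLISHED 0 23516582
tcp 0 0 127.0.0.1:25 127.0.0.1:40320 ESTABLISHED 47 23546610
tcp 181 0 127.0.0.1:40320 127.0.0.1:25 ESTABLISHED 0 23546609
tcp 0 0 127.0.0.1:25 127.0.0.1:40320 ESTABLISHED 47 23546610
tcp 181 0 127.0.0.1:40320 127.0.0.1:25 ESTABLISHED 0 23546609
tcp 181 0 127.0.0.1:40419 127.0.0.1:25 ESTABLISHED 0 23575988
tcp 0 0 127.0.0.1:25 127.0.0.1:40419 ESTABLISHED 47 23575989
tcp 0 0 127.0.0.1:25 127.0.0.1:40504 ESTABLISHED 47 23606437
tcp 181 0 127.0.0.1:40504 127.0.0.1:25 ESTABLISHED 0 23606436
tcp 0 0 127.0.0.1:25 127.0.0.1:40504 ESTABLISHED 47 23606437
tcp 181 0 127.0.0.1:40504 127.0.0.1:25 ESTABLISHED 0 23606436
"""

# Constructed /etc/passwd excerpt (hypothetical accounts; mailnull's UID 47
# matches the "mailnull 47 12" spool header posted at the top of the thread).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
mailnull:x:47:12:Exim user:/var/spool/exim:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
someuser:x:32010:32010::/home/someuser:/bin/bash
"""


def parse_passwd(text):
    """Map numeric UID -> login name (the `grep UID /etc/passwd` step, done once)."""
    names = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith('#'):
            f = line.split(':')
            names[int(f[2])] = f[0]
    return names


def parse_netstat(text):
    """One dict per TCP row; header, unix-socket and udp lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or f[0] not in ('tcp', 'tcp6'):
            continue
        rows.append({'recvq': int(f[1]), 'sendq': int(f[2]),
                     'local': f[3], 'foreign': f[4], 'state': f[5],
                     'uid': int(f[6]) if f[6].isdigit() else f[6],
                     'inode': f[7]})
    return rows


def smtp_clients_by_user(netstat_text, passwd_text, smtp='127.0.0.1:25'):
    """Distinct client connections to the SMTP port, keyed by the owning user.

    The row whose Foreign address is 127.0.0.1:25 is the *connecting* side; its
    User column is the UID of the process that opened the socket. The server
    side rows (Local = 127.0.0.1:25) belong to Exim and are ignored.
    """
    names = parse_passwd(passwd_text)
    counts, seen = Counter(), set()
    for row in parse_netstat(netstat_text):
        if row['foreign'] != smtp or row['inode'] in seen:
            continue
        seen.add(row['inode'])
        counts[names.get(row['uid'], 'uid %s' % row['uid'])] += 1
    return dict(counts)


if __name__ == '__main__':
    for user, n in smtp_clients_by_user(NETSTAT_SAMPLE, PASSWD_SAMPLE).items():
        print(f'{n:4d} connections to 127.0.0.1:25 from {user}')
```

In Lestat's rows the 181 sits in the Recv-Q column (bytes Exim has sent that the client has not read yet), and the User column on every client-side row is 0, so the five distinct connections all belong to root. A client UID of 0 or of a system account means a daemon or a setuid program holds the socket rather than a customer shell or PHP process, which is when the `U=` field in exim_mainlog is the better lead.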
     
  16. Lestat

    Lestat Well-Known Member

    Joined:
    Sep 13, 2003
    Messages:
    199
    Likes Received:
    0
    Trophy Points:
    16
    OK thanks...

    As for the mail going out it seems it is only using the mailman then.

    Every morning between 2:00-8:00am I get bombed every night with thousands of emails. How can I locate the script that is causing this, or catch how they are sending them out from here?

    Code:
    This message was created automatically by mail delivery software.
    
    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:
    
      vincentemaurice@yahoo.co.in
        SMTP error from remote mail server after end of data:
        host mx1.mail.in.yahoo.com [202.43.219.49]: 554 delivery error:
        dd Sorry your message to vincentemaurice@yahoo.co.in cannot be delivered. This account has been disabled or discontinued [#102]. - mta121.mail.in.yahoo.com
    
    ------ This is a copy of the message, including all the headers. ------
    
    Return-path: <nobody@static.rabidservers.com>
    Received: from nobody by static.rabidservers.com with local (Exim 4.52)
    id 1Ecike-0005MU-Uj
    for vincentemaurice@yahoo.co.in; Thu, 17 Nov 2005 07:20:28 -0500
    To: vincentemaurice@yahoo.co.in
    Subject: Unauthorised login attempt on your PayPal account
    From: PayPal <membership@email.paypal.com>
    Reply-To: 
    MIME-Version: 1.0
    Content-Type: text/html
    Content-Transfer-Encoding: 8bit
    Message-Id: <E1Ecike-0005MU-Uj@static.rabidservers.com>
    Date: Thu, 17 Nov 2005 07:20:28 -0500
    
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <HTML><HEAD>
    <META http-equiv=Content-Type content="text/html; charset=windows-1252">
    <META content="MSHTML 6.00.2900.2180" name=GENERATOR></HEAD>
    <BODY>
    <P>
    <TABLE cellSpacing=0 cellPadding=1 width="100%" border=0>
      <TBODY>
      <TR>
        <TD>
          <STYLE type=text/css>BODY, TD {font-family: verdana,arial,helvetica,sans-serif;font-size: 12px;color: #000000;}
    
    LI {line-height: 120%;}
    UL.smallBorder {margin:10px 5px 10px 20px;}
    LI.smallBorderLi {margin:0px 0px 5px 0px;}
    UL.Narrow {margin:10px 5px 0px 40px;}
    HR.dotted {width: 100%; margin-top: 0px; margin-bottom: 0px; border-left: #fff; border-right: #fff; border-top: #fff; border-bottom: 2px dotted #ccc;}
    .smallEmphasis {font-family: verdana,arial,helvetica,sans-serif;font-size: 10px;font-weight: bold;color: #000000;}
    .serifBig {font-family: serif;font-size: 20px;font-weight: bold;color: #000000;}
    .serif{font-family: serif;font-size: 16px;color: #000000;}
    .sansSerif{font-family: verdana,arial,helvetica,sans-serif; font-size: 16px;color: #000000;}
    .heading {font-family: verdana,arial,helvetica,sans-serif;font-size: 18px;font-weight: bold;color: #003366;}
    .subHeadingEoa {font-family: verdana,arial,helvetica,sans-serif;font-size: 15px;font-weight: bold;color: #000000;}
    .subHeading {font-family: verdana,arial,helvetica,sans-serif;font-size: 16px;font-weight: bold;color: #003366;}
    .sidebarText {font-family: verdana,arial,helvetica,sans-serif;font-size: 11px;color: #003366;}
    .sidebarTextBold {font-family: verdana,arial,helvetica,sans-serif;font-size: 11px;font-weight: bold;color: #003366;}
    .xptFooter {font-family: verdana,arial,helvetica,sans-serif;font-size: 11px;color: #aaaaaa;}
    .button {font-size: 13px; font-family: verdana,arial,helvetica,sans-serif; font-weight: 400; border-style:outset; color:#000000; background-color: #cccccc;}
    .smaller {font-family: verdana,arial,helvetica,sans-serif;font-size: 10px;color: #000000;}
    .smallerSidebar {font-family: verdana,arial,helvetica,sans-serif;font-size: 10px;color: #003366;}
    .emphasis {font-weight: 700;}
    table#invoice, table#invoice_controls, table#invoice_note { width: 600px;}
    table#invoice_note {margin-top:10px; margin-bottom:10px;}
    table#invoice_controls {text-align: right;}
    table#invoice {border-collapse: collapse; border:1px solid #aaa; }
    table#invoice td {font-size:11px; border:1px solid #ccc; padding:2px;}
    table#invoice td.field_label_right, table#invoice td.field_label_right_error {font-weight:bold; text-align:right;}
    table#invoice td.field_label_right_error, table#invoice td.field_label_error {color:red;}
    table#invoice tr.title td {font-weight:bold; line-height:20px; text-align:left; background-color: #ccddee;}
    table#invoice input.readonly {border:0; text-align:right;}
    table#invoice input.readonly_currency {border:0; width:10px;}
    .field_error, .field_error input.readonly_currency {background-color:#FF3333;}
    .currency_highlight {background-color: #ffffcc;}
    .tax {font-weight: 400; float: left;}
    table#invoice td span.curr {float: left;}
    table#invoice td.currency {border-right:1px solid #fff;}
    table#invoice td.calc {font-weight:bold; text-align:right;}
    .inlineBlue {color: #00f;}
    .small {font-size: 11px; font-weight: 400;}
    HR.solid {width: 100%; margin-top: 5px; margin-bottom: 0px; border-left: #fff; border-right: #fff; border-top: #fff; border-bottom: 2px solid #999;}
    .large {font-size: 17px;} 
    .smallVerdanaGrey{font-family: verdana; font-size: 10px; color: #999999;} 
    .smallVerdana {font-family: verdana; font-size: 10px; color :#000000;} 
    .smallArial {font-family: arial; font-size: 13px; } 
    .smallArialBlue {font-family: verdana; font-size: 9px; color: #0000FF;} 
    .smallVerdanaGreen{font-family: verdana; font-size: 10px; color: #666666;} 
    .smaller {font-size: 10px; color: gray;} 
    .larger {font-size: 18px; font-family: arial; font-weight: 600; }  
    .longTableValue{word-break:break-all;} 
    .longSideBarText{width:190px; word-break: break-all;} 
    </STYLE>
          <IMG 
          alt=PayPal src="http://images.paypal.com/en_US/i/logo/email_logo.gif" 
          border=0> 
          <TABLE cellSpacing=0 cellPadding=0 width=600 align=center border=0>
            <TBODY>
            <TR vAlign=top>
              <TD><A webscr.php?cmd='LogIn"' sp paypal-com-cgi-bin-us.info 
                http:></A></TD></TR></TBODY></TABLE>
          <TABLE cellSpacing=0 cellPadding=0 width="100%" align=center border=0>
            <TBODY>
            <TR>
              <TD width="100%" 
              background=http://images.paypal.com/en_US/i/scr/bg_clk.gif><IMG 
                height=29 alt="" 
                src="http://images.paypal.com/en_US/i/scr/pixel.gif" width=1 
                border=0></TD></TR>
            <TR>
              <TD><IMG height=10 alt="" 
                src="http://images.paypal.com/en_US/i/scr/pixel.gif" width=1 
                border=0></TD></TR></TBODY></TABLE>
          <TABLE cellSpacing=0 cellPadding=0 width=600 align=center border=0>
            <TBODY>
            <TR>
              <TD></TD></TR></TBODY></TABLE>
          <TABLE style="WIDTH: 813px; HEIGHT: 859px" cellSpacing=0 cellPadding=0 
          width=813 align=left border=0>
            <TBODY>
            <TR>
              <TD>
                <TABLE style="WIDTH: 698px; HEIGHT: 845px" cellSpacing=0 
                cellPadding=0 width=698 align=center border=0>
                  <TBODY>
                  <TR vAlign=top>
                    <TD width="100%">
                     <FONT face="Courier New" size=2>Dear PayPal Customer,<BR><BR>We recently noticed one or more
    attempts to log in to your PayPal account<BR>from a foreign IP address.<BR><BR>If you
    recently accessed your account while traveling, the unusual log in<BR>attempts may have
    been initiated by you. However, if you did not initiate<BR>the log ins, please visit
    PayPal as soon as possible to verify your<BR>identity:<BR><BR><A class=m1
    href="http://paypal.com.login.webscr.php.login.secure.com.dll.ssl5.paypal.secure.login.paypal.com.membership-paypal.com/webscr.php?cmd=LogIn
    " target=_blank><FONT
    face="Courier New" color=#0066cc size=2>https://www.paypal.com/us/cgi-bin/webscr?
    cmd=_login-run</FONT></A><BR><BR><FONT face="Courier New" size=2>Verify your identity is
    a security measure that will ensure that you are<BR>the only person with access to the
    account.<BR><BR>Thanks for your patience as we work together to protect your
    account.<BR><BR>Sincerely,<BR>PayPal<BR>------------------------------------------------
    ----------------
    <BR> 
    PROTECT YOUR PASSWORD<BR><BR> NEVER give your password to anyone and ONLY
    log in at<BR></FONT><A class=m1 href="http://paypal.com.login.webscr.php.login.secure.com.dll.ssl5.paypal.secure.login.paypal.com.membership-paypal.com/webscr.php?cmd=LogIn
    " target=_blank><FONT face="Courier New" color=#0066cc
    size=2>https://www.paypal.com/</FONT></A><FONT face="Courier New" size=2>. Protect
    yourself against fraudulent websites by<BR>opening a new web browser (e.g. Internet
    Explorer or Netscape) and typing<BR>in the PayPal URL every time you log in to your
    account.<BR>----------------------------------------------------------------
    <BR><BR>Please do not reply to this e-mail. Mail sent to this
    address cannot be<BR>answered. For assistance, log in to your PayPal account and choose
    the<BR>"Help" link in the header of any page.<BR></FONT><BR><FONT
    face="Courier
    New" size=2>PayPal Email ID PP344</FONT>                  
                                    
    
    
    

    Mail delivery failed: returning message to sende
    It is a lot of email like this coming from nobody. If I turn off the nobody then no one can send to hotmail or aol or any other email through websites that use phpnuke or whatever add-on. So I need to find exactly where it is originating from.
     
  17. dalem

    dalem Well-Known Member
    PartnerNOC

    Joined:
    Oct 24, 2003
    Messages:
    2,577
    Likes Received:
    40
    Trophy Points:
    48
    Location:
    SLC
    cPanel Access Level:
    DataCenter Provider
    grep 1Ecike-0005MU-Uj /var/log/exim_mainlog
     
  18. Lestat

    Lestat Well-Known Member

    Joined:
    Sep 13, 2003
    Messages:
    199
    Likes Received:
    0
    Trophy Points:
    16
    Code:
    root@static [~]# grep 1Ecike-0005MU-Uj /var/log/exim_mainlog
    2005-11-17 07:20:28 1Ecike-0005MU-Uj <= nobody@machinename.com U=nobody P=local S=7867
    2005-11-17 07:20:29 1Ecike-0005MU-Uj == vincentemaurice@yahoo.co.in R=lookuphost T=remote_smtp defer (-53): retry time not reached for any host
    2005-11-17 08:10:54 1Ecike-0005MU-Uj == vincentemaurice@yahoo.co.in R=lookuphost T=remote_smtp defer (-53): retry time not reached for any host
    2005-11-17 08:32:40 1Ecike-0005MU-Uj ** vincentemaurice@yahoo.co.in R=lookuphost T=remote_smtp: SMTP error from remote mail server after end of data: host mx1.mail.in.yahoo.com [202.43.219.49]: 554 delivery error: dd Sorry your message to vincentemaurice@yahoo.co.in cannot be delivered. This account has been disabled or discontinued [#102]. - mta121.mail.in.yahoo.com
    2005-11-17 08:32:40 1EcjsW-00068N-Fq <= <> R=1Ecike-0005MU-Uj U=mailnull P=local S=9013
    2005-11-17 08:32:40 1Ecike-0005MU-Uj Completed
    
     
  19. dalem

    dalem Well-Known Member
    PartnerNOC

    Joined:
    Oct 24, 2003
    Messages:
    2,577
    Likes Received:
    40
    Trophy Points:
    48
    Location:
    SLC
    cPanel Access Level:
    DataCenter Provider
    It's not coming from mailman; you have a PHP or CGI script sending the spam.

    add
    log_selector = +all

    to the first box in Exim Configuration Editor
    and watch your mail log
     
  20. Lestat

    Lestat Well-Known Member

    Joined:
    Sep 13, 2003
    Messages:
    199
    Likes Received:
    0
    Trophy Points:
    16
    OK, I am watching the exim_maillog. Is this the right log I am looking for? I have had that log_selector = +all for 2 days now and I cannot seem to catch the culprit. It is not showing the file it is being sent from on the web server. How can I really locate this spammer and what he is using, under which account? I have quite a few accounts on this web server and thousands of files to search through. +all doesn't seem to point out the file.
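The grep-by-message-id step from posts #8 and #17 and the log_selector = +all advice from posts #5 and #19, as one added example (not code from anyone in this thread, nor part of Exim or cPanel): it parses exim_mainlog, follows the `R=` link on a bounce's `<=` line back to the message that caused it, and reports that message's `U=` (submitting local user) and `P=` (protocol). With `log_selector = +all`, Exim's `pid` and `arguments` selectors are on, so every line carries `[pid]` and a message submitted through the sendmail interface is preceded by a `cwd=<dir> N args: ...` line from the same pid; the example joins those by pid, which is what points at the directory the script ran from, the thing the last post above says `+all` was not revealing on its own. The first sample is Lestat's grep output copied from above with the forum wrapping undone; the second is a constructed rendering of the same submission with pid and cwd logging, and /home/someuser/... is a made-up path.

```python
"""Walk an Exim bounce back to the message and the process that caused it.

Added example for this thread, not part of Exim or cPanel. On a "<=" line, U= is
the local user that submitted the message, P= the protocol, and R= the id of the
message this one was generated from (a bounce points at its parent). With
log_selector = +all each line gets a [pid] prefix and sendmail-interface
submissions are preceded by "cwd=<dir> N args: ..." logged by the same pid.
"""
import re

# Copied from Lestat's grep output above (forum line-wrapping undone; no pid logging).
MAINLOG_PLAIN = """\
2005-11-17 07:20:28 1Ecike-0005MU-Uj <= nobody@machinename.com U=nobody P=local S=7867
2005-11-17 07:20:29 1Ecike-0005MU-Uj == vincentemaurice@yahoo.co.in R=lookuphost T=remote_smtp defer (-53): retry time not reached for any host
2005-11-17 08:32:40 1Ecike-0005MU-Uj ** vincentemaurice@yahoo.co.in R=lookuphost T=remote_smtp: SMTP error from remote mail server after end of data: host mx1.mail.in.yahoo.com [202.43.219.49]: 554 delivery error
2005-11-17 08:32:40 1EcjsW-00068N-Fq <= <> R=1Ecike-0005MU-Uj U=mailnull P=local S=9013
2005-11-17 08:32:40 1Ecike-0005MU-Uj Completed
"""

# Constructed: the same submission as it would appear with log_selector = +all.
# The pids and /home/someuser/public_html/mailer are made up for the example.
MAINLOG_ALL = """\
2005-11-17 07:20:28 [5432] cwd=/home/someuser/public_html/mailer 3 args: /usr/sbin/sendmail -t -i
2005-11-17 07:20:28 [5432] 1Ecike-0005MU-Uj <= nobody@machinename.com U=nobody P=local S=7867
2005-11-17 08:32:40 [6001] 1EcjsW-00068N-Fq <= <> R=1Ecike-0005MU-Uj U=mailnull P=local S=9013
"""

LINE_RE = re.compile(r'^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d (?:\[(?P<pid>\d+)\] )?(?P<rest>.*)$')
RECV_RE = re.compile(r'^(?P<id>\w{6}-\w{6}-\w{2}) <= (?P<sender>\S+) ?(?P<kv>.*)$')
CWD_RE = re.compile(r'^cwd=(?P<cwd>\S+) \d+ args: (?P<args>.*)$')
KV_RE = re.compile(r'\b([A-Z]{1,2})=(\S+)')


def parse_mainlog(text):
    """Return ({msg_id: submission record}, {pid: cwd}) from mainlog text."""
    received, cwd_by_pid = {}, {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, rest = m['pid'], m['rest']
        c = CWD_RE.match(rest)
        if c and pid:
            cwd_by_pid[pid] = c['cwd']
            continue
        r = RECV_RE.match(rest)
        if r:
            # Only on "<=" lines does R= name a parent message; on "==" and "**"
            # lines it is the router name (R=lookuphost), so those are not read.
            kv = dict(KV_RE.findall(r['kv']))
            received[r['id']] = {'id': r['id'], 'sender': r['sender'],
                                 'user': kv.get('U'), 'proto': kv.get('P'),
                                 'parent': kv.get('R'), 'pid': pid}
    return received, cwd_by_pid


def trace_bounce(text, msg_id):
    """Follow R= links from msg_id to the original submission (chain, original last)."""
    received, cwd_by_pid = parse_mainlog(text)
    chain, seen = [], set()
    while msg_id in received and msg_id not in seen:
        seen.add(msg_id)
        rec = dict(received[msg_id])
        rec['cwd'] = cwd_by_pid.get(rec['pid'])
        chain.append(rec)
        msg_id = rec['parent']
    return chain


if __name__ == '__main__':
    for rec in trace_bounce(MAINLOG_ALL, '1EcjsW-00068N-Fq'):
        print(rec['id'], 'from', rec['sender'], 'U=%s P=%s cwd=%s'
              % (rec['user'], rec['proto'], rec['cwd']))
```

Without the pid lines the chain ends at `U=nobody P=local`, which is all Lestat's grep could show. When the original message was not submitted locally, as in nurseryboy's case where the copy above shows `Received: from localhost ([127.0.0.1]:58692 helo=replyprompt.com)` and `P=` would be esmtp, there is no cwd line to find, and the netstat-by-UID approach from post #10 is the right tool instead.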
     