This spam has me stumped

Discussion in 'General Discussion' started by nurseryboy, Nov 11, 2005.

  1. dalem

    dalem Well-Known Member PartnerNOC

    My first question would be: was the spam being sent off your server in the last two days?

    Not sure what else to tell you. If you can't find them through your logs & files, you may have to hire someone to sniff them out.
  2. te2586

    te2586 Member

    Also getting spam sent by mailnull.

    I have a good set of mod_sec rules, prevent nobody from sending, +all in exim.conf for log selector, and I've compiled phpsuexec. I still can't track this guy down. The netstat command referred to several times reveals nothing, and there is nothing in the exim_maillog either (including the grep on the message id).

    I really need some help here... any thoughts or solutions that I'm overlooking?

    Thanks!

    EDIT

    Here's the output of the grep on the message id of one of the spam messages:

    EDIT

    Am I just dumb, or does that log entry tell me who authenticated to send the mail? A=fixed_plain:user@domain ?
     
    #22 te2586, Nov 28, 2005
    Last edited: Nov 28, 2005
  3. chirpy

    chirpy Well-Known Member Verified Vendor

    It does indeed tell you that ;) fixed_plain is SMTP AUTH using the PLAIN method (i.e. password sent in the clear) using the account amycarnes@stevecarnes.com. That suggests either that user is doing it deliberately; someone has guessed their login password; or, perhaps most likely, their PC is infected with a virus.
     
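An added example, not part of any post in this thread: a shell function that tallies the `A=authenticator:user` field discussed above across Exim arrival (`<=`) lines, so one account sending from many client IPs stands out. The function names and the sample log lines are constructed for illustration, and `fixed_login` is assumed as the LOGIN counterpart of `fixed_plain`.

```shell
# Constructed sample lines in Exim main-log format (addresses and IPs are made up).
sample_log() {
cat <<'EOF'
2005-11-28 10:15:01 1EgAAA-0001ab-Cd <= a@example.org H=(pc1) [192.0.2.10] P=esmtpa A=fixed_plain:user1@example.com S=2101
2005-11-28 10:15:03 1EgAAB-0001ac-Cd <= b@example.org H=(pc2) [198.51.100.7] P=esmtpa A=fixed_plain:user1@example.com S=2090
2005-11-28 10:15:04 1EgAAB-0001ac-Cd => x@example.net R=lookuphost T=remote_smtp H=mx.example.net [203.0.113.5]
2005-11-28 10:16:10 [4321] 1EgAAC-0001ad-Cd <= c@example.org H=(pc3) [203.0.113.44]:51234 P=esmtpa A=fixed_plain:user1@example.com S=2144
2005-11-28 10:20:00 1EgAAD-0001ae-Cd <= user2@example.com H=(laptop) [192.0.2.55] P=esmtpa A=fixed_login:user2@example.com S=880 T="A=fixed_plain:nobody@example.com hello"
2005-11-28 10:21:00 1EgAAE-0001af-Cd <= web@example.com U=nobody P=local S=512
EOF
}

# Print "<messages> <distinct client IPs> <authenticator> <authenticated id>"
# for every A= value on message-arrival ("<=") lines, busiest first.
auth_senders() {
  awk '
    {
      arrow = 0   # position of "<=" (shifts by one when the pid is logged)
      for (i = 1; i <= NF && i <= 6; i++) if ($i == "<=") { arrow = i; break }
      if (!arrow) next
      auth = ""; ip = "-"
      for (i = arrow + 1; i <= NF; i++) {
        if ($i ~ /^T="/) break   # logged subject is sender-controlled text
        if ($i ~ /^A=/) auth = substr($i, 3)
        else if ($i ~ /^\[[0-9a-fA-F.:]+\]/) { ip = $i; sub(/^\[/, "", ip); sub(/\].*$/, "", ip) }
      }
      if (auth == "") next       # unauthenticated or local submission
      msgs[auth]++
      if (!((auth, ip) in seen)) { seen[auth, ip] = 1; ips[auth]++ }
    }
    END {
      for (a in msgs) {
        p = index(a, ":")
        name = (p ? substr(a, 1, p - 1) : a)
        id = (p ? substr(a, p + 1) : "-")
        printf "%d %d %s %s\n", msgs[a], ips[a], name, id
      }
    }
  ' "$@" | sort -k1,1nr -k4,4
}

sample_log | auth_senders
```

Pass the server's Exim main log as an argument to `auth_senders` instead of piping `sample_log` to run it on real data.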