Trace a mail from Queue Manager

Discussion in 'E-mail Discussions' started by sysmanz, Oct 23, 2011.

  1. sysmanz

    sysmanz Member

    Joined:
    Jul 20, 2011
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Hello,
    Our IP has been blocked a few times by CBL (Spamhaus). We did many things, but the problem is not gone...
    and there are many users sending spam with a script, and I'm sure hackers are doing this by finding a bug and uploading a script onto the host.
    We prevent nobody from sending mail, and we also limit hourly email to 50 per domain.
    We want to trace a mail and find out from which file they send it...

    Here is an example from the queue that shows a spammer targeted my user and is using that host to send spam. We want to know from which file?
    I think the only way to stop them is to trace them and fix the bug....
    Also let me know if there is anything I can do to stop these ... ?!

    Code:
    1RHemj-0003qB-1R-H
    mailnull 47 12
    <admin@advertise-bz.net>
    1319302261 0
    -helo_name advertise-bz.net
    -host_address 111.224.250.247.1584
    -interface_address xx.xx.xx.xx.25
    -received_protocol smtp
    -body_linecount 60
    -max_received_linelength 176
    -host_lookup_failed
    YY xxx@yahoo.com
    YN info@xxxx/virtual_userdelivery
    NN info@xxxxx/virtual_aliases_nostar
    NN xxxxx@gmail.com
    1
    info@xxxxx
    
    226P Received: from [111.224.250.247] (helo=advertise-bz.net)
    by xxxxx with smtp (Exim 4.69)
    (envelope-from <admin@advertise-bz.net>)
    id 1RHemj-0003qB-1R
    for info@xxxxx; Sat, 22 Oct 2011 20:21:01 +0330
    346 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
    s=good; d=advertise-bz.net;
    h=Message-IDate:From:User-Agent:X-Accept-Language:MIME-Version:To:Subject:Content-Type;
    b=ZFHd0WW7kSisOkYfsOpxtdO7ip0bw11P980YbWxeHEUSTx0V+iChCB+WkpSb62kSlSZWaerXyPG7UDU9t3yubRGikc/dZ0jyvMA2XMKxwnodaIbbpirKZZGweG6MfH1s+e5zgI5c28Blud6BtwyYral1n+AuXiH7Ns2LgDW5RZI=;
    049I Message-ID: <23E46740.3F980FF8@advertise-bz.net>
    038 Date: Sat, 22 Oct 2011 09:50:59 -0700
    046F From: "CashCreation" <admin@advertise-bz.net>
    106 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.21) Gecko/20090302 Thunderbird/2.0.0.21
    025 X-Accept-Language: en-us
    018 MIME-Version: 1.0
    025T To: <info@xxxxx>
    045 Subject: Make $15 in 15 minutes with surveys
    080 Content-Type: multipart/mixed;
    boundary="------------376280318410511801027461"
    
    1RHemj-0003qB-1R-D
    This is a multi-part message in MIME format.
    
    --------------376280318410511801027461
    Content-Type: text/plain;
    charset="iso-8859-1"
    Content-Transfer-Encoding: 7bit
    
    How would you like to make 15 - 25 
    every single day just for clicking your mouse?
    
    Start earning Minutes from now!
    
    Don't believe any hyped promises - you won't 
    be making thousands of dollars every day and 
    you won't be a millionaire by next year but 
    my System is a surefire method for everyone 
    who wants to start earning online.
    
    
    For Full Details please read the attached .html file 
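The dump above is an Exim spool header file (the `-H` file for message `1RHemj-0003qB-1R`). Reading it by hand is error-prone, so here is an added example parser, not code from the thread or from cPanel, that pulls out the fields that matter when deciding whether a queued message came in over SMTP from a remote host or was injected locally by a script. The two samples are constructed, modelled on the posted dump with placeholder mailboxes and hostnames; the treatment of `-host_address`, `-auth_id` and `-local` as the origin indicators is my reading of Exim's spool format, not something the thread states.

```python
import re
from datetime import datetime, timezone

# Constructed sample modelled on the -H spool file posted in the thread.
# Mailboxes and the local hostname are placeholders; the header byte counts
# are not recomputed because the parser below does not validate them.
REMOTE_SAMPLE_H = """1RHemj-0003qB-1R-H
mailnull 47 12
<admin@advertise-bz.net>
1319302261 0
-helo_name advertise-bz.net
-host_address 111.224.250.247.1584
-interface_address 192.0.2.10.25
-received_protocol smtp
-body_linecount 60
-max_received_linelength 176
-host_lookup_failed
YN info@example.net/virtual_userdelivery
NN info@example.net/virtual_aliases_nostar
1
info@example.net

226P Received: from [111.224.250.247] (helo=advertise-bz.net)
\tby host.example.net with smtp (Exim 4.69)
\t(envelope-from <admin@advertise-bz.net>)
\tid 1RHemj-0003qB-1R
\tfor info@example.net; Sat, 22 Oct 2011 20:21:01 +0330
046F From: "CashCreation" <admin@advertise-bz.net>
025T To: <info@example.net>
045  Subject: Make $15 in 15 minutes with surveys
"""

# Constructed contrast case: what a message injected by a local script
# (for example PHP mail() calling sendmail as the web-server user) looks
# like. Assumes Exim records "-local" and "received_protocol local" here.
LOCAL_SAMPLE_H = """1RHfAb-0001xy-2Q-H
nobody 99 99
<nobody@host.example.net>
1319305000 0
-local
-received_protocol local
-body_linecount 12
1
someone@example.org

042  Subject: constructed local-submission sample
"""

HEADER_RE = re.compile(r"^(\d+)([A-Z*]?)\s+(.*)$")   # "226P Received: ..."
TREE_RE = re.compile(r"^[YN][YN] ")                   # delivered-address tree


def parse_spool_header(text):
    """Parse an Exim -H spool file into a dict: the fixed leading lines,
    the -option lines, the recipient list, then headers with their flag."""
    lines = text.splitlines()
    msg = {
        "id": lines[0].rsplit("-", 1)[0],          # drop the trailing "-H"
        "user": lines[1].split()[0],               # login that submitted it
        "sender": lines[2].strip("<>"),            # envelope sender
        "received_at": datetime.fromtimestamp(int(lines[3].split()[0]), timezone.utc),
        "options": {}, "recipients": [], "headers": [],
    }
    i = 4
    # "-name value" lines; bare flags such as -host_lookup_failed become True
    while i < len(lines) and lines[i].startswith("-"):
        name, _, value = lines[i][1:].partition(" ")
        msg["options"][name] = value or True
        i += 1
    # skip the YY/YN/NY/NN tree of addresses already handled
    while i < len(lines) and TREE_RE.match(lines[i]):
        i += 1
    count = int(lines[i])
    msg["recipients"] = lines[i + 1:i + 1 + count]
    i += 1 + count
    if i < len(lines) and lines[i] == "":          # blank line before headers
        i += 1
    for line in lines[i:]:
        m = HEADER_RE.match(line)
        if m:
            msg["headers"].append({"flag": m.group(2) or " ", "text": m.group(3)})
        elif msg["headers"] and line[:1] in (" ", "\t"):   # folded continuation
            msg["headers"][-1]["text"] += " " + line.strip()
    return msg


def classify_origin(msg):
    """Where did the message enter the queue? -host_address means Exim
    accepted it over SMTP from that remote host (with -auth_id when the
    client authenticated); otherwise it was injected locally under the
    recorded login, which is the script case the thread is asking about."""
    opts = msg["options"]
    if "host_address" in opts:
        ip, _, port = opts["host_address"].rpartition(".")
        return {"origin": "smtp", "ip": ip, "port": int(port),
                "auth_id": opts.get("auth_id")}
    return {"origin": "local", "user": msg["user"],
            "protocol": opts.get("received_protocol")}


if __name__ == "__main__":
    for sample in (REMOTE_SAMPLE_H, LOCAL_SAMPLE_H):
        m = parse_spool_header(sample)
        print(m["id"], m["received_at"].isoformat(), classify_origin(m))
```

Run against the posted dump, the classifier reports `origin: smtp` from `111.224.250.247` with no `auth_id`: the message was received from outside over port 25, not generated by a file on the server, which is the point the next reply makes. A script-sent message would instead show up with the web-server user on the second line and no `-host_address`, and that login plus the timestamp is what you carry into the Apache logs.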
     
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    So to clarify, the email address and domain admin@advertise-bz.net do not exist on the machine in question?

    The best way to try to find anyone sending via a script would be to check the domlogs for POST entries for domains. Anytime a form is used to submit an email or exploit it for data, you'd get a POST entry in the Apache logs showing. Those logs are at /usr/local/apache/domlogs and sorted by domain name.
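As an added example of the domlog check described above (my code, not cPanel's), the following scans Apache combined-format log lines for POST requests and narrows them to the seconds around the time Exim accepted a queued message, which is the time printed in that message's Received header. The log lines are constructed and labelled as such; in practice they are read from `/usr/local/apache/domlogs/<domain>`, and the combined log format and the two-minute window are my assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime

# Apache "combined" log line as written to /usr/local/apache/domlogs/<domain>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed log lines (not real domlogs): one hosted site receives a POST
# to an oddly placed PHP file seconds before the queued message was accepted;
# another site has only legitimate contact-form traffic hours earlier.
DOMLOGS = {
    "example.net": [
        '198.51.100.7 - - [22/Oct/2011:20:20:58 +0330] "POST /images/.cache.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"',
        '203.0.113.5 - - [22/Oct/2011:20:20:59 +0330] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
        '198.51.100.7 - - [22/Oct/2011:20:21:30 +0330] "GET /images/.cache.php?x=1 HTTP/1.1" 200 40 "-" "Mozilla/4.0"',
    ],
    "example.org": [
        '192.0.2.44 - - [22/Oct/2011:14:02:10 +0330] "POST /contact.php HTTP/1.1" 302 0 "http://example.org/contact.php" "Mozilla/5.0"',
        '192.0.2.44 - - [22/Oct/2011:14:02:11 +0330] "GET /thanks.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    ],
}


def message_accepted_at(received_date):
    """Turn the date from a queued message's Received header into a datetime."""
    return parsedate_to_datetime(received_date)


def parse_log_line(domain, line):
    """Return the fields an investigation needs, or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "domain": domain,
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],   # drop the query string
        "status": int(m.group("status")),
    }


def post_requests(domlogs):
    """Every POST across all domains, oldest first."""
    hits = []
    for domain, lines in domlogs.items():
        for line in lines:
            rec = parse_log_line(domain, line)
            if rec and rec["method"] == "POST":
                hits.append(rec)
    return sorted(hits, key=lambda r: r["ts"])


def posts_near(domlogs, accepted_at, window=timedelta(seconds=120)):
    """POSTs within `window` of the moment Exim accepted the message; a
    script that sends mail on each request shows up right before it."""
    return [r for r in post_requests(domlogs) if abs(r["ts"] - accepted_at) <= window]


def post_targets(domlogs):
    """(domain, path) -> number of POSTs, to spot files that only ever
    receive POSTs, especially under upload or image directories."""
    return Counter((r["domain"], r["path"]) for r in post_requests(domlogs))


if __name__ == "__main__":
    accepted = message_accepted_at("Sat, 22 Oct 2011 20:21:01 +0330")
    for r in posts_near(DOMLOGS, accepted):
        print(r["ts"].isoformat(), r["domain"], r["ip"], r["path"], r["status"])
    print(post_targets(DOMLOGS).most_common())
```

The time correlation only works for scripts that send mail synchronously with the request that triggers them; for a script that queues mail from cron or a background process, the `post_targets` count and the owner of the file are the better lead. Note that for the message posted in this thread the Received header shows it arriving over SMTP from a remote address, so no domlog entry on this server would correspond to it.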
     
  3. minosjl

    minosjl Well-Known Member

    Joined:
    Jun 4, 2011
    Messages:
    168
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Also, please check if the sender and receiving mails are not hosted on your machine; open relay is allowed by your cPanel Exim SMTP server.
     
  4. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Open relay is not allowed by the cPanel Exim SMTP server at all, only sending and receiving via localhost on the machine. POP3-before-SMTP login allows relaying, which requires logging into POP3 prior to sending an SMTP message, which then can be relayed.

    Please do not spread false information.
     
  6. minosjl

    minosjl Well-Known Member

    Joined:
    Jun 4, 2011
    Messages:
    168
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    India
    cPanel Access Level:
    Root Administrator
    In the above comment I mean that relaying is supported by cPanel using the antirelayd daemon, not by default. Sorry for the confusion :)
     