The Community Forums


Troubleshooting E-mail issues with Exim??

Discussion in 'General Discussion' started by carock, Mar 30, 2004.

  1. carock

    carock Well-Known Member


    I know how to tell a lot of things that happen to messages with Sendmail, but I have no clue how to figure out what happens to mail with Exim.

    I'm looking for some pointers...

    I have a LOT of stupid E-mails sitting in my queue stating they are from security@paypal.com.

    I have not been able to find out where they are coming from by looking at my exim_mainlog. I opened the header for one, and there's no IP info from the sending host...

    Where do I find out how these messages came to my box?

    exim_paniclog:
    2004-03-30 22:47:23 1B8XdL-000467-RF Rewrite of nobody@cpanel1.betterbox.net yielded unparseable address: malformed address: <security@paypal.com> may not follow security@paypal.com in address security@paypal.com <security@paypal.com>

    exim_mainlog:
    2004-03-30 22:47:23 1B8XdL-000467-RF Rewrite of nobody@cpanel1.betterbox.net yielded unparseable address: malformed address: <security@paypal.com> may not follow security@paypal.com in address security@paypal.com <security@paypal.com>
    2004-03-30 22:47:25 1B8XdL-000467-RF <= nobody@cpanel1.betterbox.net U=nobody P=local S=2571
    2004-03-30 22:47:26 1B8XdL-000467-RF => peedy99@hotmail.com R=lookuphost T=remote_smtp H=mx4.hotmail.com [65.54.190.230]
    2004-03-30 22:47:27 1B8XdL-000467-RF Completed

    The yahoo stuff appears to be the destination, not the origination.

    This is what's in a header file from /var/spool/exim/input

    1B7aNr-0007eJ-PW-H
    nobody 99 99
    <nobody@cpanel1.betterbox.net>
    1080480687 0
    -ident nobody
    -received_protocol local
    -body_linecount 65
    -auth_id nobody
    -auth_sender nobody@cpanel1.betterbox.net
    -local
    XX
    1
    checkmate1@unitedstates.com

    157P Received: from nobody by cpanel1.betterbox.net with local (Exim 4.24)
    id 1B7aNr-0007eJ-PW
    for checkmate1@unitedstates.com; Sun, 28 Mar 2004 07:31:27 -0600
    032T To: checkmate1@unitedstates.com
    032 Subject: Paypal account limited
    048F From: security@paypal.com <security@paypal.com>
    030R Reply-To: security@paypal.com
    018 MIME-Version: 1.0
    024 Content-Type: text/html
    032 Content-Transfer-Encoding: 8bit
    054I Message-Id: <E1B7aNr-0007eJ-PW@cpanel1.betterbox.net>
    038 Date: Sun, 28 Mar 2004 07:31:27 -0600

    I got nothing. And it looks like someone has found a way to relay through my box on top of it...

    Any Exim brains out there to help me?

    Thanks,
    Chuck
     
    #1 carock, Mar 30, 2004
    Last edited: Mar 30, 2004
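The -H spool file quoted in the post already answers the question of how the message got in, if you read the envelope part rather than the headers: the login is `nobody`, the received protocol is `local`, there is no `-host_address` line, and the envelope sender is `nobody@cpanel1.betterbox.net`, so a process running as the web-server user handed the message to Exim locally. Only the `From:` header says paypal.com. The following parser is an added example written for this page, not code from the thread or from Exim; the sample is adapted from the quoted file, with the tab indentation of folded header lines and the space in the flag column restored, since the forum rendering flattened both. The `WEB_USERS` set is an assumption about which accounts web scripts typically run as.

```python
import re

# Constructed sample adapted from the -H spool file quoted above. Exim writes
# continuation lines of a header with a leading tab and puts a space in the
# flag column for ordinary headers; the forum rendering had flattened both.
SAMPLE_H = """\
1B7aNr-0007eJ-PW-H
nobody 99 99
<nobody@cpanel1.betterbox.net>
1080480687 0
-ident nobody
-received_protocol local
-body_linecount 65
-auth_id nobody
-auth_sender nobody@cpanel1.betterbox.net
-local
XX
1
checkmate1@unitedstates.com

157P Received: from nobody by cpanel1.betterbox.net with local (Exim 4.24)
\tid 1B7aNr-0007eJ-PW
\tfor checkmate1@unitedstates.com; Sun, 28 Mar 2004 07:31:27 -0600
032T To: checkmate1@unitedstates.com
032  Subject: Paypal account limited
048F From: security@paypal.com <security@paypal.com>
030R Reply-To: security@paypal.com
018  MIME-Version: 1.0
024  Content-Type: text/html
032  Content-Transfer-Encoding: 8bit
054I Message-Id: <E1B7aNr-0007eJ-PW@cpanel1.betterbox.net>
038  Date: Sun, 28 Mar 2004 07:31:27 -0600
"""

# "NNN" is the header length in bytes; the next character is Exim's flag
# (P=Received, T=To, F=From, R=Reply-To, I=Message-Id, space=other header).
HEADER_RE = re.compile(r"^(\d{3})(.) (.*)$")

# Assumption: the unix users that web scripts run as without suexec.
WEB_USERS = {"nobody", "apache", "www-data"}


def parse_spool_header(text):
    """Parse an Exim 4 -H spool file into envelope, options and header lines."""
    lines = text.splitlines()
    info = {"message_id": lines[0][:-2]}          # strip the trailing "-H"
    login, uid, gid = lines[1].split()
    info.update(login=login, uid=int(uid), gid=int(gid))
    info["envelope_sender"] = lines[2].strip("<>")
    info["received_at"] = int(lines[3].split()[0])
    options, i = {}, 4
    while lines[i].startswith("-"):               # "-name value" or a bare "-flag"
        name, _, value = lines[i][1:].partition(" ")
        options[name] = value or True
        i += 1
    info["options"] = options
    while not lines[i].isdigit():                 # skip the non-recipients tree ("XX" = empty)
        i += 1
    count = int(lines[i])
    i += 1
    info["recipients"] = [lines[i + k].split()[0] for k in range(count)]
    i += count
    headers = []
    for line in lines[i:]:
        m = HEADER_RE.match(line)
        if m:
            name, _, value = m.group(3).partition(":")
            headers.append({"flag": m.group(2), "name": name, "value": value.strip()})
        elif line[:1] in ("\t", " ") and headers: # folded continuation of the previous header
            headers[-1]["value"] += " " + line.strip()
    info["headers"] = headers
    return info


def header(info, name):
    """First header with the given name, folded lines already joined."""
    for h in info["headers"]:
        if h["name"].lower() == name.lower():
            return h["value"]
    return None


def classify_origin(info):
    """How the message entered the queue, judged from the envelope, not the headers.

    An SMTP submission carries -host_address; P=local with a web-server
    login means a script on this box handed the message to Exim."""
    opts = info["options"]
    if "host_address" in opts:
        return "smtp from " + opts["host_address"]
    if opts.get("received_protocol") == "local" and info["login"] in WEB_USERS:
        return "web-script as " + info["login"]
    return "local user " + info["login"]
```

`classify_origin(parse_spool_header(SAMPLE_H))` returns `web-script as nobody` for the quoted file, which is the real lead: the `From:` and `Reply-To:` headers are whatever the script wrote, but the login, uid and protocol in the first lines of the spool file come from Exim itself and cannot be forged by the sender.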
  2. carock

    carock Well-Known Member

    Do you guys think this has anything to do with the Cpanel vulnerability posted on Security Focus?

    http://www.securityfocus.com/bid/9965

    I've been looking for ways to send these messages all day through this box, and I can't find it. I've been checking all those cgi mail alerts I get when people post web scripts to send E-mail, and I've found nothing.

    Chuck
    :confused:
     
  3. carock

    carock Well-Known Member

    Found them!!!

    I found them. Some jerks used our automated system with hacked Paypal accounts to create a web site, and uploaded their emailer.php file and a text file to send out thousands of those messages.

    Fortunately they weren't using our sites to collect the poor dumb Paypal users that actually clicked on the links in the E-mail.

    We contacted the ISP that hosted the collection site, but they simply asked that we send them an E-mail. Didn't seem very concerned that a web site they were hosting was actively being used for identity theft.... Some people... :confused:

    I would still like some more information on basic message tracking with Exim if anyone can point us to a how to or something better.

    Thanks,
    Chuck
     
  4. cyberwisdom

    cyberwisdom Well-Known Member

    We get some guys using the exact script emailer.php a few times a week (idiots :mad: ). They try to do the same exact thing by scamming paypal users. I don't know why they keep coming back they are usually taken down within a few minutes of signing up.

    There are several ways we track them down.

    The quickest and simplest way is to log in via SSH and run the following command:
    Code:
    tail -f /var/log/exim_mainlog
    If you see a lot of emails being sent out constantly with this, then more than likely it's spam. Also, make sure (if possible) that you run phpsuexec so that Exim will tell you who is spamming with the PHP script.

    The more complex way is to install a spam monitor and make some configurations to your exim settings.

    This is a good one we use:
    http://www.home-port.net/Mail-Watch/
    It's opensource and works great. It will alert you if it suspects any spam.
     
  5. woolly

    woolly Active Member

    i have the same problem.

    Some person used a stolen PayPal account and is sending shitloads of PayPal spam emails.
     
  6. VirtuaLira

    VirtuaLira Well-Known Member

    -How to Stop the Spamming Virus Email?-

    MEE TOO!!!

    I have a serious problem with this issue. My internal SMTP server is always sending email to users and domains (not necessarily hosted on my server) with the subject HI, and others, with virus files attached. I really don't know what to do. The email names don't even exist in my account/server: I only have 2 emails (info@domain.com and tech@domain.com), and the emails going out and coming in are using jeff@domain.com or other names...

    And I have the same problem with the PAYPAL too... uffff...

    WHAT CAN I DO?????

    ANY IDEA?
     
  7. wimp

    wimp Well-Known Member

    Same problem here. However, it has nothing to do with PayPal; a spammer is using the SMTP server. Is there any way to disable the SMTP server for one domain or, if necessary, on the whole server?? I already use SMTP Tweak in WHM but this does not solve the problem.

    Thanks a lot
     
  8. wimp

    wimp Well-Known Member

    I also have tons of this in my exim_mainlog:
    -----------------
    2004-04-29 17:22:50 H=(domain.com) [193.111.111.111] sender verify fail for <mail-daemon@domain.com>:
    2004-04-29 17:22:50 H=(domain.com) [193.111.111.111] F=<mail-daemon@domain.com> rejected RCPT <mail-daemon@domain.com>: Sender verify failed....
    ----------------

    But what does that do? Is it sending e-mails or rejecting incoming e-mails?


    Thanks
     
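The three log questions in this thread (post #1: how did message 1B8XdL-000467-RF get onto the box; post #4: watching exim_mainlog for a flood of outgoing mail and, under phpsuexec, reading the account name from it; post #8: what a "rejected RCPT ... Sender verify failed" line means) all come down to reading the same four kinds of mainlog line. Exim keys everything on the message id: the `<=` line records how a message arrived (`P=local U=user` for a local process such as a web script, or `H=host [ip] P=esmtp` for a network submission), `=>` lines record each delivery, `Completed` closes the message, and a `rejected RCPT` line without any message id is Exim refusing an incoming message at the RCPT stage, in this case because the sender address could not be verified. Nothing is sent by such a line. The parser below is an added example for this page, not code from the thread or from Exim's own exigrep. The sample log is constructed: the 1B8XdL lines and the two sender-verify lines are adapted from the thread; the other message ids, the example.com addresses, the 192.0.2.10 host and the `localuser`/`local_delivery` router and transport names are made up to show a burst of local submissions next to a normal SMTP arrival.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed exim_mainlog excerpt. The 1B8XdL message and the two sender-verify
# lines are adapted from this thread; the other message ids, example.com
# addresses, 192.0.2.10 and the localuser/local_delivery names are made up.
SAMPLE_LOG = """\
2004-03-30 22:47:23 1B8XdL-000467-RF Rewrite of nobody@cpanel1.betterbox.net yielded unparseable address: malformed address: <security@paypal.com> may not follow security@paypal.com in address security@paypal.com <security@paypal.com>
2004-03-30 22:47:25 1B8XdL-000467-RF <= nobody@cpanel1.betterbox.net U=nobody P=local S=2571
2004-03-30 22:47:26 1B8XdL-000467-RF => peedy99@hotmail.com R=lookuphost T=remote_smtp H=mx4.hotmail.com [65.54.190.230]
2004-03-30 22:47:27 1B8XdL-000467-RF Completed
2004-03-30 22:47:28 1B8XdQ-00046B-1a <= nobody@cpanel1.betterbox.net U=nobody P=local S=2570
2004-03-30 22:47:29 1B8XdR-00046C-2b <= nobody@cpanel1.betterbox.net U=nobody P=local S=2569
2004-03-30 22:47:30 1B8XdS-00046D-3c <= nobody@cpanel1.betterbox.net U=nobody P=local S=2572
2004-03-30 22:47:31 1B8XdT-00046E-4d <= nobody@cpanel1.betterbox.net U=nobody P=local S=2571
2004-03-30 22:48:02 1B8XdU-00046F-5e <= alice@example.com H=(mail.example.com) [192.0.2.10] P=esmtp S=1400
2004-03-30 22:48:03 1B8XdU-00046F-5e => bob@cpanel1.betterbox.net R=localuser T=local_delivery
2004-03-30 22:48:03 1B8XdU-00046F-5e Completed
2004-04-29 17:22:50 H=(domain.com) [193.111.111.111] sender verify fail for <mail-daemon@domain.com>:
2004-04-29 17:22:50 H=(domain.com) [193.111.111.111] F=<mail-daemon@domain.com> rejected RCPT <mail-daemon@domain.com>: Sender verify failed
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"
MSG_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) ([A-Za-z0-9]{6}-[A-Za-z0-9]{6}-[A-Za-z0-9]{2}) (.*)$")
NOID_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$")
KV_RE = re.compile(r"(?:^|\s)([A-Z])=(\S+)")   # U=, P=, H=, R=, T=, F=, S=, ...
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def parse_line(line):
    """One mainlog line -> dict with time, message id (if any), kind and X= fields."""
    m = MSG_RE.match(line)
    if m:
        when, msgid, rest = m.groups()
    else:
        m = NOID_RE.match(line)                   # lines rejected before a message id exists
        if not m:
            return None
        (when, rest), msgid = m.groups(), None
    ev = {"time": datetime.strptime(when, TS_FMT), "id": msgid, "raw": rest}
    ev.update(KV_RE.findall(rest))
    ip = IP_RE.search(rest)
    ev["ip"] = ip.group(1) if ip else None
    if rest.startswith("<= "):
        ev["kind"], ev["sender"] = "arrival", rest.split()[1]
    elif rest.startswith("=> "):
        ev["kind"], ev["recipient"] = "delivery", rest.split()[1]
    elif rest == "Completed":
        ev["kind"] = "completed"
    elif " rejected RCPT " in rest:
        ev["kind"] = "reject"
    else:
        ev["kind"] = "other"
    return ev


def events(log):
    return [e for e in map(parse_line, log.splitlines()) if e]


def track(log, msgid):
    """Every line for one message id: '<=' says how it got in, '=>' where it went."""
    return [e for e in events(log) if e["id"] == msgid]


def origin(log, msgid):
    """('local', unix user) for a message handed in by a local process such as a
    web script, ('smtp', ip) for one that arrived over the network, else None."""
    for e in track(log, msgid):
        if e["kind"] == "arrival":
            if e.get("P") == "local":
                return ("local", e.get("U"))
            return ("smtp", e["ip"])
    return None


def local_submission_bursts(log, window=60, threshold=3):
    """Unix users with more than `threshold` local submissions inside any `window`
    seconds. Under phpsuexec U= is the account owner; without it, just nobody."""
    times = defaultdict(list)
    for e in events(log):
        if e["kind"] == "arrival" and e.get("P") == "local":
            times[e.get("U", "?")].append(e["time"])
    peaks = {}
    for user, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):                # sliding window over sorted arrival times
            while (ts[end] - ts[start]).total_seconds() > window:
                start += 1
            peaks[user] = max(peaks.get(user, 0), end - start + 1)
    return {u: n for u, n in peaks.items() if n > threshold}


def sender_verify_rejects(log):
    """Incoming RCPT commands Exim refused because the sender did not verify,
    counted by connecting IP. These are rejections of inbound mail, not sends."""
    c = Counter()
    for e in events(log):
        if e["kind"] == "reject" and "Sender verify failed" in e["raw"]:
            c[e["ip"]] += 1
    return c
```

On the sample, `origin(SAMPLE_LOG, "1B8XdL-000467-RF")` is `("local", "nobody")`, which is the same conclusion the spool file gave: a local process running as the web-server user, not a relay from outside. `local_submission_bursts` flags `nobody` with five submissions in under ten seconds, which is what `tail -f` shows by eye during a run of emailer.php; with phpsuexec in place the same field would name the account that uploaded the script. Pointing the functions at a real log is a matter of `open("/var/log/exim_mainlog").read()` in place of `SAMPLE_LOG`.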
  9. wimp

    wimp Well-Known Member

    There is a way to disable Exim (the SMTP server), but it seems it disables the POP3 server too and no e-mails come in..
     
  10. Edizon

    Edizon Well-Known Member

    I am also getting hammered with tons of pif files and spam being sent. My server is sending and receiving mail at around 5k a day. Is this normal?
     
  11. jamesbond

    jamesbond Well-Known Member

    Nice!
     
