The Community Forums


Trying to find out a spammer

Discussion in 'General Discussion' started by thewebhosting, Jun 2, 2009.

  1. thewebhosting

    thewebhosting Well-Known Member

    Joined:
    May 9, 2008
    Messages:
    1,201
    Likes Received:
    1
    Trophy Points:
    38
    I have received a spam complaint from SpamCop and am trying to find out the exact domain which is sending spam messages from my server.

    From the logs I have found that the spammer is using remote SMTP authentication to send spam emails. I have tried to find the exact domain name in the Exim mainlog located at /var/log/exim_mainlog, but I could not find any.

    It seems that the messages were sent out through a PHP script. Can anybody tell me where else I need to check to find logs?

    I have also tried to find out from the Apache logs but did not find anything there either.

    Thanks!
     
  2. chinmay

    chinmay Well-Known Member

    Joined:
    Jul 22, 2008
    Messages:
    101
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    localhost
    Hi there,

    The logs will be in the file "/var/log/exim_mainlog" itself. If it is using SMTP authentication, the emails will be sent with the from address specified. If it is not using remote SMTP authentication, the emails will be sent with the ID cPanel_username@server_hostname.com (which is easier to check).

    Not sure, but if the emails are being sent from the remote server, the mail logs will be on the remote server itself, which should not block your server's IP at SpamCop. Is it possible to provide the logs SpamCop has provided?

    Also, you can limit the emails sent per domain at Main >> Server Configuration >> Tweak Settings, under "The maximum each domain can send out per hour (0 is unlimited)". You can set the limit there.

    Hope this helps you to investigate further.
     
  3. thewebhosting

    thewebhosting Well-Known Member

    Joined:
    May 9, 2008
    Messages:
    1,201
    Likes Received:
    1
    Trophy Points:
    38
    Thanks for the reply!

    As I have mentioned earlier, emails were sent out using remote SMTP authentication. I have already set the limit of sending 60 emails per hour from a domain.

    I have also disabled the nobody user from sending out emails from my server. My server requires SMTP authentication to send emails. Emails were sent out from a PHP script. It seems that one of the email accounts from a particular user account on my server has been hacked and used to send spam emails.

    Can you tell me where else I can check the logs to find out an exact domain or user account on my server?
     
  4. chinmay

    chinmay Well-Known Member

    Joined:
    Jul 22, 2008
    Messages:
    101
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    localhost
    If you are sure about the username on the server under which the email account is created, you can grep the username in the /etc/domainusers or /etc/userdomains file:

    root@server [~]# grep cPanel-username /etc/domainusers
    OR
    root@server [~]# grep cPanel-username /etc/userdomains

    Note: Replace cPanel-username with the actual cPanel username.

    Let me know if this is what you were looking for...
     
  5. thewebhosting

    thewebhosting Well-Known Member

    Joined:
    May 9, 2008
    Messages:
    1,201
    Likes Received:
    1
    Trophy Points:
    38
    That is exactly what I am trying to figure out. I am trying to find out the user name on the server from which the spam messages were sent out.
     
  6. chinmay

    chinmay Well-Known Member

    Joined:
    Jul 22, 2008
    Messages:
    101
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    localhost
    Well, you will need to look at the logs and grep them for the username, check the mail queue, and check who is spamming from the server.
     
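    The grep-and-count work described in the replies above (identify the authenticated login or local user behind the "<=" arrival lines in /var/log/exim_mainlog, then look the domain up in /etc/userdomains) can be scripted. The following POSIX shell script is an added example written for this thread, not code posted by any participant or shipped by cPanel. The log excerpt, the userdomains mapping and the account names are constructed sample data, and the authenticator name "dovecot_login" in the A= field is an assumption about the server; on a real server the sample would be replaced by the actual log file.

    ```shell
    #!/bin/sh
    # Added example: attribute outgoing mail in the Exim main log to an
    # authenticated login, or to the local Unix user that ran a script, and
    # map the login's domain to its cPanel account. All sample data below is
    # constructed; the authenticator name "dovecot_login" is an assumption.

    # Constructed excerpt of /var/log/exim_mainlog. "<=" lines record message
    # arrival: A= is the SMTP-AUTH login used, H= and [...] the submitting
    # host, P=esmtpa marks authenticated SMTP, and P=local with U= marks a
    # script or command-line submission by that Unix user.
    EXIM_LOG_SAMPLE='2009-06-02 10:15:01 1MBaaa-0001aB-Cd <= alice@example.com H=(pc) [203.0.113.5] P=esmtpa A=dovecot_login:alice@example.com S=1234 id=1@pc
    2009-06-02 10:15:03 1MBaaa-0001aC-Ef <= promo@example.org H=(zz) [198.51.100.9] P=esmtpa A=dovecot_login:info@example.org S=9876 id=2@zz
    2009-06-02 10:15:04 1MBaaa-0001aD-Gh <= promo@example.org H=(zz) [198.51.100.9] P=esmtpa A=dovecot_login:info@example.org S=9870 id=3@zz
    2009-06-02 10:15:05 1MBaaa-0001aE-Ij <= promo@example.org H=(zz) [198.51.100.9] P=esmtpa A=dovecot_login:info@example.org S=9871 id=4@zz
    2009-06-02 10:15:06 1MBaaa-0001aF-Kl <= bob@example.net U=bobuser P=local S=2048 id=5@server'

    # Constructed excerpt of /etc/userdomains ("domain: cpaneluser" per line).
    USERDOMAINS_SAMPLE='example.com: alicesite
    example.org: acmecorp
    example.net: bobuser'

    # Messages per authenticated login (A= field), busiest first.
    # Output lines look like "      3 info@example.org".
    auth_sender_counts() {
        printf '%s\n' "$EXIM_LOG_SAMPLE" \
            | grep ' <= ' \
            | sed -n 's/.* A=[^:]*:\([^ ]*\).*/\1/p' \
            | sort | uniq -c | sort -rn
    }

    # Messages per local Unix user for script submissions (P=local, U= field).
    local_sender_counts() {
        printf '%s\n' "$EXIM_LOG_SAMPLE" \
            | grep ' <= ' | grep ' P=local ' \
            | sed -n 's/.* U=\([^ ]*\).*/\1/p' \
            | sort | uniq -c | sort -rn
    }

    # The single busiest authenticated login.
    top_auth_sender() {
        auth_sender_counts | head -n 1 | awk '{ print $2 }'
    }

    # cPanel account owning the domain of a login: the same lookup that
    # "grep example.org /etc/userdomains" performs on a live server.
    owner_of_login() {
        domain=${1#*@}
        printf '%s\n' "$USERDOMAINS_SAMPLE" \
            | awk -v d="$domain" -F': ' '$1 == d { print $2 }'
    }

    # Report: the login and account to investigate first, plus script senders.
    report() {
        top=$(top_auth_sender)
        echo "busiest authenticated login: $top"
        echo "cPanel account owning it:    $(owner_of_login "$top")"
        echo "script (P=local) senders:"
        local_sender_counts
    }

    report
    ```

    On a live server the two printf lines would become "grep ' <= ' /var/log/exim_mainlog" and "cat /etc/userdomains". Counting by the A= field is what separates a compromised mailbox password (one login, many messages, often from one remote IP) from a script on the server itself (P=local with a U= user), which is the distinction the thread keeps circling around.
    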
  7. thewebhosting

    thewebhosting Well-Known Member

    Joined:
    May 9, 2008
    Messages:
    1,201
    Likes Received:
    1
    Trophy Points:
    38
    You are not getting me. I have already checked the mail logs and could not find anything. The emails were sent out from a script. Is there any other place where I should look to track down the exact domain or user doing this?
     
  8. crazyaboutlinux

    crazyaboutlinux Well-Known Member

    Joined:
    Nov 3, 2007
    Messages:
    938
    Likes Received:
    0
    Trophy Points:
    16
    Find these scripts using locate hnc.cgi and locate dm.cgi; these are spamming scripts.
     
  9. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,279
    Likes Received:
    8
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    You seem to imply in this thread that the spammer sent mails without using your SMTP server. I recommend enabling the SMTP tweak to force users to use your SMTP server when sending mail from your server. This can be enabled in WHM -> Security -> Security Center -> SMTP Tweak. You may also consider enabling other security settings in the Security Center if you feel they are appropriate.
     
  10. thewebhosting

    thewebhosting Well-Known Member

    Joined:
    May 9, 2008
    Messages:
    1,201
    Likes Received:
    1
    Trophy Points:
    38
    Thanks. SMTP authentication is already enabled on my server. Can you tell me after how many days the mail server logs will be overwritten? How and from where can I change these settings?
     
  11. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,279
    Likes Received:
    8
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    I wasn't referring to SMTP authentication - I was referring to the SMTP Tweak. SMTP authentication deals with legitimate users using your SMTP server (Exim). The SMTP Tweak blocks users from using your server to send mail by means of an uploaded script that acts as a mail server to avoid/bypass sending mail through your mail server.

    Let me get back to you on the mail server logs question.
     
  12. acidstudioz

    acidstudioz Active Member

    Joined:
    Feb 13, 2006
    Messages:
    38
    Likes Received:
    0
    Trophy Points:
    6
    Hey, I'm having the same problem. I used a few Exim commands and the headers of the message just say it is coming from 127.0.0.1, which is annoying, and like you, nobody understands me. But I realized I had turned off SMTP Tweak for a day and this happened, so I turned it back on. I still want to find out who did it, so if you get any info on how to find out, let me know.

    @cPanelDavidG

    Does the tweak stop Roundcube mail from working?

    And this doesn't stop my clients from using Outlook etc correct?
     
    #12 acidstudioz, Jun 5, 2009
    Last edited: Jun 5, 2009
  13. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,279
    Likes Received:
    8
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    SMTP tweak does not affect anything that uses *your* SMTP server such as Roundcube, Horde, Squirrelmail and authenticated POP and SMTP users.

    The SMTP tweak prevents scripts from bypassing your SMTP server to send spam from your server's IP.
     
  14. acidstudioz

    acidstudioz Active Member

    Joined:
    Feb 13, 2006
    Messages:
    38
    Likes Received:
    0
    Trophy Points:
    6
    Ok great thanks.
     
  15. thewebhosting

    thewebhosting Well-Known Member

    Joined:
    May 9, 2008
    Messages:
    1,201
    Likes Received:
    1
    Trophy Points:
    38
    SMTP tweak is disabled on our shared server. If I enable it will the legitimate users also not be able to send legitimate emails through their scripts?
     
  16. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,279
    Likes Received:
    8
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    Enabling the SMTP Tweak will allow your legitimate users to continue to send legitimate emails through their scripts, with the script sending the mail through your SMTP server.
     