
Urgent! How to Block Spamming?

Discussion in 'General Discussion' started by 4402734, Aug 29, 2006.

  1. 4402734

    4402734 Active Member

    Hello,
    one of my clients is using my server to send out spam!
    I don't know who it is; he is using the user nobody to send emails.
    How can I find it? How can I block it? Any good idea to stop spamming?

    Thank you for responding.
     
  2. mohit

    mohit Well-Known Member

    Hi,
    there are a lot of threads on this issue on this forum already; do a search and it will help you find the culprit.

    see ya,
    mohit
     
  3. eger

    eger Well-Known Member

    Having recently had a spam issue on one of my servers, I can offer a couple of quick things you can check that can help locate the problem.

    First is to run suexec and phpsuexec respectively... though this WILL cause problems if you have a large user base on the server using PHP scripts already in place, and it will break scripts with incorrect permissions, .htaccess files setting php_values, and some other PHP stuff that is not allowed in phpsuexec.

    Second is grepping through the logs at /usr/local/apache/domlogs for the domains (or the single domain if using suexec) for lines with 'POST' instead of 'GET'. Most of my spam-related problems are because of insecure CGI or PHP scripts to which information is sent by HTTP POST instead of the usual HTTP GET. This is usually because the script does not sanitize the subject or email, which allows people to add extra lines (such as BCC: in the header).
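
The domlogs check described in the post above, as an added example that is not part of eger's post: instead of only grepping for POST lines, it counts POSTs and distinct client IPs per script across every per-domain log. It assumes combined-format logs with one file per domain; the function names `post_hits` and `demo_domlogs`, the domains and the log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): rank scripts by POST volume in
# per-domain Apache logs such as those under /usr/local/apache/domlogs.
# Assumption: common/combined log format, one log file per domain.

# post_hits DIR -> "<posts> <distinct client IPs> <domain> <path>", busiest first
post_hits() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        # Field 6 is the quoted method ("POST), field 7 the request path.
        awk -v dom="$(basename "$f")" '
            $6 == "\"POST" {
                sub(/\?.*/, "", $7)             # drop the query string
                n[$7]++
                if (!seen[$7, $1]++) ips[$7]++  # count each client IP once
            }
            END { for (p in n) print n[p], ips[p], dom, p }' "$f"
    done | LC_ALL=C sort -k1,1nr -k3,4
}

# demo_domlogs: constructed sample logs (documentation IP ranges, made-up domains)
demo_domlogs() {
    d=$(mktemp -d) || return 1
    cat > "$d/example.com" <<'EOF'
192.0.2.10 - - [29/Aug/2006:10:00:01 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [29/Aug/2006:10:00:02 -0500] "POST /contact.php HTTP/1.0" 200 312 "-" "-"
198.51.100.7 - - [29/Aug/2006:10:00:03 -0500] "POST /contact.php?x=1 HTTP/1.0" 200 312 "-" "-"
203.0.113.5 - - [29/Aug/2006:10:00:04 -0500] "POST /contact.php HTTP/1.0" 200 312 "-" "-"
EOF
    cat > "$d/shop.example.net" <<'EOF'
192.0.2.44 - - [29/Aug/2006:10:01:00 -0500] "POST /cart/checkout.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
192.0.2.44 - - [29/Aug/2006:10:01:09 -0500] "GET /cart/thanks.php HTTP/1.1" 200 900 "-" "Mozilla/4.0"
EOF
    post_hits "$d"
    rm -rf "$d"
}

demo_domlogs
```

On a live server the call would be `post_hits /usr/local/apache/domlogs`; a mail form at the top of the list with far more POSTs than the site has visitors is the script to read first.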
     
  4. konrath

    konrath Well-Known Member

  5. NightStorm

    NightStorm Well-Known Member

    Quick and easy fix:
    Compile Apache with phpSuExec.
    Go to "Tweak Settings" in WHM and enable this:
    This will stop them from sending out mail as "nobody". Also enable the extended Exim logging, and lock down how many emails per hour can be sent from a domain. With that setting, you'll very likely catch one of the mails in the queue, and have a full copy of the headers at your disposal.
     
  6. 4402734

    4402734 Active Member

    Where can I find this information?
    I meant:
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - servername Your servers hostname
    X-AntiAbuse: Original Domain - domain The domain sending mail
    X-AntiAbuse: Originator/Caller UID/GID - userid / groupid The User ID and Group ID (In number form)
    X-AntiAbuse: Sender Address Domain - servername Your server hostname again
    X-Source: /usr/bin/php What program was used to send the mail... php, cgi, etc
    X-Source-Args: /usr/bin/php filename.php This is the important part... what file specifically was the mail sent from? This will include the program that sent it
    X-Source-Dir: domain:/public_html/directory The full path to the above filename
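
Once messages have been caught with the headers listed above, they can be tallied by sending script. This is an added example, not part of the thread: the input layout (plain header blocks, one per message, separated by a blank line), the function names `source_tally` and `demo_headers`, and all sample values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): tally caught messages by the script
# that sent them, using the X-AntiAbuse / X-Source headers listed above.
# Assumption: stdin holds plain header blocks, blank line between messages.

# source_tally: stdin -> "<count>\t<uid / gid>\t<X-Source-Dir>\t<X-Source-Args>"
source_tally() {
    awk '
        function endmsg() {
            if (!inmsg) return
            # Missing values are the interesting case: mail with no source info
            if (uid == "")  uid  = "(no uid/gid)"
            if (dir == "")  dir  = "(no X-Source-Dir)"
            if (args == "") args = "(no X-Source-Args)"
            n[uid "\t" dir "\t" args]++
            uid = dir = args = ""; inmsg = 0
        }
        /^[ \t]*$/ { endmsg(); next }
        { inmsg = 1 }
        /^X-AntiAbuse: Originator\/Caller UID\/GID - / { sub(/^.* - /, ""); uid = $0; next }
        /^X-Source-Dir:/  { sub(/^[^:]*:[ \t]*/, ""); dir = $0; next }
        /^X-Source-Args:/ { sub(/^[^:]*:[ \t]*/, ""); args = $0; next }
        END { endmsg(); for (k in n) print n[k] "\t" k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# demo_headers: three constructed messages; the third has empty X-Source fields
demo_headers() {
    source_tally <<'EOF'
Subject: constructed sample 1
X-AntiAbuse: Primary Hostname - host.example.com
X-AntiAbuse: Originator/Caller UID/GID - 32010 / 32011
X-Source: /usr/bin/php
X-Source-Args: /usr/bin/php sendform.php
X-Source-Dir: example.com:/public_html/forum

Subject: constructed sample 2
X-AntiAbuse: Originator/Caller UID/GID - 32010 / 32011
X-Source-Args: /usr/bin/php sendform.php
X-Source-Dir: example.com:/public_html/forum

Subject: constructed sample 3
X-AntiAbuse: Originator/Caller UID/GID - 99 / 99
X-Source-Args:
X-Source-Dir:
EOF
}

demo_headers
```

The numeric UID in the second column can be mapped to an account with `getent passwd <uid>`.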
     
  7. NightStorm

    NightStorm Well-Known Member

    WHM -> Server Configuration -> Tweak Settings
    Scroll down to the mail section. Put a check mark next to
    While you're in there, tick these ones too
    and use this one
    I have mine set to 60. If you are expecting some high valid mail load, you can set it higher... but I found 60 to be a decent ballpark figure. And make sure that this is set to "Fail"
    That should be a good start for you. But make sure you don't forget the extended Exim logging.

    *disclaimer* The above will NOT guarantee that the spam messages will stop. This will simply give you more to work with than what you have now. Your top priority should be to properly secure the server, and tune your php to run under phpSuExec (which can be done by recompiling Apache through WHM), and assure that you have a decent set of mod_security rules in place to help combat php exploits and cross-scripting URL hacks. Might want to also check that you have /tmp secured to prevent a lot of upload-and-hack exploits that run through php and perl. Not all, mind you... but some.
     
    #7 NightStorm, Aug 30, 2006
    Last edited: Aug 30, 2006
  8. 4402734

    4402734 Active Member

    I tried to compile my apache with phpsuexec but got this error
     
  9. 4402734

    4402734 Active Member

    Internal Server Error
    The server encountered an internal error or misconfiguration and was unable to complete your request.
    Please contact the server administrator, webmaster@mydomain.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.

    More information about this error may be available in the server error log.


    Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.


    --------------------------------------------------------------------------------

    Apache/1.3.37 Server at www.mydomain.com Port 80
     
  10. NightStorm

    NightStorm Well-Known Member

    There's a bug in the php 4.4.4 with phpSuExec enabled. Use 4.4.3 instead.
    Also, make sure that all the files are owned properly, and that no folders or files are chmod 777 (use 755 instead, as they will be owned and written to by the same user).
     
  11. lloyd_tennison

    lloyd_tennison Well-Known Member

    Blackhole is wrong. There are numerous threads explaining why. See Chirpy's site for the best one at: http://configserver.com/free/fail.html

    Use fail.

    Also look at chirpy's Mailscanner setup.


    (Now it says not to use Blackhole -Last edited by NightStorm : 08-30-2006 at 02:13 AM.)
     
    #11 lloyd_tennison, Sep 2, 2006
    Last edited: Sep 2, 2006
  12. NightStorm

    NightStorm Well-Known Member

    No one said to use Blackhole. That was a direct quote from WHM, to show where the setting is for Fail. Read the message immediately above it.
     
  13. lloyd_tennison

    lloyd_tennison Well-Known Member

    "Last edited by NightStorm : 08-30-2006 at 02:13 AM."

    Now, it says that.
     
  14. NightStorm

    NightStorm Well-Known Member

    Yes, and today is 09-02-2006 at 09:30 AM. Now, what was your point again in that regard, other than the fact that I added the disclaimer to my post 15 minutes after I made it, 3 days ago?
    I am guessing you do not log into WHM often? As I said before, what I have posted up there is a DIRECT QUOTE from WHM. And, as I said, if you read right above the DIRECT QUOTE, you will see where I specify to use FAIL.
    Please, if you are going to make an attempt at cutting me down, at least read the entire post, instead of reading something that was written by cPanel and assuming it was me.

    Now, for demonstration. I am EDITING this post. See right above it, the timestamp right above my name? That is when the post was originally made. See the timestamp at the bottom here where it says "Last edited by NightStorm"? That's when it was LAST edited. Now, in the post where you are accusing me of editing my post to follow what you are saying after the fact. Notice the difference of 8 minutes? I'm no timetraveler... so you are simply misreading the entire post and looking to cause a fight. Try harder.
     
    #14 NightStorm, Sep 2, 2006
    Last edited: Sep 2, 2006
  15. 4402734

    4402734 Active Member

    I am using PHP 4.4.3, but still have the problem. I verified the files' permissions; all are 755 & 644, and not 777.

    Thanks
     
  16. NightStorm

    NightStorm Well-Known Member

    Go to the domain's cPanel, and click on the "error_log" link. What's it say? Quite often, it will offer enough info to figure it out.
     
  17. Solokron

    Solokron Well-Known Member

    Welcome to the club. This is an ongoing issue that appears to have no resolution yet.
    http://forums.cpanel.net/showthread.php?t=56783


     