
Viewing Exim X-Source information in mail queue

Discussion in 'E-mail Discussions' started by porcupine, Feb 14, 2006.

  1. porcupine

    porcupine Well-Known Member
    PartnerNOC

    Joined:
    Apr 18, 2002
    Messages:
    74
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Toronto, Ontario
    cPanel Access Level:
    DataCenter Provider
    Does anybody know where you'd locate the exim X-Source information that is normally appended to the message headers, before the email leaves the server?

    I've dug around the eximstats mysql db (hasn't been updated since Jan though?!), grep'd my way through all of /var/lib/spool, etc. without much luck. Purpose here should be pretty clear (someone's abusing a vulnerable script, I'm catching the load related issues days down the road (at which point apache logfiles have long since cycled), yet we're not receiving any complaints (.... yet)). Short of using phpsuexec, this seems like the most obvious method to locate abuse that's gotten past the other filters, short of waiting for the complaints to stream in with the x-source information in the forwarded headers.

    Does anyone know how this can be retrieved before the email leaves the server?
     
  2. networxhosting

    networxhosting Well-Known Member
    PartnerNOC

    Joined:
    Apr 22, 2003
    Messages:
    80
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Hamilton, Ontario, CANADA
    I've had the same issue before in the past and what I ended up doing (after substantial digging all over the place to no avail) was temporarily turning on phpsuexec, and then commenting it back out quickly after I found whose site/scripts were being abused.

    But besides that never really found a better way to do it, as any research would end with just user "nobody". I suppose if you saw a trend of addresses being spammed you could always try temporarily hijacking/forwarding one of those addresses being emailed to an account that you check in order to investigate the headers, otherwise it's a wait-until-complaint-comes-in kind of thing without phpsuexec enabled.
     
  3. porcupine

    porcupine Well-Known Member
    PartnerNOC

    Joined:
    Apr 18, 2002
    Messages:
    74
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Toronto, Ontario
    cPanel Access Level:
    DataCenter Provider
    Perhaps one of the moderators or CPanel staff know something we do not however (at least I'm hoping).
     
  4. WestBend

    WestBend Well-Known Member

    Joined:
    Oct 12, 2003
    Messages:
    173
    Likes Received:
    0
    Trophy Points:
    16
    disable your log rotate for 24 hours?
     
  5. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    I'd suggest enabling limited extra exim logging by adding this to the first textarea in the exim configuration editor:

    log_selector = +arguments

    This will add the context for the scripts that send out email into /var/log/exim_mainlog, i.e. you will usually get the directory within which the php that is sending out the email lives and you can then track it down from there.

    I'd also suggest the BCC mod_security secfilters to help indicate problem scripts too.
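As an added illustration (not part of the thread or of cPanel/Exim), once the `+arguments` logging described above is enabled, /var/log/exim_mainlog gains lines carrying `cwd=`; the script below tallies which directory under /home invoked the mailer most often, which is the directory to go look in. The log line layout (timestamp, `cwd=<dir>`, argument count, argv) is assumed from the Exim documentation and the sample lines and paths are constructed.

```python
import re
from collections import Counter

# Constructed sample of exim_mainlog lines after log_selector = +arguments.
# Layout assumed: "<date> <time> cwd=<dir> <argc> args: <argv...>".
# Ordinary delivery lines (no cwd=) are mixed in to show they are skipped.
SAMPLE_LOG = """\
2006-02-14 09:12:01 cwd=/ 3 args: /usr/sbin/exim -bd -q1h
2006-02-14 09:15:44 cwd=/home/alice/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2006-02-14 09:15:45 1F8xyz-0001Ab-Cd <= nobody@server.example U=nobody P=local S=812
2006-02-14 09:15:46 cwd=/home/bob/public_html/forum/include 3 args: /usr/sbin/sendmail -t -i
2006-02-14 09:15:47 cwd=/home/bob/public_html/forum/include 3 args: /usr/sbin/sendmail -t -i
2006-02-14 09:15:49 cwd=/home/bob/public_html/forum/include 3 args: /usr/sbin/sendmail -t -i
2006-02-14 09:16:02 cwd=/home/alice/public_html/contact 3 args: /usr/sbin/sendmail -t -i
"""

# Two leading tokens are the date and time; everything after "args:" is argv.
ARGS_RE = re.compile(r"^\S+ \S+ cwd=(?P<cwd>\S+) (?P<argc>\d+) args: (?P<argv>.*)$")


def parse_argument_lines(log_text):
    """Yield (cwd, argv) for every +arguments line; other log lines are skipped."""
    for line in log_text.splitlines():
        m = ARGS_RE.match(line)
        if m:
            yield m.group("cwd"), m.group("argv").split()


def script_sender_counts(log_text, home_prefix="/home/"):
    """Count mailer invocations per working directory.

    Only directories under home_prefix are counted, so the daemon's own
    start-up (cwd=/) and system cron jobs do not swamp the result.
    """
    counts = Counter()
    for cwd, argv in parse_argument_lines(log_text):
        if cwd.startswith(home_prefix) and argv and argv[0].endswith(("sendmail", "exim")):
            counts[cwd] += 1
    return counts


def top_sender_dirs(log_text, n=3):
    """Return the n directories that called the mailer most often, busiest first."""
    return script_sender_counts(log_text).most_common(n)


if __name__ == "__main__":
    for cwd, count in top_sender_dirs(SAMPLE_LOG):
        print(f"{count:6d}  {cwd}")
```

On a live box, feed it the real log (e.g. `top_sender_dirs(open('/var/log/exim_mainlog').read())`) and inspect the busiest directory first.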
     