
Viewing Exim X-Source information in mail queue

Discussion in 'E-mail Discussion' started by porcupine, Feb 14, 2006.

  1. porcupine

    porcupine Well-Known Member
    PartnerNOC

    Joined:
    Apr 18, 2002
    Messages:
    74
    Likes Received:
    0
    Trophy Points:
    306
    Location:
    Toronto, Ontario
    cPanel Access Level:
    DataCenter Provider
    Does anybody know where you'd locate the exim X-Source information that is normally appended to the message headers, before the email leaves the server?

    I've dug around the eximstats mysql db (hasn't been updated since Jan though?!), grep'd my way through all of /var/lib/spool, etc. without much luck. Purpose here should be pretty clear (someone's abusing a vulnerable script, I'm catching the load related issues days down the road (at which point apache logfiles have long since cycled) yet we're not receiving any complaints (.... yet)). Short of using phpsuexec, this seems like the most obvious method to locate abuse that's gotten past the other filters, short of waiting for the complaints to stream in with the x-source information in the forwarded headers.

    Does anyone know how this can be retrieved before the email leaves the server?
     
  2. networxhosting

    networxhosting Well-Known Member
    PartnerNOC

    Joined:
    Apr 22, 2003
    Messages:
    80
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Hamilton, Ontario, CANADA
    I've had the same issue before in the past and what I ended up doing (after substantial digging all over the place to no avail) was temporarily turning on phpsuexec, and then commenting it back out quickly after I found whose site/scripts were being abused.

    But besides that I never really found a better way to do it, as any research would end with just user "nobody". I suppose if you saw a trend of addresses being spammed you could always try temporarily hijacking/forwarding one of those addresses being emailed to an account that you check in order to investigate the headers, otherwise it's a wait-until-a-complaint-comes-in kind of thing without phpsuexec enabled.
     
  3. porcupine

    porcupine Well-Known Member
    PartnerNOC

    Joined:
    Apr 18, 2002
    Messages:
    74
    Likes Received:
    0
    Trophy Points:
    306
    Location:
    Toronto, Ontario
    cPanel Access Level:
    DataCenter Provider
    Perhaps one of the moderators or CPanel staff know something we do not however (at least I'm hoping).
     
  4. WestBend

    WestBend Well-Known Member

    Joined:
    Oct 12, 2003
    Messages:
    173
    Likes Received:
    0
    Trophy Points:
    166
    disable your log rotate for 24 hours?
     
  5. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,460
    Likes Received:
    21
    Trophy Points:
    463
    Location:
    Go on, have a guess
    I'd suggest enabling limited extra exim logging by adding this to the first textarea in the exim configuration editor:

    log_selector = +arguments

    This will add the context for the scripts that send out email into /var/log/exim_mainlog, i.e. you will usually get the directory within which the php that is sending out the email lives and you can then track it down from there.

    I'd also suggest the BCC mod_security secfilters to help indicate problem scripts too.
     
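As an added illustration of the approach chirpy describes (this is not code from the thread or from cPanel), here is a small parser that reads the `cwd=... N args: ...` lines Exim writes to `exim_mainlog` once `log_selector = +arguments` is set, and counts sendmail submissions per working directory so the busiest script directory stands out even when every script runs as "nobody". The log lines are constructed samples and the exact line layout is assumed from Exim's documented `arguments` log selector.

```python
import re
from collections import Counter

# Pattern for the line Exim adds to exim_mainlog under log_selector = +arguments.
# Layout assumed: "<timestamp> cwd=<dir> <argc> args: <argv...>".
ARGS_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) cwd=(?P<cwd>\S+) "
    r"(?P<argc>\d+) args: (?P<argv>.*)$"
)

# Constructed sample log, not taken from any real server.
SAMPLE_LOG = """\
2006-02-14 09:00:01 cwd=/home/alice/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2006-02-14 09:00:02 1F8xyz-0001AB-Cd <= alice@example.com U=alice P=local S=512
2006-02-14 09:00:05 cwd=/home/bob/public_html/forms/old 4 args: /usr/sbin/sendmail -t -i -oem
2006-02-14 09:00:05 cwd=/home/bob/public_html/forms/old 4 args: /usr/sbin/sendmail -t -i -oem
2006-02-14 09:00:06 cwd=/home/bob/public_html/forms/old 4 args: /usr/sbin/sendmail -t -i -oem
2006-02-14 09:00:07 cwd=/root 3 args: /usr/sbin/exim -bpc
"""


def parse_arguments_lines(log_text):
    """Yield (timestamp, cwd, argv) for every +arguments line; other lines are skipped."""
    for line in log_text.splitlines():
        m = ARGS_LINE.match(line)
        if m:
            yield m.group("ts"), m.group("cwd"), m.group("argv")


def sendmail_counts_by_cwd(log_text):
    """Count submissions per working directory.

    Only invocations whose program name ends in "sendmail" are counted, so
    administrative exim calls (such as the queue count from /root) are ignored.
    """
    counts = Counter()
    for _ts, cwd, argv in parse_arguments_lines(log_text):
        prog = argv.split()[0] if argv else ""
        if prog.endswith("sendmail"):
            counts[cwd] += 1
    return counts


def suspicious_dirs(log_text, threshold):
    """Return (cwd, count) pairs above `threshold`, busiest first."""
    counts = sendmail_counts_by_cwd(log_text)
    return [(cwd, n) for cwd, n in counts.most_common() if n > threshold]


if __name__ == "__main__":
    for cwd, n in suspicious_dirs(SAMPLE_LOG, threshold=2):
        print(f"{n:5d}  {cwd}")
```

On a real server, feed it `/var/log/exim_mainlog` (or a rotated copy) and pick a threshold that suits the box's normal form-mail volume.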