Where is this mail coming from?

Discussion in 'E-mail Discussions' started by paulm, Apr 15, 2007.

  1. paulm

    paulm Well-Known Member

    Joined:
    Oct 13, 2003
    Messages:
    60
    Likes Received:
    0
    Trophy Points:
    6
    I got a complaint today from my provider because some emails supposedly being sent from my server to aol users are spam with a copy. The odd thing is I have dealt with quite a few aol complaints before and have always been able to find the problem user/script.

    The issue with this is the information I am given is very limited: I do not even get an actual message ID, and I can't find anything from the complaint in any of my exim logs, including to and from addresses or subject (I have extended logging on).

    I have the server set up to not allow relaying and have watched the mail logs for hours with no luck; I cannot find where any of this is coming from.
    So to me it looks like the actual message is being sent from another server and not mine, but I have relaying closed, and have checked for compromise etc. with no luck yet.

    Any help would be greatly appreciated.
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    This bit:
    Is typical of a forged header from an exploited PHP script sending email out directly to port 25 (i.e. avoiding exim), which is why it doesn't have proper headers, if indeed it is coming from your server. The simplest way to prevent emails being sent out that bypass exim is to enable WHM > Tweak Security > SMTP Tweak > Enable.

    However, if you use a separate script to configure iptables that won't be effective. If you run csf, you can simply enable the SMTP_BLOCK option and then restart csf. If you use APF there's a solution to that posted on the forum somewhere.

    You'd then need to track down the offending script, but the above ought to stop the outgoing spam.
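    The kind of firewall rule set an "SMTP block" puts in place, as an added illustration and not code from cPanel, csf or this thread: outbound TCP/25 is allowed only for packets owned by the MTA user (and root), everything else from the box is logged and rejected, so a PHP script running as the web server user cannot talk to a remote mail server directly. The allowed user list and the log prefix are assumptions; adjust them to the MTA user on your own system. With DRY_RUN set, the functions only print the iptables commands for review.

```shell
#!/bin/sh
# Added example: iptables rules that implement an outbound "SMTP block".
# Only the listed local users may open connections to remote port 25;
# everything else is logged (so the offending uid shows in the kernel log)
# and then rejected. Run as root with DRY_RUN unset to apply the rules;
# with DRY_RUN=1 the commands are printed instead of executed.

# Assumed/constructed list: exim is the MTA user, root for manual tests.
SMTP_ALLOWED_USERS="${SMTP_ALLOWED_USERS:-exim root}"

# Execute one iptables command, or print it when dry-running.
run_ipt() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Build the rule set: ACCEPT for owner-matched users, LOG + REJECT for the rest.
# The owner match only works on locally generated packets, which is exactly
# the OUTPUT chain case we care about here.
smtp_block_rules() {
    for u in $SMTP_ALLOWED_USERS; do
        run_ipt -A OUTPUT -p tcp --dport 25 -m owner --uid-owner "$u" -j ACCEPT
    done
    # Rate-limited log line first, so a runaway script does not flood the log.
    run_ipt -A OUTPUT -p tcp --dport 25 -m limit --limit 5/min \
        -j LOG --log-prefix "SMTP_BLOCK: "
    # A TCP reset makes the blocked script fail fast instead of hanging.
    run_ipt -A OUTPUT -p tcp --dport 25 -j REJECT --reject-with tcp-reset
}

# Number of ACCEPT rules the current allow-list would generate (sanity check).
count_accept_rules() {
    ( DRY_RUN=1; smtp_block_rules ) | grep -c -- '-j ACCEPT'
}

# Number of REJECT rules generated; there should be exactly one.
count_reject_rules() {
    ( DRY_RUN=1; smtp_block_rules ) | grep -c -- '-j REJECT'
}
```

This is also why a separate firewall script breaks the tweak: APF or a hand-rolled script that flushes and rebuilds the OUTPUT chain silently discards these rules, so they have to be re-added from that firewall's own post-load hook (which is what csf's SMTP_BLOCK option takes care of itself). Users sending through the server from their desktop mail clients are unaffected, because their connections arrive on port 25 and are handled by exim, not generated by a local process.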
     
  3. paulm

    paulm Well-Known Member

    Joined:
    Oct 13, 2003
    Messages:
    60
    Likes Received:
    0
    Trophy Points:
    6
    Thank you for your reply Chirpy. So running APF would also cause an issue, correct? Because I do have SMTP Tweak enabled on my server and I did not know there would be a conflict with the firewall.
     
  4. internetfab

    internetfab Well-Known Member
    PartnerNOC

    Joined:
    Feb 20, 2003
    Messages:
    336
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Gothenburg, Sweden
    cPanel Access Level:
    DataCenter Provider
    Trying to find a spammer on one of our servers that isn't running phpsuexec who is using the same method as mentioned here.

    What exactly does the SMTP block option do? Will scripts automatically be piped through exim, or will every customer on the server have to use an SMTP class instead of the mail() function in PHP?
     
  5. yapluka

    yapluka Well-Known Member

    Joined:
    Dec 24, 2003
    Messages:
    301
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    France
    cPanel Access Level:
    Root Administrator
    I had the very same issue on a customer's server a few months back, and it happened that the offending script was a PHP shell (r57 or c99, don't remember). This search may help:

    Code:
    find /home/ \( -name "*.cgi" -o -name "*.php" \) -print | xargs egrep -l 'c99shell|r57shell|WebShell|phpshell' >> /root/report.txt
    Good luck :)
     
  6. AlexV.

    AlexV. Well-Known Member

    Joined:
    Jun 15, 2006
    Messages:
    212
    Likes Received:
    1
    Trophy Points:
    16
  7. internetfab

    internetfab Well-Known Member
    PartnerNOC

    Joined:
    Feb 20, 2003
    Messages:
    336
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Gothenburg, Sweden
    cPanel Access Level:
    DataCenter Provider
    Thanks. I know how to secure a server, but stopping nobody isn't possible on this server right now, I'm afraid. So I'll just have to find the script and stop it for now until we have a chance to get every customer prepared for suPHP or phpsuexec.
     
  8. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Other way round. If you enable the SMTP block then clients must use the mail() function and not send email directly out to port 25 (usually using sockets). Users that send email from their PC email clients through your server won't be affected by the block.

    You can also have a read of this in help tracking down outbound spam:
    http://www.configserver.com/free/spammers.html#outbound
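    Added example, not code from this thread: it extends yapluka's find/egrep search above with a second pass for the behaviour chirpy describes, PHP that opens its own socket to port 25 instead of calling mail(). Both scans list matching .php/.cgi paths under a directory; the webshell signatures are the ones quoted in the thread, the socket patterns are constructed heuristics, and make_sample_tree builds a constructed three-file tree so the scans can be tried offline. Expect false positives from legitimate SMTP libraries; every hit still needs a human look.

```shell
#!/bin/sh
# Added example: two grep-based scans over a /home-style tree.
#   scan_webshells   - files carrying known PHP shell markers (from the thread)
#   scan_direct_smtp - files that appear to speak SMTP over a raw socket,
#                      i.e. bypassing the MTA (constructed heuristic)
# Usage on a real server: scan_webshells /home; scan_direct_smtp /home

# Webshell markers quoted in the thread.
SHELL_SIGS='c99shell|r57shell|WebShell|phpshell'
# fsockopen(..., 25, ...), socket_connect(), or raw SMTP verbs in string literals.
SMTP_SIGS='fsockopen\([^)]*,[[:space:]]*25[[:space:]]*[,)]|socket_connect\(|"(EHLO|HELO|MAIL FROM:|RCPT TO:)'

# Shared file walk: .php and .cgi regular files below $1, NUL-separated so
# odd characters in customer file names cannot break xargs.
php_files() {
    find "$1" \( -name '*.php' -o -name '*.cgi' \) -type f -print0 2>/dev/null
}

# Print paths under $1 that contain a webshell signature.
scan_webshells() {
    php_files "$1" | xargs -0 -r grep -lE "$SHELL_SIGS" 2>/dev/null
}

# Print paths under $1 that appear to open their own SMTP connection.
scan_direct_smtp() {
    php_files "$1" | xargs -0 -r grep -lE "$SMTP_SIGS" 2>/dev/null
}

# Build a small constructed tree to demonstrate both scans; prints its path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/user1/public_html" "$d/user2/public_html"
    # Legitimate mail() user: must not be flagged by either scan.
    printf '<?php mail("a@example.com", "Hi", "body"); ?>\n' \
        > "$d/user1/public_html/contact.php"
    # Constructed marker of a dropped webshell.
    printf '<?php /* c99shell v.1 */ echo "x"; ?>\n' \
        > "$d/user2/public_html/img.php"
    # Constructed direct-to-port-25 sender that bypasses exim entirely.
    printf '<?php $s = fsockopen($host, 25, $e, $m, 5); fwrite($s, "HELO x\\r\\n"); ?>\n' \
        > "$d/user2/public_html/sendr.php"
    echo "$d"
}
```

On a server with the SMTP block in place, the second scan is the faster way to locate the script that suddenly started failing to connect; on one without it, the same hits point at the mail that never shows up in the exim logs, which is the situation the original post describes.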
     
  9. internetfab

    internetfab Well-Known Member
    PartnerNOC

    Joined:
    Feb 20, 2003
    Messages:
    336
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Gothenburg, Sweden
    cPanel Access Level:
    DataCenter Provider
    Ah, yeah, I've got it now ;) I can't remember ever having used sockets to send email in my PHP code, so I'm guessing it isn't that common unless you're trying to send spam.

    Thanks for the documentation as well, Chirpy. As always, you come through for us :)

     