Web Hosting Talk







Need help with cpanel/exim


Darkedge
08-29-2001, 09:57 PM
Ok, here's the deal: someone is spamming through my server. I am running cpanel with exim. I called burst net and they assured me that there is no way I am acting as an open relay and that someone must have written a cgi script to spam on my machine. I need help with this. I have the headers from the spam and I have my logs, but I have no idea how to go about finding out who or what is happening and how to stop them. I know this is a little general, but please help me. Any advice would be great.


Thanks

davidb
08-29-2001, 10:06 PM
There was a post a couple of days ago about something like this. I think the log you are looking for is sendmail.log. Look at it and you should find repeated mail sends (there should be a lot in a small amount of time), and those logs should give you a clue about who is doing it.

Darkedge
08-29-2001, 10:43 PM
Sendmail is not on this machine. It uses exim. I have been looking in /var/log/exim_mainlog

davidb
08-29-2001, 10:53 PM
I really do not know cpanel, but most CGIs use a sendmail binary to work with. For example, qmail has a sendmail binary so scripts can be used with it. If you're sure it's not, then I would suggest blocking port 25 for the time being.

Darkedge
08-29-2001, 11:01 PM
Please excuse my ignorance, but how do I block a specific port?

superiorhost
08-30-2001, 01:04 AM
Darkedge, you do have sendmail on your server with cpanel. Exim is your mail server... sendmail makes your mail scripts work, like form mail, and others.

I haven't looked it up yet, for the exact location, but you do want to look at the sendmail log if this is a script driven mail spammer...

I will pop back in a few with the sendmail log location.

Tim L :cool:

superiorhost
08-30-2001, 01:21 AM
Ok, in our cpanel servers, the sendmail log is with the rest of the logs:
/var/log/sendmail.log

Go to /var/log and see if it is there... I bet it is.

Good luck finding the spammer... that log can get huge.

Tim L :cool:

Darkedge
08-30-2001, 10:16 AM
Ok, I found two spammers.
One was using his own userid to access the sendmail binary, easy enough to fix. But the other was doing it as user nobody, uid 99.
Is there a way to block uid 99 from being able to access the sendmail binary?

Also will this cause any problems???


Thanks,
Darkedge
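
One way to do the log search discussed in this thread, as an added example that is not part of any poster's message: the script counts messages handed to Exim by local processes (arrival lines marked `<=` with `P=local`), grouped by the `U=` login, and flags accounts that submit in bursts. The log lines are constructed in Exim main-log style, and the burst threshold of 3 per minute is an assumption to tune for a real server.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in Exim main-log style; hosts, users and IDs are made up.
SAMPLE_LOG = """\
2001-08-30 09:58:01 15cAAA-0001Ab-00 <= nobody@host.example U=nobody P=local S=2104
2001-08-30 09:58:02 15cAAA-0001Ab-00 => a@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.10]
2001-08-30 09:58:14 15cAAB-0001Ac-00 <= nobody@host.example U=nobody P=local S=2098
2001-08-30 09:58:31 15cAAC-0001Ad-00 <= nobody@host.example U=nobody P=local S=2101
2001-08-30 09:58:47 15cAAD-0001Ae-00 <= nobody@host.example U=nobody P=local S=2110
2001-08-30 09:59:05 15cAAE-0001Af-00 <= bob@host.example U=bob P=local S=845
2001-08-30 10:01:12 15cAAF-0001Ag-00 <= carol@example.org H=mail.example.org [192.0.2.25] P=smtp S=1520
"""

# "<=" marks a message arrival; the timestamp is captured down to the minute.
ARRIVAL = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}):\d{2} \S+ <= (\S+)(.*)$")

def local_submissions(lines):
    """Yield (minute, local_user) for messages handed to Exim by a local process."""
    for line in lines:
        m = ARRIVAL.match(line)
        if not m:
            continue  # delivery ("=>"), completion and error lines
        minute, _sender, rest = m.groups()
        user = re.search(r" U=(\S+)", rest)
        # P=local: submitted through the sendmail-compatible binary, not over SMTP.
        if user and re.search(r" P=local\b", rest):
            yield minute, user.group(1)

def summarize(lines, burst_threshold=3):
    """Return (totals per user, peak per-minute count for users at or over threshold)."""
    totals, per_minute = Counter(), defaultdict(Counter)
    for minute, user in local_submissions(lines):
        totals[user] += 1
        per_minute[user][minute] += 1
    bursts = {}
    for user, counts in per_minute.items():
        peak = max(counts.values())
        if peak >= burst_threshold:
            bursts[user] = peak
    return dict(totals), bursts

if __name__ == "__main__":
    totals, bursts = summarize(SAMPLE_LOG.splitlines())
    for user, n in sorted(totals.items(), key=lambda kv: -kv[1]):
        flag = f"  <-- {bursts[user]} in one minute" if user in bursts else ""
        print(f"{user:10} {n}{flag}")
```

On a real server, feed it the lines of /var/log/exim_mainlog instead of the sample. A high count for the web server's account (nobody here) points at a CGI script rather than a shell user, so the next step is matching the timestamps against the web server's access log.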