Web Hosting Talk

spamming issue please need urgent help


tonja
07-25-2004, 07:50 AM
hi everybody,

I am stuck with a problem. One of my servers is being misused by one of the users (I suppose) to spam. Well, the spams leave my server (as in the logs) as from apache@sever.servername.com, so I have no luck tracing who is behind this. I desperately suspect some PHP script. Please, need urgent help!!! I have to get rid of this as soon as possible because my server is on the verge of getting unplugged.

Always at your service

Tonja:bawling:

electron33
07-25-2004, 09:22 AM
Well tell us more:
What control panel are you using?
OS?
Mail server?

tonja
07-25-2004, 09:44 AM
CPanel/WHM
Redhat 9
Exim

please need urgent help!!

Tonja

VirtuosoHosting
07-25-2004, 09:51 AM
First, I suggest you enable suexec. Second, disable "nobody" from sending mail. Enable headers. Hope this helps you.

TR Seeks
07-25-2004, 10:00 AM
Okay, well, this is what I do.

In exim.conf search for

hostlist auth_relay_hosts = *

######################################################################
#                  Runtime configuration file for Exim               #
######################################################################

and then below add:

log_selector =
+address_rewrite
+all_parents
+arguments
+connection_reject
+delay_delivery
+delivery_size
+dnslist_defer
+incoming_interface
+incoming_port
+lost_incoming_connection
+queue_run
+received_sender
+received_recipients
+retry_defer
+sender_on_delivery
+size_reject
+skip_delivery
+smtp_confirmation
+smtp_connection
+smtp_protocol_error
+smtp_syntax_error
+subject
+tls_cipher
+tls_peerdn

and then just restart Exim. MAKE SURE YOU CREATE A BACKUP OF THE CONF FIRST

This will give you the location of the files, e.g.:

2003-06-27 14:06:18 cwd=/home/tris/public_html/forums 3 args: /usr/sbin/sendmail -t -i
2003-06-27 14:06:18 19W0QE-0001Nr-1b nobody@gibbs.hostsaints.com from env-from rewritten as ""seeksadmin.com" <minx@seeksadmin.com>" by rule 1
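
As an added example (not part of TR Seeks' post, and not cPanel or Exim code), here is a small Python script that parses mainlog entries in the two formats quoted above, ranks the working directories that are invoking sendmail, and lists the messages whose envelope sender started out as the web server user before Exim rewrote it. The first two sample lines are the ones from the post; the remaining lines, and the paths and hostnames in them, are constructed for illustration. Run it against a copy of /var/log/exim_mainlog (cPanel's location; adjust the path if yours differs) to see which account's public_html is doing the sending.

```python
"""Summarise Exim mainlog entries written under log_selector +arguments and
+address_rewrite, to locate the script behind outgoing spam.
Added example for this thread; sample log lines below are constructed."""
import re
import sys
from collections import Counter

# +arguments lines: "<date> <time> cwd=<dir> <argc> args: <argv...>"
ARGS_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) cwd=(?P<cwd>\S+) "
    r"(?P<argc>\d+) args: (?P<argv>.*)$"
)
# +address_rewrite lines:
# "<ts> <msgid> <orig> from env-from rewritten as "<new>" by rule <n>"
REWRITE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msgid>\S+) (?P<orig>\S+) "
    r"from env-from rewritten as \"(?P<new>.*)\" by rule (?P<rule>\d+)$"
)

# Constructed sample: the first two lines are from the post, the rest are
# made up (hypothetical account "acme", hostname example.net).
SAMPLE_LOG = """\
2003-06-27 14:06:18 cwd=/home/tris/public_html/forums 3 args: /usr/sbin/sendmail -t -i
2003-06-27 14:06:18 19W0QE-0001Nr-1b nobody@gibbs.hostsaints.com from env-from rewritten as ""seeksadmin.com" <minx@seeksadmin.com>" by rule 1
2003-06-27 14:07:02 cwd=/home/acme/public_html/tmp 3 args: /usr/sbin/sendmail -t -i
2003-06-27 14:07:02 19W0Qv-0001Pq-2c nobody@gibbs.hostsaints.com from env-from rewritten as ""Bank" <alert@example.net>" by rule 1
2003-06-27 14:07:05 cwd=/home/acme/public_html/tmp 3 args: /usr/sbin/sendmail -t -i
2003-06-27 14:07:09 cwd=/home/acme/public_html/tmp 3 args: /usr/sbin/sendmail -t -i
2003-06-27 14:08:30 cwd=/var/spool/cron 2 args: /usr/sbin/sendmail -t
"""


def parse_log(text):
    """Split a mainlog into (sendmail_calls, rewrites); other lines are ignored."""
    calls, rewrites = [], []
    for line in text.splitlines():
        m = ARGS_RE.match(line)
        if m:
            calls.append(m.groupdict())
            continue
        m = REWRITE_RE.match(line)
        if m:
            rewrites.append(m.groupdict())
    return calls, rewrites


def top_sendmail_dirs(calls):
    """Count sendmail invocations per working directory, busiest first."""
    return Counter(c["cwd"] for c in calls).most_common()


def web_script_callers(calls, web_root_marker="public_html"):
    """Keep only calls whose cwd lies under a web document root, i.e. the
    ones most likely coming from a PHP script rather than cron or a user."""
    return [c for c in calls if web_root_marker in c["cwd"].split("/")]


def senders_rewritten_from(rewrites, user="nobody"):
    """(message id, forged From) for envelopes that began as <user>@host,
    the signature of mail sent by the web server account."""
    return [(r["msgid"], r["new"]) for r in rewrites
            if r["orig"].split("@")[0] == user]


def report(text):
    """Print a short summary; returns the parsed data for further use."""
    calls, rewrites = parse_log(text)
    print("sendmail calls per directory:")
    for cwd, n in top_sendmail_dirs(calls):
        print(f"  {n:5d}  {cwd}")
    print(f"calls from under public_html: {len(web_script_callers(calls))}")
    print("messages whose envelope sender was 'nobody' before rewriting:")
    for msgid, forged in senders_rewritten_from(rewrites):
        print(f"  {msgid}  From: {forged}")
    return calls, rewrites


if __name__ == "__main__":
    # Usage: python exim_spam_trace.py /var/log/exim_mainlog  (or no arg for the sample)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    report(source)
```

The cwd= field is the key piece of evidence: a script that calls sendmail runs with its own directory as the working directory, so a directory that dominates the ranking is where to look, and correlating its timestamps with the rewrite lines shows which forged From addresses it is using.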

tonja
07-26-2004, 05:14 AM
thanx for that dude
that was really helpful

Tonja

TR Seeks
07-26-2004, 06:22 AM
No problem. It was a pleasure.

sawbuck
07-26-2004, 01:12 PM
Just want to follow up on what we found in regards to adding the Exim (Ver 4.34) directives. We were able to add them as Tris-SA mentions, but only in WHM in the Exim advanced mode editor in the first text box. In order to add them directly to /etc/exim.conf as stated, we had to add trailing backslashes to each line. Otherwise Exim complained on restart. Hope that helps someone else.

ZoneServ.com
07-27-2004, 01:18 AM
For cPanel users, add these lines to your exim.conf instead:


log_selector = \
+address_rewrite \
+all_parents \
+arguments \
+connection_reject \
+delay_delivery \
+delivery_size \
+dnslist_defer \
+incoming_interface \
+incoming_port \
+lost_incoming_connection \
+queue_run \
+received_sender \
+received_recipients \
+retry_defer \
+sender_on_delivery \
+size_reject \
+skip_delivery \
+smtp_confirmation \
+smtp_connection \
+smtp_protocol_error \
+smtp_syntax_error \
+subject \
+tls_cipher \
+tls_peerdn

Best regards,
Gil.

WebMate
07-27-2004, 02:03 PM
This is a decent thread!

SethEffectz
07-27-2004, 02:14 PM
Originally posted by WebMate
This is a decent thread!


Looks like someone is trying to get their post count up :rolleyes:

TR Seeks
07-27-2004, 02:42 PM
Yeah. This code can be found in loads of places. I am not sure who wrote the original version, not even sure where I got it from. All I remember is that I now have it on my HD and save it. It is a good code to have.

ZoneServ.com
07-27-2004, 02:48 PM
Originally posted by Tris-SA
Yeah. This code can be found in loads of places. I am not sure who wrote the original version, not even sure where I got it from. All I remember is that I now have it on my HD and save it. It is a good code to have.

Indeed,
Though in some cases it doesn't help :(

Hey!
Worth the try ;),
Gil.

sawbuck
07-27-2004, 05:28 PM
A simpler way to accomplish the same thing, which adds a couple of directives not listed above, is to use "log_selector = +all \" . The additional logging parameters are not that significant except perhaps for the "rejected header".
http://exim.work.de/exim-html-4.20/doc/html/spec_44.html

tonja
07-28-2004, 11:35 AM
hey guys

thanks a lot for the suggestions, but no guys, that didn't help.
My logs did not give me anything useful and that idiot is still spamming from my server, and I want to get rid of him. Anybody else with some other suggestions???

Tonja

sawbuck
07-28-2004, 11:47 AM
Would be helpful if you posted what has been tried so far. For instance have you set in WHM the parameters that limit emails per hour, SMTP authentication, etc? Also Mail Watch might be of some help. http://home-port.net/Mail-Watch/

DarkGod
08-02-2004, 06:16 PM
I too am having the exact same issue, same setup:

redhat 9
whm/cpanel
exim

I think it's more that someone is using our mail server as a relay. I'm somewhat new to Exim, as before we had a Windows machine handle our mail; ya ya, I know, don't worry, it's gone now :P Anyway, I guess what would help is knowing how to disable 'nobody' from using the mail server... does making sure they are not part of the 'mail' group mean they cannot send? Or is it one of the settings inside the exim.conf?

Failing either of those two, the best way for me to make sure would be to limit outgoing mail access to the localhost. I'm not exactly sure how to do that, but if someone could post here I would greatly appreciate it.

sawbuck
08-02-2004, 11:24 PM
In WHM>>Server Setup>>TweakSettings you will find options to limit emails per hour and user nobody sending mail. Also under Service Configuration>>Exim Config Editor is the option for verifying email senders.
HTH

Steven
08-02-2004, 11:32 PM
Make sure you don't have a demo account... they can be used to send spam.

DarkGod
08-03-2004, 04:01 AM
Well... with WHM/cPanel, it changes relay_hosts to search a file to which it adds and removes hosts from time to time, and I just changed it to be only localhost. Not sure of the downside of this... may have broken webmail programs, dunno. But it has stopped our mail queue from growing to 3500+ and straining system resources in the process, at least for the time being. I may still need to go in and change the 'nobody' account options as mentioned. I will keep an eye on it in the next day and see.

TR Seeks
08-03-2004, 04:20 AM
I would stay away from Mail-Watch; it makes your loads go up massively.

sawbuck
08-03-2004, 09:32 AM
Will say the same thing as before - Mail Watch is a tool to be used when trying to troubleshoot a spam problem.

telnettro
08-03-2004, 01:35 PM
Hey once you get it sorted out can I get a URL to sign up? I like to see people take a stand against spam.