-
10-25-2008, 10:28 AM #1 Junior Guru Wannabe
need cpanel fixed in linux from being spammed in exim
Hi, the problem is that the server is being spammed, sending emails. There are exim processes being created by uid 47 and mailnull that are consuming the memory and crashing the system.
I have seen the account in passwd and the groups in shadow.
I tried to comment it out but exim will not run. Only when the accounts are uncommented will exim run, and then it starts flooding with spam email and spawning new processes until all the memory is consumed.
The spammer accounts are mailnull, I am guessing. So I need some help to fix the spamming issue.
The httpd is being run by the nobody account. I might need some help on this too.
Any help would be greatly appreciated.
It's a Linux box:
2.6.18-53.1.4.el5 #1 SMP Wed Nov 14 10:37:33 EST 2007 i686 i686 i386 GNU/Linux
-
10-25-2008, 10:48 AM #2 Zishan Guest
In WHM > Exim Configuration Editor, click Advanced Editor
Add this in the first text area:
log_selector = +address_rewrite +all_parents +arguments +subject
Browse to the bottom of the page and click Save. Then run the following command and you will get a detailed log of where the spam emails are being sent from:
tail -f /var/log/exim_mainlog
-
10-25-2008, 12:26 PM #3 Junior Guru Wannabe
The log did not really help much in locating the source. These are the processes spawning, and they keep increasing.
mailnull 12487 0.3 0.0 10136 964 ? Ss 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12493 0.0 0.0 10136 912 ? Ss 09:13 0:00 /usr/sbin/exim -tls-on-connect -bd -oX 465
mailnull 12521 0.4 0.1 11224 3900 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12522 0.3 0.1 11224 3884 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12532 0.5 0.2 11228 4580 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12537 0.4 0.1 11224 3908 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12538 0.4 0.1 11224 3884 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12541 0.4 0.1 11224 3908 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12546 0.3 0.1 11224 3876 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12550 0.0 0.0 10192 1920 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12565 0.4 0.1 11224 3876 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12566 0.4 0.1 11224 3900 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12571 0.4 0.1 11228 3908 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12576 0.4 0.1 11224 3908 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12586 0.3 0.1 11228 3884 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12596 0.4 0.1 11224 3884 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12613 0.4 0.1 11224 3900 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12621 0.4 0.1 11224 3908 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12630 0.4 0.1 11224 3876 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12662 0.5 0.1 11228 3836 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12665 0.4 0.1 11224 3900 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12666 0.4 0.1 11224 3884 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12675 0.3 0.1 11224 3900 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12698 0.5 0.1 11224 3876 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12699 0.6 0.1 11224 3876 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12702 0.6 0.2 11232 4596 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12707 0.5 0.1 11224 3900 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12740 0.6 0.2 11228 4608 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12742 0.5 0.1 11224 3900 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12755 0.5 0.1 11224 3900 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12758 0.5 0.1 11224 3900 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12762 0.5 0.1 11224 3876 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12767 0.5 0.1 11224 3884 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
-
10-25-2008, 12:28 PM #4 Junior Guru Wannabe
This is in the log you told me to look at:
/var/log/exim_mainlog
2008-10-25 10:03:20 1Ktkfe-0004So-Uf SMTP connection from mail.marionareachamber.org (marionareachamber.org) [66.219.135.169] closed after SIGTERM
2008-10-25 10:03:20 1Ktkfb-0004Sj-Q3 SMTP connection from (mail.0incondotta.com) [66.232.118.190] closed after SIGTERM
2008-10-25 10:03:20 1Ktkfb-0004SZ-3j SMTP connection from mx1.aball.de [212.76.144.42] closed after SIGTERM
2008-10-25 10:03:20 1Ktkfb-0004SU-RT SMTP connection from (mail2.fransmaas.com) [212.72.49.204] closed after SIGTERM
2008-10-25 10:03:20 1KtkfZ-0004SM-Vz SMTP connection from (gw.ecro.ro) [82.76.46.16] closed after SIGTERM
2008-10-25 10:03:20 1KtkfY-0004SK-IP SMTP connection from mail.finn.pl [194.24.181.150] closed after SIGTERM
2008-10-25 10:03:20 1KtkfX-0004SD-Au SMTP connection from mx1.aball.de [212.76.144.42] closed after SIGTERM
2008-10-25 10:03:20 1KtkfU-0004SA-UH SMTP connection from ks354294.kimsufi.com [91.121.101.119] closed after SIGTERM
2008-10-25 10:03:20 1KtkfR-0004S1-40 SMTP connection from (main.digital-thought.net) [212.57.233.62] closed after SIGTERM
2008-10-25 10:03:20 1KtkfP-0004Rw-VD SMTP connection from (mwz-cpa.com) [68.250.28.105] closed after SIGTERM
2008-10-25 10:03:20 1KtkfQ-0004Rt-RJ SMTP connection from dwhs125.dwhs.net [66.249.137.125] closed after SIGTERM
2008-10-25 10:03:20 1KtkfN-0004Rm-Fi SMTP connection from ks354294.kimsufi.com [91.121.101.119] closed after SIGTERM
2008-10-25 10:03:20 1KtkfO-0004Ro-6n SMTP connection from dvorak.siteprotect.com [64.26.0.12] closed after SIGTERM
2008-10-25 10:03:20 1KtkfN-0004Rf-Ot SMTP connection from enm36.neoplus.adsl.tpnet.pl [83.20.2.36] closed after SIGTERM
2008-10-25 10:03:20 1KtkfN-0004Rd-PB SMTP connection from mail1.zimmermann-vital.de [212.77.180.140] closed after SIGTERM
2008-10-25 10:03:20 1KtkfN-0004Ra-B9 SMTP connection from mail.mass2one.com (mass2onedc.mass2one.local) [209.181.208.98] closed after SIGTERM
2008-10-25 10:03:20 1KtkfM-0004Rc-Q9 SMTP connection from poplar.kiosk.ws (poplar.ghshosting.com) [209.47.167.138] closed after SIGTERM
2008-10-25 10:03:20 1KtkfN-0004Re-SW SMTP connection from (server.MILMAR.COM.EG) [82.201.208.165] closed after SIGTERM
2008-10-25 10:03:20 1KtkfO-0004Rn-IV SMTP connection from hanari1.nims.go.jp [144.213.2.20] closed after SIGTERM
2008-10-25 10:03:20 1KtkfN-0004RZ-NC SMTP connection from smtp-vbr13.xs4all.nl [194.109.24.33] closed after SIGTERM
2008-10-25 10:03:20 1KtkfN-0004Rb-3q SMTP connection from mail.mass2one.com (mass2onedc.mass2one.local) [209.181.208.98] closed after SIGTERM
2008-10-25 10:03:20 1KtkfM-0004RY-Py SMTP connection from mail.microstarkegs.com [64.1.8.50] closed after SIGTERM
2008-10-25 10:03:20 1KtkfO-0004RX-AY SMTP connection from (npamail.svpnpa.gov.in) [218.248.1.76] closed after SIGTERM
2008-10-25 10:03:20 1KtkfM-0004RO-My SMTP connection from rrcs-24-172-185-210.central.biz.rr.com (ts-llc.com) [24.172.185.210] closed after SIGTERM
2008-10-25 10:03:20 1KtkfM-0004RP-3S SMTP connection from mail.alumniprogram.com [208.45.131.34] closed after SIGTERM
2008-10-25 10:03:20 1KtkfP-0004RS-Bc SMTP connection from (mailserver.hib.local) [124.82.128.149] closed after SIGTERM
2008-10-25 10:03:20 1KtkfO-0004RM-0B SMTP connection from host136-230-149-62.*************i.aruba.it (mail.globalinfosystem.it) [62.149.230.136] closed after SIGTERM
2008-10-25 10:03:20 1KtkfM-0004RN-HH SMTP connection from bsmtp9.xs4all.nl [194.109.127.146] closed after SIGTERM
2008-10-25 10:03:20 1KtkfN-0004RL-97 SMTP connection from fwvip.nel.co.jp (mailhub.nel.co.jp) [143.125.54.3] closed after SIGTERM
2008-10-25 10:03:20 1KtkfN-0004RK-Db SMTP connection from h166.n068.nhk.or.jp (sender02.tokyo.nhk.or.jp) [133.127.68.166] closed after SIGTERM
2008-10-25 10:03:20 1KtkfN-0004RI-Ho SMTP connection from mail.piramide.ind.br [200.206.168.136] closed after SIGTERM
2008-10-25 10:03:20 1KtkfJ-0004RD-TZ SMTP connection from fwvip.nel.co.jp (mailhub.nel.co.jp) [143.125.54.3] closed after SIGTERM
2008-10-25 10:03:20 1KtkfN-0004R6-OW SMTP connection from mail.estcanudas.com.ar (cabas101.canudassuc1.com.ar) [200.127.112.147] closed after SIGTERM
2008-10-25 10:03:20 1KtkfL-0004RG-Rw SMTP connection from ks354294.kimsufi.com [91.121.101.119] closed after SIGTERM
2008-10-25 10:03:20 1KtkfN-0004RH-Ma SMTP connection from gd1.gameduell.de [83.220.152.131] closed after SIGTERM
2008-10-25 10:03:20 1KtkfJ-0004R9-2H SMTP connection from (d7018.hostcentric.net) [216.65.63.51] closed after SIGTERM
2008-10-25 10:03:20 1KtkfM-0004RF-UR SMTP connection from smtp-01.sil.at [78.142.186.24] closed after SIGTERM
2008-10-25 10:03:20 1KtkfN-0004RB-HP SMTP connection from mail.lavras.mg.gov.br [200.195.28.157] closed after SIGTERM
2008-10-25 10:03:20 1KtkfM-0004R8-BS SMTP connection from mxdrop153.xs4all.nl [194.109.24.119] closed after SIGTERM
2008-10-25 10:03:20 1KtkfK-0004R7-Ii SMTP connection from (mwt02.mwt.com.au) [210.23.128.40] closed after SIGTERM
2008-10-25 10:03:20 1KtkfJ-0004Ql-BN SMTP connection from exchange.ilink-systems.com (exchange.ilink.mail) [216.176.189.234] closed after SIGTERM
2008-10-25 10:03:20 1KtkfL-0004R1-SC SMTP connection from (cpanel.ev1servers.net) [66.98.174.6] closed after SIGTERM
2008-10-25 10:03:20 1KtkfN-0004RA-Q9 SMTP connection from mail.lavras.mg.gov.br [200.195.28.157] closed after SIGTERM
2008-10-25 10:03:20 1KtkfG-0004R0-L1 SMTP connection from jamestaylor.com (as.jamestaylor.com) [72.10.46.53] closed after SIGTERM
2008-10-25 10:03:20 1KtkfG-0004Qk-6n SMTP connection from bsmtp6.xs4all.nl [194.109.127.149] closed after SIGTERM
2008-10-25 10:03:20 1KtkfH-0004Qp-6X SMTP connection from bsmtp7.xs4all.nl [194.109.127.148] closed after SIGTERM
2008-10-25 10:03:20 1KtkfH-0004Qo-2l SMTP connection from dewsmtp.intellicentre.net.au (dewsmtp001.intellicentre.net.au) [210.193.179.136] closed after SIGTERM
2008-10-25 10:03:20 1KtkfF-0004Qi-Mu SMTP connection from 194.11.254.125.static.comindico.com.au (imagepoint.com.au) [125.254.11.194] closed after SIGTERM
2008-10-25 10:03:20 1KtkfG-0004Qh-6K SMTP connection from bsmtp5.xs4all.nl [194.109.127.150] closed after SIGTERM
2008-10-25 10:03:20 1KtkfG-0004Qj-5w SMTP connection from 194.11.254.125.static.comindico.com.au (imagepoint.com.au) [125.254.11.194] closed after SIGTERM
2008-10-25 10:03:20 1KtkfG-0004Qg-18 SMTP connection from 194.11.254.125.static.comindico.com.au (imagepoint.com.au) [125.254.11.194] closed after SIGTERM
2008-10-25 10:03:20 1KtkfF-0004Qf-Qn SMTP connection from 194.11.254.125.static.comindico.com.au (imagepoint.com.au) [125.254.11.194] closed after SIGTERM
2008-10-25 10:03:20 1KtkfF-0004Qd-Mr SMTP connection from 194.11.254.125.static.comindico.com.au (imagepoint.com.au) [125.254.11.194] closed after SIGTERM
2008-10-25 10:03:20 1KtkfG-0004QV-HV SMTP connection from cpe-76-83-103-246.bak.res.rr.com [76.83.103.246] closed after SIGTERM
2008-10-25 10:03:20 1KtkfM-0004QW-KT SMTP connection from dpc674728058.direcpc.com (mail.searchmont.com) [67.47.28.58] closed after SIGTERM
2008-10-25 10:03:20 1KtkfM-0004Qe-6I SMTP connection from 89.140.90.198.static.user.ono.com (macmail01.mac-mutua.org) [89.140.90.198] closed after SIGTERM
2008-10-25 10:03:20 1KtkfG-0004QS-Cy SMTP connection from smtp.svp.sk [195.146.147.73] closed after SIGTERM
2008-10-25 10:03:20 1KtkfG-0004QT-AO SMTP connection from smtp.svp.sk [195.146.147.73] closed after SIGTERM
2008-10-25 10:03:20 1KtkfH-0004QU-0P SMTP connection from (mail.megacorp.co.kr) [211.234.93.151] closed after SIGTERM
2008-10-25 10:03:20 1KtkfG-0004QJ-Ti SMTP connection from mail1.kyukyo-u.ac.jp (triton.kyukyo-u.ac.jp) [218.44.255.43] closed after SIGTERM
2008-10-25 10:03:20 1KtkfE-0004QQ-2a SMTP connection from www.netgear-forum.com [193.25.197.191] closed after SIGTERM
2008-10-25 10:03:20 1KtkfH-0004QL-HJ SMTP connection from mail1.kyukyo-u.ac.jp (triton.kyukyo-u.ac.jp) [218.44.255.43] closed after SIGTERM
2008-10-25 10:03:20 1KtkfJ-0004QN-VI SMTP connection from mail1.kyukyo-u.ac.jp (triton.kyukyo-u.ac.jp) [218.44.255.43] closed after SIGTERM
2008-10-25 10:03:20 1KtkfG-0004QI-Tc SMTP connection from mail1.kyukyo-u.ac.jp (triton.kyukyo-u.ac.jp) [218.44.255.43] closed after SIGTERM
2008-10-25 10:03:20 1KtkfG-0004Qc-Jp SMTP connection from vcmail04.nttdatacenter.com [61.208.135.5] closed after SIGTERM
2008-10-25 10:03:20 1KtkfG-0004QR-EG SMTP connection from smtp.duhosting.ae (HMCERI03.DuVAS.local) [80.227.220.134] closed after SIGTERM
2008-10-25 10:03:20 1KtkfM-0004QH-Kw SMTP connection from mail1.kyukyo-u.ac.jp (triton.kyukyo-u.ac.jp) [218.44.255.43] closed after SIGTERM
2008-10-25 10:03:20 1KtkfG-0004QX-Sd SMTP connection from mail.tizacademy.com (mail.tizaacademy.com) [75.146.181.89] closed after SIGTERM
2008-10-25 10:03:20 1KtkfE-0004QE-Qq SMTP connection from s198-166-46-251.ab.hsia.telus.net (dmzworkhorse.bridgesolutions.ca) [198.166.46.251] closed after SIGTERM
2008-10-25 10:03:20 1KtkfF-0004Q9-PO SMTP connection from smtp.duhosting.ae (HMCERO03.DuVAS.local) [80.227.220.134] closed after SIGTERM
2008-10-25 10:03:20 1KtkfG-0004QF-7k SMTP connection from mail.lavras.mg.gov.br [200.195.28.157] closed after SIGTERM
2008-10-25 10:03:20 1KtkfG-0004QG-19 SMTP connection from mail.lavras.mg.gov.br [200.195.28.157] closed after SIGTERM
2008-10-25 10:03:20 1KtkfC-0004QA-Jh SMTP connection from eterna.binary.net [216.229.0.25] closed after SIGTERM
2008-10-25 10:03:20 1KtkfE-0004Q8-Lf SMTP connection from exchange.cre-eight.com [207.200.20.115] closed after SIGTERM
2008-10-25 10:03:20 1KtkfD-0004Q5-4z SMTP connection from (serv13.mihosnet.nl) [83.149.74.207] closed after SIGTERM
2008-10-25 10:03:20 1KtkfD-0004Pb-Lf SMTP connection from (dsl85-102-46665.ttnet.net.tr) [85.102.182.73] closed after SIGTERM
2008-10-25 10:03:20 1KtkfC-0004PO-FK SMTP connection from (vdns.miniespacio.com) [67.19.157.34] closed after SIGTERM
2008-10-25 10:03:20 1KtkfF-0004PY-BC SMTP connection from pop.ttcl.co.tz [196.43.78.55] closed after SIGTERM
2008-10-25 10:03:20 1KtkfE-0004Q6-QZ SMTP connection from mail.ecs.kyoto-u.ac.jp [130.54.13.161] closed after SIGTERM
2008-10-25 10:03:20 1KtkfE-0004Pe-79 SMTP connection from boe246.neoplus.adsl.tpnet.pl [83.29.20.246] closed after SIGTERM
2008-10-25 10:03:20 1KtkfG-0004PM-6L SMTP connection from h-67-103-44-123.snfccasy.covad.net (PC04.PLCLAW.NET) [67.103.44.123] closed after SIGTERM
2008-10-25 10:03:20 1KtkfC-0004PW-Bu SMTP connection from www.dns02.de [195.226.112.52] closed after SIGTERM
2008-10-25 10:03:20 1KtkfF-0004Q3-40 SMTP connection from mail.lett.dk [86.48.41.226] closed after SIGTERM
2008-10-25 10:03:20 1KtkfC-0004Pq-Tl SMTP connection from mailrelay1.kpn.net [194.151.226.98] closed after SIGTERM
2008-10-25 10:03:20 1KtkfD-0004Pg-SY SMTP connection from tcgp.dundee.ac.uk (corvus.tcgp.dundee.ac.uk) [134.36.204.2] closed after SIGTERM
2008-10-25 10:03:20 1KtkfG-0004PB-8u SMTP connection from zeus.dafp.gov.co (zeus.dafp.local) [200.31.77.243] closed after SIGTERM
2008-10-25 10:03:20 1KtkfP-0004Ph-MX SMTP connection from ([85.110.159.82]) [85.110.159.82] closed after SIGTERM
2008-10-25 10:03:20 1KtkfC-0004Q7-Jg SMTP connection from fb05-04.mta.terra.com.br [200.154.152.93] closed after SIGTERM
2008-10-25 10:03:20 1KtkfF-0004Oo-JF SMTP connection from hcm-ms-185.vnn.vn [203.162.4.185] closed after SIGTERM
2008-10-25 10:03:20 1KtkfC-0004Pa-B9 SMTP connection from exchange.strategicsol.com [63.231.43.49] closed after SIGTERM
2008-10-25 10:03:20 1KtkfC-0004Oy-Ek SMTP connection from trinity.nschile.cl [200.55.216.73] closed after SIGTERM
-
10-28-2008, 03:33 PM #5 WHT Addict
You can set a limit in WHM's Tweak Settings for the max # of emails per hour that a domain can send:
'The maximum each domain can send out per hour (0 is unlimited)'
This may help cut down some of the traffic. Afterwards, check 'View Mail Statistics' in WHM to see which domains are sending tons of mail.
It's interesting that all those SIGTERMs are getting sent to exim. Try connecting to the server and sending mail through a domain; there may be a deeper issue here.
You're welcome to submit a support ticket to have our analysts take a look at the server. See my signature for the link.
-
10-28-2008, 04:22 PM #6 Junior Guru Wannabe
ps -C exim -fH eww | grep home
Execute this command when there is heavy spamming. It will show the user who is spamming.
Also, just set the max mail per hour to 10 or so. Then, when the 11th mail is sent, it will start bouncing back.
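As an added example (this is not code from the thread, and every line of sample data in it is constructed): a POSIX shell script that turns the two manual checks in this thread, reading /var/log/exim_mainlog from post #4 and ps -C exim -fH eww | grep home from post #6, into counts, so that the busiest remote IP, the busiest authenticated sender and the cPanel home directory with the most exim processes float to the top instead of having to be spotted by eye in hundreds of lines. The sender counting assumes exim's standard "<=" message line with an A= authenticator field (the dovecot_login name and the user names are invented); the process counting assumes the HOME= variable is visible in the ps eww output, which is what the grep home trick relies on. Addresses are from the RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example, not code from the thread. Summarizes (a) an exim_mainlog
# excerpt by remote IP and by authenticated sender, and (b) a saved
# "ps -C exim -fH eww" listing by the HOME= variable each process carries.
# All sample data below is constructed (RFC 5737 addresses, invented users).

SAMPLE_LOG=$(mktemp)
SAMPLE_PS=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$SAMPLE_PS"' EXIT

# Constructed exim_mainlog excerpt: SIGTERM-closed inbound connections plus
# four "<=" message lines (the A= field names the authenticated sender).
cat > "$SAMPLE_LOG" <<'EOF'
2008-10-25 10:03:20 1KtkfX-0004SD-Au SMTP connection from mx.example.net [192.0.2.10] closed after SIGTERM
2008-10-25 10:03:20 1KtkfY-0004SK-IP SMTP connection from mx.example.net [192.0.2.10] closed after SIGTERM
2008-10-25 10:03:21 1KtkfZ-0004SM-Vz SMTP connection from (relay.example.org) [198.51.100.7] closed after SIGTERM
2008-10-25 10:03:22 1Ktkfa-0004SN-Bc <= alice@example.com H=(relay.example.org) [198.51.100.7] P=esmtpa A=dovecot_login:alice@example.com S=812 T="Weekly report"
2008-10-25 10:03:23 1Ktkfb-0004SO-Cd <= bulk@example.com H=localhost [127.0.0.1] P=esmtpa A=dovecot_login:bulk@example.com S=2048 T="Promo blast"
2008-10-25 10:03:24 1Ktkfc-0004SP-De <= bulk@example.com H=localhost [127.0.0.1] P=esmtpa A=dovecot_login:bulk@example.com S=2048 T="Promo blast"
2008-10-25 10:03:25 1Ktkfd-0004SQ-Ef <= bulk@example.com H=localhost [127.0.0.1] P=esmtpa A=dovecot_login:bulk@example.com S=2048 T="Promo blast"
EOF

# Constructed "ps -C exim -fH eww" output: the daemon plus three children
# that inherited a cPanel account's HOME= in their environment.
cat > "$SAMPLE_PS" <<'EOF'
UID        PID  PPID  C STIME TTY          TIME CMD
mailnull 12487     1  0 09:13 ?        00:00:00 /usr/sbin/exim -bd -q60m HOME=/ PATH=/usr/bin:/bin
mailnull 12521 12487  0 09:13 ?        00:00:00   /usr/sbin/exim -bd -q60m HOME=/home/shopsite PWD=/home/shopsite/public_html
mailnull 12522 12487  0 09:13 ?        00:00:00   /usr/sbin/exim -bd -q60m HOME=/home/shopsite PWD=/home/shopsite/public_html
mailnull 12532 12487  0 09:13 ?        00:00:00   /usr/sbin/exim -bd -q60m HOME=/home/blogger PWD=/home/blogger/public_html
EOF

# Count every log line carrying a bracketed IPv4 address (the SIGTERM lines
# and the "H=host [ip]" part of "<=" lines), most frequent first.
top_smtp_sources() {
    awk '
        match($0, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/) {
            n[substr($0, RSTART + 1, RLENGTH - 2)]++
        }
        END { for (ip in n) print n[ip], ip }
    ' "$1" | sort -rn
}

# Count accepted messages ("<=" in field 4) per authenticated sender (A=).
# A single local account pushing out most of the mail stands out here.
top_auth_senders() {
    awk '
        $4 == "<=" && match($0, / A=[^ ]+/) {
            n[substr($0, RSTART + 3, RLENGTH - 3)]++
        }
        END { for (a in n) print n[a], a }
    ' "$1" | sort -rn
}

# Count exim processes per HOME=/home/<account> in a saved ps eww listing;
# lines without such a variable (header, the daemon itself) are skipped.
exim_by_home() {
    awk '
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^HOME=\/home\//) { n[substr($i, 6)]++; break }
        }
        END { for (h in n) print n[h], h }
    ' "$1" | sort -rn
}

echo "== connections per remote IP =="
top_smtp_sources "$SAMPLE_LOG"
echo "== accepted messages per authenticated sender =="
top_auth_senders "$SAMPLE_LOG"
echo "== exim processes per cPanel home directory =="
exim_by_home "$SAMPLE_PS"
```

On a live box, point top_smtp_sources and top_auth_senders at /var/log/exim_mainlog and feed exim_by_home a saved copy of the ps listing (ps -C exim -fH eww > /tmp/exim-ps.txt). The per-sender count is the one that answers the thread's question directly: the SIGTERM lines only show who was connecting when exim was restarted, while the A= field on accepted messages names the local account whose credentials are being used.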
-
10-28-2008, 04:23 PM #7 Junior Guru Wannabe
So, from those bounce-back messages, you can get the real identity of the spammer.
-
04-08-2013, 10:24 AM #8 Disabled
ps -C exim -fH eww | grep home
Very useful to discover spamming accounts.
Thanks sabarishks!