  1. #1

    How to see if a user is sending spam

    Running cPanel/WHM with Exim. How/what logs would be checked to see if a user is sending spam? Well, not for content, but for volume. I have WHM set up with a max of 200 emails per domain per hour, but I don't know how solid that restriction is, and whether it can be surpassed.
    Joe
    www.DollarWebHosting.Biz
    |:| Shared |:| Reseller |:| Dedicated |:|

  2. #2
    /var/log/exim_mainlog
    Datums Internet Solutions, LLC
    Systems Engineering & Managed Hosting Services
    Complex Hosting Consultants

  3. #3
    Join Date: Aug 2003 | Posts: 95
    I have tried, but:
    "-bash: /var/log/exim_mainlog: Permission denied"
    Why?

  4. #4
    Join Date: Apr 2004 | Posts: 96
    Are you logged in as root?

    When you are in SSH, type su -

  5. #5
    Join Date: Aug 2003 | Posts: 95
    Yes, I am root...

    Just type # /var/log/exim_mainlog ?
    Or...

  6. #6
    Join Date: Mar 2003 | Location: California USA | Posts: 13,294
    tail -f /var/log/exim_mainlog

    will show you a running list
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  7. #7
    Join Date: Nov 2000 | Location: localhost | Posts: 3,510
    Code:
    [/usr/sbin]# more /usr/sbin/sendmail
    #!/usr/local/bin/perl
    # Wrapper installed as /usr/sbin/sendmail: logs who called it to
    # /var/log/formmail.log, then passes the arguments and stdin through to
    # the real binary, which has been renamed /usr/sbin/sendmail.real.
    use strict;
    use warnings;
    use Env qw(REMOTE_ADDR SCRIPT_NAME SERVER_NAME PWD);   # only the env vars we read

    my $date = scalar localtime;
    open(my $info, '>>', '/var/log/formmail.log') || die "Failed to open file ::$!";
    my $uid  = $>;                 # effective uid the caller runs as
    my @info = getpwuid($uid);
    if ($REMOTE_ADDR) {
            # CGI caller: the web server exported the request environment
            print $info "$date - $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME\n";
    }
    else {
            # PHP/cron/shell caller: PWD is the directory the script ran from,
            # which identifies the account even when the uid is "nobody"
            print $info "$date - $PWD - @info\n";
    }
    close($info);

    my $mailprog = '/usr/sbin/sendmail.real';
    # List-form pipe open: the arguments reach sendmail.real exactly as given
    # and are never re-parsed by a shell
    open(my $mail, '|-', $mailprog, @ARGV) || die "cannot open $mailprog: $!\n";
    while (<STDIN>) {
            print $mail $_;
    }
    close($mail);
    exit($? >> 8);                 # hand the real sendmail's exit status back
    Someone posted some code similar to the above; I made a few modifications after trying to detect PHP "nobody" users. After dumping a few printenv outputs I found PHP exports PWD when calling an external program such as sendmail. Basically the PWD will show the user directory it is coming from, which is enough to detect who is sending spam even as nobody!
    MattF - Since the start..

  8. #8
    Originally posted by MattF
    [quotes MattF's /usr/sbin/sendmail wrapper script from post #7]
    That's a pretty nifty script there - I think I might consider implementing that.

    In addition to formmail, you can run some kind of parser on your outbound mail logs, which is what we do. We have a script that runs every 6 hours and tallies ALL outgoing mail per domain on the machines; it saves it all to a database and we can easily see who's doing what. It keeps track daily, weekly, monthly and in total. If someone's pushing a lot of outbound messages, we know which domain/user to investigate.
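An added example of the per-domain tally described above (my own code, not the poster's script or cPanel's tooling): a shell function that counts message submissions in /var/log/exim_mainlog by hour, sender domain and submitting identity, and flags any bucket that exceeds a per-hour limit. It reads Exim's standard "<=" arrival lines, takes the identity from the U= field (local uid that ran sendmail) or the A= field (SMTP AUTH login), and ignores "=>" delivery lines. The log lines in sample_exim_mainlog are constructed for the demo, not taken from a real server; the default limit of 200 is an assumption mirroring the WHM per-domain setting from the first post.

```shell
#!/bin/sh
# Tally message submissions in an Exim mainlog per hour, sender domain and
# submitting identity, and flag any bucket over a per-hour limit.
# Only "<=" (message received) lines count; "=>" delivery lines are skipped.
# Usage: tally_exim_senders LOGFILE [LIMIT_PER_HOUR]   (limit defaults to 200)
# Output: "YYYY-MM-DDTHH domain identity count ok|OVER", busiest first.

tally_exim_senders() {
    logfile=$1
    limit=${2:-200}
    awk -v limit="$limit" '
        $4 == "<=" {
            hour = $1 "T" substr($2, 1, 2)                 # e.g. 2004-05-12T10
            sender = $5
            if (sender ~ /@/) {
                domain = substr(sender, index(sender, "@") + 1)
            } else {
                domain = "(bounce)"                        # "<>" null sender
            }
            who = "-"
            for (i = 6; i <= NF; i++) {
                if ($i ~ /^U=/) {
                    who = substr($i, 3)                    # local uid
                } else if ($i ~ /^A=/) {
                    n = split($i, a, ":")                  # A=authenticator:login
                    who = (n > 1) ? a[2] : substr($i, 3)
                }
            }
            count[hour "|" domain "|" who]++
        }
        END {
            for (k in count) {
                split(k, p, "|")
                flag = (count[k] > limit) ? "OVER" : "ok"
                printf "%s %s %s %d %s\n", p[1], p[2], p[3], count[k], flag
            }
        }' "$logfile" | sort -k4,4nr -k2,2
}

# Constructed sample lines (not a real server's log) in Exim's default
# arrival/delivery format, as cPanel's /var/log/exim_mainlog shows them:
# a burst of three local submissions from uid "nobody", one authenticated
# SMTP submission, one delivery line, and one bounce from the null sender.
sample_exim_mainlog() {
    cat <<'EOF'
2004-05-12 10:15:01 1BNkvz-0001Kc-8Q <= nobody@host.example.com U=nobody P=local S=1234 T="cheap meds"
2004-05-12 10:15:02 1BNkw0-0001Kd-9R <= nobody@host.example.com U=nobody P=local S=1240 T="cheap meds"
2004-05-12 10:15:03 1BNkw1-0001Ke-AS <= nobody@host.example.com U=nobody P=local S=1251 T="cheap meds"
2004-05-12 10:15:04 1BNkw1-0001Ke-AS => victim@example.org R=lookuphost T=remote_smtp H=mx.example.org [198.51.100.7]
2004-05-12 10:20:11 1BNkwA-0001Kz-7Q <= joe@client.example.com H=(pc) [203.0.113.5] P=esmtpa A=dovecot_login:joe@client.example.com S=2048 T="hello"
2004-05-12 11:02:45 1BNlXr-0001Mm-3T <= <> R=1BNkw1-0001Ke-AS U=mailnull P=local S=3012 T="Mail delivery failed"
EOF
}

# Demo: a limit of 2 so the burst from "nobody" is flagged as OVER.
demo_log=$(mktemp)
sample_exim_mainlog > "$demo_log"
tally_exim_senders "$demo_log" 2
rm -f "$demo_log"
```

Buckets are keyed on hour, domain and identity together, so a burst from the nobody uid shows up on its own line rather than being folded into a customer's authenticated traffic. On the real log run it as root, e.g. tally_exim_senders /var/log/exim_mainlog 200, and compare the OVER lines with what WHM's hourly limit should have stopped.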

  9. #9
    Join Date: Jul 2002 | Location: Italy | Posts: 344
    Originally posted by MattF
    [quotes MattF's /usr/sbin/sendmail wrapper script from post #7]
    I find this script very nice.

    To use it I should:
    1) rename "sendmail" as "sendmail.real";
    2) save this script as "sendmail";
    3) give it execute permissions.

    Are these steps correct?
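The three steps above as a shell function, added here as an example (not the poster's or cPanel's code) with the checks a practitioner would want before doing this on a live mail server: it refuses to run twice (a second run would move the wrapper itself to sendmail.real, and the wrapper would then pipe into itself), keeps the original sendmail intact as sendmail.real (on cPanel that is a symlink to the exim binary, and mv renames the link rather than copying the binary), syntax-checks a Perl wrapper before installing it, and restores the original if the copy fails. The demo at the bottom works in a scratch directory with a stand-in exim script and a minimal stand-in wrapper constructed for this example; the paths /usr/sbin and /root/sendmail-wrapper.pl in the usage comment are assumptions.

```shell
#!/bin/sh
# Install a wrapper in front of the real sendmail binary:
#   1) rename sendmail to sendmail.real   2) copy the wrapper in as sendmail
#   3) make it executable
# with guards so the steps cannot break mail or be applied twice.
# Usage: install_sendmail_wrapper SBIN_DIR WRAPPER_FILE
#        e.g. install_sendmail_wrapper /usr/sbin /root/sendmail-wrapper.pl

install_sendmail_wrapper() {
    sbin=$1
    wrapper=$2
    target="$sbin/sendmail"
    real="$sbin/sendmail.real"

    [ -f "$wrapper" ] || { echo "wrapper $wrapper not found" >&2; return 1; }
    [ -e "$target" ]  || { echo "nothing to wrap at $target" >&2; return 1; }
    if [ -e "$real" ]; then
        # Running the steps again would rename the wrapper to sendmail.real,
        # and the wrapper would then call itself forever.
        echo "$real already exists: wrapper appears to be installed, refusing" >&2
        return 1
    fi
    if head -n 1 "$wrapper" | grep -q perl && command -v perl >/dev/null 2>&1; then
        perl -c "$wrapper" >/dev/null 2>&1 || { echo "$wrapper fails perl -c" >&2; return 1; }
    fi
    mv "$target" "$real" || return 1                             # step 1
    if ! cp "$wrapper" "$target" || ! chmod 755 "$target"; then  # steps 2 and 3
        mv "$real" "$target"                                     # roll back
        echo "install failed, original restored at $target" >&2
        return 1
    fi
    [ -x "$real" ] || echo "warning: $real is not executable" >&2
    echo "installed $target (original kept as $real)"
}

# Demo in a scratch directory instead of /usr/sbin: a stand-in "exim" script,
# the sendmail -> exim symlink cPanel ships, and a minimal stand-in wrapper
# (all constructed for this demo; the stand-in is not the logging wrapper
# from the thread, it only execs sendmail.real next to itself).
demo_dir=$(mktemp -d)
printf '#!/bin/sh\necho "real sendmail got: $*"\n' > "$demo_dir/exim"
chmod 755 "$demo_dir/exim"
ln -s exim "$demo_dir/sendmail"
cat > "$demo_dir/wrapper.pl" <<'EOF'
#!/usr/bin/perl
exec "$0.real", @ARGV or die "cannot exec $0.real: $!";
EOF
install_sendmail_wrapper "$demo_dir" "$demo_dir/wrapper.pl"
if command -v perl >/dev/null 2>&1; then
    perl "$demo_dir/sendmail" -t -i </dev/null    # reaches the stand-in exim
fi
rm -rf "$demo_dir"
```

Re-check after any Exim or cPanel update: a package update may put the stock /usr/sbin/sendmail symlink back and silently bypass the wrapper, and the already-exists guard makes re-running the installer safe in that case only after the stale sendmail.real has been looked at and removed by hand.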
