
Thread: SMTP Spamming?

  1. #1
    Join Date
    Oct 2004
    In my imagination

    SMTP Spamming?

    Hey guys,
    I'm having a bit of confusion tracking down a spammer on the server. It seems that they are using SMTP for their spamming activities, but the weird thing is that I can't get a username or an IP, because when they spam it shows as coming from localhost. I have some snippets from the WHM Manage Mail Queue:

    mailnull 47 12
    1122787933 0
    -ident mailnull
    -received_protocol local
    -body_linecount 72
    -frozen 1122847770
    [email protected]

    153P Received: from mailnull by with local (Exim 4.50)
    id 1Dz6Qn-0007Pf-HD
    for [email protected]; Sun, 31 Jul 2005 01:32:13 -0400
    047 X-Failed-Recipients: [email protected]
    031 Auto-Submitted: auto-generated
    064F From: Mail Delivery System <[email protected]>
    027T To: [email protected]
    059 Subject: Mail delivery failed: returning message to sender
    053I Message-Id: <[email protected]>
    038 Date: Sun, 31 Jul 2005 01:32:13 -0400

    Then the BOUNCEBACK:

    This message was created automatically by mail delivery software.

    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:

    [email protected]
    SMTP error from remote mailer after RCPT TO:<[email protected]>:
    host []: 550 [email protected]...User unknown

    ------ This is a copy of the message, including all the headers. ------

    Return-path: <[email protected]>
    Received: from localhost ([]:45198
    by with esmtp (Exim 4.50)
    id 1Dz6Qj-0007PJ-87
    for [email protected]; Sun, 31 Jul 2005 01:32:09 -0400
    Message-Id: <[email protected]>
    X-Delivered-To: [email protected]
    Date: Sun, 31 Jul 2005 04:32:09 -0100
    Received: (from [email protected]) by localhost ( id 2343242 Sun, 31 Jul 2005 04:32:09 -0100
    X-Sender: <[email protected]>
    Mime-Version: 1.0
    From: <[email protected]>
    To: "patrisia chavez" <[email protected]>
    Subject: Insanity!
    Reply-To: <[email protected]>
    Message-ID: <sid=44048736&rid=28915&seq=2&[email protected]>
    Content-Type: text/plain; charset="iso-8859-1"

    Hi patrisia,

    A short time ago, a friend shared the following thought....

    The definition of INSANITY is.....doing the same things over and over, and expecting different results......

    When you think about it, it's absolutely true. If you are not happy with your situation for any reason....whether you desire more time....more money....more freedom in general....
    You must change from the way you have always done things.

    I'm really not trying to sell you anything.....but I will share with you information that can help you accomplish all of your lifes goals.....and take control of your financial destiny....

    Take the next 5 minutes and watch my short movie....Just click on the link, and you will start down the path so many others have followed to achieving their dreams....

    Contact me anytime by phone or email, and I will show you just how easy it is to get started.

    I look forward to hearing from you soon!!!

    John J Evans
    [email protected]

    Stop! Claim your 50 exclusive tryout leads before they go stale.
    Plus get 30 day autoresponder trial - No Cost, No Exceptions! [ For Limited Time Only ]

    Sender's Address:
    John Evans
    5071 S 4600 W
    Samaria ID 83252
    United States
    Sender's Email: [email protected]

    To unsubscribe or change subscriber options visit:

    and something from ssh would look like:

    2005-07-31 19:12:21 SMTP connection from localhost ( [127.0.0.1]:39879 I=[]:25 closed by QUIT
    2005-07-31 19:12:21 1DzMyj-0001nT-87 <= [email protected] H=localhost (the []:39881 I=[]:25 P=esmtp S=1636 id=93875628444.[email protected] T="Remember that part-time gig?" from <monica@> for [email protected]
    2005-07-31 19:12:21 SMTP connection from []:39884 I=[]:25 (TCP/IP connection count = 2)
    2005-07-31 19:12:21 SMTP connection from localhost ( []:39881 I=[]:25 closed by QUIT

    I'm usually able to fix things like this, but this is something else to me. I've tailed the logs, installed phpsuexec and a sendmail mod that helps with tracking, and added the choon mod for PHP script mail tracking.

    The above domains aren't hosted on our servers either. Any and all help will be greatly appreciated.
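
The log lines in the post above already say why no username turns up: mail injected through the sendmail binary is logged by Exim with P=local and a U=<unix user> field, whereas these messages arrive with P=esmtp from 127.0.0.1, meaning some process opened its own TCP socket to port 25. That path never goes through PHP's mail() (so a mail() patch cannot stamp an X-PHP-Script header on it) and leaves Exim with nothing but an ephemeral source port. The following is an added example, not code from anyone in the thread: a Python parser for Exim 4 mainlog "<=" arrival lines that classifies each message by injection path and joins loopback submissions to a process-table snapshot (for instance from `lsof -nP -iTCP@127.0.0.1:25` or `ss -tnp`, taken while the connection is still open) on that source port. The log lines, host names, addresses, message ids, PIDs and process names are constructed to mirror the shape of the ones quoted above.

```python
"""Classify Exim 4 mainlog arrival ("<=") lines by injection path.

Added example for this thread, not code from any poster. Sample log lines,
addresses, ids, PIDs and process names are constructed.
"""
import re

# "<date> <time> <msgid> <= <sender> <key=value tokens...>"
ARRIVAL_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$')
# H=<name> (<helo>) [<ip>]:<port>   (helo and port are optional in the log)
HOST_RE = re.compile(
    r'H=(?P<name>\S+)(?: \((?P<helo>[^)]*)\))? \[(?P<ip>[^\]]*)\](?::(?P<port>\d+))?')
# Single-letter Exim fields: P=protocol, U=unix user, A=authenticator:id, T="subject"
FIELD_RE = re.compile(r'\b(?P<k>[A-Z])=(?P<v>"[^"]*"|\S+)')


def parse_arrival(line):
    """Return the useful fields of an Exim '<=' line as a dict, or None."""
    m = ARRIVAL_RE.match(line)
    if not m:
        return None
    rec = {'ts': m['ts'], 'id': m['id'], 'sender': m['sender'],
           'proto': None, 'user': None, 'auth': None,
           'ip': None, 'port': None, 'subject': None}
    rest = m['rest']
    h = HOST_RE.search(rest)
    if h:
        rec['ip'] = h['ip'] or None          # redacted "[]" becomes None
        rec['port'] = int(h['port']) if h['port'] else None
        rest = rest[:h.start()] + rest[h.end():]   # keep H=... out of FIELD_RE's way
    for f in FIELD_RE.finditer(rest):
        k, v = f['k'], f['v'].strip('"')
        if k == 'P':
            rec['proto'] = v
        elif k == 'U':
            rec['user'] = v
        elif k == 'A':
            rec['auth'] = v
        elif k == 'T':
            rec['subject'] = v
    return rec


def classify(rec):
    """Return (kind, handle): how the message entered Exim and what identifies the submitter."""
    if rec['proto'] == 'local':
        # Piped into the sendmail binary: Exim records the calling Unix user in U=.
        return 'local-sendmail', rec['user']
    if rec['ip'] in ('127.0.0.1', '::1'):
        # A process on this host spoke SMTP to port 25 over loopback. There is
        # no U= field; the ephemeral source port is the only handle Exim has.
        return 'loopback-socket', rec['port']
    if rec['auth']:
        return 'authenticated-remote', rec['auth']
    return 'remote', rec['ip']


def match_process(rec, connections):
    """Join a loopback submission to a process-table snapshot on its source port.

    `connections` holds (local_port, pid, user, command) tuples captured while
    the SMTP connection was open; the port is the only key both views share.
    """
    for port, pid, user, command in connections:
        if port == rec['port']:
            return {'pid': pid, 'user': user, 'command': command}
    return None


def audit(log_text, connections=()):
    """Parse every arrival line in `log_text` and return one finding per message."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_arrival(line)
        if rec is None:                 # connection open/close lines, deliveries, ...
            continue
        kind, handle = classify(rec)
        finding = {'id': rec['id'], 'ts': rec['ts'], 'kind': kind,
                   'handle': handle, 'subject': rec['subject']}
        if kind == 'loopback-socket':
            finding['process'] = match_process(rec, connections)
        findings.append(finding)
    return findings


# Constructed sample log, modelled on the lines quoted in the first post.
SAMPLE_LOG = """\
2005-07-31 19:12:20 1DzMyi-0001nQ-Aa <= bob@example.net U=bob P=local S=812 T="weekly report"
2005-07-31 19:12:21 1DzMyj-0001nT-87 <= monica@example.org H=localhost (the-host) [127.0.0.1]:39881 I=[127.0.0.1]:25 P=esmtp S=1636 id=93875628444.JavaMail@example.org T="Remember that part-time gig?" from <monica@example.org> for victim@example.com
2005-07-31 19:12:21 SMTP connection from localhost (the-host) [127.0.0.1]:39881 I=[127.0.0.1]:25 closed by QUIT
2005-07-31 19:12:25 1DzMyn-0001nX-Pq <= alice@example.com H=mail.example.com [192.0.2.10]:51022 I=[198.51.100.5]:25 P=esmtpa A=login:alice S=2210 T="invoice"
"""
# Constructed snapshot of who held the loopback connection at 19:12:21.
SAMPLE_CONNECTIONS = [(39881, 4417, 'nobody', 'perl ./mailer.pl')]

if __name__ == '__main__':
    for finding in audit(SAMPLE_LOG, SAMPLE_CONNECTIONS):
        print(finding)
```

Two practical notes. The connection in the quoted log is opened and closed within the same second, so the process snapshot has to be taken continuously (a tight `lsof`/`ss` loop, or a per-connection hook in the MTA) rather than after the fact. And of the two Received: headers in the bounced copy, only the top one ("from localhost ... with esmtp (Exim 4.50)") was written by Exim; the lower one with the -0100 timestamps sits inside the message the client submitted and is whatever the sending program chose to write.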

  2. #2
    Join Date
    May 2002
    Recompile your PHP with this patch; it should help you find spammers who use PHP for sending email.
    Also check your server for open relay.
    Rustelekom LLC Dedicated server since 2002, RIPE NCC member, LIR, AS51168

  3. #3
    Join Date
    Oct 2004
    In my imagination
    Yeah, I've installed that patch and it's working now, but I guess it isn't a PHP script that they are using, since it isn't in there (the X-PHP-Script in the header).

    I've also run several open relay tests, such as the ORDB test, and all of them have come back negative.

    Any other ideas?

  4. #4
    Join Date
    Oct 2004
    I have a similar problem, do you have any idea?

  5. #5
    Join Date
    Feb 2005
    It need not be a PHP script. Check for things like formmail scripts, or any other script that tries to send mail.

  6. #6
    Join Date
    Aug 2004
    Great thanks to Odhinn from who caught the guy and gave the solution!

    We just tracked him down on one of our servers...
    Marie - Co-Owner
    Need Further Assistance? Here you go!
    English, French and Spanish support
