
Thread: spammers help

  1. #1
    Join Date
    Nov 2006
    Posts
    185

    spammers help

    Hi,

    It looks like someone is spamming from our server. I have checked exim_mainlog and got this info.


    2007-01-23 03:12:32 1H99Fz-0004wl-RV => [email protected] R=lookuphost T=remote_smtp H=mail.erio.com [217.220.27.241]
    2007-01-23 03:12:40 1H99Fz-0004wl-RV => [email protected] R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32]
    2007-01-23 03:12:40 1H99Fz-0004wl-RV -> [email protected] R=lookuphost T=remote_smtp H=mx00.mail.bellsouth.net [205.152.58.32]


    In the log file it is showing like this.

    2007-01-22 19:11:24 1H99Fz-0004wm-Vp <= <> R=1H99Fz-0004wl-RV U=mailnull P=local S=605030
    2007-01-22 19:11:24 1H99Fz-0004wl-RV <= [email protected] U=churchre P=local S=3558 id=23894.217.194.149.171.1169511083....[email protected]

    I couldn't find who is sending. Any help would be appreciated.

    thanks

  2. #2
    Join Date
    Apr 2005
    Location
    San Francisco, CA
    Posts
    1,029
    Check Rack911.com - he has good experience with situations like this one.

  3. #3
    Join Date
    Nov 2006
    Posts
    185
    I would like to resolve it by myself. If you have any suggestions, let me know.

  4. #4

  5. #5
    Join Date
    Nov 2006
    Posts
    185
    Thanks guys,

    I have blocked the IP using iptables, but this is the information in the header. This is the header for the spam mail. Can we find how they sent it from this info? Can we debug using the Message-ID?

    169P Received: from cpanel by xxx.*********** with local (Exim 4.63)
        (envelope-from <[email protected]>)
        id 1HAfI5-00030L-0T; Fri, 26 Jan 2007 23:35:49 -0500
    130P Received: from 217.194.149.171 ([217.194.149.171]) by xx.xx.xx.xx (Horde
        MIME library) with HTTP; Fri, 26 Jan 2007 23:35:47 -0500
    057I Message-ID: [email protected]
    038 Date: Fri, 26 Jan 2007 23:35:47 -0500
    046F From: MRS RUTH JAWAD <[email protected]>
    029T To: undisclosed-recipients:;
    031 Subject: SEEKING FOR YOUR HELP
    018 MIME-Version: 1.0
    078 Content-Type: text/plain;
        charset=ISO-8859-1;
        DelSp="Yes";
        format="flowed"
    028 Content-Disposition: inline
    044 Content-Transfer-Encoding: quoted-printable
    056 User-Agent: Internet Messaging Program (IMP) H3 (4.1.3)


    Thank You
    Koppan
    Last edited by koppan; 01-28-2007 at 10:35 AM.
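    As an added example (not code from the thread, cPanel, Exim or Horde), the two checks discussed here worked in Python: joining exim_mainlog "<=" arrival lines, which carry the local U= user, to the "=>"/"->" delivery lines to see which local account fanned out to the most recipients, and pulling the submitting client's IP out of a Horde "with HTTP" Received header like the one above. The log lines and headers are constructed samples with placeholder users, addresses, message ids and IPs; the "NNNF " length/flag prefix on the header lines is assumed to match the paste above.

```python
import re
from collections import Counter

# Constructed exim_mainlog sample (placeholder users, addresses, ids, IPs); '<=' = arrival carrying the local U= user, '=>'/'->' = delivery.
EXIM_LOG = """\
2007-01-22 19:11:24 1H99Fz-0004wl-RV <= user@example.invalid U=churchre P=local S=3558
2007-01-22 19:11:24 1H99Fz-0004wm-Vp <= <> R=1H99Fz-0004wl-RV U=mailnull P=local S=605030
2007-01-23 03:12:32 1H99Fz-0004wl-RV => a@example.invalid R=lookuphost T=remote_smtp H=mx.example.invalid [192.0.2.10]
2007-01-23 03:12:40 1H99Fz-0004wl-RV -> b@example.invalid R=lookuphost T=remote_smtp H=mx.example.invalid [192.0.2.10]
2007-01-23 03:12:40 1H99Fz-0004wl-RV -> c@example.invalid R=lookuphost T=remote_smtp H=mx.example.invalid [192.0.2.10]
"""
ARRIVAL = re.compile(r"^\S+ \S+ (?P<id>\S+) <= \S+ .*?U=(?P<user>\S+)")
DELIVERY = re.compile(r"^\S+ \S+ (?P<id>\S+) (?:=>|->) \S+")

def recipients_per_local_user(log):
    """Join arrivals to deliveries by message id; count recipients per local user."""
    owner = {m["id"]: m["user"] for m in map(ARRIVAL.match, log.splitlines()) if m}
    counts = Counter()
    for m in map(DELIVERY.match, log.splitlines()):
        if m and m["id"] in owner:
            counts[owner[m["id"]]] += 1
    return counts  # one account fanning out to many recipients is the tell

# Constructed headers shaped like the paste above: 'NNNF ' length/flag prefix on
# each header line (assumed format), folded continuation lines indented.
HEADERS = """\
169P Received: from cpanel by host.example.invalid with local (Exim 4.63)
130P Received: from 198.51.100.7 ([198.51.100.7]) by host.example.invalid (Horde
    MIME library) with HTTP; Fri, 26 Jan 2007 23:35:47 -0500
057I Message-ID: <placeholder@example.invalid>
"""
WEBMAIL = re.compile(r"^Received: from \S+ \(\[(?P<ip>[\d.]+)\]\) by \S+ \((?P<agent>[^)]*)\) with HTTP")

def unfold_headers(raw):
    """Drop the length/flag prefix and join folded continuation lines onto their header."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(re.sub(r"^\d+[A-Z*]? +", "", line))
    return out

def webmail_origin(raw):
    """(client_ip, agent) from a 'with HTTP' Received header, else None."""
    for h in unfold_headers(raw):
        m = WEBMAIL.match(h)
        if m:
            return m["ip"], m["agent"]  # the browser session that used webmail
    return None
```

    The client IP from the webmail Received header is the one to look up in the Apache access log and the cPanel webmail logs, and the U= user is the account to suspend.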

  6. #6
    Join Date
    Mar 2004
    Location
    New Jersey
    Posts
    793
    Edit: Are they using Horde to send it out? I would def debug using ID and grep your access logs in apache for that IP to see where they are coming in..

  7. #7
    Join Date
    Feb 2005
    Location
    Toronto, Canada
    Posts
    5,158
    Try ConfigServer Security & Firewall and ban the IPs with that. It's very simple to install and use.

  8. #8
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    In all honesty you need to find the root cause. I don't see how blocking ips will stop outgoing spam. All you are doing is delaying fixing the problem, and contributing to the spam problem on the internet and risking your ips being blacklisted and your service provider being very upset.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  9. #9
    Banning the IP is the best solution.

  10. #10
    Join Date
    Jul 2004
    Location
    Texas
    Posts
    687
    Quote Originally Posted by Steven
    In all honesty you need to find the root cause. I don't see how blocking ips will stop outgoing spam. All you are doing is delaying fixing the problem, and contributing to the spam problem on the internet and risking your ips being blacklisted and your service provider being very upset.
    This is the best thing you can do. Please, do us a favor by not sending spam and fix it ASAP.
    Hello

  11. #11
    Join Date
    Nov 2006
    Posts
    185
    Thank you for your reply, guys. These guys are changing the IP address, and blocking the IP address is not a good solution. If they are sending them using Horde, how can we debug? Any help would be appreciated.

  12. #12
    Join Date
    Nov 2006
    Posts
    185
    I finally found this from checking through the cPanel log file. Thank you for all of your help. If anyone is spamming from webmail, we can easily track it down since cPanel is logging their information.

    Thanks Again.
    Koppan

  13. #13
    Join Date
    Mar 2004
    Location
    New Jersey
    Posts
    793
    You need to stop exim, stop chkservd and find the problem by grep'ing your logs and figuring out what they are using to send the spam. A weak php script? Exim itself? Horde (I see horde in the headers)? But stopping them is first priority.

  14. #14
    Join Date
    Nov 2006
    Posts
    185
    Hi Serversphere,

    Thanks again for your input. I know they spammed through webmail. Do I still need to check the PHP scripts? I already suspended the account. I am not sure how they sent them using Horde.

  15. #15
    Join Date
    Mar 2004
    Location
    New Jersey
    Posts
    793
    Horde mail would be through the web. Since suspending have your troubles gone away?

  16. #16
    Join Date
    Nov 2006
    Posts
    185
    Yes, it is gone after 1.5 days. I normally find the pid and go to /proc/xxxx and find out the script; this time it took long.

    Are there any standard guides to finding spammers?

    Thank you for your input and help.

  17. #17
    Join Date
    Mar 2004
    Location
    New Jersey
    Posts
    793
    Do a search over on the cpanel forum at cpanel.net, there are a couple threads about finding spammers on your cpanel box there. Glad you got em off there.

  18. #18
    Join Date
    Nov 2006
    Posts
    185
    Yes, after I suspended the account everything seems to be fine, but I am not sure how it was done.
