  1. #1

    I keep seeing spam emails in my mail queue

    I contacted the guys who I pay to watch over my Linux cPanel server and I do not think they know how to fix the problem. When I look in my mail queue manager in WHM I always see these spam type emails. I also see that my site IP gets blacklisted on:

    http://www.kloth.net/services/dnsbl.php

    I delist and then it appears again a couple of days later. My server is only used to send emails such as registrations and user notifications that they have subscribed to. Could anyone please tell me how to get rid of the spam?

  2. #2
    Moved > Technical & Security Issues.


  3. #3
    Just remove spamming users from your server.

  4. #4
    Just an update in case I didn't provide enough details. When I log in to WHM and view the mail statistics, it shows a list and the ones in all CAPS text appear to be spam. In fact all of them may be spam since I only recognized PayPal and 2CO on the list (which I removed from this post) because none of those domains are mine:

    Top 50 sending hosts by message count

    Messages Bytes Average Sending host
    4154 11MB 2776 local
    23 60KB 2671 xosa.lunarpages.com
    14 33KB 2413 efwd.dnsix.com
    9 30KB 3413 outbound1.den.paypal.com
    6 11KB 1877 (exchange1.linkmarket.net)
    5 36KB 7372 lavalinx.com
    4 11KB 2816 ternlast.com
    3 54KB 18KB (lewescrop.com)
    3 54KB 18KB (HARRINGTONTORY.COM)
    3 54KB 18KB (LEWESATION.COM)
    3 54KB 18KB (LEWESRANGE.COM)
    3 54KB 18KB (LEWESERY.COM)
    3 20KB 6826 (mail.worldweighted.com)
    3 18KB 6144 (mail.advisedaccount.com)
    3 12KB 4096 termsonleft.com
    3 5748 1916 (xserve)
    2 36KB 18KB (LEWESYARD.COM)
    2 36KB 18KB (HARRINGTONAGE.COM)
    2 36KB 18KB (MILFORDCROP.COM)
    2 11KB 5632 mail1.emn-mysavingsnow.net
    2 11KB 5632 web52801.mail.re2.yahoo.com
    2 9539 4769 littleranktall.com
    2 8864 4432 paragraphmaple.com
    2 8295 4147 packfortent.com
    2 6836 3418 eth0.voyager.ecore.net
    2 6593 3296 houselightlevel.com
    2 6483 3241 (sms.globul.bg)
    2 5803 2901 ([89.120.136.25])
    2 4964 2482 lb01nat30.inode.at
    2 2938 1469 host128-111-static.107-82-b.business.telecomitalia.it
    2 2540 1270 (lucky.buzhost.net)
    1 92KB 92KB me24430.mailengine2.com
    1 76KB 76KB (sd2402.sivit.org)
    1 46KB 46KB portal.inoapps.com
    1 32KB 32KB owmta2-2.ientrynetwork.net
    1 32KB 32KB (leadbelly.ipswitch.com)
    1 26KB 26KB mm-retail-out-1104.amazon.com
    1 18KB 18KB (HARRINGTONRANGE.COM)
    1 18KB 18KB (MILFORDRANGE.COM)
    1 17KB 17KB atilla.spangdahlem.af.mil
    1 16KB 16KB pvhkmail3.householdaccount.com
    1 15KB 15KB mm-notify-out-1105.amazon.com
    1 10KB 10KB wpc3324.host7x24.com
    1 9702 9702 smtp.eletters.ziffdavis-announces.com
    1 9665 9665 monobeamback.com
    1 9421 9421 spam.glis.cc
    Could you please tell me how to stop this spam? Thanks.

  5. #5
    Ok it looks like a new spam email appeared in my mail queue since creating this topic. I will copy and paste what it says and I replaced my real domain with "my_domain_here" in this post:

    Here are the headers (I think that is what they are called):

    Code:
    1JtjPR-0008SA-0k-H
    mailnull 47 12
    <>
    1210165813 0
    -ident mailnull
    -received_protocol local
    -body_linecount 2777
    -max_received_linelength 163
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -frozen 1210165813
    -localerror
    XX
    1
    phentremine@HARRINGTONSTEAD.COM
    
    161P Received: from mailnull by family.my_domain_here.com with local (Exim 4.68)
    	id 1JtjPR-0008SA-0k
    	for phentremine@HARRINGTONSTEAD.COM; Wed, 07 May 2008 08:10:13 -0500
    046  X-Failed-Recipients: root@family.my_domain_here.com
    029  Auto-Submitted: auto-replied
    063F From: Mail Delivery System <Mailer-Daemon@family.my_domain_here.com>
    036T To: phentremine@HARRINGTONSTEAD.COM
    059  Subject: Mail delivery failed: returning message to sender
    052I Message-Id: <E1JtjPR-0008SA-0k@family.my_domain_here.com>
    038  Date: Wed, 07 May 2008 08:10:13 -0500
    Then part of the message. It is really long, so I cut it down:

    1JtjPR-0008SA-0k-D
    This message was created automatically by mail delivery software.

    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:

    root@family.my_domain_here.com
    (generated from nobody@family.my_domain_here.com)
    retry timeout exceeded

    ------ This is a copy of the message, including all the headers. ------

    Return-path: <phentremine@HARRINGTONSTEAD.COM>
    Received: from [69.42.63.12] (helo=HARRINGTONRANGE.COM)
    by family.my_domain_here.com with esmtp (Exim 4.68)
    (envelope-from <phentremine@HARRINGTONSTEAD.COM>)
    id 1JtjPN-0008S6-N3
    for nobody@family.my_domain_here.com; Wed, 07 May 2008 08:10:10 -0500
    Received: by HARRINGTONRANGE.COM id h46l300cd90d for <nobody@family.my_domain_here.com>; Wed, 7 May 2008 09:10:06 -0400 (envelope-from <phentremine@HARRINGTONSTEAD.COM>)
    Received: by kilograms.HARRINGTONSTEAD.COM id xhp7kpgywxfa; Wed, 7 May 2008 09:10:06 -0400 (envelope-from phentremine@HARRINGTONSTEAD.COM)
    From: "Phentremine" <phentremine@HARRINGTONSTEAD.COM>
    To: <nobody@family.my_domain_here.com>
    Subject: =?iso-8859-1?B?QW1lcmljYXMgU3Ryb25nZXN0IEFwcGV0aXRlIFN1cHByZXNzYW50IC0gRlJFRSBUUklBTCEg=?=
    Date: Wed, 7 May 2008 09:10:06 -0400
    MIME-Version: 1.0
    Content-Type: text/html;
    Thread-Index: nkskhs3l6zfgsuu276vbao0b8corf9xrcf9hukpe7ze4j
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
    Message-Id: <20060905182978.B8C1187172B6B7A44D5A99@HARRINGTONSTEAD.COM>
    Status:
    X-cPanel-MailScanner-Information: Please contact the ISP for more information
    X-cPanel-MailScanner: Not scanned: please contact your Internet E-Mail Service Provider for details
    X-cPanel-MailScanner-SpamCheck:
    X-cPanel-MailScanner-From: phentremine@harringtonstead.com
    X-Spam-Status: No

    <!--


    inbox <br msg dallasnews irr dutt <br blackberry indexes /> americas />

    compiling <br richiedono <br undrar /> cazzo significa fremden gute cees january identit previews vado />


  6. #6
    Well, you can also try to install the SpamAssassin service, which I think will solve your problems somewhat.

    Another solution is to set up a catchall address for all your domains.

    I hope this helps.

  7. #7
    SpamAssassin is already installed on my server and it does a good job of blocking emails to my own account. Not sure what catchall is. Thanks.

  8. #8
    Originally posted by lexington:
    When I look in my mail queue manager in WHM I always see these spam type emails. I also see that my site IP gets blacklisted on:
    You need to enable extended logging in exim.conf and search the exim logs for any spamming script under any account. The log will show cwd entries which will point to the specific directory from where the mails originated.

    Code:
    log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn
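
    Added example, not part of any post in this thread: with `+arguments` in `log_selector`, exim writes a `cwd=<directory>` line each time it is invoked locally, so ranking those directories shows which account's script is handing mail to exim. The function names, the sample log lines and the account paths below are constructed for illustration.

```shell
#!/bin/sh
# count_cwd LOGFILE
# Rank the working directories from which exim was invoked locally.
# Relevant log lines look like:
#   <date> <time> cwd=/home/user/public_html 3 args: /usr/sbin/sendmail -t -i
count_cwd() {
    awk '
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^cwd=/) {
                    dir = substr($i, 5)
                    # exim queue runs and deliveries start in the spool
                    # directory; they are not scripts submitting mail
                    if (dir ~ /^\/var\/spool/) next
                    n[dir]++
                    next
                }
            }
        }
        END { for (d in n) printf "%d %s\n", n[d], d }
    ' "$1" | sort -rn
}

# Constructed sample log (not taken from the thread).
sample_log() {
    cat <<'EOF'
2008-05-07 08:10:10 cwd=/home/exampleuser/public_html/forum 3 args: /usr/sbin/sendmail -t -i
2008-05-07 08:10:11 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1AAAAA-000001-AA
2008-05-07 08:10:12 cwd=/home/exampleuser/public_html/forum 3 args: /usr/sbin/sendmail -t -i
2008-05-07 08:10:13 1AAAAA-000001-AA <= nobody@host.example U=nobody P=local S=2776
2008-05-07 08:10:14 cwd=/home/otheruser/public_html 3 args: /usr/sbin/sendmail -t -i
2008-05-07 08:10:15 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1AAAAA-000002-AA
2008-05-07 08:10:16 cwd=/home/exampleuser/public_html/forum 3 args: /usr/sbin/sendmail -t -i
EOF
}

# Demonstration on the constructed sample.
log=$(mktemp)
sample_log > "$log"
count_cwd "$log"
rm -f "$log"
```

    On a cPanel server the exim main log is normally /var/log/exim_mainlog; pass that path to count_cwd instead of the sample. A directory path containing spaces is cut at the first space.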

  9. #9
    This helped me to catch a spammer account.

    http://www.webhostgear.com/118.html
