CPANEL - Exim be spammed by mailnull

#1  10-25-2008, 10:28 AM  jonathan184 (Junior Guru Wannabe; Join Date: Feb 2005; Posts: 34)
need cpanel fixed in linux from being spammed in exim
Hi, the problem is the server is being spammed, sending emails. There are exim processes being created by uid 47 and mailnull that are consuming the memory and crashing the system.
I have seen the account in the passwd and groups in shadow.
I tried to comment it out but exim will not run. Only when the accounts are uncommented will exim run, and then it starts flooding with spam email and spawning new processes until all the memory is consumed.
The spammer accounts are mailnull, I am guessing. So I need some help to fix the spamming issue.
The httpd is being run by the nobody account. I might need some help on this too.
Any help would be greatly appreciated.
It's a Linux box:
2.6.18-53.1.4.el5 #1 SMP Wed Nov 14 10:37:33 EST 2007 i686 i686 i386 GNU/Linux

#2  10-25-2008, 10:48 AM  Zishan (Guest; Posts: n/a)
In WHM > Exim Configuration Editor, click Advanced Editor
Add this in first text area:
log_selector = +address_rewrite +all_parents +arguments +subject
Browse to the bottom of the page and click Save. Then run the following command and you will get a detailed log showing where the spam emails are being sent from:
tail -f /var/log/exim_mainlog

#3  10-25-2008, 12:26 PM  jonathan184 (Junior Guru Wannabe; Join Date: Feb 2005; Posts: 34)
The log did not really help much in locating the source. These are the processes spawning, and they keep increasing:
mailnull 12487 0.3 0.0 10136 964 ? Ss 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12493 0.0 0.0 10136 912 ? Ss 09:13 0:00 /usr/sbin/exim -tls-on-connect -bd -oX 465
mailnull 12521 0.4 0.1 11224 3900 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12522 0.3 0.1 11224 3884 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12532 0.5 0.2 11228 4580 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12537 0.4 0.1 11224 3908 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12538 0.4 0.1 11224 3884 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12541 0.4 0.1 11224 3908 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12546 0.3 0.1 11224 3876 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12550 0.0 0.0 10192 1920 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12565 0.4 0.1 11224 3876 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12566 0.4 0.1 11224 3900 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12571 0.4 0.1 11228 3908 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12576 0.4 0.1 11224 3908 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12586 0.3 0.1 11228 3884 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12596 0.4 0.1 11224 3884 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12613 0.4 0.1 11224 3900 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12621 0.4 0.1 11224 3908 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12630 0.4 0.1 11224 3876 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12662 0.5 0.1 11228 3836 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12665 0.4 0.1 11224 3900 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12666 0.4 0.1 11224 3884 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12675 0.3 0.1 11224 3900 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12698 0.5 0.1 11224 3876 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12699 0.6 0.1 11224 3876 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12702 0.6 0.2 11232 4596 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12707 0.5 0.1 11224 3900 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12740 0.6 0.2 11228 4608 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12742 0.5 0.1 11224 3900 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12755 0.5 0.1 11224 3900 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12758 0.5 0.1 11224 3900 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12762 0.5 0.1 11224 3876 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
mailnull 12767 0.5 0.1 11224 3884 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m

#4  10-25-2008, 12:28 PM  jonathan184 (Junior Guru Wannabe; Join Date: Feb 2005; Posts: 34)
This is in the log you told me to look at:
/var/log/exim_mainlog
2008-10-25 10:03:20 1Ktkfe-0004So-Uf SMTP connection from mail.marionareachamber.org (marionareachamber.org) [66.219.135.169] closed after SIGTERM
2008-10-25 10:03:20 1Ktkfb-0004Sj-Q3 SMTP connection from (mail.0incondotta.com) [66.232.118.190] closed after SIGTERM
2008-10-25 10:03:20 1Ktkfb-0004SZ-3j SMTP connection from mx1.aball.de [212.76.144.42] closed after SIGTERM
2008-10-25 10:03:20 1Ktkfb-0004SU-RT SMTP connection from (mail2.fransmaas.com) [212.72.49.204] closed after SIGTERM
2008-10-25 10:03:20 1KtkfZ-0004SM-Vz SMTP connection from (gw.ecro.ro) [82.76.46.16] closed after SIGTERM
2008-10-25 10:03:20 1KtkfY-0004SK-IP SMTP connection from mail.finn.pl [194.24.181.150] closed after SIGTERM
2008-10-25 10:03:20 1KtkfX-0004SD-Au SMTP connection from mx1.aball.de [212.76.144.42] closed after SIGTERM
2008-10-25 10:03:20 1KtkfU-0004SA-UH SMTP connection from ks354294.kimsufi.com [91.121.101.119] closed after SIGTERM
2008-10-25 10:03:20 1KtkfR-0004S1-40 SMTP connection from (main.digital-thought.net) [212.57.233.62] closed after SIGTERM
2008-10-25 10:03:20 1KtkfP-0004Rw-VD SMTP connection from (mwz-cpa.com) [68.250.28.105] closed after SIGTERM
2008-10-25 10:03:20 1KtkfQ-0004Rt-RJ SMTP connection from dwhs125.dwhs.net [66.249.137.125] closed after SIGTERM
2008-10-25 10:03:20 1KtkfN-0004Rm-Fi SMTP connection from ks354294.kimsufi.com [91.121.101.119] closed after SIGTERM
2008-10-25 10:03:20 1KtkfO-0004Ro-6n SMTP connection from dvorak.siteprotect.com [64.26.0.12] closed after SIGTERM
2008-10-25 10:03:20 1KtkfN-0004Rf-Ot SMTP connection from enm36.neoplus.adsl.tpnet.pl [83.20.2.36] closed after SIGTERM
2008-10-25 10:03:20 1KtkfN-0004Rd-PB SMTP connection from mail1.zimmermann-vital.de [212.77.180.140] closed after SIGTERM
2008-10-25 10:03:20 1KtkfN-0004Ra-B9 SMTP connection from mail.mass2one.com (mass2onedc.mass2one.local) [209.181.208.98] closed after SIGTERM
2008-10-25 10:03:20 1KtkfM-0004Rc-Q9 SMTP connection from poplar.kiosk.ws (poplar.ghshosting.com) [209.47.167.138] closed after SIGTERM
2008-10-25 10:03:20 1KtkfN-0004Re-SW SMTP connection from (server.MILMAR.COM.EG) [82.201.208.165] closed after SIGTERM
2008-10-25 10:03:20 1KtkfO-0004Rn-IV SMTP connection from hanari1.nims.go.jp [144.213.2.20] closed after SIGTERM
2008-10-25 10:03:20 1KtkfN-0004RZ-NC SMTP connection from smtp-vbr13.xs4all.nl [194.109.24.33] closed after SIGTERM
2008-10-25 10:03:20 1KtkfN-0004Rb-3q SMTP connection from mail.mass2one.com (mass2onedc.mass2one.local) [209.181.208.98] closed after SIGTERM
2008-10-25 10:03:20 1KtkfM-0004RY-Py SMTP connection from mail.microstarkegs.com [64.1.8.50] closed after SIGTERM
2008-10-25 10:03:20 1KtkfO-0004RX-AY SMTP connection from (npamail.svpnpa.gov.in) [218.248.1.76] closed after SIGTERM
2008-10-25 10:03:20 1KtkfM-0004RO-My SMTP connection from rrcs-24-172-185-210.central.biz.rr.com (ts-llc.com) [24.172.185.210] closed after SIGTERM
2008-10-25 10:03:20 1KtkfM-0004RP-3S SMTP connection from mail.alumniprogram.com [208.45.131.34] closed after SIGTERM
2008-10-25 10:03:20 1KtkfP-0004RS-Bc SMTP connection from (mailserver.hib.local) [124.82.128.149] closed after SIGTERM
2008-10-25 10:03:20 1KtkfO-0004RM-0B SMTP connection from host136-230-149-62.serverdedicati.aruba.it (mail.globalinfosystem.it) [62.149.230.136] closed after SIGTERM
2008-10-25 10:03:20 1KtkfM-0004RN-HH SMTP connection from bsmtp9.xs4all.nl [194.109.127.146] closed after SIGTERM
2008-10-25 10:03:20 1KtkfN-0004RL-97 SMTP connection from fwvip.nel.co.jp (mailhub.nel.co.jp) [143.125.54.3] closed after SIGTERM
2008-10-25 10:03:20 1KtkfN-0004RK-Db SMTP connection from h166.n068.nhk.or.jp (sender02.tokyo.nhk.or.jp) [133.127.68.166] closed after SIGTERM
2008-10-25 10:03:20 1KtkfN-0004RI-Ho SMTP connection from mail.piramide.ind.br [200.206.168.136] closed after SIGTERM
2008-10-25 10:03:20 1KtkfJ-0004RD-TZ SMTP connection from fwvip.nel.co.jp (mailhub.nel.co.jp) [143.125.54.3] closed after SIGTERM
2008-10-25 10:03:20 1KtkfN-0004R6-OW SMTP connection from mail.estcanudas.com.ar (cabas101.canudassuc1.com.ar) [200.127.112.147] closed after SIGTERM
2008-10-25 10:03:20 1KtkfL-0004RG-Rw SMTP connection from ks354294.kimsufi.com [91.121.101.119] closed after SIGTERM
2008-10-25 10:03:20 1KtkfN-0004RH-Ma SMTP connection from gd1.gameduell.de [83.220.152.131] closed after SIGTERM
2008-10-25 10:03:20 1KtkfJ-0004R9-2H SMTP connection from (d7018.hostcentric.net) [216.65.63.51] closed after SIGTERM
2008-10-25 10:03:20 1KtkfM-0004RF-UR SMTP connection from smtp-01.sil.at [78.142.186.24] closed after SIGTERM
2008-10-25 10:03:20 1KtkfN-0004RB-HP SMTP connection from mail.lavras.mg.gov.br [200.195.28.157] closed after SIGTERM
2008-10-25 10:03:20 1KtkfM-0004R8-BS SMTP connection from mxdrop153.xs4all.nl [194.109.24.119] closed after SIGTERM
2008-10-25 10:03:20 1KtkfK-0004R7-Ii SMTP connection from (mwt02.mwt.com.au) [210.23.128.40] closed after SIGTERM
2008-10-25 10:03:20 1KtkfJ-0004Ql-BN SMTP connection from exchange.ilink-systems.com (exchange.ilink.mail) [216.176.189.234] closed after SIGTERM
2008-10-25 10:03:20 1KtkfL-0004R1-SC SMTP connection from (cpanel.ev1servers.net) [66.98.174.6] closed after SIGTERM
2008-10-25 10:03:20 1KtkfN-0004RA-Q9 SMTP connection from mail.lavras.mg.gov.br [200.195.28.157] closed after SIGTERM
2008-10-25 10:03:20 1KtkfG-0004R0-L1 SMTP connection from jamestaylor.com (as.jamestaylor.com) [72.10.46.53] closed after SIGTERM
2008-10-25 10:03:20 1KtkfG-0004Qk-6n SMTP connection from bsmtp6.xs4all.nl [194.109.127.149] closed after SIGTERM
2008-10-25 10:03:20 1KtkfH-0004Qp-6X SMTP connection from bsmtp7.xs4all.nl [194.109.127.148] closed after SIGTERM
2008-10-25 10:03:20 1KtkfH-0004Qo-2l SMTP connection from dewsmtp.intellicentre.net.au (dewsmtp001.intellicentre.net.au) [210.193.179.136] closed after SIGTERM
2008-10-25 10:03:20 1KtkfF-0004Qi-Mu SMTP connection from 194.11.254.125.static.comindico.com.au (imagepoint.com.au) [125.254.11.194] closed after SIGTERM
2008-10-25 10:03:20 1KtkfG-0004Qh-6K SMTP connection from bsmtp5.xs4all.nl [194.109.127.150] closed after SIGTERM
2008-10-25 10:03:20 1KtkfG-0004Qj-5w SMTP connection from 194.11.254.125.static.comindico.com.au (imagepoint.com.au) [125.254.11.194] closed after SIGTERM
2008-10-25 10:03:20 1KtkfG-0004Qg-18 SMTP connection from 194.11.254.125.static.comindico.com.au (imagepoint.com.au) [125.254.11.194] closed after SIGTERM
2008-10-25 10:03:20 1KtkfF-0004Qf-Qn SMTP connection from 194.11.254.125.static.comindico.com.au (imagepoint.com.au) [125.254.11.194] closed after SIGTERM
2008-10-25 10:03:20 1KtkfF-0004Qd-Mr SMTP connection from 194.11.254.125.static.comindico.com.au (imagepoint.com.au) [125.254.11.194] closed after SIGTERM
2008-10-25 10:03:20 1KtkfG-0004QV-HV SMTP connection from cpe-76-83-103-246.bak.res.rr.com [76.83.103.246] closed after SIGTERM
2008-10-25 10:03:20 1KtkfM-0004QW-KT SMTP connection from dpc674728058.direcpc.com (mail.searchmont.com) [67.47.28.58] closed after SIGTERM
2008-10-25 10:03:20 1KtkfM-0004Qe-6I SMTP connection from 89.140.90.198.static.user.ono.com (macmail01.mac-mutua.org) [89.140.90.198] closed after SIGTERM
2008-10-25 10:03:20 1KtkfG-0004QS-Cy SMTP connection from smtp.svp.sk [195.146.147.73] closed after SIGTERM
2008-10-25 10:03:20 1KtkfG-0004QT-AO SMTP connection from smtp.svp.sk [195.146.147.73] closed after SIGTERM
2008-10-25 10:03:20 1KtkfH-0004QU-0P SMTP connection from (mail.megacorp.co.kr) [211.234.93.151] closed after SIGTERM
2008-10-25 10:03:20 1KtkfG-0004QJ-Ti SMTP connection from mail1.kyukyo-u.ac.jp (triton.kyukyo-u.ac.jp) [218.44.255.43] closed after SIGTERM
2008-10-25 10:03:20 1KtkfE-0004QQ-2a SMTP connection from www.netgear-forum.com [193.25.197.191] closed after SIGTERM
2008-10-25 10:03:20 1KtkfH-0004QL-HJ SMTP connection from mail1.kyukyo-u.ac.jp (triton.kyukyo-u.ac.jp) [218.44.255.43] closed after SIGTERM
2008-10-25 10:03:20 1KtkfJ-0004QN-VI SMTP connection from mail1.kyukyo-u.ac.jp (triton.kyukyo-u.ac.jp) [218.44.255.43] closed after SIGTERM
2008-10-25 10:03:20 1KtkfG-0004QI-Tc SMTP connection from mail1.kyukyo-u.ac.jp (triton.kyukyo-u.ac.jp) [218.44.255.43] closed after SIGTERM
2008-10-25 10:03:20 1KtkfG-0004Qc-Jp SMTP connection from vcmail04.nttdatacenter.com [61.208.135.5] closed after SIGTERM
2008-10-25 10:03:20 1KtkfG-0004QR-EG SMTP connection from smtp.duhosting.ae (HMCERI03.DuVAS.local) [80.227.220.134] closed after SIGTERM
2008-10-25 10:03:20 1KtkfM-0004QH-Kw SMTP connection from mail1.kyukyo-u.ac.jp (triton.kyukyo-u.ac.jp) [218.44.255.43] closed after SIGTERM
2008-10-25 10:03:20 1KtkfG-0004QX-Sd SMTP connection from mail.tizacademy.com (mail.tizaacademy.com) [75.146.181.89] closed after SIGTERM
2008-10-25 10:03:20 1KtkfE-0004QE-Qq SMTP connection from s198-166-46-251.ab.hsia.telus.net (dmzworkhorse.bridgesolutions.ca) [198.166.46.251] closed after SIGTERM
2008-10-25 10:03:20 1KtkfF-0004Q9-PO SMTP connection from smtp.duhosting.ae (HMCERO03.DuVAS.local) [80.227.220.134] closed after SIGTERM
2008-10-25 10:03:20 1KtkfG-0004QF-7k SMTP connection from mail.lavras.mg.gov.br [200.195.28.157] closed after SIGTERM
2008-10-25 10:03:20 1KtkfG-0004QG-19 SMTP connection from mail.lavras.mg.gov.br [200.195.28.157] closed after SIGTERM
2008-10-25 10:03:20 1KtkfC-0004QA-Jh SMTP connection from eterna.binary.net [216.229.0.25] closed after SIGTERM
2008-10-25 10:03:20 1KtkfE-0004Q8-Lf SMTP connection from exchange.cre-eight.com [207.200.20.115] closed after SIGTERM
2008-10-25 10:03:20 1KtkfD-0004Q5-4z SMTP connection from (serv13.mihosnet.nl) [83.149.74.207] closed after SIGTERM
2008-10-25 10:03:20 1KtkfD-0004Pb-Lf SMTP connection from (dsl85-102-46665.ttnet.net.tr) [85.102.182.73] closed after SIGTERM
2008-10-25 10:03:20 1KtkfC-0004PO-FK SMTP connection from (vdns.miniespacio.com) [67.19.157.34] closed after SIGTERM
2008-10-25 10:03:20 1KtkfF-0004PY-BC SMTP connection from pop.ttcl.co.tz [196.43.78.55] closed after SIGTERM
2008-10-25 10:03:20 1KtkfE-0004Q6-QZ SMTP connection from mail.ecs.kyoto-u.ac.jp [130.54.13.161] closed after SIGTERM
2008-10-25 10:03:20 1KtkfE-0004Pe-79 SMTP connection from boe246.neoplus.adsl.tpnet.pl [83.29.20.246] closed after SIGTERM
2008-10-25 10:03:20 1KtkfG-0004PM-6L SMTP connection from h-67-103-44-123.snfccasy.covad.net (PC04.PLCLAW.NET) [67.103.44.123] closed after SIGTERM
2008-10-25 10:03:20 1KtkfC-0004PW-Bu SMTP connection from www.dns02.de [195.226.112.52] closed after SIGTERM
2008-10-25 10:03:20 1KtkfF-0004Q3-40 SMTP connection from mail.lett.dk [86.48.41.226] closed after SIGTERM
2008-10-25 10:03:20 1KtkfC-0004Pq-Tl SMTP connection from mailrelay1.kpn.net [194.151.226.98] closed after SIGTERM
2008-10-25 10:03:20 1KtkfD-0004Pg-SY SMTP connection from tcgp.dundee.ac.uk (corvus.tcgp.dundee.ac.uk) [134.36.204.2] closed after SIGTERM
2008-10-25 10:03:20 1KtkfG-0004PB-8u SMTP connection from zeus.dafp.gov.co (zeus.dafp.local) [200.31.77.243] closed after SIGTERM
2008-10-25 10:03:20 1KtkfP-0004Ph-MX SMTP connection from ([85.110.159.82]) [85.110.159.82] closed after SIGTERM
2008-10-25 10:03:20 1KtkfC-0004Q7-Jg SMTP connection from fb05-04.mta.terra.com.br [200.154.152.93] closed after SIGTERM
2008-10-25 10:03:20 1KtkfF-0004Oo-JF SMTP connection from hcm-ms-185.vnn.vn [203.162.4.185] closed after SIGTERM
2008-10-25 10:03:20 1KtkfC-0004Pa-B9 SMTP connection from exchange.strategicsol.com [63.231.43.49] closed after SIGTERM
2008-10-25 10:03:20 1KtkfC-0004Oy-Ek SMTP connection from trinity.nschile.cl [200.55.216.73] closed after SIGTERM
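
The log_selector and tail advice in post #2 and the exim_mainlog excerpt in post #4 are easier to act on with a small parser than by reading the stream by eye. The block below is an added example in Python; it is not code from the thread, from cPanel or from Exim. It runs over constructed sample lines in the same two formats that appear above (the "SMTP connection from ... closed after SIGTERM" form and Exim's standard "<=" reception line), with documentation-range hosts and addresses rather than the poster's real log, and assumes nothing about the log beyond those line shapes.

```python
import re
from collections import Counter

# Constructed sample in exim_mainlog format (hosts/IPs are RFC 5737 placeholders,
# not the log posted in the thread). Only two line kinds are modelled here.
SAMPLE_MAINLOG = """\
2008-10-25 10:03:20 1Ktkfe-0004So-Uf SMTP connection from mail.example.net (example.net) [192.0.2.10] closed after SIGTERM
2008-10-25 10:03:20 1Ktkfb-0004Sj-Q3 SMTP connection from (relay.example.org) [198.51.100.7] closed after SIGTERM
2008-10-25 10:03:20 1KtkfZ-0004SM-Vz SMTP connection from mx.example.net [192.0.2.10] closed after SIGTERM
2008-10-25 10:03:20 1KtkfY-0004SK-IP SMTP connection from ([203.0.113.9]) [203.0.113.9] closed after SIGTERM
2008-10-25 10:05:02 1KtkhJ-0004T1-Aa <= bob@example.org H=(relay.example.org) [198.51.100.7] P=esmtp S=2048 T="hello"
2008-10-25 10:05:03 1KtkhJ-0004T1-Aa => alice@example.com R=dnslookup T=remote_smtp H=mx.example.com [192.0.2.55]
2008-10-25 10:05:09 1KtkhQ-0004T4-Bb SMTP connection from mx.example.net [192.0.2.10] closed after SIGTERM
"""

# "SMTP connection from <host> [<ip>] closed after SIGTERM": an inbound session
# that died because the exim process handling it was terminated.
SIGTERM_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<msgid>\S+) "
    r"SMTP connection from (?P<host>.*?) \[(?P<ip>[0-9a-fA-F.:]+)\] closed after SIGTERM$"
)
# "<= sender H=<host> [<ip>] ...": a message accepted over SMTP from that peer.
RECEIVED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<msgid>\S+) "
    r"<= (?P<sender>\S+) H=(?P<host>.*?) \[(?P<ip>[0-9a-fA-F.:]+)\]"
)


def parse_line(line):
    """Classify one exim_mainlog line; returns None for line kinds not modelled."""
    m = SIGTERM_RE.match(line)
    if m:
        return {"event": "closed_sigterm", **m.groupdict()}
    m = RECEIVED_RE.match(line)
    if m:
        return {"event": "received", **m.groupdict()}
    return None


def parse_log(text):
    """Parse a whole log excerpt into a list of event dicts, skipping unknown lines."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def closures_by_ip(records):
    """How many SIGTERM-closed inbound sessions each remote IP had."""
    return Counter(r["ip"] for r in records if r["event"] == "closed_sigterm")


def sigterm_bursts(records, threshold=3):
    """Timestamps at which at least `threshold` sessions died in the same second.
    Many sessions closing with SIGTERM at one instant points at the daemon being
    killed or restarted, not at the remote peers; it says nothing about who is
    injecting outbound mail."""
    per_second = Counter(
        f"{r['date']} {r['time']}" for r in records if r["event"] == "closed_sigterm"
    )
    return {ts: n for ts, n in per_second.items() if n >= threshold}


def inbound_senders(records):
    """(envelope sender, peer IP) for each message accepted over SMTP."""
    return [(r["sender"], r["ip"]) for r in records if r["event"] == "received"]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_MAINLOG)
    print("closures per IP:", closures_by_ip(recs).most_common())
    print("SIGTERM bursts:", sigterm_bursts(recs))
    print("accepted over SMTP:", inbound_senders(recs))
```

Run against a real excerpt, the burst check is the first thing to look at: if every closure carries the same second, as in the excerpt above, the lines record a restart of the listener rather than spam activity, and the "<=" lines (which carry the sender, HELO and source address once the extra log_selector items are on) are where the attribution has to come from.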

#5  10-28-2008, 03:33 PM  DaveDark (WHT Addict; Join Date: Mar 2002; Location: Austin, TX; Posts: 112)
You can set a limit in WHM's Tweak Settings for the max number of emails per hour that a domain can send:
'The maximum each domain can send out per hour (0 is unlimited)'
This may help cut down some of the traffic. Afterwards, check 'View Mail Statistics' in WHM to see which domains are sending tons of mail.
It's interesting that all those SIGTERMs are getting sent to exim. Try connecting to the server and sending mail through a domain; there may be a deeper issue here.
You're welcome to submit a support ticket to have our analysts take a look at the server. See my signature for the link.

#6  10-28-2008, 04:22 PM  sabarishks (Junior Guru Wannabe; Join Date: Sep 2008; Location: Bangalore; Posts: 77)
ps -C exim -fH eww | grep home
Execute this command when there is high spamming. It will show the user who spams.
Also, just set the max mail per hour to 10 or something like that. So, when the 11th mail is sent, it will start bouncing back.

#7  10-28-2008, 04:23 PM  sabarishks (Junior Guru Wannabe; Join Date: Sep 2008; Location: Bangalore; Posts: 77)
So, from those bounce-back messages, you can get the real identity of the spammer.

#8  04-08-2013, 10:24 AM  justin-eus (Disabled; Join Date: Oct 2012; Location: Sweden; Posts: 39)
ps -C exim -fH eww | grep home

Very useful to discover spamming accounts.

Thanks sabarishks!
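
The two ideas in posts #5 through #8, attributing exim processes to a /home account from `ps -C exim -fH eww | grep home` output and capping what each domain may send per hour, can both be expressed as small checks. The block below is an added example in Python; it is not code from the thread or from WHM. The ps output and the send timestamps are constructed, the account names acct1/acct2 and the domains are placeholders, and the hourly bucketing is a simplified model of what the WHM tweak counts, not its implementation.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed `ps -C exim -fH eww` style output: UID PID PPID C STIME TTY TIME CMD,
# with the process environment appended to CMD by the e/ww flags. The accounts,
# paths and PIDs are made up for this example.
SAMPLE_PS = """\
UID        PID  PPID  C STIME TTY          TIME CMD
mailnull 12487     1  0 09:13 ?        00:00:00 /usr/sbin/exim -bd -q60m
mailnull 12521 12487  0 09:13 ?        00:00:00   /usr/sbin/exim -bd -q60m
nobody   13044 13010  0 09:14 ?        00:00:00 /usr/sbin/exim -t -i PWD=/home/acct1/public_html SCRIPT_FILENAME=/home/acct1/public_html/contact.php
nobody   13051 13010  0 09:14 ?        00:00:00 /usr/sbin/exim -t -i PWD=/home/acct1/public_html SCRIPT_FILENAME=/home/acct1/public_html/contact.php
acct2    13060 13058  0 09:14 ?        00:00:00 /usr/sbin/exim -t -i PWD=/home/acct2/public_html
"""

# First /home/<account> path found anywhere in the command line or environment.
HOME_RE = re.compile(r"/home/(?P<account>[^/\s]+)")


def exim_procs_by_home(ps_output):
    """Count exim processes per /home account, i.e. what the `grep home` in the
    thread surfaces: the web server (nobody) injects mail from inside an
    account's directory, and PWD/SCRIPT_FILENAME in the environment name it."""
    counts = Counter()
    for line in ps_output.splitlines():
        fields = line.split(None, 7)          # keep CMD + environment intact
        if len(fields) < 8 or fields[0] == "UID":
            continue
        cmd = fields[7]
        m = HOME_RE.search(cmd)
        if "exim" in cmd and m:
            counts[m.group("account")] += 1
    return counts


def over_hourly_limit(send_events, limit):
    """send_events: iterable of ('YYYY-MM-DD HH:MM:SS', domain) for each message
    a domain sent. Returns {(domain, 'YYYY-MM-DD HH'): count} for every hour
    bucket whose count exceeds `limit`; those are the sends a per-domain hourly
    cap like WHM's would have refused."""
    buckets = Counter()
    for ts, domain in send_events:
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").strftime("%Y-%m-%d %H")
        buckets[(domain, hour)] += 1
    return {key: n for key, n in buckets.items() if n > limit}


# Constructed send log: twelve messages from one domain inside the 09:xx hour,
# one more in the next hour, and a quiet second domain.
SAMPLE_SENDS = (
    [(f"2008-10-25 09:{13 + i:02d}:00", "example.com") for i in range(12)]
    + [("2008-10-25 10:01:00", "example.com"), ("2008-10-25 09:30:00", "other.example")]
)


if __name__ == "__main__":
    print("exim processes per account:", dict(exim_procs_by_home(SAMPLE_PS)))
    print("hour buckets over a limit of 10:", over_hourly_limit(SAMPLE_SENDS, 10))
```

The process count tells you which account a PHP mailer is running from even though the process owner is nobody or mailnull; the hourly bucket tells you which domain would trip the cap. Neither replaces reading the script found under that account, but together they narrow the search from "all of exim" to one directory.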
