Results 1 to 8 of 8
  1. #1
    Join Date
    Feb 2005
    Posts
    34
    need cpanel fixed in linux from being spammed in exim
    Hi the problem is the server is being spammed sending emails. There are exim processes being created by uid 47 and mailnull that are consuming the memory and crashing the system.
    I have seen the account in the passwd and groups in shadow.
    I tried to comment it out but exim will not run. Only whenthe accounts are uncommented exim will run and start flooding with spam email and spawning new processes until all the memory is consumed.
    The spammer accounts are mailnull I am guessing. So i need some help to fix the spamming issue.
    The httpd is being run by the nobody account. I might need some help on this to.
    Any help would be greatly appreciated.
    Its a Linux box
    2.6.18-53.1.4.el5 #1 SMP Wed Nov 14 10:37:33 EST 2007 i686 i686 i386 GNU/Linux

  2. #2
    Zishan Guest
    In WHM > Exim Configuration Editor, click Advanced Editor
    Add this in first text area:
    log_selector = +address_rewrite +all_parents +arguments +subject
    Browse to bottom of page and click Save. Then run the following command and you will get a detailed log that from where the spam emails are being sent:
    tail -f /var/log/exim_mainlog

  3. #3
    Join Date
    Feb 2005
    Posts
    34
    The log did not really help much in locating the source these are the processes spawning and they keep increasing.
    mailnull 12487 0.3 0.0 10136 964 ? Ss 09:13 0:00 /usr/sbin/exim -bd -q60m
    mailnull 12493 0.0 0.0 10136 912 ? Ss 09:13 0:00 /usr/sbin/exim -tls-on-connect -bd -oX 465
    mailnull 12521 0.4 0.1 11224 3900 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
    mailnull 12522 0.3 0.1 11224 3884 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
    mailnull 12532 0.5 0.2 11228 4580 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
    mailnull 12537 0.4 0.1 11224 3908 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
    mailnull 12538 0.4 0.1 11224 3884 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
    mailnull 12541 0.4 0.1 11224 3908 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
    mailnull 12546 0.3 0.1 11224 3876 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
    mailnull 12550 0.0 0.0 10192 1920 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
    mailnull 12565 0.4 0.1 11224 3876 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
    mailnull 12566 0.4 0.1 11224 3900 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
    mailnull 12571 0.4 0.1 11228 3908 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
    mailnull 12576 0.4 0.1 11224 3908 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
    mailnull 12586 0.3 0.1 11228 3884 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
    mailnull 12596 0.4 0.1 11224 3884 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
    mailnull 12613 0.4 0.1 11224 3900 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
    mailnull 12621 0.4 0.1 11224 3908 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
    mailnull 12630 0.4 0.1 11224 3876 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
    mailnull 12662 0.5 0.1 11228 3836 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
    mailnull 12665 0.4 0.1 11224 3900 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
    mailnull 12666 0.4 0.1 11224 3884 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
    mailnull 12675 0.3 0.1 11224 3900 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
    mailnull 12698 0.5 0.1 11224 3876 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
    mailnull 12699 0.6 0.1 11224 3876 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
    mailnull 12702 0.6 0.2 11232 4596 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
    mailnull 12707 0.5 0.1 11224 3900 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
    mailnull 12740 0.6 0.2 11228 4608 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
    mailnull 12742 0.5 0.1 11224 3900 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
    mailnull 12755 0.5 0.1 11224 3900 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
    mailnull 12758 0.5 0.1 11224 3900 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
    mailnull 12762 0.5 0.1 11224 3876 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m
    mailnull 12767 0.5 0.1 11224 3884 ? S 09:13 0:00 /usr/sbin/exim -bd -q60m

  4. #4
    Join Date
    Feb 2005
    Posts
    34
    This is in the log you told me to look at:
    /var/log/exim_mainlog
    2008-10-25 10:03:20 1Ktkfe-0004So-Uf SMTP connection from mail.marionareachamber.org (marionareachamber.org) [66.219.135.169] closed after SIGTERM
    2008-10-25 10:03:20 1Ktkfb-0004Sj-Q3 SMTP connection from (mail.0incondotta.com) [66.232.118.190] closed after SIGTERM
    2008-10-25 10:03:20 1Ktkfb-0004SZ-3j SMTP connection from mx1.aball.de [212.76.144.42] closed after SIGTERM
    2008-10-25 10:03:20 1Ktkfb-0004SU-RT SMTP connection from (mail2.fransmaas.com) [212.72.49.204] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfZ-0004SM-Vz SMTP connection from (gw.ecro.ro) [82.76.46.16] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfY-0004SK-IP SMTP connection from mail.finn.pl [194.24.181.150] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfX-0004SD-Au SMTP connection from mx1.aball.de [212.76.144.42] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfU-0004SA-UH SMTP connection from ks354294.kimsufi.com [91.121.101.119] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfR-0004S1-40 SMTP connection from (main.digital-thought.net) [212.57.233.62] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfP-0004Rw-VD SMTP connection from (mwz-cpa.com) [68.250.28.105] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfQ-0004Rt-RJ SMTP connection from dwhs125.dwhs.net [66.249.137.125] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfN-0004Rm-Fi SMTP connection from ks354294.kimsufi.com [91.121.101.119] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfO-0004Ro-6n SMTP connection from dvorak.siteprotect.com [64.26.0.12] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfN-0004Rf-Ot SMTP connection from enm36.neoplus.adsl.tpnet.pl [83.20.2.36] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfN-0004Rd-PB SMTP connection from mail1.zimmermann-vital.de [212.77.180.140] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfN-0004Ra-B9 SMTP connection from mail.mass2one.com (mass2onedc.mass2one.local) [209.181.208.98] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfM-0004Rc-Q9 SMTP connection from poplar.kiosk.ws (poplar.ghshosting.com) [209.47.167.138] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfN-0004Re-SW SMTP connection from (server.MILMAR.COM.EG) [82.201.208.165] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfO-0004Rn-IV SMTP connection from hanari1.nims.go.jp [144.213.2.20] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfN-0004RZ-NC SMTP connection from smtp-vbr13.xs4all.nl [194.109.24.33] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfN-0004Rb-3q SMTP connection from mail.mass2one.com (mass2onedc.mass2one.local) [209.181.208.98] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfM-0004RY-Py SMTP connection from mail.microstarkegs.com [64.1.8.50] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfO-0004RX-AY SMTP connection from (npamail.svpnpa.gov.in) [218.248.1.76] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfM-0004RO-My SMTP connection from rrcs-24-172-185-210.central.biz.rr.com (ts-llc.com) [24.172.185.210] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfM-0004RP-3S SMTP connection from mail.alumniprogram.com [208.45.131.34] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfP-0004RS-Bc SMTP connection from (mailserver.hib.local) [124.82.128.149] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfO-0004RM-0B SMTP connection from host136-230-149-62.serverdedicati.aruba.it (mail.globalinfosystem.it) [62.149.230.136] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfM-0004RN-HH SMTP connection from bsmtp9.xs4all.nl [194.109.127.146] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfN-0004RL-97 SMTP connection from fwvip.nel.co.jp (mailhub.nel.co.jp) [143.125.54.3] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfN-0004RK-Db SMTP connection from h166.n068.nhk.or.jp (sender02.tokyo.nhk.or.jp) [133.127.68.166] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfN-0004RI-Ho SMTP connection from mail.piramide.ind.br [200.206.168.136] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfJ-0004RD-TZ SMTP connection from fwvip.nel.co.jp (mailhub.nel.co.jp) [143.125.54.3] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfN-0004R6-OW SMTP connection from mail.estcanudas.com.ar (cabas101.canudassuc1.com.ar) [200.127.112.147] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfL-0004RG-Rw SMTP connection from ks354294.kimsufi.com [91.121.101.119] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfN-0004RH-Ma SMTP connection from gd1.gameduell.de [83.220.152.131] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfJ-0004R9-2H SMTP connection from (d7018.hostcentric.net) [216.65.63.51] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfM-0004RF-UR SMTP connection from smtp-01.sil.at [78.142.186.24] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfN-0004RB-HP SMTP connection from mail.lavras.mg.gov.br [200.195.28.157] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfM-0004R8-BS SMTP connection from mxdrop153.xs4all.nl [194.109.24.119] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfK-0004R7-Ii SMTP connection from (mwt02.mwt.com.au) [210.23.128.40] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfJ-0004Ql-BN SMTP connection from exchange.ilink-systems.com (exchange.ilink.mail) [216.176.189.234] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfL-0004R1-SC SMTP connection from (cpanel.ev1servers.net) [66.98.174.6] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfN-0004RA-Q9 SMTP connection from mail.lavras.mg.gov.br [200.195.28.157] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfG-0004R0-L1 SMTP connection from jamestaylor.com (as.jamestaylor.com) [72.10.46.53] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfG-0004Qk-6n SMTP connection from bsmtp6.xs4all.nl [194.109.127.149] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfH-0004Qp-6X SMTP connection from bsmtp7.xs4all.nl [194.109.127.148] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfH-0004Qo-2l SMTP connection from dewsmtp.intellicentre.net.au (dewsmtp001.intellicentre.net.au) [210.193.179.136] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfF-0004Qi-Mu SMTP connection from 194.11.254.125.static.comindico.com.au (imagepoint.com.au) [125.254.11.194] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfG-0004Qh-6K SMTP connection from bsmtp5.xs4all.nl [194.109.127.150] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfG-0004Qj-5w SMTP connection from 194.11.254.125.static.comindico.com.au (imagepoint.com.au) [125.254.11.194] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfG-0004Qg-18 SMTP connection from 194.11.254.125.static.comindico.com.au (imagepoint.com.au) [125.254.11.194] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfF-0004Qf-Qn SMTP connection from 194.11.254.125.static.comindico.com.au (imagepoint.com.au) [125.254.11.194] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfF-0004Qd-Mr SMTP connection from 194.11.254.125.static.comindico.com.au (imagepoint.com.au) [125.254.11.194] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfG-0004QV-HV SMTP connection from cpe-76-83-103-246.bak.res.rr.com [76.83.103.246] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfM-0004QW-KT SMTP connection from dpc674728058.direcpc.com (mail.searchmont.com) [67.47.28.58] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfM-0004Qe-6I SMTP connection from 89.140.90.198.static.user.ono.com (macmail01.mac-mutua.org) [89.140.90.198] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfG-0004QS-Cy SMTP connection from smtp.svp.sk [195.146.147.73] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfG-0004QT-AO SMTP connection from smtp.svp.sk [195.146.147.73] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfH-0004QU-0P SMTP connection from (mail.megacorp.co.kr) [211.234.93.151] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfG-0004QJ-Ti SMTP connection from mail1.kyukyo-u.ac.jp (triton.kyukyo-u.ac.jp) [218.44.255.43] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfE-0004QQ-2a SMTP connection from www.netgear-forum.com [193.25.197.191] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfH-0004QL-HJ SMTP connection from mail1.kyukyo-u.ac.jp (triton.kyukyo-u.ac.jp) [218.44.255.43] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfJ-0004QN-VI SMTP connection from mail1.kyukyo-u.ac.jp (triton.kyukyo-u.ac.jp) [218.44.255.43] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfG-0004QI-Tc SMTP connection from mail1.kyukyo-u.ac.jp (triton.kyukyo-u.ac.jp) [218.44.255.43] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfG-0004Qc-Jp SMTP connection from vcmail04.nttdatacenter.com [61.208.135.5] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfG-0004QR-EG SMTP connection from smtp.duhosting.ae (HMCERI03.DuVAS.local) [80.227.220.134] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfM-0004QH-Kw SMTP connection from mail1.kyukyo-u.ac.jp (triton.kyukyo-u.ac.jp) [218.44.255.43] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfG-0004QX-Sd SMTP connection from mail.tizacademy.com (mail.tizaacademy.com) [75.146.181.89] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfE-0004QE-Qq SMTP connection from s198-166-46-251.ab.hsia.telus.net (dmzworkhorse.bridgesolutions.ca) [198.166.46.251] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfF-0004Q9-PO SMTP connection from smtp.duhosting.ae (HMCERO03.DuVAS.local) [80.227.220.134] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfG-0004QF-7k SMTP connection from mail.lavras.mg.gov.br [200.195.28.157] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfG-0004QG-19 SMTP connection from mail.lavras.mg.gov.br [200.195.28.157] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfC-0004QA-Jh SMTP connection from eterna.binary.net [216.229.0.25] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfE-0004Q8-Lf SMTP connection from exchange.cre-eight.com [207.200.20.115] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfD-0004Q5-4z SMTP connection from (serv13.mihosnet.nl) [83.149.74.207] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfD-0004Pb-Lf SMTP connection from (dsl85-102-46665.ttnet.net.tr) [85.102.182.73] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfC-0004PO-FK SMTP connection from (vdns.miniespacio.com) [67.19.157.34] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfF-0004PY-BC SMTP connection from pop.ttcl.co.tz [196.43.78.55] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfE-0004Q6-QZ SMTP connection from mail.ecs.kyoto-u.ac.jp [130.54.13.161] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfE-0004Pe-79 SMTP connection from boe246.neoplus.adsl.tpnet.pl [83.29.20.246] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfG-0004PM-6L SMTP connection from h-67-103-44-123.snfccasy.covad.net (PC04.PLCLAW.NET) [67.103.44.123] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfC-0004PW-Bu SMTP connection from www.dns02.de [195.226.112.52] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfF-0004Q3-40 SMTP connection from mail.lett.dk [86.48.41.226] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfC-0004Pq-Tl SMTP connection from mailrelay1.kpn.net [194.151.226.98] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfD-0004Pg-SY SMTP connection from tcgp.dundee.ac.uk (corvus.tcgp.dundee.ac.uk) [134.36.204.2] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfG-0004PB-8u SMTP connection from zeus.dafp.gov.co (zeus.dafp.local) [200.31.77.243] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfP-0004Ph-MX SMTP connection from ([85.110.159.82]) [85.110.159.82] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfC-0004Q7-Jg SMTP connection from fb05-04.mta.terra.com.br [200.154.152.93] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfF-0004Oo-JF SMTP connection from hcm-ms-185.vnn.vn [203.162.4.185] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfC-0004Pa-B9 SMTP connection from exchange.strategicsol.com [63.231.43.49] closed after SIGTERM
    2008-10-25 10:03:20 1KtkfC-0004Oy-Ek SMTP connection from trinity.nschile.cl [200.55.216.73] closed after SIGTERM

  5. #5
    Join Date
    Mar 2002
    Location
    Austin, TX
    Posts
    112
    You can set a limit in WHM's Tweak Settings for the max # of emails per our that a domain can send:
    'The maximum each domain can send out per hour (0 is unlimited)'
    This may help cut down some of the traffic. After check 'View Mail Statistics' in WHM to see which domains are sending tons of mail.
    It's interesting that all those SIGTERMS are getting sent to exim. Try connecting to the server and sending mail through a domain, there may be a deeper issue here.
    You're welcome to submit a support ticket to have our analysts take a look at the server. See my signature for the link.

  6. #6
    Join Date
    Sep 2008
    Location
    Bangalore
    Posts
    77
    ps -C exim -fH eww | grep home
    Execute this command, when there is high spamming. It will show the user who spams.
    Also, just set the max mail perhour to 10 or like that. So, when the 11th mail sent, it will start bouncing back.

  7. #7
    Join Date
    Sep 2008
    Location
    Bangalore
    Posts
    77
    So, from that bounce back messages, you can get the real identity of the spammer.

  8. #8
    ps -C exim -fH eww | grep home

    Very useful to discover spamming accounts.

    Thanks sabarishks!

Related Posts from theWHIR.com

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •