    Where is the spam source?


    A nobody user is sending a lot of mail through my server to one email address. An email message header is:

    nobody 99 99

    1034177149 0
    -ident nobody
    -received_protocol local
    -body_linecount 1
    -auth_id nobody
    -auth_sender [email protected]*******
    [email protected]

    157P Received: from nobody by server1.******** with local (Exim 3.36 #1)
    id 17zIib-00070W-00
    for [email protected]; Wed, 09 Oct 2002 11:25:49 -0400
    032T To: [email protected]
    016 Subject: 268515
    028F From: [email protected]
    051I Message-Id:
    038 Date: Wed, 09 Oct 2002 11:25:49 -0400

    Tien su cha nha may he he


    Where are these messages being sent from (address/IP/location)?


    If the user that spawned the mail process is nobody, then it was a CGI or PHP script (depending on your server setup), and you need to find out what file was being accessed by what IP at what domain in the web server logs at the time of the email.
    Robert McGregor
    Email: robertm@(nospam)
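One way to do the correlation described in the reply above, as an added example that is not part of the original thread: take the timestamp from the spool header's Received: line and list script requests in the per-domain access logs within a few seconds of it. The sample header, log lines, IPs, the 30-second window and the script-path pattern are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime

# Constructed sample data: spool header modelled on the one in the question,
# with a placeholder host and recipient; the log lines and IPs are made up.
SPOOL_HEADER = """\
157P Received: from nobody by server1.example.invalid with local (Exim 3.36 #1)
\tid 17zIib-00070W-00
\tfor recipient@example.invalid; Wed, 09 Oct 2002 11:25:49 -0400
"""
DOMLOGS = [  # (domain, access-log line) pairs, as if read from per-domain logs
    ("example.com", '192.0.2.44 - - [09/Oct/2002:11:25:48 -0400] "POST /cgi-bin/formmail.cgi HTTP/1.0" 200 512'),
    ("example.com", '198.51.100.7 - - [09/Oct/2002:11:25:49 -0400] "GET /index.html HTTP/1.1" 200 4096'),
    ("example.org", '203.0.113.9 - - [09/Oct/2002:10:02:11 -0400] "POST /contact.php HTTP/1.1" 200 733'),
    ("example.net", '192.0.2.44 - - [09/Oct/2002:15:25:50 +0000] "GET /mail.php?to=x HTTP/1.0" 200 20'),
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')
# Requests that can run server-side code under the web server's user (nobody).
SCRIPT_RE = re.compile(r"^/cgi-bin/|\.(cgi|pl|php\d?)(\?|/|$)", re.I)
DATE_RE = re.compile(r";\s*(\w{3}, \d{1,2} \w{3} \d{4} \d\d:\d\d:\d\d [+-]\d{4})")

def mail_time(spool_header):
    """Return the timezone-aware time from the Received: line of a spool header."""
    m = DATE_RE.search(spool_header)
    if m is None:
        raise ValueError("no Received timestamp found")
    return parsedate_to_datetime(m.group(1))

def suspects(domlogs, when, window=timedelta(seconds=30)):
    """List (domain, ip, method, path) for script requests within `window` of `when`."""
    hits = []
    for domain, line in domlogs:
        m = LOG_RE.match(line)
        if m is None or not SCRIPT_RE.search(m["path"]):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")  # offset-aware
        if abs(ts - when) <= window:
            hits.append((domain, m["ip"], m["method"], m["path"]))
    return hits

if __name__ == "__main__":
    for hit in suspects(DOMLOGS, mail_time(SPOOL_HEADER)):
        print(*hit)
```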

    How can I find that out?
    Can someone please elaborate further on this?

    Dec 2001
    Toronto, Ontario, Canada
    I've been having problems of a similar nature.

    Often we have gotten insecure formmail.cgi's on our servers by unsuspecting webhosts (formmail < 1.9), but the last attack wasn't through a formmail CGI, and I can't find anything in the Apache logs for any of the domains during the time of attack.

    Anyone know how to disable mail sending from the user [email protected], because Exim doesn't log enough information to track it down. Personally I don't see why nobody is a privileged user whatsoever.

    Anyone know how to make Exim 3 not route emails from [email protected]? Or at least track down where they're coming from (remember, Apache domlogs have been scanned, and turned up nada).

    Jun 2002
    long beach

    Jul 2002

    FormMail 1.9s & 1.92

    Hope this is part of the same thread, Charlie. All with ours
    works well, except the form sender is being sent an empty
    email. That email shows a From: my_reseller_username @ . Does this with FormMail 1.9s & 1.92.

    How to stop that jeopardizing email?

    Oct 2002
    You could have a proxy installed on your machine, and that may be where the email is originating from. Someone might have been smart enough to restrict connections to the local machine, but if there is a mail server on the local machine then anyone connecting can use it to send spam.

    But as far as exim goes, here is a quick fix for preventing the user nobody (or any other accounts you don't want to be able to send mail off the box) from sending mail to a non-local address. You will want to modify the lookuphost router in the exim conf file.

    driver = lookuphost
    transport = smtp
    senders = "!@@lsearch;/usr/local/exim/local/nullsenders"

    You can then add this to the file "/usr/local/exim/local/nullsenders":

    hostname: user1 : user2 : user3 : user4 : nobody : [...]
    I can't take credit for this, it was posted to the exim users mailing list.

