  1. #1
    Join Date
    Oct 2007
    Posts
    62

    Looking for spam script in server (The Bat!)

    I got an email today and it says that my server is sending spams.

    However, I am not able to trace down the script or where it is hosted, nor can I find any clue inside my WHM > Mail Queue.

    my.serverhostname.com is my host name and xx.xx.xx.xx is my IP address.

    The X-Mailer: The Bat! (v2.01) - How do I simply find the script name? I'm sure there's a unique file name which makes it easy to search.

    ======== Original Headers ========

    Delivery-date: Wed, 01 Jul 2009 15:43:51 -0700
    Received: from my.serverhostname.com ([XX.XX.XX.XX])
    by pascal.junkemailfilter.com with smtp (Exim 4.69)
    id 1MM8Ws-00019x-UP on interface=65.49.42.60
    for [email protected]; Wed, 01 Jul 2009 15:43:51 -0700
    Received: from rgyiqmh (79.181.190.205)
    by my.serverhostname.com; Thu, 2 Jul 2009 06:43:46 +0800
    Date: Thu, 2 Jul 2009 06:43:46 +0800
    From: <[email protected]>
    X-Mailer: The Bat! (v2.01)
    Reply-To: <[email protected]>
    X-Priority: 3 (Normal)
    Message-ID: <[email protected]>
    To: <[email protected]>
    Subject: =?iso-8859-5?B?Uk9HQUlOSU5HIFBST1RFQ1Qg?=
    =?iso-8859-5?B?QUdBSU5TVCBUSEUgTE9TUyBP?=
    =?iso-8859-5?B?RiBZT1VSIFBSRUNJT1VTIEhB?=
    =?iso-8859-5?B?SVIu?=
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="----------D3AF8697FE5"
    X-Sender-Domain: serverhostname.com
    X-Freemail-From: aol.com
    X-Freemail-Reply-to: yahoo.com
    X-Spamfilter-host: pascal.junkemailfilter.com - http://www.junkemailfilter.com
    X-Mail-from: [email protected]
    X-Spam-Class: SPAM-HIGH-VERY - 419scam Freemail - Reply-to does not match From - R=<[email protected]> F=<[email protected]> - X=pascal H=my.serverhostname.com [XX.XX.XX.XX] HELO=[my.serverhostname.com] F=[[email protected]] T=[[email protected]] S=[ROGAINING PROTECT AGAINST THE LOSS OF YOUR PRECIOUS HAIR.]
    X-Spamsave: Yes - 419scam Freemail - Reply-to does not match From - R=<[email protected]> F=<[email protected]> - X=pascal H=my.serverhostname.com [XX.XX.XX.XX] HELO=[my.serverhostname.com] F=[[email protected]] T=[[email protected]] S=[ROGAINING PROTECT AGAINST THE LOSS OF YOUR PRECIOUS HAIR.]
    X-Sender-Host-Address: XX.XX.XX.XX
    X-Sender-Host-Name: my.serverhostname.com
    X-Original-helo: my.serverhostname.com


    Found something here in my WHM > Mail Queue, but it still does not contain any sender information:

    MM9cN-0006YT-Cr-H
    mailnull 47 12
    <>
    1246492415 0
    -ident mailnull
    -received_protocol local
    -body_linecount 85
    -max_received_linelength 161
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -frozen 1246492418
    -localerror
    XX
    1
    [email protected]

    153P Received: from mailnull by my.serverhostname.com with local (Exim 4.69)
    id 1MM9cN-0006YT-Cr
    for [email protected]; Thu, 02 Jul 2009 07:53:35 +0800
    038 X-Failed-Recipients: [email protected]
    029 Auto-Submitted: auto-replied
    067F From: Mail Delivery System <[email protected]>
    024T To: [email protected]
    059 Subject: Mail delivery failed: returning message to sender
    056I Message-Id: <[email protected]>
    038 Date: Thu, 02 Jul 2009 07:53:35 +0800

    1MM9cN-0006YT-Cr-D
    This message was created automatically by mail delivery software.

    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:

    [email protected]
    The mail server could not deliver mail to [email protected]. The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.

    ------ This is a copy of the message, including all the headers. ------

    Return-path: <[email protected]>
    Received: from localhost ([127.0.0.1] helo=my.serverhostname.com)
    by my.serverhostname.com with smtp (Exim 4.69)
    (envelope-from <[email protected]>)
    id 1MM9cM-0006YP-Oa
    for [email protected]; Thu, 02 Jul 2009 07:53:34 +0800
    Received: from zmzna (108.231.31.17)
    by my.serverhostname.com; Thu, 2 Jul 2009 07:53:34 +0800
    Date: Thu, 2 Jul 2009 07:53:34 +0800
    From: <[email protected]>
    X-Mailer: The Bat! (v2.01)
    Reply-To: <[email protected]>
    X-Priority: 4 (Low)
    Message-ID: <[email protected]>
    To: <[email protected]>
    Subject: =?iso-8859-5?B?QWN0aXZhdGUgdGhlIHBvd2Vy?=
    =?iso-8859-5?B?IG9mIGxvdmU=?=
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="----------3505C589BDC8"
    X-ACL-Warn: {
    Last edited by afree2; 07-01-2009 at 08:21 PM.

  2. #2
    Join Date
    Oct 2007
    Posts
    62
    I just found out The Bat! is a kind of e-mail application software and not a script. The problem is that the header information is insufficient for me to trace which user on my cPanel server is sending that spam, even though I have authentication turned on!

  3. #3
    Join Date
    Mar 2009
    Location
    Chicago, IL
    Posts
    219
    You should be able to go look at your exim logs in WHM and get a very good idea of which domain it's coming from. Also, there are quite a few extended logging options that you can add to exim which will help you run items like this down.

    btw, in WHM->Tweak Settings you should enable the "maximum amount of email a domain can send per hour" and set that to something other than zero.

  4. #4
    Add the following to the first textarea in the Advanced Mode Exim Configuration Editor (found in your WHM):

    log_selector = +arguments +subject +received_recipients

    Set a maximum amount of emails a domain can send per hour under tweak settings.

    This won't stop the spam, but it will slow it down and make it easier to track.

    If you're unable to find the spam, you may wish to hire someone to help. Steve from Rack911 works wonders.
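    Once the extra log_selector fields from posts #3 and #4 are in place, /var/log/exim_mainlog can be tallied to find the account, script directory or submitting host behind a flood like the one above. This is an added example, not code from the thread; the log lines, account names, addresses and IPs are constructed, and the "host:" fallback assumes the script injects mail over SMTP to 127.0.0.1 as the quoted bounce shows.

```python
import re
from collections import Counter

# Constructed sample of /var/log/exim_mainlog in the format cPanel's Exim writes
# once log_selector = +arguments +subject +received_recipients is active.
# Not taken from the thread; accounts, addresses and IPs are made up.
SAMPLE_LOG = """\
2009-07-02 07:53:33 cwd=/home/acme/public_html/images 3 args: /usr/sbin/sendmail -t -i
2009-07-02 07:53:34 1MM9cM-0006YP-Oa <= bob@example.net U=acme P=local S=2310 T="Activate the power of love" for user1@example.org
2009-07-02 07:53:35 cwd=/home/acme/public_html/images 3 args: /usr/sbin/sendmail -t -i
2009-07-02 07:53:35 1MM9cN-0006YT-Cr <= bob@example.net U=acme P=local S=2290 T="Activate the power of love" for user2@example.org
2009-07-02 07:53:36 1MM9cO-0006YU-Dx <= bob@example.net H=localhost (my.serverhostname.com) [127.0.0.1] P=smtp S=2300 T="Activate the power of love" for user3@example.org
2009-07-02 07:54:01 1MM9cz-0006Zz-Ab <= alice@example.com H=(pc) [203.0.113.5] P=esmtpa A=dovecot_login:alice@example.com S=1400 T="Invoice 42" for client@example.org
2009-07-02 07:54:02 cwd=/var/spool/exim 4 args: /usr/sbin/exim -Mc 1MM9cz-0006Zz-Ab
"""

# "<=" lines record each arrival; "cwd=" lines (from +arguments) give the directory
# a local sendmail caller, typically a PHP script, was running in.
ARRIVAL = re.compile(r"^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*?) for (?P<rcpt>\S+)$")
CWD = re.compile(r"^\S+ \S+ cwd=(?P<cwd>\S+) \d+ args: (?P<args>.*)$")


def summarize(log_text):
    """Tally arrivals by originating account, script directory and subject."""
    by_source, by_cwd, by_subject = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = CWD.match(line)
        if m:
            # Exim's own queue runner logs a cwd too; only user paths matter.
            if not m.group("cwd").startswith("/var/spool/"):
                by_cwd[m.group("cwd")] += 1
            continue
        m = ARRIVAL.match(line)
        if not m:
            continue
        rest = m.group("rest")
        auth = re.search(r"\bA=(\S+)", rest)  # SMTP AUTH login (P=esmtpa)
        user = re.search(r"\bU=(\S+)", rest)  # Unix user of a local submission
        host = re.search(r"\bH=(\S+)", rest)  # submitting host, e.g. localhost
        if auth:
            source = "auth:" + auth.group(1)
        elif user:
            source = "user:" + user.group(1)
        else:
            # A script that speaks SMTP to 127.0.0.1 leaves no U= or cwd=, so
            # the best remaining key is the host plus the envelope sender.
            source = "host:%s %s" % (host.group(1) if host else "?", m.group("sender"))
        by_source[source] += 1
        subj = re.search(r'T="([^"]*)"', rest)
        by_subject[subj.group(1) if subj else "(none)"] += 1
    return by_source, by_cwd, by_subject
```

Run it against the real log with `summarize(open("/var/log/exim_mainlog").read())` and look at `most_common()` on each counter; a single cwd or account dominating with one repeated subject is the account to inspect.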

  5. #5
    Join Date
    Mar 2009
    Location
    Chicago, IL
    Posts
    219
    Quote Originally Posted by AquariusADMIN View Post
    Add the following to the first textarea in the Advanced Mode Exim Configuration Editor (Found in your WHM)

    log_selector = +arguments +subject +received_recipients

    That's it, you sir are faster than I. =P

  6. #6
    Join Date
    Oct 2007
    Posts
    62
    ok thanks guys.

    exim.conf

    #!!# cPanel Exim 4 Config

    log_selector = +arguments +subject +received_recipients

    #!!# These options specify the Access Control Lists (ACLs) that
    #!!# are used for incoming SMTP messages - after the RCPT and DATA
    #!!# commands, respectively.

    acl_smtp_rcpt = check_recipient
    acl_smtp_data = check_message

    #!!# This setting defines a named domain list called
    #!!# local_domains, created from the old options that
    #!!# referred to local domains. It will be referenced
    #!!# later on by the syntax "+local_domains".
    #!!# Other domain and host lists may follow.
    I hope I did this right.

  7. #7
    Join Date
    Mar 2009
    Location
    Chicago, IL
    Posts
    219
    Quote Originally Posted by afree2 View Post
    ok thanks guys.

    exim.conf
    I hope I did this right.

    That should work; however, it's not going to go through an exim upgrade. Launch the exim editor from WHM and then paste that into the first open box you see, then do 'save' and it'll ensure those changes stick.
