  1. #1

    Help me find out which user is sending spam

    Hi there, ThePlanet just sent me an alert that my server is being flagged as a spam source. They sent me 2 examples but I can't figure out which user is sending the messages. Looks like a backdoor was found in someone's outdated site and spam-sending files got injected.

    I have tracked down the messages they sent me in exim_mainlog but I can't find any sign of a username. No "U=" or "A=fixed_login" in the log to help me, just a localhost connection.

    2009-09-05 12:13:02 1Mjwwo-0002Hq-DJ <= [email protected] H=localhost ( []:48863 I=[]:25 P=smtp S=912 [email protected] T="$$$$$LOVE_SEX_LOVE$$$$$" from <[email protected]> for [email protected]
    2009-09-05 12:13:02 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1Mjwwo-0002Hq-DJ
    Do I have any chance of figuring this out?


  2. #2
    If it is a cPanel server you can enable extended logging so that you can track down all details if you are suspecting a spammer.

    You can edit the exim.conf file and use

    log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn

    Is that a domain in your server? Also try to exigrep the msgid to check. Sometimes it will provide slightly clearer logs.

    => means sent to and <= means sent from address.
    Last edited by ianeeshps; 09-06-2009 at 06:01 AM.
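
Added example, not part of the original thread: a POSIX shell/awk helper that sorts Exim arrival (`<=`) lines by origin using the `U=`, `A=` and `H=` fields discussed above, and lists the message ids that arrived over loopback SMTP with neither `U=` nor `A=`, which is the case in post #1, so they can be followed up with exigrep. The names `exim_origins` and `sample_log` are hypothetical, the sample log is constructed, and the default main-log field order (no extra pid field) is assumed.

```sh
#!/bin/sh
# Added example: classify Exim arrival ("<=") lines by how the message came in.
# Assumes the default main-log layout: date, time, message id, "<=", sender, fields.

# exim_origins MODE [FILE...]   (hypothetical helper name)
#   summary: message count per origin
#   ids:     ids of messages that came over loopback SMTP with no U= or A=
exim_origins() {
  _mode=$1; shift
  awk -v mode="$_mode" '
    $4 == "<=" {
      user = auth = host = ""; lo = 0
      for (i = 6; i <= NF; i++) {
        if ($i ~ /^T=/) break                      # subject is sender-controlled text
        if      ($i ~ /^U=/) user = substr($i, 3)
        else if ($i ~ /^A=/) auth = substr($i, 3)  # authenticator:login
        else if ($i ~ /^H=/) host = substr($i, 3)
        else if (substr($i, 1, 5) == "[127." || substr($i, 1, 5) == "[::1]") lo = 1
      }
      if (auth != "") { sub(/^[^:]*:/, "", auth); key = "auth " auth }
      else if (user != "") key = "local " user
      else if (lo || host == "localhost") {
        key = "loopback-smtp unattributed"
        if (mode == "ids") print $3
      }
      else key = "remote-smtp"
      count[key]++
    }
    END { if (mode == "summary") for (k in count) printf "%d %s\n", count[k], k }
  ' "$@" | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample log; every address, id and host here is made up.
sample_log() {
  cat <<'EOF'
2009-09-05 12:00:01 1MjAAA-0000aa-AA <= alice@example.test U=alice P=local S=1200
2009-09-05 12:00:05 1MjAAB-0000ab-BB <= bob@example.test H=(client) [203.0.113.7]:4021 P=esmtpa A=fixed_login:bob S=900
2009-09-05 12:13:02 1MjAAC-0000ac-CC <= x@example.test H=localhost (mail.example.test) [127.0.0.1]:48863 P=smtp S=912 T="U=alice"
2009-09-05 12:13:03 1MjAAD-0000ad-DD <= y@example.test H=localhost (mail.example.test) [127.0.0.1]:48864 P=smtp S=915
2009-09-05 12:13:04 1MjAAC-0000ac-CC => someone@example.net R=lookuphost T=remote_smtp
2009-09-05 12:14:00 1MjAAE-0000ae-EE <= alice@example.test U=alice P=local S=700
EOF
}

sample_log | exim_origins summary
```

Against a real log, pass the file as the second argument, for example `exim_origins ids /var/log/exim_mainlog`.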

  3. #3
    grep "exceeded the max emails per hour" /var/log/exim_mainlog

    This will help you find the user who sends max emails, and most of the time it's spam.

  4. #4
    You can easily trace the users sending the spam on the server by checking the maillogs using,

    #tail -f /var/log/exim_mainlog

  5. #5
    for i in $(grep "max emails" /var/log/exim_mainlog | awk '{print $9}' | sort -u); do echo "$i: $(grep "max emails" /var/log/exim_mainlog | grep -cF -- "$i")"; done
    Try this and it should report how many times the abusers hit your limits.

  6. #6
    Thank you guys,

    Looks like WordPress has a huge security hole that lets spammers inject code on outdated sites. Since like 80% of my customers run WordPress... X-(

  7. #7
    Yeah...WordPress is a HUGE pain in the REAR END!

  8. #8
    Yeah.. I would recommend you upgrade WP.
