Thread: How to track spammer in whm?
-
09-12-2009, 03:49 PM #1Web Hosting Guru
- Join Date
- May 2008
- Posts
- 296
How to track spammer in whm?
Hello,
I run a web hosting company.
Some spammer is spamming in whm server.
Can you guide me how can I find which account that mail is going?
Following is the mail with full headers.
Code:
1MmOCC-0003Jt-HT-H
nobody 99 32003
<nobody@server1.somedomain.com>
1252744980 0
-ident nobody
-received_protocol local
-body_linecount 30
-max_received_linelength 2517
-auth_id nobody
-auth_sender nobody@server1.somedomain.com
-allow_unqualified_recipient
-allow_unqualified_sender
-local
XX
1
WBonomi@maildomination.com

202P Received: from nobody by server1.somedomain.com with local (Exim 4.69)
	(envelope-from <nobody@server1.somedomain.com>)
	id 1MmOCC-0003Jt-HT
	for WBonomi@maildomination.com; Sat, 12 Sep 2009 08:43:00 +0000
031T To: WBonomi@maildomination.com
045  Subject: Work at Home and Earn 425€ per week
052F From: Hans-Peter Dresen <dresen.hanspeter@yahoo.de>
036R Reply-To: dresen.hanspeter@yahoo.de
018  MIME-Version: 1.0
024  Content-Type: text/html
032  Content-Transfer-Encoding: 8bit
053I Message-Id: <E1MmOCC-0003Jt-HT@server1.somedomain.com>
038  Date: Sat, 12 Sep 2009 08:43:00 +0000

1MmOCC-0003Jt-HT-D
Sheepon Textile Company Ltd www.sheepon.com.tw My Name is MR Hans-Peter Dresen. I was born in Germany but British Citizen, 47 year old man, Presently in England for work. We are looking for a Male or Female representatives, who can be working for us as a part time worker and earn 475€ per week. We are happy to inform you that this would not affect your present job but rather get more extra earnings in your wallet.Our main factory is located in Taiwan , while we extract the raw materials needed for the manufacturing of fabrics from Taiwan , Asia and South Americans We produce standard articles for the promotional, catering, hotel and laundry trades. We are also able to manufacture to our customer’s specific design requirements. As our main area of business is the promotional market we are constantly working with our clients on new and innovative designs and provide a fast and flexible service. 
Blank Tea Towels, Cotton Canvas Bags and Cotton Drill Aprons are our most popular products used by screen printers and embroiderers for tourism, schools, special events and promotions.We are in need of a representative, someone who is honest, sincere, trustworthy, capable and reliable that would help us receive payments from our customers. The reason why we need this rep is that the cost of coming down and get those payments is very expensive, we can spend up 2,500 dollars on every trip,(feeding, accommodation and flight tickets) so we need a representative who will be handling that aspect.We are willing to pay you 475€ per week, and you can still keep your regular job while you work for us All you have to do is help us receive payments from our customers. These payments May come in Check, Cashiers Check, Money Order and Travellers Check, or International Money Orders base on what our client decides to pay with. and they would come to you in your name, because you're the one to get them cashed, so all you need do is cash the payment in your bank , you will earn 475€ per week for doing this for us. You can definitely earn more than 475€ per week depending on how many payments sent to you. Most payment sent are 4750€ that’s the reason why your 10% is 475€ but if you receive like 5 payments during the week it means you will earn 2250€. The more payments you receive the more money you will earn .All we need now is your trust and you will work with us. It would not cost you any amount, you are to receive payments which will be sent to you by post from our business partners, or those mailed to us in our Location will be sent out to you. Finally, these are the information that we need for your application form, your mailing address and your contact telephone number and a copy of identification. FIRST NAME........... SURNAME............ ADDRESS......... CITY........ STATE.......... ZIP CODE......... COUNTRY....... PHONE NUMBER(S).......... OCCUPATION........... 
GENDER......... MARITAL STATUS AGE.......... NATIONALITY........... ID NUMBER.......... BANK NAME............... SCAN COPY OF YOUR PHOTO ID (PASSPORT OR DRIVERS LICENCE) Regards, Hans-Peter DresenEsq. Recruiting Manager, Sheepon Textile Company Ltd
From the above mail I cannot sort out which account is sending it. It seems that they are using the nobody account.
Please help me to find the account which is sending the mail.
-
09-12-2009, 05:52 PM #2
-auth_sender nobody@server1.somedomain.com
How? You can start by recompiling PHP with the mail sender patch in it. That's not going to find your current problem though; you need to resolve THAT first.
WHM is not your server administrator, you are. You need to learn and understand how to properly manage and maintain a server, which includes finding out which process is doing this, and killing it, properly. WHM won't do that for you.
Tom Whiting, WHMCS Guru extraordinaire
Linux problems? WHMCS Problems? Give me a shout
Check out my WHMCS Addons
-
09-12-2009, 05:57 PM #3Web Hosting Guru
- Join Date
- May 2008
- Posts
- 296
-
09-12-2009, 06:12 PM #4WHT Addict
- Join Date
- Mar 2009
- Location
- London, UK
- Posts
- 134
Step 1)
Login to your server and su - to root.
Step 2)
Turn off exim while we do this so it doesn't freak out.
/etc/init.d/exim stop
Step 3)
Backup your original /usr/sbin/sendmail file. On systems using Exim MTA, the sendmail file is just basically a pointer to Exim itself.
mv /usr/sbin/sendmail /usr/sbin/sendmail.hidden
Step 4)
Create the spam monitoring script for the new sendmail.
pico /usr/sbin/sendmail
Paste in the following:
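Code:
#!/usr/local/bin/perl
# Logging wrapper installed as /usr/sbin/sendmail.
# The real binary has been moved to /usr/sbin/sendmail.hidden.
use strict;

my $date = `date`;
chomp $date;

# Append one line per invocation to the spam log.
open(my $info_fh, '>>', '/var/log/spam_log') || die "Failed to open file ::$!";
my $uid  = $>;               # effective UID of the caller
my @info = getpwuid($uid);   # passwd entry for that UID

if ($ENV{REMOTE_ADDR}) {
    # Called during a web request: log client IP, script and virtual host.
    print $info_fh "$date - $ENV{REMOTE_ADDR} ran $ENV{SCRIPT_NAME} at $ENV{SERVER_NAME} \n";
}
else {
    # Otherwise log the working directory and the caller's passwd entry.
    print $info_fh "$date - $ENV{PWD} - @info\n";
}
close($info_fh);

# Hand the message to the real sendmail with the original arguments.
# The list form of open keeps the arguments away from a shell.
my $mailprog = '/usr/sbin/sendmail.hidden';
open(my $mail_fh, '|-', $mailprog, @ARGV) || die "cannot open $mailprog: $!\n";
while (<STDIN>) {
    print $mail_fh $_;
}
close($mail_fh);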
Step 5)
Change the new sendmail permissions
chmod +x /usr/sbin/sendmail
Step 6)
Create a new log file to keep a history of all mail going out of the server using web scripts
touch /var/log/spam_log
chmod 0777 /var/log/spam_log
Step 7)
Start Exim up again.
/etc/init.d/exim start
Step 8)
Monitor your spam_log file for spam, try using any formmail or script that uses a mail function - a message board, a contact script.
tail -f /var/log/spam_log
Sample Log Output
Mon Apr 11 07:12:21 EDT 2005 - /home/username/public_html/directory/subdirectory - nobody x 99 99 Nobody / /sbin/nologin
Log Rotation Details
Your spam_log file isn't set to be rotated so it might get to be very large quickly. Keep an eye on it and consider adding it to your logrotation.
pico /etc/logrotate.conf
FIND:
# no packages own wtmp -- we'll rotate them here
/var/log/wtmp {
monthly
create 0664 root utmp
rotate 1
}
ADD BELOW:
# SPAM LOG rotation
/var/log/spam_log {
monthly
create 0777 root root
rotate 1
}
Notes:
You may also want to chattr +i /usr/sbin/sendmail so it doesn't get overwritten.
Enjoy knowing you can see nobody is actually somebody =)
►► Magmahost ►► Professional & Affordable Shared, Reseller Services.
»» Performance, Reliability, Stability. Your data is safe with us.
»» 99.9 Uptime | Extremely Secure | 24/7 Support | LiteSpeed
★★★ Hosting anyone can afford. ★★★ UK AND USA SERVERS
-
09-12-2009, 06:33 PM #5
Unless you understand 100% of what you're doing do not follow the above instructions.
Following guides, tutorials, instructions, etc, online, even from reputable, trusted individuals will cause issues, especially when dealing with root access and server issues.
Contact your server administrator, have them look @ this for you. If you don't have one, get one. If you don't, you will end up screwing up your server by relying on online forums for information that is unreliable.
Tom Whiting, WHMCS Guru extraordinaire
-
09-12-2009, 07:11 PM #6Web Hosting Guru
- Join Date
- May 2008
- Posts
- 296
Code:Sat Sep 12 22:28:38 GMT 2009 - /root - Sat Sep 12 22:30:53 GMT 2009 - 96.9.152.6 ran /cgi/addon_csf.cgi at server.XXXX.com nSat Sep 12 22:31:00 GMT 2009 - 96.9.152.6 ran /cgi/addon_csf.cgi at server.XXXXX.com nSat Sep 12 22:39:31 GMT 2009 - 96.9.152.6 ran /cgi/addon_csf.cgi at server.XXXX.com nSat Sep 12 22:40:52 GMT 2009 - 96.9.152.6 ran /cgi/addon_csf.cgi at server.XXXXX.com nSat Sep 12 22:43:03 GMT 2009 - /home/paybackh/public_html - Sat Sep 12 22:43:44 GMT 2009 - /home/dailycom/public_html - Sat Sep 12 22:45:25 GMT 2009 - /home/alfain/public_html - Sat Sep 12 22:45:25 GMT 2009 - /home/alfain/public_html - Sat Sep 12 22:58:02 GMT 2009 - / -
The above is the log in spam_log.txt.
Can you explain to me how it works?
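Added example, not part of any post in this thread: a Python script that reads a spam_log written by the wrapper from post #4 and counts invocations per account and per (client IP, script), including the case where entries run together on one line as in the log above. The sample lines, the address 192.0.2.10, the names acct1, acct2 and host.example, the function names and the /home/<account> layout are all assumptions made for the illustration.

```python
import re
from collections import Counter

# Constructed sample in the wrapper's two formats. Entries run together, two
# with a stray "n", as in the log posted above; the last is on its own line.
SAMPLE = (
    "Sat Sep 12 22:28:38 GMT 2009 - /root - "
    "Sat Sep 12 22:30:53 GMT 2009 - 192.0.2.10 ran /cgi/form.cgi at host.example n"
    "Sat Sep 12 22:31:00 GMT 2009 - 192.0.2.10 ran /cgi/form.cgi at host.example n"
    "Sat Sep 12 22:43:03 GMT 2009 - /home/acct1/public_html - "
    "Sat Sep 12 22:45:25 GMT 2009 - /home/acct2/public_html - \n"
    "Sat Sep 12 22:45:26 GMT 2009 - /home/acct2/public_html/forum"
    " - nobody x 99 99 Nobody / /sbin/nologin\n"
)

# Timestamp as printed by `date`, followed by the " - " separator.
STAMP = re.compile(r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) [A-Z][a-z]{2} [ \d]\d "
                   r"\d\d:\d\d:\d\d \S+ \d{4} - ")
WEB = re.compile(r"(\S+) ran (\S+) at (\S+)")  # REMOTE_ADDR, SCRIPT_NAME, SERVER_NAME
HOME = re.compile(r"/home/([^/\s]+)")          # account name from the working directory


def split_entries(text):
    """Yield each entry's text after its timestamp, even when entries share a line."""
    stamps = list(STAMP.finditer(text))
    for i, m in enumerate(stamps):
        end = stamps[i + 1].start() if i + 1 < len(stamps) else len(text)
        yield text[m.end():end].strip()


def tally(text):
    """Count wrapper invocations per account and per (client IP, script)."""
    by_account, by_web = Counter(), Counter()
    for body in split_entries(text):
        web = WEB.match(body)
        if web:  # mail sent during a web request
            by_web[(web.group(1), web.group(2))] += 1
            continue
        cwd = re.split(r"\s+-(?:\s|$)", body)[0]  # working directory field
        home = HOME.match(cwd)
        by_account[home.group(1) if home else cwd] += 1
    return by_account, by_web


if __name__ == "__main__":
    accounts, web = tally(SAMPLE)
    print(accounts.most_common())
    print(web.most_common())
```

An account or script that dominates the counts is the place to start looking; the log only records that the wrapper was invoked, not what was sent.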
-
09-12-2009, 07:14 PM #7WHT Addict
- Join Date
- Mar 2009
- Location
- London, UK
- Posts
- 134
-
09-12-2009, 07:38 PM #8Web Hosting Guru
- Join Date
- May 2008
- Posts
- 296
Thanks the script works fine.
-
09-12-2009, 07:38 PM #9Web Hosting Guru
- Join Date
- May 2008
- Posts
- 296
-
09-12-2009, 08:05 PM #10WHT Addict
- Join Date
- Mar 2009
- Location
- London, UK
- Posts
- 134
It's a good script; we use it ourselves along with CSF Mail Tools.
-
01-29-2013, 09:46 AM #11Web Hosting Evangelist
- Join Date
- Aug 2008
- Posts
- 511
Such a useful thread I found.
-
01-29-2013, 09:50 AM #12Web Hosting Evangelist
- Join Date
- Aug 2008
- Posts
- 511
such a useful thread