  1. #1
    Join Date
    May 2008
    Posts
    296

    How to track spammer in whm?

    Hello,

    I run a web hosting company.

    Some spammer is spamming in whm server.

    Can you guide me on how I can find which account that mail is going out from?

    Following is the mail with full headers.

    Code:
    1MmOCC-0003Jt-HT-H
    nobody 99 32003
    <nobody@server1.somedomain.com>
    1252744980 0
    -ident nobody
    -received_protocol local
    -body_linecount 30
    -max_received_linelength 2517
    -auth_id nobody
    -auth_sender nobody@server1.somedomain.com
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -local
    XX
    1
    WBonomi@maildomination.com
    
    202P Received: from nobody by server1.somedomain.com with local (Exim 4.69)
    	(envelope-from <nobody@server1.somedomain.com>)
    	id 1MmOCC-0003Jt-HT
    	for WBonomi@maildomination.com; Sat, 12 Sep 2009 08:43:00 +0000
    031T To: WBonomi@maildomination.com
    045  Subject: Work at Home and Earn 425€ per week
    052F From: Hans-Peter Dresen <dresen.hanspeter@yahoo.de>
    036R Reply-To: dresen.hanspeter@yahoo.de
    018  MIME-Version: 1.0
    024  Content-Type: text/html
    032  Content-Transfer-Encoding: 8bit
    053I Message-Id: <E1MmOCC-0003Jt-HT@server1.somedomain.com>
    038  Date: Sat, 12 Sep 2009 08:43:00 +0000
    1MmOCC-0003Jt-HT-D
    Sheepon Textile Company Ltd
    www.sheepon.com.tw
    
    My Name is MR Hans-Peter Dresen. I was born in Germany but British Citizen, 47 year old man, Presently in England for work. We are looking for a Male or Female representatives, who can be working for us as a part time worker and earn 475€ per week. We are happy to inform you that this would not affect your present job but rather get more extra earnings in your wallet.Our main factory is located in Taiwan , while we extract the raw materials needed for the manufacturing of fabrics from Taiwan , Asia and South Americans We produce standard articles for the promotional, catering, hotel and laundry trades. We are also able to manufacture to our customer’s specific design requirements. As our main area of business is the promotional market we are constantly working with our clients on new and innovative designs and provide a fast and flexible service. Blank Tea Towels, Cotton Canvas Bags and Cotton Drill Aprons are our most popular products used by screen printers and embroiderers for tourism, schools, special events and promotions.We are in need of a representative, someone who is honest, sincere, trustworthy, capable and reliable that would help us receive payments from our customers. The reason why we need this rep is that the cost of coming down and get those payments is very expensive, we can spend up 2,500 dollars on every trip,(feeding, accommodation and flight tickets) so we need a representative who will be handling that aspect.We are willing to pay you 475€ per week, and you can still keep your regular job while you work for us All you have to do is help us receive payments from our customers. These payments May come in Check, Cashiers Check, Money Order and Travellers Check, or International Money Orders base on what our client decides to pay with. and they would come to you in your name, because you're the one to get them cashed, so all you need do is cash the payment in your bank , you will earn 475€ per week for doing this for us. 
You can definitely earn more than 475€ per week depending on how many payments sent to you. Most payment sent are 4750€ that’s the reason why your 10% is 475€ but if you receive like 5 payments during the week it means you will earn 2250€. The more payments you receive the more money you will earn .All we need now is your trust and you will work with us. It would not cost you any amount, you are to receive payments which will be sent to you by post from our business partners, or those mailed to us in our Location will be sent out to you.
    Finally, these are the information that we need for your application form, your mailing address and your contact telephone number and a copy of identification.
    
    FIRST NAME...........
    SURNAME............
    ADDRESS.........
    CITY........
    STATE..........
    ZIP CODE......... 
    COUNTRY.......
    PHONE NUMBER(S).......... 
    OCCUPATION...........
    GENDER......... 
    MARITAL STATUS
    AGE.......... NATIONALITY........... 
    ID NUMBER..........
    BANK NAME...............
    SCAN COPY OF YOUR PHOTO ID (PASSPORT OR DRIVERS LICENCE)
     
    Regards,
     
    Hans-Peter DresenEsq.
    Recruiting Manager,
    Sheepon Textile Company Ltd


    From the above mail I cannot sort out which account is sending it. It seems that they are using nobody account.

    Please help me to find the account which is sending the mail.
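    The spool file pasted above already answers the "which account" question: the second line and the `-ident` / `-received_protocol local` options record who handed the message to Exim. The following is an added Python example, not code from the thread, that parses that Exim `-H` spool header format and explains what the submitter fields mean; the sample is a trimmed copy of the header in the post, and the set of web-server usernames is an assumption.

```python
import re

# Constructed sample: the -H spool file from the post, trimmed to the lines that
# identify the submitter (message id and addresses kept as they appear on the page).
SAMPLE_SPOOL_H = """\
1MmOCC-0003Jt-HT-H
nobody 99 32003
<nobody@server1.somedomain.com>
1252744980 0
-ident nobody
-received_protocol local
-auth_id nobody
-local
XX
1
WBonomi@maildomination.com

202P Received: from nobody by server1.somedomain.com with local (Exim 4.69)
052F From: Hans-Peter Dresen <dresen.hanspeter@yahoo.de>
"""

WEB_SERVER_USERS = {"nobody", "apache", "www-data"}  # assumption: usual web-server uids

def parse_spool_header(text):
    """Parse an Exim -H spool file into the fields that show who submitted the message."""
    lines = text.splitlines()
    msg_id = lines[0][:-2]                      # strip the trailing "-H"
    user, uid, gid = lines[1].split()           # "user uid gid" of the submitting process
    info = {"message_id": msg_id, "user": user, "uid": int(uid), "gid": int(gid),
            "envelope_from": lines[2].strip("<>")}
    # Option lines start with "-" and run until the ACL-variable marker "XX"
    for line in lines[4:]:
        if line == "XX":
            break
        key, _, value = line[1:].partition(" ")
        info[key] = value or True               # flag options such as -local carry no value
    # The From: header the recipient sees; Exim flags that header line with "F"
    m = re.search(r"^\d+F From: (.*)$", text, re.M)
    info["header_from"] = m.group(1) if m else None
    return info

def classify_submission(info):
    """Say whether the mail was injected locally by the web server's uid, which
    means a script in some account, not a mail account, is the sender."""
    if info.get("received_protocol") != "local":
        return "smtp: check auth_id %s" % info.get("auth_id")
    if info["user"] in WEB_SERVER_USERS:
        return "web-script: local submission as uid %d (%s)" % (info["uid"], info["user"])
    return "local-user: submitted by %s" % info["user"]
```

The forged From: header is irrelevant to attribution; the `nobody 99 32003` line and `-received_protocol local` are what tie the message to a script running under the web server.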

  2. #2
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    14,135
    There's your problem right there. The user 'nobody' is sending mail. This means it's a php or perl script usually, and you need to find and remove it.

    How? You can start by recompiling PHP with the mail sender patch in it. That's not going to find your current problem though; you need to resolve THAT first.

    WHM is not your server administrator, you are. You need to learn and understand how to properly manage and maintain a server, which includes finding out which process is doing this, and killing it, properly. WHM won't do that for you.
    Tom Whiting, WHMCS Guru extraordinaire
    Linux problems? WHMCS Problems? Give me a shout
    Check out my WHMCS Addons

  3. #3
    Join Date
    May 2008
    Posts
    296
    Quote Originally Posted by linux-tech:
    There's your problem right there. The user 'nobody' is sending mail. This means it's a php or perl script usually, and you need to find and remove it.

    How? You can start by recompiling PHP with the mail sender patch in it. That's not going to find your current problem though; you need to resolve THAT first.

    WHM is not your server administrator, you are. You need to learn and understand how to properly manage and maintain a server, which includes finding out which process is doing this, and killing it, properly. WHM won't do that for you.
    Thank you for your help, yes that is really the problem.

    How can I track the PHP script? I guess the person is using some PHP mailer.

    Among 140 accounts it is almost impossible to find.

    Can someone guide me to do that?
    Host Speech - Talk About Web Hosting, Design & Marketing

    Website URL: http://www.hostspeech.com

  4. #4
    Join Date
    Mar 2009
    Location
    London, UK
    Posts
    134
    Quote Originally Posted by PNH-Madih:
    Thank you for your help, yes that is really the problem.

    How can I track the PHP script? I guess the person is using some PHP mailer.

    Among 140 accounts it is almost impossible to find.

    Can someone guide me to do that?
    Step 1)

    Login to your server and su - to root.

    Step 2)

    Turn off Exim while we do this so it doesn't freak out.
    /etc/init.d/exim stop

    Step 3)

    Back up your original /usr/sbin/sendmail file. On systems using the Exim MTA, the sendmail file is basically just a pointer to Exim itself.
    mv /usr/sbin/sendmail /usr/sbin/sendmail.hidden

    Step 4)

    Create the spam monitoring script as the new sendmail.
    pico /usr/sbin/sendmail

    Paste in the following:

    Code:
    #!/usr/local/bin/perl
    # Wrapper that logs who invoked sendmail, then hands the message to the real binary.
    use strict;
    use warnings;
    # Import only the environment variables we read, so 'use strict' is satisfied
    # even when a variable is absent (e.g. when not invoked from a web request).
    use Env qw(REMOTE_ADDR SCRIPT_NAME SERVER_NAME PWD);
    my $date = `date`;
    chomp $date;
    open (INFO, ">>/var/log/spam_log") || die "Failed to open file ::$!";
    my $uid = $>;                    # effective uid of the caller (e.g. nobody)
    my @info = getpwuid($uid);       # passwd entry for that uid
    if ($REMOTE_ADDR) {
        # Invoked from a CGI/PHP request: record the client IP, script and vhost
        print INFO "$date - $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME\n";
    }
    else {
        # Invoked from a shell or cron: record the working directory and the account
        print INFO "$date - $PWD - @info\n";
    }
    close (INFO);
    my $mailprog = '/usr/sbin/sendmail.hidden';
    # List-form open passes the original arguments through without a shell
    open (MAIL, '|-', $mailprog, @ARGV) || die "cannot open $mailprog: $!\n";
    while (<STDIN>) {
        print MAIL;
    }
    close (MAIL);

    Step 5)

    Change the new sendmail's permissions:
    chmod +x /usr/sbin/sendmail

    Step 6)

    Create a new log file to keep a history of all mail going out of the server using web scripts:
    touch /var/log/spam_log
    chmod 0777 /var/log/spam_log

    Step 7)

    Start Exim up again.
    /etc/init.d/exim start

    Step 8)

    Monitor your spam_log file for spam; try using any formmail or script that uses a mail function - a message board, a contact script.
    tail -f /var/log/spam_log

    Sample Log Output

    Mon Apr 11 07:12:21 EDT 2005 - /home/username/public_html/directory/subdirectory - nobody x 99 99 Nobody / /sbin/nologin

    Log Rotation Details

    Your spam_log file isn't set to be rotated so it might get to be very large quickly. Keep an eye on it and consider adding it to your logrotation.

    pico /etc/logrotate.conf
    FIND:
    # no packages own wtmp -- we'll rotate them here
    /var/log/wtmp {
    monthly
    create 0664 root utmp
    rotate 1
    }
    ADD BELOW:
    # SPAM LOG rotation
    /var/log/spam_log {
    monthly
    create 0777 root root
    rotate 1
    }



    Notes:

    You may also want to chattr +i /usr/sbin/sendmail so it doesn't get overwritten.

    Enjoy knowing you can see nobody is actually somebody =)
    ►► Magmahost ►► Professional & Affordable Shared, Reseller Services.
    »» Performance, Reliability, Stability. Your data is safe with us.
    »» 99.9 Uptime | Extremely Secure | 24/7 Support | LiteSpeed
    ★ Hosting anyone can afford. ★ UK AND USA SERVERS

  5. #5
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    14,135
    Unless you understand 100% of what you're doing do not follow the above instructions.

    Following guides, tutorials, instructions, etc, online, even from reputable, trusted individuals will cause issues, especially when dealing with root access and server issues.

    Contact your server administrator, have them look @ this for you. If you don't have one, get one. If you don't, you will end up screwing up your server by relying on online forums for information that is unreliable.

  6. #6
    Join Date
    May 2008
    Posts
    296
    Code:
    Sat Sep 12 22:28:38 GMT 2009 - /root - Sat Sep 12 22:30:53 GMT 2009 - 96.9.152.6 ran /cgi/addon_csf.cgi at server.XXXX.com nSat Sep 12 22:31:00 GMT 2009 - 96.9.152.6 ran /cgi/addon_csf.cgi at server.XXXXX.com nSat Sep 12 22:39:31 GMT 2009 - 96.9.152.6 ran /cgi/addon_csf.cgi at server.XXXX.com nSat Sep 12 22:40:52 GMT 2009 - 96.9.152.6 ran /cgi/addon_csf.cgi at server.XXXXX.com nSat Sep 12 22:43:03 GMT 2009 - /home/paybackh/public_html - Sat Sep 12 22:43:44 GMT 2009 - /home/dailycom/public_html - Sat Sep 12 22:45:25 GMT 2009 - /home/alfain/public_html - Sat Sep 12 22:45:25 GMT 2009 - /home/alfain/public_html - Sat Sep 12 22:58:02 GMT 2009 - / -

    The above is the log in spam_log.txt.

    Can you explain to me how it works?

  7. #7
    Join Date
    Mar 2009
    Location
    London, UK
    Posts
    134
    Quote Originally Posted by PNH-Madih:
    Code:
    Sat Sep 12 22:28:38 GMT 2009 - /root - Sat Sep 12 22:30:53 GMT 2009 - 96.9.152.6 ran /cgi/addon_csf.cgi at server.XXXX.com nSat Sep 12 22:31:00 GMT 2009 - 96.9.152.6 ran /cgi/addon_csf.cgi at server.XXXXX.com nSat Sep 12 22:39:31 GMT 2009 - 96.9.152.6 ran /cgi/addon_csf.cgi at server.XXXX.com nSat Sep 12 22:40:52 GMT 2009 - 96.9.152.6 ran /cgi/addon_csf.cgi at server.XXXXX.com nSat Sep 12 22:43:03 GMT 2009 - /home/paybackh/public_html - Sat Sep 12 22:43:44 GMT 2009 - /home/dailycom/public_html - Sat Sep 12 22:45:25 GMT 2009 - /home/alfain/public_html - Sat Sep 12 22:45:25 GMT 2009 - /home/alfain/public_html - Sat Sep 12 22:58:02 GMT 2009 - / -

    The above is the log in spam_log.txt.

    Can you explain to me how it works?
    It's telling you the directory of the scripts that are sending mail as "nobody".
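    Reading the directory out of each line by eye does not scale to 140 accounts, so here is an added Python example (not from the thread) that parses the two line formats the wrapper writes, as shown in the sample output in post #4, and counts sends per cPanel account and per directory. The log lines below are constructed for the example; the account names are the ones visible in the thread.

```python
import re
from collections import Counter

# Constructed sample lines in the two formats the wrapper script writes
# (shell/cron entries with the working directory, and web-request entries with REMOTE_ADDR).
SAMPLE_SPAM_LOG = """\
Sat Sep 12 22:43:03 GMT 2009 - /home/paybackh/public_html - nobody x 99 99 Nobody / /sbin/nologin
Sat Sep 12 22:43:44 GMT 2009 - /home/dailycom/public_html/mailer - nobody x 99 99 Nobody / /sbin/nologin
Sat Sep 12 22:45:25 GMT 2009 - /home/dailycom/public_html/mailer - nobody x 99 99 Nobody / /sbin/nologin
Sat Sep 12 22:45:31 GMT 2009 - 203.0.113.7 ran /contact.php at www.example-site.test
Sat Sep 12 22:58:02 GMT 2009 - /root - root x 0 0 root /root /bin/bash
Sat Sep 12 23:01:10 GMT 2009 - /home/dailycom/public_html/mailer - nobody x 99 99 Nobody / /sbin/nologin
"""

CWD_LINE = re.compile(r"^(?P<date>.+?) - (?P<cwd>/\S*) - (?P<pwent>.*)$")
WEB_LINE = re.compile(r"^(?P<date>.+?) - (?P<ip>[\d.]+) ran (?P<script>\S+) at (?P<host>\S+)")

def parse_line(line):
    """Return a dict describing one spam_log entry, or None for unparseable lines."""
    m = CWD_LINE.match(line)
    if m:
        cwd = m.group("cwd")
        parts = cwd.split("/")
        # /home/<account>/... is the cPanel account that owns the sending script
        account = parts[2] if len(parts) > 2 and parts[1] == "home" else None
        return {"kind": "cwd", "cwd": cwd, "account": account, "user": m.group("pwent").split()[0]}
    m = WEB_LINE.match(line)
    if m:
        return {"kind": "web", "ip": m.group("ip"), "script": m.group("script"),
                "host": m.group("host"), "account": None}
    return None

def summarize(log_text):
    """Count sends per cPanel account and per working directory; web-request
    entries are counted by host+script so a single abused form stands out too."""
    accounts, dirs, scripts = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        if entry["kind"] == "cwd":
            dirs[entry["cwd"]] += 1
            if entry["account"]:
                accounts[entry["account"]] += 1
        else:
            scripts[entry["host"] + entry["script"]] += 1
    return accounts, dirs, scripts
```

`summarize(open("/var/log/spam_log").read())[0].most_common(5)` lists the accounts sending the most mail through the wrapper; the directory counter then points at the script to inspect.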

  8. #8
    Join Date
    May 2008
    Posts
    296
    Thanks the script works fine.

  9. #9
    Join Date
    May 2008
    Posts
    296
    Quote Originally Posted by linux-tech:
    Unless you understand 100% of what you're doing do not follow the above instructions.

    Following guides, tutorials, instructions, etc, online, even from reputable, trusted individuals will cause issues, especially when dealing with root access and server issues.

    Contact your server administrator, have them look @ this for you. If you don't have one, get one. If you don't, you will end up screwing up your server by relying on online forums for information that is unreliable.
    I am a programmer too and the code is OK.

  10. #10
    Join Date
    Mar 2009
    Location
    London, UK
    Posts
    134
    It's a good script; we use it ourselves along with CSF Mail Tools.

  11. #11
    Join Date
    Aug 2008
    Posts
    511
    Such a useful thread I found.

  12. #12
    Join Date
    Aug 2008
    Posts
    511
    such a useful thread
