My server is spamming through SMTP

Sfinks (new member, joined Dec 26, 2005)
When I type the following command:
lsof -i |grep mail

I see a lot of SMTP connections to my server, and when I look into the log files of exim's mainlog, the server is spamming a lot!

Can someone help me?

Output of the command:
lsof -i |grep mail

exim 3471 mail 4u IPv4 237384 TCP servername.com:smtp->jewel.siteprotect.com:38355 (ESTABLISHED)
exim 3471 mail 5u IPv4 237384 TCP servername.com:smtp->jewel.siteprotect.com:38355 (ESTABLISHED)
exim 3628 mail 4u IPv4 238928 TCP servername.com:smtp->itworld-fw.itworld.com:57538 (ESTABLISHED)
exim 3628 mail 5u IPv4 238928 TCP servername.com:smtp->itworld-fw.itworld.com:57538 (ESTABLISHED)
exim 3835 mail 4u IPv4 240797 TCP servername.com:smtp->pmedge.cr.duq.edu:49488 (ESTABLISHED)
exim 3835 mail 5u IPv4 240797 TCP servername.com:smtp->pmedge.cr.duq.edu:49488 (ESTABLISHED)
exim 3906 mail 4u IPv4 241357 TCP servername.com:smtp->mss01.glink.net.hk:62183 (ESTABLISHED)
exim 3906 mail 5u IPv4 241357 TCP servername.com:smtp->mss01.glink.net.hk:62183 (ESTABLISHED)
exim 3981 mail 4u IPv4 242128 TCP servername.com:smtp->ftp.whs1.order-vault.net:2485 (ESTABLISHED)
exim 3981 mail 5u IPv4 242128 TCP servername.com:smtp->ftp.whs1.order-vault.net:2485 (ESTABLISHED)
exim 4133 mail 4u IPv4 243295 TCP servername.com:smtp->pop.telegroup.com:4356 (ESTABLISHED)
exim 4133 mail 5u IPv4 243295 TCP servername.com:smtp->pop.telegroup.com:4356 (ESTABLISHED)
exim 4242 mail 4u IPv4 244337 TCP servername.com:smtp->flpvm19.prodigy.net:38119 (ESTABLISHED)
exim 4242 mail 5u IPv4 244337 TCP servername.com:smtp->flpvm19.prodigy.net:38119 (ESTABLISHED)
exim 4250 mail 4u IPv4 244406 TCP servername.com:smtp->plus3.host4u.net:54455 (ESTABLISHED)
exim 4250 mail 5u IPv4 244406 TCP servername.com:smtp->plus3.host4u.net:54455 (ESTABLISHED)
exim 4316 mail 4u IPv4 245144 TCP servername.com:smtp->mc2.tradal.net:52983 (ESTABLISHED)
exim 4316 mail 5u IPv4 245144 TCP servername.com:smtp->mc2.tradal.net:52983 (ESTABLISHED)
exim 4419 mail 4u IPv4 246096 TCP servername.com:smtp->p0016c26.us.kpmg.com:55117 (ESTABLISHED)
exim 4419 mail 5u IPv4 246096 TCP servername.com:smtp->p0016c26.us.kpmg.com:55117 (ESTABLISHED)
exim 6383 mail 3u IPv4 43774 TCP *:smtp (LISTEN)
 
Can you find and show us some lines from /var/log/exim/mainlog ?

Jeff
 
jlasman said:
Can you find and show us some lines from /var/log/exim/mainlog ?

Jeff

Got the same problem here. I could show you "a few lines", the problem is that there are thousands and thousands of lines.

To give you an idea, click here and multiply that by a couple of hundred. I've already emptied the /var/spool/exim/input dir; there were thousands of files in that directory as well.

All the SMTP connections on this server are closed with a "SIGTERM". There are also many different IPs. For the last lines in the log file, click here (WARNING: 1.66 MB .txt). You can clearly see when the exim process is online, and when I've shut it down.

Does someone have a solution?

Peter
 
The solution is to find out where the spam is coming from. If your server has been hacked the email could be coming from a script and exim is doing the right thing attempting to deliver it.

With the default DA exim.conf, it is much more difficult to spam via SMTP. They would need to spoof the IP address of an entry already allowed via da-popb4smtp, or they would need a username/password of a user on the system.

I am guessing you have a vulnerable script or you have been hacked. There was a mod I saw someone post on this board to inject certain headers into the email, to identify the system account causing the spam; you might want to implement that to help find where it is coming from.
 
toml said:
The solution is to find out where the spam is coming from. If your server has been hacked the email could be coming from a script and exim is doing the right thing attempting to deliver it.

With the default DA exim.conf, it is much more difficult to spam via SMTP. They would need to spoof the IP address of an entry already allowed via da-popb4smtp, or they would need a username/password of a user on the system.

I am guessing you have a vulnerable script or you have been hacked. There was a mod I saw someone post on this board to inject certain headers into the email, to identify the system account causing the spam; you might want to implement that to help find where it is coming from.

Thank you for this information; I will start searching now. We've had trouble with plugins before indeed, and since the spamming is coming from 3 accounts (root for the queue, and 2 other users for the "new" messages), I guess that is a pretty good option.
 
The only plugin installed is "AwStats", version 2.1.7, is this the mod that has this bug?

Peter
 
PeterB said:
To give you an idea, click here and multiply that by a couple of hundred.
Useless.

Thousands of file names tell us nothing. A few lines from the log tell us all we need to know.
Does someone have a solution?
Yes.
The only plugin installed is "AwStats", version 2.1.7, is this the mod that has this bug?
Toml said script. A script is not the same as a plugin.

No doubt someone is running an insecure php script on your server. Our clients have had them, and it's likely you have them as well.

If you'd give me some of those log lines I could show you how to find which users/domains have bad scripts.

Jeff
 
Jeff,

I've posted a logfile here. Most lines say bttc.tdl indeed, but his account has been suspended and the files cannot be accessed anymore. I've also checked his files, and there was nothing that could send mails, except one Perl script (insecure indeed). I've renamed the file and suspended the user, but the spam is still being sent, even after a reboot.

The leak was an insecure order script, by the way.

Peter
 
Can you please send just one or two lines from the log, specific to the problem? I can't take the time to grep such a huge file.

Thanks.

Jeff
 
All these lines are the problem... you can pick any one of these lines :(
 
PeterB said:
All these lines are the problem... you can pick any one of these lines :(
These lines appear to show all the delivery attempts.

I need to see a log line that shows where your server accepted the email. That's going to tell which user has the problematic script.

Jeff
 
I'm more than willing to search, but I don't have a clue how to recognise that..
 
The lines you need to look for will have <= in them; delivery attempts will have => in them. Try posting a few lines that have the <= in them.
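As an added example (not code from this thread, from DirectAdmin or from Exim), the script below applies the rule from the reply above to an Exim mainlog: every `<=` line is where the server accepted a message, and the fields after the sender say where it came from (`U=user P=local` for a message injected by a local process such as a PHP or Perl script running as that account, `A=login:user` for an SMTP-authenticated submission, otherwise the `H=... [ip]` of the connecting host). The `=>`, `->`, `==` and `**` lines are the delivery attempts for that message id, so counting them per origin shows which account is generating the volume. The log lines, user names, hosts and addresses below are constructed for illustration, not taken from the poster's log.

```python
import re
from collections import defaultdict

# "<timestamp> <message-id> <= <sender> <key=value fields...>"  (Exim "message received" line)
RECEIVED_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) <= (\S+)(.*)$')
# Single-letter Exim log fields that follow the sender: U=user P=protocol H=host A=auth S=size
FIELD_RE = re.compile(r'\b([A-Z])=(\S+)')
IP_RE = re.compile(r'\[([0-9a-fA-F.:]+)\]')
# Per-recipient delivery lines: delivered, additional recipient, deferred, failed
DELIVERY_MARKERS = ('=>', '->', '==', '**')


def classify_received(line):
    """Return (message_id, sender, origin) for a '<=' line, or None for any other line."""
    m = RECEIVED_RE.match(line)
    if not m:
        return None
    _ts, msg_id, sender, rest = m.groups()
    fields = dict(FIELD_RE.findall(rest))
    if fields.get('P') == 'local':
        # Injected via the sendmail/exim binary by a local process: U= is the Unix account
        origin = 'local:' + fields.get('U', '?')
    elif 'A' in fields:
        # SMTP AUTH succeeded: A=<authenticator>:<login>; the login is the compromised mailbox
        origin = 'auth:' + fields['A'].split(':', 1)[-1]
    else:
        # Unauthenticated SMTP (e.g. an IP trusted via pop-before-smtp, or a relay abuse)
        ip = IP_RE.search(rest)
        origin = 'smtp:' + (ip.group(1) if ip else fields.get('H', '?'))
    return msg_id, sender, origin


def summarize(log_text):
    """Group accepted messages by origin and count delivery lines attributed to each origin."""
    origin_of = {}
    summary = defaultdict(lambda: {'messages': 0, 'deliveries': 0, 'senders': set()})
    for line in log_text.splitlines():
        parsed = classify_received(line)
        if parsed:
            msg_id, sender, origin = parsed
            origin_of[msg_id] = origin
            summary[origin]['messages'] += 1
            summary[origin]['senders'].add(sender)
            continue
        parts = line.split(' ', 3)
        if len(parts) == 4 and parts[3].split(' ', 1)[0] in DELIVERY_MARKERS:
            origin = origin_of.get(parts[2])  # parts[2] is the message id
            if origin:
                summary[origin]['deliveries'] += 1
    return dict(summary)


def top_origins(summary):
    """Origins sorted by delivery volume, worst first: [(origin, messages, deliveries), ...]."""
    return sorted(((o, s['messages'], s['deliveries']) for o, s in summary.items()),
                  key=lambda t: t[2], reverse=True)


# Constructed sample mainlog: a local script running as "bttc", one authenticated user,
# and one ordinary inbound message (a bounce, sender "<>") from a remote host.
SAMPLE_LOG = """\
2005-12-26 10:15:01 1Er5Ab-0002Xy-3k <= nobody@servername.com U=bttc P=local S=1412
2005-12-26 10:15:01 1Er5Ab-0002Xy-3k => pharma@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.10]
2005-12-26 10:15:01 1Er5Ab-0002Xy-3k -> cheap@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.10]
2005-12-26 10:15:02 1Er5Ac-0002Xz-4m <= nobody@servername.com U=bttc P=local S=1398
2005-12-26 10:15:02 1Er5Ac-0002Xz-4m => buyer@example.org R=lookuphost T=remote_smtp H=mx.example.org [203.0.113.5]
2005-12-26 10:15:03 1Er5Ad-0002Ya-5n <= alice@customer.tld H=(workstation) [198.51.100.7] P=esmtpa A=login:alice S=2048
2005-12-26 10:15:03 1Er5Ad-0002Ya-5n => bob@example.com R=lookuphost T=remote_smtp H=mx.example.com [192.0.2.20]
2005-12-26 10:15:04 1Er5Ae-0002Yb-6p <= <> H=mx.example.org [203.0.113.5] P=esmtp S=3000
2005-12-26 10:15:04 1Er5Ae-0002Yb-6p => postmaster@servername.com R=localuser T=local_delivery
2005-12-26 10:15:05 1Er5Ab-0002Xy-3k Completed
"""

if __name__ == '__main__':
    for origin, messages, deliveries in top_origins(summarize(SAMPLE_LOG)):
        print(f'{origin:<22} accepted={messages:<4} delivery lines={deliveries}')
```

Run it against the real file with `summarize(open('/var/log/exim/mainlog').read())`; the `local:<user>` entry with the most delivery lines is the account whose script to inspect, which is the same information the header-injection mod mentioned earlier puts into each message. Note that Exim only writes `U=` for locally injected mail, so a script that instead talks SMTP to localhost with a stolen password shows up under `auth:`, and an abused pop-before-smtp entry shows up under `smtp:<ip>`.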
 
Thank you!

I've taken the liberty to PM you and jlasman, because I do not want to publish the e-mail addresses of some of my customers.
 
The log lines I received are only emails sent by a server complaining about spam. They don't show any spam being sent from your server.

Jeff
 