Exim Sending Out Spam

ORiN (Verified User; joined Nov 27, 2010; Singapore)
I am seeing spam being sent out by Exim but I can't quite pinpoint where the issue is.

2018-05-11 11:44:02 1fGyyQ-0002rk-10 <= [email protected] H=(sxbxxh.org) [180.121.132.156] P=smtp S=1130 [email protected] T="11顶级博彩领袖!注册领18⒏綵金咨询企鹅专员【1991966418】王之【336468。com�" from <[email protected]> for [email protected]

Any ideas on how I go about fixing this issue? Is this an issue with my Exim config?
 
I don't think the problem is the Exim config... It's probably a compromised account on your server or something like this...

Do you know which account is the sender?
 
I can't quite tell which account from the Exim log. What would be the best method to identify those emails?
 
Start by looking at who is in the top 5 senders:

grep "<=.*P=local" /var/log/exim/mainlog | awk '{print $6}' | sort | uniq -c | sort -nr | head -5

Check the top sending paths:
grep cwd /var/log/exim/mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
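As an added example (not code from the thread, DirectAdmin or Exim), the script below does what the two pipelines above do, but keys on the Exim log tags (`U=`, `P=`, `A=`, `H=`, `cwd=`) instead of awk field positions, which shift when a line carries extra tags. It also separates the three ways a message enters Exim, since each points at a different thing to fix: `P=local U=user` (a process on the box called the sendmail binary as that Unix user), `A=authenticator:login` (SMTP AUTH succeeded, so a mailbox credential is in use) and `H=host [ip] P=smtp` with no `A=` (an unauthenticated remote client, the shape of the line in the opening post). The six log lines, users, hostnames and IPs are constructed for the example; the first reuses the HELO name and IP from the opening post, the rest are placeholders. The `cwd=` lines only exist when `log_selector` includes `+arguments`.

```python
"""Tally who is injecting mail into Exim from mainlog '<=' (arrival) lines.

Added example, not from the forum thread. The log lines below are
constructed (placeholder users, hosts and IPs) so the script runs offline;
on a real host run it against /var/log/exim/mainlog instead.
"""
import sys
from collections import Counter
import re

# Layout of an Exim arrival line:
#   <date> <time> <msgid> <= <sender> [U=user] [P=proto] [H=host [ip]] [A=auth:login] S=size ...
ARRIVAL_RE = re.compile(r"^\S+ \S+ (?P<msgid>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")
# Separate "cwd=/path N args: ..." line, written only with log_selector +arguments
CWD_RE = re.compile(r"^\S+ \S+ cwd=(?P<cwd>\S+) ")
# Single-token tags we care about; the lookbehind keeps "id=" or "T=" from matching
TAG_RE = re.compile(r"(?<!\S)(?P<tag>[UPA])=(?P<val>\S+)")
# H= carries spaces (H=name (helo) [ip]); pull out just the bracketed IP
HOST_IP_RE = re.compile(r"(?<!\S)H=.*?\[(?P<ip>[^\]]+)\]")

# Constructed sample log (not from any real server)
SAMPLE_LOG = """\
2018-05-11 11:44:02 1fGyyQ-0002rk-10 <= spammer@sxbxxh.org H=(sxbxxh.org) [180.121.132.156] P=smtp S=1130 T="spam" from <spammer@sxbxxh.org> for alice@example.com
2018-05-11 11:44:05 cwd=/home/site1/public_html 3 args: /usr/sbin/sendmail -t -i
2018-05-11 11:44:05 1fGyyT-0002rp-2X <= www-data@host.example U=www-data P=local S=2048 T="spam" from <www-data@host.example> for victim@example.net
2018-05-11 11:44:09 1fGyyX-0002rz-0A <= bob@example.com H=(client) [203.0.113.5] P=esmtpa A=dovecot_login:bob@example.com S=900 T="spam" from <bob@example.com> for victim@example.org
2018-05-11 11:45:00 cwd=/etc/csf 4 args: /usr/sbin/sendmail -f root root
2018-05-11 11:45:00 1fGyzI-0003aa-01 <= root@host.example U=root P=local S=400 T="lfd alert" from <root@host.example> for root@host.example
"""


def classify(line):
    """Classify one arrival line by how the message entered Exim.

    Returns (origin, who), or None if the line is not a '<=' line:
      ("auth",   login)  SMTP AUTH succeeded: a mailbox password is in play
      ("local",  user)   injected via the sendmail binary by this Unix user
      ("remote", ip)     accepted from a remote client with no authentication
    """
    m = ARRIVAL_RE.match(line)
    if m is None:
        return None
    rest = m.group("rest")
    tags = {t.group("tag"): t.group("val") for t in TAG_RE.finditer(rest)}
    if "A" in tags:
        # A=<authenticator>:<login>; keep only the login that authenticated
        return ("auth", tags["A"].split(":", 1)[-1])
    if tags.get("P") == "local" or "U" in tags:
        return ("local", tags.get("U", "?"))
    ip = HOST_IP_RE.search(rest)
    return ("remote", ip.group("ip") if ip else "?")


def summarize(log_text, skip_cwd_prefix="/var/spool"):
    """Count arrivals by (origin, who) and cwd= paths, skipping Exim's own spool dir.

    Returns (origins, cwds), both collections.Counter objects.
    """
    origins, cwds = Counter(), Counter()
    for line in log_text.splitlines():
        c = classify(line)
        if c is not None:
            origins[c] += 1
            continue
        m = CWD_RE.match(line)
        if m and not m.group("cwd").startswith(skip_cwd_prefix):
            cwds[m.group("cwd")] += 1
    return origins, cwds


def report(log_text, n=5):
    """Print the top-n origins and working directories, like the two pipelines."""
    origins, cwds = summarize(log_text)
    print("Top senders by origin:")
    for (origin, who), count in origins.most_common(n):
        print(f"  {count:6d}  {origin:6s} {who}")
    print("Top cwd of processes that called sendmail:")
    for cwd, count in cwds.most_common(n):
        print(f"  {count:6d}  {cwd}")


if __name__ == "__main__":
    # Usage: python3 exim_origins.py [/var/log/exim/mainlog]; default is the sample
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    report(text)
```

A high count under `local` for a web server user with a matching `cwd=` under a site's document root points at a script on that site; a high count under `auth` points at a stolen mailbox password; a high `remote` count with no `A=` is either ordinary inbound mail for local domains or a relay problem, which the `for` recipient at the end of the line distinguishes.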
 
It seems that 2 of the top 3 senders are the 'root' and 'diradmin' users.

The top 3 sending paths are:
1239 /usr/local/directadmin
2183 /
3473 /etc/csf

The top sender seems weird.
 
Hi,

Add me on Skype (webalternativeorg) and I will be happy to take a look if you give me some access to the server.

Regards,
 