How are they sending this spam from default account

wattie

I have a user who has no website and no e-mails. Their public_html folder contains a single .htaccess file which defines a simple 403 redirect to their new website which is not on my server. Same in private_html. The php-mail.log is 0 bytes but I've disabled PHP just to make sure... And their configuration is:

Code:
Shell Access (ssh)    OFF  
Secure Socket Layer (ssl)    ON  
CGI-Bin    OFF  
PHP    OFF  
SpamAssassin    OFF  
Catch-All Email    OFF  
Anonymous Ftp    OFF  
Cron Jobs    OFF  
System Info    OFF  
Login Keys    OFF  
DNS Control    ON  
Suspend at Limit    ON

Only one e-mail account is available and it's the default one: <username>@<domain>. I changed their password but they continue to send spam from <username>@<domain>.

The default limit was 2000 and it stopped. I played with it for some time: as soon as I reset their daily limit, they send again. I have lowered their daily limit to 2 for now. Here is what happens when I reset it: they send immediately. The directadmin security log shows this:

Code:
2022:12:12-11:37:32: Warning: 2 emails have just been sent by <username>.  Sender <username>@<domain> sent 2723.  authenticated_id=<username> sent 2723.  host=<some unknown IP for me> sent 107.  2723 emails came from /root.

I am pretty sure they send from some kind of script, but there are no scripts in their /home/<username> folder. Where can it be?
Check the email log and grep it for the email ID; you will see which email, from where, and to whom.
 
I see from where to whom but can't find out HOW...

Do you have any of the emails stuck in the queue? If you have the user's permission or know you don't need it (can be relevant, depending on the relationship), you might be able to pull an email from the queue and see if you see something like an X-PHP-Script header or something else that identifies the source.

You'd do:

Code:
exim -bp

to view the queue. If you see an email there from them you might see an exim ID similar to 1p59kV-0006yj-0H. So you'd run:

Code:
exim -Mvh 1p59kV-0006yj-0H

That would give you a look at the headers of the email. Surely, if they're sending spam from the default account, there's at least one invalid recipient causing it to sit in queue.

This is at least how I used to help users identify what part of their website was sending spam back in 2012 or so; not a whole lot has changed as far as how it all works, at least. You generally don't want to pull email from the queue unless you and the user are working together on it; it could be considered a pretty significant violation of privacy to do this routinely. Sometimes, if a user is compromised, I'll redirect "exim -Mvh" and "exim -Mvb" to a file just in case the customer asks for a copy of what was being sent, and then I delete it later if they don't ask for it. I figure that's a good middle ground.

That said, if you subscribe to feedback loops you can often get a copy of spam email without having to do anything like that, and it removes any/all privacy concerns (because they're being sent back to you directly, by the recipient, as abuse complaints). You can subscribe to a bunch of those here: https://fbl.validity.com/
 
I see from where to whom but can't find out HOW...

You might find it in the exim maillog. If you find it difficult to interpret exim logs, use exigrep to gather all related lines on a per-email basis and post a couple of sets here. We will be glad to help you. You may mask critical data from the logs.
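The two replies above point at the same thing: group the exim mainlog per message ID (what exigrep does) and read the origin details off each message's arrival line. The script below is an added example of that, not code from the thread or from the exim or DirectAdmin projects. The log excerpt, message IDs, addresses and IPs are constructed placeholders; the field layout follows exim's standard mainlog format (`<=` arrival line carrying H=, P=, A= or U= fields, `=>` delivery lines, `**` permanent failures), and the function and variable names are my own.

```python
import re
from collections import defaultdict

# Constructed sample exim mainlog excerpt (not from the thread). Message IDs,
# addresses and IPs are placeholders from documentation ranges.
SAMPLE_MAINLOG = """\
2022-12-12 11:37:30 1p59kV-0006yj-0H <= user@example.org H=(mail) [203.0.113.7] P=esmtpa A=login:user@example.org S=2143 id=x1@example.org
2022-12-12 11:37:30 1p59kV-0006yj-0H => victim1@example.net R=lookuphost T=remote_smtp H=mx.example.net [198.51.100.2]
2022-12-12 11:37:31 1p59kV-0006yj-0H ** nosuch@invalid.test R=lookuphost T=remote_smtp: SMTP error 550 user unknown
2022-12-12 11:37:31 1p59kV-0006yj-0H Completed
2022-12-12 11:37:33 1p59kW-0006yq-2Z <= user@example.org U=root P=local S=980 id=x2@example.org
2022-12-12 11:37:33 1p59kW-0006yq-2Z => victim2@example.net R=lookuphost T=remote_smtp H=mx.example.net [198.51.100.2]
2022-12-12 11:37:33 1p59kW-0006yq-2Z Completed
2022-12-12 11:40:00 1p59lA-0006zz-1Q <= other@example.com H=(laptop) [192.0.2.9] P=esmtpsa A=login:other@example.com S=510 id=y1@example.com
2022-12-12 11:40:00 1p59lA-0006zz-1Q => friend@example.net R=lookuphost T=remote_smtp H=mx.example.net [198.51.100.2]
2022-12-12 11:40:01 1p59lA-0006zz-1Q Completed
"""

# timestamp, exim message ID (6-6-2 characters), flag, remainder of the line
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w{6}-\w{6}-\w{2}) "
    r"(<=|=>|->|\*\*|==|Completed)\s*(.*)$"
)


def group_by_message(log_text):
    """Collect mainlog lines per exim message ID (the grouping exigrep produces)."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            groups[m.group(2)].append(line)
    return dict(groups)


def _field(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None


def summarise(lines):
    """Describe one message: envelope sender, how it entered exim, and where it went."""
    info = {"sender": None, "auth_id": None, "host_ip": None, "local_user": None,
            "protocol": None, "recipients": [], "failed": []}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        flag, rest = m.group(3), m.group(4)
        if flag == "<=":                       # arrival line: origin details live here
            info["sender"] = rest.split()[0]
            info["auth_id"] = _field(r"\bA=\w+:(\S+)", rest)          # A=authenticator:id
            info["host_ip"] = _field(r"\bH=.*?\[([0-9a-fA-F.:]+)\]", rest)
            info["local_user"] = _field(r"\bU=(\S+)", rest)          # local injection
            info["protocol"] = _field(r"\bP=(\S+)", rest)
        elif flag in ("=>", "->"):             # successful deliveries
            info["recipients"].append(rest.split()[0])
        elif flag == "**":                     # permanent failure: would sit in queue/bounce
            info["failed"].append(rest.split()[0])
    return info


def findings_for_user(log_text, username_at_domain):
    """One finding per message tied to the mailbox, stating which submission path it used."""
    findings = {}
    for msg_id, lines in group_by_message(log_text).items():
        s = summarise(lines)
        if username_at_domain not in (s["sender"], s["auth_id"]):
            continue
        if s["auth_id"] == username_at_domain:
            path = f"authenticated SMTP ({s['protocol']}) from {s['host_ip']}"
        elif s["local_user"]:
            path = f"local injection as UNIX user {s['local_user']} (P={s['protocol']})"
        else:
            path = f"unauthenticated submission from {s['host_ip']}"
        findings[msg_id] = {"path": path, "recipients": len(s["recipients"]),
                            "failed": len(s["failed"])}
    return findings


if __name__ == "__main__":
    for msg_id, f in findings_for_user(SAMPLE_MAINLOG, "user@example.org").items():
        print(msg_id, f)
```

The distinction the summary makes is the one that answers the "HOW" question: an `A=` field means someone submitted over SMTP with the mailbox credentials, so a password change and a send limit bear on it, while a `U=` field with `P=local` means a process on the server itself handed the message to exim through the sendmail interface, which no mailbox password change affects and which is worth looking for outside the user's home directory.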