Hi all,
Previous thread here
My server appears to be sending spam out, I've followed all the steps in the guide, including putting limits in place, adding DKIM and I've even completely disabled Dovecot
I just can't figure out where the spam is coming from, I've changed all passwords, checked the lfd logs for others logging in (nothing out of the ordinary) and been through the exim logs for users authenticating (none).
I'm seeing the limit emails coming out so I know which user is "compromised", but I can't understand how this mail is getting sent.
The limit emails report the following:
The admin account has just finished sending 500 emails.
There could be a spammer, the account could be compromised, or just sending more emails than usual.
After some processing of the /etc/virtual/usage/admin.bytes file, it was found that the highest sender was uujcgpvy@[host].com, at 10 emails.
The top sending host was 187.23.170.133, at 501 emails (100%).
I believe the important part is "187.23.170.133, at 501 emails (100%)", how is another host (this IP is nothing to do with my web server) sending emails from my web server? This problem has exceeded my knowledge of how email works!
Have I overlooked something simple or is there anything else I can look at? Any help is appreciated.
Thank you,
P.s. The host in question is found at http://tent.pezcuckow.com/ (no website though)
---
Here's a header from one of the emails (how is user-pc authenticated?):
1U0Etk-0004AQ-RS-H
mail 8 12
<myfs0o@[host].com>
1359480184 0
-helo_name User-PC
-host_address 187.23.174.173.59410
-interface_address 78.129.132.155.25
-received_protocol esmtp
-body_linecount 17
-max_received_linelength 200
-host_lookup_failed
YY [email protected]
YY [email protected]
NN [email protected]
YN [email protected]
NN [email protected]
YY [email protected]
NN [email protected]
YN [email protected]
NN [email protected]
10
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
173P Received: from [187.23.174.173] (helo=User-PC)
by tent with esmtp (Exim 4.72)
(envelope-from <myfs0o@[host].com>)
id 1U0Etk-0004AQ-RS; Tue, 29 Jan 2013 17:23:05 +0000
045F From: "Rafaela Gomes" <myfs0o@[host].com>
045 Subject: Queda de cabelo? Podemos te ajudar!
028T To: [email protected]
024 Content-Type: text/html
039R Reply-To: [email protected]
038 Date: Tue, 29 Jan 2013 15:23:07 -0200
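Added example (my own, not code from the thread, Exim or DirectAdmin): a small parser for the spool -H file format quoted above that flags the pattern shown in it, a message accepted over plain esmtp with no SMTP AUTH from an address outside the server's own range while carrying an envelope sender in one of the server's domains. The sample, the local network 78.129.132.0/24 and the domain example.com are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed sample modelled on the Exim spool -H file quoted in the post
# (mailboxes replaced with example.* addresses; header block shortened).
SAMPLE = """1U0Etk-0004AQ-RS-H
mail 8 12
<myfs0o@example.com>
1359480184 0
-helo_name User-PC
-host_address 187.23.174.173.59410
-interface_address 78.129.132.155.25
-received_protocol esmtp
-host_lookup_failed
YY alice@example.org
2
alice@example.org
bob@example.org
063P Received: from [187.23.174.173] (helo=User-PC)
    by tent with esmtp (Exim 4.72)
"""

def parse_spool_header(text):
    """Pull message id, envelope sender, -option values and recipients out of a -H file."""
    lines = text.splitlines()
    msg = {"id": lines[0][:-2], "sender": lines[2].strip("<>"),
           "options": {}, "recipients": []}
    i = 4                                      # line 4 onwards: "-name value" or bare "-flag"
    while lines[i].startswith("-"):
        name, _, value = lines[i][1:].partition(" ")
        msg["options"][name] = value or True
        i += 1
    while not lines[i].isdigit():              # skip the "YY addr" non-recipient tree
        i += 1
    msg["recipients"] = lines[i + 1:i + 1 + int(lines[i])]
    return msg

def unauthenticated_external_submission(msg, local_nets, local_domains):
    """True when a host outside local_nets handed the message over with no SMTP AUTH
    (Exim records authenticated sessions as esmtpa/esmtpsa, plain ones as smtp/esmtp/esmtps)
    while claiming an envelope sender in one of our own domains."""
    proto = msg["options"].get("received_protocol", "")
    host = msg["options"].get("host_address")
    if not host or proto not in ("smtp", "esmtp", "esmtps"):
        return False                           # locally injected mail (protocol "local") is a different problem
    ip = ip_address(host.rsplit(".", 1)[0])    # Exim appends the client port after a final dot
    if any(ip in ip_network(net) for net in local_nets):
        return False
    return msg["sender"].rpartition("@")[2].lower() in local_domains
```

Run it over every *-H file in the Exim spool input directory; messages it flags are the ones to check against the relay and authentication settings, while flagged messages with protocol "local" point at a script or cron job on the box instead.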