How to know who sent spam mail from my server

Umpol

Umpol

Verified User
Joined
May 14, 2008
Messages
29
I found a problem because my server ip listed in http://cbl.abuseat.org. How can I know that who (my user) sent spam mail ?

I saw mainlog of exim but I can't determine that which one. please suggest me how to know this.
 
You could follow this guide to help you distinguish which domains are sending out the most mail but i can't guarantee you'll be any the wiser.
 
Obtain the headers of the spam and that will help.
 
Rich-Boy said:
You could follow this guide to help you distinguish which domains are sending out the most mail but i can't guarantee you'll be any the wiser.
Click to expand...

I found


Code: 
Top 50 sending hosts by volume
------------------------------
  Messages      Bytes    Average   Sending host
      4029       10MB       2602   local

Local isn't make sense for me. or which stats I need to look.
 
I have the similar problem too. I have check sender email, it is from yahoo mail , hotmail, etc. some domain mail like @cbn.com

May i know anyway to search the email address is create from which user?
 
R1Lover said:
I'm far from superman.... but next time you are deleting spam from your inbox you can thank people like yourself that run servers without having them secure enough to prevent spammers on their own servers.

I'm just being brutally honest, it's nothing personal at all, so don't get upset, use the frustration to learn more about your server and how to prevent these types of things.
Click to expand...

Your comment are right but wrong place please read my topic title again. it's very easy to understand.

"How to know who sent spam mail from my server"

I'm not start this topic to discuss about good or bad security. you should read all topic title before post (if you're not bot)

Thanks and go to the point

I received a sugestion like

Check /etc/virtual/usage/*

the larger of the files (by a lot) would be the spamming account.

Related:
http://help.directadmin.com/item.php?id=81
Click to expand...

but I think may be some emails sent without recode here. I saw in "Mail Queue Administration" and found many emails sent with sender is <>
 
Last edited:
I get some info from other forum as below:

Who is having large number of emails?

exim -bp | exiqsumm


To check message header

exim -Mvh messageid


To check message content

exim -Mvb messageid


Removing Bad Mail

for i in `exiqgrep -i -f nobody`; do exim -Mrm $i; done >> Removes Nobody Mail

for i in `exiqgrep -i -o 259200`; do exim -Mrm $i; done >> Removes Mail older than 3 Days

for i in `exiqgrep -i -f “^<>$”`; do exim -Mrm $i; done >> Removes Mail with weird Characters (Spam)


Delete mails from a particular domain

for i in `exiqgrep -i -f domain.com`; do exim -Mrm $i; done



Delete mails to a particular domain

for i in `exiqgrep -i -r domain.com`; do exim -Mrm $i; done


Flush the entire Mail queue

for i in `exiqgrep -i -f `; do exim -Mrm $i; done


Run Mail queue

runq -qqff&
Click to expand...
 
Umpol said:
Your comment are right but wrong place please read my topic title again. it's very easy to understand.

"How to know who sent spam mail from my server"
Click to expand...

I believe you can use cbl.abuseat.org to determine why you got listed. If you do not know how to use it then give us the ip that is listed and I will look at it for you.
 
Umpol said:
I saw in "Mail Queue Administration" and found many emails sent with sender is <>
Click to expand...
Unfortunately the Mailer Daemon sends back reports with a null sender (<>).

And the RFCs say you have to accept emails from Mailer Daemon.

And there are still many servers that use Mailer Daemons to return email rather than refuse it as it comes in.

What's probably happening is that spammers are forging your email addresses.

Check on these forums and elsewhere for collateral spam.

Jeff
 
Can anyone make a tutorial for this issue.
Got the same problem too and it is not a piece
of cake to find the spammer. :(
 
You must log in or register to reply here.
Back
Top