how to track users spamming from my server

txt3rob

I'm getting complaints from my DC that my server is being used to spam,
but I can't see anything in the email logs in DA. Any other way to find out what they are using to send spam?

Or should I change the SMTP port?

I've got a rootkit detector installed and it's finding nothing.

example header from a complaint

> X-Mailer: Openwave WebEngine, version 2.8.16.1
> (webedge20-101-1106-101-20040924)
> X-Originating-IP: [85.**.**.***] (my IP was there)
> From: kola williams <[email protected]>
> Reply-To: [email protected]
 
Rootkits don't attribute to spam. It's something else, and here are some of the things you need to look at:

1) formmail installed on any domain
2) old and outdated scripts such as Gallery, Phpnuke etc. installed in a user's webspace that have major security holes.
3) a compromised account. A user account that has had its password guessed, which allows a spammer to log in, upload their scripts into the site's webspace, then use it to spam from.
4) any form on a user site, e.g. contact forms, that allows the injection of bcc, cc etc.

This is only 4 and a good start. I would also look at any new signups recently. Usually, those who have recently signed up and not been verified properly are responsible, so I suggest you take a good look.

If you know what you're doing, you could set some traps via exim.conf, but that's provided you know how to do it. There are many other ways for spammers to send outgoing spam.

Good luck.
 
The server is only used by me. I have SMF and plogger gallery on there and about 2 directory listing scripts; that's about it on my server.

I've removed the WordPress blog and can not think of any scripts on my server that should allow emails out.
 
> Rootkits don't attribute to spam.

I'd almost agree with that statement if you'd said something like usually rootkits don't attribute to spam. Rootkits can and may be used by spammers, especially criminal spammers.

> here are some of the things you need to look at

Good list.

Jeff
 
> The server is only used by me. I have SMF and plogger gallery on there and about 2 directory listing scripts; that's about it on my server.

Check your exim mainlog. If your server is being used to send spam through exim, then results should be in the logs.

Somewhere on these forums is a patch you can make to PHP to add lines to outgoing emails indicating which PHP script created the email. Install that, then when your upstream says your server is spamming ask them for one of the spams and look for that header.

Jeff
 
> Somewhere on these forums is a patch you can make to PHP to add lines to outgoing emails indicating which PHP script created the email
> Jeff

Hi Jeff!
Can you provide a link for that?

I want to put an additional header line in all outgoing messages from my server, i.e. Return-path: <[email protected]>, so I get a reply in case of spam that is being sent with a brute force rootkit or similar...
 
OK... I see it!

And for inserting one additional header line with Return-path in all messages going out of my server?
 
No,
I want to set one additional header in emails that the server is sending...

For example:
this is an original email's header, where:

[email protected] is the DirectAdmin user that owns the domain
[email protected] is the destination of the email
http://www.domain.it/message-mailer.php is the PHP file that is sending the email with the mail() function

From [email protected] Sun Jun 22 12:45:12 2008
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Sun, 22 Jun 2008 12:45:12 +0200
Received: from apache by host.hostname.it with local (Exim 4.54)
id 1KAN4K-0001R9-2W
for [email protected]; Sun, 22 Jun 2008 12:45:12 +0200
To: [email protected]
Subject: Ciao User, hai appena ricevuto un nuovo commento alla tua foto su domain.it
X-PHP-Script: www.domain.it/message-mailer.php for 87.1.xx.xx
From:[email protected]
Content-type: text/html;
Message-Id: <[email protected]>
Date: Sun, 22 Jun 2008 12:45:12 +0200

In this header I want to insert this additional line (the second Return-path line below, shown in red in the original post), even as a substitute for the previous Return-path, but I want exim (or apache or php) to do it, not the user's PHP script.

From [email protected] Sun Jun 22 12:45:12 2008
Return-path: <[email protected]>
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Sun, 22 Jun 2008 12:45:12 +0200
Received: from apache by host.hostname.it with local (Exim 4.54)
id 1KAN4K-0001R9-2W
for [email protected]; Sun, 22 Jun 2008 12:45:12 +0200
To: [email protected]
Subject: Ciao User, hai appena ricevuto un nuovo commento alla tua foto su domain.it
X-PHP-Script: www.domain.it/message-mailer.php for 87.1.xx.xx
From:[email protected]
Content-type: text/html;
Message-Id: <[email protected]>
Date: Sun, 22 Jun 2008 12:45:12 +0200
 
Note that RFC 2822 requires one (optional) Return-Path header, and not more. If you're going to add one, you need to remove the original.

I suppose you could rewrite exim or php, or even use functionality in exim.conf, but it would make your email non-compliant.

Which won't help you with anti-spam issues.

Jeff
 
> Note that RFC 2822 requires one (optional) Return-Path header, and not more. If you're going to add one, you need to remove the original.
>
> I suppose you could rewrite exim or php, or even use functionality in exim.conf, but it would make your email non-compliant.
>
> Which won't help you with anti-spam issues.
>
> Jeff

Ok, I want to put into every outgoing email from my server one email address "[email protected]" to receive the bounce error emails...

How can I do it?
 
If my server sends an email with PHP, as any user, what can I put in /etc/email-addresses to force exim to rewrite the return-path to the email address that I want?
 
I'm not going to take the time here to verify all the details but I believe you have to set the user sender in your php headers, and then in exim.conf set the trusted_users.

If I'm missing something or I'm in error, someone please correct me.

Thanks.

Jeff
 
> I'm not going to take the time here to verify all the details but I believe you have to set the user sender in your php headers, and then in exim.conf set the trusted_users.
>
> If I'm missing something or I'm in error, someone please correct me.
>
> Thanks.
>
> Jeff


Hi Jeff,
I don't want to put the return-path header in with my PHP script; I want Exim to put it in all emails that it is sending from my server...

the same header for all emails

EDIT:
I don't have total control of the PHP scripts on the server, but I think that one of my users is sending spam... What can I do to identify who it is?
What is the log file that logs this?
 
It seems that each time I read this thread I understand it differently... that's probably my fault; I'm very busy on other matters this week :(.

Let's look for a moment at the section of your post following your EDIT header:

Exim should set the user's username as the return-path header. This is invaluable for searching for a spammer; you can just check the logs.

Jeff
 
> Exim should set the user's username as the return-path header. This is invaluable for searching for a spammer; you can just check the logs.
>
> Jeff


I have checked the log... but I'm not an expert...

What is the log that I must check to find my spammer-user?
I've already searched in /etc/virtual/usage, /var/log/mail.log, mail.info, mail.warn, /var/log/exim -> all logs, /var/spool/mail -> all files, but I find no information that identifies the responsible user.

If the return-path is the same for all emails, I can receive the bounce email and I can see who the sender is and what script is sending mail.

For example:
if the user named "fmortara" sends an email, exim puts this into the header of the mail: return-path: [email protected].
I want to substitute it with the email of the administrator.
And this for every mail that is sent by all users...

What must I put in /etc/email-addresses for this substitution? And in /etc/exim.conf and /etc/exim/exim.conf?
 
In my humble opinion you really don't want to do that because if you do you could get thousands of returned emails into your server, the anti-spam world will consider you responsible since you're telling the world you're the sender, and you'll have obliterated any way to tell which of your users actually sent the spam.

Once you recognize an email problem you can search the /var/log/exim/mainlog for the username to see how many emails the spammer is sending. You can also set a cronjob to search for any/all users who send (for example) over 250 emails a day, and to notify you of those users by username.

Jeff
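Jeff's suggestion above is to search /var/log/exim/mainlog for the username and to cron a report of users who submit more than some number of messages a day. The script below is an added example of that report, not from the thread and not a DirectAdmin or Exim tool. It assumes Exim's default mainlog line for an accepted message (the `<=` line, with `A=login:user` for SMTP AUTH and `U=unixuser P=local` for local submissions such as PHP's mail()), the log path /var/log/exim/mainlog and a script path of /usr/local/sbin/exim-sender-report.sh, and it runs on constructed sample lines so it can be tried offline.

```shell
#!/bin/sh
# Added example, not from the thread: a cron-friendly report of who submitted
# how many messages to Exim on a given day, read from the mainlog.
# Assumed log line for an accepted message (Exim's default format):
#   <date> <time> <msg-id> <= <envelope-sender> ... [A=login:<user>] [U=<unix-user>] ...
# Each message is attributed to the SMTP AUTH login when present, otherwise to
# the local Unix user that submitted it (U=, e.g. apache or the site's account),
# otherwise to the envelope sender.

LOG=/var/log/exim/mainlog   # assumed path; adjust if Exim logs elsewhere

# Constructed sample log lines standing in for the real mainlog (not real traffic).
sample_log() {
  cat <<'EOF'
2008-06-28 12:14:00 1KCXRQ-0005Sp-1m <= user@example.it H=host.example.net [192.0.2.10] P=esmtpa A=login:user@example.it S=3697 T="hello" from <user@example.it> for friend@example.org
2008-06-28 12:14:01 1KCXRQ-0005Sp-1m => friend@example.org F=<user@example.it> R=lookuphost T=remote_smtp S=3811
2008-06-28 12:14:01 1KCXRQ-0005Sp-1m Completed
2008-06-28 12:20:00 1KCXS0-0005Sq-2a <= site@example.it U=apache P=local S=1200 T="newsletter" from <site@example.it> for a@example.net
2008-06-28 12:20:01 1KCXS1-0005Sq-2b <= site@example.it U=apache P=local S=1200 T="newsletter" from <site@example.it> for b@example.net
2008-06-28 12:20:02 1KCXS2-0005Sq-2c <= site@example.it U=apache P=local S=1200 T="newsletter" from <site@example.it> for c@example.net
2008-06-27 23:59:59 1KCWZZ-0005Sp-9x <= site@example.it U=apache P=local S=1200 T="newsletter" from <site@example.it> for d@example.net
EOF
}

# count_senders DAY  (mainlog on stdin): prints "<count> <who>", highest first.
count_senders() {
  awk -v day="$1" '
    $1 == day && $4 == "<=" {
      who = $5                       # envelope sender is the fallback
      for (i = 6; i <= NF; i++) {
        if ($i ~ /^U=/)       { u = $i; sub(/^U=/, "", u); who = "local:" u }
        if ($i ~ /^A=login:/) { a = $i; sub(/^A=login:/, "", a); who = a; break }
      }
      n[who]++
    }
    END { for (w in n) print n[w], w }
  ' | sort -rn
}

# over_threshold DAY MAX  (mainlog on stdin): only senders with more than MAX messages.
over_threshold() {
  count_senders "$1" | awk -v max="$2" '$1 + 0 > max + 0'
}

# Stand-alone demo on the constructed lines: flag anyone over 2 messages on 2008-06-28.
sample_log | over_threshold 2008-06-28 2

# As a daily cron job (assumed script path), mailing root when someone exceeds 250:
#   55 23 * * * /usr/local/sbin/exim-sender-report.sh
# where the script body would be:
#   report=$(over_threshold "$(date +%F)" 250 < "$LOG")
#   [ -n "$report" ] && printf '%s\n' "$report" | mail -s "senders over limit" root
```

On the sample lines the demo prints `3 local:apache`: the three `P=local` submissions made by the web server count against one local identity, which is exactly the "which account is the PHP mailer running as" question the thread is circling around, while the single authenticated SMTP message stays under the limit. A message that bypasses Exim entirely (a script speaking SMTP directly to the destination) never produces a `<=` line, which is the case Jeff describes below.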
 
> In my humble opinion you really don't want to do that because if you do you could get thousands of returned emails into your server, the anti-spam world will consider you responsible since you're telling the world you're the sender, and you'll have obliterated any way to tell which of your users actually sent the spam.
>
> Once you recognize an email problem you can search the /var/log/exim/mainlog for the username to see how many emails the spammer is sending. You can also set a cronjob to search for any/all users who send (for example) over 250 emails a day, and to notify you of those users by username.
>
> Jeff


Yes!
I don't want to do it, but I have already looked at my mainlog file and no information about mail sending (no user has sent many mails) is present in it. For this situation, I would like to receive, for a short time, all the bounce emails of my users' outgoing email...
Now all the emails were correctly delivered; I think that libero and yahoo had a temporary malfunction...

Please, can you provide me an example of a cronjob to notify me if anyone sends over "x" mails from my server?

Is it possible that one user sends an email and exim doesn't log it into the mainlog file?

Today I sent an email to the postmaster of libero.it and the Mail Delivery System (of my server..?) responded that my local dynamic IP is blocked by a blacklist at 12.07 PM:
Il messaggio non ha raggiunto alcuni o tutti i destinatari.

Oggetto: I: Delivery Status Notification
Inviato: 28/06/2008 12.07

Impossibile raggiungere i seguenti destinatari:

'support_postmaster' 28/06/2008 12.07
550 5.7.1 87.6.119.253 has been blocked by abuseat

But in mainlog there isn't this sending attempt. I resent it correctly after 1 minute with the same IP address and in the log there are the correct entries:

2008-06-28 12:13:55 H=host253-119-dynamic.6-87-r.retail.telecomitalia.it (server) [87.6.119.253] incomplete transaction (RSET) from <[email protected]> for [email protected]
2008-06-28 12:14:00 1KCXRQ-0005Sp-1m <= [email protected] H=host253-119-dynamic.6-87-r.retail.telecomitalia.it (server) [87.6.119.253] P=esmtpa A=login:[email protected] S=3697 id=001301c8d907$b0e89490$0201a8c0@server T="I: Delivery Status Notification" from <[email protected]> for [email protected]
2008-06-28 12:14:01 1KCXRQ-0005Sp-1m => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=3811 H=postmaster.libero.it [193.70.192.239] C="250 Ok: queued as 193365D04D"
2008-06-28 12:14:01 1KCXRQ-0005Sp-1m Completed

2 questions:
1. Why is "incomplete transaction (RSET) from..." written in the log?
2. Why is the first attempt not in the logfile?


PS: Now, without any technical configuration, libero.it and yahoo.com/it accept all the email that I've sent from my server. Yesterday I sent my newsletter and not one email has come back to me. Every time that I send my NL, I delete the bounced recipient(s).
 
> Now all the emails were correctly delivered; I think that libero and yahoo had a temporary malfunction...

I already explained why email may be considered spam; more below.

> Please, can you provide me an example of a cronjob to notify me if anyone sends over "x" mails from my server?

Not really. I don't have time to write it at this time and if I have one of my employees write it I have to charge for it. Perhaps someone else will respond with an example.

> Is it possible that one user sends an email and exim doesn't log it into the mainlog file?

Yes, if someone installs their own software to send email, and doesn't use exim, it won't appear in the exim logs.

> Today I sent an email to the postmaster of libero.it and the Mail Delivery System (of my server..?) responded that my local dynamic IP is blocked by a blacklist at 12.07 PM:
>
> But in mainlog there isn't this sending attempt. I resent it correctly after 1 minute with the same IP address and in the log there are the correct entries:

If you sent the email through your server the attempt should appear in your /var/log/exim/mainlog file. You can always tail the file in realtime while sending the mail to see if your server is logging it properly.

> 2 questions:
> 1. Why is "incomplete transaction (RSET) from..." written in the log?

Because the other end disconnected you.

> 2. Why is the first attempt not in the logfile?

I have no idea.

> PS: Now, without any technical configuration, libero.it and yahoo.com/it accept all the email that I've sent from my server.

Often companies block only temporarily.

Jeff
 