how to track users spamming from my server

I already explained why email may be considered spam; more below.
I don't understand, but maybe it is my English... :p

Yes, If someone installs their own software to send email, and doesn't use exim, it won't appear in the exim logs.
No one has the possibility to install any software on the server; all users must use exim for sending email.
If they use their own software on their local PC, they can't use the server's account, but only the domain's address... In this case, what does the spamblocker report for blocking? The domain or the IP address of the domain?
In particular, one of my users uses their own mail server as MX record...
This is their DNS configuration for USERDOMAIN on my SERVER:
x.x.x.x is my server IP
y.y.y.y and z.z.z.z are their 1st and 2nd mail servers
ftp A x.x.x.x
USERDOMAIN.it. A x.x.x.x
localhost A 127.0.0.1
mail A y.y.y.y
mail2 A z.z.z.z
pop A x.x.x.x
webmail A x.x.x.x
www A x.x.x.x
USERDOMAIN.it. NS ns1.SERVER.it.
USERDOMAIN.it. NS ns2.SERVER.it.
mail.USERDOMAIN.it. MX 10
mail2.USERDOMAIN.it. MX 20
USERDOMAIN.it. TXT "v=spf1 a mx ip4:x.x.x.x ?all"
They want to have complete control of their mail server because in the past they had some problems with their hoster...
If they send spam, which IP address is listed in the blacklist to block?
Keep in mind that they don't use my mail server to send their email...

If you sent the email through your server the attempt should appear in your /var/log/exim/mainlog file. You can always tail the file in realtime while sending the mail to see if your server is logging it properly.
At the exact moment that I received the mail delivery notification, I logged into DirectAdmin to see the /var/log/exim/mainlog file, but I saw that there wasn't any logging of the error while sending. After I saw it, I resent the message and exim correctly logged it!

Because the other end disconnected you.
And is it a problem? Why does the other side disconnect me?
Do you mean that the process ends with an error, or may it be a normal thing?
 
No one has the possibility to install any software on the server; all users must use exim for sending email.

Really? You mean you don't allow CGI scripts or PHP? Either can be used to write a mailserver.
If they use their own software on their local PC, they can't use the server's account, but only the domain's address... In this case, what does the spamblocker report for blocking? The domain or the IP address of the domain?
If they're using their own PC, then you either allow them access to your mailserver (you probably do) in which case they can either use their ISP's server for outgoing email, or yours. Or if you don't, they have to use their ISP's mailserver for outgoing email.

In either event, IP#s are blocked, not domain names.
In particular, one of my users uses their own mail server as MX record...
This is their DNS configuration for USERDOMAIN on my SERVER:
x.x.x.x is my server IP
y.y.y.y and z.z.z.z are their 1st and 2nd mail servers
They could still be using your mailserver if they want to; they could use ftp or www for their outgoing mail if they wish, and still find your server. There's no inherent limitation in either DNS, or your server; using different service names is a convenience, not a requirement.
They want to have complete control of their mail server because in the past they had some problems with their hoster...
If they send spam, which IP address is listed in the blacklist to block?
Keep in mind that they don't use my mail server to send their email...
As I wrote above, you don't know that unless you read and understand the logs. The IP# address blocked will be the IP# of the last server handling the mail before it reaches the server blocking it.
At the exact moment that I received the mail delivery notification, I logged into DirectAdmin to see the /var/log/exim/mainlog file, but I saw that there wasn't any logging of the error while sending. After I saw it, I resent the message and exim correctly logged it!
Then you need to ask the recipient why they're blocking your mail.
And is it a problem? Why does the other side disconnect me?
Do you mean that the process ends with an error, or may it be a normal thing?
No, I'm just explaining what the message means. Generally if they disconnect you they have a reason; for example they may believe you're a spammer.

Jeff
 
They could still be using your mailserver if they want to; they could use ftp or www for their outgoing mail if they wish, and still find your server. There's no inherent limitation in either DNS, or your server; using different service names is a convenience, not a requirement.
I have unchecked the flag "Use this server to handle my emails" in the MX Record fields in the user area of the DirectAdmin control panel. In this case the mail server cannot be used to send or receive email...??
[OT] If I disable "DNS control" for the user (which is enabled at this moment), does this modification make any change, or is it the same for the user's email? In the admin or reseller area, is there a field to check/uncheck this flag?


No, I'm just explaining what the message means. Generally if they disconnect you they have a reason; for example they may believe you're a spammer.

Jeff

But in this case, it is my server that received an email from my user for one of his contacts... PCRaffaele is my user... and 87.17.31.77 is his local IP address.

He sent an email from his domain.it email address to his contact; [email protected] has correctly received this email.
In this case, why is there an incomplete transaction (RSET)?

2008-06-30 12:34:23 H=host77-31-dynamic.17-87-r.retail.telecomitalia.it (PCRaffaele) [87.17.31.77] incomplete transaction (RSET) from <[email protected]> for [email protected]
2008-06-30 12:34:31 1KDGiG-0005Oe-HA <= [email protected] H=host77-31-dynamic.17-87-r.retail.telecomitalia.it (PCRaffaele) [87.17.31.77] P=esmtpa A=login:[email protected] S=653874 id=3B73C8EA80BB4B688C2C2775625DDF19@PCRaffaele T="regolamento" from <[email protected]> for [email protected]
2008-06-30 12:34:33 1KDGiG-0005Oe-HA => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=662411 H=mail-mx-2.tiscali.it [213.205.33.32] C="250 <485628E002BA088F> Mail accepted"
2008-06-30 12:34:33 1KDGiG-0005Oe-HA Completed
 
Hi Jeff,


Once you recognize an email problem you can search the /var/log/exim/mainlog for the username to see how many emails the spammer is sending. You can also set a cronjob to search for any/all users who send (for example) over 250 emails a day, and to notify you of those users by username.

Are there code examples available for such a cronjob (possibly together with a trigger that only makes the script send out an email when the 250-emails-a-day limit is reached)?

Thanks :)
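One way to build the cronjob described above, as an added example that is not code from the thread or from DirectAdmin. It counts the "<=" (message accepted) lines in the exim mainlog per authenticated user (the "A=login:USER" field visible in the log excerpt earlier in the thread), for the current day only, and sends a report only when at least one user is over the limit. The log path, limit and notification address are assumptions set via variables; the sample log lines are constructed.

```bash
#!/bin/sh
# Added example: per-user daily outbound volume from the exim mainlog.
# Assumes the default exim log layout: DATE TIME MSGID <= SENDER ... A=login:USER ...
LOG=${LOG:-/var/log/exim/mainlog}
LIMIT=${LIMIT:-250}
NOTIFY=${NOTIFY:-postmaster@localhost}   # placeholder, set to your abuse mailbox

# Print "COUNT USER" for each authenticated sender whose "<=" lines dated DAY
# exceed LIMIT, biggest sender first. Usage: over_limit LOGFILE DAY LIMIT
over_limit() {
    awk -v day="$2" -v limit="$3" '
        $1 == day && $4 == "<=" {
            for (i = 5; i <= NF; i++)
                if ($i ~ /^A=login:/) { sub(/^A=login:/, "", $i); n[$i]++ }
        }
        END { for (u in n) if (n[u] > limit) print n[u], u }
    ' "$1" | sort -rn
}

# Constructed sample log (fake addresses, same field layout as a real mainlog):
# three messages from one user today, one from another, one from yesterday.
make_sample() {
    i=0
    while [ $i -lt 3 ]; do
        echo "2008-06-30 12:34:31 1KDGiG-0005Oe-HA <= bulk@example.it H=host [10.0.0.5] P=esmtpa A=login:bulk@example.it S=600 T=\"x\" from <bulk@example.it> for someone@example.net"
        i=$((i + 1))
    done
    echo "2008-06-30 12:35:00 1KDGiH-0005Of-AB <= quiet@example.it H=host [10.0.0.6] P=esmtpa A=login:quiet@example.it S=600 T=\"y\" from <quiet@example.it> for other@example.net"
    echo "2008-06-29 23:59:59 1KDGi0-0005Oa-AA <= bulk@example.it H=host [10.0.0.5] P=esmtpa A=login:bulk@example.it S=600 T=\"z\" from <bulk@example.it> for old@example.net"
}

# Cron entry point (e.g. "55 23 * * * /usr/local/sbin/exim-sender-check.sh run"):
# mails a report only when somebody is over LIMIT, otherwise stays silent.
main() {
    today=$(date +%Y-%m-%d)
    report=$(over_limit "$LOG" "$today" "$LIMIT")
    [ -n "$report" ] || return 0
    printf 'Users over %s messages on %s:\n%s\n' "$LIMIT" "$today" "$report" \
        | mail -s "exim sender volume alert" "$NOTIFY"
}

if [ "${1:-}" = run ]; then main; fi
```

Users who relay through their own PHP or CGI scripts do not authenticate, so they show up without an A=login field; checking the F= (envelope sender) or the local spool owner on those lines is the complementary search.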
 
I have the solution for my original question...

In DA you can edit the file "/usr/local/directadmin/data/users/USERNAME/httpd.conf" and in the section called <IfModule !mod_suphp.c> you can edit the default recipient address that will be used as the default value of the Return-Path header.

I had already attempted to edit this parameter in the main httpd.conf file, but the modification did not apply... Of course, it was overwritten by the included custom httpd.conf...

Code:
        <IfModule !mod_suphp.c>
                php_admin_flag engine ON
                php_admin_flag safe_mode OFF
                php_admin_value sendmail_path '/usr/sbin/sendmail -t -i -f [email protected]'
                php_admin_value open_basedir /home/USERNAME/:/tmp:/usr/local/lib/php/
        </IfModule>


Pay attention!
This trick is useful for receiving, in most cases, returned mail that cannot be delivered correctly from your server (in fact, in most cases the default value is user@domain and sometimes it isn't used to receive email, or you can, for a short time, put here your alternative or dedicated address, e.g. abuse@hostname, for monitoring the use of email by your users), but it can make recipient servers decide that you are a spammer...
Jeff docet!
 
Really? You mean you don't allow CGI scripts or PHP? Either can be used to write a mailserver.
Jeff

Hi!
Today I have the same problem: after 15 days in which the emails were sent correctly, libero.it rejected the email from my server with the same error code (550 too many invalid recipients).

Please, can you give me information on how to identify whether anyone uses an external CGI or PHP script to send email from my server?
Where can I look to identify it?
 
You have to check your user accounts to see if they've put any executable scripts onto their server. It's not easy, and I don't have any suggestions; perhaps someone else does.

Jeff
 