Server sending out spam.

DannyTip (Verified User; joined Apr 5, 2006; 9 messages; Leeds, UK)
My server seems to be sending out spam and I can't find the source. I have the latest Exim configs for DA as per http://help.directadmin.com/item.php?id=51

My mailqueue is full of entries like:

Code:
 4m  4.1K 1S1xcN-00048m-Ci <> *** frozen ***
          [email protected]

 4m   47K 1S1xci-00049z-PO <> *** frozen ***
          [email protected]

 4m  4.1K 1S1xcm-0004A6-6X <> *** frozen ***
          [email protected]

 3m  4.1K 1S1xdo-0004C9-84 <> *** frozen ***
          [email protected]

 3m  4.0K 1S1xe8-0004Cd-9Y <> *** frozen ***
          [email protected]

 2m  4.0K 1S1xeE-0004Cp-Cp <> *** frozen ***
          [email protected]

 2m  3.9K 1S1xeS-0004DR-I6 <> *** frozen ***
          [email protected]

 2m  4.1K 1S1xee-0004Dt-Va <> *** frozen ***
          [email protected]

 2m  4.1K 1S1xey-0004Eb-Fk <> *** frozen ***
          [email protected]

 2m  4.0K 1S1xf3-0004Eo-VX <> *** frozen ***
          [email protected]

 1m  4.0K 1S1xfK-0004FJ-Vt <> *** frozen ***
          [email protected]

 1m  4.0K 1S1xfM-0004FR-DD <> *** frozen ***
          [email protected]

 1m  4.0K 1S1xfl-0004GB-1q <> *** frozen ***
          [email protected]

 1m  3.2K 1S1xg1-0004GO-BW <[email protected]>
          [email protected]

 0m  4.1K 1S1xgA-0004H0-5B <> *** frozen ***
          [email protected]

 0m  3.9K 1S1xgI-0004HK-LU <> *** frozen ***
          [email protected]

 0m  3.9K 1S1xgK-0004HY-8l <> *** frozen ***
          [email protected]

 0m  4.0K 1S1xgh-0004Jz-JL <> *** frozen ***
          [email protected]

Where should I start looking? Why is Exim even allowing emails to be sent from the mail.ru domain on my server?

Thanks
Danny
 
Check the mail headers; mostly there you find something like: X-PHP-header http://location.to/the.file
Also it's possible that they are trying to send the email from an account; that should also be listed in the mail headers. Maybe you can post it?
 
Here's the headers for 1 message. It doesn't appear to be sent via PHP...

Code:
1S1yhc-00073k-3j-H
mail 8 12
<[email protected]>
1330341912 0
-helo_name smtp-03.tomatoit.net
-host_address 61.152.145.33.1986
-host_auth login
-interface_address 212.7.200.162.25
-received_protocol esmtpa
-body_linecount 51
-max_received_linelength 76
-auth_id [email protected]
-deliver_firsttime
-host_lookup_failed
XX
1
[email protected]

230P Received: from [61.152.145.33] (helo=smtp-03.tomatoit.net)
	by server3.stinghost.co.uk with esmtpa (Exim 4.77)
	(envelope-from <[email protected]>)
	id 1S1yhc-00073k-3j
	for [email protected]; Mon, 27 Feb 2012 11:25:17 +0000
054I Message-ID: <6904A1A80D8A4D368431CF7AE74C1A0C@cqyctk>
049R Reply-To: =?koi8-r?B?7sHT1NE=?= <[email protected]>
045F From: =?koi8-r?B?7sHT1NE=?= <[email protected]>
032T To: <[email protected]>
086  Subject: =?koi8-r?B?8NLJx8zB28HAINTFwtEgzsEg0sHCz9TVINcg7c/Ty9fV?=
	=?koi8-r?B?Lg==?=
038  Date: Mon, 27 Feb 2012 15:24:55 +0400
036  Organization: =?koi8-r?B?7sHT1NE=?=
018  MIME-Version: 1.0
091  Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_024D_01CCF563.F56C88C0"
014  X-Priority: 3
026  X-MSMail-Priority: Normal
048  X-Mailer: Microsoft Windows Mail 6.0.6001.18416
057  X-MimeOLE: Produced By Microsoft MimeOLE V6.0.6001.18645
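In the spool header above, the lines `-received_protocol esmtpa`, `-host_auth login` and `-auth_id` show that Exim accepted the message over authenticated SMTP using that mailbox's credentials from the `-host_address` IP, which is why a mail.ru sender address was let through. The following is an added example, not code from the thread or from DirectAdmin: it parses Exim -H spool files of this layout and counts queued messages per origin, separating an abused SMTP AUTH login from a local PHP script (the `X-PHP-Originating-Script` header the earlier reply refers to). The spool contents, addresses and IPs in `SAMPLE_SPOOL` are constructed placeholders.

```python
import re
from collections import Counter
# Constructed Exim spool -H files in the layout quoted above (id, spool user,
# sender, "time warnings", "-option value" lines, "XX", recipient count,
# recipients, blank line, length-prefixed headers). Placeholder values only.
SAMPLE_SPOOL = {
    "1AAAAA-000001-AA-H": "1AAAAA-000001-AA-H\nmail 8 12\n<spam@example.net>\n"
        "1330341912 0\n-helo_name smtp-03.example.invalid\n"
        "-host_address 198.51.100.7.1986\n-host_auth login\n-received_protocol esmtpa\n"
        "-auth_id victim@example.org\n-host_lookup_failed\nXX\n1\nrcpt@example.com\n"
        "\n045F From: spam@example.net\n",
    "1BBBBB-000002-BB-H": "1BBBBB-000002-BB-H\napache 48 48\n<www@example.org>\n"
        "1330341950 0\n-ident www-data\n-received_protocol local\n-local\nXX\n1\n"
        "rcpt@example.com\n\n061  X-PHP-Originating-Script: 1001:mailer.php\n",
}
HEADER_RE = re.compile(r"^\d+. (.*)$")  # "045F From: x": byte length, flag, header

def parse_spool_header(text):
    """Split an Exim -H file into envelope options, recipients and headers."""
    lines = text.split("\n")
    info = {"sender": lines[2].strip("<>"), "options": {}, "headers": {}}
    i = 4
    while lines[i].startswith("-"):  # envelope options; bare flags get value ""
        name, _, value = lines[i][1:].partition(" ")
        info["options"][name] = value
        i += 1
    while not lines[i].isdigit():  # skip the "XX" / ACL-variable block
        i += 1
    count = int(lines[i])
    info["recipients"] = lines[i + 1:i + 1 + count]
    current = None
    for line in lines[i + 2 + count:]:  # headers follow one blank separator line
        m = HEADER_RE.match(line)
        if m:
            current, _, value = m.group(1).partition(": ")
            info["headers"][current] = value
        elif current and line[:1] in (" ", "\t"):  # folded continuation line
            info["headers"][current] += " " + line.strip()
    return info

def classify_origin(info):
    """Return (path, who, where): the credential or script an admin would act on."""
    opts, hdrs = info["options"], info["headers"]
    if opts.get("received_protocol") == "esmtpa" and "auth_id" in opts:
        ip = opts.get("host_address", "").rsplit(".", 1)[0]  # Exim appends ".port"
        return ("smtp_auth", opts["auth_id"], ip)
    if "X-PHP-Originating-Script" in hdrs:  # added by PHP with mail.add_x_header=On
        return ("php", hdrs["X-PHP-Originating-Script"], opts.get("ident", ""))
    return ("other", opts.get("received_protocol", "?"), "")

def summarise(spool_files):  # queued messages per origin: the abused one stands out
    return dict(Counter(classify_origin(parse_spool_header(t)) for t in spool_files.values()))
```

On a live system the input is the `*-H` files under Exim's spool input directory (or `exim -Mvh <id>` per message); an account with many queued messages from one unfamiliar IP is the one to lock first.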
 
Thanks.

I've changed the passwords on 2 accounts that seemed to be affected and put limits on those mailboxes (5 per day). I am actually using Google to handle the mail, so those accounts don't need to exist anymore anyway.
 