Server sends SPAM

xenotek (New member; joined Nov 7, 2012; messages: 1)
Hi,

my server sends SPAM. I have read all the advice I could find. I have limited the number of mails that can be sent to 200. An account has reached the limit. But removing that account has not solved the problem. Maybe my server is infected twice.
So I have researched /etc/virtual/usage/ and followed the message IDs in the Exim mainlog. I found the SPAM messages. The problem is, I found them in unknown.bytes, which contains nothing other than the IDs. What shall I do now?

System information about my box is as follows:
Apache 2.2.17
DirectAdmin 1.41.1
Exim 4.72
MySQL 5.0.51a
Named 9.3.6
ProFTPd 1.3.3c
sshd
dovecot 2.0.11
PHP 5.3.17

and the content of unknown.bytes is as follows:

8591=type=email&email=&method=outgoing&id=1TVtOs-0000Tb-5D&authenticated_id=&sender_host_address=&log_time=1352247706&path=/
3625=type=email&email=&method=outgoing&id=1TVucl-00011n-46&authenticated_id=&sender_host_address=&log_time=1352252411&path=/
3625=type=email&email=&method=outgoing&id=1TVucl-00011n-46&authenticated_id=&sender_host_address=&log_time=1352252856&path=/
8920=type=email&email=&method=outgoing&id=1TVulZ-000149-Vo&authenticated_id=&sender_host_address=&log_time=1352252958&path=/
3625=type=email&email=&method=outgoing&id=1TVucl-00011n-46&authenticated_id=&sender_host_address=&log_time=1352253756&path=/
8920=type=email&email=&method=outgoing&id=1TVulZ-000149-Vo&authenticated_id=&sender_host_address=&log_time=1352253765&path=/
9236=type=email&email=&method=outgoing&id=1TVuzo-0001pp-D7&authenticated_id=&sender_host_address=&log_time=1352253840&path=/
9236=type=email&email=&method=outgoing&id=1TVuzo-0001pp-D7&authenticated_id=&sender_host_address=&log_time=1352254656&path=/
8920=type=email&email=&method=outgoing&id=1TVulZ-000149-Vo&authenticated_id=&sender_host_address=&log_time=1352254660&path=/
3625=type=email&email=&method=outgoing&id=1TVucl-00011n-46&authenticated_id=&sender_host_address=&log_time=1352254660&path=/
8920=type=email&email=&method=outgoing&id=1TVulZ-000149-Vo&authenticated_id=&sender_host_address=&log_time=1352255556&path=/
3625=type=email&email=&method=outgoing&id=1TVucl-00011n-46&authenticated_id=&sender_host_address=&log_time=1352255557&path=/
3625=type=email&email=&method=outgoing&id=1TVucl-00011n-46&authenticated_id=&sender_host_address=&log_time=1352256456&path=/
8920=type=email&email=&method=outgoing&id=1TVulZ-000149-Vo&authenticated_id=&sender_host_address=&log_time=1352256457&path=/
3625=type=email&email=&method=outgoing&id=1TVucl-00011n-46&authenticated_id=&sender_host_address=&log_time=1352257357&path=/
8920=type=email&email=&method=outgoing&id=1TVulZ-000149-Vo&authenticated_id=&sender_host_address=&log_time=1352257358&path=/
3625=type=email&email=&method=outgoing&id=1TVucl-00011n-46&authenticated_id=&sender_host_address=&log_time=1352258260&path=/
8920=type=email&email=&method=outgoing&id=1TVulZ-000149-Vo&authenticated_id=&sender_host_address=&log_time=1352258264&path=/
3625=type=email&email=&method=outgoing&id=1TVucl-00011n-46&authenticated_id=&sender_host_address=&log_time=1352259159&path=/
8920=type=email&email=&method=outgoing&id=1TVulZ-000149-Vo&authenticated_id=&sender_host_address=&log_time=1352259160&path=/
3625=type=email&email=&method=outgoing&id=1TVucl-00011n-46&authenticated_id=&sender_host_address=&log_time=1352260060&path=/
8920=type=email&email=&method=outgoing&id=1TVulZ-000149-Vo&authenticated_id=&sender_host_address=&log_time=1352260063&path=/
8920=type=email&email=&method=outgoing&id=1TVulZ-000149-Vo&authenticated_id=&sender_host_address=&log_time=1352260956&path=/
3625=type=email&email=&method=outgoing&id=1TVucl-00011n-46&authenticated_id=&sender_host_address=&log_time=1352260957&path=/
1942=type=email&email=&method=outgoing&id=1TVwwX-0002NQ-NF&authenticated_id=&sender_host_address=&log_time=1352261325&path=/
3625=type=email&email=&method=outgoing&id=1TVucl-00011n-46&authenticated_id=&sender_host_address=&log_time=1352261856&path=/
8920=type=email&email=&method=outgoing&id=1TVulZ-000149-Vo&authenticated_id=&sender_host_address=&log_time=1352261857&path=/
18639=type=email&email=&method=outgoing&id=1TVxIg-0002Si-1h&authenticated_id=&sender_host_address=&log_time=1352262698&path=/
8920=type=email&email=&method=outgoing&id=1TVulZ-000149-Vo&authenticated_id=&sender_host_address=&log_time=1352262756&path=/
3625=type=email&email=&method=outgoing&id=1TVucl-00011n-46&authenticated_id=&sender_host_address=&log_time=1352262757&path=/
3625=type=email&email=&method=outgoing&id=1TVucl-00011n-46&authenticated_id=&sender_host_address=&log_time=1352263656&path=/

Thanks in advance
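As an added example (not code from the thread or from DirectAdmin), here is a small parser for the usage-record format shown above. It groups the records by Exim message ID, so each ID can be looked up in the mainlog, and flags messages with an empty authenticated_id and empty sender_host_address, i.e. mail injected locally without an SMTP login. The first three sample lines are copied from the post; the fourth, with an authenticated sender and remote host, is constructed.

```python
# Added example: triage DirectAdmin /etc/virtual/usage/ records (unknown.bytes
# layout: "<bytes>=<url-encoded key/value fields>"). Not DirectAdmin's own code.
from collections import defaultdict
from urllib.parse import parse_qs

# Sample input: three lines from the thread plus one constructed authenticated
# record (203.0.113.5 is a documentation address, not a real host).
SAMPLE = """\
8591=type=email&email=&method=outgoing&id=1TVtOs-0000Tb-5D&authenticated_id=&sender_host_address=&log_time=1352247706&path=/
3625=type=email&email=&method=outgoing&id=1TVucl-00011n-46&authenticated_id=&sender_host_address=&log_time=1352252411&path=/
3625=type=email&email=&method=outgoing&id=1TVucl-00011n-46&authenticated_id=&sender_host_address=&log_time=1352252856&path=/
1200=type=email&email=user@example.com&method=outgoing&id=1TVzzz-000AAA-Zz&authenticated_id=user@example.com&sender_host_address=203.0.113.5&log_time=1352260000&path=/
"""

def parse_usage_line(line):
    """Return (bytes, fields) for one usage record, or None for junk lines."""
    size, sep, query = line.strip().partition("=")
    if not sep or not size.isdigit():
        return None
    # keep_blank_values=True so empty authenticated_id / sender_host_address survive
    fields = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    return int(size), fields

def summarize(text):
    """Group outgoing email records by Exim message ID.

    count  - how many times the ID was logged (the same ID repeating at roughly
             fixed intervals usually means the message is still queued and
             being retried; the queue is where to look next)
    bytes  - total bytes accounted to the ID
    local_unauth - True if no record for the ID had an SMTP-authenticated
             user or a remote sender host (local script, forwarder or bounce)
    """
    by_id = defaultdict(lambda: {"count": 0, "bytes": 0, "local_unauth": True})
    for line in text.splitlines():
        parsed = parse_usage_line(line)
        if parsed is None:
            continue
        size, f = parsed
        if f.get("type") != "email" or f.get("method") != "outgoing":
            continue
        entry = by_id[f["id"]]
        entry["count"] += 1
        entry["bytes"] += size
        if f.get("authenticated_id") or f.get("sender_host_address"):
            entry["local_unauth"] = False
    return dict(by_id)

def suspicious_ids(text):
    """Message IDs worth grepping for in the Exim mainlog: unauthenticated, local origin."""
    return sorted(mid for mid, e in summarize(text).items() if e["local_unauth"])
```

Run it over the real file with `summarize(open("/etc/virtual/usage/unknown.bytes").read())`; the IDs it returns are the ones to match against the mainlog and `exim -bp` output.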
 
Hello,

The posted data is mostly useless without the ability to check the MIDs against the exim log; nevertheless, it's not an authenticated user who is sending SPAM. It might be bounces and/or forwarders. Check your exim queue and enable logging of arguments in /etc/exim.conf:

Code:
log_selector = \
  +arguments \
  +delivery_size \
  +sender_on_delivery \
  +received_recipients \
  +received_sender \
  +smtp_confirmation \
  +subject \
  +smtp_incomplete_transaction \
  -dnslist_defer \
  -host_lookup_failed \
  -queue_run \
  -rejected_header \
  -retry_defer \
  -skip_delivery

I'd guess you should hire somebody to check your server. I, as well as others here, am available for this kind of job.
 