Spam does not stop after password change

tom10 (Verified User, joined Jul 3, 2012, 11 messages)
Hi all

I don't know how to stop a spammer from sending mails through one of our accounts. The user is the main user of the account (the mailbox that is automatically created when the user is created: [email protected]). So if I go to admin level/change password for that user, the password should change and I assume that the spammer can't send mails anymore. The strange thing is that he still can. I've limited the mails for that account to 1 per day, but the mailbox is getting filled with undeliverable messages, so I really need to stop the mails from being sent.
In the exim/mainlog I can see that the mail is sent from [email protected] => so not the domain name. The other information on this line is "R=localuser T=local_delivery". I checked the site of that user and it has no php mail() method. The site is plain html. How is it possible that the spammer still sends mail from that user? How can I stop this?

Kind regards

Tom
 
Maybe it is a php script; you would need the header of one email.

Probably it is not using authentication; you should check /etc/exim.conf for relay_hosts and remove 127.0.0.1.

Regards
 
Thanks for the answer, SeLLeRoNe. I checked the user's public_html for php scripts, but there weren't any.
I also checked /etc/exim.conf but I don't have the line you mentioned. I only have these lines:
Code:
hostlist auth_relay_hosts = *
hostlist relay_hosts = net-lsearch;/etc/virtual/pophosts

Attached you can find the mail headers of a spam mail. I changed the mail addresses and hostname.
 

Apparently that is not the header of the outgoing mail but the one that came back in error; I don't think it is useful.

Also, providing the real email/server hostname would be useful to check if it is an open relay.

Regards
 
I checked if it is an open relay on http://www.mailradar.com/openrelay/ and http://www.checkor.com/. Both tests were completed without any warnings; all tests passed.

Where can I find the headers of the outgoing mail? I checked the exim queue but it didn't contain any messages from the spammer. They are immediately rejected.

If you want I can give you part of the exim mainlog, but I'm not sure it'll be useful.
 
I think no, it isn't.

Maybe stopping exim would let you see the outgoing email in the queue, but I suppose you should see them without stopping exim, because usually the queue gets filled so fast. If not, try setting a limit per user of 1 email per day and check if you get some outgoing email in the queue.

Regards
 
Do you have a line in your users httpd.conf (/usr/local/directadmin/data/users/${USERNAME}/httpd.conf) that looks similar to this:
php_admin_value sendmail_path '/usr/sbin/sendmail -t -i -f [email protected]'
If so, then you should see something like this in your /var/log/exim/mainlog:
2012-07-02 13:25:09 cwd=/home/${USERNAME}/domains/domain.com/public_html 5 args: /usr/sbin/sendmail -t -i -f [email protected]

I would at least do a search for E1SkGcY-0002EX-NJ in your mainlog, and look for all the lines that relate to that message; it should give you a hint whether the message actually originated from your server or a different server. If it originated from your server, it should give you an idea of how they are connecting. For example, from an email client on my server, I can see I was authenticated as plain text:
P=esmtpsa X=TLSv1:AES128-SHA:128 A=plain:[email protected]
If you don't have lines similar to this, then they weren't authenticated and possibly are originating from a script on the server, since a local script running as that user, normally doesn't require authentication.


Also, note that public_html isn't the only place someone can run a php script from, there is also the private_html directory and any sub-directory of public_html and private_html.
 
I do have the line in my user's httpd.conf, but I don't have the entry in my exim/mainlog.
What I do have is this info, related to one message from the spammer:
Code:
# grep 1Sl9Mg-0007ce-VI /var/log/exim/mainlog
2012-07-01 03:54:19 1Sl9Mg-0007ce-VI <= [email protected] U=brokenchai P=local S=465 T="Test mail 1447819198" from <[email protected]> for [email protected]
2012-07-01 03:54:19 1Sl9Mg-0007ce-VI failed to expand condition "${perl{check_limits}}" for lookuphost router: You (brokenchai) have reach your daily email limit of 1 emails
2012-07-01 03:54:19 1Sl9Mg-0007ce-VI ** [email protected] F=<[email protected]>: Unrouteable address
2012-07-01 03:54:19 1Sl9Mh-0007cj-Dk <= <> R=1Sl9Mg-0007ce-VI U=mail P=local S=1333 T="Mail delivery failed: returning message to sender" from <> for [email protected]
2012-07-01 03:54:20 1Sl9Mg-0007ce-VI Completed
As you can see in the log, I've already limited the mails to 1 per day.

I also checked private_html, but it only has the original index.html file. I checked public_html recursively using grep, searching for php tags and the mail method => no results.
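The reply above suggests tracing a message ID through the mainlog and reading the submission fields on its arrival ("<=") line, and tom10's grep output shows what that looks like for a local submission (U=brokenchai P=local). As an added example, not code from the thread or from DirectAdmin, the POSIX shell helper below does that classification over a log read from stdin. It relies on exim's standard log fields (P= protocol, U= local user, A= authenticator:id, H= remote host); the sample log is constructed for the example, reusing the message ID and user from tom10's post with placeholder addresses and made-up IDs for the other two arrivals.

```shell
#!/bin/sh
# Constructed sample mainlog (not the thread's real log): one local
# submission, one authenticated SMTP submission, one unauthenticated
# remote SMTP arrival, plus bounce/completion lines for the first.
SAMPLE_LOG=$(cat <<'EOF'
2012-07-01 03:54:19 1Sl9Mg-0007ce-VI <= spam@example.com U=brokenchai P=local S=465 T="Test mail 1447819198" from <spam@example.com> for victim@example.net
2012-07-01 03:54:19 1Sl9Mg-0007ce-VI ** victim@example.net F=<spam@example.com>: Unrouteable address
2012-07-01 03:54:20 1Sl9Mg-0007ce-VI Completed
2012-07-01 04:10:02 1Sl9ab-0001aa-Xx <= user@example.com H=(client) [198.51.100.7] P=esmtpsa X=TLSv1:AES128-SHA:128 A=plain:user@example.com S=1200 for friend@example.org
2012-07-01 04:12:44 1Sl9ac-0001ab-Yy <= other@example.org H=mail.example.org [203.0.113.9] P=esmtp S=2200 for user@example.com
EOF
)

# classify_submission MSGID < mainlog
# Prints "MSGID ORIGIN DETAIL" based on the message's arrival line:
#   local-submission     P=local, i.e. something on this server ran
#                        sendmail/exim as Unix user U= (no SMTP auth)
#   authenticated-smtp   an A= field is present (password was used)
#   unauthenticated-smtp SMTP arrival with no A= field (relay/remote MTA)
# Returns 1 when no arrival line for the ID exists in the input.
classify_submission() {
    awk -v id="$1" '
        $3 == id && $4 == "<=" {
            p = ""; u = ""; a = ""
            for (i = 5; i <= NF; i++) {
                if ($i ~ /^P=/)      p = substr($i, 3)
                else if ($i ~ /^U=/) u = substr($i, 3)
                else if ($i ~ /^A=/) a = substr($i, 3)
            }
            if (p == "local")  print id, "local-submission", "U=" u
            else if (a != "")  print id, "authenticated-smtp", "A=" a
            else if (p != "")  print id, "unauthenticated-smtp", "P=" p
            else               print id, "unknown", "no-P-field"
            found = 1
            exit
        }
        END { if (!found) { print id, "unknown", "no-arrival-line"; exit 1 } }'
}

# Demo over the constructed log. On a live server you would run
#   classify_submission 1Sl9Mg-0007ce-VI < /var/log/exim/mainlog
for id in 1Sl9Mg-0007ce-VI 1Sl9ab-0001aa-Xx 1Sl9ac-0001ab-Yy; do
    printf '%s\n' "$SAMPLE_LOG" | classify_submission "$id"
done
```

A "local-submission" result is the one that matters for the situation in this thread: it means a password change cannot help, because nothing authenticated; the sender is a process already running on the box as that user, so the search has to move to what that user is executing.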
 
Solution

I've found the culprit. There was a perl script running from within the /tmp directory. The script was already deleted, but it was still sending spam. The load it generated was too low to show up in top, and a ps -ef | grep brokenchai didn't report it.

Thanks for all the help.
 
The VPS doesn't have a separate /tmp filesystem, so I can't mount it noexec,nosuid.
I did a top and saw the perl entry at the bottom of the screen. I had previously run top, but it never showed up.
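The solution post and the follow-up describe exactly the case where top and a ps grep are unreliable: a low-load interpreter process whose script was started from /tmp and has since been deleted. As an added example, not code from the thread or from DirectAdmin, the POSIX shell helper below walks /proc (Linux only) and reports processes showing any of those signs: working directory under a scratch directory, an executable unlinked after launch, or an open descriptor to a deleted file. The helper name, output format and default directory list are this example's own choices.

```shell
#!/bin/sh
# find_suspect_processes [dir ...]
# Prints "PID UID REASONS COMMANDLINE" for every process that
#   - has its working directory under one of the given directories
#     (default: /tmp /var/tmp /dev/shm),
#   - runs an executable that was deleted after it started, or
#   - holds an open file descriptor to a deleted file (e.g. a script
#     removed while the interpreter is still running it).
# Without root you only see your own processes' links, which is enough
# to audit a single hosting user; run as root to cover the whole box.
find_suspect_processes() {
    [ $# -gt 0 ] || set -- /tmp /var/tmp /dev/shm
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        # cmdline is NUL-separated; kernel threads have an empty one
        cmd=$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null) || continue
        [ -n "$cmd" ] || continue
        reasons=""
        # /proc/PID/exe keeps pointing at an unlinked binary, marked "(deleted)"
        exe=$(readlink "$p/exe" 2>/dev/null || true)
        case "$exe" in *" (deleted)") reasons="$reasons exe-deleted" ;; esac
        # a script launched from /tmp keeps /tmp as its working directory
        cwd=$(readlink "$p/cwd" 2>/dev/null || true)
        for d in "$@"; do
            case "$cwd" in "$d"|"$d"/*) reasons="$reasons cwd-in-$d"; break ;; esac
        done
        # a deleted script or data file that is still open shows up here
        if ls -l "$p/fd" 2>/dev/null | grep -q '(deleted)$'; then
            reasons="$reasons fd-deleted"
        fi
        [ -n "$reasons" ] || continue
        uid=$(awk '/^Uid:/ { print $2 }' "$p/status" 2>/dev/null || true)
        echo "$pid ${uid:-?}$reasons $cmd"
    done
    return 0
}

# Usage: scan the default scratch directories and print findings.
find_suspect_processes "$@"
```

The output is a starting point for triage, not a verdict: editors, browsers and package upgrades legitimately produce "fd-deleted" or "exe-deleted" hits, so the combination with the owning UID and the command line is what distinguishes a hosting user's stray interpreter from normal system activity.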
 
Do you disable functions for PHP? I would research how a script/they had gotten /tmp access.
My advice would be to have mod_ruid (if you're using mod_php) and mod_security2.
 