Hi.
I'm running DirectAdmin 1.33.4 on CentOS release 5 (Final).
Looking at the Mail Queue Administration, I've noticed some SPAM coming out of my server.
Some examples:
---------------------------------------------------------------
ID Time Size Sender Frozen Recipient(s)
...
1LySql-000774-1d 23h 1.6K <> no [email protected]
1LyT5U-00089K-Ck 23h 1.6K <> no [email protected]
1LyRpV-0002DJ-MY 24h 1.6K <> no [email protected]
...
(The "Recipient(s)" change every day.)
---------------------------------------------------------------
Details of one of the emails:
---------------------------------------------------------------
• E-Mail Headers
1LySql-000774-1d-H
mail 8 12
<>
1240846471 0
-ident mail
-received_protocol local
-body_linecount 29
-allow_unqualified_recipient
-allow_unqualified_sender
-localerror
XX
1
[email protected]
152P Received: from mail by MY.SERVER.com with local (Exim 4.67)
id 1LySql-000774-1d
for [email protected]; Mon, 27 Apr 2009 12:34:31 -0300
042 X-Failed-Recipients: [email protected]
029 Auto-Submitted: auto-replied
072F From: Mail Delivery System <[email protected]>
022T To: [email protected]
059 Subject: Mail delivery failed: returning message to sender
061I Message-Id: <[email protected]>
038 Date: Mon, 27 Apr 2009 12:34:31 -0300
• E-Mail Body Chunk
1LySql-000774-1d-D
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
[email protected]
all relevant MX records point to non-existent hosts
------ This is a copy of the message, including all the headers. ------
Return-path: <[email protected]>
Received: from localhost ([127.0.0.1])
by MY.SERVER.com with smtp (Exim 4.67)
(envelope-from <[email protected]>)
id 1LySqk-000772-Oi
for [email protected]; Mon, 27 Apr 2009 12:34:31 -0300
Received: (tjbzhcvnu@localhost) by localhost (8.12.11.20060614) id n26yvze8od; Mon, 27 Apr 2009 12:34:29 -0300
Date: Mon, 27 Apr 2009 12:34:29 -0300
Message-Id: <200904271234.n26yvze8od@localhost>
To: [email protected]
Subject: Free Bonus for Casinos
From: [email protected]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/html; charset="iso-8859-1"
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
<font color="#8B0A50" size="4"><b><a href="http://noche-salon.com.ar/win.html">BEST CASINO</a></b></font>
• Log
2009-04-27 12:34:31 Received from <> R=1LySqk-000772-Oi U=mail P=local S=1638
2009-04-27 12:35:06 [email protected] R=lookuphost defer (-1): host lookup did not complete
2009-04-28 05:12:23 [email protected] R=lookuphost defer (-1): host lookup did not complete
---------------------------------------------------------------
Summing up...
From what I understand, the problem is this: a website for one of the domains on my server has a form with security problems (maybe some PHP form without a CAPTCHA that is being exploited).
I've been reading a lot of Apache and Exim logs, but I couldn't find any domain or IP related to those emails.
This is REALLY difficult to resolve, because it's easy to fix the SPAM problem (just delete all those junk emails), but the form with the vulnerability is still around and I can't see it in all the domains, because I have a lot of them!
Any ideas?
Thanks in advance.
Bye!
PS: Sorry for my poor English, I'm from Argentina.