SPAM sent from my server?!

TestUser (Verified User, joined Aug 26, 2011, 215 messages)
Hello all.
I would like some help from the community.
1. I have several users on my email server.
2. For the last couple of weeks, I get a message from DA that some email account just sent 200 emails... so the email account gets blocked...
3. Changed the password for the email account... all good... for 2 weeks or so...
Now same user... same problem....
When I go and check the exim log... this user that today apparently sent 200 emails... actually sent only about 10.
How can I find what is going on on my email server?
Any idea highly appreciated.
 
You have to check your mail queue. You can do that via SSH with the exim -bp command, but even better is to install the Configserver Mailqueue addon.

If you only see around 10 mails in the exim log while about 200 are sent, most likely the spammers did not use the SMTP account of the user but are abusing some script, or created a hack script via a leaky script or theme or something similar.

In the mail queue you often find mails of the spammer which are blocked or refused and are still in the mail queue. With the addon, you can look into these mails, and often it's displayed which script is sending the mails somewhere in the headers.

Also if you know which account it is, it might be good to scan it with a malware scanner.

It's always good to have Maldetect or a similar protecting product installed and configured.
 
I have checked the email queue in DA and there are no emails there.
 
You could check the users php logfile.
You can find the php-mail.log file in the user's /home/user/.php directory.

P.s. please don't quote full posts. Use the reply box on the bottom. ;)
 
In the Email usage part, you can filter by date / inbound and outbound emails.
 
Additionally check that they did not manage to put in a little SMTP server themselves. Sometimes you see something odd when doing this command as root:
lsof -i:25
So that's a lowercase L, not an uppercase i, in there. Or you can just copy and paste.

Normally you should only see exim in the output.
 
Is it possible DA is not resetting the counting each midnight?
How could I check this?
 
You could view that at the statistics/stats page if all is correct.

Did you run a maldetect check?
 
Hmmmm, I have done watch lsof -i:25 and I only see exim...
Every now and then I see additional processes... also exim and user mail... (I guess users sending emails....)
This is interesting....
The malware check I didn't run.. I'm looking into it.
 
every now and then I see additional processes... also exim and user mail...
Yes that indeed can happen, for a short time. It's suspicious if another process is there for a long time. So I don't think there's any issue now.

The malware check you can do with Maldetect. It's free.
 
Guys,,, interesting thing is that my cron backups are also not working on this server....
hmmm
I have tried to do a manual backup... all OK...
I have deleted the cron backup... and created a new one... but it doesn't work...
Seems like my DA is broken?
 
I have scanned for malware... nothing extraordinary...
2 mails had some Windows malware...
What IS interesting is that at midnight a few users send thousands of emails, but the limit is set to 200.
How is this even possible?
But still... nothing in logs...
This is getting bizarre :D

any ideas?
 
but the limit is set to 200
That's the limit for SMTP mail. This means it must have been done via php mail.

Still nothing in the mail queue either yet? Because with so many mails normally there always are some bounces.
And from these bounces or from refused mails, you should be able to see where it's coming from.

Also odd that Maldetect did not find anything and that it's multiple users.

Maybe @Zhenyapan has some ideas left.
 
Also you can check today's email info for an account in:
/etc/virtual/usage/USERNAME.bytes
There you can see the script path, auth login, IP, email direction (outgoing/incoming) and email ID; then you can grep the exim log for this ID to see the details, or grep the exim log for USERNAME or the recipient email / IP etc. to check who sent what to whom and how.
 
Is there any way to check yesterday's logs?
i.e. /etc/virtual/usage/USERNAME.bytes from yesterday?
Because today... everything is normal...
hmmmm...
I tell you... bizarre :D
 
As far as I know, /var/log/exim/mainlogDATE keeps by default a few weeks of logs.
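As an added example (not code from anyone in this thread), the kind of one-off check that follows from the two posts above: count "<=" (message received) lines in an Exim mainlog per user and per delivery protocol, so that local injections (P=local, the php mail path that bypasses the 200-per-user SMTP limit) stand out from authenticated SMTP sends (P=esmtpa, A=login:...). The log lines are constructed samples in Exim's default mainlog format; on a real server you would feed it /var/log/exim/mainlog (or the dated mainlogDATE files) instead of SAMPLE_LOG.

```shell
#!/bin/sh
# Constructed sample Exim mainlog lines (not from the thread). "<=" marks a
# message arriving, "=>" a delivery; U= is the local user that injected the
# message, P= the protocol, A= the SMTP authentication that was used.
SAMPLE_LOG='2024-05-10 00:01:03 1sAbcd-000001-Aa <= bob@example.com U=bob P=local S=812
2024-05-10 00:01:04 1sAbcd-000002-Bb <= bob@example.com U=bob P=local S=815
2024-05-10 00:01:05 1sAbcd-000003-Cc <= bob@example.com U=bob P=local S=820
2024-05-10 09:15:22 1sAbce-000004-Dd <= alice@example.com H=(client) [192.0.2.10] P=esmtpa A=login:alice@example.com S=2211
2024-05-10 09:16:01 1sAbce-000005-Ee <= alice@example.com H=(client) [192.0.2.10] P=esmtpa A=login:alice@example.com S=1987
2024-05-10 00:01:06 1sAbcd-000003-Cc => remote@example.org R=lookuphost T=remote_smtp'

# Summarise the messages received on one date (YYYY-MM-DD), grouped by the
# user and the protocol they came in over. Output: "<count> <user> <proto>",
# highest count first. Replace the printf with "cat /var/log/exim/mainlog"
# (path as mentioned in the thread) to run it against a live server.
count_senders() {
    date="$1"
    printf '%s\n' "$SAMPLE_LOG" |
    awk -v d="$date" '$1 == d && $4 == "<=" {
        user = "?"; proto = "?"
        for (i = 5; i <= NF; i++) {
            if ($i ~ /^U=/) user = substr($i, 3)          # local user (scripts, php mail)
            else if ($i ~ /^A=login:/) user = substr($i, 9) # SMTP-authenticated account
            else if ($i ~ /^P=/) proto = substr($i, 3)     # local / esmtpa / smtp ...
        }
        print user, proto
    }' | sort | uniq -c | sort -rn | awk '{print $1, $2, $3}'
}

# How many messages one user injected locally (P=local) on that date, i.e. via
# a script on the box rather than over authenticated SMTP. Empty if none.
local_count() {
    count_senders "$1" | awk -v u="$2" '$2 == u && $3 == "local" {print $1}'
}

count_senders "2024-05-10"
```

A user with a large P=local count but few or no esmtpa lines is the pattern the thread is chasing: mail sent by a script under that account, which is what the user's php-mail.log and the /etc/virtual/usage file would then pin down to a script path.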
 