stop sending spam

deltaned

Hi,

I see one of my servers is on the spam list of spamcop.net.
This server is owned by myself and it is for some fun domains.
Now I am trying to find out what domain / script or something is sending spam to the mail traps of spamcop.net.

I mailed spamcop.net but they can't / will not give me details of the messages they get.

Is there an option to "watch" and monitor ALL outgoing mail, incl. mail sent by sendmail?
Or (not the best option) to stop ALL outgoing mail and block outgoing mail from sendmail so this server can't send any mail to any mail address?

Thanks for your advice!
 
A standard DA server can't be used for sending spam by people who don't have an account on your server... and since you're the only user, you say, you know what's being sent, I assume.
 
Hi Sander,

I know a standard DirectAdmin server can't send mail without any user, but the point is the server is sending mail without my permission.

If I knew what account / script was sending mail I wouldn't open a topic here ;-)
 
Any of the domains on your server could be sending spam. Many scripts can send spam.

A known serious offender is most versions of FormMail.pl. This is the official capitalization, and the official extension, though it may also be found on servers with the .pl replaced by .cgi, and with no capitalization, so if you're going to do a search you should search at least for:

FormMail.pl
FormMail.cgi
formmail.pl
formmail.cgi

It is NOT the same as formail, which is usually a completely different program with a completely different purpose.

There is a secure version of FormMail.pl; you can find it here.

But note that because it's secured against spammers it is NOT a drop-in replacement, so be sure to read all the instructions.

Of course FormMail.pl may not be the problem or the only problem.

Can you read the logs to see what email is leaving your server? Absolutely.

Check /var/log/exim/mainlog

It'll be quite long if you're really sending spam.

Don't forget it could be rotating as often as once daily, at around 4 am, so be sure also to unzip (if necessary) and check any mainlog files, no matter their extension.

Your server may also have been compromised, in which case it could be sending spam directly through a hidden process running either in userspace or in the kernel. Be sure to run the latest version of chkrootkit, available here.

We're an anti-spam house ourselves, and work with many anti-spam houses. We can probably check your server thoroughly to make sure it's not being used by one or more spammers, even with hidden processes, but such forensics can get expensive. If you need to contact me privately please do not use the forum Private Message function, but instead write my email address below in my sig.

I hope I've been able to be of some help to you and I hope you find your spammer.

Jeff
 
Hi Jeff,

I looked into the mainlog and see a lot of mail that is sent from my server.
On what line can I see what user or what program is sending it?
 
If you're using the later versions of exim.conf (the SpamBlocker one) whether supplied from my website or from a DA install, the log lines you want to look at will have the characters => followed by an address somewhere not on your server, and then the characters F= followed by an address on your server.

You can also look in your outgoing email queue to see the actual messages; they'll be in /var/spool/exim/input, with the actual message ending in -D and the headers and control information in -H.

Jeff
 
Hi,

I have an example I found at the bottom of my mainlog:

2004-09-27 18:45:46 1CBydA-0008WR-W6 no immediate delivery: more than 10 messages received in one connection
2004-09-27 18:45:48 1CBydD-0006m9-Ct <= [email protected] H=(bessie) [218.88.122.39] P=asmtp A=login:webmaster S=908
2004-09-27 18:45:48 1CBydD-0006m9-Ct no immediate delivery: more than 10 messages received in one connection
2004-09-27 18:45:48 1CBydE-0008Mt-8y <= [email protected] H=(michigan) [201.135.251.143] P=asmtp A=login:webmaster S=959
2004-09-27 18:45:48 1CBydE-0008Mt-8y no immediate delivery: more than 10 messages received in one connection
2004-09-27 18:45:52 1CBydJ-0008WQ-B9 <= [email protected] H=(excuse) [201.128.234.242] P=asmtp A=login:webmaster S=1020
2004-09-27 18:45:52 1CBydJ-0008WQ-B9 no immediate delivery: more than 10 messages received in one connection

I can't find anything about it :-(
And the formmail.pl / cgi is not on the server.
 
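A triage script for the mainlog lines discussed in the posts above, added here as an example; it is not part of the original thread. It assumes the Exim 4 log format shown in the thread: `<=` (message received) lines carry `A=login:USER` when the client used SMTP AUTH, or `U=user P=local` when a local script handed the message to the sendmail binary, plus the sending host as `H=(helo) [ip]`; `=>` (delivery) lines carry the envelope sender as `F=<address>`. The sample log lines embedded in it are constructed for the demonstration, with documentation addresses and IP ranges, not data from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): summarise who is injecting mail into
# Exim, from /var/log/exim/mainlog and its rotated copies.
#
# Exim 4 "<=" lines (message received) carry:
#   A=login:USER   the SMTP AUTH identity, when the client authenticated
#   U=user P=local the Unix user, when a local script used the sendmail binary
#   H=(helo) [ip]  the sending host
# "=>" lines (delivery attempted) carry the envelope sender as F=<address>.

# Constructed sample lines in the same format as the post (not real data;
# addresses and IPs are from documentation ranges).
SAMPLE_LOG='2004-09-27 18:45:48 1CBydD-0006m9-Ct <= spammer@example.net H=(bessie) [203.0.113.5] P=asmtp A=login:webmaster S=908
2004-09-27 18:45:48 1CBydE-0008Mt-8y <= spammer@example.net H=(michigan) [203.0.113.6] P=asmtp A=login:webmaster S=959
2004-09-27 18:45:52 1CBydJ-0008WQ-B9 <= spammer@example.net H=(excuse) [203.0.113.7] P=asmtp A=login:webmaster S=1020
2004-09-27 18:46:01 1CBydK-0008WQ-C1 <= owner@example.org H=(home) [198.51.100.2] P=asmtp A=login:owner S=700
2004-09-27 18:46:03 1CBydL-0008WQ-D2 <= apache@host.example.org U=apache P=local S=600
2004-09-27 18:46:05 1CBydJ-0008WQ-B9 => victim@example.com F=<spammer@example.net> R=lookuphost T=remote_smtp H=mx.example.com [192.0.2.10]
2004-09-27 18:46:06 1CBydD-0006m9-Ct => other@example.com F=<spammer@example.net> R=lookuphost T=remote_smtp H=mx.example.com [192.0.2.10]
2004-09-27 18:46:07 1CBydL-0008WQ-D2 => list@example.com F=<apache@host.example.org> R=lookuphost T=remote_smtp H=mx.example.com [192.0.2.10]'

# Concatenate the live log and any rotated copies, gunzipping compressed ones,
# so the daily rotation mentioned earlier does not hide yesterday's burst.
all_mainlogs() {
  for f in /var/log/exim/mainlog*; do
    case "$f" in
      *.gz) gzip -dc "$f" ;;
      *)    cat "$f" ;;
    esac
  done
}

# Messages received, tallied by the identity that injected them. Reads the
# files given as arguments, or stdin when none. Output: "count identity".
count_injections() {
  awk '/ <= / {
         auth = ""; user = ""
         for (i = 1; i <= NF; i++) {
           if ($i ~ /^A=/) auth = substr($i, index($i, ":") + 1)
           if ($i ~ /^U=/) user = substr($i, 3)
         }
         who = (auth != "") ? "auth:" auth : ((user != "") ? "local:" user : "unauth")
         count[who]++
       }
       END { for (w in count) print count[w], w }' "$@" | sort -rn
}

# Messages received, by the sending host IP (the bracketed token on "<=" lines).
count_sources() {
  awk '/ <= / {
         ip = ""
         for (i = 1; i <= NF; i++) if ($i ~ /^\[[0-9a-fA-F.:]+\]$/) ip = $i
         if (ip != "") count[ip]++
       }
       END { for (h in count) print count[h], h }' "$@" | sort -rn
}

# Deliveries attempted, by envelope sender: the F=<address> on "=>" lines,
# the address to look at next to an off-server recipient.
count_senders() {
  awk '/ => / {
         for (i = 1; i <= NF; i++) if ($i ~ /^F=/) {
           s = $i; sub(/^F=<?/, "", s); sub(/>$/, "", s); count[s]++
         }
       }
       END { for (a in count) print count[a], a }' "$@" | sort -rn
}

# Usage: sh exim_triage.sh [mainlog ...]
# With no argument the constructed sample is used. On a real server:
#   all_mainlogs | count_injections
if [ $# -eq 0 ]; then
  LOG=$(mktemp); printf '%s\n' "$SAMPLE_LOG" > "$LOG"; set -- "$LOG"
fi
echo "== messages received, by injecting identity =="; count_injections "$@"
echo "== messages received, by source IP =="; count_sources "$@"
echo "== deliveries attempted, by envelope sender =="; count_senders "$@"
```

On the sample, the first table shows the three authenticated `webmaster` submissions at the top, which is the same picture as the posted log: the spam is not a script on the box but a remote client that has the account's password. A top entry of the form `local:apache` would instead point at a web script calling sendmail, and an `unauth` entry at relaying.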
Hello deltaned,
you should check your /tmp and /dev/shm directories using 'ls -al' and search for any strange directories.
For example ".. "
"..."
and such.
 
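A small scan for the kind of directory names the post above describes, added here as an example; it is not part of the original thread. It assumes only POSIX sh, find and awk, and defaults to the two directories the post names. The entries it creates during its self-check are constructed in a temporary location.

```shell
#!/bin/sh
# Added example (not from the thread): report entries in world-writable staging
# directories whose names are made only of dots and spaces (".. ", "...", " "),
# the pattern the post describes. In `ls -al` these sit next to the legitimate
# "." and ".." lines and are easy to overlook, so match on the name instead.

# Print the full path of every entry directly inside each given directory whose
# basename consists solely of dots and spaces. Missing directories are skipped.
find_dot_names() {
  for d in "$@"; do
    [ -d "$d" ] || continue
    find "$d" -mindepth 1 -maxdepth 1 2>/dev/null
  done | awk -F/ '$NF ~ /^[. ]+$/'
}

# Show each hit with owner, mode and mtime, as `ls -al` would; the owner tells
# you which account (apache, or one of the DA users) planted it.
report_dot_names() {
  find_dot_names "$@" | while IFS= read -r p; do
    ls -ld "$p"
  done
}

# Usage: sh find_dot_names.sh            (defaults to /tmp and /dev/shm)
#        sh find_dot_names.sh /var/tmp   (any other directories)
if [ $# -eq 0 ]; then set -- /tmp /dev/shm; fi
report_dot_names "$@"
```

Anything this prints deserves a look at its contents and owner before deleting it, since the owner is the account (or the web server user) that was used to plant it.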
It looks like they are accessing your SMTP server directly and authenticating as webmaster. I would use the new DA or Jeff's SpamBlocker version of exim.conf. It has a lot of spam blocking/security built in. Also you need to make sure you have either passwords on all your accounts or make sure they are all locked up. Especially one named webmaster, since that one seems to be open or to have a known/easy password.
 