Suspected spam email sending, how to stop it?

rchan (Verified User, joined Sep 11, 2012, 13 messages)

Hi,

I found something in the admin email section,
see attached.

I think someone is using the server to send spam email.

How can I stop it?

Thanks.
 

Attachments: log_01.gif, log.gif
Check your logs to see if the spam is coming from a login account or a local process. If a local process, find it and remove or disable it. If a login account, change the password so it can't be used to log in.

Jeff
 
Hello,

The messages seem to me to be bounces; in this case it does not mean you've got a spammer on the server. But checking the logs to be more sure is a good thing.

Need more help: spam email

Thanks for the reply.


The email was received from an address that was not created in the domain.
From [email protected] ( not created in the domain )
To [email protected] ( the only email created in the domain )
So [email protected] is not a login A/C.

I am a newbie in server admin.
I do not know how to read the attached log.gif.
What does the column "frozen" mean?

In log_01.gif:
Does that message mean someone used the email server to send spam?
"This message was created automatically by mail delivery software"

The email [email protected] is the only email created in this domain.
I set up email forwarding from [email protected] to my email a/c and got some log entries, see the
attached gif.

In the screen cap, the IP of the sending host is 210.87.247.19,
and the rest are IPs. Were those IPs used to send the emails?

I found that [email protected] (not created in this domain) sent email to
[email protected].

How can I prevent and stop it?

Thanks for help.
Ronny
 

Attachments: Spam_email_sent.gif
What kind of authentication is used for sending mail? Because in your screenshot, authentication is blank.
 
Hi Richard,

Thanks for your reply.

The email ( sender ) [email protected] is not a valid email opened officially under this domain.
So it is not authorised to send email. It is not an existing email.

Can I filter this email, or block it, or stop it?

Thanks.
 
Open the exim logs and read them. If you block the address, and your server contains malware that is sending spam, that won't solve the issue; it will just make the hacker change the address.

In case somebody outside is using [email protected] as a fake sender email address, then there is nothing you can do about it. You cannot protect your domain from being used in illegal spamming with faked sender addresses.

Once again, for a full overview you need to carefully read the exim logs and find out where the problem comes from. If you have no time to investigate it yourself, you'd better hire somebody to do that for you. You might want to ask the guys from your DC to help you. Also you might want to hire somebody from these forums.
 
Thanks for your quick reply Alex,

From the screenshot there is another non-existing email sender, [email protected].
Which log should I look into? In Log viewer I found
Exim Rejectlog
Exim Mainlog
Exim Paniclog
But I do not know how to read these logs properly.

Thanks,
Ronny.
 
You need to deal with Exim Mainlog, and the best way would be to read it over SSH, since you might need to run grep/exigrep to find some details.

This article http://www.liquidweb.com/kb/how-to-read-an-exim-maillog/ might help you to understand how to read exim logs.
And this one of course http://www.exim.org/exim-html-current/doc/html/spec_html/ch-log_files.html

The simplest example would be as follows:

Code:
exigrep [email protected] /var/log/exim/mainlog

the output might contain some clues.
 
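The reply above says the mainlog is where the answer is, and the earlier replies ask whether each message is a bounce, an authenticated login, a local process, or plain inbound SMTP. This is an added example (not code from the thread or from Exim/DirectAdmin) that reads constructed mainlog "<=" arrival lines in Exim's standard layout and sorts them by that question, and it also flags messages that a later "Frozen" line shows Exim gave up on. All ids, hosts and addresses in the sample are made up.

```python
import re

# Constructed Exim mainlog excerpt (made-up ids, hosts and addresses); not the thread's own log.
SAMPLE_LOG = """\
2012-09-11 08:01:02 1TbAaa-0001Aa-Aa <= <> R=1TbZzz-0000Zz-Zz U=mail P=local S=2311
2012-09-11 08:02:10 1TbBbb-0002Bb-Bb <= sender@example.net H=(relay.example.net) [198.51.100.7] P=esmtp S=4120
2012-09-11 08:03:15 1TbCcc-0003Cc-Cc <= alice@example.com H=(pc1) [203.0.113.5] P=esmtpa A=dovecot_login:alice@example.com S=900
2012-09-11 08:04:20 1TbDdd-0004Dd-Dd <= webuser@host.example.com U=webuser P=local S=7800
2012-09-11 08:04:25 1TbDdd-0004Dd-Dd == victim@example.org R=lookuphost T=remote_smtp defer (-53): retry time not reached
2012-09-11 08:05:00 1TbAaa-0001Aa-Aa Frozen (delivery error message)
"""

ARRIVAL = re.compile(r"^(\S+ \S+) (\S+) <= (\S+) ?(.*)$")   # "<=" marks a message arriving at exim
FROZEN = re.compile(r"^\S+ \S+ (\S+) Frozen\b")             # exim stopped retrying this message


def parse_arrival(line):
    """Pull the fields the thread asks about out of one '<=' line, or return None."""
    m = ARRIVAL.match(line)
    if not m:
        return None
    _ts, msgid, sender, rest = m.groups()

    def field(key):  # key=value tokens such as H=, U=, P=, A=
        f = re.search(r"(?:^| )%s=(\S+)" % key, rest)
        return f.group(1) if f else None

    ip = re.search(r"\[([0-9a-fA-F.:]+)\]", rest)            # sending host's address after H=
    return {"id": msgid, "sender": sender, "host": field("H"),
            "ip": ip.group(1) if ip else None, "user": field("U"),
            "proto": field("P"), "auth": field("A")}


def classify(rec):
    """Where did the message come from? This is the question the replies above keep asking."""
    if rec["sender"] == "<>":
        return "bounce"                 # empty envelope sender: a delivery report, not someone's spam run
    if rec["auth"]:
        return "authenticated"          # A= names the SMTP AUTH login; a stolen password looks like this
    if rec["proto"] == "local":
        return "local-process"          # U= is the Unix account whose script or cron job injected it
    return "remote-unauthenticated"     # ordinary inbound SMTP; the sender address here can be forged at will


def summarize(log_text):
    """Group arrivals by origin and flag the ones exim later froze (left in the queue, no more retries)."""
    lines = log_text.splitlines()
    frozen = {m.group(1) for m in map(FROZEN.match, lines) if m}
    summary = {}
    for rec in filter(None, map(parse_arrival, lines)):
        rec["frozen"] = rec["id"] in frozen
        summary.setdefault(classify(rec), []).append(rec)
    return summary
```

Run `summarize(open("/var/log/exim/mainlog").read())` on a real log and look first at the "authenticated" and "local-process" groups: those are the only two that mean the server itself handed out the mail, which is what the bounce screenshots in this thread cannot tell you by themselves.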
If I hire someone to fix this problem, can it be an hour's task?


Thanks.
Ronny
 
Some members of these forums can offer you a commercial service to investigate and solve the issue as a one-time job on an hourly payment basis. I am available for this kind of job as well. Please send a PM or email to whichever of us you want to hire.
 
It could also be a malicious script the user is using, maybe something on the domain of the non-existent email account.
If you have changed exim.conf a bit, there is a good chance you can see which script is causing this.

However, if you are going to hire somebody to have a look at it, I'm sure he will find out where it's coming from.
 
Thank you guys for your reply and help.

Alex, I have PMed you, please check.

Ronny.
 