How Do I Track Down Spam Coming FROM My Server
May 29, 2007
Logwatch says I send out about 3k emails each day and that is a ridiculous amount. I use postfix and do not run any sort of relay, even for myself. I have IPB 2.2.2, Wordpress 2.0.4, and Gallery 2.x.
How can I track down where these messages are originating from? Or perhaps I am reading my LogWatch file incorrectly?
Quote:
--------------------- postfix Begin ------------------------
17999281 bytes transferred
2460 messages sent
26 messages expired and returned to sender
145 messages removed from queue
Top ten senders:
24 messages sent by:
apache (uid=48):
2 messages sent by:
root (uid=0):
View 4 Replies
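Added example (not from the original post). Logwatch's "Top ten senders" is built from postfix/pickup lines, which record only local submissions through sendmail(1); that is how PHP's mail() hands mail to Postfix, hence the 24 messages from apache (uid=48). The "messages sent" figure counts status=sent delivery lines, one per recipient, so one pickup with nrcpt=25 is one "sender" entry but 25 deliveries, and mail injected over SMTP to 127.0.0.1 appears under postfix/smtpd with client=localhost rather than under any uid at all. The script below joins the three log lines Postfix writes per queue ID and totals recipients by injection path; the log lines are constructed samples in standard Postfix syslog format, not taken from the poster's server.

```python
import re
from collections import defaultdict

# Constructed sample of a Postfix maillog (not taken from the post).  Each
# message leaves a pickup (local submission) or smtpd (network submission) line
# and a qmgr line carrying the envelope sender and the recipient count.
SAMPLE_LOG = """\
May 29 10:12:01 web postfix/pickup[1234]: 3A4B5C6D7E: uid=48 from=<apache>
May 29 10:12:01 web postfix/qmgr[1236]: 3A4B5C6D7E: from=<apache@web.example>, size=1534, nrcpt=25 (queue active)
May 29 10:12:02 web postfix/smtp[1240]: 3A4B5C6D7E: to=<a@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1.2, dsn=2.0.0, status=sent (250 OK)
May 29 10:13:00 web postfix/smtpd[1300]: 4B5C6D7E8F: client=localhost[127.0.0.1]
May 29 10:13:00 web postfix/qmgr[1236]: 4B5C6D7E8F: from=<sales@web.example>, size=2048, nrcpt=40 (queue active)
May 29 10:14:00 web postfix/pickup[1234]: 5C6D7E8F90: uid=0 from=<root>
May 29 10:14:00 web postfix/qmgr[1236]: 5C6D7E8F90: from=<root@web.example>, size=300, nrcpt=1 (queue active)
"""

QID = r'(?P<qid>[0-9A-Za-z]{6,})'
RE_PICKUP = re.compile(r'postfix/pickup\[\d+\]: ' + QID + r': uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>')
RE_SMTPD = re.compile(r'postfix/smtpd\[\d+\]: ' + QID + r': client=(?P<client>\S+)')
RE_QMGR = re.compile(r'postfix/qmgr\[\d+\]: ' + QID + r': from=<(?P<sender>[^>]*)>, size=(?P<size>\d+), nrcpt=(?P<nrcpt>\d+)')


def parse_maillog(text):
    """Join the per-queue-ID lines into one record per message."""
    msgs = defaultdict(dict)
    for line in text.splitlines():
        m = RE_PICKUP.search(line)
        if m:
            msgs[m['qid']]['source'] = 'local uid=%s' % m['uid']
            continue
        m = RE_SMTPD.search(line)
        if m:
            msgs[m['qid']]['source'] = 'smtpd client=%s' % m['client']
            continue
        m = RE_QMGR.search(line)
        if m:
            msgs[m['qid']].update(sender=m['sender'], size=int(m['size']), nrcpt=int(m['nrcpt']))
    return dict(msgs)


def recipients_by_source(msgs):
    """Recipients per injection path; this, not the pickup count, is what 'messages sent' tracks."""
    totals = defaultdict(int)
    for info in msgs.values():
        totals[info.get('source', 'unknown')] += info.get('nrcpt', 0)
    return dict(totals)


def fan_out(msgs, min_rcpt=10):
    """Queue IDs where one submission addressed many recipients, the usual shape of a spam run."""
    return sorted(q for q, info in msgs.items() if info.get('nrcpt', 0) >= min_rcpt)


if __name__ == '__main__':
    records = parse_maillog(SAMPLE_LOG)
    for src, n in sorted(recipients_by_source(records).items(), key=lambda kv: -kv[1]):
        print('%6d recipients via %s' % (n, src))
    for qid in fan_out(records):
        print('fan-out:', qid, records[qid])
```

Run it against /var/log/maillog and the uid=48 entries with large nrcpt values are the PHP submissions worth chasing. To learn which PHP file made the call, PHP 5.3 and later can be told to stamp every mail() call: set `mail.add_x_header = On` (adds an X-PHP-Originating-Script header carrying the uid and script name) and `mail.log = /var/log/php-mail.log` in php.ini; for the 2007-era stack in the post, the equivalent is to point `sendmail_path` at a wrapper script that logs `$PWD` and its arguments before exec'ing the real sendmail.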
Oct 29, 2006
I have:
WHM 10.8.0 cPanel 10.9.0-R44
CentOS 3.8 i686 - WHM X v3.1.0
I've gotten several complaints through spamcop in the last several weeks. The headers show the spam mails coming from nobody@ my server and they show the originating IP as my server. The datacenter is threatening to shut me down.
I've looked in the mail queue and haven't found any of the sent spam mails in there (or bounces from them). I am getting bounces into horde that were apparently sent from me.
How do I find which client is sending them? Or maybe the server has been hacked and spam software uploaded somewhere?
View 14 Replies
Mar 26, 2007
I just got a bounce back from an email address. However I didn't send the original email.
Here is the header of the email which was sent to the other party:
Quote:
Subject: This blend will help you get thinner
From: "sales" <myaddress>
Date: Mon, 26 Mar 2007 19:19:17 -0000
To: <corprestruct@lists.law.duke.edu>
Received: from 85.139.98.84.in-addr.arpa (unknown [85.139.98.84]) by lawweb.law.duke.edu (Postfix) with ESMTP id 63EA0292603 for <corprestruct@lists.law.duke.edu>; Mon, 26 Mar 2007 14:19:18 -0400 (EDT)
Received: from [69.6.190.249] (HELO VORQPXFNM) by 85.139.98.84 (CommuniGate Pro SMTP 5.0.11) with SMTP id 39495966 for corprestruct@lists.law.duke.edu; Mon, 26 Mar 2007 19:19:17 -0000
Message-ID: <02ec01c76fd3$44a009b0$54628b55@85.139.98.84.inaddr.arpa>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_02E9_01C76FDB.A62015B0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
Is there any way of telling what is sending the spam?
View 3 Replies
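Added example (not from the original post). Received: headers are read bottom-up: the lowest one is written by the first MTA that accepted the message, each one above it by the next relay. In the quoted headers the message entered at 85.139.98.84 (a CommuniGate Pro server) from the client 69.6.190.249, which announced itself with the random-looking HELO VORQPXFNM, and was then handed to lawweb.law.duke.edu. Nothing in that chain is the poster's server; only the forgeable From: line names it, which is the signature of a "joe job" rather than a compromise. The code below parses the chain with the standard library, using the headers quoted above as its input; the hostname passed to passed_through() is a placeholder for the poster's own server.

```python
import re
from email import message_from_string

# Headers of the bounced message as quoted in the post above, refolded onto one
# line each; everything else in this block is added example code.
HEADERS = """\
From: "sales" <myaddress>
To: <corprestruct@lists.law.duke.edu>
Received: from 85.139.98.84.in-addr.arpa (unknown [85.139.98.84]) by lawweb.law.duke.edu (Postfix) with ESMTP id 63EA0292603 for <corprestruct@lists.law.duke.edu>; Mon, 26 Mar 2007 14:19:18 -0400 (EDT)
Received: from [69.6.190.249] (HELO VORQPXFNM) by 85.139.98.84 (CommuniGate Pro SMTP 5.0.11) with SMTP id 39495966 for corprestruct@lists.law.duke.edu; Mon, 26 Mar 2007 19:19:17 -0000
Message-ID: <02ec01c76fd3$44a009b0$54628b55@85.139.98.84.inaddr.arpa>
X-Mailer: Microsoft Outlook Express 6.00.2900.2869

"""

RE_HOP = re.compile(r'^from\s+(?P<src>\S+)(?:\s+\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)', re.I)
RE_IP4 = re.compile(r'\b(\d{1,3}(?:\.\d{1,3}){3})\b')


def received_hops(raw_headers):
    """Return the Received: chain top-down: hops[0] is the final receiver, hops[-1] the first MTA that saw the message."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all('Received', []):
        value = ' '.join(value.split())          # unfold continuation lines
        m = RE_HOP.match(value)
        if not m:
            continue                              # unparseable hop: left out rather than guessed
        paren = m['paren'] or ''
        ips = RE_IP4.findall(m['src'] + ' ' + paren)
        helo = re.search(r'\bHELO\s+(\S+)', paren, re.I)
        hops.append({'src': m['src'].strip('[]'), 'ip': ips[0] if ips else None,
                     'helo': helo.group(1) if helo else None, 'by': m['by']})
    return hops


def origin(hops):
    """The bottom-most hop is where the message entered the mail system; everything above it is a receiver."""
    return hops[-1] if hops else None


def passed_through(hops, my_hosts):
    """True if any hop was received by, or came from, one of my hostnames or IPs."""
    mine = {h.lower() for h in my_hosts}
    return any(h['by'].lower() in mine or h['src'].lower() in mine or (h['ip'] or '') in mine
               for h in hops)


if __name__ == '__main__':
    chain = received_hops(HEADERS)
    for hop in chain:
        print(hop)
    print('entered at', origin(chain)['ip'], 'HELO', origin(chain)['helo'])
    print('touched my server:', passed_through(chain, ['mail.mydomain.example']))
```

Only the Received: line added by a server you trust (your own, or the final recipient's) is reliable; a spammer can prepend fake Received: lines below the genuine ones, so read the chain from the top down until the first hop you cannot vouch for, and treat that hop's "from" as the injection point.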
Aug 9, 2007
I'm wondering if there's anything I can install on the server that will either filter or track outgoing spam. I don't want to limit the number of emails sent per hour or anything, I just want to be able to maybe search through some flagged emails or something. Or if they send the exact same email more than x times it can disable their account... I'm not sure
View 1 Replies
Jan 31, 2007
Recently, just out of interest I set the 'Mail to nonexistent user' to forward to my email address.
Within an hour I have about 60 emails saying:
Delivery Status Notification (Failure)
This is an automatically generated Delivery Status Notification.
Delivery to the following recipients failed.
and then some email address.
I check out the contents of the message that had been sent and it is some rubbish like:
Up to 500% more volume
- Cover her in it if you want
Which, although amusing, I look at the email address that sent the failed email and it is some random email address @ my domain.com which isn't so amusing.
Now I know that someone is just pretending to be from my domain and sending out these emails (unless someone in my office (of 4 people) is secretly a spammer) but yeah I don't particularly want to have my domain name known as being a source of spam and being blacklisted etc etc...
Are negative effects of this a possibility and is there anything I can do about it?
View 7 Replies
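Added example (not from the original post). What the poster describes is backscatter from a forged envelope sender: a spammer puts random addresses at the domain in MAIL FROM, and every bounce for an undeliverable recipient comes back to the domain, where the new catch-all forwards it on. The countermeasure on the sending side is to publish an SPF record listing the hosts allowed to send for the domain and ending in -all, so receivers that check SPF reject the forged envelope during the SMTP session instead of accepting it and bouncing later; a DMARC record extends that to the visible From: header. The evaluator below shows how a receiving MTA applies the ip4/ip6/all mechanisms of such a record to a connecting IP. The records and addresses are placeholders written for this example (documentation ranges, not real infrastructure).

```python
import ipaddress

# Placeholder records for the poster's domain (documentation address ranges
# chosen for this example, not real infrastructure).
SPF_RECORD = 'v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/24 -all'
DMARC_RECORD = 'v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@mydomain.example'

RESULTS = {'+': 'pass', '-': 'fail', '~': 'softfail', '?': 'neutral'}


def check_spf(record, client_ip):
    """Evaluate the ip4/ip6/all mechanisms of an SPF record against the connecting IP.

    Mechanisms that need DNS (a, mx, include, exists, ptr) and redirect= are not
    resolved here; hitting one returns 'unsupported' rather than a guessed verdict.
    """
    terms = record.split()
    if not terms or terms[0].lower() != 'v=spf1':
        return 'none'                       # no usable policy published
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = '+'
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        if term.lower().startswith('redirect='):
            return 'unsupported'
        if '=' in term:
            continue                        # exp= and unknown modifiers do not affect the verdict
        name, _, arg = term.partition(':')
        name = name.lower()
        if name == 'all':
            return RESULTS[qualifier]
        if name in ('ip4', 'ip6'):
            net = ipaddress.ip_network(arg, strict=False)
            if net.version == ip.version and ip in net:
                return RESULTS[qualifier]
            continue
        return 'unsupported'                # a, mx, include, exists, ptr need DNS lookups
    return 'neutral'                        # nothing matched and no 'all' term: treated like no policy


if __name__ == '__main__':
    for ip in ('203.0.113.10', '198.51.100.77', '192.0.2.5'):
        print(ip, '->', check_spf(SPF_RECORD, ip))
```

Two caveats a practitioner will want: SPF only protects the envelope sender, so the bounces already in flight keep arriving until the run ends, and legitimate forwarding breaks SPF, which is why many sites deploy ~all first and move to -all once the reports look clean. Independently of SPF, the catch-all that forwards "mail to nonexistent user" should reject unknown recipients at SMTP time rather than forward them, because forwarding is what turns other people's bounces into mail in your inbox.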
Aug 29, 2007
Is there a way I can track the HTTP traffic to see which domain is running with high traffic? Due to traffic load I/O wait is increasing. I want to suspend the domain that has the large traffic to avoid down time.
View 4 Replies
Sep 6, 2013
I know it's not specifically a plesk issue, but as I use plesk to resell webs and many users install (manually) wordpress, I thought I'd ask around. I would like to know if this can be done with a single sql select or if I would have to use a script to do this:
- track all mysql databases on my server
- find the proper table in each database (as the prefix can be customized, the start of the table name will probably never be the same in two WP installations)
- find the proper field in that table and check the WP version and administrator email
and then what I will do is send an email to those addresses advising them to update WP
View 4 Replies
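Added example (not from the original post). A single SELECT cannot do it, because the table name differs per installation and MySQL will not iterate over tables inside one statement; a short script can, by asking information_schema for every table ending in _options and then reading siteurl, admin_email and db_version from each. Two points matter for a shared host: table names returned by information_schema are customer-controlled, so they must be quoted as identifiers before being interpolated into the second query, and a table merely called something_options is not proof of WordPress, so the script requires WP's own option keys. The script takes any DB-API connection (for example pymysql.connect(...) with a read-only account); the driver and the credentials are assumptions and are not part of Plesk.

```python
# Finds every WordPress options table on a MySQL server and reads the values a
# hosting provider needs to contact and triage customers.  Pass any DB-API
# connection (e.g. pymysql.connect(...) with a read-only account); the driver is
# an assumption, nothing here depends on Plesk.

FIND_OPTIONS_TABLES = r"""
SELECT table_schema, table_name
FROM information_schema.tables
WHERE table_name LIKE '%\_options'
  AND table_schema NOT IN ('mysql', 'information_schema', 'performance_schema', 'sys')
"""


def quote_ident(name):
    """Backtick-quote an identifier read from information_schema; a customer can name a table anything."""
    return '`' + name.replace('`', '``') + '`'


def options_query(schema, table):
    return ("SELECT option_name, option_value FROM %s.%s "
            "WHERE option_name IN ('siteurl', 'admin_email', 'db_version')"
            % (quote_ident(schema), quote_ident(table)))


def is_wordpress_options(rows):
    """Only treat the table as WordPress if it carries WP's own keys; the '%_options' name alone is not proof."""
    names = {name for name, _ in rows}
    return {'siteurl', 'db_version'} <= names


def summarize(schema, table, opts, current_db_version):
    """db_version only moves on releases that touch the schema, so 'outdated' is a lower bound;
    the exact release is $wp_version in wp-includes/version.php on disk."""
    return {'schema': schema, 'table': table,
            'siteurl': opts.get('siteurl'), 'admin_email': opts.get('admin_email'),
            'db_version': opts.get('db_version'),
            'outdated': int(opts.get('db_version') or 0) < current_db_version}


def audit(conn, current_db_version):
    """One row per WordPress install found on the server."""
    findings = []
    cur = conn.cursor()
    cur.execute(FIND_OPTIONS_TABLES)
    for schema, table in cur.fetchall():
        cur.execute(options_query(schema, table))
        rows = cur.fetchall()
        if is_wordpress_options(rows):
            findings.append(summarize(schema, table, dict(rows), current_db_version))
    return findings
```

Because a security release does not always bump db_version, the "outdated" flag finds the clearly old installs; for the rest, grep the document roots for `$wp_version` in wp-includes/version.php and compare against the current release.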
Feb 29, 2008
In January I ordered a server with them, knowing that their support isn't the "best".
The server info ended in spam folder, but that isn't their fault I guess. They advertise that every server comes with 2 IPs, however you only get 1. Until you request that 2nd IP. However, when you call them out of working hours, they tell you that you have to pay 135 euro (about 200 USD), great I will wait for tomorrow then. So the day after I called them again. The person I talked with, was very friendly and started to work on it. About 5 hours later I received an email with the second IP information. I added it, but it didn't get assigned. I rebooted the server etc. Still no 2nd IP. It was already 'after working hours' so I had to wait again, because I wasn't going to pay 200$ for an IP. The day after the guy on the phone tells me they assigned me an IP that was already assigned to another customer (lol)..... Ok, so I asked him if I could get a different IP than I was supposed to get. (Now I had to fix my DNS settings also, but oh well....). The new IP info arrived in my inbox about 80 minutes after the call this time. After rebooting the server everything ran flawlessly. I manage my own servers, so I didn't contact their support again.
On the 21st of february, I called their administration about cancelling the server (they had a new offer, which suited me better & because I only wanted a fast network for this server, I didn't care about their support), I was told that if I submitted their cancellation form the same day or the day after, It would be taken care of before the end of the month. So I filled it in and sent it to them on the day after (22 february).
Today I called their administration to check if everything went ok (I didn't want to order the new server & pay the old one at the same time). I was told: No, it isn't cancelled. She checked that my email was there & indeed it was sent to them. She then asked me if I could wait a minute, so she could ask someone else what to do. She told me that she would assign me to a sales guy, who would be able to tell me more about it. He told me that the cancellation has to be done X days in advance. Which I did, then he said: It has to be done a month up front. I asked him why I was told that it would be cancelled on the 22 of february, but now I had to cancel it the 1st of february. He said it was a mistake. There was "nothing" he could do (or wanted to do). I don't have the time do anything about it, so I'll let it be and just pay for another crappy month.
Great, now I'm fed up another month with their server. What if I didn't call them today? I would have had 2 servers with them & they would have, the only thing they want: Money.
View 14 Replies
Sep 25, 2007
My friend has been building a myspace page for herself using our old computer and all of a sudden I've found multiple trojans, 1 of which was very tough to get rid of.
Could these trojans be coming from the little dealiemajigs (sp?) she's using to decorate her page?
View 2 Replies
Apr 10, 2009
I'm running CentOS 5 64 bit, cPanel
AMD Phenom 9600
the load is showing as :
* Load Averages: 1.13 1.09 1.02
I don't know where the load is coming from. Normally I'm getting 0.00 or below .5
I clicked on that link show cpu processes but they are showing 0
I checked apache connections and no load too
How do I identify where the load reported in WHM is coming from?
View 4 Replies
Apr 7, 2007
My server currently has some problems with DNS/mail, which I can't seem to fix myself. My colocation host offered to help me by giving him root access, but I don't know him very well yet. Is there some kind of script/logtool so I can track everything he did on the server? I don't want him snooping around through my webfiles and databases...
View 13 Replies
Oct 28, 2009
I was doing a search on google and retrieved some files on it with some sites that should not be available to the public. I investigated the site a little bit and it looked like they are running ASP. I know with Linux servers you can place a .htaccess file which can restrict bots from accessing certain directories, but how can you do it with a windows server running IIS? I would like to get in contact with these companies and let them know about the issues I ran into with their site.
View 4 Replies
Sep 24, 2007
I write this as my site has been down for some 11 hours now and need a way to calm down while I wait for my new host to get my account "up".
I've used shared hosting since 1995 up until just a month ago. I was always happy with shared hosting. Who can beat $5 a month to have your site up and running? I had all the subdomains I needed and I even had cPanel. Tech support was fantastic. My accounts were ALWAYS set up within 2 hours tops. Life is good.
Then a recent .com I built got too popular too fast and one day I found (even though I was at 75% of my allotted bandwidth for the month) the plug pulled on my site because (even though it was a static site - html and images only) I was taking up too many "cycles". Too bad cycles aren't something advertised when selling a site to a customer. They made the big mistake of not offering me a VPS solution from my pitiful little shared hosting account, or any other alternative. So I left them, I had no choice as I couldn't trust them any more.
I got a VPS account, which I must say is not an easy thing to shop for because how do you know who is good? Forums are not a 100% indicator and I don't know any better so it's a crap shoot really. So I looked for the most important qualities: it had to be a managed account because I don't know my butt from a hole in the ground when it comes to running a server (I'm the kind of customer who will tell you "you handle the server voodoo, and let me worry about the content on it ok?"), and I needed a quick setup because my site was already dead in the water.
I picked my first VPS host and all seemed good. My server was fully running in about 2 hours. Once I got through the growing pains of getting various things configured (which I didn't do, I asked for this to be done via trouble tickets) everything was set. The only issue that cropped up here and there was downtime. So now I'm shopping for my second VPS host. I just spent even more money than at my last host and what has my experience been thus far?
I will admit I signed up around 2.am. because my site went down at 11p.m. at my previous host so I was in full panic mode. I plunked down the cash and got an automated email saying how my account must be "verified" over the phone. Fine I wait up an hour or so and finally fall asleep when no call is received. I wake up around 10a.m. and have another email from the new host saying how they couldn't get in touch with me on my phone to "verify" me. I check my phone. Nope, no missed calls, no messages. WTF? So I call them. They have my correct number. Could their call have just never registered on my phone? Is there a black hole for phone calls?
They "verify" me by making me repeat info already provided when I signed up. I've never had a host do this to me, this is ridiculous and a waste of time on everyone's part. Stop. It's a waste of time. If I was going to steal someone's credit card I'd buy something a heck of a lot more exciting than a Unix web hosting account at 2a.m.
They tell me I'll get an email with my account info. Great. I wait and wait and nothing arrives. It's almost 10 hours now since my site has gone dark. I write the company to say where is that email so I can get going? I get a quick response that says new accounts take 8-24 hours to set up. Where the heck was this mentioned on the site when I signed up? Why is this important fact hidden? I'm spending $90 a month, I guess my business isn't important enough to rate better service. Unless a whole bunch of people just signed up for more expensive plans than me at the same time, why can I not get "set up" faster?
So now I wait. I'm crossing my fingers this host will be great. Felt good to rant, I'm more relaxed.
View 8 Replies
May 25, 2009
Can anyone please tell me how dangerous Apache's TRACE and TRACK functions in fact are?
I have read common explanation but would disabling TRACK and TRACE improve my server's ability to fight cross site scripting and similar attacks and make it more secure?
View 1 Replies
Mar 23, 2009
I'm a small hosting provider. On one dedicated server I have around 100 cPanel accounts.
That server is under constant, although not powerful DoS attack.
Since my company domain is not targeted on another server I believe that it is not me but one of my customers that the attack is against.
Is there a way, tool, service provider than can help me pin down which account is being hit?
All accounts are on server main shared IP.
Would spreading them on another IPs help? Or would I still see attacks only on main shared IP?
View 7 Replies
Jun 27, 2009
I'd like to know, is there any way to find out the hosting provider if we have only the IP address of the server? i.e.
66.63.181.74 - this is the IP address of my website server, how can I trace the service provider who is giving this hosting service?
View 6 Replies
Oct 29, 2009
I have a few shared hosting servers I run. One of them keeps getting listed on CBL. It is very frustrating. Does anyone have any tools, tips, or tricks on finding the compromised account?
So far I have confirmed that a script is using PHP to send mail out bypassing the MTA. It is faking the HELO and impersonating a well known ISP.
I used a combination of tshark and netstat. tshark can show me the HELO and EHLO. When I see the wrong entry I cross check that with netstat to see what it is. But netstat only shows that it was PHP, not the script path.
Here are the commands I'm running:
Code:
nohup netstat -c -p -n -e | grep -i ":25" > /var/log/monitor/netstat-smtp.log &
nohup tshark -f "port 25 and src host XX.XX.XX.XX" > /var/log/monitor/tshark-smtp.log &
Then I grep for what I'm looking for:
grep -i "HELO" /var/log/monitor/tshark-smtp.log
Is there a way to get netstat to show the script path or complete command that is establishing the connection? Currently these scripts are eating up memory to a point that other processes are getting killed off.
I also tried to force all mail through the MTA, but when I enable SMTP_BLOCK in my firewall config I get an error:
*WARNING* Cannot use SMTP_BLOCK on this VPS as the Monolithic kernel does not support the iptables module ipt_owner - SMTP_BLOCK disabled.
If there is a better way I'm game. Maybe some IDS that can tell me more of what is going on with the server?
View 14 Replies
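Added example (not from the original post). netstat -p can only ever show the PID and program name, and a PHP process is just "php-cgi" or "httpd" whichever script it is running; the script path has to be read from the process itself. The join that is missing from the two captures in the post is the client port: tshark reports the source port of the connection that sent the forged HELO, netstat -tnp reports the PID that owns that local port, and /proc/<pid>/cwd, cmdline and environ then name the script (for php-cgi and FastCGI workers, SCRIPT_FILENAME and DOCUMENT_ROOT in environ; for mod_php, PHP usually changes the httpd child's working directory to the script's directory while it runs). The samples below are constructed, in the column layout produced by `tshark -T fields` with the listed `-e` fields and by Linux `netstat -tnp`; tshark's `-Y` display filter is assumed (older releases spell it `-R`).

```python
import os
import re

# Constructed samples (not from the post).  The tshark columns correspond to
#   tshark -l -n -f 'tcp port 25' -Y smtp.req.command -T fields \
#          -e frame.time_epoch -e ip.src -e tcp.srcport -e ip.dst -e smtp.req.command -e smtp.req.parameter
# and the netstat lines to 'netstat -tnp' on Linux, run as root so other users' PIDs are shown.
TSHARK_SAMPLE = (
    "1254300000.100\t10.0.0.5\t43120\t203.0.113.10\tHELO\tmail.big-isp.example\n"
    "1254300000.900\t10.0.0.5\t43121\t198.51.100.20\tEHLO\tweb.myhost.example\n"
)
NETSTAT_SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.5:43120          203.0.113.10:25         ESTABLISHED 4711/php-cgi
tcp        0      0 10.0.0.5:43121          198.51.100.20:25        ESTABLISHED 2222/exim
"""
LEGIT_HELO = {'web.myhost.example'}   # what the MTA itself announces; anything else on port 25 is a bypass

RE_NETSTAT = re.compile(
    r'^tcp6?\s+\d+\s+\d+\s+(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<raddr>\S+):(?P<rport>\d+)'
    r'\s+(?P<state>\S+)\s+(?P<pid>\d+)/(?P<prog>\S+)')


def parse_tshark(text):
    """One record per HELO/EHLO seen on the wire, keyed later by its client port."""
    hellos = []
    for line in text.splitlines():
        parts = line.split('\t')
        if len(parts) < 6:
            continue
        ts, src, sport, dst, cmd, param = parts[:6]
        if cmd.upper() in ('HELO', 'EHLO'):
            hellos.append({'time': float(ts), 'src': src, 'sport': int(sport), 'dst': dst, 'helo': param.strip()})
    return hellos


def parse_netstat(text):
    """Map local source port -> (pid, program) for outbound connections."""
    by_port = {}
    for line in text.splitlines():
        m = RE_NETSTAT.match(line)
        if m:
            by_port[int(m['lport'])] = (int(m['pid']), m['prog'])
    return by_port


def forged_helo_pids(tshark_text, netstat_text, legit):
    """Join the two captures on the client port: each forged HELO gets the PID that owned that socket."""
    by_port = parse_netstat(netstat_text)
    hits = []
    for h in parse_tshark(tshark_text):
        if h['helo'].lower() in legit:
            continue
        pid, prog = by_port.get(h['sport'], (None, None))
        hits.append(dict(h, pid=pid, prog=prog))
    return hits


def parse_environ(raw):
    """Decode /proc/<pid>/environ; for php-cgi/FastCGI workers SCRIPT_FILENAME and DOCUMENT_ROOT name the script."""
    env = {}
    for item in raw.split(b'\0'):
        if b'=' in item:
            key, value = item.split(b'=', 1)
            env[key.decode(errors='replace')] = value.decode(errors='replace')
    return env


def process_origin(pid):
    """What netstat cannot show: the process's cwd, executable, argv and CGI environment (Linux /proc, root needed)."""
    base = '/proc/%d' % pid
    info = {'cwd': os.readlink(base + '/cwd'), 'exe': os.readlink(base + '/exe')}
    with open(base + '/cmdline', 'rb') as f:
        info['argv'] = [a.decode(errors='replace') for a in f.read().split(b'\0') if a]
    with open(base + '/environ', 'rb') as f:
        env = parse_environ(f.read())
    info['script'] = env.get('SCRIPT_FILENAME') or env.get('PWD')
    return info
```

Because the connection is short-lived, the netstat snapshot has to be taken while the HELO is on the wire; running `netstat -tnpc` continuously, as the post already does, and joining afterwards on the port works, or `ss -tnp` can replace it. On the SMTP_BLOCK error: CSF implements that option with iptables' owner match, which the OpenVZ-style kernel in the post lacks, so the only equivalents there are PHP-side (`mail.add_x_header` and `mail.log` in php.ini catch mail() but not raw sockets) or a block on outbound port 25 applied by the hosting provider at the node level.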
Oct 2, 2008
I am currently developing a web application on a WAMP server. Once complete my client will have some in-house "programmers" make changes to the code as they are needed.
My client wants to track all changes made to the source files (ie- who made the change, when it was made, what files were modified, and what specific lines were added/removed/modified). Also, the program must run on the server and not the programmers computers.
I've searched high and low and only found a couple programs that scratch the surface of what they want.
View 4 Replies
Aug 10, 2008
How exactly does email work? For example, I set my mx record to google apps in order to use google mail with my own domain. Thing is, I can send from google mail now with my domain email address but cannot receive. Furthermore, logging in to my website email via www.domain.com/webmail is possible but receiving is impossible and even sending email from that place will not work.
Thinking about it it seems that email is lost
google can send but not receive
from my domain webmail i cannot receive nor send.
View 9 Replies
Feb 8, 2007
I've done plenty of searching on DDoS attacks and from what I've found so far it seems that it's "very difficult" to track down the person(s) responsible for the attack.
My question is this - could someone actually do it if they were qualified enough? Would a hacker who is well versed in the techniques used be able to find the person(s)? Or is it just simply impossible sometimes?
View 3 Replies
Jun 16, 2013
I just installed Apache 2.4.4 and it seems to run fine overall. But in my error.log I get about 3 of these every hour or so:
[Sat Jun 15 20:57:44.095961 2013] [core:notice] [pid 31400:tid 16384] AH00052: child pid 1971 exit signal Segmentation fault (11)
How do I track down what causes this? What module? vhost? Otherwise the server seems to run fine. It's on Linux with PHP 5.3.26 and MySQL 5.1.
View 2 Replies
Jun 24, 2007
I want to block all http requests coming to my website via proxy. Is there any way/script to achieve this on the server?
View 5 Replies
Sep 28, 2006
I'm working on setting something up for monitoring my bandwidth/traffic on multiple interfaces. I have setup interface aliases so I have eth0, eth0:0, eth0:1 and the issue I'm running into is that it seems snmp cannot tell the diff between the aliased interfaces. I've found references in the cacti forums of using ipchains rules to track the bandwidth, but I've not found a good howto that explains what I need to get going on this.
Any clues/hints?
View 0 Replies
Oct 7, 2007
What script/application can I install on my linux box to track the bandwidth per each domain?
I currently have no CP, on lighttpd.
View 2 Replies
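Added example (not from any of the posts). Three questions on this page are the same task seen from different angles: which domain is generating the load that drives I/O wait, which of 100 accounts on a shared IP a DoS is aimed at, and how to measure bandwidth per domain without a control panel. All three are answered by aggregating the web server's access log per virtual host, provided the log records the vhost: in Apache that is the `%v` directive (the stock `vhost_combined` LogFormat, or `%O` for bytes actually sent), in lighttpd the `%v` directive in `accesslog.format`. The script below parses constructed sample lines in Apache's vhost_combined layout and ranks hosts by requests, bytes, top client and 5xx count; it is added code, not from the posts. Spreading accounts over more IPs only helps if the attackers target an IP rather than a hostname; per-vhost counting works either way.

```python
import re
from collections import Counter, defaultdict

# Constructed sample (not from the posts) in Apache's vhost_combined format:
#   LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
# A log whose first field is a bare hostname (no :port) parses with the same regex.
SAMPLE = """\
shop.example:80 203.0.113.5 - - [29/Aug/2007:10:00:00 +0000] "GET /big.zip HTTP/1.1" 200 5242880 "-" "Mozilla/5.0"
shop.example:80 203.0.113.5 - - [29/Aug/2007:10:00:01 +0000] "GET /big.zip HTTP/1.1" 200 5242880 "-" "Mozilla/5.0"
blog.example:80 198.51.100.9 - - [29/Aug/2007:10:00:02 +0000] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
forum.example:80 192.0.2.1 - - [29/Aug/2007:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 800 "-" "-"
forum.example:80 192.0.2.2 - - [29/Aug/2007:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 800 "-" "-"
forum.example:80 192.0.2.3 - - [29/Aug/2007:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 800 "-" "-"
forum.example:80 192.0.2.1 - - [29/Aug/2007:10:00:04 +0000] "GET /index.php HTTP/1.1" 503 0 "-" "-"
"""

RE_LINE = re.compile(
    r'^(?P<vhost>[^\s:]+)(?::\d+)?\s+(?P<ip>\S+)\s+\S+\s+\S+\s+\[(?P<time>[^\]]+)\]\s+'
    r'"(?P<request>[^"]*)"\s+(?P<status>\d{3})\s+(?P<bytes>\d+|-)')


def per_vhost(text):
    """Requests, bytes, client IPs and status codes per virtual host."""
    stats = defaultdict(lambda: {'requests': 0, 'bytes': 0, 'clients': Counter(), 'status': Counter()})
    for line in text.splitlines():
        m = RE_LINE.match(line)
        if not m:
            continue
        s = stats[m['vhost']]
        s['requests'] += 1
        s['bytes'] += 0 if m['bytes'] == '-' else int(m['bytes'])
        s['clients'][m['ip']] += 1
        s['status'][m['status']] += 1
    return dict(stats)


def top_by(stats, key, n=3):
    """Hosts ordered by 'requests' or 'bytes': bytes finds the I/O hog, requests finds the DoS target."""
    return sorted(stats, key=lambda v: stats[v][key], reverse=True)[:n]


def report(stats):
    for vhost in top_by(stats, 'requests', n=len(stats)):
        s = stats[vhost]
        ip, hits = s['clients'].most_common(1)[0]
        errors = sum(c for code, c in s['status'].items() if code.startswith('5'))
        print('%-20s %5d req %12d bytes  top client %s (%d)  5xx=%d' % (
            vhost, s['requests'], s['bytes'], ip, hits, errors))


if __name__ == '__main__':
    report(per_vhost(SAMPLE))
```

For the DoS case, pipe `tail -f` of the log into this in a loop and watch which host's request count and distinct-client count jump; `%v` is the ServerName of the matched vhost, so requests with a bogus Host: header land on the default vhost, which is itself a useful signal that the attack is by IP rather than by domain.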
May 19, 2008
I have FreeBSD with cPanel. Someone is running an attacking perl script from my server. Below is information about that script, but it shows the / path in the command lsof -p 30251 | grep cwd.
PID USERNAME PRI NICE SIZE RES STATE TIME WCPU CPU COMMAND
29018 root 96 0 35968K 30528K select 0:03 2.71% 2.69% perl
newinst# lsof -p 30251 | grep cwd
lsof: WARNING: compiled for FreeBSD release 5.5-STABLE; this is 5.3-RELEASE.
perl 29018 root cwd VDIR 4,12 1024 2 /
newinst# ls -la / | more
total 22413
drwxr-xr-x 25 root wheel 1024 May 16 03:23 .
drwxr-xr-x 25 root wheel 1024 May 16 03:23 ..
-rw-r--r-- 1 root wheel 1 Feb 21 2007 .black
-rw-r--r-- 1 root wheel 1 Feb 21 2007 .black.bak
-rw-r--r-- 2 root wheel 801 Nov 5 2004 .cshrc
-rw-r--r-- 1 root wheel 355 Feb 21 2007 .new
-rw-r--r-- 2 root wheel 251 Nov 5 2004 .profile
-rw-r--r-- 1 root wheel 1 Feb 21 2007 .rbl.db
-rw-r--r-- 1 root wheel 1 Feb 21 2007 .rbl.db.bak
drwxrwxr-x 2 root operator 512 Jul 19 2005 .snap
-rw-r--r-- 1 root wheel 1 Feb 21 2007 .uribl.db
-rw-r--r-- 1 root wheel 1 Feb 21 2007 .uribl.db.bak
-rw-r--r-- 1 root wheel 1 Feb 21 2007 .white
-rw-r--r-- 1 root wheel 1 Feb 21 2007 .white.bak
-r--r--r-- 1 root wheel 6184 Nov 5 2004 COPYRIGHT
drwx--x--x 3 root wheel 512 Aug 20 2005 backup
drwxr-xr-x 2 root wheel 1024 Dec 28 2006 bin
drwxr-xr-x 5 root wheel 512 Jul 19 2005 boot
drwxr-xr-x 2 root wheel 512 Jul 19 2005 cdrom
lrwxr-xr-x 1 root wheel 10 Jul 19 2005 compat -> usr/compat
-rw-r--r-- 1 root wheel 177 Dec 5 12:15 cpgd.c
dr-xr-xr-x 4 root wheel 512 May 16 16:23 dev
drwxr-xr-x 2 root wheel 512 Jul 19 2005 dist
-rw------- 1 root wheel 4096 May 13 15:58 entropy
drwxr-xr-x 28 root wheel 4608 May 19 11:57 etc
drwx--x--x 501 root wheel 9216 May 19 01:33 home
drwxr-xr-x 3 root wheel 1024 Jul 19 2005 lib
drwxr-xr-x 2 root wheel 512 Jul 19 2005 libexec
drwxr-xr-x 2 root wheel 512 Nov 5 2004 mnt
drwxr-xr-x 3 root wheel 512 Jul 21 2005 nonexistent
drwxr-xr-x 8 root wheel 512 Oct 30 2007 opt
-rw------- 1 root wheel 22786048 May 16 04:51 perl.core
dr-xr-xr-x 1 root wheel 0 May 19 11:57 proc
drwxr-xr-x 2 root wheel 2560 Jul 19 2005 rescue
drwxr-xr-x 13 root wheel 1024 May 19 01:33 root
drwxr-xr-x 2 root wheel 2560 Jul 19 2005 sbin
drwxr-xr-x 5 root wheel 13824 May 19 01:22 scripts
drwxr-xr-x 4 root wheel 1024 Jul 19 2005 stand
lrwxrwxrwx 1 root wheel 11 Jul 19 2005 sys -> usr/src/sys
drwxrwxrwt 9 root wheel 31744 May 19 11:57 tmp
drwxr-xr-x 21 root wheel 512 Dec 5 12:12 usr
drwxrwxrwx 24 root wheel 512 May 16 16:24 var
Where is it located, and at what path?
View 10 Replies
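Added example (not from the original post). A cwd of / is what a daemonised bot reports after it calls chdir("/"), so the working directory says nothing about where the script lives, and perl keeps running after the script file is deleted, so the file may not even exist any more. The evidence that survives is elsewhere: the full `lsof -p 29018` output (note the lsof command in the post queries PID 30251 while top shows the perl process as 29018) lists the open files and the sockets, `ps -ww -o pid,user,lstart,args -p 29018` shows the argv unless the script overwrote $0, `fstat -p 29018` is the base-system equivalent on FreeBSD, and the 22 MB perl.core in / is a core dump of a perl process that usually still contains the C2 address and the script path as plain strings; `cpgd.c` in / is also worth checking, since a C source file in the root directory of a cPanel box is not normal. The code below parses lsof output and extracts indicators from a core image the way strings(1) would. The lsof lines and core bytes are constructed samples laid out like the poster's data, not the poster's data.

```python
import re

# Constructed samples (not the poster's data).  LSOF_SAMPLE follows the column
# layout of the lsof line quoted above; CORE_SAMPLE stands in for a perl.core.
LSOF_SAMPLE = """\
COMMAND   PID USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
perl    29018 root  cwd   VDIR       4,12     1024    2 /
perl    29018 root  txt   VREG       4,14  1234567  456 /usr/local/bin/perl
perl    29018 root    3u  IPv4 0xc2a0b000      0t0  TCP 10.0.0.5:51234->192.0.2.66:6667 (ESTABLISHED)
perl    29018 root    4r  VREG       4,16     2048 9876 /home/cust/public_html/tmp/.x/bot.pl
"""
CORE_SAMPLE = (b'\x7fELF\x01\x01\x01\x00' + b'\x00' * 24
               + b'NICK [FreeBSD]abc\x00' + b'\xff\xfe' * 4
               + b'PRIVMSG #chan :udpflood 192.0.2.9 53 600\x00'
               + b'http://192.0.2.66/x/bot.txt\x00'
               + b'/home/cust/public_html/tmp/.x/bot.pl\x00')

LSOF_FIELDS = ('command', 'pid', 'user', 'fd', 'type', 'device', 'size', 'node', 'name')


def parse_lsof(text):
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 8)          # NAME may contain spaces, e.g. "(ESTABLISHED)"
        if len(parts) == 9 and parts[0] != 'COMMAND':
            rows.append(dict(zip(LSOF_FIELDS, parts)))
    return rows


def summarize_process(rows):
    """Separate what a daemonised bot hides (cwd='/') from what it cannot: its open files and sockets."""
    return {
        'cwd': [r['name'] for r in rows if r['fd'] == 'cwd'],
        'exe': [r['name'] for r in rows if r['fd'] == 'txt'],
        'files': [r['name'] for r in rows if r['type'] == 'VREG' and r['fd'] != 'txt'],
        'sockets': [r['name'] for r in rows if r['node'] in ('TCP', 'UDP')],
    }


def printable_strings(data, min_len=6):
    """What strings(1) prints: runs of printable ASCII of at least min_len bytes."""
    return [m.group().decode('ascii') for m in re.finditer(rb'[\x20-\x7e]{%d,}' % min_len, data)]


IOC_RE = re.compile(r'(https?://\S+|\b(?:NICK|JOIN|PRIVMSG)\b|\b\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?\b|/[\w./-]+\.pl\b)')


def indicators_from_core(data):
    """URLs, IRC commands, IPs and .pl paths found in a core dump; the C2 and the script path usually survive there."""
    found = set()
    for s in printable_strings(data):
        found.update(m.group() for m in IOC_RE.finditer(s))
    return sorted(found)


if __name__ == '__main__':
    print(summarize_process(parse_lsof(LSOF_SAMPLE)))
    print(indicators_from_core(CORE_SAMPLE))
```

Once the path is known, check its owner and the web server logs for the upload (a writable tmp directory under a customer's public_html is the usual drop point), and treat the box as root-compromised if the process really runs as root as the top output shows: a customer's script should not be running under uid 0, so either cPanel's suexec is not in effect for it or something escalated.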
May 18, 2007
I'd like to track the email user agents that our clients use. Basically, I'd like to have something that looks like that:
[url]
View 3 Replies
Sep 3, 2008
But with my current host, my incoming e-mails have stopped and have done quite a lot of times. If I send an e-mail to myself from another account, it gets bounced back.
When I'm searching for hosts, I can't see any info on mailbox allowance.
I'm using Outlook to download all my e-mails.
I don't know why they are stopping and I can't find out from the person who got the host from me, in the past he said something about me having to delete e-mails. But this would come back to mailbox space which no hosts seem to advertise, unless it goes under webs space.
If my mailbox is full or has run out of space, does anybody have any recommendations for a host that offers a good amount of mailbox space?
Another question, am I limited to the amount of e-mails I can send with some hosts? I'll be sending out Newsletters to 600+ people each month.
View 8 Replies