How To Find The Script Which Uses Exim And Apache To Send Spam

Mar 14, 2008

Not long ago somebody hacked our customer's account through a vulnerability in the phpBB Album module and uploaded some scripts. Then it started to send Nigerian spam using Exim and Apache. These scripts were found and deleted, and the Album module was fully deleted too. But when I look at the processes now I see that exim and httpd still start very often, so the system resources are probably being overused by them ......


Exim Send Errors

Feb 28, 2007

I'm getting these email errors (cPanel box)

Code:
2007-02-28 16:36:51 1HMXPn-0005P3-Ea == user@recipient.com (user@senderlocal.com) <user@senderlocal.com> R=lookuphost T=remote_smtp defer (-53): retry time not reached for any host
2007-02-28 16:41:25 1HMXTl-0005zF-C0 => user@recipient.com (user@senderlocal.com, user@senderlocal.com) <news@senderlocal.com> F=<dont@orfa.com> P=<dont@orfa.com> R=lookuphost T=remote_smtp S=11767 H=c.mx.mail.yahoo.com [xxx.142.237.182]:25 C="250 ok dirdel" QT=28s DT=1s
2007-02-28 16:41:27 1HMXPn-0005P3-Ea => user@recipient.com (user@senderlocal.com) <user@senderlocal.com> F=<bounce-flnl-35375142@mx01.castlemountains.com> P=<bounce-flnl-35375142@mx01.castlemountains.com> R=lookuphost T=remote_smtp S=5503 H=c.mx.mail.yahoo.com [xxx.142.237.182]:-1* C="250 ok dirdel" QT=4m36s DT=1s
2007-02-28 16:41:27 1HMXOJ-0005Dm-Fg == user@recipient.com (user@senderlocal.com, user@senderlocal.com) <freeclipart@senderlocal.com> R=lookuphost T=remote_smtp defer (-46): SMTP error from remote mail server after end of data: host c.mx.mail.yahoo.com [xxx.142.237.182]: 451 Message temporarily deferred - [170]

Just now I ran...

exim_tidydb -t 1m /var/spool/exim wait-remote_smtp
exim_tidydb -t 1m /var/spool/exim retry


Exim Can`t Send E-mails After Cpanel Upgrade

May 2, 2009

We have a FreeBSD/cPanel box, which seems to be a trouble-prone combination, especially for Exim.

After the cPanel upgrade, Exim simply stopped. Somehow I managed to get receiving working this way:

# /etc/init.d/exim start
/libexec/ld-elf.so.1: Shared object "libperl.so" not found, required by "sendmail"

I checked which perl version is running: perl -v
This is perl, v5.10.0 built for i386-freebsd-64int

then applied:

unix1# ln -s /usr/local/lib/perl5/5.10.*/mach/CORE/libperl.so /usr/local/lib
unix1# /etc/init.d/exim start
exim exim antirelaydunix1#
unix1#

But this solved only half of the problem: now we can receive e-mails but not send them, which is really frustrating.

Here is the error which cPanel sends every 5 minutes:

exim failed @ Fri May 1 16:06:15 2009. A restart was attempted automatically.
Service Check Method: [tcp connect]

Failure Reason: TCP Transaction Log:
<< 220-xxxxxxxxxx.xxxx ESMTP Exim 4.69 #3 Fri, 01 May 2009 16:06:41 +0200 << <<
>> EHLO localhost
<< 250-xxxx.xxxx.xxx Hello localhost [127.0.0.1] << << << << <<
>> AUTH PLAIN
>> AF9fY3BhbmVsX19zZXJ2aWNlX19hdXRoX19leGltX19Nd2NxU1pyUng1S3R5YTl2enZaV
>> zN4R3Q1MU5WdTh1MHBZcnI4NDhqaWVtWFhSY3VraERTSGZnZU1tQkpiVXNWAFRkbzNpY3
>> ZVTUg1N1Z0R0t5c2VLYW82T1U1UFlqRDEwVThpVXlGSUpFMkZDRWVFaWxzTTNZMHVaRGd
>> UWXM1WnU=
<<
exim: ** [ != 2]

and I have not been able to find a solution for this for almost two days (!), with no help from host support either. The closest thing I have found on the net is this topic:

[url]


How To Make Exim Send Out Only Emails From Localdomains

May 16, 2009

I've looked through my exim logs a number of times and I see emails being sent out with "from:" fields with email addresses of other domains. Usually they are spam related and fraudulent.

How can exim be setup to only send out emails that have localdomains in their from fields?

E.g. if I have the account bob.com on my server, then the owner of bob.com can only send out emails from "xxxx@bob.com"; no matter what else he tries to do, that's all Exim will send out.

How can you get Exim to do this? I have been using filtering to block commonly spammed domains like aol.com, hotmail.com etc.; any emails sent out with these in their from fields are filtered and blocked. But rather than building up a larger and larger filter of commonly abused domains, why not just block everything except domains on your server?


Exim: Unable To Send Mail W/ New Users

Mar 11, 2008

I installed Exim and have been able to successfully use it as an SMTP server. My test setup was as follows:

email client uses smtp.MYSERVER.com, my login, and password

The email is successfully forwarded to the appropriate recipient. However, when I create a new user and test its email capabilities, it does not work. I get a 535 error:

535 Incorrect authentication data

I have double checked the login and password, and I've tried this on multiple accounts. Is there an issue with how I'm creating the users? (useradd)


Find A Host. NO SPAM

Feb 1, 2009

I have a web blog that shows promise of growing pretty big soon! This is a vBulletin with chatbox and arcade games. The forum is for gamers and game modification talk. I want to keep my features such as the in-forum mp3 player for streaming music. I host no files; everything is linked from outside sources. Even photos are linked from photo hosts. I foresee about 20-30 members on at all times browsing and chatting in the chatbox, and playing in the online arcade!

I have no idea how much bandwidth all this will use up. I do know that 20-40 gig of space should be quite enough, but as always I want all I can get. As far as bandwidth goes, I have no idea what all those features will eat up.

I have looked at fatcow.com and talked to them; they said their unlimited is 300 gig space and 3000 gig bandwidth, and they do not keep up with msql databases. I looked on the BBB and they have an A+ record; compared to HostGator, who have an unsatisfactory one! The only problem is they are yearly contract only. I do not trust this! I also have to let them re-bill me at the end of the year, and this gives them access to my account. The payment options are check, PayPal, or credit.


How To Find Spam Script

Oct 31, 2009

I found a spam script running in the processes under Apache as ky.pl. But no matter how I search I can't seem to find this file; does anyone know what the procedure is?


Exim Mail Server Failing To Send Email

Jun 16, 2009

Just started to have problems sending emails out but no problem receiving.

Seems to be an Exim problem. I tried updating it but the problem still exists; every time I restart Exim it works for a few hours before the problem comes back.


Exim: Send Separate Message For Mailing Lists

Jul 9, 2009

I've just come across an issue with a mailing list on a Linux server. The problem is that when a message is broadcast from a mailing list with around 1500 subscribers, most of them having @yahoo.com and @hotmail.com addresses, the message to most of the recipients fails with the following error...

Code:
2009-07-09 12:26:25 1MOn2u-0001CB-QJ SMTP error from remote mail server after RCPT TO:<he***k@yahoo.com>: host c.mx.mail.yahoo.com [216.39.53.3]: 452 Too many recipients
It is because Exim tries to send a message to as many recipients as it can for users on the same domain.

On a Windows server, I was running Merak mail server and there was an option to send a separate message to all mailing list subscribers, but I don't know where it could be located in the Exim config, or even if it has one!


How To Find How And Who Uploaded Files- Spam - Action I Can Take

Mar 27, 2009

I have a dedicated server, the server itself is secure (as far as I know) and I run lots of my sites from it. I offered a friend hosting for his flash based chat application he built.

Today I was contacted by someone: "Are you the owner of xxxx.net?" So I informed them that yes, it was my server, and they then showed me an email they'd received from my server. I did a search and apparently someone uploaded mail.php and a couple of files it was using to send out spam based upon a variety of conditions that the other files met. The files contained forenames and surnames; it'd use a forename and a surname, then send it to popular free mail services. The email contained ramblings about new world order and promoted a website.

How can I find out how they got the files uploaded to the account, and what action can I take? I checked the whois for the domain and have their contact information; however, it's a large site, so I'm doubtful that the owner did it. I don't want my server's IPs being blacklisted for spam :|


SoftLayer Is Using Tickets To Send SPAM

Sep 2, 2008

I don't know about you guys... But when my datacenter opens a Ticket, I drop anything else I'm working on to take care of it...

God forbid someone had reported spam on MY domain, and they were warning me with a server take down notice.

Imagine my surprise when it turned out it was them breaking their own spam policy.

Here's the ticket /SPAM for those interested:

--
Dear Customer,

Your account has been selected for a special promotional price on our Network Attached Storage (NAS) for off-server backup. This is a great way to insure that your mission critical files and data are kept safe in case of some form of hardware failure. The FTP/NAS storage we offer is basically an allotment of space on one of our shared storage servers. We will provide you with the IP address and login to the space, and you can FTP your data across the private network from the private NIC on your server to this space.

You or your server administrator can automate the process by installing a script/cron job, or by setting up the backup utility within cPanel or Plesk.

Currently your account is eligible to order a NAS account for one half of the normal retail pricing. You will need to be logged in to your customer portal at the following link:

[url]

Enter the following promotional codes to take advantage of the special pricing.

$5/mo for 20GB of NAS: Half20nas
$10/mo for 40GB of NAS: Half40nas
$20/mo for 80GB of NAS: Half80nas
$25/mo for 100GB of NAS: Half100nas
$50/mo for 250GB of NAS: Half250nas

Having a solid backup of critical data is very important. It can save hours of time and trouble for your server administrator in the event the server is compromised, or the hard drive fails. For just a few dollars a month you can rest assured that your files and data are securely stored and your business is safe. How much is your business worth to you? If it is worth more than a few dollars a month I suggest you take advantage of our half off NAS storage promotion while it lasts as this promotion is only good for 7 days!


Best Way Send A Few Thousand Email Per Day- Not SPAM.

Oct 22, 2008

way to send up to a few thousand emails per day.

These emails are simply replies to people contacting me first then I reply with ONE message from an autoresponder. No further contact is made unless they write me back again.

This is not really something that would work with aweber, getresponse, or a similar service.

And most email service providers seem to have a limit of 250 messages a day.

I'm guessing I will need a dedicated server for this?

Anything else I need on the dedicated server? I only have a few mailbox accounts I use that I access via outlook.


How To Stop Send Mail Spam

Jan 17, 2008

I checked and see that many emails were sent from my domain, but I didn't send them. How do I stop this problem?


Plesk 11.x / Linux :: Find Spam Relaying User?

Jun 20, 2014

I am facing a serious problem with my qmail and Plesk 11.0.9. I found the way the spammer did it with my server by listening to everything on port 25. Maybe he knows my RCPT hosts, and they send emails with random usernames but with a domain hosted on my Plesk (user1@mydomain.com, user2@mydomain.com, ... userxxx@mydomain.com).

qmail only checks the domain in RCPT if the spammer inputs "mail from user1@mydomain.com" (without ":"), where no such email address exists on my server. Then the server replies: 550, no mailbox here by that name. (#5.7.17)

But qmail checks username and domain if the spammer inputs "mail from: user1@mydomain.com" (with ":"), where no such email address exists on my server. Then the server replies: 250 OK. This is really weird! I tried with all my Plesk servers; this bug is still in effect.


PHPLive Hacked, Used To Send Spam. Best Alternative?

Apr 18, 2007

We received a warning a few days ago that our server is spamming. We hired someone to find the problem, and it turned out that someone was using our phplivesupport to send spam from our server. The person we hired showed us this: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6769 ("Multiple cross-site scripting (XSS) vulnerabilities in PHP Live! 3.2.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the...")

I sent a ticket to them and asked when they are going to release a new version, and they did not answer. I asked them for a refund, and no answer.

1) What do you think about this whole situation? You don't think they should refund us? (or release a new version)

2) Which live chat alternative do you recommend?


How Many Emails Can I Send Per Hour That Are Not Called Spam?

May 11, 2009

I have a dedicated server; how many emails can I send per hour that are not called spam?


How To Stop People Using Php Script To Send Spam

Nov 11, 2008

Any idea? Or any program can prevent it?

(CentOS 5.2 Linux running on servers)


How To Stop Spammers From Using Your Domain/email To Send Out Spam?

May 15, 2008

I've been getting a lot of "Undeliverable" emails sent to my email address. On these messages, the spammer is using my email in the "From" part of the email. So whenever he sends out spam, the person(s) getting spammed think it's from me, and the thousands of Undeliverable email error messages are also sent to me.

Is there a way to stop this from happening? Besides changing my email address?


Plesk 12.x / Linux :: View Detailed Maillog To Find Spam Scripts

Apr 15, 2015

We have just had reports of SPAM being sent from our CentOS 6.x server running Plesk 12.

Services like Plesk Premium Antivirus, SpamAssassin, Watchdog (rkhunter) and mod_security are enabled on the server to enhance security, and none of these seemed to stop the scripts.

The issue is that multiple domains are sending out mail from this server, so it is difficult to find the script sending out SPAM. When we were running Plesk 11.0 we had a separate log file where we could see the file sending any mail going out from the Postfix mail server. I have checked both /var/log/maillog and /usr/local/psa/var/log/maillog, but there is nothing in those files to tell me the file that sent the mail.

How would I go about finding this file from either the Plesk Control Panel or through SSH (using log-files)?


Exim Server - Being Used To Relay Spam?

Dec 3, 2008

Hoping someone can help here. I have a web server running a couple of sites, and it has been for a couple of years now. With one of the domains, I have an email forwarder set up through cPanel to forward mail sent to a specific address at that domain to my Gmail account (it's a "contact us" type address). I don't think the email address is listed on the web anywhere.

Anyway, I am noticing a lot of spam emails being sent to that address, from that same address, and they all appear to be relayed through my Exim server legitimately. Obviously they aren't (as I am not sending them).

I am only familiar with sendmail, and am unsure about where to look for any possible hacks to my Exim server. Can someone point me in the right direction? I want to stop these spam messages being sent, ASAP.


Exim Load Is High And TONS Of Spam

Mar 8, 2008

After noticing the SQL errors on my sites, I went in to take a closer look.

First thing I noticed was my server load was at 200! This was all due to EXIM!

I stopped Exim and then watched my load go back down to about 1... then started it, and it gradually rose again.

After using the Exim Cheat Sheet...

I discovered I had over 7000 messages frozen in my queue and a few thousand not frozen.

After erasing all of the frozen messages because they were all spam, I am left wondering what I can do to stop this from happening again...

1. Is this spam being SENT FROM me? Or TO me?

2. Regardless of the answer to #1, how do I make it stop? I don't host any significant sites, and the server only has a few sites on it. None of the domains match up with anything I have anything to do with, so it's all worthless, and nobody on my server heavily uses their email through me.

What do I do? This is the second time I have had my system with a load this high, and after the first time I paid a chunk for more RAM.


Exim Mail Spool More Than 20.000 Messages... / Spam

May 8, 2008

The Exim queue is always being filled by millions of spam mails...

In 5 minutes more than 1000 messages..

I have removed them all several times, but they insist on coming back..

In one minute:

1Ju7q6-00039t-03  1m  ALEXNSONIA@MSN.COM
1Ju7q6-00039w-16  1m  ALEXNSTEPH4-1-98@MSN.COM
1Ju7q6-0003A0-2s  1m  ALEXIA27@BELLSOUTH.NET ...


Dealing With A Distributed Spam Attack (exim)

May 16, 2007

We've been seeing sluggish performance on our mail gateways, and so I started doing some digging in the logs. It looks like we are filling up with messages like:

2007-05-16 12:22:16 Connection from [xx.xx.xx.xx] refused: too many connections

We have our max connections set to 20 (total, not host-specific) in exim4. So I started tailing the logs, and sure enough, we are getting bombarded with requests to randomstring@ourdomain.com coming from all over the map. The requests are getting denied, of course, but that doesn't help the connection issue, since they are consuming all of the connections and preventing real mail (for the most part) from getting through.

What is the proper way to deal with something like this? I could certainly just up the max connections value from 20 to 40 or 50 or whatever, but I'm not sure what kind of performance impact that will have on the rest of the traffic going through our gateways.

Since the spam attempts are coming from all over the place, it doesn't seem like I can just firewall out a few addresses and be done with it.

This particular rack is a cluster of web and database servers behind two gateway boxes, which handle the mail traffic (so this problem is on the gateways, the actual mail server itself sits behind the gateways and never actually sees these fake emails).


Exim :: Catch The User Sending Spam With Mailnull?

May 28, 2009

I have a VPS, but there are too many processes called mailnull.
After that, the data centre closed my server for sending spam.

So how can I catch the user sending spam with mailnull?

Copyrights 2005-15 www.BigResource.com, All rights reserved