Help me find out which user is sending spam
Posted by crisdias, 09-05-2009, 03:56 PM |
Hi there, ThePlanet just sent me an alert that my server is being flagged as a spam source. They sent me 2 examples but I can't figure out which user is sending the messages. Looks like a backdoor was found in someone's outdated site and spam-sending files got injected.
I have tracked down the messages they sent me in exim_mainlog but I can't find any sign of a username. No "U=" or "A=fixed_login" in the log to help me, just a localhost connection.
Do I have any chance of figuring this out?
Thanks!
|
Posted by ianeeshps, 09-06-2009, 05:57 AM |
If it is a cPanel server, you can enable extended login so that you can track down all the details if you suspect a spammer.
You can edit the exim.conf file and use
log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peer
Is zerizon.net a domain on your server? Also try to exigrep the msgid to check. Sometimes it will provide slightly clearer logs.
=> means sent to and <= means sent from address.
Last edited by ianeeshps; 09-06-2009 at 06:01 AM.
|
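An added example, not code from any poster in this thread: a Python script that tallies "<=" arrival lines by the U= and A= fields the first post looks for, and counts the cwd= lines that +arguments writes when a script calls sendmail. The log lines are constructed, and the subject handling assumes +subject is enabled as in the log_selector above.

```python
import re
from collections import Counter

# Constructed sample lines in exim_mainlog layout (not taken from the thread).
SAMPLE_LOG = r'''2009-09-05 15:10:01 cwd=/home/alice/public_html/blog/wp-content 3 args: /usr/sbin/sendmail -t -i
2009-09-05 15:10:01 1MjxYa-0001aB-Cd <= nobody@host.example.com U=nobody P=local S=1502 T="Cheap meds"
2009-09-05 15:10:02 1MjxYa-0001aB-Cd => victim@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.10]
2009-09-05 15:10:05 cwd=/home/alice/public_html/blog/wp-content 3 args: /usr/sbin/sendmail -t -i
2009-09-05 15:10:05 1MjxYb-0001aF-Gh <= nobody@host.example.com U=nobody P=local S=1498 T="Cheap meds"
2009-09-05 15:11:00 1MjxYc-0001bK-Lm <= bob@example.org H=(pc) [198.51.100.7] P=esmtpa A=fixed_login:bob@example.org S=2210 T="Invoice"
2009-09-05 15:12:00 1MjxYd-0001cP-Qr <= x@example.com H=localhost (host.example.com) [127.0.0.1] P=esmtp S=900 T="hi \" U=root A=fixed_login:ceo"
'''

ARRIVAL = re.compile(r"^\S+ \S+ (\S+) <= (\S+) ?(.*)$")   # date time msgid <= sender fields
CWD = re.compile(r"^\S+ \S+ cwd=(\S+) \d+ args: ")        # written by +arguments
SUBJECT = re.compile(r'T="(?:[^"\\]|\\.)*"')              # quoted subject from +subject

def field(rest, key):
    m = re.search(r"(?:^|\s)" + key + r"=(\S+)", rest)
    return m.group(1) if m else None

def attribute(rest):
    # The subject is sender-controlled and may contain fake "U=" or "A=" text,
    # so drop it before reading any field.
    rest = SUBJECT.sub("", rest)
    auth, user = field(rest, "A"), field(rest, "U")
    if auth:
        return "auth:" + auth
    if user:
        return "local:" + user
    if "[127.0.0.1]" in rest:
        return "localhost-smtp:unattributed"   # the case described in the first post
    return "remote:unattributed"

def tally(log_text):
    senders, dirs = Counter(), Counter()
    for line in log_text.splitlines():
        m = CWD.match(line)
        if m:
            dirs[m.group(1)] += 1              # working directory of the calling script
            continue
        m = ARRIVAL.match(line)
        if m:
            senders[attribute(m.group(3))] += 1
    return senders, dirs

if __name__ == "__main__":
    senders, dirs = tally(SAMPLE_LOG)
    print(senders.most_common())
    print(dirs.most_common())
```

In the sample, the two U=nobody messages only become traceable to an account through the matching cwd= lines, while the localhost SMTP message stays unattributed.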
Posted by eth10, 09-07-2009, 12:11 PM |
grep "exceeded the max emails per hour" /var/log/exim_mainlog
This will help you find the user who sends max emails, and most of the time it's spam.
|
Posted by inspiron, 09-08-2009, 08:49 AM |
You can easily trace the users sending the spam on the server by checking the maillogs using,
#tail -f /var/log/exim_mainlog
|
Posted by rwxguru, 09-08-2009, 05:54 PM |
Try this and it should report how many times the abusers hit your limits.
|
Posted by crisdias, 09-13-2009, 10:44 AM |
Thank you guys,
Looks like WordPress has a huge security hole that lets spammers inject code on outdated sites. Since like 80% of my customers run WordPress... X-(
|
Posted by JediKnight2, 09-13-2009, 03:01 PM |
Yeah...WordPress is a HUGE pain in the REAR END!
|
Posted by serveradminz, 09-13-2009, 10:27 PM |
Yea.. I would recommend you to upgrade WP.
|