Help me find out which user is sending spam




Posted by crisdias, 09-05-2009, 03:56 PM
Hi there, ThePlanet just sent me an alert that my server is being flagged as a spam source. They sent me 2 examples, but I can't figure out which user is sending the messages. Looks like a backdoor was found in someone's outdated site and spam-sending files got injected. I have tracked down the messages they sent me in exim_mainlog, but I can't find any sign of a username. No "U=" or "A=fixed_login" in the log to help me, just a localhost connection. Do I have any chance of figuring this out? Thanks!

Posted by ianeeshps, 09-06-2009, 05:57 AM
If it is a cPanel server you can enable extended logging so that you can track down all details if you are suspecting a spammer. You can edit the exim.conf file and use:

    log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peer

Is zerizon.net a domain on your server? Also try exigrep with the message id to check; sometimes it will provide a little clearer logs. "=>" means sent to and "<=" means sent from address. Last edited by ianeeshps; 09-06-2009 at 06:01 AM.

Posted by eth10, 09-07-2009, 12:11 PM
    grep "exceeded the max emails per hour" /var/log/exim_mainlog

This will help you find the user who sends the most emails, and most of the time it's spam.
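Putting the two suggestions above together (the extended log_selector from ianeeshps's post, in particular +arguments, and counting mail per user from eth10's), here is an added Python example that is not code from this thread. It parses exim_mainlog lines, attributes each message to the local Unix user (U=), the authenticated login (A=) or, for mail handed in by a web script as U=nobody, to the working directory Exim records on the "cwd=... args:" line that +arguments produces, and then counts messages per origin. The sample log is constructed, and pairing a cwd= line with the next P=local message is a heuristic, because Exim writes that line without a message id.

```python
"""Attribute outbound mail in an Exim main log to a user or a script directory.

Added example, not code from the thread. Assumes log_selector already includes
+arguments (Exim then writes "cwd=<dir> N args: ..." before each locally submitted
message) and +subject, and that the log follows the standard exim_mainlog layout.
SAMPLE_MAINLOG below is constructed; all addresses and hosts are placeholders.
"""
import re
from collections import Counter

SAMPLE_MAINLOG = """
2009-09-05 15:01:02 cwd=/home/alice/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2009-09-05 15:01:02 1MjAbC-0001xY-Zz <= promo@example.invalid U=nobody P=local S=2140 T="Cheap offer"
2009-09-05 15:01:03 1MjAbC-0001xY-Zz => victim@example.net R=dnslookup T=remote_smtp H=mx.example.net [192.0.2.10]
2009-09-05 15:01:03 1MjAbC-0001xY-Zz Completed
2009-09-05 15:01:10 1MjAbD-0001xZ-Aa <= bob@example.org U=bob P=local S=980 T="Invoice"
2009-09-05 15:01:10 1MjAbD-0001xZ-Aa => carol@example.com R=dnslookup T=remote_smtp H=mx.example.com [192.0.2.20]
2009-09-05 15:01:10 1MjAbD-0001xZ-Aa Completed
2009-09-05 15:02:00 cwd=/home/alice/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2009-09-05 15:02:00 1MjAbE-0001y0-Bb <= promo@example.invalid U=nobody P=local S=2140 T="Cheap offer"
2009-09-05 15:02:01 1MjAbE-0001y0-Bb => other@example.net R=dnslookup T=remote_smtp H=mx.example.net [192.0.2.10]
2009-09-05 15:02:01 1MjAbE-0001y0-Bb Completed
2009-09-05 15:03:00 1MjAbF-0001y1-Cc <= dave@example.org H=(client) [198.51.100.7] P=esmtpa A=fixed_login:dave@example.org S=1200 T="Hi"
2009-09-05 15:03:01 1MjAbF-0001y1-Cc => eve@example.net R=dnslookup T=remote_smtp H=mx.example.net [192.0.2.30]
"""

# "cwd=" line produced by +arguments: no message id, so it must be paired by position.
CWD_RE = re.compile(r"^(?P<ts>\S+ \S+) cwd=(?P<cwd>\S+) \d+ args: (?P<args>.*)$")
# Normal message line: timestamp, Exim message id, flag (<= arrival, => / -> delivery, ...).
MSG_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<id>\w{6}-\w{6}-\w{2}) "
                    r"(?P<flag><=|=>|->|\*\*|==|Completed)(?: (?P<rest>.*))?$")
# Single-letter K=V fields such as U=nobody, A=fixed_login:..., P=local, T="subject".
FIELD_RE = re.compile(r'(?<!\S)(?P<key>[A-Z])=(?P<val>"[^"]*"|\S+)')


def parse_fields(rest):
    """Split 'addr U=bob P=local T="Hi"' into the leading address and a dict of fields."""
    addr = rest.split(" ", 1)[0]
    fields = {m.group("key"): m.group("val").strip('"') for m in FIELD_RE.finditer(rest)}
    return addr, fields


def parse_mainlog(text):
    """Return {message_id: record} for every message seen in the log text.

    A pending cwd= line is attached to the next locally submitted (P=local) message
    and then discarded; this pairing is a heuristic, not something Exim guarantees.
    """
    messages = {}
    pending_cwd = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = CWD_RE.match(line)
        if m:
            pending_cwd = (m.group("cwd"), m.group("args"))
            continue
        m = MSG_RE.match(line)
        if not m:
            continue
        mid, flag, rest = m.group("id"), m.group("flag"), m.group("rest") or ""
        rec = messages.setdefault(mid, {"sender": None, "user": None, "auth": None,
                                        "protocol": None, "subject": None, "cwd": None,
                                        "args": None, "recipients": []})
        if flag == "<=":
            addr, f = parse_fields(rest)
            rec.update(sender=addr, user=f.get("U"), auth=f.get("A"),
                       protocol=f.get("P"), subject=f.get("T"))
            if f.get("P") == "local" and pending_cwd:
                rec["cwd"], rec["args"] = pending_cwd
            pending_cwd = None
        elif flag in ("=>", "->"):
            addr, _ = parse_fields(rest)
            rec["recipients"].append(addr)
    return messages


def origin_of(rec):
    """Best available attribution: authenticated login, else local Unix user, else '-'."""
    return rec["auth"] or rec["user"] or "-"


def count_by_origin(messages):
    """Count messages per (origin, script directory).

    Local mail with U=nobody and a cwd under a customer's public_html points at a web
    script in that account, which is exactly the case the original poster describes.
    """
    return Counter((origin_of(r), r["cwd"] or "-") for r in messages.values() if r["sender"])


def lines_for(text, message_id):
    """All log lines for one message id; a simplified stand-in for `exigrep <id>`."""
    return [ln for ln in text.splitlines() if message_id in ln]


if __name__ == "__main__":
    msgs = parse_mainlog(SAMPLE_MAINLOG)
    for (origin, cwd), n in count_by_origin(msgs).most_common():
        print(f"{n:4d}  origin={origin:<32} cwd={cwd}")
```

On a real server, feed the script the contents of /var/log/exim_mainlog instead of SAMPLE_MAINLOG; the directory in the cwd column tells you which account's site to inspect, and lines_for gives you everything Exim logged about one of the message ids from the abuse report.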

Posted by inspiron, 09-08-2009, 08:49 AM
You can easily trace the users sending the spam on the server by checking the mail logs using:

    # tail -f /var/log/exim_mainlog

Posted by rwxguru, 09-08-2009, 05:54 PM
Try this and it should report how many times the abusers hit your limits.

Posted by crisdias, 09-13-2009, 10:44 AM
Thank you guys. Looks like WordPress has a huge security hole that lets spammers inject code on outdated sites. Since like 80% of my customers run WordPress... X-(

Posted by JediKnight2, 09-13-2009, 03:01 PM
Yeah...WordPress is a HUGE pain in the REAR END!

Posted by serveradminz, 09-13-2009, 10:27 PM
Yea... I would recommend you upgrade WP.
