Wednesday, 12 September 2012

Finding a spammer

Check for bulk/spam emails.

The first thing to check is the number of messages sitting in the Exim queue:


exim -bpc


Then list the queue and check whether the messages all come from the same sender:


exim -bp


Quote

    0m  1.6K 1Ryd9X-000aSt-8N <euser@host.hostname.com>
              user1@aol.com

    0m  1.6K 1Ryd9X-000aTK-NT <euser@host.hostname.com>
              user2@sbcglobal.net

    0m  1.6K 1Ryd9X-000aTT-Ui <euser@host.hostname.com>
              user3@aol.com

    0m  1.6K 1Ryd9Y-000aUC-Tp <euser@host.hostname.com>
              user4@aol.com

    0m  1.6K 1Ryd9Z-000aUN-59 <euser@host.hostname.com>
              user5@aol.com

    0m  1.6K 1Ryd9Z-000alM-P0 <euser@host.hostname.com>
              user6@aol.com


The first column is how long each message has been in the queue. Every message here is under a minute old (0m), the same size (1.6K) and from the same envelope sender, euser@host.hostname.com, which is the signature of a bulk mailer or spammer. Check whether "euser" is a cPanel user on the server:



grep euser /etc/userdomains


If it is, suspend the account.

If that does not give you enough detail, look at the spool headers of one of the queued messages:



exim -Mvh message_id


For example:



exim -Mvh 1Ryd9Z-000alM-P0


Analyze the Subject, From and To headers to locate the spammer.

Spam injected over SMTP is owned by the mailnull user (Exim's own account on cPanel), so the spool headers above usually do not identify the cPanel account behind it. If the spammer is sending from an SSH session, however, the connections to port 25 show up under their sshd process in the netstat output (netstat -tnp | grep ':25'):

Quote

    tcp        0      0 127.0.0.1:32587             127.0.0.1:25                ESTABLISHED 547580/sshd: euser
    tcp        0      0 127.0.0.1:32568             127.0.0.1:25                ESTABLISHED 547580/sshd: euser
    tcp        0      0 127.0.0.1:32458             127.0.0.1:25                ESTABLISHED 547580/sshd: euser
    tcp        0      0 127.0.0.1:32541             127.0.0.1:25                ESTABLISHED 547580/sshd: euser


In that case suspend "euser" and disable the account's shell (SSH) access.

If you still cannot find the spammer, enable extended logging in Exim. Read http://www.webhostgear.com/118.html

Also search the Exim logs for the message ID to see the full history of that message (arrival, sender, protocol and delivery attempts):

Quote

    exigrep message_id /var/log/exim_mainlog

    exigrep 1Ryd9Z-000alM-P0 /var/log/exim_mainlog
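The two listings used above, exim -bp and netstat, are easier to read when they are summarised per sender and per process. The script below is an added example and is not part of the original post: it parses a constructed sample of each listing (the format matches the output shown above), prints the busiest queue senders, flags any sender at or above an assumed threshold of queued messages, and counts port-25 connections by the owning "PID/program" entry. The threshold of 3 and the sample data are assumptions for illustration; on a live server pipe the real commands into the functions (exim -bp | top_senders, netstat -tnp | smtp_clients).

```shell
#!/bin/sh
# Added example, not part of the original post: summarise the two listings
# used above (exim -bp and netstat) so a bulk sender stands out at a glance.
# Both samples below are constructed to match the format of the output shown
# in the post; on a live server pipe the real commands into the functions:
#   exim -bp | top_senders
#   netstat -tnp | smtp_clients

# Constructed sample of `exim -bp` output (queue age, size, message id and
# envelope sender on one line; recipient indented on the next).
SAMPLE_QUEUE='  0m  1.6K 1Ryd9X-000aSt-8N <euser@host.hostname.com>
          user1@aol.com

  0m  1.6K 1Ryd9X-000aTK-NT <euser@host.hostname.com>
          user2@sbcglobal.net

 25m  3.2K 1Ryd9X-000aTT-Ui <root@host.hostname.com>
          admin@example.net

  0m  1.6K 1Ryd9Y-000aUC-Tp <euser@host.hostname.com>
          user4@aol.com

  3m  0.8K 1Ryd9Z-000aUN-59 <>
          postmaster@example.net'

# Constructed sample of `netstat -tnp` output: two local SMTP connections
# from an sshd session owned by euser, one outbound delivery by exim itself.
SAMPLE_NETSTAT='tcp        0      0 127.0.0.1:32587             127.0.0.1:25                ESTABLISHED 547580/sshd: euser
tcp        0      0 127.0.0.1:32568             127.0.0.1:25                ESTABLISHED 547580/sshd: euser
tcp        0      0 10.0.0.5:41022              203.0.113.9:25              ESTABLISHED 4021/exim'

# Read an `exim -bp` listing on stdin; print "count sender", busiest first.
# Only sender lines carry an angle-bracketed envelope sender, so recipient
# lines are skipped. An empty sender (<>) is a bounce and is kept as "<>".
top_senders() {
    awk '
        match($0, /<[^>]*>/) {
            sender = substr($0, RSTART + 1, RLENGTH - 2)
            if (sender == "") sender = "<>"
            count[sender]++
        }
        END { for (s in count) printf "%d %s\n", count[s], s }
    ' | sort -rn
}

# Print senders with at least THRESHOLD queued messages. The default of 3
# is an assumed cut-off; tune it to the normal queue depth of your server.
flag_bulk_senders() {
    threshold="${1:-3}"
    top_senders | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Read `netstat -tnp` output on stdin; count connections whose foreign
# address is port 25, grouped by the owning "PID/program" column (which may
# contain spaces, e.g. "547580/sshd: euser", so fields 7..NF are joined).
smtp_clients() {
    awk '
        $1 ~ /^tcp/ && $5 ~ /:25$/ {
            prog = $7
            for (i = 8; i <= NF; i++) prog = prog " " $i
            count[prog]++
        }
        END { for (p in count) printf "%d %s\n", count[p], p }
    ' | sort -rn
}

# Stand-alone run over the constructed samples.
printf '%s\n' "$SAMPLE_QUEUE" | top_senders
printf '%s\n' "$SAMPLE_QUEUE" | flag_bulk_senders 3
printf '%s\n' "$SAMPLE_NETSTAT" | smtp_clients
```

On the sample data the queue summary puts euser@host.hostname.com first with 3 messages, the only sender flagged at the threshold of 3, and the netstat summary shows 2 port-25 connections owned by "547580/sshd: euser" against 1 by exim's own delivery process. The message IDs printed by exim -bp are what you feed to exim -Mvh and exigrep afterwards.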


Prevent Spamming

To prevent spamming, enable spam filtering, SpamAssassin and anti-virus scanning on the server. Read

http://www.sput.nl/software/exim.html http://wiki.exim.org/SpamFiltering and http://www.webhostgear.com/338.html

If the spam is being sent by a script, the following command lists the running exim processes together with their environment; an entry pointing into /home (such as PWD=/home/user/public_html) shows which account directory the sending script was run from:


ps -C exim -fH eww | grep home

