Hi,
I am running FC4 with Exim 4.68
Someone is sending spam from my server and I can't find how he is doing this.
I enabled the following scripts/exim settings to try to find him but
none of these helped:
1. lsof +r 1 -p `ps axww | grep httpd | grep -v grep | awk '{ if(!str) { str=$1 } else { str=str","$1 } } END { print str }'` \
   | grep public_html | grep php > /root/sendmail_log
2. sendmail wrapper:
root@svr1 [~]# cat /usr/bin/sendmail
#!/usr/local/bin/perl
# Logging wrapper installed as /usr/bin/sendmail; the real binary was
# renamed to /usr/sbin/sendmail.real. Every caller is logged, then the
# message is handed on unchanged.
use strict;
use warnings;
use Env qw(REMOTE_ADDR SCRIPT_NAME SERVER_NAME PWD);

my $date = `date`;
chomp $date;
# The log file must be writable by the web server user (and any other
# caller); if the open fails the wrapper dies and that mail is lost.
open (INFO, ">>/var/log/formmail.log") || die "Failed to open file ::$!";
my $uid = $>;
my @info = getpwuid($uid);
if ($REMOTE_ADDR) {
    # CGI variables are only in the environment for CGI-style execution
    # (CGI, suPHP, FastCGI); mail() under mod_php inherits the bare httpd
    # environment and therefore lands in the else branch.
    print INFO "$date - $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME \n";
}
else {
    # Shell, cron or mod_php caller: record cwd and the calling account.
    print INFO "$date - $PWD - @info\n";
}

my $mailprog = '/usr/sbin/sendmail.real';
# List-form open passes the arguments to sendmail.real without a shell,
# so a caller cannot smuggle shell metacharacters through them.
open (MAIL, '|-', $mailprog, @ARGV) || die "cannot open $mailprog: $!\n";
while (<STDIN>) {
    print MAIL;
}
close (INFO);
close (MAIL);
3. extended exim logging:
log_selector = +address_rewrite +all_parents +arguments \
               +connection_reject +delay_delivery +delivery_size +dnslist_defer \
               +incoming_interface +incoming_port +lost_incoming_connection \
               +queue_run +received_sender +received_recipients +retry_defer \
               +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation \
               +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject \
               +tls_cipher +tls_peerdn
None of these things indicate how the spammer is sending spam.
What I know is that he does this by somehow connecting to port 25 from
localhost and feeding the data to exim. When he sends spam, all I see
in the exim_mainlog is:
2008-11-22 03:04:03 SMTP connection from [127.0.0.1]:60739 I=[127.0.0.1]:25 (TCP/IP connection count = 5)
2008-11-22 03:04:03 H=localhost (hostname.com) [127.0.0.1]:60739 I=[127.0.0.1]:25 Warning: Sender rate 12.0 / 1h
2008-11-22 03:04:03 H=localhost (hostname.com) [127.0.0.1]:60739 I=[127.0.0.1]:25 sender verify fail for <Pharmacy-shop@???>
I was able to reproduce the same log entries by running:
telnet localhost 25
HELO hostname
MAIL FROM:<some@???>
RCPT TO:<some@???>
DATA
some data
.
I have too many domains on the server so I can't search through the
logs and compare times.
Can someone please tell me how I can determine how he is sending the spam?
Thanks in advance
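An added example (not part of the original post, and not Exim's or Apache's own tooling) that does the time comparison the poster says is impractical by hand across many domains: it takes the timestamps of Exim's "SMTP connection from [127.0.0.1]" entries and ranks the web scripts that were requested within two seconds of each one. It assumes Apache combined-format access logs, one per vhost, written in the same local time as exim_mainlog; every log line below is a constructed sample.

```python
import re
from datetime import datetime, timedelta

# Exim main log "SMTP connection from" line (shape taken from the post): timestamp and source port
EXIM_RE = re.compile(r'^(\S+ \S+) SMTP connection from \[127\.0\.0\.1\]:(\d+) ')
# Apache combined access log line: timestamp (zone ignored), request method and path
APACHE_RE = re.compile(r'^\S+ \S+ \S+ \[(\S+) [^\]]*\] "(\w+) (\S+)')

def exim_local_connections(lines):
    """(timestamp, source_port) for each SMTP connection Exim accepted from 127.0.0.1."""
    return [(datetime.strptime(m.group(1), '%Y-%m-%d %H:%M:%S'), int(m.group(2)))
            for m in map(EXIM_RE.match, lines) if m]

def apache_requests(vhost, lines):
    """(timestamp, vhost, method, path) for each request in one vhost's access log."""
    return [(datetime.strptime(m.group(1), '%d/%b/%Y:%H:%M:%S'), vhost, m.group(2), m.group(3))
            for m in map(APACHE_RE.match, lines) if m]

def correlate(connections, requests, window=2):
    """Map (vhost, method, path) -> local SMTP source ports opened within +-window seconds
    of a request to it; a script that coincides with every spam burst stands out."""
    delta, hits = timedelta(seconds=window), {}
    for ts, port in connections:
        for rts, vhost, method, path in requests:
            if abs(rts - ts) <= delta:
                hits.setdefault((vhost, method, path), []).append(port)
    return hits

# Constructed sample logs (not from a real server); both assumed to be in the same local time.
EXIM_SAMPLE = """\
2008-11-22 03:04:03 SMTP connection from [127.0.0.1]:60739 I=[127.0.0.1]:25 (TCP/IP connection count = 5)
2008-11-22 03:09:41 SMTP connection from [127.0.0.1]:60802 I=[127.0.0.1]:25 (TCP/IP connection count = 1)
2008-11-22 03:10:00 SMTP connection from [192.0.2.10]:4411 I=[203.0.113.5]:25 (TCP/IP connection count = 1)
""".splitlines()
ACCESS_LOGS = {'example-a.test': """\
192.0.2.7 - - [22/Nov/2008:03:04:02 +0000] "POST /contact/send.php HTTP/1.1" 200 312 "-" "Mozilla"
192.0.2.7 - - [22/Nov/2008:03:09:40 +0000] "POST /contact/send.php HTTP/1.1" 200 312 "-" "Mozilla"
""".splitlines(), 'example-b.test': """\
198.51.100.3 - - [22/Nov/2008:03:04:03 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla"
""".splitlines()}

def suspects(exim_lines=EXIM_SAMPLE, access_logs=ACCESS_LOGS):
    """Scripts ranked by how many local SMTP connections coincided with a request to them."""
    reqs = [r for vhost, lines in access_logs.items() for r in apache_requests(vhost, lines)]
    hits = correlate(exim_local_connections(exim_lines), reqs)
    return sorted(hits.items(), key=lambda kv: -len(kv[1]))

if __name__ == '__main__':
    for (vhost, method, path), ports in suspects():
        print(f'{len(ports):3d}  {vhost} {method} {path}  ports={ports}')
```

On a live server, feed exim_local_connections the real exim_mainlog and build access_logs from each vhost's access log; the script at the top of the ranking is the one to read first.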