

Unusual Spam Problem being reported by Data Center




Posted by djstonefish, 03-18-2008, 07:13 AM
Hello, I have an unusual spam problem on my server being reported by my data center (theplanet). They have opened up an abuse ticket on the issue as they say it appears my server is sending out child porn spam. Something I am obviously keen to stop. I've had the mail logs checked, and there's not been any sign of the CPU going above normal acceptable levels, nor can I see any processes running that appear to be sending out spam. The only information I have to go on is the mail headers provided by the data centre themselves, which I will copy and paste below. Does anyone have any suggestions as to what could be causing this? Or what I can do to stop it? Whenever anything like this has happened before, there's usually something like dm.cgi being run on the server which can be traced and stopped, but with this there's nothing. As you'll see from the report below, it even states that it has been received from a different server, but it just says xyvcx or something similar... Thanks in advance...
Last edited by bear; 03-18-2008 at 07:33 AM.

Posted by HoundOfTheSmith, 03-18-2008, 07:44 AM
What does your mail log say?

Posted by applicurearun, 03-18-2008, 08:43 AM
Looks like someone is abusing you. Please update all your scripts / addon(s) and make sure that your mail is set to :fail: .

Posted by brianoz, 03-18-2008, 09:29 AM
Did you even think for a microsecond before you posted that drivel applicurearun?? It's particularly unhelpful, especially as the opposite may be the case. What's important is to track down that the spam actually is coming from your server. If your server IP does not appear in any of the headers, it's not coming from your server, unless it's a new form of magic email that travels by telepathy. If your server IP does appear there, then there are two possibilities:
1. Spam sent by system mail - look in your server mail logs for entries around the time given in the redacted spam sample from AOL;
2. Spam originating from a script. Usually sent via port 25, this is easily stopped by enabling the "SMTP tweak" in cPanel and/or installing the CSF firewall and preventing outgoing port 25 to all but exim and root. This usually comes from an exploited script or account and there's heaps written here in posts about how to find the exploited user/script, so I won't duplicate what you can easily research.

Posted by applicurearun, 03-18-2008, 09:59 AM
Hi brianoz, Thank you for pointing that out to me! Yes, I thought before posting. Take a look at your two possibilities. It's about an exploited script (in my words, "abuse"); maybe the word was not correct. But until I have a clue, how can I say it is because of an exploited script? His service provider is not saying anything about load or processes, so I said it may be abuse! Also, your solution (enabling the "SMTP tweak") is the best at this time. We have to assume based on limited information here... so sometimes our solution might come from various angles of the issue. Anyway, I appreciate your command.

Posted by djstonefish, 03-18-2008, 10:05 AM
Hello, Thank you for your replies. The SMTP tweak is already enabled, and according to the server admin there's no sign of it in the mail log. Which part of the email headers should I be searching for in the mail log? As I will check it myself to make sure... Thanks again for your help.

Posted by HoundOfTheSmith, 03-18-2008, 04:03 PM
I don't know what SMTP software you're using, but a trawl for the from address in that email (carnagecct@sangoma.com) for the logs on Monday the 10th should tell you whether or not it came through your SMTP server. If it's not there then it's unlikely that your server is the source. It's still possible it could be (a process on your server could be connecting to remote SMTP servers directly), but less likely.
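
The two checks suggested in this thread (does the server IP appear in the reported Received headers, and does the mail log for that day mention the sender address), as an added example that is not part of any post above. The report headers, the exim-style log lines, the addresses and the IPs are all constructed sample data, and the function names are hypothetical.

```python
import email
import re

# Constructed abuse-report sample; every host, IP and address here is made up.
SAMPLE_REPORT = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.7])
\tby inbox.recipient.example with ESMTP; Mon, 10 Mar 2008 09:15:02 -0400
Received: from xyvcx (unknown [203.0.113.45])
\tby mx.recipient.example with SMTP; Mon, 10 Mar 2008 09:15:01 -0400
From: sender@spam.example
Subject: constructed sample

body
"""

# Constructed exim-style mainlog lines ("<=" is arrival, "=>" is delivery).
SAMPLE_LOG = """\
2008-03-10 09:14:58 1JYi2k-0003Ab-7Q <= sender@spam.example U=nobody P=local S=2211
2008-03-10 09:14:59 1JYi2k-0003Ab-7Q => victim@recipient.example R=lookuphost T=remote_smtp
2008-03-11 02:00:13 1JYxQ1-0007Cd-Lm <= other@customer.example H=localhost [127.0.0.1] P=esmtp S=900
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(raw_message):
    """Bracketed IPs found in each Received header, newest hop first."""
    msg = email.message_from_string(raw_message)
    return [IP_IN_BRACKETS.findall(h) for h in msg.get_all("Received", [])]


def server_in_headers(raw_message, server_ip):
    """True if server_ip is recorded as a connecting host in any hop."""
    return any(server_ip in hop for hop in received_ips(raw_message))


def log_hits(log_text, sender, day):
    """Log lines from `day` (YYYY-MM-DD) that mention the sender address."""
    sender = sender.lower()
    return [line for line in log_text.splitlines()
            if line.startswith(day) and sender in line.lower()]


if __name__ == "__main__":
    print(received_ips(SAMPLE_REPORT))
    print(server_in_headers(SAMPLE_REPORT, "203.0.113.45"))
    for line in log_hits(SAMPLE_LOG, "sender@spam.example", "2008-03-10"):
        print(line)
```

Only the Received lines written by the recipient's own mail servers can be relied on; anything below them is supplied by the sending side. A `U=nobody P=local` arrival, as in the constructed log line, is what a message submitted by a web-server script typically looks like in exim's log.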


