Full Version: who is the spamer :(
The Planet Forums > Control Panels > cPanel/WHM
haill
hi

every day some site at my server sends more than 1000 emails like this:

QUOTE
Displaying Message ID 1BpNew-0004EQ-Uz
mailnull 47 12
<>
1090918206 0
-ident mailnull
-received_protocol local
-body_linecount 52
-frozen 1090918212
-localerror
XX
1
gdrewerysqkrbgixpvfdx@qykpz.tw

157P Received: from mailnull by server.xxx.com with local (Exim 4.34)
id 1BpNew-0004EQ-Uz
for gdrewerysqkrbgixpvfdx@qykpz.tw; Tue, 27 Jul 2004 11:50:07 +0300
129  X-Failed-Recipients: smartin882@aol.com,
 turtlemoontrader@aol.com,
 n13liz@aol.com,
 smartin880@aol.com,
 gdrewerys@aol.com
031  Auto-Submitted: auto-generated
060F From: Mail Delivery System
035T To: gdrewerysqkrbgixpvfdx@qykpz.tw
059  Subject: Mail delivery failed: returning message to sender
049I Message-Id:
038  Date: Tue, 27 Jul 2004 11:50:06 +0300

 
1BpNew-0004EQ-Uz-D
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

 smartin882@aol.com
   SMTP error from remote mailer after MAIL FROM::
   host mailin-01.mx.aol.com [64.12.137.89]: 550 REQUESTED ACTION NOT TAKEN:
   DNS FAILURE
 turtlemoontrader@aol.com
   SMTP error from remote mailer after MAIL FROM::
   host mailin-01.mx.aol.com [64.12.137.89]: 550 REQUESTED ACTION NOT TAKEN:
   DNS FAILURE
 n13liz@aol.com
   SMTP error from remote mailer after MAIL FROM::
   host mailin-01.mx.aol.com [64.12.137.89]: 550 REQUESTED ACTION NOT TAKEN:
   DNS FAILURE
 smartin880@aol.com
   SMTP error from remote mailer after MAIL FROM::
   host mailin-01.mx.aol.com [64.12.137.89]: 550 REQUESTED ACTION NOT TAKEN:
   DNS FAILURE
 gdrewerys@aol.com
   SMTP error from remote mailer after MAIL FROM::
   host mailin-01.mx.aol.com [64.12.137.89]: 550 REQUESTED ACTION NOT TAKEN:
   DNS FAILURE

------ This is a copy of the message, including all the headers. ------

Return-path:
Received: from nobody by server.xxxx.com with local (Exim 4.34)
id 1BpNep-00044U-Kv; Tue, 27 Jul 2004 11:49:59 +0300
To: gdrewerys@aol.com,smartin880@aol.com,n13liz@aol.com,turtlemoontrader@aol.com,smartin882@aol.com
Subject: Doctorate (PHD and/or MBA, Masters, Bachelors
From: gdrewerysqkRbgixpVfdX@qykpz.tw
Reply-To: gdrewerysqkRbgixpVfdX@qykpz.tw
X-Mailer: DT_formmail
Message-Id:
Date: Tue, 27 Jul 2004 11:49:59 +0300
X-MailScanner-Information: Please contact the ISP for more information
X-MailScanner: Found to be clean
X-MailScanner-From: gdrewerysqkrbgixpvfdx@qykpz.tw

cneqhutGGB29952:  
Discover.a little known secret to Energize your employability and  

prestige.  Reach us anytime of the  day at 1-253-369-6717       DYvHDJq7qq7q5Ia3AUS3lZU



This Does Notgeocities.com/qwisdk/heyInterest Me geocities.com/qwisdk/hey
realname: gdrewerys


any help please.
dynamicnet
Greetings:

Check if your mail server is an open relay.

Check for vulnerable formmail scripts.

Thank you.
haill
thank you for your reply, but how can I check whether my mail server is an open relay, and for vulnerable formmail scripts?

thanks.
levovich
You can use this tool to check for open relay:

http://www.abuse.net/relay.html
huck
updatedb
locate -i formmail.pl
locate -i formmail.php

to find formmail scripts. Carefully analyze your logs and look for the relay ---

To start. Also note that I have seen many people mistake virus activity for spamming. Note that some viruses can send a lot of email -- while some use their own SMTP mailers and many due to the network settings.

You can also use the ID field in the mail headers to track down how the message was processed through your system.
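The quoted bounce already carries the two clues the replies point at: the original copy shows "Received: from nobody by server.xxxx.com with local" and "X-Mailer: DT_formmail", i.e. it was injected locally by the web server user (nobody) through a formmail-style script, and the bounce header "Displaying Message ID 1BpNew-0004EQ-Uz" is the Exim ID that can be followed in the mainlog. The script below is an added example, not something posted in the thread: it follows that ID chain in Exim "<=" log lines (a bounce's line carries "R=" with the ID of the message it answers, and locally injected messages carry "U=" with the injecting user), counts injected messages per local user so a web script shows up as a pile of "nobody" entries, and searches a directory tree for formmail scripts as the last reply suggests. The log lines are constructed from the thread's IDs; on a cPanel box the real file is /var/log/exim_mainlog, which is an assumption about the reader's layout.

```shell
#!/bin/sh
# Added example (not from the thread): trace an Exim bounce back to the local
# user or script that injected the original message, and list formmail scripts.

# Constructed sample of Exim mainlog "<=" (message received) lines. Field 3 is
# the message ID, "U=" the local injecting user, "R=" (on a bounce) the ID of
# the message the bounce refers to. Real data: /var/log/exim_mainlog (assumed).
SAMPLE_LOG='2004-07-27 11:49:59 1BpNep-00044U-Kv <= gdrewerysqkRbgixpVfdX@qykpz.tw U=nobody P=local S=1180
2004-07-27 11:49:59 1BpNeq-00044V-Lw <= gdrewerysqkRbgixpVfdX@qykpz.tw U=nobody P=local S=1180
2004-07-27 11:49:59 1BpNer-00044W-Mx <= gdrewerysqkRbgixpVfdX@qykpz.tw U=nobody P=local S=1180
2004-07-27 11:50:06 1BpNew-0004EQ-Uz <= <> R=1BpNep-00044U-Kv U=mailnull P=local S=2210
2004-07-27 11:50:10 1BpNf1-0004F0-AB <= alice@example.com U=alice P=local S=812
2004-07-27 11:50:12 1BpNf3-0004F5-CD <= bob@example.com H=(mail.example.net) [192.0.2.10] P=esmtp S=950'

# Print the ID of the message that bounce $1 refers to (from its R= field).
bounce_origin() {
  printf '%s\n' "$SAMPLE_LOG" | awk -v id="$1" '
    $3 == id && $4 == "<=" {
      for (i = 5; i <= NF; i++) if ($i ~ /^R=/) print substr($i, 3)
    }'
}

# Print the local user that injected message $1, or "-" for a remote (SMTP) one.
injecting_user() {
  printf '%s\n' "$SAMPLE_LOG" | awk -v id="$1" '
    $3 == id && $4 == "<=" {
      u = "-"
      for (i = 5; i <= NF; i++) if ($i ~ /^U=/) u = substr($i, 3)
      print u
    }'
}

# Follow a bounce ID to the original message and name its injecting user.
# "nobody" is the web server account on cPanel, so it means a web script.
trace_bounce() {
  orig=$(bounce_origin "$1")
  [ -n "$orig" ] || { echo "no origin found for $1"; return 1; }
  echo "bounce $1 -> original $orig injected by $(injecting_user "$orig")"
}

# Count locally injected messages per user, busiest first. A large "nobody"
# count with a matching spam subject is the formmail/web-script signature.
count_by_user() {
  printf '%s\n' "$SAMPLE_LOG" | awk '
    $4 == "<=" {
      for (i = 5; i <= NF; i++) if ($i ~ /^U=/) c[substr($i, 3)]++
    }
    END { for (u in c) print c[u], u }' | sort -rn
}

# List formmail scripts under directory $1 (same idea as locate -i formmail.*).
find_formmail_scripts() {
  find "$1" -type f \( -iname 'formmail*.pl' -o -iname 'formmail*.php' \
    -o -iname 'formmail*.cgi' \) 2>/dev/null
}

# Usage when run directly; the thread's bounce ID is the starting point.
if [ "${1:-}" = "run" ]; then
  trace_bounce 1BpNew-0004EQ-Uz
  count_by_user
  find_formmail_scripts "${2:-/home}"
fi
```

Run it as `sh trace.sh run /home` to see the chain for the thread's bounce ID, the per-user injection counts, and any formmail scripts under the web roots; replacing `SAMPLE_LOG` with `$(grep ' <= ' /var/log/exim_mainlog)` turns it into a check against the live log.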
Invision Power Board © 2001-2009 Invision Power Services, Inc.