Full Version: spam problems
The Planet Forums > Control Panels > cPanel/WHM
kevin77284
Since yesterday the mail queue on my server has been filling up, and it's mostly spam messages that were not able to be delivered to the recipient because their address doesn't exist, or that server is starting to block mail from me. I enabled phpsuexec and blocked the user nobody from sending mail, but I don't think it's coming from a php script so I'm not sure where to look or what else to do.

Headers of one of the messages that got bounced back:

CODE
------ This is a copy of the message, including all the headers. ------

Return-path: <Bizznessopp@replyalert.com>
Received: from localhost ([127.0.0.1]:55509 helo=replyalert.com)
    by myserversdomain.com with esmtp (Exim 4.52)
    id 1F9qoR-0008BO-UK
    for alevint@libero.it; Thu, 16 Feb 2006 15:37:19 -0600
Message-Id: <35997435875.2005jbsd3322@kajp.replyalert.com>
X-Delivered-To: ds20@replyalert.com
Date: Thu, 16 Feb 2006 20:37:16 -0100
Received: (from nobody@aff35997435875.2005jbsd3322) by localhost (127.0.0.1) id 35997435875.2005jbsd3322 Thu, 16 Feb 2006 20:37:16 -0100
X-Sender: "Laurent Perrier"<Bizznessopp@replyalert.com>
Mime-Version: 1.0
From: "Laurent Perrier"<Bizznessopp@replyalert.com>
To: "Alessandro Vinti" <alevint@libero.it>
Subject: Staying in touch
Reply-To: "Laurent Perrier"<Bizznessopp@yahoo.com>
Message-ID: <sid=90173914&rid=45795&seq=12&oid=10817@replyalert.com>
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0010_01C406B4.88360CA0"

myserversdomain.com is where my server's address is

Any suggestions on what I could do to find out where these messages are being sent from?
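One way to read those bounced headers from the defender's side, added here as example code (it is not from the thread, cPanel or Exim) and assuming the receiving host is myserversdomain.com as written above: only the Received line stamped "by" your own Exim is trustworthy, and every header below it was handed over by whatever client connected, so the "(from nobody@...)" line is a claim rather than evidence.

```python
import re
from typing import Dict, List, Optional

OUR_HOST = "myserversdomain.com"  # the receiving MTA's name, as written in the post above

# Constructed sample: the bounce headers quoted in the post, cut down to the relevant lines.
SAMPLE_HEADERS = """\
Return-path: <Bizznessopp@replyalert.com>
Received: from localhost ([127.0.0.1]:55509 helo=replyalert.com)
    by myserversdomain.com with esmtp (Exim 4.52)
    id 1F9qoR-0008BO-UK
    for alevint@libero.it; Thu, 16 Feb 2006 15:37:19 -0600
Message-Id: <35997435875.2005jbsd3322@kajp.replyalert.com>
Received: (from nobody@aff35997435875.2005jbsd3322) by localhost (127.0.0.1) id 35997435875.2005jbsd3322 Thu, 16 Feb 2006 20:37:16 -0100
From: "Laurent Perrier"<Bizznessopp@replyalert.com>
"""

# The hop line Exim 4 writes for an SMTP submission: peer, its IP, the HELO it claimed, our hostname.
HOP_RE = re.compile(
    r"^Received: from (?P<peer>\S+) \(\[(?P<ip>[\d.]+)\](?::\d+)? helo=(?P<helo>[^)\s]+)\)"
    r" by (?P<by>\S+)", re.I)
CLAIM_RE = re.compile(r"^Received: \(from (?P<user>[^@\s)]+)", re.I)  # sendmail-style, client-supplied


def unfold(raw: str) -> List[str]:
    """Join RFC 822 continuation lines (leading whitespace) onto the header they belong to."""
    out: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def analyse(raw: str, our_host: str = OUR_HOST) -> Dict[str, Optional[str]]:
    """Report how the message entered our MTA, trusting only the hop our own Exim stamped.

    Headers below that hop (Date, Message-Id, the '(from nobody@...)' Received line)
    were supplied by the submitting client, so they are reported only as a claim."""
    hdrs = unfold(raw)
    res: Dict[str, Optional[str]] = {"peer_ip": None, "helo": None, "claimed_user": None,
                                     "verdict": "no hop stamped by our own MTA found"}
    for i, h in enumerate(hdrs):
        m = HOP_RE.match(h)
        if m and m.group("by").lower() == our_host.lower():
            res["peer_ip"], res["helo"] = m.group("ip"), m.group("helo")
            claims = [c.group("user") for c in map(CLAIM_RE.match, hdrs[i + 1:]) if c]
            res["claimed_user"] = claims[0] if claims else None
            break
    if res["peer_ip"] == "127.0.0.1":
        res["verdict"] = (f"submitted over SMTP from a process on this server (HELO {res['helo']}"
                          " is not our hostname); look at local processes, not remote relayers")
    elif res["peer_ip"]:
        res["verdict"] = f"relayed from remote host {res['peer_ip']}"
    return res
```

For the headers in the post this reports a 127.0.0.1 submission with a forged HELO, which is why "View Relayers" stays empty: nothing relayed through the box, something on it spoke SMTP to localhost.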
kevin77284
This is one that got bounced back from AOL, it looks like it was sent from a different ip that is also on my server

-------- Original Message --------
X-AOL-UID: 26.339224157
X-AOL-DATE: Wed, 15 Feb 2006 9:19:56 PM Eastern Standard Time
Return-Path:
Received: from rly-na05.mx.aol.com (rly-na05.mail.aol.com [172.18.151.234]) by air-na02.mail.aol.com (vx) with ESMTP id MAILINNA24-2d1443f3e14cbc; Wed, 15 Feb 2006 21:19:56 -0500
Received: from replyprompt.com (myotherdomain.com [64.246.x.x]) by rly-na05.mx.aol.com (vx) with ESMTP id MAILRELAYINNA53-3543f3e13d364; Wed, 15 Feb 2006 21:19:42 -0500
Message-Id: <81887946345.2005jbsd3322@kajp.replyprompt.com>
X-Delivered-To: ds1@replyprompt.com
Date: Thu, 16 Feb 2006 01:19:07 -0100
Received: (from nobody@aff81887946345.2005jbsd3322) by localhost (127.0.0.1) id 81887946345.2005jbsd3322 Thu, 16 Feb 2006 01:19:07 -0100
X-Sender:
Mime-Version: 1.0
From:
To:
Subject: Optin Confirmation Required
Reply-To:
Message-ID:
Content-Type: text/plain; charset="iso-8859-1"
X-AOL-IP: 172.18.151.234

where myotherdomain.com [64.246.x.x] is a different ip on the same server

thanks
kevin77284
In "View Mail Statistics" half the mail sent looks like it's coming from a legit user account, so I'm looking into that now to make sure there are no vulnerable scripts and such... the other half is coming from mailnull, would that be from messages trying to resend if sending them failed before?
uneedawebsite
I would also look at View Relayers to see if you can identify any unusual activity on a specific account.
kevin77284
There are no relayers listed, however in the mail stats generated there are over 5000 forwards like this:

1 localhost [127.0.0.1] admin@flashreply.com
=> mx1.hotmail.com [65.54.244.136] mehmet_41_1@hotmail.com
1 localhost [127.0.0.1] alcavalier@replyalert.com
=> mx1.mail.yahoo.com [4.79.181.14] irenekperez@yahoo.com
1 localhost [127.0.0.1] alcavalier@ultrafastreply.com
=> mx3.mail.yahoo.com [64.156.215.5] goldenkoi42@yahoo.com

also

Exim statistics from 2006-02-15 16:54:45 to 2006-02-16 20:36:47

Grand total summary
------------------- At least one address
TOTAL Volume Messages Hosts Delayed Failed
Received 165MB 27575 2532 3676 13.3% 7459 27.0%
Delivered 137MB 17628 1270

Top 50 sending hosts by message count
-------------------------------------
11114 87MB local
10160 27MB localhost
...

Top 50 sending hosts by volume
------------------------------
11114 87MB local
10160 27MB localhost
...

Top 50 local senders by message count
-------------------------------------
5841 49MB joedog
4789 17MB mailnull
...

Top 50 local senders by volume
------------------------------
5841 49MB joedog
4789 17MB mailnull
...

Top 50 host destinations by message count
-----------------------------------------
12593 118MB local
317 1101KB turboreply.com
310 1053KB mx3.mail.yahoo.com
305 1053KB mx1.mail.yahoo.com
290 1113KB mx2.mail.yahoo.com
210 517KB gateway-s.comcast.net
154 375KB gateway-r.comcast.net
138 293KB mail.charter.net
119 5796KB gmail-smtp-in.l.google.com
104 266KB sbcmx3.prodigy.net
...

Top 50 host destinations by volume
----------------------------------
12593 118MB local
119 5796KB gmail-smtp-in.l.google.com
290 1113KB mx2.mail.yahoo.com
317 1101KB turboreply.com
305 1053KB mx1.mail.yahoo.com
310 1053KB mx3.mail.yahoo.com
210 517KB gateway-s.comcast.net
154 375KB gateway-r.comcast.net
138 293KB mail.charter.net
104 266KB sbcmx3.prodigy.net
...

Top 50 local destinations by message count
------------------------------------------
11252 71MB joedog
184 1401KB jim
...

Top 50 local destinations by volume
-----------------------------------
11252 71MB joedog
18 15MB save-vs-dm
166 6497KB dan
...

I looked around the joedog account and the http logs for it and didn't notice anything unusual right away, so I'm thinking it might just be an account getting hit with a lot of spam (so I'm not sure if it's the source of the spam being sent by the server).

Also I'm not sure why the mailnull user has sent 4789 messages... any advice?
kevin77284
problem solved, after more searching it was the same problem this person had: http://forum.ev1servers.net/showthread.php?t=59968