How to stop this spammer?
Hello Guys.
I am not able to locate the user that is sending thousands of emails to one email address. He is sending mails via remote (I have already restricted it).
Here how it looks:
s14.postimg.org/j3oh5csox/Unbenannt.png
Thank you!
I thought <> was the system?
No, there are different sender IPs.
Hello, Could you review the message headers of some of those messages to see if you notice any additional information? Also, try reviewing /var/log/exim_mainlog for more details on the potential source of the mail. Thank you.
Here is one of the email headers:
Date: Tue, 12 May 2015 17:57:31 +0000 (UTC)
From: MAILER-DAEMON@yahoo.com
To: noelmcgrathnoel@somedomain.com.au
Subject: Delivery failure
Delivery-date: Tue, 12 May 2015 19:57:40 +0200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1431453451; bh=n304UVi/eq91NvQQeV7cY3AGsb8RKf87EVI4X+yI3jY=; h=Date:From:To:Subject:From:Subject; b=i4WBHnROeRNou55ATh7sc950j9EKyMivLJupYWeRtPDwhiSU4JxEk+tXEtuBSweKHo192V4zraDNvSIS/xrb3SC3N9fleTOj56G6+mxG7+y9IWLDW/xaYyEMoAznQXRuO8yv6gr5+1fDxFZtf+Kee0Q9X/S39fJa0xz5tMwI4iNiV+hwn0GM1BseGgSWfIoCJ+5eiqIr+OPh/XK57VqauFb1ihMWkeuYf0jfD01TOn63ufvTseehYwFMe17UF9zbzRhBpt06KE4MBvTKKFOXXD5HZxGb0MCuI5aM7inY6n8AwDGrKKtWI/oiNKJKovjZJMQivRkU+p2lpL+lj+maWg==
Envelope-to: noelmcgrathnoel@somedomain.com.au
Message-ID: <150607.77793.bm@omp1015.mail.gq1.yahoo.com>
Received: from nm10-vm6.bullet.mail.gq1.yahoo.com ([98.136.218.141]:38313) by cpanel.server07.ovh with esmtps (TLSv1:RC4-SHA:128) (Exim 4.85) id 1YsEQu-0006CK-Ox for noelmcgrathnoel@somedomain.com.au; Tue, 12 May 2015 19:57:40 +0200
Received: from [98.137.12.175] by nm10.bullet.mail.gq1.yahoo.com with NNFMP; 12 May 2015 17:57:31 -0000
Received: from [98.137.12.207] by tm14.bullet.mail.gq1.yahoo.com with NNFMP; 12 May 2015 17:57:31 -0000
Received: from [127.0.0.1] by omp1015.mail.gq1.yahoo.com with NNFMP; 12 May 2015 17:57:31 -0000
Return-path: <>
X-Ham-Report: Spam detection software, running on the system "cpanel.server09.ovh", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see root\@localhost for details.
Content preview: Message from yahoo.com. Unable to deliver message to the following address(es). : Sorry your message to hamedshafipor@yahoo.com cannot be delivered. This account has been disabled or discontinued [#102]. [...]
Content analysis details: (-0.1 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: somedomain.com.au]
0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (mailer-daemon[at]yahoo.com)
-0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) [98.136.218.141 listed in wl.mailspike.net]
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
X-Loop: MAILER-DAEMON@yahoo.com
X-Rocket-Delivery: 9xtDVgE3bBsJKEJ1rNM3QQM7uYsLrYfCBrRPaYKWgKQRtJ01n3m8AOVurvYY11dbgH47uu7B7Ysk65Toyp8fRYG9bHuDIiVkONdFcCt6nVtppRrZIxz0ZDLDOuvrvmUN8CpR.1lJajkWnY5WRym9BNCSF1ncsaV6OEP7Qr79cHUwweY8uf9rOzkeTQKYFuZRIoLg4a2_FVHmZpOtLcmzXlrR.Uwsz1kFjw--
X-RocketRCL: ;;;639
X-RocketSRV: s_ip=210.164.134.2;d_t=1431453421;Retro=Y;SgrnP=N;FolderOfDelivery= ;msgid=1431453415.972961.87623@mta1634.mail.gq1.yahoo.com#0;
X-RocketTIP: 210.164.134.2 ; NO_TIP_HEADER_ALLOWED ;
X-Spam-Bar: /
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Status: No, score=-0.1
X-Yahoo-Newman-Id: 150607.77793.bm@omp1015.mail.gq1.yahoo.com
X-Yahoo-Newman-Property: ymail-5

Message from yahoo.com. Unable to deliver message to the following address(es).
: Sorry your message to hamedshafipor@yahoo.com cannot be delivered. This account has been disabled or discontinued [#102].
: Sorry your message to hamedsky36@yahoo.com cannot be delivered. This account has been disabled or discontinued [#102].
: Sorry your message to hamedvolet@yahoo.com cannot be delivered. This account has been disabled or discontinued [#102].
: This user doesn't have a yahoo.com account (hameed.mohd89@yahoo.com) [-5]
: This user doesn't have a yahoo.com account (hameed.umer@yahoo.com) [-5]
: Sorry your message to hameed179@yahoo.com cannot be delivered. This account has been disabled or discontinued [#102].
: This user doesn't have a yahoo.com account (hameed386@yahoo.com) [-5]
: This user doesn't have a yahoo.com account (hameed@yahoo.com) [-5]
: Sorry your message to hameed_a62@yahoo.com cannot be delivered. This account has been disabled or discontinued [#102].
: This user doesn't have a yahoo.com account (hameed_pm007@yahoo.com) [0]
: This user doesn't have a yahoo.com account (hameed_varpat@yahoo.com) [-5]
: Sorry your message to hameedbhat@yahoo.com cannot be delivered. This account has been disabled or discontinued [#102].

--- Original message follows.
The original message is over 5K. Message truncated.
Return-Path:
X-YahooFilteredBulk: 210.164.134.2
Received-SPF: none (domain of somedomain.com.au does not designate permitted sender hosts)
X-YMailISG: 2tJhMoMWLDshezeSImngf.XSq1Ry8GREcxlxq2qgXV06eBdz 5GNjq0ZkXjym99Bsih67VkCOCHuWXXJOyrmlKNxfVt9fcsBwA7VPjIkvZt.M yz3nN8RwT.nBz4CJDdGwc5a2uQqk0AewwYqRO9TIdJIVF9w0ltVr1H4PgGVi HzcvBHYr3KKI3qPMcy8mMHRFjGE2FJFzLJXjvHCVYwh7wpMe6.9N5qJA.xdV .zzc3qY0G6iyMQbvjHvwIUKsZU9QPRFffqQePolGGw5ztQ0ev31f2CcIhgJV bmqdQq6DAWJrpxrB6XqOE_TnyxvvM0Tru5dh0.cNtghCm577hdLGmrPGpHZk .sJt86laeADVgQAj7f.8z48n39xjDe14UD2.9Geag.zpT9dbABUEzo8cBPY1 0BA5rBLbIQXyMWdlW1ulnABahur8Q_kKNbmVucpZ4zhr3ASWMmg0aC5UMYBF lIphu_LCi9gZMmgT8rNNt_hHAxryMuUtkSNv0v762SmBbwO3s_umTkibSS6a M0Sy8Imx3ddStRQNC.YhbPLCoYcKr4v.jHwGe1_m4Xja0x7dGBUtdLu5EGDN XC6FvQCfW_k_aaNzJngGvmjk.AsbmvnQkPAMnO.adgjQwN9pcNufPqQsZZdH dhZk0.SyGXV30eUWD9SCPczgRSj4k2JKL7o0NnDlyd24uKoyx_g7hKxK0qfu DDZ2lgbsbn_fOOIMDHxrhuvZ9Y3GdULeEhn2fKwNRIVi.hBGjBveHt5XnC8e ceyrBk42vSNYV_gCbb3JpCAffNaBMa2JKWN2rdueh6G_WBbWv2ZpJTOgCqDx acWzkpm_rHyNYhxf_xsaBRBCzXC_6H11FVgxKf2kWN3ZVOgwDpx6OmYP798Y J2V3GsKXlHJIcf8re8NVwhhO0uCNSNzqSLo2MMH83lXt1
somedomain.com.au is hosted with me, but that email address does not exist. I have enabled asking for HELO before delivery, but this did not happen for this account.
Here is some more info:
Event: success success
Sender User: -remote-
Sender Domain:
Sender: <>
Sent Time: May 12, 2015 7:57:19 PM
Sender Host: nm10-vm6.bullet.mail.gq1.yahoo.com
Sender IP: 98.136.218.141
Authentication: localdelivery
Spam Score: -0.1
Recipient: noelmcgrathnoel@somedomain.com.au
Delivered To: crystal1@somedomain.com.au
deliveryuser: crystal1
deliverydomain: somedomain.com.au
Router: localuser
Transport: local_delivery
Out Time: May 12, 2015 7:57:19 PM
ID: 1YsEQu-0006CK-Ox
Delivery Host: localhost
Delivery IP: 127.0.0.1
Size: 7.5 KB
Result: Message accepted
Hello, Try running the following command:
awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr
This will list the source and the number of messages from each source. Thank you.
Ok, I got this:
12879 cwd=/var/spool/exim
1851 cwd=/home/laboneme
1145 cwd=/etc/csf
866 cwd=/
795 cwd=/home/lawebdechile
795 cwd=/home/hostsclc
Check the account that's sent 1851 messages to determine if any scripts installed are utilized to send out SPAM. Thank you.
I have suspended that account and still emails get sent. Any other option?
Are you sure new messages have been sent out? Have you removed the existing messages from the mail queue so they are not retried? If so, try searching for "somedomain.com.au" in /var/log/exim_mainlog to see if you can find out more information. EX:
exigrep somedomain.com.au /var/log/exim_mainlog
Thank you.
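The two log searches suggested in this thread (the awk pipeline that counts cwd= sources, and searching exim_mainlog for the hosted domain) combined into one script. This is an added example, not part of the thread and not a cPanel or Exim tool. It runs on a few constructed exim_mainlog lines embedded in the script: the first message mirrors the bounce shown above (null envelope sender <>, Yahoo host, message id 1YsEQu-0006CK-Ox); every other hostname, IP address, message id and account name in the sample is made up, and the line format assumed is Exim's standard mainlog with the arguments log selector that produces the cwd= lines. Beyond reproducing the awk count, it tallies arrivals with an empty envelope sender per recipient and per connecting host, which is the figure that distinguishes bounces of mail forged with the domain's addresses (many sending hosts, one local victim address, Return-path <>, as in the header posted above) from a compromised local account (many messages with U=<user> from one cwd).

```python
import re
from collections import Counter

# Constructed sample of exim_mainlog lines (Exim's one-line-per-event format with
# the arguments log selector, which produces the "cwd=" lines the awk command counts).
# Only the first message mirrors the bounce shown in the thread; the rest is invented
# (example.org/example.com hosts, RFC 5737 test addresses, made-up message ids).
SAMPLE_LOG = """\
2015-05-12 19:57:40 1YsEQu-0006CK-Ox <= <> H=nm10-vm6.bullet.mail.gq1.yahoo.com [98.136.218.141]:38313 P=esmtps X=TLSv1:RC4-SHA:128 S=7681 T="Delivery failure" for noelmcgrathnoel@somedomain.com.au
2015-05-12 19:57:40 1YsEQu-0006CK-Ox => crystal1 <noelmcgrathnoel@somedomain.com.au> R=localuser T=local_delivery
2015-05-12 19:57:40 1YsEQu-0006CK-Ox Completed
2015-05-12 19:58:01 cwd=/home/laboneme 3 args: /usr/sbin/sendmail -t -i
2015-05-12 19:58:01 1YsERF-0006D2-Aa <= laboneme@somedomain.com.au U=laboneme P=local S=2100 T="newsletter" for someone@example.net
2015-05-12 19:58:03 cwd=/home/laboneme 3 args: /usr/sbin/sendmail -t -i
2015-05-12 19:58:05 1YsERG-0006D7-Bb <= <> H=mta2.example.org [192.0.2.10]:25 P=esmtp S=5120 T="Undelivered Mail" for janedoe@somedomain.com.au
2015-05-12 19:58:10 cwd=/var/spool/exim 4 args: /usr/sbin/exim -Mc 1YsERF-0006D2-Aa
2015-05-12 19:58:11 1YsERH-0006DA-Cc <= <> H=mx3.example.com [198.51.100.7]:25 P=esmtp S=4800 T="Delivery Status Notification" for noelmcgrathnoel@somedomain.com.au
"""

# "<=" marks a message arriving; the envelope sender follows it.  An empty
# sender "<>" is the null reverse-path that bounces (DSNs) are sent with.
ARRIVAL_RE = re.compile(r"^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+)(?P<rest>.*)$")
HOST_RE = re.compile(r" H=(?P<host>\S+) \[(?P<ip>[^\]]+)\]")
FOR_RE = re.compile(r" for (?P<rcpt>\S+)$")


def count_cwd(log_text):
    """Python equivalent of: awk '$3 ~ /^cwd/{print $3}' | sort | uniq -c | sort -nr

    Returns [("cwd=/path", count), ...] with the busiest source first."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2].startswith("cwd="):
            counts[fields[2]] += 1
    return counts.most_common()


def bounce_arrivals(log_text, domain):
    """Arrivals with a null envelope sender that are addressed to `domain`.

    Each hit carries the Exim message id, the local recipient and the
    connecting host/IP: the fields you would otherwise read off by hand from
    `exigrep <domain> /var/log/exim_mainlog`."""
    suffix = "@" + domain.lower()
    hits = []
    for line in log_text.splitlines():
        m = ARRIVAL_RE.match(line)
        if not m or m.group("sender") != "<>":
            continue
        rest = m.group("rest")
        f = FOR_RE.search(rest)
        if not f or not f.group("rcpt").lower().endswith(suffix):
            continue
        h = HOST_RE.search(rest)
        hits.append({
            "id": m.group("id"),
            "rcpt": f.group("rcpt"),
            "host": h.group("host") if h else None,
            "ip": h.group("ip") if h else None,
        })
    return hits


def backscatter_summary(log_text, domain):
    """Totals per victim address and per sending host.  Many hosts converging on
    one local address is the shape of bounce backscatter; a compromised local
    account instead shows up in count_cwd() and in '<=' lines carrying U=<user>."""
    hits = bounce_arrivals(log_text, domain)
    return {
        "total": len(hits),
        "by_recipient": Counter(h["rcpt"] for h in hits).most_common(),
        "by_host": Counter(h["host"] for h in hits).most_common(),
    }


if __name__ == "__main__":
    # On a real server: log_text = open("/var/log/exim_mainlog").read()
    for cwd, n in count_cwd(SAMPLE_LOG):
        print(f"{n:6d} {cwd}")
    summary = backscatter_summary(SAMPLE_LOG, "somedomain.com.au")
    print(f"{summary['total']} bounces addressed to somedomain.com.au")
    for rcpt, n in summary["by_recipient"]:
        print(f"  {n} -> {rcpt}")
    for host, n in summary["by_host"]:
        print(f"  {n} from {host}")
```

On the sample, count_cwd() reports /home/laboneme twice and /var/spool/exim once, while the bounce summary shows three null-sender arrivals from three different hosts, two of them to the same local address. That second figure is what the queue and the awk count cannot show: mail that never left this server cannot be stopped by suspending a local account, because it is other servers' bounces of forged mail. The "Received-SPF: none" header in the thread is the related check a defender would look at for the hosted domain.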