Spam coming from server

Comments

5 comments

  • SysSachin
    Can you please tell me the output for this command:

        grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
  • Jr Sarath
    Here it is the output
    +++++++++++++++++++++++++++++++++++++
          1 /home/allierph/public_html
          1 /home/breakinw/public_html
          1 /home/teamspot/public_html
          1 /root
          2 /home/dmydesig/public_html
          2 /home/mahporta
          2 /home/scottde1/public_html
          4
          9 /home/penjaske
         15 /usr/local/cpanel/whostmgr/docroot
         34 /home/psgarmen
         53 /home/bozurgco
         64 /home/sbytpost/public_html
        108 /home/bdiltour
        174 /etc/csf
    ++++++++++++++++++++++++++++++++++++++
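As an added example (not posted by anyone in this thread): a Python equivalent of the grep/awk pipeline quoted above, run over a few constructed exim_mainlog lines. It returns the same count/path pairs the pipeline prints (ties broken by path) and additionally rolls the counts up to the cPanel account that owns each /home path, which is the figure an admin needs when deciding which account to inspect first. The log lines, account names and paths are made up for the example.

```python
import re
from collections import Counter

# Constructed sample of /var/log/exim_mainlog lines (not from the thread).
# A "cwd=" field appears on lines where Exim logs the arguments of a locally
# invoked sendmail; delivery lines (the "<=" one) carry no cwd.
SAMPLE_LOG = """\
2017-11-15 11:18:07 cwd=/home/bozurgco 5 args: /usr/sbin/sendmail -t -i -f nobody
2017-11-15 11:18:08 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1eEqYI-0001CQ-LC
2017-11-15 11:18:09 cwd=/home/bozurgco/public_html/wp-content 5 args: /usr/sbin/sendmail -t -i
2017-11-15 11:18:10 cwd=/etc/csf 4 args: /usr/sbin/sendmail -t -f root
2017-11-15 11:18:11 1eEqYI-0001CQ-LC <= 2871032039@qq.com H=(pcloud.com) [117.63.76.121] P=smtp S=1234
2017-11-15 11:18:12 cwd=/home/bozurgco 5 args: /usr/sbin/sendmail -t -i -f nobody
"""

CWD_RE = re.compile(r"cwd=(\S+)")


def count_cwd(log_text, exclude_prefix="/var/spool"):
    """Equivalent of:
    grep cwd | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
    Returns [(count, path), ...] sorted by ascending count, then path."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CWD_RE.search(line)
        if not m:
            continue  # no cwd= field on this line (e.g. a delivery line)
        if exclude_prefix in line:
            continue  # mimics grep -v, which drops the whole line
        counts[m.group(1)] += 1
    return sorted((n, path) for path, n in counts.items())


def owning_account(path):
    """Map a cwd to the cPanel account under /home/<user>/, or None for system paths."""
    m = re.match(r"^/home/([^/]+)", path)
    return m.group(1) if m else None


def summarize_by_account(log_text):
    """Total sendmail invocations per account; system paths are grouped as '(system)'."""
    per_account = Counter()
    for n, path in count_cwd(log_text):
        per_account[owning_account(path) or "(system)"] += n
    return dict(per_account)


if __name__ == "__main__":
    for n, path in count_cwd(SAMPLE_LOG):
        print(f"{n:7d} {path}")
    print(summarize_by_account(SAMPLE_LOG))
```

A high count under a single account's public_html (as with the 64 and 108 entries in the output above) points at a script in that document root invoking sendmail, while counts under /etc/csf or /usr/local/cpanel are the firewall and control panel's own notifications.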
  • Infopro
    so i got a huge spam report sending by our own server to our own email

    What does this mean exactly, can you be more specific please?
  • Jr Sarath
    What does this mean exactly, can you be more specific please?

    here is sample email
    =======================================================
    Return-Path: <2871032039@qq.com>
    Delivered-To: contact+Junk@example.com
    Received: from yellow.domain.us by yellow.domain.us with LMTP id gCs5ORvVC1r+EgAAt+PjBg
        for ; Wed, 15 Nov 2017 11:18:11 +0530
    Return-path: <2871032039@qq.com>
    Envelope-to: contact@example.com
    Delivery-date: Wed, 15 Nov 2017 11:18:11 +0530
    Received: from [117.63.76.121] (port=58690 helo=pcloud.com)
        by yellow.domain.us with smtp (Exim 4.89)
        (envelope-from <2871032039@qq.com>)
        id 1eEqYI-0001CQ-LC
        for contact@example.com; Wed, 15 Nov 2017 11:18:07 +0530
    Received: from pcloud.com (unknown (251.253.138.244]) by pcloud.com with SMTP id c6186503-f821-4c97-bdf5-47bd96938f3f;
        for <2871032039@qq.com>;Wed, 15 Nov 2017 13:46:46 +08:00
    Message-ID:
    From: "=?utf-8?B?6Z+p5a2Q?=" <2871032039@qq.com>
    To:
    Date: Wed, 15 Nov 2017 13:46:46 +0800
    MIME-Version: 1.0
    Content-Type: multipart/alternative; boundary="9e8abb380d27d759f03d13c200026040"
    Disposition-Notification-To: 2871032039@qq.com
    X-Spam-Status: Yes, score=12.2
    X-Spam-Score: 122
    X-Spam-Bar: ++++++++++++
    X-Spam-Report: Spam detection software, running on the system "yellow.intersite.us",
        has identified this incoming email as possible spam. The original message
        has been attached to this so you can view it or label similar future email.
        If you have any questions, see root\@localhost for details.

        Content preview: zc""""""116498"com"""""38""""""""778741365 """"49"?
        zc""""""116498"com"""""38""""""""778741365 """"49"? [...]

        Content analysis details: (12.2 points, 5.0 required)

         pts rule name                  description
        ---- ---------------------- --------------------------------------------------
         0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in digit (2871032039[at]qq.com)
         0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail provider (2871032039[at]qq.com)
         4.0 SPF_HELO_FAIL          SPF: HELO does not match SPF record (fail) [SPF failed: Please see SPF: Why]
         4.0 SPF_FAIL               SPF: sender does not match SPF record (fail) [SPF failed: Please see SPF: Why]
         0.0 HTML_MESSAGE           BODY: HTML included in message
         2.0 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
         2.0 RDNS_NONE              Delivered to internal network by a host with no rDNS
         0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
    X-Spam-Flag: YES
    Subject: ***SPAM*** =?utf-8?B?YeW9leWPlumAmuefpeS5puOAjua+s+mWgOaWsOiRoeS6rOacnw==?=
        =?utf-8?B?5b6F5oKo55qE5Yqg5YWlLemHpumHpu+8mjc3ODY4NDE2MiAt6Ki75YaK?=
        =?utf-8?B?6YCBMzgt5YWt55uSNDktMTE2NDk46bueY29t44CP54+g6IGU55Kn5ZCI?=

    This is a multi-part message in MIME format.

    --9e8abb380d27d759f03d13c200026040
    Content-Type: text/plain; charset="utf-8"
    Content-Transfer-Encoding: quoted-printable

    zc=E2=89=AE=E6=BE=B3=E9=96=80=E6=96=B0=E8=91=A1=E4=BA=AC116498=E9=BB=9Ecom=
    =EF=BD=9C=E8=A8=BB=E5=86=8A=E5=8D=B3=E9=80=8138=E5=8F=8A=E5=B7=A5=E8=B3=87=
    =EF=BD=9C=E9=87=A6=E9=87=A6=EF=BC=9A778741365 =
    =EF=BD=9C=E5=85=AD=E7=9B=9249=E5=82=99?

    --9e8abb380d27d759f03d13c200026040
    Content-Type: text/html; charset="utf-8"
    Content-Transfer-Encoding: quoted-printable

    zc=E2=89=AE=E6=BE=B3=E9=96=80=E6=96=B0=E8=91=A1=E4=BA=AC116498=E9=BB=9Ecom=
    =EF=BD=9C=E8=A8=BB=E5=86=8A=E5=8D=B3=E9=80=8138=E5=8F=8A=E5=B7=A5=E8=B3=87=
    =EF=BD=9C=E9=87=A6=E9=87=A6=EF=BC=9A778741365 =
    =EF=BD=9C=E5=85=AD=E7=9B=9249=E5=82=99?

    --9e8abb380d27d759f03d13c200026040--
    ===================================================================
    We are getting tons of emails like this
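Added example (not part of the thread): a small Python header-chain parser, fed the headers of the message posted above (reformatted, bodies dropped) plus a constructed locally submitted message for contrast. It unfolds the headers, parses each Received: hop, and reports the hop at which the mail entered the server named in own_hosts. For the posted sample that is the hop accepted from [117.63.76.121] with HELO pcloud.com, i.e. inbound SMTP from outside, which is what distinguishes spam addressed to you from mail generated by a script on your own server (whose first hop would read "from nobody ... with local"). The own_hosts list and the local-submission sample are assumptions made for the example.

```python
import re

# Headers of the message posted in this thread, unflattened into one header per
# line (continuation lines tab-indented, MIME bodies dropped). Values are the post's.
SAMPLE_HEADERS = """\
Return-Path: <2871032039@qq.com>
Delivered-To: contact+Junk@example.com
Received: from yellow.domain.us by yellow.domain.us with LMTP id gCs5ORvVC1r+EgAAt+PjBg
\tfor ; Wed, 15 Nov 2017 11:18:11 +0530
Envelope-to: contact@example.com
Received: from [117.63.76.121] (port=58690 helo=pcloud.com)
\tby yellow.domain.us with smtp (Exim 4.89)
\t(envelope-from <2871032039@qq.com>)
\tid 1eEqYI-0001CQ-LC
\tfor contact@example.com; Wed, 15 Nov 2017 11:18:07 +0530
Received: from pcloud.com (unknown (251.253.138.244]) by pcloud.com with SMTP id c6186503-f821-4c97-bdf5-47bd96938f3f;
\tfor <2871032039@qq.com>;Wed, 15 Nov 2017 13:46:46 +08:00
From: "=?utf-8?B?6Z+p5a2Q?=" <2871032039@qq.com>
X-Spam-Status: Yes, score=12.2
X-Spam-Flag: YES
"""

# Constructed (not from the thread): the first hop of a message that a script on
# the server itself handed to Exim through /usr/sbin/sendmail.
LOCAL_SUBMISSION = """\
Received: from nobody by yellow.domain.us with local (Exim 4.89)
\t(envelope-from <nobody@yellow.domain.us>)
\tid 1eEqZZ-0001DD-AA
\tfor someone@example.net; Wed, 15 Nov 2017 11:20:00 +0530
From: nobody@yellow.domain.us
"""

HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)"            # token after 'from': host name or [ip]
    r"(?:\s+\((?P<extra>[^)]*)\))?"    # optional (port=.. helo=..) / (unknown ..) comment
    r".*?\bby\s+(?P<by>\S+)", re.S)
IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


def unfold_headers(raw):
    """Join RFC 5322 folded continuation lines; return [(name_lower, value), ...] in order."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    out = []
    for line in lines:
        name, _, value = line.partition(":")
        out.append((name.strip().lower(), value.strip()))
    return out


def received_hops(raw):
    """Parse each Received: header (first = most recent) into from/ip/helo/by fields."""
    hops = []
    for name, value in unfold_headers(raw):
        if name != "received":
            continue
        m = HOP_RE.search(value)
        if not m:
            hops.append({"from": None, "ip": None, "helo": None, "by": None})
            continue
        extra = m.group("extra") or ""
        ip = IP_RE.search(m.group("from")) or IP_RE.search(extra)
        helo = re.search(r"helo=(\S+)", extra)
        hops.append({"from": m.group("from"),
                     "ip": ip.group(1) if ip else None,
                     "helo": helo.group(1) if helo else None,
                     "by": m.group("by")})
    return hops


def entry_hop(hops, own_hosts):
    """Walk newest to oldest and return the first hop one of our hosts accepted
    from something that is not one of our hosts: that is where the mail entered."""
    own = {h.lower() for h in own_hosts}
    for hop in hops:
        src = (hop["from"] or "").lower().strip("[]")
        if hop["by"] and hop["by"].lower() in own and src not in own:
            return hop
    return None


def is_external_submission(raw, own_hosts):
    """True when the entry hop carries a remote IP (network SMTP), False for local injection."""
    hop = entry_hop(received_hops(raw), own_hosts)
    return hop is not None and hop["ip"] is not None


def spam_score(raw):
    """Score reported by SpamAssassin in X-Spam-Status, or None if absent."""
    for name, value in unfold_headers(raw):
        if name == "x-spam-status":
            m = re.search(r"score=([\d.]+)", value)
            return float(m.group(1)) if m else None
    return None


if __name__ == "__main__":
    own = ["yellow.domain.us"]
    print("sample:", entry_hop(received_hops(SAMPLE_HEADERS), own), spam_score(SAMPLE_HEADERS))
    print("local: ", entry_hop(received_hops(LOCAL_SUBMISSION), own))
```

Run against a mailbox of the reported messages, a consistent "external" verdict with remote IPs means the server is the victim of inbound spam and the fix is on the receiving side (SPF/rDNS rejection, SpamAssassin scoring), whereas "local" verdicts would corroborate the cwd counts from the exim_mainlog pipeline earlier in the thread.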
  • rpvw
    Looks to me that these mails are from qq.com (search for qq.com spam in your favourite search engine).

    If you have any evidence that one or more of your (or your customer) email accounts is sending these mails, you should take steps to immediately change the cPanel/FTP/eMail/root/reseller....etc etc account passwords as appropriate and treat the incident as if your server has been compromised.

    If you have any evidence that a script on your server is responsible for sending these emails, you will probably need to engage an experienced server security administrator to help track it down and secure the server if at all possible.

    Also see these two SPF rejection reports: SPF: Why SPF: Why

    You may also find some useful tips and advice from