Find out who is sending email on my server

[games_master]

Hey all,

I don't know if this is the correct category to post this in but it said Tech support so i guesses it would be correct.

But anyway, a client of mine is sending out mass emails from a script, and i see i got a massive mail queue on my server. I don't know exactly how to find out witch client it is because the emails are been sent from nobody@domain.com, so is there anyway of finding out? Through SSH or WHM?

Cheers in advance and hello to the people that might remember me I'm back .

[Hades]

can you redirect one of these messages to your inbox?
if you can receive at least 1 of the emails just click on view all headers of your email client and that will give you some info of the URL from which they were triggered.

I opened the headers of the messages I get from one of my websites and the header called "received from" gives me the path to the client subdomain on the server (ie: myclient.hostingname.co.uk), and it also gives me the IP of that domain.

[kieransimkin]

It would help if you told us what mail server you're running (Exim? Sendmail? Qmail?)

[games_master]

Hey,

Hades, I've checked the header and it says:
Received from nobody by "My Hostname"

And kieransimkin, I am running Exim 4.69

Cheers for the help.

[kieransimkin]

Question - does your web server run as 'nobody' ?

[games_master]

Yup.

[kieransimkin]

They're probably coming from an insecure formmailer script on one of your customer's websites. Check your users for unusual spikes in bandwidth usage and suspiciously large numbers of posts to "contact us" type forms and guestbooks.

[~ServerPoint~]

What is operation system installed there?
What email servers
What kind of access do you have for the server?

[SyfonicHosting]

Quote:

Originally Posted by ~ServerPoint~

What is operation system installed there?
What email servers
What kind of access do you have for the server?

If you are still interested in getting this issue resolved, please answer these questions...

[thewebhostingdir]

Quote:

Originally Posted by games_master

Hey all,

I don't know if this is the correct category to post this in but it said Tech support so i guesses it would be correct.

But anyway, a client of mine is sending out mass emails from a script, and i see i got a massive mail queue on my server. I don't know exactly how to find out witch client it is because the emails are been sent from nobody@domain.com, so is there anyway of finding out? Through SSH or WHM?

Cheers in advance and hello to the people that might remember me I'm back .

First you would to grep the logs for the email address 'nobody@domain.com' through SSH. To do this kindly use the below mentioend command to grep the logs:

cat /var/log/exim_mainlog | grep nobody@domain.com

You will get the list of email logs for the above mentinoed email address. Now select the header ID related to the mail and use the bleow mentioned command to grep the full header:

cat /var/log/exim_mainlog | grep 1KJXXX-123XX-XX

Once you grep the header ID you will get the actual email address through which you can check which SMTP authentication is used.

[SyfonicHosting]

Quote:

Originally Posted by thewebhostingdir

First you would to grep the logs for the email address 'nobody@domain.com' through SSH. To do this kindly use the below mentioend command to grep the logs:

cat /var/log/exim_mainlog | grep nobody@domain.com

You will get the list of email logs for the above mentinoed email address. Now select the header ID related to the mail and use the bleow mentioned command to grep the full header:

cat /var/log/exim_mainlog | grep 1KJXXX-123XX-XX

Once you grep the header ID you will get the actual email address through which you can check which SMTP authentication is used.

That's a nice tutorial. Mind if I share it on another forum?