
Exim spam on CentOS, how can I detect the source?

I have a lot of messages like this:

2012-10-03 06:53:36 1TJGxf-0006kG-F0 ** * @yahoo.com.tw F=< *@* . *> R=enforce_mail_permissions: Domain . * has exceeded the max emails per hour (250/200 (125%)) allowed. Message discarded.

I have never seen the Yahoo mail, of course, and there are approximately 10 messages like this every 5-10 seconds...

How could I detect the source?

How could I stop it?

In your example, the mail queue id is 1TJGxf-0006kG-F0. The first thing you want to do is look at the logs for that email. There are two possible ways, depending upon how exim is configured. Try this first:

exim -Mvl 1TJGxf-0006kG-F0

It will print out the logs for that email, including what IP address it came from, if there was any user who authenticated, etc. Exim can be configured not to track this individual message information and we don't know how your exim is configured, so if that doesn't work, then run this instead:

exigrep 1TJGxf-0006kG-F0 /var/log/exim/main.log

You may have to find which log file your exim is logging to. Here is how I would find that on my system:

# exim -bP | grep log_file_path
log_file_path = /var/log/exim/%s.log

Then use that result to figure out where your logfile is.

Having given you those tools to dig and find your info, I strongly suspect that you are running some website that has a submission form that is insecure. By "insecure", I mean that some web bot is able to submit a sender, a recipient, and a message body and is using that form to send out massive amounts of spam. The logs above will probably confirm that it's originating from your web server and not from somewhere outside. Of course, it could also be some user account that is compromised because they used a spectacularly simple password of "12345" or "secret" and spam bots are connecting to that account from all over the world and using it to send out spam.

The first step is identifying the source of the spam (local web form, compromised account, etc.) and then blocking that.
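The triage the answer describes, scripted as an added example (not part of the original answer): it pulls the queue IDs of every rate-limited discard out of a main.log, looks up each message's "<=" arrival line the way exigrep would, and tallies where the mail entered Exim, separating local submissions by a system user (U=, typically a web server running a form script) from authenticated SMTP logins (A=, a possibly compromised mailbox) and plain remote hosts. The log lines, queue IDs, users and addresses are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of an Exim main.log (queue IDs, hosts and addresses are made up):
# four messages arrive ("<="); the rate-limit router discards three of them ("**").
SAMPLE_LOG="${TMPDIR:-/tmp}/exim-sample-main.log"
cat > "$SAMPLE_LOG" <<'EOF'
2012-10-03 06:53:30 1TJGxf-0006kG-F0 <= bounce@example.test U=apache P=local S=812 id=1@webhost
2012-10-03 06:53:36 1TJGxf-0006kG-F0 ** a@yahoo.com.tw F=<bounce@example.test> R=enforce_mail_permissions: Domain example.test has exceeded the max emails per hour (250/200 (125%)) allowed. Message discarded.
2012-10-03 06:53:40 1TJGxj-0006kK-1Q <= bounce@example.test U=apache P=local S=820 id=2@webhost
2012-10-03 06:53:41 1TJGxj-0006kK-1Q ** b@yahoo.com.tw F=<bounce@example.test> R=enforce_mail_permissions: Domain example.test has exceeded the max emails per hour (251/200 (125%)) allowed. Message discarded.
2012-10-03 06:53:45 1TJGxo-0006kP-2Z <= bob@example.test H=(mail) [203.0.113.9] P=esmtpa A=dovecot_plain:bob@example.test S=900
2012-10-03 06:53:46 1TJGxo-0006kP-2Z ** c@yahoo.com.tw F=<bob@example.test> R=enforce_mail_permissions: Domain example.test has exceeded the max emails per hour (252/200 (126%)) allowed. Message discarded.
2012-10-03 06:54:00 1TJGy1-0006kX-3A <= alice@example.test H=(pc) [198.51.100.7] P=esmtpa A=dovecot_plain:alice@example.test S=500
2012-10-03 06:54:01 1TJGy1-0006kX-3A => dave@example.org R=dnslookup T=remote_smtp H=mx.example.org [192.0.2.25]
EOF

# Queue IDs (third field of every Exim log line) of messages the rate limit discarded.
discarded_ids() {
  awk '/has exceeded the max emails per hour/ && /Message discarded/ { print $3 }' "$1"
}
discard_count() { discarded_ids "$1" | awk 'END { print NR }'; }

# Where one queue ID entered Exim, read from its "<=" arrival line (what exigrep shows).
# Prints U=<user> for a local submission, A=<auth> for authenticated SMTP, else H=<peer IP>.
origin_of() {
  awk -v id="$2" '$3 == id && $4 == "<=" {
      ip = "unknown"
      for (i = 5; i <= NF; i++) {
        if ($i ~ /^U=/) { print $i; exit }
        if ($i ~ /^A=/) { print $i; exit }
        if ($i ~ /^\[.*\]$/) ip = $i
      }
      print "H=" ip
    }' "$1"
}

# Tally origins over all discarded messages; the top entry is where the spam is coming from.
origin_tally() {
  for id in $(discarded_ids "$1"); do origin_of "$1" "$id"; done | sort | uniq -c | sort -rn
}
top_origin() { origin_tally "$1" | head -n 1 | awk '{ print $2 }'; }

echo "discarded: $(discard_count "$SAMPLE_LOG")"
origin_tally "$SAMPLE_LOG"
```

On a real server, point SAMPLE_LOG at the path reported by `exim -bP log_file_path`; a top entry of U=apache (or another web-server user) points at a form script, while an A= entry names the mailbox whose credentials are being abused.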
