Linux Red Hat Question
Started by: Da Pittman

Da Pittman

Posted this on the Linux forum and am not getting any help, so I thought I would try here in case there are any KMC programmers out there who can help me.

I have been having this issue for about a week now and it looks like one of our clients has been infected by a spam virus that is sending out emails through his computer; however, I'm not able to figure out which client this is. We run cPanel and I have checked the logs for any increases in SMTP traffic and I'm not seeing any spikes, and in the log files I'm not able to find any noticeable traffic. I have tried searching the log files for suspicious message IDs, but every time I do the message ID is not found, so I'm not able to look at the header information for sent mail. Our normal traffic is about 300 to 400 a day and we have been hitting close to 2,000 daily according to GoDaddy SMTP reports. We have checked our system and it doesn't accept open relays.

I have been searching on the net trying to find some answers to this problem, but either the suggestions haven't panned out or I'm not finding what I'm looking for. Any help would be great because we are trying to stop this so that our IP is not blacklisted for spam.


Operating System: Red Hat Fedora Core 7

Sample of the exim_mainlog; client email addresses have been starred out.

2009-05-29 07:50:51 H=(FSINGVA) [125.211.167.243] rejected MAIL <[email protected]>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2009-05-29 07:50:53 H=adsl-84-227-23-6.adslplus.ch [84.227.23.6] F=<[email protected]> rejected RCPT <*******@*******.net>: "JunkMail rejected - adsl-84-227-23-6.adslplus.ch [84.227.23.6] is in an RBL, see Blocked - see http://www.spamcop.net/bl.shtml?84.227.23.6"
2009-05-29 07:50:53 H=adsl-84-227-23-6.adslplus.ch [84.227.23.6] Warning: "Increment Connection Ratelimit - adsl-84-227-23-6.adslplus.ch [84.227.23.6] because of RBL match"
2009-05-29 07:51:09 no IP address found for host host-41-196-156-251.static.link.com.eg (during SMTP connection from [41.196.156.251])
2009-05-29 07:51:12 H=(host-41-196-156-251.static.link.com.eg) [41.196.156.251] F=<[email protected]> rejected RCPT <*******@*******.net>: "JunkMail rejected - (host-41-196-156-251.static.link.com.eg) [41.196.156.251] is in an RBL, see Blocked - see http://www.spamcop.net/bl.shtml?41.196.156.251"
2009-05-29 07:51:12 H=(host-41-196-156-251.static.link.com.eg) [41.196.156.251] Warning: "Increment Connection Ratelimit - (host-41-196-156-251.static.link.com.eg) [41.196.156.251] because of RBL match"
2009-05-29 07:51:12 H=(host-41-196-156-251.static.link.com.eg) [41.196.156.251] Warning: Sender rate 0.0 / 1h
2009-05-29 07:51:44 H=c-76-108-210-126.hsd1.fl.comcast.net [76.108.210.126] F=<[email protected]> rejected RCPT <*******@******.com>: "JunkMail rejected - c-76-108-210-126.hsd1.fl.comcast.net [76.108.210.126] is in an RBL, see Blocked - see http://www.spamcop.net/bl.shtml?76.108.210.126"
2009-05-29 07:51:44 H=c-76-108-210-126.hsd1.fl.comcast.net [76.108.210.126] Warning: "Increment Connection Ratelimit - c-76-108-210-126.hsd1.fl.comcast.net [76.108.210.126] because of RBL match"
2009-05-29 07:51:44 H=c-76-108-210-126.hsd1.fl.comcast.net [76.108.210.126] Warning: Sender rate 0.0 / 1h
2009-05-29 07:51:57 no IP address found for host 18912188161.user.veloxzone.com.br (during SMTP connection from [189.12.188.161])
2009-05-29 07:51:58 H=(pappiro2) [189.12.188.161] rejected MAIL <[email protected]>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2009-05-29 07:53:23 no host name found for IP address 59.93.127.133
2009-05-29 07:53:25 H=(VQEGLBS) [59.93.127.133] rejected MAIL <[email protected]>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2009-05-29 07:53:36 no IP address found for host 18912188161.user.veloxzone.com.br (during SMTP connection from [189.12.188.161])
2009-05-29 07:53:40 H=(pappiro2) [189.12.188.161] rejected MAIL <[email protected]>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2009-05-29 07:53:43 H=amefcinfo.com [209.190.241.36] Warning: Sender rate 0.0 / 1h
2009-05-29 07:53:46 1MA3Ss-0004H0-9m Completed
2009-05-29 07:53:46 1MA3Ss-0004H0-9m => loans <*******@*******.net> R=virtual_user T=virtual_userdelivery
2009-05-29 07:53:46 1MA3Ss-0004H0-9m <= [email protected] H=amefcinfo.com [209.190.241.36] P=smtp S=5523 [email protected]
2009-05-29 07:54:26 H=smtp1.nylx.com [64.106.165.4] Warning: Sender rate 0.7 / 1h
2009-05-29 07:54:29 1MA3TZ-0004HC-F3 Completed
2009-05-29 07:54:29 1MA3TZ-0004HC-F3 <= [email protected] H=smtp1.nylx.com [64.106.165.4] P=smtp S=5831 [email protected]
2009-05-29 07:54:29 1MA3TZ-0004HC-F3 => paul <******@******.net> R=virtual_user T=virtual_userdelivery
2009-05-29 07:54:34 H=adsl-dyn131.78-99-44.t-com.sk [78.99.44.131] Warning: Sender rate 0.0 / 1h
2009-05-29 07:54:36 H=adsl-dyn131.78-99-44.t-com.sk [78.99.44.131] F=<[email protected]> rejected RCPT <[email protected]>: "JunkMail rejected - adsl-dyn131.78-99-44.t-com.sk [78.99.44.131] is in an RBL, see Blocked - see http://www.spamcop.net/bl.shtml?78.99.44.131"
2009-05-29 07:54:36 H=adsl-dyn131.78-99-44.t-com.sk [78.99.44.131] Warning: "Increment Connection Ratelimit - adsl-dyn131.78-99-44.t-com.sk [78.99.44.131] because of RBL match"
2009-05-29 07:54:45 H=114-76-246-201.adsl.terra.cl [201.246.76.114] Warning: Sender rate 0.0 / 1h
2009-05-29 07:54:51 H=114-76-246-201.adsl.terra.cl [201.246.76.114] F=<[email protected]> rejected RCPT <*******@******.com>: "JunkMail rejected - 114-76-246-201.adsl.terra.cl [201.246.76.114] is in an RBL, see http://www.spamhaus.org/query/bl?ip=201.246.76.114"
2009-05-29 07:54:51 H=114-76-246-201.adsl.terra.cl [201.246.76.114] Warning: "Increment Connection Ratelimit - 114-76-246-201.adsl.terra.cl [201.246.76.114] because of RBL match"
2009-05-29 07:54:55 no IP address found for host 189-79-42-195.dsl.telesp.net.br (during SMTP connection from [189.79.42.195])
2009-05-29 07:54:57 H=(189-79-42-195.dsl.telesp.net.br) [189.79.42.195] Warning: Sender rate 0.0 / 1h
2009-05-29 07:55:00 H=(189-79-42-195.dsl.telesp.net.br) [189.79.42.195] F=<[email protected]> rejected RCPT <[email protected]>: "JunkMail rejected - (189-79-42-195.dsl.telesp.net.br) [189.79.42.195] is in an RBL, see Blocked - see http://www.spamcop.net/bl.shtml?189.79.42.195"
2009-05-29 07:55:00 H=(189-79-42-195.dsl.telesp.net.br) [189.79.42.195] Warning: "Increment Connection Ratelimit - (189-79-42-195.dsl.telesp.net.br) [189.79.42.195] because of RBL match"
2009-05-29 07:55:39 H=(TNWUEOYV) [116.41.65.189] rejected MAIL <[email protected]>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2009-05-29 07:55:39 no host name found for IP address 116.41.65.189
2009-05-29 07:55:41 no host name found for IP address 88.244.150.151
2009-05-29 07:55:42 H=(server) [88.244.150.151] rejected MAIL <[email protected]>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2009-05-29 07:55:55 H=pool-71-121-53-27.plspca.dsl-w.verizon.net (71.121.53.27) [71.121.53.27] rejected MAIL <[email protected]>: Access denied - Invalid HELO name (See RFC2821 4.1.3)
2009-05-29 07:55:59 H=adsl201-232-234-28.epm.net.co [201.232.234.28] Warning: Sender rate 0.0 / 1h



Posted: Jun 1st, 2009 03:40 PM
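As an added example (not the poster's code), a small Python script that does what the thread is trying to do by hand: it pairs each message ID's `<=` arrival line in exim_mainlog with its `=>` delivery lines and tallies, per originating account, how many deliveries left the server over the remote_smtp transport, which is how a compromised mailbox or web script shows up even when inbound RBL noise dominates the log. It assumes the standard Exim main-log fields (A= for the SMTP AUTH user, U= for the local Unix user of locally injected mail, T= for the transport); the log lines embedded in it are constructed, and the authenticator name dovecot_login and router name lookuphost are assumptions.

```python
"""Attribute outbound mail on an Exim/cPanel host to the account that injected it,
by pairing each message's '<=' arrival line with its '=>' deliveries in exim_mainlog."""
import re
import sys
from collections import Counter

ID = r"(?P<id>\w{6}-\w{6}-\w{2})"  # Exim message id, e.g. 1MA3TZ-0004HC-F3
ARRIVAL = re.compile(r"^\S+ \S+ " + ID + r" <= (?P<sender>\S+)(?P<rest>.*)$")
DELIVERY = re.compile(r"^\S+ \S+ " + ID + r" => \S.*? T=(?P<transport>\S+)")
SOURCE = re.compile(r" (?P<key>[AU])=(?P<val>\S+)")  # A= SMTP AUTH user, U= local user

def attribute_outbound(lines, remote_transports=("remote_smtp",)):
    """Return {origin: number of deliveries that left the box}.  origin is the
    SMTP AUTH user (A=), else the local Unix account (U=, e.g. a web script),
    else the envelope sender (mail that merely arrived and was forwarded on)."""
    origin, counts = {}, Counter()
    for line in lines:
        m = ARRIVAL.match(line)
        if m:
            src = dict(SOURCE.findall(m.group("rest")))
            if "A" in src:  # "dovecot_login:user@dom" -> "user@dom"
                who = "auth:" + src["A"].split(":", 1)[-1]
            elif "U" in src:
                who = "local:" + src["U"]
            else:
                who = "sender:" + m.group("sender").strip("<>")
            origin[m.group("id")] = who
            continue
        m = DELIVERY.match(line)
        if m and m.group("transport") in remote_transports:
            counts[origin.get(m.group("id"), "unknown")] += 1
    return dict(counts)

# Constructed sample, not the poster's log: one inbound message delivered locally,
# two messages injected over SMTP AUTH, one injected by a local web-server account.
SAMPLE_LOG = """\
2009-05-29 07:54:29 1MA3TZ-0004HC-F3 <= news@vendor.example H=smtp1.vendor.example [192.0.2.10] P=smtp S=5831
2009-05-29 07:54:29 1MA3TZ-0004HC-F3 => paul <paul@hosted.example> R=virtual_user T=virtual_userdelivery
2009-05-29 08:01:02 1MA3aa-000111-Aa <= sales@client1.example H=(WORKSTATION) [198.51.100.7] P=esmtpa A=dovecot_login:sales@client1.example S=2210
2009-05-29 08:01:03 1MA3aa-000111-Aa => victim1@example.org R=lookuphost T=remote_smtp H=mx.example.org [203.0.113.5]
2009-05-29 08:01:03 1MA3aa-000111-Aa => victim2@example.net R=lookuphost T=remote_smtp H=mx.example.net [203.0.113.6]
2009-05-29 08:01:09 1MA3ab-000112-Bb <= sales@client1.example H=(WORKSTATION) [198.51.100.7] P=esmtpa A=dovecot_login:sales@client1.example S=2211
2009-05-29 08:01:10 1MA3ab-000112-Bb => victim3@example.org R=lookuphost T=remote_smtp H=mx.example.org [203.0.113.5]
2009-05-29 08:02:00 1MA3ac-000113-Cc <= nobody@host.example U=client2 P=local S=900
2009-05-29 08:02:01 1MA3ac-000113-Cc => friend@example.com R=lookuphost T=remote_smtp H=mx.example.com [203.0.113.7]
"""
if __name__ == "__main__":  # usage: python3 exim_outbound.py /var/log/exim_mainlog
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for who, n in sorted(attribute_outbound(lines).items(), key=lambda kv: -kv[1]):
        print(f"{n:6d}  {who}")
```

On a cPanel host the log is /var/log/exim_mainlog; the account at the top of the ranking is the mailbox password to reset (auth: entries) or the site whose script to take offline (local: entries), and a large sender: entry points at a forwarder relaying inbound spam onward.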
Raz

Open a console session and look for rogue programs running that shouldn't be.

Personally, I would do a fresh install to make sure the machine is fully clean.



Posted: Jun 2nd, 2009 09:36 PM
Da Pittman

Quote: Originally posted by Raz
Open a console session and look for rogue programs running that shouldn't be.

Personally, I would do a fresh install to make sure the machine is fully clean.
Thanks, but this is a hosting server for many of our clients. I've done a bit more research and it looks like he is bouncing the emails off the server but they are not going through. The log files show the email being passed and forwarded on to me, but there is no copy or other record of it or of the other emails on the server; even the email that was to be forwarded to me is gone.



Posted: Jun 2nd, 2009 10:09 PM