Linux Red Hat Question
I posted this on the Linux forum and wasn’t getting any help, so I thought I would try here in case there are any KMC programs out there that can help me.
I have been having this issue for about a week now. It looks like one of our clients has been infected by a spam virus that is sending out emails through his computer; however, I’m not able to figure out which client this is. We run cPanel, and I have checked the logs for any increase in SMTP traffic, but I’m not seeing any spikes, and I’m not able to find any noticeable traffic in the log files. I have tried searching the log files for suspicious message IDs, but every time I do, the message ID is not found, so I’m not able to look at the header information for sent mail. Our normal traffic is about 300 to 400 a day, and we have been hitting close to 2,000 daily according to the Godaddy SMTP reports. We have checked our system and it doesn’t accept open relays.
I have been searching the net trying to find some answers to this problem, but either the suggestions haven’t panned out or I’m not finding what I’m looking for. Any help would be great, because we are trying to stop this so that our IP is not blacklisted for spam.
Operating System: Red Hat Fedora Core 7
Sample of the exim_mainlog (client email addresses have been starred out):
2009-05-29 07:50:51 H=(FSINGVA) [125.211.167.243] rejected MAIL <[email protected]>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2009-05-29 07:50:53 H=adsl-84-227-23-6.adslplus.ch [84.227.23.6] F=<[email protected]> rejected RCPT <*******@*******.net>: "JunkMail rejected - adsl-84-227-23-6.adslplus.ch [84.227.23.6] is in an RBL, see Blocked - see http://www.spamcop.net/bl.shtml?84.227.23.6"
2009-05-29 07:50:53 H=adsl-84-227-23-6.adslplus.ch [84.227.23.6] Warning: "Increment Connection Ratelimit - adsl-84-227-23-6.adslplus.ch [84.227.23.6] because of RBL match"
2009-05-29 07:51:09 no IP address found for host host-41-196-156-251.static.link.com.eg (during SMTP connection from [41.196.156.251])
2009-05-29 07:51:12 H=(host-41-196-156-251.static.link.com.eg) [41.196.156.251] F=<[email protected]> rejected RCPT <*******@*******.net>: "JunkMail rejected - (host-41-196-156-251.static.link.com.eg) [41.196.156.251] is in an RBL, see Blocked - see http://www.spamcop.net/bl.shtml?41.196.156.251"
2009-05-29 07:51:12 H=(host-41-196-156-251.static.link.com.eg) [41.196.156.251] Warning: "Increment Connection Ratelimit - (host-41-196-156-251.static.link.com.eg) [41.196.156.251] because of RBL match"
2009-05-29 07:51:12 H=(host-41-196-156-251.static.link.com.eg) [41.196.156.251] Warning: Sender rate 0.0 / 1h
2009-05-29 07:51:44 H=c-76-108-210-126.hsd1.fl.comcast.net [76.108.210.126] F=<[email protected]> rejected RCPT <*******@******.com>: "JunkMail rejected - c-76-108-210-126.hsd1.fl.comcast.net [76.108.210.126] is in an RBL, see Blocked - see http://www.spamcop.net/bl.shtml?76.108.210.126"
2009-05-29 07:51:44 H=c-76-108-210-126.hsd1.fl.comcast.net [76.108.210.126] Warning: "Increment Connection Ratelimit - c-76-108-210-126.hsd1.fl.comcast.net [76.108.210.126] because of RBL match"
2009-05-29 07:51:44 H=c-76-108-210-126.hsd1.fl.comcast.net [76.108.210.126] Warning: Sender rate 0.0 / 1h
2009-05-29 07:51:57 no IP address found for host 18912188161.user.veloxzone.com.br (during SMTP connection from [189.12.188.161])
2009-05-29 07:51:58 H=(pappiro2) [189.12.188.161] rejected MAIL <[email protected]>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2009-05-29 07:53:23 no host name found for IP address 59.93.127.133
2009-05-29 07:53:25 H=(VQEGLBS) [59.93.127.133] rejected MAIL <[email protected]>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2009-05-29 07:53:36 no IP address found for host 18912188161.user.veloxzone.com.br (during SMTP connection from [189.12.188.161])
2009-05-29 07:53:40 H=(pappiro2) [189.12.188.161] rejected MAIL <[email protected]>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2009-05-29 07:53:43 H=amefcinfo.com [209.190.241.36] Warning: Sender rate 0.0 / 1h
2009-05-29 07:53:46 1MA3Ss-0004H0-9m Completed
2009-05-29 07:53:46 1MA3Ss-0004H0-9m => loans <*******@*******.net> R=virtual_user T=virtual_userdelivery
2009-05-29 07:53:46 1MA3Ss-0004H0-9m <= [email protected] H=amefcinfo.com [209.190.241.36] P=smtp S=5523 [email protected]
2009-05-29 07:54:26 H=smtp1.nylx.com [64.106.165.4] Warning: Sender rate 0.7 / 1h
2009-05-29 07:54:29 1MA3TZ-0004HC-F3 Completed
2009-05-29 07:54:29 1MA3TZ-0004HC-F3 <= [email protected] H=smtp1.nylx.com [64.106.165.4] P=smtp S=5831 [email protected]
2009-05-29 07:54:29 1MA3TZ-0004HC-F3 => paul <******@******.net> R=virtual_user T=virtual_userdelivery
2009-05-29 07:54:34 H=adsl-dyn131.78-99-44.t-com.sk [78.99.44.131] Warning: Sender rate 0.0 / 1h
2009-05-29 07:54:36 H=adsl-dyn131.78-99-44.t-com.sk [78.99.44.131] F=<[email protected]> rejected RCPT <[email protected]>: "JunkMail rejected - adsl-dyn131.78-99-44.t-com.sk [78.99.44.131] is in an RBL, see Blocked - see http://www.spamcop.net/bl.shtml?78.99.44.131"
2009-05-29 07:54:36 H=adsl-dyn131.78-99-44.t-com.sk [78.99.44.131] Warning: "Increment Connection Ratelimit - adsl-dyn131.78-99-44.t-com.sk [78.99.44.131] because of RBL match"
2009-05-29 07:54:45 H=114-76-246-201.adsl.terra.cl [201.246.76.114] Warning: Sender rate 0.0 / 1h
2009-05-29 07:54:51 H=114-76-246-201.adsl.terra.cl [201.246.76.114] F=<[email protected]> rejected RCPT <*******@******.com>: "JunkMail rejected - 114-76-246-201.adsl.terra.cl [201.246.76.114] is in an RBL, see http://www.spamhaus.org/query/bl?ip=201.246.76.114"
2009-05-29 07:54:51 H=114-76-246-201.adsl.terra.cl [201.246.76.114] Warning: "Increment Connection Ratelimit - 114-76-246-201.adsl.terra.cl [201.246.76.114] because of RBL match"
2009-05-29 07:54:55 no IP address found for host 189-79-42-195.dsl.telesp.net.br (during SMTP connection from [189.79.42.195])
2009-05-29 07:54:57 H=(189-79-42-195.dsl.telesp.net.br) [189.79.42.195] Warning: Sender rate 0.0 / 1h
2009-05-29 07:55:00 H=(189-79-42-195.dsl.telesp.net.br) [189.79.42.195] F=<[email protected]> rejected RCPT <[email protected]>: "JunkMail rejected - (189-79-42-195.dsl.telesp.net.br) [189.79.42.195] is in an RBL, see Blocked - see http://www.spamcop.net/bl.shtml?189.79.42.195"
2009-05-29 07:55:00 H=(189-79-42-195.dsl.telesp.net.br) [189.79.42.195] Warning: "Increment Connection Ratelimit - (189-79-42-195.dsl.telesp.net.br) [189.79.42.195] because of RBL match"
2009-05-29 07:55:39 H=(TNWUEOYV) [116.41.65.189] rejected MAIL <[email protected]>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2009-05-29 07:55:39 no host name found for IP address 116.41.65.189
2009-05-29 07:55:41 no host name found for IP address 88.244.150.151
2009-05-29 07:55:42 H=(server) [88.244.150.151] rejected MAIL <[email protected]>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2009-05-29 07:55:55 H=pool-71-121-53-27.plspca.dsl-w.verizon.net (71.121.53.27) [71.121.53.27] rejected MAIL <[email protected]>: Access denied - Invalid HELO name (See RFC2821 4.1.3)
2009-05-29 07:55:59 H=adsl201-232-234-28.epm.net.co [201.232.234.28] Warning: Sender rate 0.0 / 1h