Server suspect for sending out spams!



miltongoh
12-07-2005, 06:28 PM
Hi,

Kindly please help me with this. My server with DA seems to be sending out spam.

=============================================

[root@server root]# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:783 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 MYIPADDRESS:53 0.0.0.0:* LISTEN
tcp 0 0 MYIPADDRESS:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
tcp 0 0 MYIPADDRESS:33531 209.86.93.229:25 TIME_WAIT
tcp 0 1 MYIPADDRESS:33501 63.237.122.0:25 SYN_SENT
tcp 0 1 MYIPADDRESS:33457 64.34.105.163:25 SYN_SENT
tcp 0 1 MYIPADDRESS:33429 64.34.105.163:25 SYN_SENT
tcp 0 1 MYIPADDRESS:33399 64.34.105.163:25 SYN_SENT
tcp 0 1 MYIPADDRESS:33378 64.34.105.163:25 SYN_SENT
tcp 1 0 MYIPADDRESS:32882 68.6.19.3:25 CLOSE_WAIT
tcp 0 0 MYIPADDRESS:25 209.225.28.161:43693 TIME_WAIT
tcp 0 0 MYIPADDRESS:25 216.119.128.23:54766 TIME_WAIT
tcp 0 29 MYIPADDRESS:33465 205.188.159.57:25 ESTABLISHED
tcp 0 10136 MYIPADDRESS:33510 205.188.159.57:25 ESTABLISHED
tcp 0 1 MYIPADDRESS:33534 205.188.159.57:25 SYN_SENT
tcp 0 0 MYIPADDRESS:33552 207.115.57.16:25 ESTABLISHED
tcp 0 14480 MYIPADDRESS:33548 209.150.236.156:25 ESTABLISHED
tcp 0 13032 MYIPADDRESS:33549 209.86.93.237:25 ESTABLISHED
tcp 0 84 MYIPADDRESS:33551 194.154.128.2:25 ESTABLISHED
tcp 0 28 MYIPADDRESS:33543 64.12.138.89:25 ESTABLISHED
tcp 0 1 MYIPADDRESS:33546 64.12.138.89:25 SYN_SENT
tcp 0 2186 MYIPADDRESS:33511 64.12.138.89:25 ESTABLISHED
tcp 0 0 MYIPADDRESS:33521 129.81.118.37:25 TIME_WAIT
tcp 0 1 MYIPADDRESS:33212 63.237.122.20:25 SYN_SENT
tcp 0 32 MYIPADDRESS:33529 64.12.138.185:25 ESTABLISHED
tcp 61 0 MYIPADDRESS:32888 205.152.58.33:25 CLOSE_WAIT
tcp 0 7 MYIPADDRESS:33547 206.211.123.47:25 FIN_WAIT1
tcp 0 29 MYIPADDRESS:33522 205.188.159.217:25 ESTABLISHED
tcp 0 10136 MYIPADDRESS:33497 205.188.159.217:25 ESTABLISHED
tcp 0 0 MYIPADDRESS:33553 193.209.83.72:25 ESTABLISHED
tcp 0 0 MYIPADDRESS:25 129.115.102.173:13013 TIME_WAIT
tcp 51 0 MYIPADDRESS:33512 207.115.20.21:25 CLOSE_WAIT
tcp 0 7 MYIPADDRESS:33554 66.211.211.51:25 FIN_WAIT1
tcp 0 0 MYIPADDRESS:25 209.225.28.213:52543 TIME_WAIT
tcp 0 0 MYIPADDRESS:33064 4.79.181.14:25 ESTABLISHED
tcp 0 0 MYIPADDRESS:25 65.24.7.62:23234 TIME_WAIT
tcp 0 1 MYIPADDRESS:33309 66.110.17.71:25 SYN_SENT
tcp 0 8688 MYIPADDRESS:33507 205.188.157.25:25 ESTABLISHED
tcp 0 7 MYIPADDRESS:33203 65.64.1.195:25 FIN_WAIT1
tcp 1 49 MYIPADDRESS:25 66.133.183.136:45408 CLOSING
tcp 0 7 MYIPADDRESS:33306 65.64.1.195:25 FIN_WAIT1
tcp 0 0 MYIPADDRESS:33491 64.34.161.33:25 TIME_WAIT
tcp 0 48 MYIPADDRESS:22 218.212.135.222:1738 ESTABLISHED
tcp 0 1 MYIPADDRESS:33539 64.12.138.152:25 SYN_SENT
tcp 0 0 MYIPADDRESS:25 64.12.138.17:53228 ESTABLISHED
tcp 0 0 MYIPADDRESS:25 167.193.142.16:4389 TIME_WAIT
tcp 0 1 MYIPADDRESS:33520 64.12.138.152:25 SYN_SENT
tcp 0 12312 MYIPADDRESS:33550 160.109.70.76:25 ESTABLISHED
tcp 0 75 MYIPADDRESS:33541 160.109.70.76:25 FIN_WAIT1
tcp 0 0 MYIPADDRESS:33504 205.188.156.185:25 ESTABLISHED
tcp 0 78 MYIPADDRESS:25 205.158.62.61:39084 ESTABLISHED
tcp 0 1 MYIPADDRESS:33239 207.218.192.49:25 SYN_SENT
tcp 0 1 MYIPADDRESS:33556 216.119.128.24:25 SYN_SENT
tcp 0 1 MYIPADDRESS:33555 204.127.134.23:25 SYN_SENT
udp 0 0 0.0.0.0:32769 0.0.0.0:*
udp 296 0 MYIPADDRESS:53 0.0.0.0:*
udp 0 0 MYIPADDRESS:53 0.0.0.0:*
udp 0 0 127.0.0.1:53 0.0.0.0:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 1455 /var/lib/mysql/mysql.sock
unix 7 [ ] DGRAM 1290 /dev/log
unix 2 [ ] DGRAM 27963
unix 2 [ ] DGRAM 4217
unix 2 [ ] DGRAM 1905
unix 3 [ ] STREAM CONNECTED 1818
unix 3 [ ] STREAM CONNECTED 1817
unix 3 [ ] STREAM CONNECTED 1816
unix 3 [ ] STREAM CONNECTED 1815
unix 2 [ ] DGRAM 1686
unix 2 [ ] DGRAM 1486
unix 2 [ ] DGRAM 1301
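A quick way to confirm what the netstat output above is showing, as an added example that is not code from the thread: the functions below filter a netstat -an capture down to outbound connections to port 25 and rank them by TCP state and by remote host. The sample capture is constructed in the shape of the post's output, with 10.0.0.5 standing in for MYIPADDRESS.

```shell
#!/bin/sh
# Added example, not code from the thread: triage a 'netstat -an' capture
# for outbound SMTP fan-out. A mail server normally holds a handful of
# outbound port-25 connections; dozens in SYN_SENT/ESTABLISHED at once,
# as in the post above, is the usual sign of a spam run leaving the box.

# Constructed sample in the shape of the post's output. 10.0.0.5 is a
# placeholder for the server's own address (MYIPADDRESS in the post).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 1 10.0.0.5:33501 63.237.122.0:25 SYN_SENT
tcp 0 1 10.0.0.5:33457 64.34.105.163:25 SYN_SENT
tcp 0 1 10.0.0.5:33429 64.34.105.163:25 SYN_SENT
tcp 0 29 10.0.0.5:33465 205.188.159.57:25 ESTABLISHED
tcp 0 10136 10.0.0.5:33510 205.188.159.57:25 ESTABLISHED
tcp 0 0 10.0.0.5:25 209.225.28.161:43693 TIME_WAIT
tcp 0 48 10.0.0.5:22 218.212.135.222:1738 ESTABLISHED
udp 0 0 10.0.0.5:53 0.0.0.0:*
EOF
}

# An outbound SMTP connection is a tcp line whose foreign address ends in
# ':25' and whose local port is not 25, so inbound deliveries to our own
# MTA (local :25) are left out.
outbound_smtp_lines() {
    awk '$1 == "tcp" && $5 ~ /:25$/ && $4 !~ /:25$/'
}

# Total outbound SMTP connections, for a quick threshold check.
outbound_smtp_total() {
    outbound_smtp_lines | awk 'END { print NR }'
}

# Count per TCP state, most common first. Many SYN_SENT entries mean the
# box is opening connections faster than the remote MX hosts answer.
outbound_smtp_by_state() {
    outbound_smtp_lines | awk '{ print $6 }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Count per remote host. A spam run fans out to many MX hosts, often
# with several parallel connections to the large providers.
outbound_smtp_by_host() {
    outbound_smtp_lines | awk '{ sub(/:25$/, "", $5); print $5 }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# On a live host: netstat -an | outbound_smtp_by_state
# Here, on the constructed capture:
echo "outbound SMTP connections: $(sample_netstat | outbound_smtp_total)"
sample_netstat | outbound_smtp_by_state
sample_netstat | outbound_smtp_by_host
```

Run against the full capture in the post, the state count alone tells the story: a legitimate mail server rarely has more than a few connections in SYN_SENT at any instant, and the by-host ranking shows which providers are being hammered and therefore which blocklists to expect the server on next.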

hackerpitbull
12-07-2005, 09:03 PM
nano /etc/exim.conf

#Find:
log_selector = \
+delivery_size \
+sender_on_delivery \
+received_recipients \
+received_sender \
+smtp_confirmation \
+subject \
+smtp_incomplete_transaction \
-dnslist_defer \
-host_lookup_failed \
-queue_run \
-rejected_header \
-retry_defer \
-skip_delivery

#Change it to:
#log_selector = \
# +delivery_size \
#+sender_on_delivery \
#+received_recipients \
#+received_sender \
#+smtp_confirmation \
#+subject \
#+smtp_incomplete_transaction \
#-dnslist_defer \
#-host_lookup_failed \
#-queue_run \
#-rejected_header \
#-retry_defer \
#-skip_delivery


log_selector = \
+address_rewrite \
+all_parents \
+arguments \
+connection_reject \
+delay_delivery \
+delivery_size \
+dnslist_defer \
+incoming_interface \
+incoming_port \
+lost_incoming_connection \
+queue_run \
+received_sender \
+received_recipients \
+retry_defer \
+sender_on_delivery \
+size_reject \
+skip_delivery \
+smtp_confirmation \
+smtp_connection \
+smtp_protocol_error \
+smtp_syntax_error \
+subject \
+tls_cipher \
+tls_peerdn

#CTRL + X
/sbin/service exim restart


now tail /var/log/exim/mainlog
search for massive e-mail messages that are sent from a web page (like:


2005-12-08 00:50:11 cwd=/home/user/domains/domain.come/public_html/dir 5 args: /usr/sbin/sendmail -t -i -f ....

or massive e-mail sending from one address.

btw check out this:
http://help.directadmin.com/item.php?id=81
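The search the post describes, written out as an added example (not code from the thread or from DirectAdmin): with +arguments in log_selector, exim logs the working directory and arguments of every sendmail invocation, which is where the cwd= line above comes from, and the <= arrival lines carry the envelope sender and the submitting user. The functions below rank those three things over a whole mainlog rather than the last few lines a tail shows. The sample log is constructed; its addresses, paths, message IDs and subjects are made up.

```shell
#!/bin/sh
# Added example, not code from the thread: rank the sources of mail in an
# exim mainlog. With '+arguments' in log_selector (as in the config above)
# exim logs the working directory and arguments of every sendmail call, so
# a web directory that called sendmail hundreds of times stands out; the
# '<=' arrival lines give the envelope sender and the submitting user.

# Constructed sample mainlog. Line shapes follow the post's 'cwd=' line and
# exim's '<=' arrival line; addresses, paths, IDs and subjects are made up.
sample_mainlog() {
    cat <<'EOF'
2005-12-08 00:50:11 cwd=/home/user/domains/example.com/public_html/dir 5 args: /usr/sbin/sendmail -t -i -f nobody@example.com
2005-12-08 00:50:11 1EkKkX-0003mZ-Ti <= nobody@example.com U=apache P=local S=1873 T="Cheap watches"
2005-12-08 00:50:12 cwd=/home/user/domains/example.com/public_html/dir 5 args: /usr/sbin/sendmail -t -i -f nobody@example.com
2005-12-08 00:50:12 1EkKkY-0003mb-Ab <= nobody@example.com U=apache P=local S=1873 T="Cheap watches"
2005-12-08 00:50:13 cwd=/home/user/domains/example.com/public_html/dir 5 args: /usr/sbin/sendmail -t -i -f nobody@example.com
2005-12-08 00:50:13 1EkKkZ-0003mc-Cd <= nobody@example.com U=apache P=local S=1873 T="Cheap watches"
2005-12-08 00:51:02 cwd=/home/alice 3 args: /usr/sbin/sendmail -t alice@example.org
2005-12-08 00:51:02 1EkKla-0003md-Ef <= alice@example.com U=alice P=local S=642 T="Re: meeting"
2005-12-08 00:52:40 1EkKlb-0003me-Gh <= bob@example.net H=mail.example.net [192.0.2.10] P=esmtp S=2210 T="Invoice"
EOF
}

# Rank the directories from which sendmail was invoked ("<count> <cwd>").
# A public_html path at the top with a high count points at a web script,
# often a compromised or unprotected form mailer.
rank_sendmail_cwd() {
    awk '$3 ~ /^cwd=/ { print substr($3, 5) }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Rank envelope senders on arrival lines ("<count> <sender>").
rank_senders() {
    awk '$4 == "<=" { print $5 }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Rank the local submitting user (U=...) on arrival lines. U=apache (or
# whatever the web server runs as) means a web script sent it; a shell
# account name means that user's own processes did. Remote deliveries
# have no U= field and are skipped.
rank_submitting_users() {
    awk '$4 == "<=" { for (i = 6; i <= NF; i++) if ($i ~ /^U=/) { print substr($i, 3); break } }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# On a live host: rank_sendmail_cwd < /var/log/exim/mainlog
# Here, on the constructed log:
sample_mainlog | rank_sendmail_cwd
sample_mainlog | rank_senders
sample_mainlog | rank_submitting_users
```

The cwd ranking is the most useful of the three on a shared hosting box: it names the exact directory, so the offending script can be found and disabled without guessing which account is responsible.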

miltongoh
12-09-2005, 03:19 AM
I did an exim -bp | less and I got quite a number of results.

How do I do a mass removal of the message IDs?

nobaloney
12-11-2005, 09:02 PM
This exim "cheatsheet" (http://bradthemad.org/tech/notes/exim_cheatsheet.php) has some great ideas and examples.

Jeff
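One way to do the mass removal asked about above, as an added example that is neither the cheatsheet's nor the thread's code: select message IDs out of exim -bp output by envelope sender (or pick the frozen ones) and pass them to exim -Mrm. It does by hand what exiqgrep -i -f <regex> | xargs exim -Mrm does, so the queue format is visible. The sample queue listing is constructed; the header-line layout (age, size, message ID, sender, optional *** frozen *** marker, then indented recipients) is exim's, and exim -bp, exim -Mrm and exiqgrep are real exim commands.

```shell
#!/bin/sh
# Added example, not the cheatsheet's or the thread's code: pick message IDs
# out of 'exim -bp' output by envelope sender and hand them to 'exim -Mrm'.
# It mirrors 'exiqgrep -i -f <regex> | xargs exim -Mrm' with the selection
# step written out so the queue format is visible.

# Constructed sample of 'exim -bp' output: a header line per message
# ("<age> <size> <message-id> <sender>", plus '*** frozen ***' for frozen
# ones) followed by indented recipient lines and a blank line.
sample_queue() {
    cat <<'EOF'
 25m  1.3K 1EkKkX-0003mZ-Ti <nobody@example.com>
          victim1@example.net

 24m  1.3K 1EkKkY-0003mb-Ab <nobody@example.com> *** frozen ***
          victim2@example.net

 12m   642 1EkKla-0003md-Ef <alice@example.com>
          friend@example.org

 40m  2.1K 1EkKlb-0003me-Gh <nobody@example.com>
          victim3@example.net
          victim4@example.net

EOF
}

# Header lines are the only ones whose third field is a 16-character
# xxxxxx-xxxxxx-xx message ID, so recipient and blank lines fall through.
queue_headers() {
    awk '$3 ~ /^[A-Za-z0-9]+-[A-Za-z0-9]+-[A-Za-z0-9]+$/ && length($3) == 16'
}

# IDs of queued messages whose sender field matches the regex in $1.
queue_ids_from_sender() {
    queue_headers | awk -v pat="$1" '$4 ~ pat { print $3 }'
}

# IDs of frozen messages only (bounces of a spam run usually end up here).
queue_frozen_ids() {
    queue_headers | awk '/\*\*\* frozen \*\*\*/ { print $3 }'
}

# Read IDs on stdin and remove them. Without --really it only prints the
# command it would run; that is the mode the example runs in below.
remove_from_queue() {
    ids=$(cat)
    if [ -z "$ids" ]; then
        echo "nothing matched, queue untouched" >&2
        return 0
    fi
    if [ "$1" = "--really" ]; then
        printf '%s\n' "$ids" | xargs exim -Mrm
    else
        echo "would run: exim -Mrm" $ids
    fi
}

# Check the selection first, then remove. On a live host:
#   exim -bp | queue_ids_from_sender 'nobody@example.com'
#   exim -bp | queue_ids_from_sender 'nobody@example.com' | remove_from_queue --really
sample_queue | queue_ids_from_sender 'nobody@example.com' | remove_from_queue
sample_queue | queue_frozen_ids | remove_from_queue
```

Always look at the selected IDs before adding --really: a sender regex that is too loose (a bare domain, say) will also remove the legitimate mail of every user at that domain, and exim -Mrm does not ask for confirmation.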