how to track users spamming from my server
txt3rob
08-03-2007, 06:02 PM
I'm getting complaints from my DC that my server is being used to spam,
but I can't see anything in the email logs in DA. Any other way to find out what they are using to send spam?
Or should I change the SMTP port?
I've got a rootkit detector installed and it's finding nothing.
Example header from a complaint:
> X-Mailer: Openwave WebEngine, version 2.8.16.1
> (webedge20-101-1106-101-20040924)
> X-Originating-IP: [85.**.**.***] (my IP was there)
> From: kola williams <onlinedeskinfo@bellsouth.net>
> Reply-To: kolawilliams500@yahoo.com.hk
pucky
08-04-2007, 12:06 AM
Rootkits don't attribute to spam. It's something else, and here are some of the things you need to look at:
1) formmail installed on any domain
2) old and outdated scripts such as Gallery, Phpnuke etc. installed in a user's webspace that have major security holes.
3) a compromised account: a user account whose password has been guessed, which allows a spammer to log in, upload their scripts into the site's webspace and then use it to spam from.
4) any form on a user site, e.g. contact forms, that allows the injection of Bcc, Cc etc.
This is only 4 and a good start. I would also look at any new signups recently. Usually those who have recently signed up and not been verified properly are responsible, so I suggest you take a good look.
If you know what you're doing, you could set some traps via exim.conf, but that's provided you know how to do it. There are many other ways for spammers to send outgoing spam.
Good luck.
txt3rob
08-04-2007, 01:46 AM
The server is only used by me. I have SMF and Plogger gallery on there and about 2 directory listing scripts; that's about it on my server.
I've removed the WordPress blog and can not think of any scripts on my server that should allow emails out.
nobaloney
08-04-2007, 06:43 AM
> Rootkits don't attribute to spam.
I'd almost agree with that statement if you'd said something like "usually rootkits don't attribute to spam". Rootkits can and may be used by spammers, especially criminal spammers.
> here are some of the things you need to look at
Good list.
Jeff
nobaloney
08-04-2007, 06:45 AM
> The server is only used by me. I have SMF and Plogger gallery on there and about 2 directory listing scripts; that's about it on my server.
Check your exim mainlog. If your server is being used to send spam through exim, then results should be in the logs.
Somewhere on these forums is a patch you can make to PHP to add lines to outgoing emails indicating which PHP script created the email. Install that, then when your upstream says your server is spamming ask them for one of the spams and look for that header.
Jeff
fmortara
06-22-2008, 08:13 AM
> Somewhere on these forums is a patch you can make to PHP to add lines to outgoing emails indicating which PHP script created the email
> Jeff
Hi Jeff!
Can you provide a link for that?
I want to put an additional header line in all outgoing messages from my server, i.e. Return-path: <abuse@main-domain.ext>, to receive a reply in case of spam that is being sent by a brute-force rootkit or similar...
smtalk
06-22-2008, 08:21 AM
PHP is patched by default with this patch: http://choon.net/php-mail-header.php :)
fmortara
06-22-2008, 09:28 AM
OK... I see it!
And for inserting one additional header line with the return-path into all messages going out of my server?
smtalk
06-22-2008, 09:42 AM
Are you talking about sendmail_from? You can set it in /usr/local/lib/php.ini. If not - take a look at http://uk2.php.net/manual/en/book.mail.php.
fmortara
06-22-2008, 11:02 AM
No,
I want to set one additional header in the emails that the server is sending...
For example, this is an original email's header, where:
user@domain.it is the DirectAdmin user who owns the domain
mail-address@dest-domain.it is the destination of the email
http://www.domain.it/message-mailer.php is the PHP file that is sending the email with the mail() function
From user@domain.it Sun Jun 22 12:45:12 2008
Return-path: <user@domain.it>
Envelope-to: mail-address@dest-domain.it
Delivery-date: Sun, 22 Jun 2008 12:45:12 +0200
Received: from apache by host.hostname.it with local (Exim 4.54)
id 1KAN4K-0001R9-2W
for mail-user@dest-domain.it; Sun, 22 Jun 2008 12:45:12 +0200
To: mail-user@dest-domain.it
Subject: Ciao User, hai appena ricevuto un nuovo commento alla tua foto su domain.it
X-PHP-Script: www.domain.it/message-mailer.php (http://www.domain.it/message-mailer.php) for 87.1.xx.xx
From:no-reply@domain.it
Content-type: text/html;
Message-Id: <E1KAN4K-0001R9-2W@host.hostname.it>
Date: Sun, 22 Jun 2008 12:45:12 +0200
In this header I want to insert this additional line (in red in the original post: the second Return-path line below), even in substitution of the previous Return-path, but I want Exim (or Apache or PHP) to do it, not the user's PHP script:
From user@domain.it Sun Jun 22 12:45:12 2008
Return-path: <user@domain.it>
Return-path: <abuse@hostname.it>
Envelope-to: mail-address@dest-domain.it
Delivery-date: Sun, 22 Jun 2008 12:45:12 +0200
Received: from apache by host.hostname.it with local (Exim 4.54)
id 1KAN4K-0001R9-2W
for mail-user@dest-domain.it; Sun, 22 Jun 2008 12:45:12 +0200
To: mail-user@dest-domain.it
Subject: Ciao User, hai appena ricevuto un nuovo commento alla tua foto su domain.it
X-PHP-Script: www.domain.it/message-mailer.php (http://www.domain.it/message-mailer.php) for 87.1.xx.xx
From:no-reply@domain.it
Content-type: text/html;
Message-Id: <E1KAN4K-0001R9-2W@host.hostname.it>
Date: Sun, 22 Jun 2008 12:45:12 +0200
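Added example, not code from this thread or from DirectAdmin: a small Python parser that pulls the X-PHP-Script header shown above (format "host/script.php for CLIENT_IP"), the Exim queue id from the Received header (so the message can be found in /var/log/exim/mainlog) and X-Originating-IP (as in the complaint at the top of the thread) out of a spam sample, so the sending script, client IP and log entry can be identified. Header formats are assumed from the samples on this page; the optional "(url)" residue and the comma-separated IP list are assumptions.

```python
"""Identify the script and client behind a spam sample from its headers.

Added example; not code from this thread, DirectAdmin or Exim. Header
formats are assumptions based on the samples posted in this thread.
"""
import email
import re
from typing import Dict

# "host/script.php for IP"; the optional "(url)" residue and a
# comma-separated IP list (proxied request) are assumptions.
X_PHP_SCRIPT_RE = re.compile(
    r"^\s*(?P<script>\S+?)(?:\s*\(\S+\))?\s+for\s+"
    r"(?P<ips>[0-9A-Fa-f.:]+(?:\s*,\s*[0-9A-Fa-f.:]+)*)\s*$"
)
# Exim queue id (6-6-2 base-62 groups) in a Received header written by Exim.
EXIM_ID_RE = re.compile(
    r"\(Exim [^)]*\).*?\bid\s+(?P<id>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2})",
    re.S,
)
BRACKETED_IP_RE = re.compile(r"\[([^\]]+)\]")

# Constructed sample, modelled on the header posted above (client IP invented).
SAMPLE_PHP_SCRIPT_MAIL = """\
Return-path: <user@domain.it>
Received: from apache by host.hostname.it with local (Exim 4.54)
\tid 1KAN4K-0001R9-2W
\tfor mail-user@dest-domain.it; Sun, 22 Jun 2008 12:45:12 +0200
To: mail-user@dest-domain.it
Subject: test
X-PHP-Script: www.domain.it/message-mailer.php for 203.0.113.7
From: no-reply@domain.it
Message-Id: <E1KAN4K-0001R9-2W@host.hostname.it>

body
"""


def parse_spam_sample(raw_message: str) -> Dict[str, object]:
    """Return what the headers say about where the message came from."""
    msg = email.message_from_string(raw_message)
    result: Dict[str, object] = {
        "script_host": None, "script_path": None, "client_ips": [],
        "exim_id": None, "originating_ip": None,
        "x_mailer": msg.get("X-Mailer"),
    }
    value = msg.get("X-PHP-Script")
    if value:
        m = X_PHP_SCRIPT_RE.match(value)
        if m:
            host, _, path = m.group("script").partition("/")
            result["script_host"] = host
            result["script_path"] = "/" + path
            result["client_ips"] = [ip.strip() for ip in m.group("ips").split(",")]
    for received in msg.get_all("Received", []):
        m = EXIM_ID_RE.search(received)
        if m:                        # first Exim hop gives the id to grep for
            result["exim_id"] = m.group("id")
            break
    originating = msg.get("X-Originating-IP")
    if originating:                  # webmail clients write "[1.2.3.4]"
        m = BRACKETED_IP_RE.search(originating)
        result["originating_ip"] = m.group(1) if m else originating.strip()
    return result
```

With the queue id in hand, `grep 1KAN4K-0001R9-2W /var/log/exim/mainlog` shows the arrival and delivery lines for that message.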
nobaloney
06-22-2008, 01:34 PM
Note that RFC 2822 requires one (optional) Return-Path header, and not more. If you're going to add one, you need to remove the original.
I suppose you could rewrite exim or php, or even use functionality in exim.conf, but it would make your email non-compliant.
Which won't help you with anti-spam issues.
Jeff
fmortara
06-22-2008, 04:07 PM
> Note that RFC 2822 requires one (optional) Return-Path header, and not more. If you're going to add one, you need to remove the original.
> I suppose you could rewrite exim or php, or even use functionality in exim.conf, but it would make your email non-compliant.
> Which won't help you with anti-spam issues.
> Jeff
OK, I want to put into every outgoing email from my server one email address, "abuse@hostname.it", to receive the bounce error emails...
How can I do it?
fmortara
06-22-2008, 04:11 PM
If my server sends an email with PHP, from any user, what can I put in /etc/email-addresses to force Exim to rewrite the return-path to the email address that I want?
nobaloney
06-23-2008, 06:50 PM
I'm not going to take the time here to verify all the details but I believe you have to set the user sender in your php headers, and then in exim.conf set the trusted_users.
If I'm missing something or I'm in error, someone please correct me.
Thanks.
Jeff
fmortara
06-25-2008, 01:48 PM
> I'm not going to take the time here to verify all the details but I believe you have to set the user sender in your php headers, and then in exim.conf set the trusted_users.
> If I'm missing something or I'm in error, someone please correct me.
> Thanks.
> Jeff
Hi Jeff,
I don't want my PHP script to put in the return-path header; I want Exim to put it into all the emails that it is sending from my server...
the same header for all emails.
EDIT:
I don't have total control of the PHP scripts on the server, but I think that one of my users is sending spam... What can I do to identify who it is?
What is the log file that logs this?
nobaloney
06-25-2008, 07:16 PM
It seems that each time I read this thread I understand it differently... that's probably my fault; I'm very busy on other matters this week :(.
Let's look for a moment at the section of your post following your EDIT header:
Exim should set the user's username as the return-path header. This is invaluable for searching for a spammer; you can just check the logs.
Jeff
fmortara
06-26-2008, 01:45 AM
> Exim should set the user's username as the return-path header. This is invaluable for searching for a spammer; you can just check the logs.
> Jeff
I have checked the logs... but I'm not an expert...
What is the log that I must check to find my spammer user?
I've already searched in /etc/virtual/usage, /var/log/mail.log, mail.info, mail.warn, /var/log/exim (all logs), /var/spool/mail (all files), but I find no information that identifies who is responsible.
If the return-path is the same for all emails, I can receive the bounce emails and see who the sender is and which script is sending the mail.
For example:
if the user named "fmortara" sends an email, Exim puts this into the mail header: return-path: fmortara@domain.ext.
I want to substitute it with the administrator's email.
And this for every mail that is sent by every user...
What must I put in /etc/email-addresses for this substitution? And in /etc/exim.conf and /etc/exim/exim.conf?
nobaloney
06-28-2008, 09:17 AM
In my humble opinion you really don't want to do that because if you do you could get thousands of returned emails into your server, the anti-spam world will consider you responsible since you're telling the world you're the sender, and you'll have obliterated any way to tell which of your users actually sent the spam.
Once you recognize an email problem you can search the /var/log/exim/mainlog for the username to see how many emails the spammer is sending. You can also set a cronjob to search for any/all users who send (for example) over 250 emails a day, and to notify you of those users by username.
Jeff
fmortara
06-28-2008, 10:22 AM
> In my humble opinion you really don't want to do that because if you do you could get thousands of returned emails into your server, the anti-spam world will consider you responsible since you're telling the world you're the sender, and you'll have obliterated any way to tell which of your users actually sent the spam.
> Once you recognize an email problem you can search the /var/log/exim/mainlog for the username to see how many emails the spammer is sending. You can also set a cronjob to search for any/all users who send (for example) over 250 emails a day, and to notify you of those users by username.
> Jeff
Yes!
I don't want to do it, but I have already looked at my mainlog file and no information on mail sending (no user has sent many mails) is present in it. For this situation, I would like to receive, for a short time, all the bounce emails for my users' outgoing email...
Now all the emails are correctly delivered; I think that libero and yahoo had a temporary malfunction...
Please, can you provide me an example of a cronjob to notify me if anyone sends over "x" mails from my server?
Is it possible that one user sends an email and Exim doesn't log it into the mainlog file?
Today I sent an email to the postmaster of libero.it and the Mail Delivery System (of my server..?) responded that my local dynamic IP was blocked by a blacklist at 12.07 PM:
Il messaggio non ha raggiunto alcuni o tutti i destinatari.
Oggetto: I: Delivery Status Notification
Inviato: 28/06/2008 12.07
Impossibile raggiungere i seguenti destinatari:
'support_postmaster' 28/06/2008 12.07
550 5.7.1 87.6.119.253 has been blocked by abuseat
But in the mainlog there isn't this sending attempt. I resent it correctly after 1 minute with the same IP address, and in the log there are the correct entries:
2008-06-28 12:13:55 H=host253-119-dynamic.6-87-r.retail.telecomitalia.it (server) [87.6.119.253] incomplete transaction (RSET) from <xxx@xxx.it> for support@postmaster.libero.it
2008-06-28 12:14:00 1KCXRQ-0005Sp-1m <= xxx@xxx.it H=host253-119-dynamic.6-87-r.retail.telecomitalia.it (server) [87.6.119.253] P=esmtpa A=login:xxx@xxx.it S=3697 id=001301c8d907$b0e89490$0201a8c0@server T="I: Delivery Status Notification" from <xxx@xxx.it> for support@postmaster.libero.it
2008-06-28 12:14:01 1KCXRQ-0005Sp-1m => support@postmaster.libero.it F=<xxx@xxx.it> R=lookuphost T=remote_smtp S=3811 H=postmaster.libero.it [193.70.192.239] C="250 Ok: queued as 193365D04D"
2008-06-28 12:14:01 1KCXRQ-0005Sp-1m Completed
2 questions:
1. Why is "incomplete transaction (RSET) from..." written in the log?
2. Why is the first attempt not in the logfile?
PS: Now, without any technical configuration, libero.it and yahoo.com/it accept all the emails that I've sent from my server. Yesterday I sent my newsletter and not one email was returned to me. Every time that I send my NL, I delete the bounced recipient(s).
nobaloney
06-28-2008, 12:14 PM
> Now all the emails are correctly delivered; I think that libero and yahoo had a temporary malfunction...
I already explained why email may be considered spam; more below.
> Please, can you provide me an example of a cronjob to notify me if anyone sends over "x" mails from my server?
Not really. I don't have time to write it at this time, and if I have one of my employees write it I have to charge for it. Perhaps someone else will respond with an example.
> Is it possible that one user sends an email and Exim doesn't log it into the mainlog file?
Yes. If someone installs their own software to send email, and doesn't use exim, it won't appear in the exim logs.
> Today I sent an email to the postmaster of libero.it and the Mail Delivery System (of my server..?) responded that my local dynamic IP was blocked by a blacklist at 12.07 PM:
> But in the mainlog there isn't this sending attempt. I resent it correctly after 1 minute with the same IP address, and in the log there are the correct entries:
If you sent the email through your server the attempt should appear in your /var/log/exim/mainlog file. You can always tail the file in real time while sending the mail to see if your server is logging it properly.
> 2 questions:
> 1. Why is "incomplete transaction (RSET) from..." written in the log?
Because the other end disconnected you.
> 2. Why is the first attempt not in the logfile?
I have no idea.
> PS: Now, without any technical configuration, libero.it and yahoo.com/it accept all the emails that I've sent from my server.
Often companies block only temporarily.
Jeff
fmortara
06-28-2008, 04:00 PM
> I already explained why email may be considered spam; more below.
I don't understand, but maybe it's my English... :p
> Yes. If someone installs their own software to send email, and doesn't use exim, it won't appear in the exim logs.
Nobody has the possibility to install any software on the server; all users must use Exim for sending email.
If they use their own software on their local PC, they can't use the server's account, but only the domain's address... In this case, what does the spam blocker report for blocking? The domain or the IP address of the domain?
In particular, one of my users uses their own mail server as the MX record...
This is their DNS configuration for USERDOMAIN on my SERVER:
x.x.x.x is my server IP
y.y.y.y and z.z.z.z are their 1st and 2nd mail servers
ftp A x.x.x.x
USERDOMAIN.it. A x.x.x.x
localhost A 127.0.0.1
mail A y.y.y.y
mail2 A z.z.z.z
pop A x.x.x.x
webmail A x.x.x.x
www A x.x.x.x
USERDOMAIN.it. NS ns1.SERVER.it.
USERDOMAIN.it. NS ns2.SERVER.it.
mail.USERDOMAIN.it. MX 10
mail2.USERDOMAIN.it. MX 20
USERDOMAIN.it. TXT "v=spf1 a mx ip4:x.x.x.x ?all"
They want to have complete control of their mail server because in the past they had some problems with their hoster...
If they send spam, which IP address is listed in the blacklist to block?
Keep in mind that they don't use my mail server to send their email...
> If you sent the email through your server the attempt should appear in your /var/log/exim/mainlog file. You can always tail the file in real time while sending the mail to see if your server is logging it properly.
At the exact moment that I received the mail delivery notification, I logged into DirectAdmin to see the /var/log/exim/mainlog file, but I saw that there wasn't any logging of the error while sending. After I saw that, I resent the message and Exim correctly logged it!
> Because the other end disconnected you.
And is it a problem? Why did the other side disconnect me?
Do you mean that the process ends with an error, or may it be a normal thing?
nobaloney
06-29-2008, 09:08 AM
> Nobody has the possibility to install any software on the server; all users must use Exim for sending email.
Really? You mean you don't allow CGI scripts or PHP? Either can be used to write a mailserver.
> If they use their own software on their local PC, they can't use the server's account, but only the domain's address... In this case, what does the spam blocker report for blocking? The domain or the IP address of the domain?
If they're using their own PC, then you either allow them access to your mailserver (you probably do) in which case they can either use their ISP's server for outgoing email, or yours. Or if you don't, they have to use their ISP's mailserver for outgoing email.
In either event, IP#s are blocked, not domain names.
> In particular, one of my users uses their own mail server as the MX record...
> This is their DNS configuration for USERDOMAIN on my SERVER:
> x.x.x.x is my server IP
> y.y.y.y and z.z.z.z are their 1st and 2nd mail servers
They could still be using your mailserver if they want to; they could use ftp or www for their outgoing mail if they wish, and still find your server. There's no inherent limitation in either DNS, or your server; using different service names is a convenience, not a requirement.
> They want to have complete control of their mail server because in the past they had some problems with their hoster...
> If they send spam, which IP address is listed in the blacklist to block?
> Keep in mind that they don't use my mail server to send their email...
As I wrote above, you don't know that unless you read and understand the logs. The IP# address blocked will be the IP# of the last server handling the mail before it reaches the server blocking it.
> At the exact moment that I received the mail delivery notification, I logged into DirectAdmin to see the /var/log/exim/mainlog file, but I saw that there wasn't any logging of the error while sending. After I saw that, I resent the message and Exim correctly logged it!
Then you need to ask the recipient why they're blocking your mail.
> And is it a problem? Why did the other side disconnect me?
> Do you mean that the process ends with an error, or may it be a normal thing?
No, I'm just explaining what the message means. Generally if they disconnect you they have a reason; for example they may believe you're a spammer.
Jeff
fmortara
06-30-2008, 04:00 AM
> They could still be using your mailserver if they want to; they could use ftp or www for their outgoing mail if they wish, and still find your server. There's no inherent limitation in either DNS, or your server; using different service names is a convenience, not a requirement.
I have unchecked the flag "Use this server to handle my emails" in the MX Record fields in the user area of the DirectAdmin control panel. In this case, can the mail server not be used to send or receive email..??
[OT] If I disable "DNS control" for a user (which is enabled at this moment), does this modification make some change, or is it the same for the user's email? In the admin or reseller area, is there a field to check/uncheck this flag?
> No, I'm just explaining what the message means. Generally if they disconnect you they have a reason; for example they may believe you're a spammer.
> Jeff
But in this case, it is my server that received an email from my user for one of his contacts... PCRaffaele is my user... and 87.17.31.77 is his local IP address.
He sent an email with his domain.it email address to his contact xxx@tiscali.it, who regularly received this email.
In this case, why is there an incomplete transaction (RSET)?
2008-06-30 12:34:23 H=host77-31-dynamic.17-87-r.retail.telecomitalia.it (PCRaffaele) [87.17.31.77] incomplete transaction (RSET) from <email@domain.it> for xxx@tiscali.it
2008-06-30 12:34:31 1KDGiG-0005Oe-HA <= email@domain.it H=host77-31-dynamic.17-87-r.retail.telecomitalia.it (PCRaffaele) [87.17.31.77] P=esmtpa A=login:email@domain.it S=653874 id=3B73C8EA80BB4B688C2C2775625DDF19@PCRaffaele T="regolamento" from <email@domain.it> for xxx@tiscali.it
2008-06-30 12:34:33 1KDGiG-0005Oe-HA => xxx@tiscali.it F=<email@domain.it> R=lookuphost T=remote_smtp S=662411 H=mail-mx-2.tiscali.it [213.205.33.32] C="250 <485628E002BA088F> Mail accepted"
2008-06-30 12:34:33 1KDGiG-0005Oe-HA Completed
Henrik
06-30-2008, 06:23 AM
Hi Jeff,
> Once you recognize an email problem you can search the /var/log/exim/mainlog for the username to see how many emails the spammer is sending. You can also set a cronjob to search for any/all users who send (for example) over 250 emails a day, and to notify you of those users by username.
Are there code examples available for such a cronjob (possibly together with a trigger that only makes the script send out an email when the 250-emails-a-day limit is reached)?
Thanks :)
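Added example in answer to the cronjob request above; it is not code from this thread, from DirectAdmin or from Exim. It reads the message-arrival ("<=") lines that Exim writes to /var/log/exim/mainlog (the path named earlier in the thread), attributes each accepted message to the authenticated SMTP user (A=login:..., as in the log lines quoted above), else the local submitting Unix user (U=...), else the envelope sender, and prints only the senders above a daily limit, so cron's mail of the output arrives only when the limit is reached. The 250 limit is the figure used as an example in the thread; the script name and the U= attribution for PHP/CGI submissions are assumptions.

```python
"""Daily check of /var/log/exim/mainlog for users sending above a limit.

Added example; not code from this thread, DirectAdmin or Exim. Intended
to run from cron, e.g. "55 23 * * * /usr/local/bin/exim_top_senders.py"
(path is an assumption); cron mails whatever it prints, and it prints
nothing when no sender is over the limit.
"""
import re
import sys
from collections import Counter
from datetime import date
from typing import Dict, Iterable, List, Tuple

MAINLOG = "/var/log/exim/mainlog"   # DirectAdmin's Exim log, as named in the thread
LIMIT = 250                          # per-sender daily limit (the thread's example figure)

# "<date> <time> <queue-id> <= <sender> <rest...>" is Exim's arrival line.
ARRIVAL_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) \S+ (?P<id>\S+) <= (?P<sender>\S+)\s*(?P<rest>.*)$"
)
AUTH_RE = re.compile(r"\bA=\w+:(\S+)")     # authenticated SMTP, e.g. A=login:user@dom
LOCAL_USER_RE = re.compile(r"\bU=(\S+)")   # local submission, e.g. U=apache (PHP mail())


def sender_key(sender: str, rest: str) -> str:
    """Who to attribute one message to: auth user > local Unix user > envelope."""
    m = AUTH_RE.search(rest)
    if m:
        return "auth:" + m.group(1)
    m = LOCAL_USER_RE.search(rest)
    if m:
        return "local:" + m.group(1)
    return "envelope:" + sender


def count_senders(lines: Iterable[str], day: str) -> Dict[str, int]:
    """Count accepted messages per sender key for one day (YYYY-MM-DD)."""
    counts: Counter = Counter()
    for line in lines:
        m = ARRIVAL_RE.match(line.rstrip("\n"))
        if m and m.group("day") == day:
            counts[sender_key(m.group("sender"), m.group("rest"))] += 1
    return dict(counts)


def over_limit(counts: Dict[str, int], limit: int = LIMIT) -> List[Tuple[str, int]]:
    """Senders strictly above the limit, busiest first."""
    return sorted(((k, n) for k, n in counts.items() if n > limit),
                  key=lambda kv: (-kv[1], kv[0]))


def main() -> int:
    day = sys.argv[1] if len(sys.argv) > 1 else date.today().isoformat()
    with open(MAINLOG, encoding="utf-8", errors="replace") as fh:
        offenders = over_limit(count_senders(fh, day))
    for key, n in offenders:
        print(f"{day} {key} sent {n} messages (limit {LIMIT})")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

A "local:apache" entry means mail() from a PHP script running as the web server user; the X-PHP-Script header in the message itself then identifies which script and domain.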
fmortara
07-02-2008, 03:48 PM
I have the solution for my original question...
In DA you can edit the file "/usr/local/directadmin/data/users/USERNAME/httpd.conf", and in the section called <IfModule !mod_suphp.c> you can edit the default recipient that will be used as the default value of the Return-path header.
I had already attempted to edit this parameter in the main httpd.conf file, but the modification did not apply... Of course, it was overwritten by the included custom httpd.conf...
<IfModule !mod_suphp.c>
php_admin_flag engine ON
php_admin_flag safe_mode OFF
php_admin_value sendmail_path '/usr/sbin/sendmail -t -i -f email@domain.ext'
php_admin_value open_basedir /home/USERNAME/:/tmp:/usr/local/lib/php/
</IfModule>
Pay attention!
This trick is useful for receiving, in most cases, returned mail that could not be delivered correctly from your server (in fact, in most cases the default value is user@domain, and sometimes it isn't used to receive email; or you can, for a short time, put here your alternative or dedicated address, i.e. abuse@hostname, for monitoring the use of email by your users), but it can cause recipient servers to decide that you are a spammer...
Jeff docet!
fmortara
07-10-2008, 11:14 AM
> Really? You mean you don't allow CGI scripts or PHP? Either can be used to write a mailserver.
> Jeff
Hi!
Today I have the same problem: after 15 days in which the emails were sent correctly, libero.it rejected the emails from my server with the same error code (550 too many invalid recipients).
Please, can you provide me with information on how to identify whether anyone is using an external CGI or PHP script to send email from my server?
Where can I look to identify it?
nobaloney
07-12-2008, 09:29 AM
You have to check your user accounts to see if they've put any executable scripts onto their server. It's not easy, and I don't have any suggestions; perhaps someone else does.
Jeff