
How to know who sent spam mail from my server



Umpol
08-13-2009, 11:48 PM
I found a problem because my server IP is listed in http://cbl.abuseat.org. How can I know who (which of my users) sent spam mail?

I looked at the Exim mainlog but I can't determine which one. Please suggest how I can find this out.

Rich-Boy
08-14-2009, 05:10 AM
You could follow this guide (http://help.directadmin.com/item.php?id=151) to help you distinguish which domains are sending out the most mail, but I can't guarantee you'll be any the wiser.

floyd
08-14-2009, 06:18 AM
Obtain the headers of the spam and that will help.

Umpol
08-14-2009, 08:01 AM
You could follow this guide (http://help.directadmin.com/item.php?id=151) to help you distinguish which domains are sending out the most mail, but I can't guarantee you'll be any the wiser.

I found:

Top 50 sending hosts by volume
------------------------------
Messages    Bytes    Average    Sending host
    4029     10MB       2602    local

"local" doesn't make sense to me. Or which stats do I need to look at?

nobaloney
08-14-2009, 10:29 AM
Is there a user named local?

Jeff

Umpol
08-14-2009, 07:45 PM
Is there a user named local?

Jeff

No, there's not. So I don't know what "local" means, or who it is. :confused:

seachen
08-14-2009, 11:45 PM
I have a similar problem too. I have checked the sender email; it is from Yahoo mail, Hotmail, etc., and some domain mail like @cbn.com.

May I know if there is any way to find out which user an email address was created by?

Umpol
08-15-2009, 10:50 PM
I'm far from superman.... but next time you are deleting spam from your inbox you can thank people like yourself that run servers without having them secure enough to prevent spammers on their own servers.

I'm just being brutally honest, it's nothing personal at all, so don't get upset, use the frustration to learn more about your server and how to prevent these types of things.

Your comments are right but in the wrong place. Please read my topic title again; it's very easy to understand.

"How to know who sent spam mail from my server"

I didn't start this topic to discuss good or bad security. You should read the whole topic title before posting (if you're not a bot).

Thanks, and get to the point.

I received a suggestion like:


Check /etc/virtual/usage/*

the larger of the files (by a lot) would be the spamming account.

Related:
http://help.directadmin.com/item.php?id=81

but I think maybe some emails were sent without being recorded here. I looked in "Mail Queue Administration" and found many emails sent with the sender <>.

seachen
08-16-2009, 02:38 AM
I got some info from another forum, as below:


Who is having a large number of emails?

exim -bp | exiqsumm


To check a message header

exim -Mvh messageid


To check message content

exim -Mvb messageid


Removing Bad Mail

# Removes mail whose sender matches "nobody" (-f is a regex on the envelope sender)
for i in $(exiqgrep -i -f nobody); do exim -Mrm "$i"; done

# Removes mail older than 3 days (259200 seconds)
for i in $(exiqgrep -i -o 259200); do exim -Mrm "$i"; done

# Removes mail with the null sender <> (bounces; the original note called these "weird characters")
for i in $(exiqgrep -i -f '^<>$'); do exim -Mrm "$i"; done


Delete mails from a particular domain

for i in $(exiqgrep -i -f domain.com); do exim -Mrm "$i"; done



Delete mails to a particular domain

for i in $(exiqgrep -i -r domain.com); do exim -Mrm "$i"; done


Flush the entire mail queue

# exiqgrep -i with no filter lists every message ID in the queue
for i in $(exiqgrep -i); do exim -Mrm "$i"; done


Run the mail queue

runq -qqff &

floyd
08-16-2009, 09:57 AM
Your comments are right but in the wrong place. Please read my topic title again; it's very easy to understand.

"How to know who sent spam mail from my server"



I believe you can use cbl.abuseat.org to determine why you got listed. If you do not know how to use it, then give us the IP that is listed and I will look at it for you.

nobaloney
08-18-2009, 10:07 AM
I looked in "Mail Queue Administration" and found many emails sent with the sender <>.
Unfortunately the Mailer Daemon sends back reports with a null sender (<>).

And the RFCs say you have to accept emails from Mailer Daemon.

And there are still many servers that use Mailer Daemons to return email rather than refuse it as it comes in.

What's probably happening is that spammers are forging your email addresses.

Check on these forums and elsewhere for collateral spam.

Jeff
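The thread never shows how to actually do what Umpol was attempting by eye in the Exim mainlog, so here is an added example (not from any participant or from DirectAdmin): a small Python script that reads `<=` arrival lines from an Exim mainlog and attributes each message to whoever injected it, using the standard Exim log fields `A=` (SMTP AUTH login), `U=` (Unix user of a local submission, `P=local`) and `H=` (remote host). Null-sender `<>` arrivals are counted separately as bounces rather than as a spamming account, which is nobaloney's point about collateral spam. The log lines embedded in the script are constructed samples, not from any server in the thread; the reading that `U=nobody` usually means a PHP/CGI script is a typical interpretation, not something the thread establishes.

```python
import re
from collections import Counter

# Constructed sample Exim mainlog lines (illustrative, not from the thread's server).
SAMPLE_MAINLOG = """\
2009-08-14 10:00:01 1MbXYZ-0001aB-Cd <= alice@example.com U=alice P=local S=2048
2009-08-14 10:00:02 1MbXYZ-0001aC-De <= nobody@server.example.com U=nobody P=local S=1800
2009-08-14 10:00:03 1MbXYZ-0001aD-Ef <= nobody@server.example.com U=nobody P=local S=1750
2009-08-14 10:00:04 1MbXYZ-0001aE-Fg <= bob@example.org H=(mypc) [203.0.113.5] P=esmtpa A=dovecot_login:bob@example.org S=3100
2009-08-14 10:00:05 1MbXYZ-0001aF-Gh <= <> R=1MbXYZ-0001aA-Bc U=mail P=local S=4096
2009-08-14 10:00:06 1MbXYZ-0001aG-Hi <= <> R=1MbXYZ-0001aB-Cd U=mail P=local S=4000
2009-08-14 10:00:07 1MbXYZ-0001aH-Ij => alice@example.com R=virtual_user T=virtual_localdelivery
2009-08-14 10:00:08 1MbXYZ-0001aI-Jk <= spammer@forged.example H=(x) [198.51.100.7] P=esmtp S=900
"""

# "<=" marks a message arriving at Exim; "=>" lines are deliveries and are skipped.
ARRIVAL_RE = re.compile(r'^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+)(?P<rest>.*)$')
# Exim log fields look like KEY=value; the lookbehind stops us matching inside a value.
FIELD_RE = re.compile(r'(?<!\S)(?P<k>[A-Z]+)=(?P<v>\S+)')
IP_RE = re.compile(r'\[([0-9a-fA-F.:]+)\]')


def originator(sender, fields):
    """Name the party that injected the message, strongest evidence first.

    A=  authenticator and login: an SMTP AUTH account on this server.
    U=  Unix user that ran the local sendmail interface (P=local); 'nobody' or
        the web server user usually means a PHP/CGI script (typical reading).
    H=  remote host, with its IP in brackets: a relay, not a local account.
    The envelope sender itself is the weakest signal, since spammers forge it.
    """
    if 'A' in fields:
        return 'auth:' + fields['A'].split(':', 1)[-1]
    if fields.get('P') == 'local' and 'U' in fields:
        return 'uid:' + fields['U']
    if 'H' in fields:
        return 'remote:' + fields.get('IP', fields['H'])
    return 'unknown:' + sender


def attribute(log_text):
    """Return (Counter of originator -> message count, number of null-sender bounces)."""
    by_origin = Counter()
    bounces = 0
    for line in log_text.splitlines():
        m = ARRIVAL_RE.match(line)
        if not m:
            continue
        fields = dict(FIELD_RE.findall(m.group('rest')))
        ip = IP_RE.search(m.group('rest'))
        if ip:
            fields['IP'] = ip.group(1)
        if m.group('sender') == '<>':
            # Null sender: a bounce generated by the MTA itself (R= names the
            # original message). Collateral spam lands here; it is not a local spammer.
            bounces += 1
            continue
        by_origin[originator(m.group('sender'), fields)] += 1
    return by_origin, bounces


if __name__ == '__main__':
    counts, bounces = attribute(SAMPLE_MAINLOG)
    for origin, n in counts.most_common():
        print(f'{n:6d}  {origin}')
    print(f'{bounces:6d}  null-sender bounces (look for backscatter here, not for a spammer)')
```

Run it as-is to see the attribution of the sample; on a real box replace `SAMPLE_MAINLOG` with the contents of the Exim mainlog (on DirectAdmin builds usually /var/log/exim/mainlog, an assumption about the install rather than something stated in the thread). The top `uid:` or `auth:` entry is the account to inspect; a large `remote:` count means the server is relaying, and a large bounce count with few local originators points at forged addresses rather than a compromised user.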

hostneverdie
08-22-2009, 09:05 AM
Can anyone make a tutorial for this issue? I've got the same problem too, and it is not a piece of cake to find the spammer. :(

nobaloney
08-22-2009, 01:55 PM
Did you read my suggestion? Did you google Collateral Spam (http://www.google.com/search?hl=en&safe=off&client=firefox-a&rls=org.mozilla:en-US:official&hs=7eI&ei=jlqQSp3nGY3UsgO50dUR&sa=X&oi=spell&resnum=0&ct=result&cd=1&q=collateral+spam&spell=1)?

Did you google for collateral spam in The DirectAdmin Forum (http://www.google.com/search?hl=en&as_q=collateral+spam&as_epq=&as_oq=&as_eq=&num=10&lr=&as_filetype=&ft=i&as_sitesearch=directadmin.com&as_qdr=all&as_rights=&as_occt=any&cr=&as_nlo=&as_nhi=&safe=off)?

Or do you want me to do your homework for you :)?

Jeff