[BlueOnyx:13500] Re: Mailing Spam Issue

Chris Gebhardt - VIRTBIZ Internet cobaltfacts at virtbiz.com
Fri Aug 9 07:44:18 -05 2013


On 8/8/2013 12:40 AM, Marcello Torchio wrote:
> Hi everybody,
>
> I'm having trouble on my BO boxes with SPAM issues.
>
> Sometimes it happens that at the beginning of the month my customers
> receive spam mails from themselves.
>
> The mail, if analyzed in source code, contains the same FROM and TO fields
> (e.g. the mail of a customer) but a different address in the Return-Path.
>
> The mails are incoming from outside servers and they are not sent through
> my servers.
>
> On the servers I'm running different tools to check mailq size and mail
> stats to analyze if there are possible outgoing SPAM issues, but there does
> not seem to be.
>
> I don't understand why, at the beginning of the month, a lot of
> customers receive these mails.
>
> Has someone else had a similar experience?
>
> Could it be a "normal" SPAM issue?

Hi Marcello,
You are not talking about the barely-usable "Mail Queue Manager" in 
cPanel, are you? I've never found that feature to be anything but slow 
and useless, especially in the event of a spam outbreak.

On a BlueOnyx server, I'd immediately like to take a look via CLI.

First off, you can view your mailq like this:
# mailq

That's it.  That will print a list of everything that is in the mailq. 
It will even give you the message ID numbers, which will look something 
like this:  "r76Ib2wt003915"

From there, you can grep for the message ID in the maillog like this:
grep "r76Ib2wt003915" /var/log/maillog

And that will print to screen every instance of that message ID that has 
been logged.

From what you have said about the spam problem that you are having, my 
advice would be to look for a web script that is being exploited. For 
whatever reason, I've seen a lot of Joomla exploits lately, and they all 
happen to be on our cPanel servers. I don't know what the connection 
is. Maybe it's because many of our BlueOnyx hosting customers are 
using something other than Joomla? Who knows. At any rate, similar 
problems have been seen across the board without regard to control panel.

BlueOnyx makes it very easy to find the problem because of the shared 
httpd access log. You can tail a single log file and see activity for 
all the sites hosted on the box.

Better yet, if you already know the domain that is the source of the 
problem, you can further narrow the search.

I would be looking for POST commands.  You can tail the log and pipe to 
grep for easy diagnosis like this:

tail -f /var/log/httpd/access_log | grep "POST" | grep "domain.tld"

Of course you want to replace domain.tld in the above example with the 
actual domain.

If the problem is ongoing, you'll be sure to find it because you'll see 
a particular URL getting hit with a POST command over and over, likely 
from a handful of IP addresses.

Or if the problem is not ongoing, and you want to just search past 
entries, then you just modify the command a bit to eliminate the tail:

grep "domain.tld" /var/log/httpd/access_log | grep "POST"

I hope that helps get you on your way a bit.

-- 
Chris Gebhardt
VIRTBIZ Internet Services
Access, Web Hosting, Colocation, Dedicated
www.virtbiz.com | toll-free (866) 4 VIRTBIZ
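The grep-for-POST step described in the reply above, carried one step further as an added example (not code from the original post or from BlueOnyx): instead of eyeballing the tail output, it counts POST requests per URL for one domain and how many distinct source IPs hit each one, so a script being hammered "over and over, likely from a handful of IP addresses" stands out. It assumes a shared access_log in combined format with the vhost name as the first field; the function name post_hits, the sample log lines and the IP addresses are constructed for the example.

```shell
#!/bin/sh
# Added example: summarise POST traffic for one vhost in a shared httpd
# access_log to spot a web script being hit repeatedly by a few IPs.
# Assumes LogFormat "%v %h %l %u %t \"%r\" %>s %b ..." (vhost first);
# adjust the awk field numbers if your LogFormat differs.

# Constructed sample lines standing in for /var/log/httpd/access_log.
SAMPLE_LOG=$(cat <<'EOF'
example.tld 203.0.113.5 - - [09/Aug/2013:07:01:02 -0500] "POST /images/stories/mail.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
example.tld 203.0.113.5 - - [09/Aug/2013:07:01:03 -0500] "POST /images/stories/mail.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
example.tld 198.51.100.7 - - [09/Aug/2013:07:01:04 -0500] "POST /images/stories/mail.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
example.tld 192.0.2.9 - - [09/Aug/2013:07:01:05 -0500] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
example.tld 203.0.113.5 - - [09/Aug/2013:07:01:06 -0500] "POST /images/stories/mail.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
other.tld 192.0.2.10 - - [09/Aug/2013:07:01:07 -0500] "POST /contact.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
example.tld 192.0.2.11 - - [09/Aug/2013:07:01:08 -0500] "POST /contact.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
EOF
)

# post_hits DOMAIN [THRESHOLD]: reads an access_log on stdin and prints
# "hits url distinct_ips" for every POSTed URL on DOMAIN with at least
# THRESHOLD hits (default 3), busiest URL first.
post_hits() {
    domain=$1
    threshold=${2:-3}
    awk -v dom="$domain" -v thr="$threshold" '
        # $1 vhost, $2 client IP, $7 is "\"POST" (quote + method), $8 path
        $1 == dom && $7 == "\"POST" {
            hits[$8]++
            if (!seen[$8, $2]++) ips[$8]++
        }
        END {
            for (u in hits)
                if (hits[u] >= thr)
                    printf "%d %s %d\n", hits[u], u, ips[u]
        }' | sort -rn
}

# Demo on the constructed log; on a real box use:
#   post_hits domain.tld < /var/log/httpd/access_log
printf '%s\n' "$SAMPLE_LOG" | post_hits example.tld
```

A URL with a high hit count from only one or two IPs is the one to inspect on disk and compare against the maillog timestamps from the mailq step.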