
Date:  Mon, 19 Nov 2007 12:26:55 -0800
From:  "Ken Marcus - Precision Web Hosting, Inc." <kenmarcus (at mark) precisionweb.net>
Subject:  [coba-e:11191] Re: Email Still Blacklisted
To:  <coba-e (at mark) bluequartz.org>
Message-Id:  <090001c82aea$89802650$6700a8c0@OfficeKen>
References:  <03ca01c82ad8$c3437660$9501a8c0@DELL>
X-Mail-Count: 11191


----- Original Message ----- 
From: "Donald Zimmer" <dwz (at mark) usa.net>
To: <coba-e (at mark) bluequartz.org>
Sent: Monday, November 19, 2007 10:19 AM
Subject: [coba-e:11188] Email Still Blacklisted


> Hi Everyone,
>
> I could still use some help with my spam/blacklist problem. I've verified 
> through the abuse.net relay test that I am not relaying and I do have a 
> valid PTR record.
>
> I know that something is generating spam from all the reject emails I'm 
> getting (see below).
>
> I assume that a PHP or CGI script is cranking out the spam but how can I 
> tell what is doing it?? The server logs are not any help and the site's 
> email reports don't show any increased activity.
>
> How can I tell what is sending the spam??
>
> Thanks,
>
> Don
> **************************************************
>
> The original message was received at Mon, 19 Nov 2007 12:00:48 -0500
> from localhost [127.0.0.1]
>
>   ----- The following addresses had permanent fatal errors -----
> <x520815 (at mark) tomail.com.tw>
>
>   ----- Transcript of session follows -----
> 554 5.0.0 MX list for tomail.com.tw. points back to msi.mydomain.net
> 554 5.3.5 Local configuration error
>
>


Don


Type:
mailq

That will show you the outgoing emails.

The format is something like
lAHJc60k014130    15994 Mon Nov 19 12:38 <something (at mark) something.com>
                 (Deferred: Connection timed out with mx1.somethingelse.com.)
                                         <EligibiltyNotifcation@retiredmountain

In this example the ID is:
lAHJc60k014130

cd /var/spool/mqueue
#then
cat *lAHJc60k014130

Look carefully at that output and see if you can tell anything from there, 
like what contact form they are exploiting. Maybe in it you will see that the 
domain name of the To: address is one of your domains and all the BCCs are 
what they are actually trying to spam. Then look at the CGI / PHP scripts 
on their site.


Or, look at your access log
#Mon, 19 Nov 2007 12:00:48

grep '19/Nov/2007:12:' /var/log/httpd/access_log | grep php

Or maybe they uploaded a PHP script to a user directory, like one with 
user test / password test. Check that.
ls -la /home/sites/*.*/users/*/web | grep php
ls -la /home/sites/*.*/users/*/web | grep pl
ls -la /home/sites/*.*/users/*/web | grep cgi



Also, check your /tmp dir

ls -bals /tmp


Or, they might simply have the login of one of your email addresses and are 
using that to send email.



----
Ken Marcus
Ecommerce Web Hosting by
Precision Web Hosting, Inc.
http://www.precisionweb.net
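As an added example (not part of Ken's reply, and not anything BlueQuartz or sendmail ships), the hunt described above turned into a few POSIX shell functions: convert the mailq timestamp into the minute key Apache writes in access_log, list which PHP/CGI/Perl scripts were hit in that minute and from which client, pull the envelope recipients out of the queued message's qf control file, and find recently modified scripts under the user web directories. Every path, address and log line below is constructed sample data; on a real box point the functions at /var/spool/mqueue, /var/log/httpd/access_log and /home/sites/*/users/*/web.

```shell
#!/bin/sh
# Added example, not from the original post: shell helpers for the spam hunt
# Ken describes. All sample data below is constructed; the real locations are
# /var/spool/mqueue, /var/log/httpd/access_log and /home/sites/*/users/*/web.

# mailq_to_apache_minute "<mailq line>" YEAR
# Turns the date in a mailq line ("... Mon Nov 19 12:38 ...") into the minute
# key used by Apache's common log format ("19/Nov/YEAR:12:38"). mailq prints
# no year, so it is passed in. Pass a shorter key such as "19/Nov/2007:12:"
# to php_hits_in_minute to widen the window to a whole hour.
mailq_to_apache_minute() {
    printf '%s\n' "$1" | awk -v yr="$2" '{ printf "%s/%s/%s:%s\n", $5, $4, yr, $6 }'
}

# php_hits_in_minute ACCESS_LOG KEY
# Prints "count client method path" for every .php/.cgi/.pl request whose
# timestamp starts with KEY, busiest first. An abused contact form shows up
# as one script hit over and over (usually by POST) from one or two clients.
php_hits_in_minute() {
    grep -F "[$2" "$1" \
      | awk '{ gsub(/"/, "", $6); split($7, p, "?")
               if (p[1] ~ /\.(php|cgi|pl)$/) print $1, $6, $7 }' \
      | sort | uniq -c | sort -rn
}

# queue_recipients QFILE
# Lists the recipients recorded in a sendmail qf control file: those lines
# start with "R", then delivery flags, then ":" and the address. Recipients
# outside your own domains are who the spammer is really mailing.
queue_recipients() {
    sed -n 's/^R[^:]*://p' "$1"
}

# recent_web_scripts ROOT DAYS
# Finds .php/.pl/.cgi files under ROOT modified in the last DAYS days, the
# quickest way to spot a mailer script dropped into a user's web directory.
recent_web_scripts() {
    find "$1" -type f \( -name '*.php' -o -name '*.pl' -o -name '*.cgi' \) -mtime -"$2"
}

# make_sample_data DIR
# Writes constructed stand-ins for the mail queue, the access log and a user
# web directory so the helpers above can be exercised offline.
make_sample_data() {
    mkdir -p "$1/mqueue" "$1/sites/site1/users/test/web"
    cat > "$1/mqueue/qflAHJc60k014130" <<'EOF'
V8
T1195493880
S<apache@msi.example.net>
RPFD:victim1@example.com
RPFD:victim2@example.org
H??To: sales@msi.example.net
H??Subject: Re: your account
EOF
    cat > "$1/access_log" <<'EOF'
10.0.0.5 - - [19/Nov/2007:12:38:01 -0500] "POST /contact.php HTTP/1.1" 200 512
10.0.0.5 - - [19/Nov/2007:12:38:02 -0500] "POST /contact.php HTTP/1.1" 200 512
10.0.0.5 - - [19/Nov/2007:12:38:03 -0500] "POST /contact.php HTTP/1.1" 200 512
192.0.2.10 - - [19/Nov/2007:12:38:05 -0500] "GET /index.php HTTP/1.1" 200 4096
192.0.2.11 - - [19/Nov/2007:12:38:09 -0500] "GET /images/logo.gif HTTP/1.1" 200 2048
198.51.100.7 - - [19/Nov/2007:12:40:00 -0500] "POST /contact.php HTTP/1.1" 200 512
EOF
    printf '<?php mail($_POST["to"], $_POST["s"], $_POST["b"]); ?>\n' \
        > "$1/sites/site1/users/test/web/mailer.php"
}

# Demo run against the constructed data.
demo_dir=$(mktemp -d)
make_sample_data "$demo_dir"
minute=$(mailq_to_apache_minute "lAHJc60k014130    15994 Mon Nov 19 12:38 <apache@msi.example.net>" 2007)
echo "Web hits during $minute:"
php_hits_in_minute "$demo_dir/access_log" "$minute"
echo "Queued recipients:"
queue_recipients "$demo_dir/mqueue/qflAHJc60k014130"
echo "Scripts changed in the last day:"
recent_web_scripts "$demo_dir/sites" 1
rm -rf "$demo_dir"
```

The minute-level match is tighter than the hour-level grep in the post; the queue time is when sendmail accepted the message, which is normally within seconds of the POST that generated it, so start with the minute and widen the key only if nothing shows up. Once the script is identified, the qf recipients tell you how far the run got, and the client address from access_log is what to block at the firewall while the form is fixed.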