
Exim Identifying Spam Script Location


My unix server is sending lots of spam mail. I am investigating the issue but could not find the script location. Here is one of the spam mail headers. There is no information about the script location.

    1XG440-0003wz-8i-H
    mail 8 12
    <[email protected]>
    1407580792 0
    -helo_name silakalite.com
    -host_address 127.0.0.1.44541
    -host_name localhost.localdomain
    -interface_address 127.0.0.1.25
    -received_protocol esmtp
    -body_linecount 5
    -deliver_firsttime
    XX
    1
    [email protected]

    245P Received: from localhost.localdomain ([127.0.0.1] helo=silakalite.com)
        by s1.codezing.com with esmtp (Exim 4.67)
        (envelope-from <[email protected]>)
        id 1XG440-0003wz-8i
        for [email protected]; Sat, 09 Aug 2014 13:39:52 +0300
    037  Date: Sat, 9 Aug 2014 10:39:50 +0000
    055F From: "Latisha Powers" <[email protected]>
    058R Reply-To:"Latisha Powers" <[email protected]>
    046I Message-ID: <[email protected]>
    027T To: [email protected]
    028  Subject: Re:  heh malay car
    023  X-Priority: 3 (Normal)
    018  MIME-Version: 1.0
    046  Content-Type: text/html; charset="iso-8859-1"
    032  Content-Transfer-Encoding: 8bit

Here is the relevant part of the exim mainlog as well.

    2014-08-09 12:29:15 1XG2xZ-0001cm-Sy == [email protected] R=lookuphost T=remote_smtp defer (-45): SMTP error from remote mail server after MAIL FROM:<maude_m[email protected]> SIZE=1851: host mta6.am0.yahoodns.net [66.196.118.36]: 421 4.7.1 [TS03] All messages from 46.102.243.208 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html
    2014-08-09 12:29:18 1XG2xi-0001dA-KT <= [email protected] U=apache P=local S=794 T="Fw:  He he Ulia Suzana Homemade Lesbian" from <[email protected]> for [email protected]

How can I identify the script location?


Solution

  • Your web hosting panel uses Exim as its mail server. One of your customers has a website that has an insecure feedback form (it allows a submitter to specify the recipient, possibly the sender, and the data). The first clue is from this:

    2014-08-09 12:29:18 1XG2xi-0001dA-KT <= [email protected] U=apache P=local

    It says that the user is apache. So the next thing to do is go look in your webserver logs, starting at exactly 12:29:18, and look a few seconds before and a few seconds after until you find one site on which a GET or POST was performed against a feedback form (or an insecure form in general).

    Is silakalite.com your customer? Is hillary_newton@ a valid sender for that domain? If yes, then it should be easy to find the website which is causing this. If no, then you can only figure it out by the timestamps.
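One way to do the timestamp correlation the answer describes, as an added example that is not part of the original post or of Exim: it picks the messages Exim accepted from the apache user and lists the web requests logged within a few seconds of each. The log lines are constructed samples, and it assumes both logs are written in the server's local time and that the web server uses the Apache combined log format.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs, not from the server in the question; addresses and paths are placeholders.
EXIM_MAINLOG = """\
2014-08-09 12:29:15 1XG2xZ-0001cm-Sy == bounce@example.net R=lookuphost T=remote_smtp defer (-45)
2014-08-09 12:29:18 1XG2xi-0001dA-KT <= sender@customer.example U=apache P=local S=794 for victim@example.net
2014-08-09 12:31:02 1XG2zQ-0001fA-Ab <= alice@customer.example U=alice P=local S=600 for bob@example.net
"""
ACCESS_LOG = """\
203.0.113.5 - - [09/Aug/2014:12:28:10 +0300] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Aug/2014:12:29:17 +0300] "POST /contact/feedback.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Aug/2014:12:29:20 +0300] "GET /about.html HTTP/1.1" 200 2048 "-" "curl/7.0"
"""

# "<=" marks a message Exim accepted; U= is the local user that handed it in.
EXIM_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) <= (\S+) .*\bU=(\S+)")
# Apache combined log format: client, timestamp, method, path, status.
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_exim_submissions(text, user="apache"):
    """Messages accepted from a local process running as `user` (the web server)."""
    out = []
    for m in filter(None, map(EXIM_RE.match, text.splitlines())):
        ts, msgid, sender, u = m.groups()
        if u == user:
            out.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        "id": msgid, "sender": sender})
    return out

def parse_access_log(text):
    """Combined-format lines; the UTC offset is dropped (both logs assumed in server local time)."""
    out = []
    for m in filter(None, map(ACCESS_RE.match, text.splitlines())):
        client, ts, method, path, status = m.groups()
        out.append({"time": datetime.strptime(ts.split()[0], "%d/%b/%Y:%H:%M:%S"),
                    "client": client, "method": method, "path": path, "status": int(status)})
    return out

def correlate(exim_text, access_text, window_s=5, user="apache"):
    """For each message the web server user injected into Exim, the HTTP requests
    logged within +/- window_s seconds, POSTs first: those point at the abused form."""
    requests = parse_access_log(access_text)
    delta = timedelta(seconds=window_s)
    result = {}
    for msg in parse_exim_submissions(exim_text, user):
        near = [r for r in requests if abs(r["time"] - msg["time"]) <= delta]
        result[msg["id"]] = sorted(near, key=lambda r: (r["method"] != "POST", r["time"]))
    return result
```

On a real server, feed it the whole mainlog and the access logs of every vhost, since the abused form may live on any customer site, and widen the window if the host is slow.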