Track SPAMMER

How do I trace this spammer sending via nobody?

Is there a way to change the IP in cpanel for outgoing mail using nobody user?

Received: from server4.hostname.com (hostname.com [xxx.x02.65.178] (may be forged))
    by mail.nwsup.com (8.13.5/8.13.5) with ESMTP id j94IHoYP012535
    for <mun...@nwsup.com>; Tue, 4 Oct 2005 14:17:56 -0400
Received: from [222.253.69.94] (helo=it)
    by server4.hostname.com with esmtpa (Exim 4.52)
    id 1EMrMA-0000EY-S9
    for mun...@nwsup.com; Tue, 04 Oct 2005 13:17:39 -0500
From: "dang hong thuy" <danghongt...@vnn.vn>
To: mun...@nwsup.com
Subject: hello
Date: Wed, 5 Oct 2005 01:17:39 +0700
MIME-Version: 1.0
X-Mailer: Internal Email Service (4.6.0.715)
Message-ID: <!~!55AEB621c3858$508b8$43432...@vnn.vn>
Reply-To: danghongt...@vnn.vn
Content-Type: multipart/alternative;
    boundary="--=_NextPart_055AEB71_7239A071_01C9F258.D84EF1C0"
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server4.hostname.com
X-AntiAbuse: Original Domain - nwsup.com
X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
X-AntiAbuse: Sender Address Domain - vnn.vn
X-Source:
X-Source-Args:
X-Source-Dir:
X-Virus-Scanned: ClamAV version 0.87, clamav-milter version 0.87 on mail.nwsup.com
X-Virus-Status: Clean


This is a multi-part message in MIME format.


----=_NextPart_055AEB71_7239A071_01C9F258.D84EF1C0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit


hello welocom to vert out


----=_NextPart_055AEB71_7239A071_01C9F258.D84EF1C0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3D"Content-Type" content=3D"text/html; charset=
=3Diso-8859-1">
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV>hello welocom to vert out</DIV>
</BODY></HTML>


----=_NextPart_055AEB71_7239A071_01C9F258.D84EF1C0--



I have these enabled in WHM

Include a list of Pop before SMTP senders in the X-PopBeforeSMTP
Silently Discard all FormMail-clone requests
Track the origin of messages sent though the mail server by adding X

Exim enabled these:

Always set the Sender: header when the sender is changed from the actual sender.
Verify the existence of email senders.
Use callouts to verify the existence of email senders.
Discard emails for users who have exceeded their quota instead of keeping them in the queue.

exim.conf
(first box)

untrusted_set_sender = *
local_from_check = false
local_sender_retain = true

timeout_frozen_after = 2d
ignore_bounce_errors_after = 12h

domainlist rbl_blacklist = lsearch;/etc/rblblacklist
domainlist rbl_bypass = lsearch;/etc/rblbypass
hostlist rbl_whitelist = lsearch;/etc/relayhosts : partial-lsearch;/etc/rblwhitelist
message_size_limit = 5M
log_selector = +arguments +subject

timeout_frozen_after = 2d
ignore_bounce_errors_after = 12h

acl_not_smtp = acl_check_pipe

(under begin acl)

#!!# ACL that is used after the RCPT command


##Added Sendmail Bcc and Cc Spam Removal##
acl_check_pipe:
  #drop condition = ${if match {$message_body}\
  #     {\N.*\
  #     MIME-Version:.*\N}{true}}
  #     log_message = "Spam MIME-Version:$header_subject: "

  #drop condition = ${if match {$message_body}\
  #     {\N.*\
  #     Reply-To:.*\N}{true}}
  #     log_message = "Spam Reply-To:$header_subject: "

  # This will also block attachments
  # drop condition = ${if match {$message_body}\
  #      {\N.*\
  #      Content-Type:.*\N}{true}}
  #      log_message = "Spam: Content-Type: $header_subject: "

  # This will also block attachments
  # drop condition = ${if match {$message_body}\
  #      {\N.*\
  #      Content-Transfer-Encoding:.*\N}{true}}
  #      log_message = "Spam: Content-Transfer-Encoding: $header_subject: "

  drop condition = ${if match {$message_body}\
                   {\N.*\
                   [Bb][Cc][Cc]:.*\N}{true}}
       log_message = "Spam: BCC: $header_subject: "

  drop condition = ${if match {$message_body}\
                   {\N.*\
                   [Cc][Cc]:.*\N}{true}}
       log_message = "Spam: CC: $header_subject: "
  accept

  accept
##End of Additions ##

check_recipient:
  # Exim 3 had no checking on -bs messages, so for compatibility
  # we accept if the source is local SMTP (i.e. not over TCP/IP).
  # We do this by testing for an empty sending host field.
  accept hosts = :

  drop hosts = /etc/exim_deny
       message = Connection denied after dictionary attack
       log_message = Connection denied from $sender_host_address after dictionary attack


  drop message = Appears to be a dictionary attack
       log_message = Dictionary attack (after $rcpt_fail_count failures)
       condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
       condition = ${run{/etc/exim_deny.pl $sender_host_address }{yes}{no}}
       !verify = recipient

  # Accept bounces to lists even if callbacks or other checks would fail
  warn message = X-WhitelistedRCPT-nohdrfromcallback: Yes
       condition = \
         ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
         {yes}{no}}

  accept condition = \
         ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
         {yes}{no}}


  # Accept bounces to lists even if callbacks or other checks would fail
  warn message = X-WhitelistedRCPT-nohdrfromcallback: Yes
       condition = \
         ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
         {yes}{no}}

  accept condition = \
         ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
         {yes}{no}}

  #if it gets here it isn't mailman

  #sender verifications are required for all messages that are not sent to lists

  require verify = sender
  accept domains = +local_domains
         endpass

         #recipient verifications are required for all messages that are not sent to the local machine
         #this was done at multiple users requests

         message = "The recipient cannot be verified. Please check all recipients of this message to verify they are valid."
         verify = recipient

  accept domains = +relay_domains

  warn message = ${perl{popbeforesmtpwarn}{$sender_host_name}}
       hosts = +relay_hosts
  accept hosts = +relay_hosts

  warn message = ${perl{popbeforesmtpwarn}{$sender_host_address}}
       condition = ${perl{checkrelayhost}{$sender_host_address}}
  accept condition = ${perl{checkrelayhost}{$sender_host_address}}

  accept hosts = +auth_relay_hosts
         endpass
         message = $sender_fullhost is currently not permitted to \
                   relay through this server. Perhaps you \
                   have not logged into the pop/imap server in the \
                   last 30 minutes or do not have SMTP Authentication turned on in your email client.
         authenticated = *

  deny message = $sender_fullhost is currently not permitted to \
                 relay through this server. Perhaps you \
                 have not logged into the pop/imap server in the \
                 last 30 minutes or do not have SMTP Authentication turned on in your email client.


#!!# ACL that is used after the DATA command
check_message:
  require verify = header_sender
  accept

(under begin rewrite)

nobody@lsearch;/etc/localdomains "${if !eq {$header_From:}{}{$header_sender:$header_From:}fail}" Fs
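The headers quoted above already contain the trail a defender wants. Each relay prepends its own Received: line, so the chain reads bottom-up: the oldest hop is "from [222.253.69.94] (helo=it) by server4.hostname.com with esmtpa", and Exim only writes "esmtpa" when the client passed SMTP AUTH, so that hop was an authenticated submission rather than an unauthenticated relay. The "(may be forged)" note on the outer hop was added by Sendmail on mail.nwsup.com because the reverse DNS of the connecting IP did not resolve back to the name it presented. The script below is an added example, not code from the post; it parses the post's own headers (re-folded with leading tabs so the standard library joins the continuation lines), orders the hops, flags authenticated and "may be forged" hops, and pulls out the Exim message id and the X-AntiAbuse lines for an abuse report. The field regexes and the hop dictionary layout are my own choices.

```python
import re
from email import message_from_string

# Constructed sample: the Received and X-AntiAbuse headers quoted in the post,
# with continuation lines re-folded (leading tab) so the stdlib parser joins them.
SAMPLE_HEADERS = """\
Received: from server4.hostname.com (hostname.com [xxx.x02.65.178] (may be forged))
\tby mail.nwsup.com (8.13.5/8.13.5) with ESMTP id j94IHoYP012535
\tfor <mun...@nwsup.com>; Tue, 4 Oct 2005 14:17:56 -0400
Received: from [222.253.69.94] (helo=it)
\tby server4.hostname.com with esmtpa (Exim 4.52)
\tid 1EMrMA-0000EY-S9
\tfor mun...@nwsup.com; Tue, 04 Oct 2005 13:17:39 -0500
From: "dang hong thuy" <danghongt...@vnn.vn>
Subject: hello
X-AntiAbuse: Primary Hostname - server4.hostname.com
X-AntiAbuse: Original Domain - nwsup.com
X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
X-AntiAbuse: Sender Address Domain - vnn.vn

"""

# Clauses of a Received: header (RFC 5321 trace fields).
FIELD_RE = {
    "from": re.compile(r"^from\s+(\S+)", re.I),
    "by":   re.compile(r"\bby\s+(\S+)", re.I),
    "with": re.compile(r"\bwith\s+(\S+)", re.I),
    "id":   re.compile(r"\bid\s+(\S+)", re.I),
    "helo": re.compile(r"helo=([^\s)]+)", re.I),
}
IP_RE = re.compile(r"\[([^\]]+)\]")          # bracketed literal; also catches redacted ones
# Exim message ids look like 1EMrMA-0000EY-S9: base-62 groups of 6, 6 and 2 characters.
EXIM_ID_RE = re.compile(r"^[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}$")
# Exim records these protocol names only when the client passed SMTP AUTH.
AUTH_PROTOCOLS = {"esmtpa", "esmtpsa"}


def parse_received(value):
    """Break one Received: header into its trace fields plus derived flags."""
    text = " ".join(value.split())            # unfold the header onto one line
    hop = {}
    for name, rx in FIELD_RE.items():
        m = rx.search(text)
        hop[name] = m.group(1) if m else None
    hop["ips"] = IP_RE.findall(text)
    hop["forged"] = "(may be forged)" in text
    hop["authenticated"] = (hop["with"] or "").lower() in AUTH_PROTOCOLS
    hop["exim_id"] = hop["id"] if hop["id"] and EXIM_ID_RE.match(hop["id"]) else None
    return hop


def trace(raw_message):
    """Order the hops oldest-first and summarise what matters for an abuse report."""
    msg = message_from_string(raw_message)
    # Each relay prepends its own Received: header, so the last one is the oldest.
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    origin = hops[0] if hops else None
    return {
        "hops": hops,
        "origin_ip": origin["ips"][0] if origin and origin["ips"] else None,
        "origin_helo": origin["helo"] if origin else None,
        "auth_hops": [h["by"] for h in hops if h["authenticated"]],
        "forged_hops": [h["from"] for h in hops if h["forged"]],
        "exim_ids": [h["exim_id"] for h in hops if h["exim_id"]],
        "antiabuse": [v.strip() for v in msg.get_all("X-AntiAbuse", [])],
    }


def report(summary):
    """Render the summary as plain text suitable for pasting into an abuse report."""
    lines = []
    for i, h in enumerate(summary["hops"]):
        flags = []
        if h["authenticated"]:
            flags.append("SMTP AUTH")
        if h["forged"]:
            flags.append("may be forged")
        lines.append(f"hop {i}: {h['from']} {h['ips']} -> {h['by']} with {h['with']}"
                     f" id {h['id']} {' '.join(flags)}")
    lines.append(f"origin IP: {summary['origin_ip']} (HELO {summary['origin_helo']})")
    for mid in summary["exim_ids"]:
        lines.append(f"search the Exim main log for {mid}; the A= field on the <= line "
                     f"names the authenticator and authenticated id")
    lines.extend("abuse report: " + v for v in summary["antiabuse"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(trace(SAMPLE_HEADERS)))
```

On a cPanel box the Exim main log is normally /var/log/exim_mainlog (an assumption about this server); with log_selector = +arguments +subject as in the posted exim.conf, the entries for 1EMrMA-0000EY-S9 show the submitting IP, the subject, and on the "<=" arrival line an A= field naming the authenticator and the mailbox that logged in, which is the account whose password needs changing. Note that a pop-before-smtp relay would have been logged as plain "esmtp", so the "esmtpa" tag here specifically points at SMTP AUTH credentials.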